authortedu <>2014-10-03 14:14:40 +0000
committertedu <>2014-10-03 14:14:40 +0000
commitc4534eb6d78a5c5d49990b6f7a9e52af771e8471 (patch)
treef3a4f9d49ea98f54a4255f5a2ad77c098f92226f /src
parent9f8a5da13b6653b86f949e67554dafa4591353c0 (diff)
allow disabling hostname and cert verification separately.
if you're careful, cert only verification can be useful. always enable both though, to avoid accidentally leaving one off. ok jsing
Diffstat (limited to 'src')
-rw-r--r--src/lib/libressl/ressl.h5
-rw-r--r--src/lib/libressl/ressl_client.c8
-rw-r--r--src/lib/libressl/ressl_config.c15
-rw-r--r--src/lib/libressl/ressl_internal.h5
4 files changed, 22 insertions, 11 deletions
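diff --git a/src/lib/libressl/ressl.h b/src/lib/libressl/ressl.h
index 5d980f1f75..2cad4b4d43 100644
--- a/src/lib/libressl/ressl.h
+++ b/src/lib/libressl/ressl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ressl.h,v 1.17 2014/09/29 15:11:29 jsing Exp $ */
+/* $OpenBSD: ressl.h,v 1.18 2014/10/03 14:14:40 tedu Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -58,7 +58,8 @@ void ressl_config_set_verify_depth(struct ressl_config *config,
     int verify_depth);
 
 void ressl_config_clear_keys(struct ressl_config *config);
-void ressl_config_insecure_no_verify(struct ressl_config *config);
+void ressl_config_insecure_noverifyhost(struct ressl_config *config);
+void ressl_config_insecure_noverifycert(struct ressl_config *config);
 void ressl_config_verify(struct ressl_config *config);
 
 struct ressl *ressl_client(void);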
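diff --git a/src/lib/libressl/ressl_client.c b/src/lib/libressl/ressl_client.c
index 8723a35ae0..013963f3a1 100644
--- a/src/lib/libressl/ressl_client.c
+++ b/src/lib/libressl/ressl_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ressl_client.c,v 1.4 2014/09/29 15:11:29 jsing Exp $ */
+/* $OpenBSD: ressl_client.c,v 1.5 2014/10/03 14:14:40 tedu Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -142,12 +142,14 @@ ressl_connect_socket(struct ressl *ctx, int socket, const char *hostname)
 	if (ressl_configure_ssl(ctx) != 0)
 		goto err;
 
-	if (ctx->config->verify) {
+	if (ctx->config->verify_host) {
 		if (hostname == NULL) {
 			ressl_set_error(ctx, "server name not specified");
 			goto err;
 		}
+	}
 
+	if (ctx->config->verify_cert) {
 		SSL_CTX_set_verify(ctx->ssl_ctx, SSL_VERIFY_PEER, NULL);
 
 		if (SSL_CTX_load_verify_locations(ctx->ssl_ctx,
@@ -188,7 +190,7 @@ ressl_connect_socket(struct ressl *ctx, int socket, const char *hostname)
 		goto err;
 	}
 
-	if (ctx->config->verify) {
+	if (ctx->config->verify_host) {
 		cert = SSL_get_peer_certificate(ctx->ssl_conn);
 		if (cert == NULL) {
 			ressl_set_error(ctx, "no server certificate");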
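Review bot: After the split in the second hunk, a config that has cleared verify_cert but kept verify_host still reaches the `if (ctx->config->verify_host)` branch in the third hunk, so SSL_get_peer_certificate is called and the name is matched against a certificate whose chain was never validated (SSL_VERIFY_PEER and the CA file load now sit under verify_cert only) — that combination authenticates nothing, and the commit message only argues for the reverse case (cert-only). Consider rejecting it at the top of the second hunk, right after the hostname check: guard on `ctx->config->verify_host && !ctx->config->verify_cert`, call `ressl_set_error(ctx, "hostname verification requires certificate verification")` and `goto err`; if host-only is meant to be allowed, say so in a comment at the verify_cert branch instead. ressl_connect_socket begins and ends outside these hunks, and the hostname matching itself follows the end of the third hunk, so I cannot see whether anything later already guards this.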
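diff --git a/src/lib/libressl/ressl_config.c b/src/lib/libressl/ressl_config.c
index 6d535e2b42..a45364c2ef 100644
--- a/src/lib/libressl/ressl_config.c
+++ b/src/lib/libressl/ressl_config.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ressl_config.c,v 1.13 2014/10/03 14:09:09 jsing Exp $ */
+/* $OpenBSD: ressl_config.c,v 1.14 2014/10/03 14:14:40 tedu Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -182,13 +182,20 @@ ressl_config_set_verify_depth(struct ressl_config *config, int verify_depth)
 }
 
 void
-ressl_config_insecure_no_verify(struct ressl_config *config)
+ressl_config_insecure_noverifyhost(struct ressl_config *config)
 {
-	config->verify = 0;
+	config->verify_host = 0;
+}
+
+void
+ressl_config_insecure_noverifycert(struct ressl_config *config)
+{
+	config->verify_cert = 0;
 }
 
 void
 ressl_config_verify(struct ressl_config *config)
 {
-	config->verify = 1;
+	config->verify_host = 1;
+	config->verify_cert = 1;
 }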
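Review bot: The two new insecure_ setters carry no comment, and they are not symmetric in effect: ressl_config_insecure_noverifycert turns off chain validation altogether, which is a much larger step than skipping the hostname match. Suggest a comment on it such as `/* Disables chain validation; with this cleared, verify_host alone does not authenticate the peer. */`, and one on ressl_config_verify noting that it re-enables both flags, so a caller who cleared only one is returned to the safe state. Nothing in this diff initializes the new verify_cert field; presumably ressl_config_new calls ressl_config_verify (a direct `config->verify = 1` would no longer compile after the rename), but that is outside the hunk and worth confirming.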
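diff --git a/src/lib/libressl/ressl_internal.h b/src/lib/libressl/ressl_internal.h
index f37b5718d9..b752b5fd88 100644
--- a/src/lib/libressl/ressl_internal.h
+++ b/src/lib/libressl/ressl_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ressl_internal.h,v 1.11 2014/09/29 15:11:29 jsing Exp $ */
+/* $OpenBSD: ressl_internal.h,v 1.12 2014/10/03 14:14:40 tedu Exp $ */
 /*
  * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
@@ -37,7 +37,8 @@ struct ressl_config {
 	char *key_mem;
 	size_t key_len;
 	uint32_t protocols;
-	int verify;
+	int verify_cert;
+	int verify_host;
 	int verify_depth;
 };
 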
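Review bot: The two new fields in struct ressl_config are undocumented, and their names alone do not say which one gates what: in ressl_client.c verify_cert controls SSL_VERIFY_PEER and the CA file load, while verify_host controls the hostname requirement and the peer certificate fetch. Suggest `int verify_cert;	/* validate peer chain: SSL_VERIFY_PEER + CA file */` and `int verify_host;	/* require a hostname and match it against the peer cert */`. The hostname-matching code itself is outside this diff, so adjust the second comment if it does something different.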