From c4534eb6d78a5c5d49990b6f7a9e52af771e8471 Mon Sep 17 00:00:00 2001 From: tedu <> Date: Fri, 3 Oct 2014 14:14:40 +0000 Subject: allow disabling hostname and cert verification separately. if you're careful, cert only verification can be useful. always enable both though, to avoid accidentally leaving one off. ok jsing --- src/lib/libressl/ressl.h | 5 +++-- src/lib/libressl/ressl_client.c | 8 +++++--- src/lib/libressl/ressl_config.c | 15 +++++++++++---- src/lib/libressl/ressl_internal.h | 5 +++-- 4 files changed, 22 insertions(+), 11 deletions(-) diff --git a/src/lib/libressl/ressl.h b/src/lib/libressl/ressl.h index 5d980f1f75..2cad4b4d43 100644 --- a/src/lib/libressl/ressl.h +++ b/src/lib/libressl/ressl.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ressl.h,v 1.17 2014/09/29 15:11:29 jsing Exp $ */ +/* $OpenBSD: ressl.h,v 1.18 2014/10/03 14:14:40 tedu Exp $ */ /* * Copyright (c) 2014 Joel Sing * @@ -58,7 +58,8 @@ void ressl_config_set_verify_depth(struct ressl_config *config, int verify_depth); void ressl_config_clear_keys(struct ressl_config *config); -void ressl_config_insecure_no_verify(struct ressl_config *config); +void ressl_config_insecure_noverifyhost(struct ressl_config *config); +void ressl_config_insecure_noverifycert(struct ressl_config *config); void ressl_config_verify(struct ressl_config *config); struct ressl *ressl_client(void); diff --git a/src/lib/libressl/ressl_client.c b/src/lib/libressl/ressl_client.c index 8723a35ae0..013963f3a1 100644 --- a/src/lib/libressl/ressl_client.c +++ b/src/lib/libressl/ressl_client.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ressl_client.c,v 1.4 2014/09/29 15:11:29 jsing Exp $ */ +/* $OpenBSD: ressl_client.c,v 1.5 2014/10/03 14:14:40 tedu Exp $ */ /* * Copyright (c) 2014 Joel Sing * @@ -142,12 +142,14 @@ ressl_connect_socket(struct ressl *ctx, int socket, const char *hostname) if (ressl_configure_ssl(ctx) != 0) goto err; - if (ctx->config->verify) { + if (ctx->config->verify_host) { if (hostname == NULL) { ressl_set_error(ctx, "server name not specified"); goto err; } + } + if (ctx->config->verify_cert) { SSL_CTX_set_verify(ctx->ssl_ctx, SSL_VERIFY_PEER, NULL); if (SSL_CTX_load_verify_locations(ctx->ssl_ctx, @@ -188,7 +190,7 @@ ressl_connect_socket(struct ressl *ctx, int socket, const char *hostname) goto err; } - if (ctx->config->verify) { + if (ctx->config->verify_host) { cert = SSL_get_peer_certificate(ctx->ssl_conn); if (cert == NULL) { ressl_set_error(ctx, "no server certificate"); diff --git a/src/lib/libressl/ressl_config.c b/src/lib/libressl/ressl_config.c index 6d535e2b42..a45364c2ef 100644 --- a/src/lib/libressl/ressl_config.c +++ b/src/lib/libressl/ressl_config.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ressl_config.c,v 1.13 2014/10/03 14:09:09 jsing Exp $ */ +/* $OpenBSD: ressl_config.c,v 1.14 2014/10/03 14:14:40 tedu Exp $ */ /* * Copyright (c) 2014 Joel Sing * @@ -182,13 +182,20 @@ ressl_config_set_verify_depth(struct ressl_config *config, int verify_depth) } void -ressl_config_insecure_no_verify(struct ressl_config *config) +ressl_config_insecure_noverifyhost(struct ressl_config *config) { - config->verify = 0; + config->verify_host = 0; +} + +void +ressl_config_insecure_noverifycert(struct ressl_config *config) +{ + config->verify_cert = 0; } void ressl_config_verify(struct ressl_config *config) { - config->verify = 1; + config->verify_host = 1; + config->verify_cert = 1; } diff --git a/src/lib/libressl/ressl_internal.h b/src/lib/libressl/ressl_internal.h index f37b5718d9..b752b5fd88 100644 --- a/src/lib/libressl/ressl_internal.h +++ b/src/lib/libressl/ressl_internal.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ressl_internal.h,v 1.11 2014/09/29 15:11:29 jsing Exp $ */ +/* $OpenBSD: ressl_internal.h,v 1.12 2014/10/03 14:14:40 tedu Exp $ */ /* * Copyright (c) 2014 Jeremie Courreges-Anglas * Copyright (c) 2014 Joel Sing @@ -37,7 +37,8 @@ struct ressl_config { char *key_mem; size_t key_len; uint32_t protocols; - int verify; + int verify_cert; + int verify_host; int verify_depth; }; -- cgit v1.2.3-55-g6feb