diff options
author | Eneas U de Queiroz <cotequeiroz@gmail.com> | 2019-09-18 23:18:03 -0300 |
---|---|---|
committer | Hauke Mehrtens <hauke@hauke-m.de> | 2019-09-20 20:48:34 +0200 |
commit | 1c38fd8780d2bfed96358ac358ba1f33e32bf5de (patch) | |
tree | 77b2c71a996695708e8c385f1f0dd97790147c91 | |
parent | 33308eebda34c90455dbce825fac112a987c0ecd (diff) | |
download | ustream-ssl-1c38fd8780d2bfed96358ac358ba1f33e32bf5de.tar.gz |
wolfssl: enable CN validation
WolfSSL added a wolfSSL_X509_check_host function to perform CN
validation in v3.10.4, depending on the build-time configure options:
--enable-nginx enables it for all supported versions;
--enable-opensslextra, since v3.14.2.
If the function is unavailable, then SSL_get_verify_result will be
called, and 'valid_cert' will be true if that call suceeds and we
have a peer certificate, just as it happens with openssl. Only
'valid_cn' will not be set.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
-rw-r--r-- | CMakeLists.txt | 6 | ||||
-rw-r--r-- | ustream-openssl.c | 12 |
2 files changed, 14 insertions, 4 deletions
diff --git a/CMakeLists.txt b/CMakeLists.txt index 6b3fc8c..86e1b07 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -21,6 +21,12 @@ ELSEIF(WOLFSSL) IF (NOT HAVE_WOLFSSL_SSLSETIORECV) ADD_DEFINITIONS(-DNO_WOLFSSL_SSLSETIO_SEND_RECV) ENDIF() + CHECK_SYMBOL_EXISTS (wolfSSL_X509_check_host + "wolfssl/options.h;wolfssl/ssl.h" + HAVE_WOLFSSL_X509_CHECK_HOST) + IF (NOT HAVE_WOLFSSL_X509_CHECK_HOST) + ADD_DEFINITIONS(-DNO_X509_CHECK_HOST) + ENDIF() ELSE() SET(SSL_SRC ustream-io-openssl.c ustream-openssl.c) SET(SSL_LIB crypto ssl) diff --git a/ustream-openssl.c b/ustream-openssl.c index 21abf61..c830618 100644 --- a/ustream-openssl.c +++ b/ustream-openssl.c @@ -203,7 +203,7 @@ static void ustream_ssl_error(struct ustream_ssl *us, int ret) uloop_timeout_set(&us->error_timer, 0); } -#ifndef WOLFSSL_OPENSSL_H_ +#ifndef NO_X509_CHECK_HOST static bool ustream_ssl_verify_cn(struct ustream_ssl *us, X509 *cert) { @@ -212,10 +212,15 @@ static bool ustream_ssl_verify_cn(struct ustream_ssl *us, X509 *cert) if (!us->peer_cn) return false; +# ifndef WOLFSSL_OPENSSL_H_ ret = X509_check_host(cert, us->peer_cn, 0, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS, NULL); +# else + ret = wolfSSL_X509_check_host(cert, us->peer_cn, 0, 0, NULL); +# endif return ret == 1; } +#endif static void ustream_ssl_verify_cert(struct ustream_ssl *us) { @@ -235,11 +240,12 @@ static void ustream_ssl_verify_cert(struct ustream_ssl *us) return; us->valid_cert = true; +#ifndef NO_X509_CHECK_HOST us->valid_cn = ustream_ssl_verify_cn(us, cert); +#endif X509_free(cert); } -#endif __hidden enum ssl_conn_status __ustream_ssl_connect(struct ustream_ssl *us) { @@ -252,9 +258,7 @@ __hidden enum ssl_conn_status __ustream_ssl_connect(struct ustream_ssl *us) r = SSL_connect(ssl); if (r == 1) { -#ifndef WOLFSSL_OPENSSL_H_ ustream_ssl_verify_cert(us); -#endif return U_SSL_OK; } |