author | Alan Antonuk <alan.antonuk@gmail.com> | 2015-10-13 21:32:15 -0700 |
committer | Alan Antonuk <alan.antonuk@gmail.com> | 2015-10-15 22:22:42 -0700 |
commit | 17410d968b890d1545b84debf0f83059f2aabdeb (patch) | |
tree | 57c160ac0e94f4067d8becf2d7914f5195a0526d /librabbitmq/amqp_openssl.c | |
parent | ba7c342a55e200d1f72b30d74df1591b0f72de49 (diff) | |
download | rabbitmq-c-17410d968b890d1545b84debf0f83059f2aabdeb.tar.gz |
Lib: separate peer & hostname SSL cert validation
Add amqp_ssl_socket_set_verify_peer, which controls peer certificate validation,
and amqp_ssl_socket_set_verify_hostname, which controls validation of the hostname
in the certificate. Additionally, this deprecates amqp_ssl_socket_set_verify.
Fixes #180, #279, #303
Diffstat (limited to 'librabbitmq/amqp_openssl.c')
-rw-r--r-- | librabbitmq/amqp_openssl.c | 38 |
1 files changed, 29 insertions, 9 deletions
diff --git a/librabbitmq/amqp_openssl.c b/librabbitmq/amqp_openssl.c
index bb28ddb..727f48c 100644
--- a/librabbitmq/amqp_openssl.c
+++ b/librabbitmq/amqp_openssl.c
@@ -70,7 +70,8 @@ struct amqp_ssl_socket_t {
 SSL_CTX *ctx;
 int sockfd;
 SSL *ssl;
- amqp_boolean_t verify;
+ amqp_boolean_t verify_peer;
+ amqp_boolean_t verify_hostname;
 int internal_error;
 };
@@ -312,13 +313,15 @@ start_connect:
 goto error_out2;
 }
- result = SSL_get_verify_result(self->ssl);
- if (X509_V_OK != result) {
- self->internal_error = result;
- status = AMQP_STATUS_SSL_PEER_VERIFY_FAILED;
- goto error_out3;
+ if (self->verify_peer) {
+ result = SSL_get_verify_result(self->ssl);
+ if (X509_V_OK != result) {
+ self->internal_error = result;
+ status = AMQP_STATUS_SSL_PEER_VERIFY_FAILED;
+ goto error_out3;
+ }
 }
- if (self->verify) {
+ if (self->verify_hostname) {
 int verify_status = amqp_ssl_socket_verify_hostname(self, host);
 if (verify_status) {
 self->internal_error = 0;
@@ -425,7 +428,8 @@ amqp_ssl_socket_new(amqp_connection_state_t state)
 self->sockfd = -1;
 self->klass = &amqp_ssl_socket_class;
- self->verify = 1;
+ self->verify_peer = 1;
+ self->verify_hostname = 1;
 status = initialize_openssl();
 if (status) {
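Review bot: In the new `if (self->verify_peer)` block of the connect hunk, clearing verify_peer discards the SSL_get_verify_result() outcome while the `if (self->verify_hostname)` check right below still runs, so the hostname is then matched against a certificate whose chain was never validated and the match carries no authentication value. Whether the SSL_CTX verify mode is SSL_VERIFY_NONE, making this call the only chain check on the path, is not visible in this hunk; if it is, verify_peer=0 means any presented certificate is accepted. A comment at the new guard would keep the next reader from treating the two flags as independent: `/* verify_hostname without verify_peer only matches the name in an unvalidated certificate; both flags are needed for authentication */`. The enclosing function starts and ends outside the hunk.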
@@ -555,12 +559,28 @@ void
 amqp_ssl_socket_set_verify(amqp_socket_t *base,
 amqp_boolean_t verify)
 {
+ amqp_ssl_socket_set_verify_peer(base, verify);
+ amqp_ssl_socket_set_verify_hostname(base, verify);
+}
+
+void amqp_ssl_socket_set_verify_peer(amqp_socket_t *base,
+ amqp_boolean_t verify) {
+ struct amqp_ssl_socket_t *self;
+ if (base->klass != &amqp_ssl_socket_class) {
+ amqp_abort("<%p> is not of type amqp_ssl_socket_t", base);
+ }
+ self = (struct amqp_ssl_socket_t *)base;
+ self->verify_peer = verify;
+}
+
+void amqp_ssl_socket_set_verify_hostname(amqp_socket_t *base,
+ amqp_boolean_t verify) {
 struct amqp_ssl_socket_t *self;
 if (base->klass != &amqp_ssl_socket_class) {
 amqp_abort("<%p> is not of type amqp_ssl_socket_t", base);
 }
 self = (struct amqp_ssl_socket_t *)base;
- self->verify = verify;
+ self->verify_hostname = verify;
 }
 void
|
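Review bot: amqp_ssl_socket_set_verify_peer and amqp_ssl_socket_set_verify_hostname each repeat the klass check, the amqp_abort call and the cast that the old body of amqp_ssl_socket_set_verify already carries, so the type guard now lives in three places and any future change to the check must be made three times. A static helper returning the downcast pointer leaves each setter as a single assignment and gives one place to note that the setters rely on amqp_abort not returning. The commit message deprecates amqp_ssl_socket_set_verify, but nothing in this hunk marks it; if the deprecation attribute lives in the public header it is outside this view. The trailing `void` line is context from the next function.
```c
/* Downcast base to the SSL socket type; amqp_abort() does not return on a mismatch. */
static struct amqp_ssl_socket_t *amqp_ssl_socket_cast(amqp_socket_t *base) {
  if (base->klass != &amqp_ssl_socket_class) {
    amqp_abort("<%p> is not of type amqp_ssl_socket_t", base);
  }
  return (struct amqp_ssl_socket_t *)base;
}

void amqp_ssl_socket_set_verify_peer(amqp_socket_t *base,
                                     amqp_boolean_t verify) {
  amqp_ssl_socket_cast(base)->verify_peer = verify;
}

/* … unchanged: amqp_ssl_socket_set_verify_hostname, same shape with verify_hostname … */
```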