WolfSSL added a wolfSSL_X509_check_host function to perform CN
validation in v3.10.4, depending on the build-time configure options:
--enable-nginx enables it for all supported versions;
--enable-opensslextra, since v3.14.2.
If the function is unavailable, then SSL_get_verify_result will be
called, and 'valid_cert' will be true if that call suceeds and we
have a peer certificate, just as it happens with openssl. Only
'valid_cn' will not be set.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
IF (NOT HAVE_WOLFSSL_SSLSETIORECV)
ADD_DEFINITIONS(-DNO_WOLFSSL_SSLSETIO_SEND_RECV)
ENDIF()
IF (NOT HAVE_WOLFSSL_SSLSETIORECV)
ADD_DEFINITIONS(-DNO_WOLFSSL_SSLSETIO_SEND_RECV)
ENDIF()
+ CHECK_SYMBOL_EXISTS (wolfSSL_X509_check_host
+ "wolfssl/options.h;wolfssl/ssl.h"
+ HAVE_WOLFSSL_X509_CHECK_HOST)
+ IF (NOT HAVE_WOLFSSL_X509_CHECK_HOST)
+ ADD_DEFINITIONS(-DNO_X509_CHECK_HOST)
+ ENDIF()
ELSE()
SET(SSL_SRC ustream-io-openssl.c ustream-openssl.c)
SET(SSL_LIB crypto ssl)
ELSE()
SET(SSL_SRC ustream-io-openssl.c ustream-openssl.c)
SET(SSL_LIB crypto ssl)
uloop_timeout_set(&us->error_timer, 0);
}
uloop_timeout_set(&us->error_timer, 0);
}
-#ifndef WOLFSSL_OPENSSL_H_
+#ifndef NO_X509_CHECK_HOST
static bool ustream_ssl_verify_cn(struct ustream_ssl *us, X509 *cert)
{
static bool ustream_ssl_verify_cn(struct ustream_ssl *us, X509 *cert)
{
if (!us->peer_cn)
return false;
if (!us->peer_cn)
return false;
+# ifndef WOLFSSL_OPENSSL_H_
ret = X509_check_host(cert, us->peer_cn, 0, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS, NULL);
ret = X509_check_host(cert, us->peer_cn, 0, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS, NULL);
+# else
+ ret = wolfSSL_X509_check_host(cert, us->peer_cn, 0, 0, NULL);
+# endif
static void ustream_ssl_verify_cert(struct ustream_ssl *us)
{
static void ustream_ssl_verify_cert(struct ustream_ssl *us)
{
return;
us->valid_cert = true;
return;
us->valid_cert = true;
+#ifndef NO_X509_CHECK_HOST
us->valid_cn = ustream_ssl_verify_cn(us, cert);
us->valid_cn = ustream_ssl_verify_cn(us, cert);
__hidden enum ssl_conn_status __ustream_ssl_connect(struct ustream_ssl *us)
{
__hidden enum ssl_conn_status __ustream_ssl_connect(struct ustream_ssl *us)
{
r = SSL_connect(ssl);
if (r == 1) {
r = SSL_connect(ssl);
if (r == 1) {
-#ifndef WOLFSSL_OPENSSL_H_
ustream_ssl_verify_cert(us);
ustream_ssl_verify_cert(us);