if(!dtio->ssl) return 0;
dtio->ssl_handshake_done = 0;
dtio->ssl_brief_read = 0;
+
+ if(!set_auth_name_on_ssl(dtio->ssl, dtio->tls_server_name)) {
+ return 0;
+ }
return 1;
}
comm_point_tcp_win_bio_cb(pend->c, pend->c->ssl);
#endif
pend->c->ssl_shake_state = comm_ssl_shake_write;
- if(w->tls_auth_name) {
-#ifdef HAVE_SSL
- (void)SSL_set_tlsext_host_name(pend->c->ssl, w->tls_auth_name);
-#endif
- }
-#ifdef HAVE_SSL_SET1_HOST
- if(w->tls_auth_name) {
- SSL_set_verify(pend->c->ssl, SSL_VERIFY_PEER, NULL);
- /* setting the hostname makes openssl verify the
- * host name in the x509 certificate in the
- * SSL connection*/
- if(!SSL_set1_host(pend->c->ssl, w->tls_auth_name)) {
- log_err("SSL_set1_host failed");
- pend->c->fd = s;
- SSL_free(pend->c->ssl);
- pend->c->ssl = NULL;
- comm_point_close(pend->c);
- return 0;
- }
- }
-#elif defined(HAVE_X509_VERIFY_PARAM_SET1_HOST)
- /* openssl 1.0.2 has this function that can be used for
- * set1_host like verification */
- if(w->tls_auth_name) {
- X509_VERIFY_PARAM* param = SSL_get0_param(pend->c->ssl);
- X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
- if(!X509_VERIFY_PARAM_set1_host(param, w->tls_auth_name, strlen(w->tls_auth_name))) {
- log_err("X509_VERIFY_PARAM_set1_host failed");
- pend->c->fd = s;
- SSL_free(pend->c->ssl);
- pend->c->ssl = NULL;
- comm_point_close(pend->c);
- return 0;
- }
- SSL_set_verify(pend->c->ssl, SSL_VERIFY_PEER, NULL);
+ if(!set_auth_name_on_ssl(pend->c->ssl, w->tls_auth_name)) {
+ pend->c->fd = s;
+ SSL_free(pend->c->ssl);
+ pend->c->ssl = NULL;
+ comm_point_close(pend->c);
+ return 0;
}
-#else
- verbose(VERB_ALGO, "the query has an auth_name, but libssl has no call to perform TLS authentication");
-#endif /* HAVE_SSL_SET1_HOST */
}
w->pkt = NULL;
w->next_waiting = (void*)pend;
#endif
}
+/** set the authname on an SSL structure, SSL* ssl */
+int set_auth_name_on_ssl(void* ssl, char* auth_name)
+{
+ if(!auth_name) return 1;
+#ifdef HAVE_SSL
+ (void)SSL_set_tlsext_host_name(ssl, auth_name);
+#endif
+#ifdef HAVE_SSL_SET1_HOST
+ SSL_set_verify(ssl, SSL_VERIFY_PEER, NULL);
+ /* setting the hostname makes openssl verify the
+ * host name in the x509 certificate in the
+ * SSL connection*/
+ if(!SSL_set1_host(ssl, auth_name)) {
+ log_err("SSL_set1_host failed");
+ return 0;
+ }
+#elif defined(HAVE_X509_VERIFY_PARAM_SET1_HOST)
+ /* openssl 1.0.2 has this function that can be used for
+ * set1_host like verification */
+ if(auth_name) {
+ X509_VERIFY_PARAM* param = SSL_get0_param(ssl);
+ X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
+ if(!X509_VERIFY_PARAM_set1_host(param, auth_name, strlen(auth_name))) {
+ log_err("X509_VERIFY_PARAM_set1_host failed");
+ return 0;
+ }
+ SSL_set_verify(ssl, SSL_VERIFY_PEER, NULL);
+ }
+#else
+ verbose(VERB_ALGO, "the query has an auth_name, but libssl has no call to perform TLS authentication");
+#endif /* HAVE_SSL_SET1_HOST */
+ return 1;
+}
+
#if defined(HAVE_SSL) && defined(OPENSSL_THREADS) && !defined(THREADS_DISABLED) && defined(CRYPTO_LOCK) && OPENSSL_VERSION_NUMBER < 0x10100000L
/** global lock list for openssl locks */
static lock_basic_type *ub_openssl_locks = NULL;
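Review bot: The `if(auth_name)` guard opening the HAVE_X509_VERIFY_PARAM_SET1_HOST branch is dead, since the function already returned 1 for a NULL auth_name on its first line; dropping it and un-indenting the body makes that branch read parallel to the SSL_set1_host one. Every use of auth_name in this function is read-only (SSL_set_tlsext_host_name, SSL_set1_host, X509_VERIFY_PARAM_set1_host and strlen all take it as input), so the signature can be `int set_auth_name_on_ssl(void* ssl, const char* auth_name)`, with the matching change to the declaration added to net_help.h in this commit. The two branches also differ in order: the SSL_set1_host branch turns on SSL_VERIFY_PEER before the hostname is installed and returns 0 on failure with verify mode already set, while the 1.0.2 branch turns it on only after the hostname succeeded; that is presumably harmless because callers are expected to free the SSL on a 0 return, but a one-line comment stating that expectation above the first SSL_set_verify would spare the next reader the comparison.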
*/
void* outgoing_ssl_fd(void* sslctx, int fd);
+/**
+ * set auth name on SSL for verification
+ * @param ssl: SSL* to set
+ * @param auth_name: if NULL nothing happens, otherwise the name to check.
+ * @return 1 on success or NULL auth_name, 0 on failure.
+ */
+int set_auth_name_on_ssl(void* ssl, char* auth_name);
+
/**
* Initialize openssl locking for thread safety
* @return false on failure (alloc failure).
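Review bot: The `@return` line says "1 on success or NULL auth_name, 0 on failure", but the definition in net_help.c also returns 1 from its `#else` branch, where libssl has neither SSL_set1_host nor X509_VERIFY_PARAM_set1_host and only a VERB_ALGO message is logged; a caller reading this header cannot tell that "success" may mean no certificate hostname verification was installed at all. I would extend the comment: `@return 1 on success or NULL auth_name, 0 on failure. Also returns 1 when libssl lacks SSL_set1_host and X509_VERIFY_PARAM_set1_host; the name is then only sent as SNI and no hostname verification is performed.` For the same reason the `@param ssl` line could state that on a 0 return the SSL object may already have SSL_VERIFY_PEER set and the caller is expected to free it, which is what the outside_network.c call site does.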