authorbeck <beck@openbsd.org>2015-09-09 19:23:04 +0000
committerbeck <beck@openbsd.org>2015-09-09 19:23:04 +0000
commit51f3bd3dbcf375a862a54d39077f65773c61ada8 (patch)
tree1d00b84316a00168f9b3ed6f1dad92324fefbda9 /lib/libtls/tls_server.c
parentMake sure we check TLS_WRITE_AGAIN when calling tls_read() and if (diff)
Add client certificate support. Still needs a few tweaks but this will
ride upcoming minor bump ok jsing@
Diffstat (limited to 'lib/libtls/tls_server.c')
-rw-r--r--lib/libtls/tls_server.c11
1 files changed, 9 insertions, 2 deletions
diff --git a/lib/libtls/tls_server.c b/lib/libtls/tls_server.c
index 190682e630a..6f8daa0acab 100644
--- a/lib/libtls/tls_server.c
+++ b/lib/libtls/tls_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_server.c,v 1.11 2015/09/09 14:32:06 jsing Exp $ */
+/* $OpenBSD: tls_server.c,v 1.12 2015/09/09 19:23:04 beck Exp $ */
/*
* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
*
@@ -60,8 +60,15 @@ tls_configure_server(struct tls *ctx)
if (tls_configure_ssl(ctx) != 0)
goto err;
- if (tls_configure_keypair(ctx) != 0)
+ if (tls_configure_keypair(ctx, 1) != 0)
goto err;
+ if (ctx->config->verify_client != 0) {
+ int verify = SSL_VERIFY_PEER;
+ if (ctx->config->verify_client == 1)
+ verify |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
+ if (tls_configure_ssl_verify(ctx, verify) == -1)
+ goto err;
+ }
if (ctx->config->dheparams == -1)
SSL_CTX_set_dh_auto(ctx->ssl_ctx, 1);