diff -wru tlswrap-1.04.orig/tls.c tlswrap-1.04/tls.c
--- tlswrap-1.04.orig/tls.c	2006-11-25 19:52:08.000000000 +0100
+++ tlswrap-1.04/tls.c	2017-12-05 04:43:56.757223948 +0100
@@ -73,10 +73,12 @@
 		printf("egd_sock is %s\n", egd_sock);
 #ifdef HAVE_RAND_STATUS
 	if (RAND_status() != 1) {
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || OPENSSL_NO_EGD
 		if ( RAND_egd(egd_sock) == -1 ) {
 			fprintf(stderr, "egd_sock is %s\n", egd_sock);
 			sys_err("RAND_egd failed\n");
 		}
+#endif
 		if (RAND_status() != 1)
 			sys_err("ssl_init: System without /dev/urandom, PRNG seeding must be done manually.\r\n");
 	}
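Review bot: The second operand of the `#if` added on line 70 does not do what it appears to intend: OpenSSL's opensslconf.h typically defines `OPENSSL_NO_EGD` with no value when EGD support is compiled out, and a valueless macro inside an `#if` expression is a preprocessing error, while in the undefined case it evaluates to 0 and adds nothing to the version test. The sense also looks inverted, since the `RAND_egd()` call should be excluded, not included, when EGD is unavailable. Suggest `#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || !defined(OPENSSL_NO_EGD)`. The unchanged `RAND_status()` re-check on line 76 still fails closed through `sys_err` when no seed source is available, so compiling the block out does not weaken seeding.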
@@ -262,7 +264,8 @@
 	int					ok, extcount, i, j;
 	char 				*extstr;
 	SSL					*ssl;
-#if (OPENSSL_VERSION_NUMBER > 0x00908000L)
+#if (OPENSSL_VERSION_NUMBER > 0x10100000L)
+#elif (OPENSSL_VERSION_NUMBER > 0x00908000L)
 	unsigned char const		*data1;
 #else
 	unsigned char	*data1;
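Review bot: The version boundaries are inconsistent across the patch: this hunk and hunk 3 test `> 0x10100000L`, while hunk 4 tests `< 0x10100000L`, so a build against exactly 0x10100000L would take the `#elif` branch here, skip the new `X509_VERIFY_PARAM` block, and also have the legacy extension walk compiled out, leaving no hostname check at all. Use `>= 0x10100000L` here and in hunk 3 so the two sides partition the version space cleanly. With the empty `#if` branch `data1` is no longer declared for 1.1.0+, but `extcount`, `i`, `j` and `extstr` on lines 80–81 stay declared and, as far as the visible hunks show, are only used inside the block that hunk 4 removes on those versions; placing them under the same `#elif` would avoid unused-variable warnings. The enclosing function starts before this hunk.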
@@ -279,6 +282,16 @@
 	if (debug)
 		printf("tls_cert2\n");
 	
+#if (OPENSSL_VERSION_NUMBER > 0x10100000L)
+	if (ud->sec_level > 3) {
+		X509_VERIFY_PARAM *param = SSL_get0_param(ssl);
+		X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
+		X509_VERIFY_PARAM_set1_host(param, ud->serv_dns.hostname, 0);
+		X509_VERIFY_PARAM_set1_ip_asc(param, ud->serv_data_host);
+		SSL_set_verify(ssl, SSL_VERIFY_PEER, 0);
+	}
+#endif
+
 	if ((x509_peer = SSL_get_peer_certificate(ssl)) == NULL)
 		return X509_V_ERR_APPLICATION_VERIFICATION; /* SSL_get_peer* can only be NULL on  'anonymous DH connections' so shouldn't happen. */
 
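Review bot: The host and IP verification parameters set on lines 95–99 are applied to `ssl` immediately before `SSL_get_peer_certificate()`, which only returns a certificate once the handshake has completed; if this function therefore runs post-handshake, as that call suggests, `SSL_set_verify()` and `X509_VERIFY_PARAM_set1_host()` no longer influence the verification that already took place, and the value returned by `SSL_get_verify_result()` at the end of the function reflects the parameters in force during `SSL_connect()`. If that reading is correct, this block needs to move to wherever the SSL object is configured before the handshake. Independently, `X509_VERIFY_PARAM_set1_host()` and `X509_VERIFY_PARAM_set1_ip_asc()` return 0 on failure (the latter also when `ud->serv_data_host` is not a textual IP address), and an unchecked 0 leaves the corresponding identity unset and the check silently absent, so each call should be guarded, e.g. `if (!X509_VERIFY_PARAM_set1_host(param, ud->serv_dns.hostname, 0)) return X509_V_ERR_APPLICATION_VERIFICATION;`. Since OpenSSL evaluates every identity that is set, also confirm that requiring both a matching DNS name and a matching iPAddress SAN is the intended policy. The enclosing function starts before this hunk.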
@@ -287,6 +300,8 @@
 		return SSL_get_verify_result(ssl);
 	}
 	
+
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
 	if ((extcount = X509_get_ext_count(x509_peer)) > 0) {
 		if (debug) printf("extcount = %d\n", extcount);
 		for (i = 0; i < extcount; i++) {
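Review bot: Compiling out the manual extension walk for OpenSSL ≥ 1.1.0 leaves the block added in hunk 3 as the only hostname check on those versions, and that block is conditioned on `ud->sec_level > 3`; unless the removed loop carried the same condition (its body lies outside this hunk), connections at lower security levels lose hostname verification on new OpenSSL while keeping it on old. A comment at the `#if`, e.g. `/* OpenSSL >= 1.1.0: hostname/IP matching is delegated to X509_VERIFY_PARAM; see tls_cert2 above */`, would make the replacement explicit for the next reader. The matching `#endif` is in the following hunk, and the enclosing function starts before this one.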
@@ -333,6 +348,7 @@
   		return X509_V_ERR_APPLICATION_VERIFICATION;
   	}
   }
+#endif
   X509_free(x509_peer);
 	return SSL_get_verify_result(ssl);
 }