Lines 178-191
NOEXPORT void auth_warnings(SERVICE_OPTI
| 178 |
if(section->option.verify_peer) /* verify_peer does not depend on PKI */ |
178 |
if(section->option.verify_peer) /* verify_peer does not depend on PKI */ |
| 179 |
return; |
179 |
return; |
| 180 |
if(section->option.verify_chain) { |
180 |
if(section->option.verify_chain) { |
| 181 |
#if OPENSSL_VERSION_NUMBER>=0x10002000L |
181 |
#if OPENSSL_VERSION_NUMBER>=0x10002000L && !defined(LIBRESSL_VERSION_NUMBER) |
| 182 |
if(section->check_email || section->check_host || section->check_ip) |
182 |
if(section->check_email || section->check_host || section->check_ip) |
| 183 |
return; |
183 |
return; |
| 184 |
#endif /* OPENSSL_VERSION_NUMBER>=0x10002000L */ |
184 |
#endif /* OPENSSL_VERSION_NUMBER>=0x10002000L */ |
| 185 |
s_log(LOG_WARNING, |
185 |
s_log(LOG_WARNING, |
| 186 |
"Service [%s] uses \"verify = 2\" without subject checks", |
186 |
"Service [%s] uses \"verify = 2\" without subject checks", |
| 187 |
section->servname); |
187 |
section->servname); |
| 188 |
#if OPENSSL_VERSION_NUMBER<0x10002000L |
188 |
#if OPENSSL_VERSION_NUMBER<0x10002000L || defined(LIBRESSL_VERSION_NUMBER) |
| 189 |
s_log(LOG_WARNING, |
189 |
s_log(LOG_WARNING, |
| 190 |
"Rebuild your stunnel against OpenSSL version 1.0.2 or higher"); |
190 |
"Rebuild your stunnel against OpenSSL version 1.0.2 or higher"); |
| 191 |
#endif /* OPENSSL_VERSION_NUMBER<0x10002000L */ |
191 |
#endif /* OPENSSL_VERSION_NUMBER<0x10002000L */ |
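Review bot: The advice printed at line 190 is now also emitted on LibreSSL builds (the condition at 188 gained `|| defined(LIBRESSL_VERSION_NUMBER)`), but "Rebuild your stunnel against OpenSSL version 1.0.2 or higher" is the wrong remedy there — a LibreSSL user who rebuilds against a newer LibreSSL still lands in the same branch, because the check at 181 now excludes LibreSSL regardless of version. I would make the message name the actual constraint, e.g. `"Rebuild your stunnel against OpenSSL version 1.0.2 or higher (subject checks are not available with LibreSSL)"`. The `#endif` comments at 184 and 191 still describe only the version test and should be updated to match the new conditions, e.g. `#endif /* OPENSSL_VERSION_NUMBER>=0x10002000L && !LIBRESSL_VERSION_NUMBER */`. The body of auth_warnings starts before this hunk.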
Lines 277-283
NOEXPORT int cert_check(CLI *c, X509_STO
| 277 |
} |
277 |
} |
| 278 |
|
278 |
|
| 279 |
if(depth==0) { /* additional peer certificate checks */ |
279 |
if(depth==0) { /* additional peer certificate checks */ |
| 280 |
#if OPENSSL_VERSION_NUMBER>=0x10002000L |
280 |
#if OPENSSL_VERSION_NUMBER>=0x10002000L && !defined(LIBRESSL_VERSION_NUMBER) |
| 281 |
if(!cert_check_subject(c, callback_ctx)) |
281 |
if(!cert_check_subject(c, callback_ctx)) |
| 282 |
return 0; /* reject */ |
282 |
return 0; /* reject */ |
| 283 |
#endif /* OPENSSL_VERSION_NUMBER>=0x10002000L */ |
283 |
#endif /* OPENSSL_VERSION_NUMBER>=0x10002000L */ |
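Review bot: After the change at line 280, `cert_check_subject` is no longer called on LibreSSL builds, so the `depth==0` path accepts the peer certificate without any host/email/IP subject check even when the service has those options configured (the same options that auth_warnings reads at line 182). Unless option parsing rejects those keys on LibreSSL — which this hunk does not show — an operator would believe hostname verification is in effect while it is silently skipped, which is a fail-open outcome for `verify = 2`. I would fail closed instead: add an `#else` branch for this `#if` that rejects the peer (`return 0;`) when any of the subject-check options is set for the service, or at minimum a comment at 280 stating that subject checks are unavailable with LibreSSL and relying on the configuration parser to refuse them. cert_check begins before this hunk and continues after it.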
Lines 288-294
NOEXPORT int cert_check(CLI *c, X509_STO
| 288 |
return 1; /* accept */ |
288 |
return 1; /* accept */ |
| 289 |
} |
289 |
} |
| 290 |
|
290 |
|
| 291 |
#if OPENSSL_VERSION_NUMBER>=0x10002000L |
291 |
#if OPENSSL_VERSION_NUMBER>=0x10002000L && !defined(LIBRESSL_VERSION_NUMBER) |
| 292 |
NOEXPORT int cert_check_subject(CLI *c, X509_STORE_CTX *callback_ctx) { |
292 |
NOEXPORT int cert_check_subject(CLI *c, X509_STORE_CTX *callback_ctx) { |
| 293 |
X509 *cert=X509_STORE_CTX_get_current_cert(callback_ctx); |
293 |
X509 *cert=X509_STORE_CTX_get_current_cert(callback_ctx); |
| 294 |
NAME_LIST *ptr; |
294 |
NAME_LIST *ptr; |
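Review bot: The `#if` at line 291 now gates the whole definition of cert_check_subject on `!defined(LIBRESSL_VERSION_NUMBER)`, but its matching `#endif` lies outside this hunk and, by the pattern of 184, 283 and 191, presumably still carries the old `/* OPENSSL_VERSION_NUMBER>=0x10002000L */` comment; it should be brought in line so the two ends of the conditional agree, e.g. `#endif /* OPENSSL_VERSION_NUMBER>=0x10002000L && !LIBRESSL_VERSION_NUMBER */`. The function body continues beyond the hunk.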
Lines 340-346
NOEXPORT int cert_check_local(X509_STORE
| 340 |
STACK_OF(X509) *sk; |
340 |
STACK_OF(X509) *sk; |
| 341 |
int i; |
341 |
int i; |
| 342 |
#endif |
342 |
#endif |
| 343 |
#if OPENSSL_VERSION_NUMBER<0x10100000L |
343 |
#if OPENSSL_VERSION_NUMBER<0x10100000L || defined(LIBRESSL_VERSION_NUMBER) |
| 344 |
X509_OBJECT obj; |
344 |
X509_OBJECT obj; |
| 345 |
int success; |
345 |
int success; |
| 346 |
#endif |
346 |
#endif |
Lines 349-355
NOEXPORT int cert_check_local(X509_STORE
| 349 |
subject=X509_get_subject_name(cert); |
349 |
subject=X509_get_subject_name(cert); |
| 350 |
|
350 |
|
| 351 |
#if OPENSSL_VERSION_NUMBER>=0x10000000L |
351 |
#if OPENSSL_VERSION_NUMBER>=0x10000000L |
| 352 |
#if OPENSSL_VERSION_NUMBER<0x10100006L |
352 |
#if OPENSSL_VERSION_NUMBER<0x10100006L || defined(LIBRESSL_VERSION_NUMBER) |
| 353 |
#define X509_STORE_CTX_get1_certs X509_STORE_get1_certs |
353 |
#define X509_STORE_CTX_get1_certs X509_STORE_get1_certs |
| 354 |
#endif |
354 |
#endif |
| 355 |
/* modern API allows retrieving multiple matching certificates */ |
355 |
/* modern API allows retrieving multiple matching certificates */ |
Lines 364-370
NOEXPORT int cert_check_local(X509_STORE
| 364 |
} |
364 |
} |
| 365 |
#endif |
365 |
#endif |
| 366 |
|
366 |
|
| 367 |
#if OPENSSL_VERSION_NUMBER<0x10100000L |
367 |
#if OPENSSL_VERSION_NUMBER<0x10100000L || defined(LIBRESSL_VERSION_NUMBER) |
| 368 |
/* pre-1.0.0 API only returns a single matching certificate */ |
368 |
/* pre-1.0.0 API only returns a single matching certificate */ |
| 369 |
/* we also invoke it for other OpenSSL versions before 1.1.0 */ |
369 |
/* we also invoke it for other OpenSSL versions before 1.1.0 */ |
| 370 |
memset((char *)&obj, 0, sizeof obj); |
370 |
memset((char *)&obj, 0, sizeof obj); |
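Review bot: The comments at lines 368-369 still say the single-certificate lookup is used for "OpenSSL versions before 1.1.0", yet the condition at 367 now also selects it for every LibreSSL build regardless of version; the comment should say so, e.g. `/* we also invoke it for other OpenSSL versions before 1.1.0, and for LibreSSL */`. This branch also keeps `X509_OBJECT obj` on the stack (declared at 344, zeroed at 370), which only compiles while the struct is not opaque in the LibreSSL headers being targeted — worth confirming against the LibreSSL versions the project intends to support. cert_check_local starts before this hunk and continues after it.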