Add option for checking IP address in the certificate as host.

GitOrigin-RevId: dba5b87a59f3d3d3241051ee0257a5786fdf4fb0
levlam 2020-09-14 03:58:57 +03:00
parent 3ae535eae7
commit a74d02f412
2 changed files with 7 additions and 5 deletions


@ -291,7 +291,7 @@ Result<SslCtx> create_ssl_ctx(CSlice cert_file, SslStream::VerifyPeer verify_pee
class SslStreamImpl { class SslStreamImpl {
public: public:
Status init(CSlice host, CSlice cert_file, SslStream::VerifyPeer verify_peer) { Status init(CSlice host, CSlice cert_file, SslStream::VerifyPeer verify_peer, bool check_ip_address_as_host) {
static bool init_openssl = [] { static bool init_openssl = [] {
#if OPENSSL_VERSION_NUMBER >= 0x10100000L #if OPENSSL_VERSION_NUMBER >= 0x10100000L
return OPENSSL_init_ssl(0, nullptr) != 0; return OPENSSL_init_ssl(0, nullptr) != 0;
@ -317,7 +317,7 @@ class SslStreamImpl {
#if OPENSSL_VERSION_NUMBER >= 0x10002000L #if OPENSSL_VERSION_NUMBER >= 0x10002000L
X509_VERIFY_PARAM *param = SSL_get0_param(ssl_handle.get()); X509_VERIFY_PARAM *param = SSL_get0_param(ssl_handle.get());
X509_VERIFY_PARAM_set_hostflags(param, 0); X509_VERIFY_PARAM_set_hostflags(param, 0);
if (r_ip_address.is_ok()) { if (r_ip_address.is_ok() && !check_ip_address_as_host) {
LOG(DEBUG) << "Set verification IP address to " << r_ip_address.ok().get_ip_str(); LOG(DEBUG) << "Set verification IP address to " << r_ip_address.ok().get_ip_str();
X509_VERIFY_PARAM_set1_ip_asc(param, r_ip_address.ok().get_ip_str().c_str()); X509_VERIFY_PARAM_set1_ip_asc(param, r_ip_address.ok().get_ip_str().c_str());
} else { } else {
@ -509,9 +509,10 @@ SslStream::SslStream(SslStream &&) = default;
SslStream &SslStream::operator=(SslStream &&) = default; SslStream &SslStream::operator=(SslStream &&) = default;
SslStream::~SslStream() = default; SslStream::~SslStream() = default;
Result<SslStream> SslStream::create(CSlice host, CSlice cert_file, VerifyPeer verify_peer) { Result<SslStream> SslStream::create(CSlice host, CSlice cert_file, VerifyPeer verify_peer,
bool use_ip_address_as_host) {
auto impl = make_unique<detail::SslStreamImpl>(); auto impl = make_unique<detail::SslStreamImpl>();
TRY_STATUS(impl->init(host, cert_file, verify_peer)); TRY_STATUS(impl->init(host, cert_file, verify_peer, use_ip_address_as_host));
return SslStream(std::move(impl)); return SslStream(std::move(impl));
} }
SslStream::SslStream(unique_ptr<detail::SslStreamImpl> impl) : impl_(std::move(impl)) { SslStream::SslStream(unique_ptr<detail::SslStreamImpl> impl) : impl_(std::move(impl)) {
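Review bot: The new flag is spelled `check_ip_address_as_host` in `SslStreamImpl::init` and in the header declaration, but `use_ip_address_as_host` in the definition of `SslStream::create` (the lines under the `@ -509,9` hunk header), so the same option carries two names; the definition should use the header's name, i.e. `bool check_ip_address_as_host) {` and `TRY_STATUS(impl->init(host, cert_file, verify_peer, check_ip_address_as_host));`. In the `@ -317,7` hunk the condition `r_ip_address.is_ok() && !check_ip_address_as_host` means that, when the flag is set and `host` parses as an IP address, `X509_VERIFY_PARAM_set1_ip_asc` is skipped and the else branch runs; that branch is outside the hunk and presumably hands the IP literal to the host-name check, which is not the standard iPAddress-SAN match, so the reason a caller would opt in belongs next to the condition, e.g. `// Caller asked for an IP-literal host to be matched like a DNS name instead of via X509_VERIFY_PARAM_set1_ip_asc.` The body of `init` begins and ends outside the hunks shown.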


@ -25,7 +25,8 @@ class SslStream {
enum class VerifyPeer { On, Off }; enum class VerifyPeer { On, Off };
static Result<SslStream> create(CSlice host, CSlice cert_file = CSlice(), VerifyPeer verify_peer = VerifyPeer::On); static Result<SslStream> create(CSlice host, CSlice cert_file = CSlice(), VerifyPeer verify_peer = VerifyPeer::On,
bool check_ip_address_as_host = false);
ByteFlowInterface &read_byte_flow(); ByteFlowInterface &read_byte_flow();
ByteFlowInterface &write_byte_flow(); ByteFlowInterface &write_byte_flow();
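Review bot: The added `check_ip_address_as_host` parameter of `SslStream::create` is undocumented, and the name alone does not tell a caller what changes in certificate verification when it is set. A comment on the declaration would let callers judge the trade-off, e.g. `// check_ip_address_as_host: if true, a host given as an IP literal is not registered with X509_VERIFY_PARAM_set1_ip_asc and is verified through the same path as a DNS host name.` Keeping the default at `false` preserves existing callers' verification behaviour, which is the right choice for an option that alters how the peer certificate is matched.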