[Openvpn-devel,3/3] tls_ctx_set_tls_versions: move verify_flags to where it is used

Message ID 20171126141555.25930-3-steffan@karger.me
State Accepted
Headers show
Series
  • [Openvpn-devel,1/3] Fix --tls-version-min and --tls-version-max for OpenSSL 1.1+
Related show

Commit Message

Steffan Karger Nov. 26, 2017, 2:15 p.m.
Minor cleanup of this function now that we are allowed to write C99: move
(and rename) flags to the code where it's actually used to improve
readability.

(I originally did this as part of the tls-version-{min,max} patch for
openssl 1.1, but that made the diff hard to read.)

Signed-off-by: Steffan Karger <steffan@karger.me>
---
 src/openvpn/ssl_openssl.c | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

Comments

Gert Doering Jan. 20, 2018, 1:49 p.m. | #1
Acked-by: Gert Doering <gert@greenie.muc.de>

Cleanup, no effective code change.

Your patch has been applied to the master branch.

commit e05aca4517b666740b384399348b995a3a646629
Author: Steffan Karger
Date:   Sun Nov 26 15:15:55 2017 +0100

     tls_ctx_set_tls_versions: move verify_flags to where it is used

     Signed-off-by: Steffan Karger <steffan@karger.me>
     Acked-by: Gert Doering <gert@greenie.muc.de>
     Message-Id: <20171126141555.25930-3-steffan@karger.me>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15931.html
     Signed-off-by: Gert Doering <gert@greenie.muc.de>


--
kind regards,

Gert Doering


------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot

Patch

diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index 18c0ba5f..10d161ef 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -262,9 +262,6 @@  tls_ctx_set_options(struct tls_root_ctx *ctx, unsigned int ssl_flags)
 {
     ASSERT(NULL != ctx);
 
-    /* default certificate verification flags */
-    int flags = SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
-
     /* process SSL options */
     long sslopt = SSL_OP_SINGLE_DH_USE | SSL_OP_NO_TICKET;
 #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
@@ -282,17 +279,18 @@  tls_ctx_set_options(struct tls_root_ctx *ctx, unsigned int ssl_flags)
     SSL_CTX_set_default_passwd_cb(ctx->ctx, pem_password_callback);
 
     /* Require peer certificate verification */
+    int verify_flags = SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
 #if P2MP_SERVER
     if (ssl_flags & SSLF_CLIENT_CERT_NOT_REQUIRED)
     {
-        flags = 0;
+        verify_flags = 0;
     }
     else if (ssl_flags & SSLF_CLIENT_CERT_OPTIONAL)
     {
-        flags = SSL_VERIFY_PEER;
+        verify_flags = SSL_VERIFY_PEER;
     }
 #endif
-    SSL_CTX_set_verify(ctx->ctx, flags, verify_callback);
+    SSL_CTX_set_verify(ctx->ctx, verify_flags, verify_callback);
 
     SSL_CTX_set_info_callback(ctx->ctx, info_callback);
 }