From patchwork Sun Nov 26 03:15:55 2017
X-Patchwork-Submitter: Steffan Karger
X-Patchwork-Id: 96
From: Steffan Karger
To: openvpn-devel@lists.sourceforge.net
Date: Sun, 26 Nov 2017 15:15:55 +0100
Message-Id: <20171126141555.25930-3-steffan@karger.me>
X-Mailer: git-send-email 2.14.1
In-Reply-To: <20171126141555.25930-1-steffan@karger.me>
References: <20171126141555.25930-1-steffan@karger.me>
Subject: [Openvpn-devel] [PATCH 3/3] tls_ctx_set_tls_versions: move verify_flags to where it is used

Minor cleanup of this function now that we are allowed to write C99: move (and rename) flags to the code where it's actually used to improve readability.

(I originally did this as part of the tls-version-{min,max} patch for openssl 1.1, but that made the diff hard to read.)

Signed-off-by: Steffan Karger
Acked-by: Gert Doering
---
 src/openvpn/ssl_openssl.c | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index 18c0ba5f..10d161ef 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -262,9 +262,6 @@ tls_ctx_set_options(struct tls_root_ctx *ctx, unsigned int ssl_flags) { ASSERT(NULL != ctx); - /* default certificate verification flags */ - int flags = SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT; - /* process SSL options */ long sslopt = SSL_OP_SINGLE_DH_USE | SSL_OP_NO_TICKET; #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE @@ -282,17 +279,18 @@ tls_ctx_set_options(struct tls_root_ctx *ctx, unsigned int ssl_flags) SSL_CTX_set_default_passwd_cb(ctx->ctx, pem_password_callback); /* Require peer certificate verification */ + int verify_flags = SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT; #if P2MP_SERVER if (ssl_flags & SSLF_CLIENT_CERT_NOT_REQUIRED) { - flags = 0; + verify_flags = 0; } else if (ssl_flags & SSLF_CLIENT_CERT_OPTIONAL) { - flags = SSL_VERIFY_PEER; + verify_flags = SSL_VERIFY_PEER; } #endif - SSL_CTX_set_verify(ctx->ctx, flags, verify_callback); + SSL_CTX_set_verify(ctx->ctx, verify_flags, verify_callback); SSL_CTX_set_info_callback(ctx->ctx, info_callback); }
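Review bot: In the first hunk (@@ -262,9 +262,6 @@), the function being edited is tls_ctx_set_options, as the hunk header shows, but the subject line names tls_ctx_set_tls_versions; the subject should read "tls_ctx_set_options: move verify_flags to where it is used" so that git log and blame point at the right function. Dropping the `/* default certificate verification flags */` comment together with the `int flags = SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT;` declaration is fine here, since the same default is re-declared at its single point of use in the second hunk and the verification policy does not change.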
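Review bot: In the second hunk (@@ -282,17 +279,18 @@), the new `int verify_flags = SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT;` now sits directly under the comment `/* Require peer certificate verification */`, yet the `#if P2MP_SERVER` block immediately below can relax it to `SSL_VERIFY_PEER` (SSLF_CLIENT_CERT_OPTIONAL) or to `0` (SSLF_CLIENT_CERT_NOT_REQUIRED); consider rewording the comment to something like "Peer certificate verification: required by default, relaxed below only for P2MP servers configured that way" so a reader does not take the strict default as unconditional. Behaviour is otherwise preserved: the rename is one-to-one across the two assignments and the `SSL_CTX_set_verify(ctx->ctx, verify_flags, verify_callback);` call, and on builds without P2MP_SERVER the strict default is the only value ever passed.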