authorFelix Fietkau <nbd@openwrt.org>2014-03-15 16:01:06 +0100
committerFelix Fietkau <nbd@openwrt.org>2014-03-15 16:01:09 +0100
commit5bdc435399643c5526aafbeddc1dd905dffe4399 (patch)
tree28e39b4f1f65c7a38508994f66c3aeb144c6145a
parentf19b2ec17f0c3d663a5f349de07b12af40016902 (diff)
downloadustream-ssl-5bdc435399643c5526aafbeddc1dd905dffe4399.tar.gz
polarssl: enable client side ssl verification if a certificate was loaded
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
-rw-r--r--ustream-polarssl.c15
-rw-r--r--ustream-polarssl.h1
2 files changed, 9 insertions, 7 deletions
diff --git a/ustream-polarssl.c b/ustream-polarssl.c
index c0147ed..8516d7f 100644
--- a/ustream-polarssl.c
+++ b/ustream-polarssl.c
@@ -95,6 +95,7 @@ __ustream_ssl_context_new(bool server)
if (!ctx)
return NULL;
+ ctx->auth = SSL_VERIFY_NONE;
ctx->server = server;
#ifdef USE_VERSION_1_3
pk_init(&ctx->key);
@@ -117,6 +118,9 @@ __hidden int __ustream_ssl_set_crt_file(struct ustream_ssl_ctx *ctx, const char
if (ret)
return -1;
+ if (!ctx->server)
+ ctx->auth = SSL_VERIFY_OPTIONAL;
+
return 0;
}
@@ -256,7 +260,7 @@ static const int default_ciphersuites[] =
__hidden void *__ustream_ssl_session_new(struct ustream_ssl_ctx *ctx)
{
ssl_context *ssl;
- int ep, auth;
+ int ep;
ssl = calloc(1, sizeof(ssl_context));
if (!ssl)
@@ -267,17 +271,14 @@ __hidden void *__ustream_ssl_session_new(struct ustream_ssl_ctx *ctx)
return NULL;
}
- if (ctx->server) {
+ if (ctx->server)
ep = SSL_IS_SERVER;
- auth = SSL_VERIFY_NONE;
- } else {
+ else
ep = SSL_IS_CLIENT;
- auth = SSL_VERIFY_OPTIONAL;
- }
ssl_set_ciphersuites(ssl, default_ciphersuites);
ssl_set_endpoint(ssl, ep);
- ssl_set_authmode(ssl, auth);
+ ssl_set_authmode(ssl, ctx->auth);
ssl_set_rng(ssl, _urandom, NULL);
if (ctx->server) {
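Review bot: The verification this commit enables is still only advisory, because `ssl_set_authmode(ssl, ctx->auth)` receives `SSL_VERIFY_OPTIONAL` (assigned in the `__ustream_ssl_set_crt_file` hunk at @@ -117), and in PolarSSL that mode checks the peer chain but lets the handshake complete whatever the outcome; the caller only learns of a failed check by reading `ssl_get_verify_result()` after the handshake, and nothing in these hunks does so. If the commit message's intent is that a client with a certificate loaded rejects a bad server chain, the assignment should be `ctx->auth = SSL_VERIFY_REQUIRED;`, or the handshake-completion path outside this diff must consume the verify result and close the stream. Note also that `ctx->cert` sits beside `ctx->key` in the struct, which suggests it is the local certificate rather than a trust anchor, so unless a CA chain is installed elsewhere (ssl_set_ca_chain()) the peer check may have nothing to verify against — worth confirming. A comment at the assignment, e.g. `/* OPTIONAL only checks the chain; the result must be read via ssl_get_verify_result() */`, would make that contract visible. `__ustream_ssl_session_new` continues past the end of the hunk, so whether the result is consumed later in it cannot be confirmed from this diff.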
diff --git a/ustream-polarssl.h b/ustream-polarssl.h
index 70e8b42..1da2ff6 100644
--- a/ustream-polarssl.h
+++ b/ustream-polarssl.h
@@ -40,6 +40,7 @@ struct ustream_ssl_ctx {
rsa_context key;
#endif
x509_crt cert;
+ int auth;
bool server;
};
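Review bot: The new `auth` member holds an `SSL_VERIFY_*` constant that is later handed to `ssl_set_authmode()` in ustream-polarssl.c, but the field itself carries no hint of that, and an `int` accepts any value. A one-line comment, `int auth; /* SSL_VERIFY_* mode applied to every session created from this ctx */`, would document the contract; `struct ustream_ssl_ctx` begins above the hunk, so the full layout is not visible here.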