Minor cleanup of this function now that we are allowed to write C99: move
(and rename) flags to the code where it's actually used to improve
readability.
(I originally did this as part of the tls-version-{min,max} patch for
openssl 1.1, but that made the diff hard to read.)
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20171126141555.25930-3-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15931.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
... | ... |
@@ -277,9 +277,6 @@ tls_ctx_set_options(struct tls_root_ctx *ctx, unsigned int ssl_flags) |
277 | 277 |
{ |
278 | 278 |
ASSERT(NULL != ctx); |
279 | 279 |
|
280 |
- /* default certificate verification flags */ |
|
281 |
- int flags = SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT; |
|
282 |
- |
|
283 | 280 |
/* process SSL options */ |
284 | 281 |
long sslopt = SSL_OP_SINGLE_DH_USE | SSL_OP_NO_TICKET; |
285 | 282 |
#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE |
... | ... |
@@ -301,17 +298,18 @@ tls_ctx_set_options(struct tls_root_ctx *ctx, unsigned int ssl_flags) |
301 | 301 |
SSL_CTX_set_default_passwd_cb(ctx->ctx, pem_password_callback); |
302 | 302 |
|
303 | 303 |
/* Require peer certificate verification */ |
304 |
+ int verify_flags = SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT; |
|
304 | 305 |
#if P2MP_SERVER |
305 | 306 |
if (ssl_flags & SSLF_CLIENT_CERT_NOT_REQUIRED) |
306 | 307 |
{ |
307 |
- flags = 0; |
|
308 |
+ verify_flags = 0; |
|
308 | 309 |
} |
309 | 310 |
else if (ssl_flags & SSLF_CLIENT_CERT_OPTIONAL) |
310 | 311 |
{ |
311 |
- flags = SSL_VERIFY_PEER; |
|
312 |
+ verify_flags = SSL_VERIFY_PEER; |
|
312 | 313 |
} |
313 | 314 |
#endif |
314 |
- SSL_CTX_set_verify(ctx->ctx, flags, verify_callback); |
|
315 |
+ SSL_CTX_set_verify(ctx->ctx, verify_flags, verify_callback); |
|
315 | 316 |
|
316 | 317 |
SSL_CTX_set_info_callback(ctx->ctx, info_callback); |
317 | 318 |
|