From bc10edb359e0b641234ca2ef1bdd48cecfe9be10 Mon Sep 17 00:00:00 2001
From: Andy Green
Date: Wed, 14 Dec 2016 19:27:46 +0800
Subject: [PATCH] client ssl add flag to control server cert hostname check

This is a simplified version of a patch that went on master before v2.1 675c349cc592b0d84df02382fac5617293a2965a It enforces hostname checking for client SSL certs; perviously it was not performed. On v2.1+, you can control if this checking is applied or not. But to avoid changing to public API, it is enforced on v2.0-stable. There is no legit reason to disable this check... if you want to disable it, upgrade to v2.1+ or stay on v2.0-stable behind this patch. https://github.com/warmcat/libwebsockets/issues/715
---
 lib/libwebsockets.h | 1 -
 lib/private-libwebsockets.h | 2 +-
 lib/ssl-client.c | 22 ++++++++++++----------
 3 files changed, 13 insertions(+), 12 deletions(-)

diff --git a/lib/libwebsockets.h b/lib/libwebsockets.h
index baa9aeac..c0f1a5de 100644
--- a/lib/libwebsockets.h
+++ b/lib/libwebsockets.h
@@ -349,7 +349,6 @@ enum lws_context_options {
 (1 << 12),
 LWS_SERVER_OPTION_LIBUV = (1 << 10),
 LWS_SERVER_OPTION_REDIRECT_HTTP_TO_HTTPS = (1 << 11) |
- (1 << 3) |
 (1 << 12),
 LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT = (1 << 12),
 LWS_SERVER_OPTION_EXPLICIT_VHOSTS = (1 << 13),
diff --git a/lib/private-libwebsockets.h b/lib/private-libwebsockets.h
index 4bd23c2a..402ba9cf 100644
--- a/lib/private-libwebsockets.h
+++ b/lib/private-libwebsockets.h
@@ -1272,7 +1272,7 @@ struct lws {
 unsigned int extension_data_pending:1;
 #endif
 #ifdef LWS_OPENSSL_SUPPORT
- unsigned int use_ssl:2;
+ unsigned int use_ssl:3;
 unsigned int upgraded:1;
 #endif
 #ifdef _WIN32
diff --git a/lib/ssl-client.c b/lib/ssl-client.c
index 904c77ac..637dcc93 100644
--- a/lib/ssl-client.c
+++ b/lib/ssl-client.c
@@ -53,13 +53,15 @@ lws_ssl_client_bio_create(struct lws *wsi)
 }
 #if defined LWS_HAVE_X509_VERIFY_PARAM_set1_host
- param = SSL_get0_param(wsi->ssl);
- /* Enable automatic hostname checks */
- X509_VERIFY_PARAM_set_hostflags(param,
- X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
- X509_VERIFY_PARAM_set1_host(param, hostname, 0);
- /* Configure a non-zero callback if desired */
- SSL_set_verify(wsi->ssl, SSL_VERIFY_PEER, 0);
+ {
+ param = SSL_get0_param(wsi->ssl);
+ /* Enable automatic hostname checks */
+ X509_VERIFY_PARAM_set_hostflags(param,
+ X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
+ X509_VERIFY_PARAM_set1_host(param, hostname, 0);
+ /* Configure a non-zero callback if desired */
+ SSL_set_verify(wsi->ssl, SSL_VERIFY_PEER, 0);
+ }
 #endif
 #ifndef USE_WOLFSSL
@@ -286,12 +288,12 @@ lws_ssl_client_connect2(struct lws *wsi)
 lws_latency_pre(context, wsi);
 n = SSL_get_verify_result(wsi->ssl);
 lws_latency(context, wsi,
- "SSL_get_verify_result LWS_CONNMODE..HANDSHAKE",
- n, n > 0);
+ "SSL_get_verify_result LWS_CONNMODE..HANDSHAKE", n, n > 0);
 if (n != X509_V_OK) {
 if ((n == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT ||
- n == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN) && wsi->use_ssl == 2) {
+ n == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN) &&
+ wsi->use_ssl == 2) {
 lwsl_notice("accepting self-signed certificate\n");
 } else {
 lwsl_err("server's cert didn't look good, X509_V_ERR = %d: %s\n",
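Review bot: The return value of `X509_VERIFY_PARAM_set1_host(param, hostname, 0)` in the added block is ignored, so if it fails (it can, on allocation) the handshake proceeds with chain verification only and no hostname binding, which is the very weakness this commit sets out to close; make the failure fatal, e.g. `if (!X509_VERIFY_PARAM_set1_host(param, hostname, 0)) return <this function's error value>;` (lws_ssl_client_bio_create begins and ends outside the hunk, so its error convention is not visible here). Likewise, when `LWS_HAVE_X509_VERIFY_PARAM_set1_host` is undefined the whole check compiles away silently, so on such OpenSSL builds nothing is enforced despite the commit message; an `#else` branch with at least `lwsl_err("hostname verification not available in this SSL build\n");`, or `#error` if the project would rather refuse such a build, would make that visible. The bare `{ ... }` around the block scopes nothing and is a vestige of the condition dropped from the master version; it can go. One interaction worth confirming: with a NULL verify callback OpenSSL stops at the first verification error, so in the `wsi->use_ssl == 2` path of the following hunk a self-signed peer is presumably accepted before the hostname check is ever reached, meaning that mode may still skip hostname verification.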