diff --git a/libs/sofia-sip/.update b/libs/sofia-sip/.update
index cad5a4b37d..fc5cc4854e 100644
--- a/libs/sofia-sip/.update
+++ b/libs/sofia-sip/.update
@@ -1 +1 @@
-Tue Dec 16 14:21:26 CST 2008
+Tue Dec 16 14:24:06 CST 2008
diff --git a/libs/sofia-sip/libsofia-sip-ua/tport/sofia-sip/tport_tag.h b/libs/sofia-sip/libsofia-sip-ua/tport/sofia-sip/tport_tag.h
index 5201083dec..69a4e9a237 100644
--- a/libs/sofia-sip/libsofia-sip-ua/tport/sofia-sip/tport_tag.h
+++ b/libs/sofia-sip/libsofia-sip-ua/tport/sofia-sip/tport_tag.h
@@ -186,6 +186,12 @@ TPORT_DLL extern tag_typedef_t tptag_tls_version;
 TPORT_DLL extern tag_typedef_t tptag_tls_version_ref;
 #define TPTAG_TLS_VERSION_REF(x) tptag_tls_version_ref, tag_uint_vr(&(x))
+TPORT_DLL extern tag_typedef_t tptag_tls_verify_peer;
+#define TPTAG_TLS_VERIFY_PEER(x) tptag_tls_verify_peer, tag_uint_v((x))
+
+TPORT_DLL extern tag_typedef_t tptag_tls_verify_peer_ref;
+#define TPTAG_TLS_VERIFY_PEER_REF(x) tptag_tls_verify_peer_ref, tag_uint_vr(&(x))
+
 #if 0
 TPORT_DLL extern tag_typedef_t tptag_trusted;
 #define TPTAG_TRUSTED(x) tptag_trusted, tag_bool_v((x))
diff --git a/libs/sofia-sip/libsofia-sip-ua/tport/tport.c b/libs/sofia-sip/libsofia-sip-ua/tport/tport.c
index aa20cb7b95..2ec321f553 100644
--- a/libs/sofia-sip/libsofia-sip-ua/tport/tport.c
+++ b/libs/sofia-sip/libsofia-sip-ua/tport/tport.c
@@ -1448,7 +1448,7 @@ int tport_bind_set(tport_master_t *mr,
 *
 * @TAGS
 * TPTAG_SERVER(), TPTAG_PUBLIC(), TPTAG_IDENT(), TPTAG_HTTP_CONNECT(),
- * TPTAG_CERTIFICATE(), TPTAG_TLS_VERSION(), and tags used with
+ * TPTAG_CERTIFICATE(), TPTAG_TLS_VERSION(), TPTAG_TLS_VERIFY_PEER, and tags used with
 * tport_set_params(), especially TPTAG_QUEUESIZE().
 */
 int tport_tbind(tport_t *self,
diff --git a/libs/sofia-sip/libsofia-sip-ua/tport/tport_tag.c b/libs/sofia-sip/libsofia-sip-ua/tport/tport_tag.c
index 8391015e26..fad42ffc7b 100644
--- a/libs/sofia-sip/libsofia-sip-ua/tport/tport_tag.c
+++ b/libs/sofia-sip/libsofia-sip-ua/tport/tport_tag.c
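Review bot: The new entry in the tport_tbind() @TAGS list is written `TPTAG_TLS_VERIFY_PEER,` while every neighbouring entry carries `()`, so Doxygen will not link it to the macro the way it links `TPTAG_TLS_VERSION()`; change the line to ` * TPTAG_CERTIFICATE(), TPTAG_TLS_VERSION(), TPTAG_TLS_VERIFY_PEER(), and tags used with`. Since the same commit makes no verification the default (`unsigned tls_verify = 0;` in tport_type_tls.c), it would save callers a lookup to say so here, e.g. `TPTAG_TLS_VERIFY_PEER() (peer verification is off unless set to 1)`. tport_tbind()'s body lies outside the hunk.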
@@ -280,6 +280,20 @@ tag_typedef_t tptag_compartment = PTRTAG_TYPEDEF(compartment);
 */
 tag_typedef_t tptag_tls_version = UINTTAG_TYPEDEF(tls_version);
+/**@def TPTAG_TLS_VERIFY_PEER(x)
+ *
+ * The verification of certificates can be controlled:
+ * 0: no verify certificates;
+ * 1: on server mode, the certificate returned by client is checked
+ * if fail the TLS/SSL handshake is immediately terminated;
+ * 1: on client mode, the server certificate is verified
+ * if fail the TLS/SSL handshake is immediately terminated;
+ *
+ * Use with tport_tbind(), nua_create(), nta_agent_create(),
+ * nta_agent_add_tport(), nth_engine_create(), or initial nth_site_create().
+ */
+tag_typedef_t tptag_tls_verify_peer = UINTTAG_TYPEDEF(tls_verify_peer);
+
 /**@def TPTAG_QUEUESIZE(x)
 *
 * Specify the number of messages that can be queued per connection.
diff --git a/libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.c b/libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.c
index 59987937a6..8b6bf09f0d 100644
--- a/libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.c
+++ b/libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.c
@@ -166,7 +166,7 @@ int tls_verify_cb(int ok, X509_STORE_CTX *store)
 SU_DEBUG_1((" err %i:%s\n", err, X509_verify_cert_error_string(err)));
 }
- return 1; /* Always return "ok" */
+ return ok;
 }
 static
@@ -265,8 +265,7 @@ int tls_init_context(tls_t *tls, tls_issues_t const *ti)
 SSL_CTX_set_verify_depth(tls->ctx, ti->verify_depth);
 SSL_CTX_set_verify(tls->ctx,
- getenv("SSL_VERIFY_PEER") ? SSL_VERIFY_PEER : SSL_VERIFY_NONE
- /* SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT */,
+ ti->verify_peer == 1 ? SSL_VERIFY_PEER : SSL_VERIFY_NONE,
 tls_verify_cb);
 if (!SSL_CTX_set_cipher_list(tls->ctx, ti->cipher)) {
diff --git a/libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.h b/libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.h
index ad9d086672..f6fc2beaf3 100644
--- a/libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.h
+++ b/libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.h
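Review bot: The TPTAG_TLS_VERIFY_PEER(x) documentation omits the default and the effect of values outside 0 and 1, both of which this commit fixes elsewhere: tport_type_tls.c initialises the tag to 0 and tls_init_context() maps anything other than exactly 1 to SSL_VERIFY_NONE. I would reword the value list to ` * 0: do not verify the peer certificate (default);` and ` * 1: verify the peer certificate; a failed verification aborts the TLS handshake;` and add ` * Any other value is currently treated as 0.`. The server-mode clause should also say what happens when the client presents no certificate at all, because "if fail the TLS/SSL handshake is immediately terminated" reads as if such a client were rejected, and with the SSL_CTX_set_verify flags chosen in this commit it is not.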
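Review bot: `ti->verify_peer == 1 ? SSL_VERIFY_PEER : SSL_VERIFY_NONE` silently disables verification for any value other than exactly 1, so a caller passing 2 or a nonzero "true" gets an unverified connection with no error; test against zero instead, `ti->verify_peer ? SSL_VERIFY_PEER : SSL_VERIFY_NONE,`, and reject out-of-range values where the tag is read. Separately, SSL_VERIFY_PEER on its own only fails the handshake when a certificate is presented and is bad; a server context with this flag still accepts a client that sends no certificate, which requires SSL_VERIFY_FAIL_IF_NO_PEER_CERT — the comment this hunk deletes was pointing at exactly that combination. The tag documentation added in tport_tag.c promises termination on failure in server mode, so either OR the flag in when the context is used for accepting or document the gap. Whether one tls_issues_t serves both client and server contexts is not visible here; tls_init_context() continues outside the hunk.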
@@ -48,7 +48,9 @@ typedef struct tls_s tls_t;
 extern char const tls_version[];
 typedef struct tls_issues_s {
- int verify_depth; /* if 0, then do nothing */
+ int verify_peer; /* 0: no verify certificate, * * 1: if fail the TLS/SSL handshake is terminated. */
+ int verify_depth; /* if 0, then do nothing */
 int configured; /* If non-zero, complain about certificate errors */
 char *cert; /* CERT file name. File format is PEM */
 char *key; /* Private key file. PEM format */
diff --git a/libs/sofia-sip/libsofia-sip-ua/tport/tport_type_tls.c b/libs/sofia-sip/libsofia-sip-ua/tport/tport_type_tls.c
index f6d7dcf3a6..a9432bcaab 100644
--- a/libs/sofia-sip/libsofia-sip-ua/tport/tport_type_tls.c
+++ b/libs/sofia-sip/libsofia-sip-ua/tport/tport_type_tls.c
@@ -174,6 +174,7 @@ static int tport_tls_init_master(tport_primary_t *pri,
 char *tbf = NULL;
 char const *path = NULL;
 unsigned tls_version = 1;
+ unsigned tls_verify = 0;
 su_home_t autohome[SU_HOME_AUTO_SIZE(1024)];
 tls_issues_t ti = {0};
@@ -185,6 +186,7 @@ static int tport_tls_init_master(tport_primary_t *pri,
 tl_gets(tags,
 TPTAG_CERTIFICATE_REF(path),
 TPTAG_TLS_VERSION_REF(tls_version),
+ TPTAG_TLS_VERIFY_PEER_REF(tls_verify),
 TAG_END());
 if (!path) {
@@ -195,6 +197,7 @@ static int tport_tls_init_master(tport_primary_t *pri,
 }
 if (path) {
+ ti.verify_peer = tls_verify;
 ti.verify_depth = 2;
 ti.configured = path != tbf;
 ti.randFile = su_sprintf(autohome, "%s/%s", path, "tls_seed.dat");
@@ -202,6 +205,7 @@ static int tport_tls_init_master(tport_primary_t *pri,
 ti.cert = ti.key;
 ti.CAfile = su_sprintf(autohome, "%s/%s", path, "cafile.pem");
 ti.version = tls_version;
+ ti.CApath = su_strdup(autohome, path);
 SU_DEBUG_9(("%s(%p): tls key = %s\n", __func__, (void *)pri, ti.key));
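Review bot: `unsigned tls_verify = 0;` makes "accept any certificate" the default for every TLS transport that does not pass TPTAG_TLS_VERIFY_PEER(1), and nothing in tport_tls_init_master() records that choice at runtime. An insecure-by-default switch in a TLS stack should at least be visible: log it where the value is copied into the issues struct, e.g. `if (!tls_verify) SU_DEBUG_1(("%s(%p): TLS peer verification disabled\n", __func__, (void *)pri));`, and put a one-line comment on the declaration saying why 0 is the default (presumably compatibility with callers that never set the tag). The later `ti.verify_peer = tls_verify;` also narrows unsigned into the int field silently, harmless for 0/1 but worth an explicit check if other values are ever accepted. tport_tls_init_master() begins and ends outside these hunks.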