From 253c81bb45b5b0f8eb074af74a21786068c34c73 Mon Sep 17 00:00:00 2001
From: Michael Jerris <mike@jerris.com>
Date: Tue, 16 Dec 2008 20:26:19 +0000
Subject: [PATCH] Wed Nov 26 12:42:31 CST 2008  Paulo Pizarro <paulo DOT
 pizarro AT gmail DOT com>   * tport: new tag TPTAG_TLS_VERIFY_PEER

  With this tag, the verification of certificates can be controlled:
  0: no verify certificates.
  1: on server mode, the certificate returned by client is checked and
     if fail the TLS/SSL handshake is immediately terminated.
  1: on client mode, the server certificate is verified and
     if fail the TLS/SSL handshake is immediately terminated.

  I added this tag because I would like my application not to connect to a
  server with an untrusted certificate.



git-svn-id: http://svn.freeswitch.org/svn/freeswitch/trunk@10824 d0543943-73ff-0310-b7d9-9358b9ac24b2
---
 libs/sofia-sip/.update                             |  2 +-
 .../libsofia-sip-ua/tport/sofia-sip/tport_tag.h    |  6 ++++++
 libs/sofia-sip/libsofia-sip-ua/tport/tport.c       |  2 +-
 libs/sofia-sip/libsofia-sip-ua/tport/tport_tag.c   | 14 ++++++++++++++
 libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.c   |  5 ++---
 libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.h   |  4 +++-
 .../libsofia-sip-ua/tport/tport_type_tls.c         |  4 ++++
 7 files changed, 31 insertions(+), 6 deletions(-)

diff --git a/libs/sofia-sip/.update b/libs/sofia-sip/.update
index cad5a4b37d..fc5cc4854e 100644
--- a/libs/sofia-sip/.update
+++ b/libs/sofia-sip/.update
@@ -1 +1 @@
-Tue Dec 16 14:21:26 CST 2008
+Tue Dec 16 14:24:06 CST 2008
diff --git a/libs/sofia-sip/libsofia-sip-ua/tport/sofia-sip/tport_tag.h b/libs/sofia-sip/libsofia-sip-ua/tport/sofia-sip/tport_tag.h
index 5201083dec..69a4e9a237 100644
--- a/libs/sofia-sip/libsofia-sip-ua/tport/sofia-sip/tport_tag.h
+++ b/libs/sofia-sip/libsofia-sip-ua/tport/sofia-sip/tport_tag.h
@@ -186,6 +186,12 @@ TPORT_DLL extern tag_typedef_t tptag_tls_version;
 TPORT_DLL extern tag_typedef_t tptag_tls_version_ref;
 #define TPTAG_TLS_VERSION_REF(x) tptag_tls_version_ref, tag_uint_vr(&(x))
 
+TPORT_DLL extern tag_typedef_t tptag_tls_verify_peer;
+#define TPTAG_TLS_VERIFY_PEER(x) tptag_tls_verify_peer, tag_uint_v((x))
+
+TPORT_DLL extern tag_typedef_t tptag_tls_verify_peer_ref;
+#define TPTAG_TLS_VERIFY_PEER_REF(x) tptag_tls_verify_peer_ref, tag_uint_vr(&(x))
+
 #if 0
 TPORT_DLL extern tag_typedef_t tptag_trusted;
 #define TPTAG_TRUSTED(x) tptag_trusted, tag_bool_v((x))
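Review bot: The new TPTAG_TLS_VERIFY_PEER(x) macro is the only place a caller sees the tag's contract, yet it carries no comment and the value type is an unbounded unsigned while tport_tls.c (this patch) honours exactly the value 1. A one-line comment above the declaration would close that gap: `/* TPTAG_TLS_VERIFY_PEER(x): 0 (default) = do not verify the peer certificate; 1 = verify it and abort the handshake on failure */`. Since only 0 and 1 are meaningful, `tag_bool_v` as used by the adjacent TPTAG_TRUSTED would express the contract more precisely, though keeping `tag_uint_v` matches TPTAG_TLS_VERSION directly above. The `_ref` typedef declared here is presumably defined by the generated tport_tag_ref.c rather than by hand, since tport_tag.c in this patch defines only `tptag_tls_verify_peer`; worth confirming in the build.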
diff --git a/libs/sofia-sip/libsofia-sip-ua/tport/tport.c b/libs/sofia-sip/libsofia-sip-ua/tport/tport.c
index aa20cb7b95..2ec321f553 100644
--- a/libs/sofia-sip/libsofia-sip-ua/tport/tport.c
+++ b/libs/sofia-sip/libsofia-sip-ua/tport/tport.c
@@ -1448,7 +1448,7 @@ int tport_bind_set(tport_master_t *mr,
  *
  * @TAGS
  * TPTAG_SERVER(), TPTAG_PUBLIC(), TPTAG_IDENT(), TPTAG_HTTP_CONNECT(),
- * TPTAG_CERTIFICATE(), TPTAG_TLS_VERSION(), and tags used with
+ * TPTAG_CERTIFICATE(), TPTAG_TLS_VERSION(), TPTAG_TLS_VERIFY_PEER, and tags used with
  * tport_set_params(), especially TPTAG_QUEUESIZE().
  */
 int tport_tbind(tport_t *self,
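Review bot: `TPTAG_TLS_VERIFY_PEER` is listed without the `()` suffix that every other tag on this @TAGS line carries, so Doxygen will not cross-link it and the list reads inconsistently. Change the added line to ` * TPTAG_CERTIFICATE(), TPTAG_TLS_VERSION(), TPTAG_TLS_VERIFY_PEER(), and tags used with`, wrapping after TPTAG_TLS_VERSION() if the project keeps comment lines under 80 columns.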
diff --git a/libs/sofia-sip/libsofia-sip-ua/tport/tport_tag.c b/libs/sofia-sip/libsofia-sip-ua/tport/tport_tag.c
index 8391015e26..fad42ffc7b 100644
--- a/libs/sofia-sip/libsofia-sip-ua/tport/tport_tag.c
+++ b/libs/sofia-sip/libsofia-sip-ua/tport/tport_tag.c
@@ -280,6 +280,20 @@ tag_typedef_t tptag_compartment = PTRTAG_TYPEDEF(compartment);
  */
 tag_typedef_t tptag_tls_version = UINTTAG_TYPEDEF(tls_version);
 
+/**@def TPTAG_TLS_VERIFY_PEER(x)
+ *
+ * The verification of certificates can be controlled:
+ * 0: no verify certificates;
+ * 1: on server mode, the certificate returned by client is checked
+ *    if fail the TLS/SSL handshake is immediately terminated;
+ * 1: on client mode, the server certificate is verified
+ *    if fail the TLS/SSL handshake is immediately terminated;
+ *
+ * Use with tport_tbind(), nua_create(), nta_agent_create(),
+ * nta_agent_add_tport(), nth_engine_create(), or initial nth_site_create().
+ */
+tag_typedef_t tptag_tls_verify_peer = UINTTAG_TYPEDEF(tls_verify_peer);
+
 /**@def TPTAG_QUEUESIZE(x)
  *
  * Specify the number of messages that can be queued per connection.
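Review bot: The new @def comment lists the value `1` twice with two different descriptions and says "no verify certificates" for `0`, which leaves a reader unsure whether the tag has two or three states and what happens when it is omitted. Rewrite the value list so it states that 0 is the default (tport_type_tls.c in this patch initialises `tls_verify = 0`) and disables peer certificate verification, and that 1 enables verification for both the server role (client certificate) and the client role (server certificate), aborting the handshake when chain validation fails. It would also help callers to say what the peer certificate is checked against: nothing in this patch compares the certificate to the peer's host name, so the check is chain validation against the configured CA material only, and the comment should not suggest more than that.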
diff --git a/libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.c b/libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.c
index 59987937a6..8b6bf09f0d 100644
--- a/libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.c
+++ b/libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.c
@@ -166,7 +166,7 @@ int tls_verify_cb(int ok, X509_STORE_CTX *store)
     SU_DEBUG_1(("  err %i:%s\n", err, X509_verify_cert_error_string(err)));
   }
 
-  return 1;			/* Always return "ok" */
+  return ok;
 }
 
 static
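Review bot: `return ok;` is the line that turns the verify flags into an enforced policy, and it deserves a comment saying so, because the previous `return 1` meant that even `SSL_VERIFY_PEER` (then reachable via the SSL_VERIFY_PEER environment variable) logged failures but accepted every certificate. Suggested: `return ok;  /* propagate OpenSSL's pre-verify result: under SSL_VERIFY_PEER a failed chain check aborts the handshake */`. Under SSL_VERIFY_NONE OpenSSL continues the handshake regardless of this return value, so the change only matters when verify_peer is set. tls_verify_cb's signature and the error-logging branch start above this hunk.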
@@ -265,8 +265,7 @@ int tls_init_context(tls_t *tls, tls_issues_t const *ti)
   SSL_CTX_set_verify_depth(tls->ctx, ti->verify_depth);
 
   SSL_CTX_set_verify(tls->ctx,
-		     getenv("SSL_VERIFY_PEER") ? SSL_VERIFY_PEER : SSL_VERIFY_NONE
-		     /* SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT */,
+		     ti->verify_peer == 1 ? SSL_VERIFY_PEER : SSL_VERIFY_NONE,
                      tls_verify_cb);
 
   if (!SSL_CTX_set_cipher_list(tls->ctx, ti->cipher)) {
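Review bot: On the server side `SSL_VERIFY_PEER` alone does not reject a client that sends no certificate at all, so the commit's stated server-mode semantics ("the certificate returned by client is checked and if fail the handshake is terminated") are not met: a client that simply omits its certificate completes the handshake. The removed comment already named the missing flag; `SSL_VERIFY_FAIL_IF_NO_PEER_CERT` is ignored in client mode, so it can be set unconditionally: `ti->verify_peer ? (SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT) : SSL_VERIFY_NONE,`. If admitting certificate-less clients is intended for SIP interoperability, the tag's documentation should say so instead. Note also that `== 1` makes any other non-zero value silently fall back to SSL_VERIFY_NONE, which is the fail-open direction, and that dropping the `getenv("SSL_VERIFY_PEER")` path means deployments that relied on that variable now get no verification unless they adopt the tag; that deserves a line in the commit message. tls_init_context continues outside the hunk.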
diff --git a/libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.h b/libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.h
index ad9d086672..f6fc2beaf3 100644
--- a/libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.h
+++ b/libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.h
@@ -48,7 +48,9 @@ typedef struct tls_s tls_t;
 extern char const tls_version[];
 
 typedef struct tls_issues_s {
-  int  verify_depth;    /* if 0, then do nothing                      */
+  int   verify_peer;    /* 0: no verify certificate, *
+                         * 1: if fail the TLS/SSL handshake is terminated. */
+  int   verify_depth;   /* if 0, then do nothing                      */
   int   configured;	/* If non-zero, complain about certificate errors */
   char *cert;		/* CERT file name. File format is PEM         */
   char *key;		/* Private key file. PEM format               */
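Review bot: The comment on `verify_peer` is split oddly (the stray `*` at the end of the first line is inside the comment) and does not say that the default is 0 or that tport_tls.c only honours the exact value 1. Suggested: `int   verify_peer;    /* 0 (default): do not verify the peer certificate; 1: verify it, abort the handshake on failure */`. Inserting the field ahead of `verify_depth` also changes the struct layout; the `tls_issues_t ti = {0}` initialiser in tport_type_tls.c is unaffected, but any positional initialiser elsewhere would silently shift (none is visible in this patch).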
diff --git a/libs/sofia-sip/libsofia-sip-ua/tport/tport_type_tls.c b/libs/sofia-sip/libsofia-sip-ua/tport/tport_type_tls.c
index f6d7dcf3a6..a9432bcaab 100644
--- a/libs/sofia-sip/libsofia-sip-ua/tport/tport_type_tls.c
+++ b/libs/sofia-sip/libsofia-sip-ua/tport/tport_type_tls.c
@@ -174,6 +174,7 @@ static int tport_tls_init_master(tport_primary_t *pri,
   char *tbf = NULL;
   char const *path = NULL;
   unsigned tls_version = 1;
+  unsigned tls_verify = 0;
   su_home_t autohome[SU_HOME_AUTO_SIZE(1024)];
   tls_issues_t ti = {0};
 
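Review bot: `unsigned tls_verify = 0;` is where peer verification becomes opt-in, and a reader scanning tport_tls_init_master cannot tell that from the bare initialiser; suggest `unsigned tls_verify = 0;   /* TPTAG_TLS_VERIFY_PEER: default 0, peer certificates are not verified */`. The variable is `unsigned` while the `verify_peer` field it is later copied into is `int` (tport_tls.h in this patch), which is harmless for 0 and 1 but will trip -Wconversion; declaring it `int` to match TPTAG_TLS_VERIFY_PEER's consumer avoids the warning. tport_tls_init_master continues outside the hunk.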
@@ -185,6 +186,7 @@ static int tport_tls_init_master(tport_primary_t *pri,
   tl_gets(tags,
 	  TPTAG_CERTIFICATE_REF(path),
 	  TPTAG_TLS_VERSION_REF(tls_version),
+	  TPTAG_TLS_VERIFY_PEER_REF(tls_verify),
 	  TAG_END());
 
   if (!path) {
@@ -195,6 +197,7 @@ static int tport_tls_init_master(tport_primary_t *pri,
   }
 
   if (path) {
+    ti.verify_peer = tls_verify;
     ti.verify_depth = 2;
     ti.configured = path != tbf;
     ti.randFile = su_sprintf(autohome, "%s/%s", path, "tls_seed.dat");
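Review bot: `ti.verify_peer = tls_verify;` enables verification without any comment on what the peer certificate is verified against, and the answer is not obvious from this hunk: the next hunk sets `ti.CAfile` to `cafile.pem` under the same `path` that holds the private key, and newly sets `ti.CApath` to that directory itself, a change the commit description does not mention. If CApath is handed to OpenSSL's verify locations (presumably in tport_tls.c, outside this patch), every certificate findable by hashed name in the key directory becomes a trust anchor when verify_peer is 1. Suggest a comment here such as `ti.verify_peer = tls_verify;   /* peer chain is validated against cafile.pem (and CApath) under 'path' below */` and a sentence in the commit message explaining why CApath is now set.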
@@ -202,6 +205,7 @@ static int tport_tls_init_master(tport_primary_t *pri,
     ti.cert = ti.key;
     ti.CAfile = su_sprintf(autohome, "%s/%s", path, "cafile.pem");
     ti.version = tls_version;
+    ti.CApath = su_strdup(autohome, path);
 
     SU_DEBUG_9(("%s(%p): tls key = %s\n", __func__, (void *)pri, ti.key));