From 9574ba27f74aa8fc2e71feef48535d7382fab6ff Mon Sep 17 00:00:00 2001 From: Marc Olivier Chouinard Date: Sun, 18 Dec 2011 11:54:38 -0500 Subject: [PATCH] FS-3071 I've finally merged it all. It all look good, shouldn't affect anyone who didn't set those value --- conf/sip_profiles/external.xml | 8 +++-- conf/sip_profiles/internal.xml | 8 +++-- src/mod/endpoints/mod_sofia/mod_sofia.h | 3 ++ src/mod/endpoints/mod_sofia/sofia.c | 12 +++++++ src/mod/endpoints/mod_sofia/sofia_glue.c | 41 ++++++++++++++++-------- 5 files changed, 52 insertions(+), 20 deletions(-) diff --git a/conf/sip_profiles/external.xml b/conf/sip_profiles/external.xml index afdc1e4376..4cd2836556 100644 --- a/conf/sip_profiles/external.xml +++ b/conf/sip_profiles/external.xml @@ -77,17 +77,19 @@ + + - + + + - - diff --git a/conf/sip_profiles/internal.xml b/conf/sip_profiles/internal.xml index 3a885970d1..49bfcc960a 100644 --- a/conf/sip_profiles/internal.xml +++ b/conf/sip_profiles/internal.xml @@ -184,17 +184,19 @@ + + - + + + - - diff --git a/src/mod/endpoints/mod_sofia/mod_sofia.h b/src/mod/endpoints/mod_sofia/mod_sofia.h index 321a52d689..f148d99fdd 100644 --- a/src/mod/endpoints/mod_sofia/mod_sofia.h +++ b/src/mod/endpoints/mod_sofia/mod_sofia.h @@ -122,6 +122,7 @@ typedef struct private_object private_object_t; #include #include #include +#include #include #include #include @@ -644,6 +645,8 @@ struct sofia_profile { enum tport_tls_verify_policy tls_verify_policy; int tls_verify_depth; char *tls_passphrase; + char *tls_verify_in_subjects_str; + su_strlst_t *tls_verify_in_subjects; }; struct private_object { diff --git a/src/mod/endpoints/mod_sofia/sofia.c b/src/mod/endpoints/mod_sofia/sofia.c index c078e2a0d3..c02c4789e4 100644 --- a/src/mod/endpoints/mod_sofia/sofia.c +++ b/src/mod/endpoints/mod_sofia/sofia.c 
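Review bot: The two members added to struct sofia_profile in the second mod_sofia.h hunk carry no comment about where the list comes from or who releases it, and the `_str`/list pair is easy to confuse. I would annotate them: `char *tls_verify_in_subjects_str; /* raw tls-verify-in-subjects config value, '|'-separated */` and `su_strlst_t *tls_verify_in_subjects; /* split from _str at profile start; only applied when the policy includes subjects_in */`. The split itself happens in sofia_profile_thread_run in the sofia.c part of this patch, so the header is the natural place to record the lifetime, including when the list is released.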
@@ -1857,6 +1857,11 @@ void *SWITCH_THREAD_FUNC sofia_profile_thread_run(switch_thread_t *thread, void
 }
 }
+ /* We have to init the verify_subjects here as during config stage profile->home isn't setup, it should be freed when profile->home is freed */
+ if ( (profile->tls_verify_policy & TPTLS_VERIFY_SUBJECTS_IN) && profile->tls_verify_in_subjects_str && ! profile->tls_verify_in_subjects) {
+ profile->tls_verify_in_subjects = su_strlst_dup_split((su_home_t *)profile->nua, profile->tls_verify_in_subjects_str, "|");
+ }
+
 profile->nua = nua_create(profile->s_root, /* Event loop */
 sofia_event_callback, /* Callback for processing events */
 profile, /* Additional data to pass to callback */
@@ -1878,6 +1883,8 @@ void *SWITCH_THREAD_FUNC sofia_profile_thread_run(switch_thread_t *thread, void
 TPTAG_TLS_VERIFY_DEPTH(profile->tls_verify_depth)),
 TAG_IF(sofia_test_pflag(profile, PFLAG_TLS),
 TPTAG_TLS_VERIFY_DATE(! profile->tls_no_verify_date)),
+ TAG_IF(sofia_test_pflag(profile, PFLAG_TLS) && profile->tls_verify_in_subjects,
+ TPTAG_TLS_VERIFY_SUBJECTS(profile->tls_verify_in_subjects)),
 TAG_IF(sofia_test_pflag(profile, PFLAG_TLS),
 TPTAG_TLS_VERSION(profile->tls_version)),
 TAG_IF(!strchr(profile->sipip, ':'),
@@ -3632,6 +3639,9 @@ switch_status_t config_sofia(int reload, char *profile_name)
 sofia_profile_start_failure(NULL, xprofilename);
 goto done;
 }
+ profile->tls_verify_policy = TPTLS_VERIFY_NONE;
+ /* lib default */
+ profile->tls_verify_depth = 2;
 switch_mutex_init(&profile->gw_mutex, SWITCH_MUTEX_NESTED, pool);
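Review bot: `su_strlst_dup_split((su_home_t *)profile->nua, ...)` in the first hunk runs before the `profile->nua = nua_create(...)` statement that immediately follows it, so the home it allocates from is whatever profile->nua held beforehand — on a freshly configured profile that is presumably NULL, which makes the list an unparented allocation rather than one freed with the profile as the added comment claims. Because the list has to exist before nua_create (the second hunk passes it in via TPTAG_TLS_VERIFY_SUBJECTS), allocate it from profile->home if that home is already created earlier in sofia_profile_thread_run, otherwise from NULL with an explicit su_strlst_destroy() when the profile is torn down, and reword the comment to say which. The `! profile->tls_verify_in_subjects` guard would also let a stale list from an earlier start be reused after `_str` changed, so drop it unless re-entry of this function with an existing list is intended. sofia_profile_thread_run starts and ends outside the hunk.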
@@ -4428,6 +4438,8 @@ switch_status_t config_sofia(int reload, char *profile_name)
 profile->tls_cert_dir = switch_core_strdup(profile->pool, val);
 } else if (!strcasecmp(var, "tls-passphrase")) {
 profile->tls_passphrase = switch_core_strdup(profile->pool, val);
+ } else if (!strcasecmp(var, "tls-verify-in-subjects")) {
+ profile->tls_verify_in_subjects_str = switch_core_strdup(profile->pool, val);
 } else if (!strcasecmp(var, "tls-version")) {
 if (!strcasecmp(val, "tlsv1")) {
diff --git a/src/mod/endpoints/mod_sofia/sofia_glue.c b/src/mod/endpoints/mod_sofia/sofia_glue.c
index 2e7e85c463..472efe9003 100644
--- a/src/mod/endpoints/mod_sofia/sofia_glue.c
+++ b/src/mod/endpoints/mod_sofia/sofia_glue.c
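Review bot: The `tls-verify-in-subjects` value is stored here without any indication that it may never be used: the sofia.c hunk in this patch only splits and applies it when tls_verify_policy includes TPTLS_VERIFY_SUBJECTS_IN, so a profile that sets the subject allow-list but leaves tls-verify-policy at in/out/all silently gets no subject check. A warning at the point where the final policy is known would surface that misconfiguration; at minimum I would add `/* NOTE: only applied when tls-verify-policy contains subjects_in; see sofia_profile_thread_run */` on this assignment. config_sofia continues outside the hunk.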
@@ -1143,21 +1143,34 @@ sofia_transport_t sofia_glue_str2transport(const char *str)
 }
 enum tport_tls_verify_policy sofia_glue_str2tls_verify_policy(const char * str){
- if (!strcasecmp(str, "in")) {
- return TPTLS_VERIFY_IN;
- } else if (!strcasecmp(str, "out")) {
- return TPTLS_VERIFY_OUT;
- } else if (!strcasecmp(str, "all")) {
- return TPTLS_VERIFY_ALL;
- } else if (!strcasecmp(str, "subjects_in")) {
- return TPTLS_VERIFY_SUBJECTS_IN;
- } else if (!strcasecmp(str, "subjects_out")) {
- return TPTLS_VERIFY_SUBJECTS_OUT;
- } else if (!strcasecmp(str, "subjects_all")) {
- return TPTLS_VERIFY_SUBJECTS_ALL;
- }
+ char *ptr_next;
+ int len;
+ enum tport_tls_verify_policy ret;
+ char *ptr_cur = (char *) str;
+ ret = TPTLS_VERIFY_NONE;
- return TPTLS_VERIFY_NONE;
+ while (ptr_cur) {
+ if ((ptr_next = strchr(ptr_cur, '|'))) {
+ len = ptr_next++ - ptr_cur;
+ } else {
+ len = strlen(ptr_cur);
+ }
+ if (!strncasecmp(ptr_cur, "in",len)) {
+ ret |= TPTLS_VERIFY_IN;
+ } else if (!strncasecmp(ptr_cur, "out",len)) {
+ ret |= TPTLS_VERIFY_OUT;
+ } else if (!strncasecmp(ptr_cur, "all",len)) {
+ ret |= TPTLS_VERIFY_ALL;
+ } else if (!strncasecmp(ptr_cur, "subjects_in",len)) {
+ ret |= TPTLS_VERIFY_SUBJECTS_IN;
+ } else if (!strncasecmp(ptr_cur, "subjects_out",len)) {
+ ret |= TPTLS_VERIFY_SUBJECTS_OUT;
+ } else if (!strncasecmp(ptr_cur, "subjects_all",len)) {
+ ret |= TPTLS_VERIFY_SUBJECTS_ALL;
+ }
+ ptr_cur = ptr_next;
+ }
+ return ret;
 }
 char *sofia_glue_find_parameter_value(switch_core_session_t *session, const char *str, const char *param)
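Review bot: The token comparisons use `strncasecmp(ptr_cur, kw, len)` with len taken from the token, so a token that is a prefix of a keyword is accepted (`i` enables in, `subjects_` enables subjects_in) and an empty token from a doubled or trailing `|` has len 0 and unconditionally matches the first branch, enabling TPTLS_VERIFY_IN. Unrecognised tokens are dropped without a log, so a misspelt value such as `subject_in` yields TPTLS_VERIFY_NONE — no certificate verification — with nothing telling the operator, which is the wrong failure direction for a TLS policy. Matching on the exact keyword length and logging unknown tokens fixes both; `len` should also become `size_t` since it receives a strlen() result. The `ptr_next++ - ptr_cur` post-increment inside the subtraction is correct but easy to misread, and `len = ptr_next - ptr_cur; ptr_next++;` says the same thing plainly.

```c
/* True when the token [tok, tok+len) equals kw, case-insensitively and in full. */
static int tls_policy_token_is(const char *tok, size_t len, const char *kw)
{
	return strlen(kw) == len && !strncasecmp(tok, kw, len);
}

enum tport_tls_verify_policy sofia_glue_str2tls_verify_policy(const char * str){
	char *ptr_next;
	size_t len;
	/* … unchanged: ret / ptr_cur setup and the while loop head … */
		if ((ptr_next = strchr(ptr_cur, '|'))) {
			len = ptr_next - ptr_cur;
			ptr_next++;
		} else {
			len = strlen(ptr_cur);
		}
		if (len == 0) {
			/* empty token from "a||b" or a trailing '|': nothing to match */
		} else if (tls_policy_token_is(ptr_cur, len, "in")) {
			ret |= TPTLS_VERIFY_IN;
		} else if (tls_policy_token_is(ptr_cur, len, "out")) {
			ret |= TPTLS_VERIFY_OUT;
		} else if (tls_policy_token_is(ptr_cur, len, "all")) {
			ret |= TPTLS_VERIFY_ALL;
		} else if (tls_policy_token_is(ptr_cur, len, "subjects_in")) {
			ret |= TPTLS_VERIFY_SUBJECTS_IN;
		} else if (tls_policy_token_is(ptr_cur, len, "subjects_out")) {
			ret |= TPTLS_VERIFY_SUBJECTS_OUT;
		} else if (tls_policy_token_is(ptr_cur, len, "subjects_all")) {
			ret |= TPTLS_VERIFY_SUBJECTS_ALL;
		} else {
			/* an unknown token must not silently weaken the resulting policy */
			switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_WARNING,
							  "Ignoring unknown tls-verify-policy token '%.*s'\n", (int) len, ptr_cur);
		}
		/* … unchanged: ptr_cur = ptr_next; loop end and return ret … */
```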