Wed Nov 26 12:42:31 CST 2008 Paulo Pizarro <paulo DOT pizarro AT gmail DOT com>

* tport: new tag TPTAG_TLS_VERIFY_PEER With this tag, the verification of certificates can be controlled: 0: no verify certificates. 1: on server mode, the certificate returned by client is checked and if fail the TLS/SSL handshake is immediately terminated. 1: on client mode, the server certificate is verified and if fail the TLS/SSL handshake is immediately terminated. I added this tag, because I'd like that my application not connected to a server with a untrusted certificate. git-svn-id: http://svn.freeswitch.org/svn/freeswitch/trunk@10824 d0543943-73ff-0310-b7d9-9358b9ac24b2
2008-12-16 20:26:19 +00:00 · 2008-12-16 20:26:19 +00:00 · 253c81bb45
parent 3294718a97
commit 253c81bb45
7 changed files with 31 additions and 6 deletions
--- a/libs/sofia-sip/.update
+++ b/libs/sofia-sip/.update
@ -1 +1 @@
-Tue Dec 16 14:21:26 CST 2008
+Tue Dec 16 14:24:06 CST 2008
--- a/libs/sofia-sip/libsofia-sip-ua/tport/sofia-sip/tport_tag.h
+++ b/libs/sofia-sip/libsofia-sip-ua/tport/sofia-sip/tport_tag.h
@ -186,6 +186,12 @@ TPORT_DLL extern tag_typedef_t tptag_tls_version;
 TPORT_DLL extern tag_typedef_t tptag_tls_version_ref;
 #define TPTAG_TLS_VERSION_REF(x) tptag_tls_version_ref, tag_uint_vr(&(x))

+TPORT_DLL extern tag_typedef_t tptag_tls_verify_peer;
+#define TPTAG_TLS_VERIFY_PEER(x) tptag_tls_verify_peer, tag_uint_v((x))
+
+TPORT_DLL extern tag_typedef_t tptag_tls_verify_peer_ref;
+#define TPTAG_TLS_VERIFY_PEER_REF(x) tptag_tls_verify_peer_ref, tag_uint_vr(&(x))
+
 #if 0
 TPORT_DLL extern tag_typedef_t tptag_trusted;
 #define TPTAG_TRUSTED(x) tptag_trusted, tag_bool_v((x))
--- a/libs/sofia-sip/libsofia-sip-ua/tport/tport.c
+++ b/libs/sofia-sip/libsofia-sip-ua/tport/tport.c
@ -1448,7 +1448,7 @@ int tport_bind_set(tport_master_t *mr,
 *
 * @TAGS
 * TPTAG_SERVER(), TPTAG_PUBLIC(), TPTAG_IDENT(), TPTAG_HTTP_CONNECT(),
- * TPTAG_CERTIFICATE(), TPTAG_TLS_VERSION(), and tags used with
+ * TPTAG_CERTIFICATE(), TPTAG_TLS_VERSION(), TPTAG_TLS_VERIFY_PEER, and tags used with
 * tport_set_params(), especially TPTAG_QUEUESIZE().
 */
 int tport_tbind(tport_t *self,
--- a/libs/sofia-sip/libsofia-sip-ua/tport/tport_tag.c
+++ b/libs/sofia-sip/libsofia-sip-ua/tport/tport_tag.c
@ -280,6 +280,20 @@ tag_typedef_t tptag_compartment = PTRTAG_TYPEDEF(compartment);
 */
 tag_typedef_t tptag_tls_version = UINTTAG_TYPEDEF(tls_version);

+/**@def TPTAG_TLS_VERIFY_PEER(x)
+ *
+ * The verification of certificates can be controlled:
+ * 0: no verify certificates;
+ * 1: on server mode, the certificate returned by client is checked
+ *    if fail the TLS/SSL handshake is immediately terminated;
+ * 1: on client mode, the server certificate is verified
+ *    if fail the TLS/SSL handshake is immediately terminated;
+ *
+ * Use with tport_tbind(), nua_create(), nta_agent_create(),
+ * nta_agent_add_tport(), nth_engine_create(), or initial nth_site_create().
+ */
+tag_typedef_t tptag_tls_verify_peer = UINTTAG_TYPEDEF(tls_verify_peer);
+
 /**@def TPTAG_QUEUESIZE(x)
 *
 * Specify the number of messages that can be queued per connection.
--- a/libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.c
+++ b/libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.c
@ -166,7 +166,7 @@ int tls_verify_cb(int ok, X509_STORE_CTX *store)
    SU_DEBUG_1(("  err %i:%s\n", err, X509_verify_cert_error_string(err)));
  }

-  return 1;			/* Always return "ok" */
+  return ok;
 }

 static
@ -265,8 +265,7 @@ int tls_init_context(tls_t *tls, tls_issues_t const *ti)
  SSL_CTX_set_verify_depth(tls->ctx, ti->verify_depth);

  SSL_CTX_set_verify(tls->ctx,
-		     getenv("SSL_VERIFY_PEER") ? SSL_VERIFY_PEER : SSL_VERIFY_NONE
-		     /* SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT */,
+		     ti->verify_peer == 1 ? SSL_VERIFY_PEER : SSL_VERIFY_NONE,
                     tls_verify_cb);

  if (!SSL_CTX_set_cipher_list(tls->ctx, ti->cipher)) {
--- a/libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.h
+++ b/libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.h
@ -48,7 +48,9 @@ typedef struct tls_s tls_t;
 extern char const tls_version[];

 typedef struct tls_issues_s {
-  int  verify_depth;    /* if 0, then do nothing                      */
+  int   verify_peer;    /* 0: no verify certificate, *
+                         * 1: if fail the TLS/SSL handshake is terminated. */
+  int   verify_depth;   /* if 0, then do nothing                      */
  int   configured;	/* If non-zero, complain about certificate errors */
  char *cert;		/* CERT file name. File format is PEM         */
  char *key;		/* Private key file. PEM format               */
--- a/libs/sofia-sip/libsofia-sip-ua/tport/tport_type_tls.c
+++ b/libs/sofia-sip/libsofia-sip-ua/tport/tport_type_tls.c
@ -174,6 +174,7 @@ static int tport_tls_init_master(tport_primary_t *pri,
  char *tbf = NULL;
  char const *path = NULL;
  unsigned tls_version = 1;
+  unsigned tls_verify = 0;
  su_home_t autohome[SU_HOME_AUTO_SIZE(1024)];
  tls_issues_t ti = {0};

@ -185,6 +186,7 @@ static int tport_tls_init_master(tport_primary_t *pri,
  tl_gets(tags,
 	  TPTAG_CERTIFICATE_REF(path),
 	  TPTAG_TLS_VERSION_REF(tls_version),
+	  TPTAG_TLS_VERIFY_PEER_REF(tls_verify),
 	  TAG_END());

  if (!path) {
@ -195,6 +197,7 @@ static int tport_tls_init_master(tport_primary_t *pri,
  }

  if (path) {
+    ti.verify_peer = tls_verify;
    ti.verify_depth = 2;
    ti.configured = path != tbf;
    ti.randFile = su_sprintf(autohome, "%s/%s", path, "tls_seed.dat");
@ -202,6 +205,7 @@ static int tport_tls_init_master(tport_primary_t *pri,
    ti.cert = ti.key;
    ti.CAfile = su_sprintf(autohome, "%s/%s", path, "cafile.pem");
    ti.version = tls_version;
+    ti.CApath = su_strdup(autohome, path);

    SU_DEBUG_9(("%s(%p): tls key = %s\n", __func__, (void *)pri, ti.key));