Hello,
This patch adds support to a new tag called TPTAG_TLS_VERIFY_PEER.
With this tag, the verification of certificates can be controlled:
0: no verify certificates.
1: on server mode, the certificate returned by client is checked and if fail
the TLS/SSL handshake is immediately terminated.
1: on client mode, the server certificate is verified and if fail the
TLS/SSL handshake is immediately terminated.
I added this tag because I'd like my application not to connect to a
server with an untrusted certificate.
Thankx,
Paulo Pizarro
Index: libsofia-sip-ua/tport/tport_tls.h
===================================================================
--- libsofia-sip-ua/tport/tport_tls.h (revision 18493)
+++ libsofia-sip-ua/tport/tport_tls.h (working copy)
@@ -48,7 +48,9 @@
extern char const tls_version[];
typedef struct tls_issues_s {
- int verify_depth; /* if 0, then do nothing */
+ int verify_peer; /* 0: no verify certificate, *
+ * 1: if fail the TLS/SSL handshake is terminated. */
+ int verify_depth; /* if 0, then do nothing */
int configured; /* If non-zero, complain about certificate errors */
char *cert; /* CERT file name. File format is PEM */
char *key; /* Private key file. PEM format */
Index: libsofia-sip-ua/tport/tport_tag_ref.c
===================================================================
--- libsofia-sip-ua/tport/tport_tag_ref.c (revision 18493)
+++ libsofia-sip-ua/tport/tport_tag_ref.c (working copy)
@@ -79,6 +79,9 @@
extern tag_typedef_t tptag_tls_version;
EXPORT tag_typedef_t tptag_tls_version_ref =
REFTAG_TYPEDEF(tptag_tls_version);
+extern tag_typedef_t tptag_tls_verify_peer;
+EXPORT tag_typedef_t tptag_tls_verify_peer_ref =
+ REFTAG_TYPEDEF(tptag_tls_verify_peer);
extern tag_typedef_t tptag_queuesize;
EXPORT tag_typedef_t tptag_queuesize_ref =
REFTAG_TYPEDEF(tptag_queuesize);
Index: libsofia-sip-ua/tport/tport_tag.c
===================================================================
--- libsofia-sip-ua/tport/tport_tag.c (revision 18493)
+++ libsofia-sip-ua/tport/tport_tag.c (working copy)
@@ -280,6 +280,20 @@
*/
tag_typedef_t tptag_tls_version = UINTTAG_TYPEDEF(tls_version);
+/[EMAIL PROTECTED] TPTAG_TLS_VERIFY_PEER(x)
+ *
+ * The verification of certificates can be controlled:
+ * 0: no verify certificates;
+ * 1: on server mode, the certificate returned by client is checked
+ * if fail the TLS/SSL handshake is immediately terminated;
+ * 1: on client mode, the server certificate is verified
+ * if fail the TLS/SSL handshake is immediately terminated;
+ *
+ * Use with tport_tbind(), nua_create(), nta_agent_create(),
+ * nta_agent_add_tport(), nth_engine_create(), or initial nth_site_create().
+ */
+tag_typedef_t tptag_tls_verify_peer = UINTTAG_TYPEDEF(tls_verify_peer);
+
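Review bot: The tag documentation does not state the default, which tport_type_tls.c initialises to 0 (`unsigned tls_verify = 0;`), so a reader of this comment cannot tell that peer certificates are not verified unless the tag is given. The two `1:` entries also read as alternatives; I would fold them into one line such as `* 1: the peer certificate is verified; a failure terminates the TLS/SSL handshake` and add `* Default is 0 (no verification).` after it. The fragments `no verify certificates` and `if fail` would read better as `do not verify certificates` and `on failure`.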
/[EMAIL PROTECTED] TPTAG_QUEUESIZE(x)
*
* Specify the number of messages that can be queued per connection.
Index: libsofia-sip-ua/tport/tport.c
===================================================================
--- libsofia-sip-ua/tport/tport.c (revision 18493)
+++ libsofia-sip-ua/tport/tport.c (working copy)
@@ -1448,7 +1448,7 @@
*
* @TAGS
* TPTAG_SERVER(), TPTAG_PUBLIC(), TPTAG_IDENT(), TPTAG_HTTP_CONNECT(),
- * TPTAG_CERTIFICATE(), TPTAG_TLS_VERSION(), and tags used with
+ * TPTAG_CERTIFICATE(), TPTAG_TLS_VERSION(), TPTAG_TLS_VERIFY_PEER, and tags used with
* tport_set_params(), especially TPTAG_QUEUESIZE().
*/
int tport_tbind(tport_t *self,
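Review bot: `TPTAG_TLS_VERIFY_PEER` is the only entry in this @TAGS list written without the `()` suffix, so Doxygen may not cross-reference it the way it does its neighbours; use `TPTAG_TLS_VERIFY_PEER(),`. The edited line also runs well past the width of the surrounding comment lines; wrapping after `TPTAG_TLS_VERSION(),` keeps the block consistent.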
Index: libsofia-sip-ua/tport/sofia-sip/tport_tag.h
===================================================================
--- libsofia-sip-ua/tport/sofia-sip/tport_tag.h (revision 18493)
+++ libsofia-sip-ua/tport/sofia-sip/tport_tag.h (working copy)
@@ -186,6 +186,12 @@
TPORT_DLL extern tag_typedef_t tptag_tls_version_ref;
#define TPTAG_TLS_VERSION_REF(x) tptag_tls_version_ref, tag_uint_vr(&(x))
+TPORT_DLL extern tag_typedef_t tptag_tls_verify_peer;
+#define TPTAG_TLS_VERIFY_PEER(x) tptag_tls_verify_peer, tag_uint_v((x))
+
+TPORT_DLL extern tag_typedef_t tptag_tls_verify_peer_ref;
+#define TPTAG_TLS_VERIFY_PEER_REF(x) tptag_tls_verify_peer_ref, tag_uint_vr(&(x))
+
#if 0
TPORT_DLL extern tag_typedef_t tptag_trusted;
#define TPTAG_TRUSTED(x) tptag_trusted, tag_bool_v((x))
Index: libsofia-sip-ua/tport/tport_tls.c
===================================================================
--- libsofia-sip-ua/tport/tport_tls.c (revision 18493)
+++ libsofia-sip-ua/tport/tport_tls.c (working copy)
@@ -166,7 +166,7 @@
SU_DEBUG_1((" err %i:%s\n", err, X509_verify_cert_error_string(err)));
}
- return 1; /* Always return "ok" */
+ return ok;
}
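Review bot: `return ok;` now lets a failed chain verification abort the handshake, but nothing at the return explains that OpenSSL only honours a 0 result when the context was created with SSL_VERIFY_PEER; under SSL_VERIFY_NONE, which is what the new tag's default of 0 selects, the handshake continues regardless of the callback's result. Replace the dropped comment with `return ok; /* 0 aborts the handshake; honoured only with SSL_VERIFY_PEER */`. Note also that `ok` reflects chain validation only; whether the peer's identity is matched against the expected name is not visible in this hunk. tls_verify_cb's signature and the rest of its body are outside the hunk.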
static
@@ -265,8 +265,7 @@
SSL_CTX_set_verify_depth(tls->ctx, ti->verify_depth);
SSL_CTX_set_verify(tls->ctx,
- getenv("SSL_VERIFY_PEER") ? SSL_VERIFY_PEER : SSL_VERIFY_NONE
- /* SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT */,
+ ti->verify_peer == 1 ? SSL_VERIFY_PEER : SSL_VERIFY_NONE,
tls_verify_cb);
if (!SSL_CTX_set_cipher_list(tls->ctx, ti->cipher)) {
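Review bot: `SSL_VERIFY_PEER` on its own only requests a certificate; when this context accepts connections, a client that presents no certificate still completes the handshake, which contradicts the description's claim that in server mode a failing client certificate terminates it. If that is the intent, add the flag the removed comment already hinted at, `ti->verify_peer == 1 ? (SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT) : SSL_VERIFY_NONE,`; OpenSSL ignores that flag in client mode, so it is safe even if the ctx is shared between listening and connecting sides (not visible here). The exact `== 1` comparison also means any other non-zero tag value silently falls back to SSL_VERIFY_NONE; either test `ti->verify_peer != 0` or document that restriction on the field in tport_tls.h. The enclosing function starts outside the hunk.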
Index: libsofia-sip-ua/tport/tport_type_tls.c
===================================================================
--- libsofia-sip-ua/tport/tport_type_tls.c (revision 18493)
+++ libsofia-sip-ua/tport/tport_type_tls.c (working copy)
@@ -161,6 +161,7 @@
char *tbf = NULL;
char const *path = NULL;
unsigned tls_version = 1;
+ unsigned tls_verify = 0;
su_home_t autohome[SU_HOME_AUTO_SIZE(1024)];
tls_issues_t ti = {0};
@@ -172,6 +173,7 @@
tl_gets(tags,
TPTAG_CERTIFICATE_REF(path),
TPTAG_TLS_VERSION_REF(tls_version),
+ TPTAG_TLS_VERIFY_PEER_REF(tls_verify),
TAG_END());
if (!path) {
@@ -182,6 +184,7 @@
}
if (path) {
+ ti.verify_peer = tls_verify;
ti.verify_depth = 2;
ti.configured = path != tbf;
ti.randFile = su_sprintf(autohome, "%s/%s", path, "tls_seed.dat");
@@ -189,6 +192,7 @@
ti.cert = ti.key;
ti.CAfile = su_sprintf(autohome, "%s/%s", path, "cafile.pem");
ti.version = tls_version;
+ ti.CApath = su_strdup(autohome, path);
SU_DEBUG_9(("%s(%p): tls key = %s\n", __func__, (void *)pri, ti.key));
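Review bot: `ti.CApath = su_strdup(autohome, path);` is not mentioned in the description and appears independent of the new tag; it points the CA directory lookup at the certificate directory itself. OpenSSL only consults a CApath through hashed file names (the c_rehash layout), so plain PEM files placed there are not picked up, and whether this value is passed on to SSL_CTX_load_verify_locations() is outside this hunk. Either explain the change in the description or split it into its own patch, and add a comment such as `/* CA directory lookup; files there must use the hashed-name layout */`. The enclosing function begins before the first hunk of this file.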