[Freeswitch-svn] [commit] r10824 - in freeswitch/trunk/libs/sofia-sip: . libsofia-sip-ua/tport libsofia-sip-ua/tport/sofia-sip
FreeSWITCH SVN
mikej at freeswitch.org
Tue Dec 16 12:26:20 PST 2008
Author: mikej
Date: Tue Dec 16 15:26:19 2008
New Revision: 10824
Log:
Wed Nov 26 12:42:31 CST 2008 Paulo Pizarro <paulo DOT pizarro AT gmail DOT com>
* tport: new tag TPTAG_TLS_VERIFY_PEER
With this tag, the verification of certificates can be controlled:
0: no verify certificates.
1: on server mode, the certificate returned by client is checked and
if fail the TLS/SSL handshake is immediately terminated.
1: on client mode, the server certificate is verified and
if fail the TLS/SSL handshake is immediately terminated.
I added this tag because I would like my application not to connect to a
server with an untrusted certificate.
Modified:
freeswitch/trunk/libs/sofia-sip/.update
freeswitch/trunk/libs/sofia-sip/libsofia-sip-ua/tport/sofia-sip/tport_tag.h
freeswitch/trunk/libs/sofia-sip/libsofia-sip-ua/tport/tport.c
freeswitch/trunk/libs/sofia-sip/libsofia-sip-ua/tport/tport_tag.c
freeswitch/trunk/libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.c
freeswitch/trunk/libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.h
freeswitch/trunk/libs/sofia-sip/libsofia-sip-ua/tport/tport_type_tls.c
Modified: freeswitch/trunk/libs/sofia-sip/.update
==============================================================================
--- freeswitch/trunk/libs/sofia-sip/.update (original)
+++ freeswitch/trunk/libs/sofia-sip/.update Tue Dec 16 15:26:19 2008
@@ -1 +1 @@
-Tue Dec 16 14:21:26 CST 2008
+Tue Dec 16 14:24:06 CST 2008
Modified: freeswitch/trunk/libs/sofia-sip/libsofia-sip-ua/tport/sofia-sip/tport_tag.h
==============================================================================
--- freeswitch/trunk/libs/sofia-sip/libsofia-sip-ua/tport/sofia-sip/tport_tag.h (original)
+++ freeswitch/trunk/libs/sofia-sip/libsofia-sip-ua/tport/sofia-sip/tport_tag.h Tue Dec 16 15:26:19 2008
@@ -186,6 +186,12 @@
TPORT_DLL extern tag_typedef_t tptag_tls_version_ref;
#define TPTAG_TLS_VERSION_REF(x) tptag_tls_version_ref, tag_uint_vr(&(x))
+TPORT_DLL extern tag_typedef_t tptag_tls_verify_peer;
+#define TPTAG_TLS_VERIFY_PEER(x) tptag_tls_verify_peer, tag_uint_v((x))
+
+TPORT_DLL extern tag_typedef_t tptag_tls_verify_peer_ref;
+#define TPTAG_TLS_VERIFY_PEER_REF(x) tptag_tls_verify_peer_ref, tag_uint_vr(&(x))
+
#if 0
TPORT_DLL extern tag_typedef_t tptag_trusted;
#define TPTAG_TRUSTED(x) tptag_trusted, tag_bool_v((x))
Modified: freeswitch/trunk/libs/sofia-sip/libsofia-sip-ua/tport/tport.c
==============================================================================
--- freeswitch/trunk/libs/sofia-sip/libsofia-sip-ua/tport/tport.c (original)
+++ freeswitch/trunk/libs/sofia-sip/libsofia-sip-ua/tport/tport.c Tue Dec 16 15:26:19 2008
@@ -1448,7 +1448,7 @@
*
* @TAGS
* TPTAG_SERVER(), TPTAG_PUBLIC(), TPTAG_IDENT(), TPTAG_HTTP_CONNECT(),
- * TPTAG_CERTIFICATE(), TPTAG_TLS_VERSION(), and tags used with
+ * TPTAG_CERTIFICATE(), TPTAG_TLS_VERSION(), TPTAG_TLS_VERIFY_PEER, and tags used with
* tport_set_params(), especially TPTAG_QUEUESIZE().
*/
int tport_tbind(tport_t *self,
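Review bot: `TPTAG_TLS_VERIFY_PEER` is the only entry in the @TAGS list without the trailing `()` its neighbours carry, which is what Doxygen uses to link the tag macro to its definition. Suggested line: `* TPTAG_CERTIFICATE(), TPTAG_TLS_VERSION(), TPTAG_TLS_VERIFY_PEER(), and tags used with`. The body of tport_tbind continues past the hunk.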
Modified: freeswitch/trunk/libs/sofia-sip/libsofia-sip-ua/tport/tport_tag.c
==============================================================================
--- freeswitch/trunk/libs/sofia-sip/libsofia-sip-ua/tport/tport_tag.c (original)
+++ freeswitch/trunk/libs/sofia-sip/libsofia-sip-ua/tport/tport_tag.c Tue Dec 16 15:26:19 2008
@@ -280,6 +280,20 @@
*/
tag_typedef_t tptag_tls_version = UINTTAG_TYPEDEF(tls_version);
+/**@def TPTAG_TLS_VERIFY_PEER(x)
+ *
+ * The verification of certificates can be controlled:
+ * 0: no verify certificates;
+ * 1: on server mode, the certificate returned by client is checked
+ * if fail the TLS/SSL handshake is immediately terminated;
+ * 1: on client mode, the server certificate is verified
+ * if fail the TLS/SSL handshake is immediately terminated;
+ *
+ * Use with tport_tbind(), nua_create(), nta_agent_create(),
+ * nta_agent_add_tport(), nth_engine_create(), or initial nth_site_create().
+ */
+tag_typedef_t tptag_tls_verify_peer = UINTTAG_TYPEDEF(tls_verify_peer);
+
/**@def TPTAG_QUEUESIZE(x)
*
* Specify the number of messages that can be queued per connection.
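Review bot: The new doc comment defines the values 0 and 1 but leaves every other value undefined, while the check added in tport_tls.c (`ti->verify_peer == 1`) treats anything other than 1 as no verification; the comment should say so, and the two `1:` bullets read as a duplicate at first glance. Suggested value list: `0: do not verify certificates (any value other than 1 is treated as 0);` followed by a single `1:` bullet covering both roles, `1: verify the peer certificate (the client's in server mode, the server's in client mode) and abort the TLS handshake if verification fails.` The `verify_peer` field comment added in tport_tls.h would benefit from the same one-line clarification.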
Modified: freeswitch/trunk/libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.c
==============================================================================
--- freeswitch/trunk/libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.c (original)
+++ freeswitch/trunk/libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.c Tue Dec 16 15:26:19 2008
@@ -166,7 +166,7 @@
SU_DEBUG_1((" err %i:%s\n", err, X509_verify_cert_error_string(err)));
}
- return 1; /* Always return "ok" */
+ return ok;
}
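Review bot: Returning `ok` makes the callback's verdict final, but `ok` is only OpenSSL's chain-validation result; nothing visible in this hunk compares the peer certificate's subject or subjectAltName with the host or SIP domain the transport is talking to, so with TPTAG_TLS_VERIFY_PEER(1) any certificate chaining to a trusted CA is accepted for any peer. If that is the intended contract, a comment on the return would stop the next reader from assuming a name check happens here: `return ok; /* chain validity only; peer name is not checked here */`. Under SSL_VERIFY_NONE OpenSSL continues the handshake regardless of this return value, so the logging above stays informational in that mode. tls_verify_cb starts before this hunk.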
static
@@ -265,8 +265,7 @@
SSL_CTX_set_verify_depth(tls->ctx, ti->verify_depth);
SSL_CTX_set_verify(tls->ctx,
- getenv("SSL_VERIFY_PEER") ? SSL_VERIFY_PEER : SSL_VERIFY_NONE
- /* SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT */,
+ ti->verify_peer == 1 ? SSL_VERIFY_PEER : SSL_VERIFY_NONE,
tls_verify_cb);
if (!SSL_CTX_set_cipher_list(tls->ctx, ti->cipher)) {
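Review bot: `SSL_VERIFY_PEER` alone does not make a server reject a client that presents no certificate at all, so the server-mode behaviour described in the log (client certificate checked, handshake terminated on failure) only holds for clients that choose to send one; the comment being deleted on the old line named the flag that would enforce it. If mandatory client certificates are the intent, `ti->verify_peer ? SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT : SSL_VERIFY_NONE,` does that, and OpenSSL ignores the extra flag in client mode. Two smaller points: the `== 1` test silently turns any other value such as 2 into no verification, where `!= 0` or an explicit range check would fail closed; and dropping the `getenv("SSL_VERIFY_PEER")` override means deployments that enabled verification through the environment now get SSL_VERIFY_NONE unless they pass the new tag (tls_verify defaults to 0 in tport_type_tls.c), which deserves a line in the log.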
Modified: freeswitch/trunk/libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.h
==============================================================================
--- freeswitch/trunk/libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.h (original)
+++ freeswitch/trunk/libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.h Tue Dec 16 15:26:19 2008
@@ -48,7 +48,9 @@
extern char const tls_version[];
typedef struct tls_issues_s {
- int verify_depth; /* if 0, then do nothing */
+ int verify_peer; /* 0: no verify certificate, *
+ * 1: if fail the TLS/SSL handshake is terminated. */
+ int verify_depth; /* if 0, then do nothing */
int configured; /* If non-zero, complain about certificate errors */
char *cert; /* CERT file name. File format is PEM */
char *key; /* Private key file. PEM format */
Modified: freeswitch/trunk/libs/sofia-sip/libsofia-sip-ua/tport/tport_type_tls.c
==============================================================================
--- freeswitch/trunk/libs/sofia-sip/libsofia-sip-ua/tport/tport_type_tls.c (original)
+++ freeswitch/trunk/libs/sofia-sip/libsofia-sip-ua/tport/tport_type_tls.c Tue Dec 16 15:26:19 2008
@@ -174,6 +174,7 @@
char *tbf = NULL;
char const *path = NULL;
unsigned tls_version = 1;
+ unsigned tls_verify = 0;
su_home_t autohome[SU_HOME_AUTO_SIZE(1024)];
tls_issues_t ti = {0};
@@ -185,6 +186,7 @@
tl_gets(tags,
TPTAG_CERTIFICATE_REF(path),
TPTAG_TLS_VERSION_REF(tls_version),
+ TPTAG_TLS_VERIFY_PEER_REF(tls_verify),
TAG_END());
if (!path) {
@@ -195,6 +197,7 @@
}
if (path) {
+ ti.verify_peer = tls_verify;
ti.verify_depth = 2;
ti.configured = path != tbf;
ti.randFile = su_sprintf(autohome, "%s/%s", path, "tls_seed.dat");
@@ -202,6 +205,7 @@
ti.cert = ti.key;
ti.CAfile = su_sprintf(autohome, "%s/%s", path, "cafile.pem");
ti.version = tls_version;
+ ti.CApath = su_strdup(autohome, path);
SU_DEBUG_9(("%s(%p): tls key = %s\n", __func__, (void *)pri, ti.key));
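Review bot: `ti.CApath = su_strdup(autohome, path)` points the CA directory at the same directory that holds the transport's own key and certificate, an addition the log does not mention; presumably this feeds the trust-store lookup elsewhere in tport_tls.c, in which case every hash-named certificate placed in the cert directory becomes a trust anchor alongside cafile.pem. Worth a one-line comment stating that intent, `/* CApath: hashed CA certs in the cert directory are trusted in addition to cafile.pem */`, and a mention in the commit log. Like the su_sprintf results above it, the su_strdup return value is not checked for NULL; the enclosing function starts before the hunk.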