transp: add flag to disable SIP TLS server verification

baresip · Feb 18, 2021 · 8cf1217 · 8cf1217
1 parent e6f8c53
commit 8cf1217
Show file tree

Hide file tree

Showing 6 changed files with 30 additions and 5 deletions.
diff --git a/include/re_tls.h b/include/re_tls.h
@@ -63,6 +63,7 @@ int tls_set_verify_server(struct tls_conn *tc, const char *host);
 
 int tls_get_issuer(struct tls *tls, struct mbuf *mb);
 int tls_get_subject(struct tls *tls, struct mbuf *mb);
+void tls_enable_sverify(struct tls *tls, bool enable);
 
 /* TCP */
 

diff --git a/src/sip/transp.c b/src/sip/transp.c
@@ -639,7 +639,7 @@ static int conn_send(struct sip_connqent **qentp, struct sip *sip, bool secure,
 	struct sip_connqent *qent;
 	int err = 0;
 
-#ifndef SIP_VERIFY_SERVER
+#ifndef USE_TLS
 	(void) host;
 #endif
 
@@ -687,11 +687,10 @@ static int conn_send(struct sip_connqent **qentp, struct sip *sip, bool secure,
 		err = tls_start_tcp(&conn->sc, transp->tls, conn->tc, 0);
 		if (err)
 			goto out;
-#ifdef SIP_VERIFY_SERVER
+
 		err = tls_set_verify_server(conn->sc, host);
 		if (err)
 			goto out;
-#endif
 	}
 #endif
 

diff --git a/src/tls/openssl/tls.c b/src/tls/openssl/tls.c
@@ -33,6 +33,7 @@
 /* NOTE: shadow struct defined in tls_*.c */
 struct tls_conn {
 	SSL *ssl;
+	struct tls *tls;
 };
 
 
@@ -142,6 +143,7 @@ int tls_alloc(struct tls **tlsp, enum tls_method method, const char *keyfile,
 	if (!tls)
 		return ENOMEM;
 
+	tls->sverify = true;
 	switch (method) {
 
 	case TLS_METHOD_SSLV23:
@@ -1106,6 +1108,9 @@ int tls_set_verify_server(struct tls_conn *tc, const char *host)
 	if (!tc || !host)
 		return EINVAL;
 
+	if (!tc->tls->sverify)
+		return 0;
+
 	if (sa_set_str(&sa, host, 0)) {
 		SSL_set_hostflags(tc->ssl,
 				X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
@@ -1287,3 +1292,18 @@ int tls_get_subject(struct tls *tls, struct mbuf *mb)
 	return tls_get_ca_chain_field(tls, mb, &X509_get_subject_name,
 		XN_FLAG_RFC2253);
 }
+
+
+/**
+ * Enables/disables SIP TLS server verifications for following requests
+ *
+ * @param tls     TLS Object
+ * @param enable  Enable flag
+ */
+void tls_enable_sverify(struct tls *tls, bool enable)
+{
+	if (!tls)
+		return;
+
+	tls->sverify = enable;
+}
diff --git a/src/tls/openssl/tls.h b/src/tls/openssl/tls.h
@@ -39,7 +39,8 @@ typedef X509_NAME*(tls_get_certfield_h)(X509 *);
 struct tls {
 	SSL_CTX *ctx;
 	X509 *cert;
-	char *pass;  /* password for private key */
+	char *pass;          /**< password for private key             */
+	bool sverify;        /**< Enable SIP TLS server verification   */
 };
 
 

diff --git a/src/tls/openssl/tls_tcp.c b/src/tls/openssl/tls_tcp.c
@@ -26,7 +26,8 @@
 
 /* NOTE: shadow struct defined in tls_*.c */
 struct tls_conn {
-	SSL *ssl;
+	SSL *ssl;             /* inheritance */
+	struct tls *tls;      /* inheritance */
 #ifdef TLS_BIO_OPAQUE
 	BIO_METHOD *biomet;
 #endif
@@ -375,6 +376,7 @@ int tls_start_tcp(struct tls_conn **ptc, struct tls *tls, struct tcp_conn *tcp,
 		goto out;
 
 	tc->tcp = mem_ref(tcp);
+	tc->tls = tls;
 
 #ifdef TLS_BIO_OPAQUE
 	tc->biomet = bio_method_tcp();

diff --git a/src/tls/openssl/tls_udp.c b/src/tls/openssl/tls_udp.c
@@ -47,6 +47,7 @@ struct dtls_sock {
 /* NOTE: shadow struct defined in tls_*.c */
 struct tls_conn {
 	SSL *ssl;             /* inheritance */
+	struct tls *tls;      /* inheritance */
 #ifdef TLS_BIO_OPAQUE
 	BIO_METHOD *biomet;
 #endif
@@ -479,6 +480,7 @@ static int conn_alloc(struct tls_conn **ptc, struct tls *tls,
 	tc->recvh  = recvh;
 	tc->closeh = closeh;
 	tc->arg    = arg;
+	tc->tls    = tls;
 
 #ifdef TLS_BIO_OPAQUE
 	tc->biomet = bio_method_udp();