diff --git a/include/re_tls.h b/include/re_tls.h
index ff34b2e66..6cea772e2 100644
--- a/include/re_tls.h
+++ b/include/re_tls.h
@@ -63,6 +63,7 @@ int tls_set_verify_server(struct tls_conn *tc, const char *host);
 int tls_get_issuer(struct tls *tls, struct mbuf *mb);
 int tls_get_subject(struct tls *tls, struct mbuf *mb);
+void tls_disable_verify_server(struct tls *tls);
 /* TCP */
diff --git a/src/sip/transp.c b/src/sip/transp.c
index 6cc079d26..3400c8222 100644
--- a/src/sip/transp.c
+++ b/src/sip/transp.c
@@ -639,7 +639,7 @@ static int conn_send(struct sip_connqent **qentp, struct sip *sip, bool secure,
 struct sip_connqent *qent;
 int err = 0;
-#ifndef SIP_VERIFY_SERVER
+#ifndef USE_TLS
 (void) host;
 #endif
@@ -687,11 +687,10 @@ static int conn_send(struct sip_connqent **qentp, struct sip *sip, bool secure,
 err = tls_start_tcp(&conn->sc, transp->tls, conn->tc, 0);
 if (err) goto out;
-#ifdef SIP_VERIFY_SERVER
+
 err = tls_set_verify_server(conn->sc, host);
 if (err) goto out;
-#endif
 }
 #endif
diff --git a/src/tls/openssl/tls.c b/src/tls/openssl/tls.c
index 984658b03..087967560 100644
--- a/src/tls/openssl/tls.c
+++ b/src/tls/openssl/tls.c
@@ -33,6 +33,7 @@
 /* NOTE: shadow struct defined in tls_*.c */
 struct tls_conn {
 SSL *ssl;
+ struct tls *tls;
 };
@@ -142,6 +143,7 @@ int tls_alloc(struct tls **tlsp, enum tls_method method, const char *keyfile,
 if (!tls) return ENOMEM;
+ tls->verify_server = true;
 switch (method) {
 case TLS_METHOD_SSLV23:
@@ -1106,6 +1108,9 @@ int tls_set_verify_server(struct tls_conn *tc, const char *host)
 if (!tc || !host) return EINVAL;
+ if (!tc->tls->verify_server)
+ return 0;
+
 if (sa_set_str(&sa, host, 0)) {
 SSL_set_hostflags(tc->ssl, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
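Review bot: With the `#ifdef SIP_VERIFY_SERVER` guard removed, `tls_set_verify_server(conn->sc, host)` now runs for every secure TCP connection and makes conn_send fail with EINVAL whenever `host` is NULL, so the only path on which a NULL host is harmless is the `(void) host` under `#ifndef USE_TLS` in the previous hunk; confirm that every caller of conn_send supplies a hostname for secure transports (conn_send's signature and its callers are outside the hunk). Failing closed is the right default here, but if a NULL host is a legitimate input for some callers it would be cleaner to reject it before the connection is built, e.g. `if (secure && !host) { err = EINVAL; goto out; }` ahead of `tls_start_tcp`, instead of setting up and tearing down the TCP connection only to hit the EINVAL afterwards.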
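Review bot: `struct tls_conn` is a shadow struct defined three times (here, in tls_tcp.c and in tls_udp.c) and the new `struct tls *tls` member only works because it sits at the same offset in all three definitions, yet this copy carries no marker that the member order is load-bearing. Suggest the same `/* inheritance */` annotation the tls_tcp.c and tls_udp.c hunks add, i.e. `SSL *ssl; /* inheritance */` and `struct tls *tls; /* inheritance */`, so a member inserted above it here later does not silently desynchronise the layouts. The existing note could also state the rule explicitly: `/* NOTE: shadow struct defined in tls_*.c - the leading members must keep this order in every copy */`.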
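Review bot: `if (!tc->tls->verify_server)` dereferences `tc->tls` without a NULL check, while the guard one line above validates only `tc` and `host`; any `struct tls_conn` whose `tls` member was never assigned (this commit sets it only in `tls_start_tcp` and the DTLS `conn_alloc`) would crash here. The safer reading of a missing tls object is verification-on rather than skip, i.e. `if (tc->tls && !tc->tls->verify_server)`. The early `return 0` is also indistinguishable to the caller from a successfully configured verification; since this is the single place where hostname and certificate checking is bypassed, it deserves a log line (tls.c's debug macros, if `DEBUG_WARNING` is in scope in this file) or at least a comment such as `/* hostname/cert verification explicitly disabled via tls_disable_verify_server() */` so the skip shows up in traces. The remainder of tls_set_verify_server continues outside the hunk.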
@@ -1287,3 +1292,17 @@ int tls_get_subject(struct tls *tls, struct mbuf *mb)
 return tls_get_ca_chain_field(tls, mb, &X509_get_subject_name, XN_FLAG_RFC2253);
 }
+
+
+/**
+ * Disables SIP TLS server verifications for following requests
+ *
+ * @param tls TLS Object
+ */
+void tls_disable_verify_server(struct tls *tls)
+{
+ if (!tls)
+ return;
+
+ tls->verify_server = false;
+}
diff --git a/src/tls/openssl/tls.h b/src/tls/openssl/tls.h
index 3a977e8e9..9c11578f7 100644
--- a/src/tls/openssl/tls.h
+++ b/src/tls/openssl/tls.h
@@ -39,7 +39,8 @@ typedef X509_NAME*(tls_get_certfield_h)(X509 *);
 struct tls {
 SSL_CTX *ctx;
 X509 *cert;
- char *pass; /* password for private key */
+ char *pass; /**< password for private key */
+ bool verify_server; /**< Enable SIP TLS server verification */
 };
diff --git a/src/tls/openssl/tls_tcp.c b/src/tls/openssl/tls_tcp.c
index 25bd9e118..acaa0bb17 100644
--- a/src/tls/openssl/tls_tcp.c
+++ b/src/tls/openssl/tls_tcp.c
@@ -26,7 +26,8 @@
 /* NOTE: shadow struct defined in tls_*.c */
 struct tls_conn {
- SSL *ssl;
+ SSL *ssl; /* inheritance */
+ struct tls *tls; /* inheritance */
 #ifdef TLS_BIO_OPAQUE
 BIO_METHOD *biomet;
 #endif
@@ -375,6 +376,7 @@ int tls_start_tcp(struct tls_conn **ptc, struct tls *tls, struct tcp_conn *tcp,
 goto out;
 tc->tcp = mem_ref(tcp);
+ tc->tls = tls;
 #ifdef TLS_BIO_OPAQUE
 tc->biomet = bio_method_tcp();
diff --git a/src/tls/openssl/tls_udp.c b/src/tls/openssl/tls_udp.c
index 4ec81a303..bca2d27b7 100644
--- a/src/tls/openssl/tls_udp.c
+++ b/src/tls/openssl/tls_udp.c
@@ -47,6 +47,7 @@ struct dtls_sock {
 /* NOTE: shadow struct defined in tls_*.c */
 struct tls_conn {
 SSL *ssl; /* inheritance */
+ struct tls *tls; /* inheritance */
 #ifdef TLS_BIO_OPAQUE
 BIO_METHOD *biomet;
 #endif
@@ -479,6 +480,7 @@ static int conn_alloc(struct tls_conn **ptc, struct tls *tls,
 tc->recvh = recvh;
 tc->closeh = closeh;
 tc->arg = arg;
+ tc->tls = tls;
 #ifdef TLS_BIO_OPAQUE
 tc->biomet = bio_method_udp();
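Review bot: The docstring on `tls_disable_verify_server` describes it as disabling "SIP TLS server verifications for following requests", but the flag lives on the generic `struct tls` and is consulted by `tls_set_verify_server` for any connection created from that object afterwards (both `tls_start_tcp` and the DTLS `conn_alloc` store the pointer in this commit), and nothing in the diff sets it back to true. Suggest documenting the real scope: `Disable server certificate and hostname verification for every connection subsequently created from this TLS object; it cannot be re-enabled, and connections on which tls_set_verify_server has already run are unaffected.` The same SIP-specific wording appears on the `verify_server` member comment in the tls.h hunk and should be generalised there too. If re-enabling is ever needed, a setter taking a `bool` would be the more general shape than a one-way disable, but that is a design choice for the maintainers.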
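Review bot: `tc->tls = tls;` in tls_start_tcp stores a bare pointer while the line above takes a reference with `mem_ref(tcp)`, so the connection now holds an unowned back-pointer to the `struct tls` it was created from; if a caller can release that tls object before the connection, the `tc->tls->verify_server` read in tls_set_verify_server becomes a use-after-free. Whether that ordering is reachable depends on callers outside this diff (in transp.c the tls object belongs to the transport, which presumably outlives the connection, but tls_tcp.c and tls_udp.c are public API), so either `tc->tls = mem_ref(tls);` with a matching `mem_deref` in the connection destructor, or a comment fixing the contract, `/* not referenced: the tls object must outlive this connection */`, would pin it down. The same applies to `tc->tls = tls;` in the tls_udp.c conn_alloc hunk. Both enclosing functions begin and end outside their hunks.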