From 3b33b27f609502c3e18e83c4982ad03cd0eb4063 Mon Sep 17 00:00:00 2001
From: Yann Diorcet
Date: Wed, 16 Jan 2013 15:35:03 +0100
Subject: [PATCH] Add common name certificate verification function in sal

Add eXosip sal wrapper to eXosip_tls_verify_cn
---
 coreapi/linphonecore.c | 8 ++++++++
 coreapi/linphonecore.h | 1 +
 coreapi/sal.h | 1 +
 coreapi/sal_eXosip2.c | 11 +++++++++++
 coreapi/sal_eXosip2.h | 1 +
 m4/exosip.m4 | 4 ++++
 6 files changed, 26 insertions(+)

diff --git a/coreapi/linphonecore.c b/coreapi/linphonecore.c
index 4a0c3851..ee0be33b 100644
--- a/coreapi/linphonecore.c
+++ b/coreapi/linphonecore.c
@@ -567,6 +567,7 @@ static void sip_config_read(LinphoneCore *lc)
 sal_set_root_ca(lc->sal, lp_config_get_string(lc->config,"sip","root_ca", ROOT_CA_FILE));
 #endif
 linphone_core_verify_server_certificates(lc,lp_config_get_int(lc->config,"sip","verify_server_certs",TRUE));
+ linphone_core_verify_server_cn(lc,lp_config_get_int(lc->config,"sip","verify_server_cn",TRUE));
 /*setting the dscp must be done before starting the transports, otherwise it is not taken into effect*/
 sal_set_dscp(lc->sal,linphone_core_get_sip_dscp(lc));
 /*start listening on ports*/
@@ -3701,6 +3702,13 @@ void linphone_core_verify_server_certificates(LinphoneCore *lc, bool_t yesno){
 sal_verify_server_certificates(lc->sal,yesno);
 }
 
+/**
+ * Specify whether the tls server certificate common name must be verified when connecting to a SIP/TLS server.
+**/
+void linphone_core_verify_server_cn(LinphoneCore *lc, bool_t yesno){
+ sal_verify_server_cn(lc->sal,yesno);
+}
+
 static void notify_end_of_ring(void *ud, MSFilter *f, unsigned int event, void *arg){
 LinphoneCore *lc=(LinphoneCore*)ud;
 lc->preview_finished=1;
diff --git a/coreapi/linphonecore.h b/coreapi/linphonecore.h
index 2b53f7a7..55198e31 100644
--- a/coreapi/linphonecore.h
+++ b/coreapi/linphonecore.h
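Review bot: The new `verify_server_cn` key is applied independently of the `verify_server_certs` key read on the line above it, so a configuration with `verify_server_certs=0` and `verify_server_cn=1` is accepted although a common-name match against an unverified chain gives no assurance about the peer (unless eXosip itself ties CN checking to certificate verification, which nothing in this patch shows). I would add a comment at the new call, `/* verify_server_cn is a hostname check on top of chain validation (verify_server_certs), not a substitute for it */`, or log a warning when that combination is read. sip_config_read begins and ends outside the hunk.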
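Review bot: The Doxygen comment on the new `linphone_core_verify_server_cn` documents neither its parameters nor the default, which a public API entry in this header-exported file would normally carry. I would extend it with `@param lc the LinphoneCore`, `@param yesno TRUE to require the server certificate common name to match the server, FALSE to skip the check`, a sentence stating that the check is enabled by default and that the `sip/verify_server_cn` configuration key sets it at startup, plus the `@ingroup` tag if the neighbouring public functions carry one. A remark that the check is only effective when the linked eXosip provides eXosip_tls_verify_cn (the sal implementation compiles the call conditionally) would save callers a surprise.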
@@ -1209,6 +1209,7 @@ void linphone_core_set_sound_source(LinphoneCore *lc, char source);
 void linphone_core_set_ring(LinphoneCore *lc, const char *path);
 const char *linphone_core_get_ring(const LinphoneCore *lc);
 void linphone_core_verify_server_certificates(LinphoneCore *lc, bool_t yesno);
+void linphone_core_verify_server_cn(LinphoneCore *lc, bool_t yesno);
 void linphone_core_set_root_ca(LinphoneCore *lc, const char *path);
 const char *linphone_core_get_root_ca(LinphoneCore *lc);
 void linphone_core_set_ringback(LinphoneCore *lc, const char *path);
diff --git a/coreapi/sal.h b/coreapi/sal.h
index 77e43d6b..9c0ceca7 100644
--- a/coreapi/sal.h
+++ b/coreapi/sal.h
@@ -359,6 +359,7 @@ void sal_use_101(Sal *ctx, bool_t use_101);
 void sal_set_root_ca(Sal* ctx, const char* rootCa);
 const char *sal_get_root_ca(Sal* ctx);
 void sal_verify_server_certificates(Sal *ctx, bool_t verify);
+void sal_verify_server_cn(Sal *ctx, bool_t verify);
 int sal_iterate(Sal *sal);
 MSList * sal_get_pending_auths(Sal *sal);
diff --git a/coreapi/sal_eXosip2.c b/coreapi/sal_eXosip2.c
index 203c7cb9..93686a75 100644
--- a/coreapi/sal_eXosip2.c
+++ b/coreapi/sal_eXosip2.c
@@ -282,6 +282,7 @@ Sal * sal_init(){
 sal->reuse_authorization=FALSE;
 sal->rootCa = 0;
 sal->verify_server_certs=TRUE;
+ sal->verify_server_cn=TRUE;
 sal->expire_old_contact=FALSE;
 sal->add_dates=FALSE;
 sal->dscp=-1;
@@ -378,6 +379,9 @@ static void set_tls_options(Sal *ctx){
 #ifdef HAVE_EXOSIP_TLS_VERIFY_CERTIFICATE
 eXosip_tls_verify_certificate(ctx->verify_server_certs);
 #endif
+#ifdef HAVE_EXOSIP_TLS_VERIFY_CN
+ eXosip_tls_verify_cn(ctx->verify_server_cn);
+#endif
 }
 
 void sal_set_dscp(Sal *ctx, int dscp){
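Review bot: When HAVE_EXOSIP_TLS_VERIFY_CN is not defined, the new `#ifdef` block in set_tls_options compiles to nothing, so `ctx->verify_server_cn` is stored but never enforced and a deployment that set `verify_server_cn=1` gets no indication that the server name is not being checked; `sal_verify_server_cn` in the next hunk has the same shape. I would add an `#else` branch that logs when the flag is requested but unavailable, e.g. `#else` / `if (ctx->verify_server_cn) ms_warning("TLS server CN verification requested but eXosip_tls_verify_cn is not available in this build");` / `#endif`, assuming ms_warning is the logging macro in scope here. The configure check added in m4/exosip.m4 only warns when the symbol is missing, so this path is reachable with older eXosip2 builds. set_tls_options begins before the hunk.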
@@ -499,6 +503,13 @@ void sal_verify_server_certificates(Sal *ctx, bool_t verify){
 #endif
 }
 
+void sal_verify_server_cn(Sal *ctx, bool_t verify){
+ ctx->verify_server_cn=verify;
+#ifdef HAVE_EXOSIP_TLS_VERIFY_CN
+ eXosip_tls_verify_cn(verify);
+#endif
+}
+
 static int extract_received_rport(osip_message_t *msg, const char **received, int *rportval,SalTransport* transport){
 osip_via_t *via=NULL;
 osip_generic_param_t *param=NULL;
diff --git a/coreapi/sal_eXosip2.h b/coreapi/sal_eXosip2.h
index 29eee78a..89ac93ab 100644
--- a/coreapi/sal_eXosip2.h
+++ b/coreapi/sal_eXosip2.h
@@ -48,6 +48,7 @@ struct Sal{
 bool_t use_101;
 bool_t reuse_authorization;
 bool_t verify_server_certs;
+ bool_t verify_server_cn;
 bool_t expire_old_contact;
 bool_t add_dates;
 };
diff --git a/m4/exosip.m4 b/m4/exosip.m4
index aa4b7a9c..31769e00 100644
--- a/m4/exosip.m4
+++ b/m4/exosip.m4
@@ -40,6 +40,10 @@ AC_CHECK_LIB([eXosip2],[eXosip_tls_verify_certificate],
 [AC_DEFINE([HAVE_EXOSIP_TLS_VERIFY_CERTIFICATE],[1],[Defined when eXosip_tls_verify_certificate is available])],
 [AC_MSG_WARN([Could not find eXosip_tls_verify_certificate in eXosip2 !])],
 [-losipparser2 -losip2 ])
+AC_CHECK_LIB([eXosip2],[eXosip_tls_verify_cn],
+ [AC_DEFINE([HAVE_EXOSIP_TLS_VERIFY_CN],[1],[Defined when eXosip_tls_verify_certificate is available])],
+ [AC_MSG_WARN([Could not find eXosip_tls_verify_cn in eXosip2 !])],
+ [-losipparser2 -losip2 ])
 AC_CHECK_LIB([eXosip2],[eXosip_trylock],
 [AC_DEFINE([HAVE_EXOSIP_TRYLOCK],[1],[Defined when eXosip_get_socket is available])],
 [],
-- 
2.39.2
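Review bot: `eXosip_tls_verify_cn(verify)` takes no Sal or eXosip context argument, so the setting it applies is presumably library-wide, while the value is also kept per instance in `ctx->verify_server_cn`; with more than one Sal the last caller wins and a context's field can disagree with what the library actually enforces. A comment on the assignment such as `/* eXosip appears to hold this setting globally; ctx->verify_server_cn only mirrors the last value passed (re-applied in set_tls_options) */` makes that visible to the next maintainer. The existing sal_verify_server_certificates, whose body starts before the hunk, has the same shape and would merit the same remark.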
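Review bot: The AC_DEFINE description on the new HAVE_EXOSIP_TLS_VERIFY_CN line was copied from the certificate check and still reads "Defined when eXosip_tls_verify_certificate is available", which ends up in the generated config header and misleads anyone reading it; it should be `[AC_DEFINE([HAVE_EXOSIP_TLS_VERIFY_CN],[1],[Defined when eXosip_tls_verify_cn is available])],`. A missing symbol only produces AC_MSG_WARN, so the build proceeds and the runtime CN check becomes a no-op; that mirrors the certificate check above, but the warning text could say so explicitly, e.g. `[AC_MSG_WARN([Could not find eXosip_tls_verify_cn in eXosip2: TLS server name verification will be unavailable !])],`. The pre-existing HAVE_EXOSIP_TRYLOCK description two lines below has the same copy-paste problem (it mentions eXosip_get_socket), though that is outside this change.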