From 66809717ca572246bd0c528d82777cb8d7ec8c43 Mon Sep 17 00:00:00 2001
From: Maximilian Fridrich
Date: Sun, 11 Feb 2024 12:00:25 +0100
Subject: [PATCH] transp,tls: add TLS client verification (#1059)

Per default, TLS client verification is disabled.
---
 include/re_tls.h | 2 ++
 src/sip/transp.c | 4 ++++
 src/tls/openssl/tls.c | 45 +++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 51 insertions(+)

diff --git a/include/re_tls.h b/include/re_tls.h
index dcfc62958..61e28548f 100644
--- a/include/re_tls.h
+++ b/include/re_tls.h
@@ -69,10 +69,12 @@ int tls_srtp_keyinfo(const struct tls_conn *tc, enum srtp_suite *suite,
 const char *tls_cipher_name(const struct tls_conn *tc);
 int tls_set_ciphers(struct tls *tls, const char *cipherv[], size_t count);
 int tls_set_verify_server(struct tls_conn *tc, const char *host);
+int tls_verify_client(struct tls_conn *tc);
 int tls_get_issuer(struct tls *tls, struct mbuf *mb);
 int tls_get_subject(struct tls *tls, struct mbuf *mb);
 void tls_disable_verify_server(struct tls *tls);
+void tls_enable_verify_client(struct tls *tls, bool enable);
 int tls_set_min_proto_version(struct tls *tls, int version);
 int tls_set_max_proto_version(struct tls *tls, int version);
diff --git a/src/sip/transp.c b/src/sip/transp.c
index 1a8d3a17c..eb6062fd6 100644
--- a/src/sip/transp.c
+++ b/src/sip/transp.c
@@ -679,6 +679,10 @@ static void tcp_connect_handler(const struct sa *paddr, void *arg)
 err = tls_start_tcp(&conn->sc, transp->tls, conn->tc, 0);
 if (err)
 goto out;
+
+ err = tls_verify_client(conn->sc);
+ if (err)
+ goto out;
 }
 #endif
diff --git a/src/tls/openssl/tls.c b/src/tls/openssl/tls.c
index ac1f5b676..a5b983ae9 100644
--- a/src/tls/openssl/tls.c
+++ b/src/tls/openssl/tls.c
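Review bot: The added call in tcp_connect_handler fails every accepted TLS connection on LibreSSL builds, because the `#else` branch of tls_verify_client (in the tls.c hunk of this patch) returns ENOSYS before it looks at `verify_client`, so the default-disabled configuration that the commit message promises is also broken there. Either move the `if (!tc->tls->verify_client) return 0;` check in front of the `#if !defined(LIBRESSL_VERSION_NUMBER)` so an unrequested verification is a no-op on every backend, or skip the call here when the flag is off. `if (err) goto out;` presumably tears the connection down rather than continuing without verification; confirm that is the intended failure mode for a misconfigured server. tcp_connect_handler begins and ends outside the hunk.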
@@ -45,6 +45,7 @@ struct tls {
 X509 *cert;
 char *pass; /**< password for private key */
 bool verify_server; /**< Enable SIP TLS server verification */
+ bool verify_client; /**< Enable SIP TLS client verification */
 struct session_reuse reuse;
 struct list certs; /**< Certificates for SNI selection */
 };
@@ -1459,6 +1460,35 @@ int tls_set_verify_server(struct tls_conn *tc, const char *host)
 }
+/**
+ * Enable verification of client certificate
+ *
+ * @param tc TLS Connection
+ *
+ * @return 0 if success, otherwise errorcode
+ */
+int tls_verify_client(struct tls_conn *tc)
+{
+#if !defined(LIBRESSL_VERSION_NUMBER)
+
+ if (!tc)
+ return EINVAL;
+
+ if (!tc->tls->verify_client)
+ return 0;
+
+ SSL_set_verify(tc->ssl, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE,
+ tls_verify_handler);
+
+ return 0;
+#else
+ (void)tc;
+
+ return ENOSYS;
+#endif
+}
+
+
 static int print_error(const char *str, size_t len, void *unused)
 {
 (void)unused;
@@ -1597,6 +1627,21 @@ void tls_disable_verify_server(struct tls *tls)
 }
+/**
+ * Enables SIP TLS client verifications for following requests
+ *
+ * @param tls TLS Object
+ * @param enable true to enable client verification, false to disable
+ */
+void tls_enable_verify_client(struct tls *tls, bool enable)
+{
+ if (!tls)
+ return;
+
+ tls->verify_client = enable;
+}
+
+
 /**
 * Set minimum TLS version
 *
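Review bot: `SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE` in tls_verify_client does not by itself require a client certificate: in OpenSSL server mode SSL_VERIFY_PEER only requests one, and a peer that sends none still completes the handshake unless SSL_VERIFY_FAIL_IF_NO_PEER_CERT is also set (or tls_verify_handler, which is defined outside this hunk, rejects that case itself). If "client verification" is meant to be mutual authentication, the mode should be `SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT | SSL_VERIFY_CLIENT_ONCE`; if an absent certificate is deliberately tolerated, the doc comment should say so, since an operator enabling this flag will otherwise assume unauthenticated clients are refused. The comment should also state the precondition that is only visible from the code, e.g. `* No-op unless tls_enable_verify_client() was set on the parent tls object`. Calling SSL_set_verify after tls_start_tcp() assumes the handshake has not started on that connection yet; confirm against tls_start_tcp.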