Gate TLS hostname verification behind 'verify_hostname' config param

Author: jes

modules/tls_mgm/tls_config.c

@@ -49,6 +49,8 @@ int             tls_default_method = TLS_USE_SSLv23;
 int             tls_verify_client_cert  = 1;
 int             tls_verify_server_cert  = 1;
 int             tls_require_client_cert = 1;
+/* disable hostname verification by default */
+int             tls_verify_hostname = 0;
 /* disable CRL validation for all the certificates from the chain */
 int crl_check_all = 0;
 /* default location of certificates */
@@ -70,6 +72,7 @@ str    match_address_col = str_init("match_ip_address");
 str    match_domain_col = str_init("match_sip_domain");
 str    method_col = str_init("method");
 str    verify_cert_col = str_init("verify_cert");
+str    verify_hostname_col = str_init("verify_hostname");
 str    require_cert_col = str_init("require_cert");
 str    certificate_col = str_init("certificate");
 str    pk_col = str_init("private_key");

modules/tls_mgm/tls_config.h

@@ -38,13 +38,14 @@
 #include "tls_config_helper.h"
 #include "../../str.h"
 
-#define TLS_TABLE_VERSION 3
+#define TLS_TABLE_VERSION 4
 
 extern int      tls_default_method;
 
 extern int      tls_verify_client_cert;
 extern int      tls_verify_server_cert;
 extern int      tls_require_client_cert;
+extern int      tls_verify_hostname;
 extern int	    crl_check_all;
 extern char    *tls_cert_file;
 extern char    *tls_pkey_file;
@@ -63,6 +64,7 @@ extern str     match_domain_col;
 extern str     method_col;
 extern str     verify_cert_col;
 extern str     require_cert_col;
+extern str     verify_hostname_col;
 extern str     certificate_col;
 extern str     pk_col;
 extern str     crl_check_col;

modules/tls_mgm/tls_domain.c

@@ -243,6 +243,10 @@ int set_all_domain_attr(struct tls_domain **dom, char **str_vals, int *int_vals,
 		d->require_client_cert = int_vals[INT_VALS_REQUIRE_CERT_COL];
 	}
 
+	if (int_vals[INT_VALS_VERIFY_HOSTNAME_COL] != -1) {
+		d->verify_hostname = int_vals[INT_VALS_VERIFY_HOSTNAME_COL];
+	}
+
 	p = (char *) (d + 1);
 
 	d->name.s = p;
@@ -537,9 +541,11 @@ int tls_new_domain(str *name, int type, struct tls_domain **dom)
 	if (type == DOM_FLAG_SRV) {
 		d->verify_cert         = tls_verify_client_cert;
 		d->require_client_cert = tls_require_client_cert;
+		d->verify_hostname	 = 0;
 	} else {
 		d->verify_cert         = tls_verify_server_cert;
 		d->require_client_cert = 0;
+		d->verify_hostname	 = tls_verify_hostname;
 	}
 	d->method = TLS_METHOD_UNSPEC;
 

modules/tls_mgm/tls_domain.h

@@ -59,13 +59,14 @@
 #define STR_VALS_CPLIST_COL         6
 #define STR_VALS_ECCURVE_COL        7
 
-#define NO_INT_VALS 5
+#define NO_INT_VALS 6
 
 #define INT_VALS_ID_COL             0
 #define INT_VALS_TYPE_COL           1
 #define INT_VALS_VERIFY_CERT_COL    2
 #define INT_VALS_REQUIRE_CERT_COL   3
 #define INT_VALS_CRL_CHECK_COL      4
+#define INT_VALS_VERIFY_HOSTNAME_COL 5
 
 #define NO_BLOB_VALS 4
 
@@ -74,7 +75,7 @@
 #define BLOB_VALS_CALIST_COL         2
 #define BLOB_VALS_DHPARAMS_COL       3
 
-#define NO_DB_COLS 17
+#define NO_DB_COLS 18
 
 #define CLIENT_DOMAIN_TYPE       1
 #define SERVER_DOMAIN_TYPE       2

modules/tls_mgm/tls_helper.h

@@ -82,6 +82,7 @@ struct tls_domain {
 	void *ctx;  /* openssl's SSL_CTX or wolfSSL's WOLFSSL_CTX */
 	int ctx_no;  /* number of allocated contexts */
 	int verify_cert;
+	int verify_hostname;
 	int require_client_cert;
 	int crl_check_all;
 	str cert;

modules/tls_mgm/tls_mgm.c

@@ -124,6 +124,7 @@ static const param_export_t params[] = {
 	{ "tls_method",    STR_PARAM|USE_FUNC_PARAM,  (void*)tlsp_set_method     },
 	{ "verify_cert",   STR_PARAM|USE_FUNC_PARAM,  (void*)tlsp_set_verify     },
 	{ "require_cert",  STR_PARAM|USE_FUNC_PARAM,  (void*)tlsp_set_require    },
+	{ "verify_hostname", STR_PARAM|USE_FUNC_PARAM, (void*)tlsp_set_verify_hostname },
 	{ "certificate",   STR_PARAM|USE_FUNC_PARAM,  (void*)tlsp_set_certificate},
 	{ "private_key",   STR_PARAM|USE_FUNC_PARAM,  (void*)tlsp_set_pk         },
 	{ "crl_check_all", STR_PARAM|USE_FUNC_PARAM,  (void*)tlsp_set_crl_check  },
@@ -141,6 +142,7 @@ static const param_export_t params[] = {
 	{ "tls_method_col",	STR_PARAM,  &method_col.s	},
 	{ "verify_cert_col",	STR_PARAM,  &verify_cert_col.s	},
 	{ "require_cert_col",	STR_PARAM,  &require_cert_col.s	},
+	{ "verify_hostname_col", STR_PARAM, &verify_hostname_col.s },
 	{ "certificate_col",	STR_PARAM,  &certificate_col.s	},
 	{ "private_key_col",	STR_PARAM,  &pk_col.s		},
 	{ "crl_check_all_col",	STR_PARAM,  &crl_check_col.s	},
@@ -417,6 +419,7 @@ int load_info(struct tls_domain **serv_dom, struct tls_domain **cli_dom,
 	columns[14] = &cplist_col;
 	columns[15] = &dhparams_col;
 	columns[16] = &eccurve_col;
+	columns[17] = &verify_hostname_col;
 
 	/* checking if the table version is up to date*/
 	if (db_check_table_version(&dr_dbf, db_hdl, &tls_db_table, TLS_TABLE_VERSION) != 0)
@@ -435,7 +438,7 @@ int load_info(struct tls_domain **serv_dom, struct tls_domain **cli_dom,
 			goto error;
 		}
 		no_rows = estimate_available_rows(4 + 45 + 4 + 45 + 4 + 4 + 45 +
-			45 + 4 + 45 + 45 + 4 * 4096, db_cols);
+			45 + 4 + 45 + 45 + 4 * 4096 + 4, db_cols);
 		if (no_rows == 0) no_rows = 5;
 		if (dr_dbf.fetch_result(db_hdl, &res, no_rows) < 0) {
 			LM_ERR("Error fetching rows\n");
@@ -517,6 +520,9 @@ int load_info(struct tls_domain **serv_dom, struct tls_domain **cli_dom,
 			check_val(eccurve_col, ROW_VALUES(row) + 16, DB_STRING, 0, 0);
 			str_vals[STR_VALS_ECCURVE_COL] = (char *) VAL_STRING(ROW_VALUES(row) + 16);
 
+			check_val(verify_hostname_col, ROW_VALUES(row) + 17, DB_INT, 0, 0);
+			int_vals[INT_VALS_VERIFY_HOSTNAME_COL] = VAL_INT(ROW_VALUES(row) + 17);
+
 			if (db_add_domain(str_vals, int_vals, blob_vals, serv_dom, cli_dom,
 								script_srv_doms, script_cli_doms) < 0) {
 				if (str_vals[STR_VALS_DOMAIN_COL])
@@ -994,6 +1000,7 @@ static int mod_init(void) {
 		method_col.len = strlen(method_col.s);
 		verify_cert_col.len = strlen(verify_cert_col.s);
 		require_cert_col.len = strlen(require_cert_col.s);
+		verify_hostname_col.len = strlen(verify_hostname_col.s);
 		certificate_col.len = strlen(certificate_col.s);
 		pk_col.len = strlen(pk_col.s);
 		crl_check_col.len = strlen(crl_check_col.s);
@@ -1253,6 +1260,9 @@ static int list_domain(mi_item_t *domains_arr, struct tls_domain *d)
 		if (add_mi_bool(domain_item, MI_SSTR("REQ_CLI_CERT"), d->require_client_cert) < 0)
 			goto error;
 
+		if (add_mi_bool(domain_item, MI_SSTR("VERIFY_HOSTNAME"), d->verify_hostname) < 0)
+			goto error;
+
 		if (add_mi_bool(domain_item, MI_SSTR("CRL_CHECKALL"), d->crl_check_all) < 0)
 			goto error;
 

modules/tls_mgm/tls_params.c

@@ -262,6 +262,25 @@ int tlsp_set_require(modparam_t type, void *in)
 	return 1;
 }
 
+int tlsp_set_verify_hostname(modparam_t type, void *in)
+{
+	str name;
+	str val;
+	unsigned int verify;
+
+	if (split_param_val((char*)in, &name, &val) < 0)
+		return -1;
+
+	if (str2int(&val, &verify)!=0) {
+		LM_ERR("option is not a number [%s]\n",val.s);
+		return -1;
+	}
+
+	set_domain_attr(name, verify_hostname, verify);
+
+	return 1;
+}
+
 int tlsp_set_crl_check(modparam_t type, void *in)
 {
 	str name;

modules/tls_mgm/tls_params.h

@@ -57,6 +57,8 @@ int tlsp_set_verify(modparam_t type, void *val);
 
 int tlsp_set_require(modparam_t type, void *val);
 
+int tlsp_set_verify_hostname(modparam_t type, void *val);
+
 int tlsp_set_crl_check(modparam_t type, void *val);
 
 int tlsp_set_certificate(modparam_t type, void *val);

modules/tls_openssl/openssl_conn_ops.c

@@ -221,11 +221,13 @@ int openssl_tls_conn_init(struct tcp_connection* c, struct tls_domain *tls_dom)
 		return -1;
 	}
 
-	param = SSL_get0_param(c->extra_data);
-	X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
-	if (!X509_VERIFY_PARAM_set1_host(param, c->hostname, strlen(c->hostname))) {
-		LM_ERR("failed to set hostname for SSL context\n");
-		return -1;
+	if (tls_dom->verify_hostname) {
+		param = SSL_get0_param(c->extra_data);
+		X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
+		if (!X509_VERIFY_PARAM_set1_host(param, c->hostname, strlen(c->hostname))) {
+			LM_ERR("failed to set hostname for SSL context\n");
+			return -1;
+		}
 	}
 
 	/* put pointers to the tcp_connection and tls_domain structs