From 09d951514d219aacf9fa5caeedae85eedee94b42 Mon Sep 17 00:00:00 2001
From: Kinsey Moore <kmoore@digium.com>
Date: Wed, 17 Oct 2012 19:00:35 +0000
Subject: [PATCH] Ensure Asterisk fails TCP/TLS SIP calls when certificate
 checking fails

When placing a call to a TCP/TLS SIP endpoint whose certificate is not
signed by a configured CA certificate, Asterisk would issue a warning
and continue to process the call as if there was not an issue with the
certificate.  Asterisk now properly fails the call if the certificate
fails verification or if the certificate does not exist when
certificate checking is enabled (the default behavior).

(closes issue ASTERISK-20559)
Reported by: kmoore

Review: https://reviewboard.asterisk.org/r/2163/
........

Merged revisions 375146 from http://svn.asterisk.org/svn/asterisk/branches/1.8
........

Merged revisions 375147 from http://svn.asterisk.org/svn/asterisk/branches/10


git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/11@375148 65c4cc65-6c06-0410-ace0-fbb531ad65f3
---
 main/tcptls.c | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)

diff --git a/main/tcptls.c b/main/tcptls.c
index b52cdc4912..dffba1dcd3 100644
--- a/main/tcptls.c
+++ b/main/tcptls.c
@@ -198,11 +198,19 @@ static void *handle_tcptls_connection(void *data)
 				long res;
 				peer = SSL_get_peer_certificate(tcptls_session->ssl);
 				if (!peer) {
-					ast_log(LOG_WARNING, "No peer SSL certificate\n");
+					ast_log(LOG_ERROR, "No peer SSL certificate to verify\n");
+					ast_tcptls_close_session_file(tcptls_session);
+					ao2_ref(tcptls_session, -1);
+					return NULL;
 				}
+
 				res = SSL_get_verify_result(tcptls_session->ssl);
 				if (res != X509_V_OK) {
 					ast_log(LOG_ERROR, "Certificate did not verify: %s\n", X509_verify_cert_error_string(res));
+					X509_free(peer);
+					ast_tcptls_close_session_file(tcptls_session);
+					ao2_ref(tcptls_session, -1);
+					return NULL;
 				}
 				if (!ast_test_flag(&tcptls_session->parent->tls_cfg->flags, AST_SSL_IGNORE_COMMON_NAME)) {
 					ASN1_STRING *str;
@@ -233,17 +241,13 @@ static void *handle_tcptls_connection(void *data)
 					}
 					if (!found) {
 						ast_log(LOG_ERROR, "Certificate common name did not match (%s)\n", tcptls_session->parent->hostname);
-						if (peer) {
-							X509_free(peer);
-						}
+						X509_free(peer);
 						ast_tcptls_close_session_file(tcptls_session);
 						ao2_ref(tcptls_session, -1);
 						return NULL;
 					}
 				}
-				if (peer) {
-					X509_free(peer);
-				}
+				X509_free(peer);
 			}
 		}
 		if (!tcptls_session->f) {	/* no success opening descriptor stacking */
-- 
GitLab