authorAlexey Shchepin <alexey@process-one.net>2009-01-05 17:21:10 +0000
committerAlexey Shchepin <alexey@process-one.net>2009-01-05 17:21:10 +0000
commitb1252f837f7ed06a0c0a29006533a684a2b96b7a (patch)
treef9d97c27f988e1e2e8a4c821bdd7cb6416a21ae4
parent* src/*.erl: Fix EDoc comments (diff)
* src/tls/tls_drv.c: Added a flag to avoid certificate validation
* src/tls/tls.erl: Likewise * src/ejabberd_c2s.erl: Likewise SVN Revision: 1774
-rw-r--r--ChangeLog6
-rw-r--r--src/ejabberd_c2s.erl8
-rw-r--r--src/tls/tls.erl10
-rw-r--r--src/tls/tls_drv.c7
4 files changed, 27 insertions, 4 deletions
diff --git a/ChangeLog b/ChangeLog
index 30f57fbba..b92d9d54b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2009-01-05 Alexey Shchepin <alexey@process-one.net>
+
+ * src/tls/tls_drv.c: Added a flag to avoid certificate validation
+ * src/tls/tls.erl: Likewise
+ * src/ejabberd_c2s.erl: Likewise
+
2009-01-03 Badlop <badlop@process-one.net>
* src/*.erl: Fix EDoc comments
diff --git a/src/ejabberd_c2s.erl b/src/ejabberd_c2s.erl
index 3ad6085d3..d900f3bf4 100644
--- a/src/ejabberd_c2s.erl
+++ b/src/ejabberd_c2s.erl
@@ -176,9 +176,11 @@ init([{SockMod, Socket}, Opts]) ->
StartTLSRequired = lists:member(starttls_required, Opts),
TLSEnabled = lists:member(tls, Opts),
TLS = StartTLS orelse StartTLSRequired orelse TLSEnabled,
- TLSOpts = lists:filter(fun({certfile, _}) -> true;
- (_) -> false
- end, Opts),
+ TLSOpts1 =
+ lists:filter(fun({certfile, _}) -> true;
+ (_) -> false
+ end, Opts),
+ TLSOpts = [verify_none | TLSOpts1],
Zlib = lists:member(zlib, Opts) andalso (not StartTLSRequired),
IP = peerip(SockMod, Socket),
%% Check if IP is blacklisted:
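Review bot: `TLSOpts = [verify_none | TLSOpts1]` disables peer-certificate verification for every c2s TLS socket unconditionally; nothing in `Opts` can turn it back on, and the hunk gives no reason for it. If the intent is that clients are not expected to present a certificate, say so at the line, e.g. `%% Clients are not required to present a certificate; tls:tcp_to_tls/2 maps verify_none to the driver's VERIFY_NONE flag`. Deriving the entry from an `Opts` value instead of hard-coding it would leave a deployment that does want client certificates a way in. init/2 starts and ends outside the hunk.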
diff --git a/src/tls/tls.erl b/src/tls/tls.erl
index 72897cf08..7281fd475 100644
--- a/src/tls/tls.erl
+++ b/src/tls/tls.erl
@@ -59,6 +59,7 @@
-define(GET_DECRYPTED_INPUT, 6).
-define(GET_PEER_CERTIFICATE, 7).
-define(GET_VERIFY_RESULT, 8).
+-define(VERIFY_NONE, 16#10000).
-record(tlssock, {tcpsock, tlsport}).
@@ -120,13 +121,20 @@ tcp_to_tls(TCPSocket, Options) ->
{error, already_loaded} -> ok
end,
Port = open_port({spawn, tls_drv}, [binary]),
+ Flags =
+ case lists:member(verify_none, Options) of
+ true ->
+ ?VERIFY_NONE;
+ false ->
+ 0
+ end,
Command = case lists:member(connect, Options) of
true ->
?SET_CERTIFICATE_FILE_CONNECT;
false ->
?SET_CERTIFICATE_FILE_ACCEPT
end,
- case port_control(Port, Command, CertFile ++ [0]) of
+ case port_control(Port, Command bor Flags, CertFile ++ [0]) of
<<0>> ->
{ok, #tlssock{tcpsock = TCPSocket, tlsport = Port}};
<<1, Error/binary>> ->
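Review bot: `port_control(Port, Command bor Flags, CertFile ++ [0])` packs an option flag into the high bits of the control command, and only tls_drv.c's `command &= 0xffff` keeps that from being read as a different command; the convention is not stated anywhere on the Erlang side. A comment next to the `VERIFY_NONE` define or the `Flags` case would do: `%% Option flags are OR-ed into bits 16+ of the control command; tls_drv.c masks the command with 0xffff (see VERIFY_NONE there)`. The `Flags` case could also be a small helper, `verify_flags(Options) -> case lists:member(verify_none, Options) of true -> ?VERIFY_NONE; false -> 0 end.`, which keeps tcp_to_tls/2 readable as more flags are added. tcp_to_tls/2 starts and ends outside the hunk.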
diff --git a/src/tls/tls_drv.c b/src/tls/tls_drv.c
index b90cab87c..2f8e56150 100644
--- a/src/tls/tls_drv.c
+++ b/src/tls/tls_drv.c
@@ -272,6 +272,7 @@ static int verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
#define GET_DECRYPTED_INPUT 6
#define GET_PEER_CERTIFICATE 7
#define GET_VERIFY_RESULT 8
+#define VERIFY_NONE 0x10000
#define die_unless(cond, errstr) \
@@ -312,6 +313,9 @@ static int tls_drv_control(ErlDrvData handle,
int size;
ErlDrvBinary *b;
X509 *cert;
+ unsigned int flags = command;
+
+ command &= 0xffff;
ERR_clear_error();
switch (command)
@@ -354,6 +358,9 @@ static int tls_drv_control(ErlDrvData handle,
d->ssl = SSL_new(ssl_ctx);
die_unless(d->ssl, "SSL_new failed");
+ if (flags & VERIFY_NONE)
+ SSL_set_verify(d->ssl, SSL_VERIFY_NONE, verify_callback);
+
d->bio_read = BIO_new(BIO_s_mem());
d->bio_write = BIO_new(BIO_s_mem());
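Review bot: `SSL_set_verify(d->ssl, SSL_VERIFY_NONE, verify_callback)` leaves no trace in the driver state, so a later `GET_VERIFY_RESULT` or `GET_PEER_CERTIFICATE` on this socket answers for a handshake in which, if I read SSL_VERIFY_NONE right for accept mode, no peer certificate was even requested; a comment at the `if (flags & VERIFY_NONE)` line should say so, e.g. `/* VERIFY_NONE: do not request or validate the peer certificate; verify-result queries on this socket reflect that */`. In the earlier hunk, `unsigned int flags = command;` keeps the low command bits in `flags`, so only bit tests like `flags & VERIFY_NONE` are safe; `unsigned int flags = command & ~0xffffu;` together with `/* bits 16+ of the control command carry option flags, the low 16 bits the command (see tls.erl) */` makes the split explicit. tls_drv_control starts before and ends after these hunks.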