From 85288fd0b31027e7948180e0e057242e13f15da4 Mon Sep 17 00:00:00 2001
From: Romain DEP <rom1dep@gmail.com>
Date: Sat, 21 Jul 2018 20:27:49 +0200
Subject: add 'verify_certificate' as possible configuration token for policy
 files  This lets the user configure a per-domain certificate validation
 policy

---
 src/network/tcp_socket_handler.cpp | 5 +++++
 src/network/tls_policy.cpp         | 7 +++++++
 src/network/tls_policy.hpp         | 2 ++
 3 files changed, 14 insertions(+)

(limited to 'src/network')

diff --git a/src/network/tcp_socket_handler.cpp b/src/network/tcp_socket_handler.cpp
index 642cf03..c6e173d 100644
--- a/src/network/tcp_socket_handler.cpp
+++ b/src/network/tcp_socket_handler.cpp
@@ -332,6 +332,11 @@ void TCPSocketHandler::tls_verify_cert_chain(const std::vector<Botan::X509_Certi
                                              Botan::Usage_Type usage, const std::string& hostname,
                                              const Botan::TLS::Policy& policy)
 {
+  if (!this->policy.verify_certificate_info())
+    {
+      log_debug("Not verifying certificate due to domain policy ");
+      return;
+    }
   log_debug("Checking remote certificate for hostname ", hostname);
   try
     {
diff --git a/src/network/tls_policy.cpp b/src/network/tls_policy.cpp
index b88eb88..8aa8b72 100644
--- a/src/network/tls_policy.cpp
+++ b/src/network/tls_policy.cpp
@@ -37,6 +37,8 @@ void BiboumiTLSPolicy::load(std::istream& is)
       // Workaround for options that are not overridden in Botan::TLS::Text_Policy
       if (pair.first == "require_cert_revocation_info")
         this->req_cert_revocation_info = !(pair.second == "0" || utils::tolower(pair.second) == "false");
+      else if (pair.first == "verify_certificate")
+        this->verify_certificate = !(pair.second == "0" || utils::tolower(pair.second) == "false");
       else
         this->set(pair.first, pair.second);
     }
@@ -47,4 +49,9 @@ bool BiboumiTLSPolicy::require_cert_revocation_info() const
   return this->req_cert_revocation_info;
 }
 
+bool BiboumiTLSPolicy::verify_certificate_info() const
+{
+  return this->verify_certificate;
+}
+
 #endif
diff --git a/src/network/tls_policy.hpp b/src/network/tls_policy.hpp
index 29fd2b3..a0790a3 100644
--- a/src/network/tls_policy.hpp
+++ b/src/network/tls_policy.hpp
@@ -21,8 +21,10 @@ public:
   BiboumiTLSPolicy &operator=(BiboumiTLSPolicy &&) = delete;
 
   bool require_cert_revocation_info() const override;
+  bool verify_certificate_info() const;
 protected:
   bool req_cert_revocation_info{true};
+  bool verify_certificate{true};
 };
 
 #endif
-- 
cgit v1.2.3