From 947678e0b703d0d9ce5fbc47a6f11c0575c5cb72 Mon Sep 17 00:00:00 2001
From: Dmitry Simonenko
Date: Fri, 31 Mar 2017 13:27:05 +0300
Subject: [PATCH] odissey: validate tls modes
---
 core/od_scheme.c | 43 +++++++++++++++++++++++++++++++++++++++++++
 core/od_scheme.h | 10 ++++++++++
 2 files changed, 53 insertions(+)
diff --git a/core/od_scheme.c b/core/od_scheme.c
index 0706f3da..d0047447 100644
--- a/core/od_scheme.c
+++ b/core/od_scheme.c
@@ -37,6 +37,7 @@ void od_schemeinit(od_scheme_t *scheme)
 scheme->keepalive = 7200;
 scheme->workers = 1;
 scheme->client_max = 100;
+ scheme->tls_verify = OD_TDISABLE;
 scheme->tls_mode = NULL;
 scheme->tls_ca_file = NULL;
 scheme->tls_key_file = NULL;
@@ -207,6 +208,28 @@ int od_schemevalidate(od_scheme_t *scheme, od_log_t *log)
 if (scheme->host == NULL)
 scheme->host = "127.0.0.1";
+ /* tls */
+ if (scheme->tls_mode) {
+ if (strcmp(scheme->tls_mode, "disable") == 0) {
+ scheme->tls_verify = OD_TDISABLE;
+ } else
+ if (strcmp(scheme->tls_mode, "allow") == 0) {
+ scheme->tls_verify = OD_TALLOW;
+ } else
+ if (strcmp(scheme->tls_mode, "require") == 0) {
+ scheme->tls_verify = OD_TREQUIRE;
+ } else
+ if (strcmp(scheme->tls_mode, "verify_ca") == 0) {
+ scheme->tls_verify = OD_TVERIFY_CA;
+ } else
+ if (strcmp(scheme->tls_mode, "verify_full") == 0) {
+ scheme->tls_verify = OD_TVERIFY_FULL;
+ } else {
+ od_error(log, NULL, "unknown tls mode");
+ return -1;
+ }
+ }
+ /* servers */
+ if (od_listempty(&scheme->servers)) {
+ od_error(log, NULL, "no servers defined");
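Review bot: The string-to-od_tls_t mapping added after the host default is repeated verbatim in the server loop of the next hunk, so a new mode or a corrected spelling has to be edited in two places and the two chains can silently drift apart. A static helper that takes the mode string and an out-pointer and returns -1 for an unknown value lets both call sites keep their existing od_error/return -1 paths while holding the accepted names in one table. od_schemevalidate starts and ends outside this hunk, so the helper would go above it in the same file.
```c
/* Map a tls_mode string onto od_tls_t; returns -1 when the string is not a known mode. */
static int
od_scheme_tls_parse(const char *mode, od_tls_t *tls)
{
	if (strcmp(mode, "disable") == 0)
		*tls = OD_TDISABLE;
	else if (strcmp(mode, "allow") == 0)
		*tls = OD_TALLOW;
	else if (strcmp(mode, "require") == 0)
		*tls = OD_TREQUIRE;
	else if (strcmp(mode, "verify_ca") == 0)
		*tls = OD_TVERIFY_CA;
	else if (strcmp(mode, "verify_full") == 0)
		*tls = OD_TVERIFY_FULL;
	else
		return -1;
	return 0;
}

/* … unchanged: od_schemevalidate() up to the host default … */
	/* tls */
	if (scheme->tls_mode &&
	    od_scheme_tls_parse(scheme->tls_mode, &scheme->tls_verify) == -1) {
		od_error(log, NULL, "unknown tls mode");
		return -1;
	}
/* … unchanged: servers check … */
```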
@@ -221,6 +244,26 @@ int od_schemevalidate(od_scheme_t *scheme, od_log_t *log)
 server->name);
 return -1;
 }
+ if (server->tls_mode) {
+ if (strcmp(server->tls_mode, "disable") == 0) {
+ server->tls_verify = OD_TDISABLE;
+ } else
+ if (strcmp(server->tls_mode, "allow") == 0) {
+ server->tls_verify = OD_TALLOW;
+ } else
+ if (strcmp(server->tls_mode, "require") == 0) {
+ server->tls_verify = OD_TREQUIRE;
+ } else
+ if (strcmp(server->tls_mode, "verify_ca") == 0) {
+ server->tls_verify = OD_TVERIFY_CA;
+ } else
+ if (strcmp(server->tls_mode, "verify_full") == 0) {
+ server->tls_verify = OD_TVERIFY_FULL;
+ } else {
+ od_error(log, NULL, "unknown server tls mode");
+ return -1;
+ }
+ }
 }
 od_schemeroute_t *default_route = NULL;
diff --git a/core/od_scheme.h b/core/od_scheme.h
index 8021dce5..46235c2c 100644
--- a/core/od_scheme.h
+++ b/core/od_scheme.h
@@ -30,11 +30,20 @@ typedef enum {
 OD_AMD5
 } od_auth_t;
+typedef enum {
+ OD_TDISABLE,
+ OD_TALLOW,
+ OD_TREQUIRE,
+ OD_TVERIFY_CA,
+ OD_TVERIFY_FULL
+} od_tls_t;
+ struct od_schemeserver_t {
 int id;
 char *name;
 char *host;
 int port;
+ od_tls_t tls_verify;
 char *tls_mode;
 char *tls_ca_file;
 char *tls_key_file;
@@ -97,6 +106,7 @@ struct od_scheme_t {
 int keepalive;
 int workers;
 int client_max;
+ od_tls_t tls_verify;
 char *tls_mode;
 char *tls_ca_file;
 char *tls_key_file;
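Review bot: `server->tls_verify` is written only inside `if (server->tls_mode) {`, so a server entry configured without a tls_mode keeps whatever the field held when the struct was created; the first hunk gives the global scheme an explicit `scheme->tls_verify = OD_TDISABLE;` in od_schemeinit, but nothing in this patch does the same for servers. If the server allocator does not zero the struct, later readers of the field would see an indeterminate mode; since OD_TDISABLE is the enum's first value a zeroed allocation happens to yield it, but that is an implicit coupling rather than a stated default. A one-line explicit default after the block, `} else server->tls_verify = OD_TDISABLE;`, or the same assignment in the server allocation path, removes the dependence on the allocator. The enclosing loop and od_schemevalidate itself start outside this hunk.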
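Review bot: The new od_tls_t enum carries no comment on what the levels mean or how a value is produced, so a reader of the header cannot tell that `tls_verify` is derived from the `tls_mode` string rather than set by the caller. Suggest a comment above the typedef along the lines of `/* TLS verification level, derived from the tls_mode string by od_schemevalidate(); the global scheme defaults to OD_TDISABLE when tls_mode is unset */`. It is also worth stating next to OD_TDISABLE that it is intentionally the first (zero) value, since a zero-initialized struct silently yields "disabled" and that is a property other code may come to rely on.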