From 78e0800beb28669360e37d78de06abf31df9dcac Mon Sep 17 00:00:00 2001
From: Vsevolod Stakhov <vsevolod@highsecure.ru>
Date: Fri, 3 Feb 2017 14:59:45 +0000
Subject: [PATCH] [Minor] Allow to disable ssl verification if needed

---
 src/libutil/http.c     |  3 ++-
 src/libutil/http.h     | 13 ++++++++-----
 src/libutil/ssl_util.c |  7 +++++--
 src/libutil/ssl_util.h |  2 +-
 src/lua/lua_http.c     | 14 ++++++++++++++
 5 files changed, 30 insertions(+), 9 deletions(-)

diff --git a/src/libutil/http.c b/src/libutil/http.c
index 1a8a4b953..47c1836d3 100644
--- a/src/libutil/http.c
+++ b/src/libutil/http.c
@@ -2183,7 +2183,8 @@ rspamd_http_connection_write_message_common (struct rspamd_http_connection *conn
 				rspamd_ssl_connection_free (priv->ssl);
 			}
 
-			priv->ssl = rspamd_ssl_connection_new (priv->ssl_ctx, base);
+			priv->ssl = rspamd_ssl_connection_new (priv->ssl_ctx, base,
+					!(msg->flags & RSPAMD_HTTP_FLAG_SSL_NOVERIFY));
 			g_assert (priv->ssl != NULL);
 
 			if (!rspamd_ssl_connect_fd (priv->ssl, fd, host, &priv->ev,
diff --git a/src/libutil/http.h b/src/libutil/http.h
index 9f3861865..a28a6b389 100644
--- a/src/libutil/http.h
+++ b/src/libutil/http.h
@@ -67,15 +67,18 @@ struct rspamd_storage_shmem {
  * Body has been set for a message
  */
 #define RSPAMD_HTTP_FLAG_HAS_BODY (1 << 5)
-
+/**
+ * Do not verify server's certificate
+ */
+#define RSPAMD_HTTP_FLAG_SSL_NOVERIFY (1 << 6)
 /**
  * Options for HTTP connection
  */
 enum rspamd_http_options {
-	RSPAMD_HTTP_BODY_PARTIAL = 0x1, /**< Call body handler on all body data portions */
-	RSPAMD_HTTP_CLIENT_SIMPLE = 0x2, /**< Read HTTP client reply automatically */
-	RSPAMD_HTTP_CLIENT_ENCRYPTED = 0x4, /**< Encrypt data for client */
-	RSPAMD_HTTP_CLIENT_SHARED = 0x8, /**< Store reply in shared memory */
+	RSPAMD_HTTP_BODY_PARTIAL = 0x1, /**< Call body handler on all body data portions *///!< RSPAMD_HTTP_BODY_PARTIAL
+	RSPAMD_HTTP_CLIENT_SIMPLE = 0x2, /**< Read HTTP client reply automatically */      //!< RSPAMD_HTTP_CLIENT_SIMPLE
+	RSPAMD_HTTP_CLIENT_ENCRYPTED = 0x4, /**< Encrypt data for client */                //!< RSPAMD_HTTP_CLIENT_ENCRYPTED
+	RSPAMD_HTTP_CLIENT_SHARED = 0x8, /**< Store reply in shared memory */              //!< RSPAMD_HTTP_CLIENT_SHARED
 };
 
 typedef int (*rspamd_http_body_handler_t) (struct rspamd_http_connection *conn,
diff --git a/src/libutil/ssl_util.c b/src/libutil/ssl_util.c
index 3dc34e66a..a2106ff2b 100644
--- a/src/libutil/ssl_util.c
+++ b/src/libutil/ssl_util.c
@@ -34,6 +34,7 @@ struct rspamd_ssl_connection {
 		ssl_next_read,
 		ssl_next_write
 	} state;
+	gboolean verify_peer;
 	SSL *ssl;
 	gchar *hostname;
 	struct event *ev;
@@ -373,7 +374,7 @@ rspamd_ssl_event_handler (gint fd, short what, gpointer ud)
 		if (ret == 1) {
 			event_del (c->ev);
 			/* Verify certificate */
-			if (rspamd_ssl_peer_verify (c)) {
+			if ((!c->verify_peer) || rspamd_ssl_peer_verify (c)) {
 				c->state = ssl_conn_connected;
 				c->handler (fd, EV_WRITE, c->handler_data);
 			}
@@ -435,7 +436,8 @@ rspamd_ssl_event_handler (gint fd, short what, gpointer ud)
 }
 
 struct rspamd_ssl_connection *
-rspamd_ssl_connection_new (gpointer ssl_ctx, struct event_base *ev_base)
+rspamd_ssl_connection_new (gpointer ssl_ctx, struct event_base *ev_base,
+		gboolean verify_peer)
 {
 	struct rspamd_ssl_connection *c;
 
@@ -443,6 +445,7 @@ rspamd_ssl_connection_new (gpointer ssl_ctx, struct event_base *ev_base)
 	c = g_slice_alloc0 (sizeof (*c));
 	c->ssl = SSL_new (ssl_ctx);
 	c->ev_base = ev_base;
+	c->verify_peer = verify_peer;
 
 	return c;
 }
diff --git a/src/libutil/ssl_util.h b/src/libutil/ssl_util.h
index 64e6a413e..73a940e00 100644
--- a/src/libutil/ssl_util.h
+++ b/src/libutil/ssl_util.h
@@ -30,7 +30,7 @@ typedef void (*rspamd_ssl_error_handler_t)(gpointer d, GError *err);
  * @return opaque connection data
  */
 struct rspamd_ssl_connection * rspamd_ssl_connection_new (gpointer ssl_ctx,
-		struct event_base *ev_base);
+		struct event_base *ev_base, gboolean verify_peer);
 
 /**
  * Connects SSL session using the specified (connected) FD
diff --git a/src/lua/lua_http.c b/src/lua/lua_http.c
index 2213d8aae..4952f3404 100644
--- a/src/lua/lua_http.c
+++ b/src/lua/lua_http.c
@@ -56,6 +56,7 @@ static const struct luaL_reg httplib_m[] = {
 };
 
 #define RSPAMD_LUA_HTTP_FLAG_TEXT (1 << 0)
+#define RSPAMD_LUA_HTTP_FLAG_NOVERIFY (1 << 0)
 
 struct lua_http_cbdata {
 	lua_State *L;
@@ -260,6 +261,10 @@ lua_http_make_connection (struct lua_http_cbdata *cbd)
 			rspamd_http_message_set_peer_key (cbd->msg, cbd->peer_pk);
 		}
 
+		if (cbd->flags & RSPAMD_LUA_HTTP_FLAG_NOVERIFY) {
+			cbd->msg->flags |= RSPAMD_HTTP_FLAG_SSL_NOVERIFY;
+		}
+
 		rspamd_http_connection_write_message (cbd->conn, cbd->msg,
 				cbd->host, cbd->mime_type, cbd, fd,
 				&cbd->tv, cbd->ev_base);
@@ -548,6 +553,15 @@ lua_http_request (lua_State *L)
 		}
 
 		lua_pop (L, 1);
+
+		lua_pushstring (L, "no_ssl_verify");
+		lua_gettable (L, 1);
+
+		if (!!lua_toboolean (L, -1)) {
+			flags |= RSPAMD_LUA_HTTP_FLAG_NOVERIFY;
+		}
+
+		lua_pop (L, 1);
 	}
 	else {
 		msg_err ("http request has bad params");
-- 
2.39.5