From 1c399bdffe2054b8b0ad9729f9e218f8eb469492 Mon Sep 17 00:00:00 2001
From: Ron Eldor <Ron.Eldor@arm.com>
Date: Wed, 4 Jul 2018 18:45:27 +0300
Subject: [PATCH] Set authmode to optional, if not set

Set authmode to `MBEDTLS_SSL_VERIFY_REQUIRED` when using dtls-srtp,
in case authmode was not set. This is to support self signed certificates
received by the server, which is the case with webRTC. Certificate fingerprints
are verified outside the dtls stack, as defined in RFC 5763.

Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
---
 library/ssl_srv.c | 6 +++---
 library/ssl_tls.c | 6 ++++--
 2 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index 82baeca10c..00549649cf 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -3021,9 +3021,9 @@ static int ssl_write_certificate_request( mbedtls_ssl_context *ssl )
     else
 #endif
 #if defined(MBEDTLS_SSL_DTLS_SRTP)
-    /* check if we have a chosen srtp protection profile */
-    if ( ssl->dtls_srtp_info.chosen_dtls_srtp_profile != MBEDTLS_SRTP_UNSET_PROFILE ) {
-        authmode = MBEDTLS_SSL_VERIFY_REQUIRED;
+    /* check if we have a chosen srtp protection profile, force verify mode to be at least OPTIONAL */
+    if ( ( ssl->dtls_srtp_info.chosen_dtls_srtp_profile != MBEDTLS_SRTP_UNSET_PROFILE ) && ( ssl->conf->authmode == MBEDTLS_SSL_VERIFY_NONE ) ) {
+        authmode = MBEDTLS_SSL_VERIFY_OPTIONAL;
     }
         else
 #endif
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 987b33024e..02efcb4123 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -2753,6 +2753,7 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
 #if defined(MBEDTLS_SSL_DTLS_SRTP)
                        : ssl->dtls_srtp_info.chosen_dtls_srtp_profile !=
                                MBEDTLS_SRTP_UNSET_PROFILE
+                       && ssl->conf->authmode == MBEDTLS_SSL_VERIFY_NONE
                        ? MBEDTLS_SSL_VERIFY_REQUIRED
 #endif /* MBEDTLS_SSL_DTLS_SRTP */
                        : ssl->conf->authmode;
@@ -2760,8 +2761,9 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
     const int authmode =
 #if defined(MBEDTLS_SSL_DTLS_SRTP)
             ssl->dtls_srtp_info.chosen_dtls_srtp_profile !=
-                                           MBEDTLS_SRTP_UNSET_PROFILE ?
-                         MBEDTLS_SSL_VERIFY_REQUIRED :
+                                           MBEDTLS_SRTP_UNSET_PROFILE &&
+            ssl->conf->authmode == MBEDTLS_SSL_VERIFY_NONE ?
+            MBEDTLS_SSL_VERIFY_REQUIRED :
 #endif /* MBEDTLS_SSL_DTLS_SRTP */
             ssl->conf->authmode;
 #endif