Add needsPeerVerification function to check if peer cert should be verified

Summary:
This patch adds a function to AsyncSSLSocket, so the user can check if the peer cert
should be verified. This allows the user to implement custom logic for peer cert validation.

Reviewed By: Orvid

Differential Revision: D4456402

fbshipit-source-id: 2f8a5c932d0341d6c9290bcb52264dd4fa174263

diff --git a/folly/io/async/AsyncSSLSocket.cpp b/folly/io/async/AsyncSSLSocket.cpp
index 43f876d84f2dd22be77e19cefebb95bdb478b2e7..d6fe249580eeda49f79c3884cb81fd5f9c22ef6e 100644 (file)
--- a/folly/io/async/AsyncSSLSocket.cpp
+++ b/folly/io/async/AsyncSSLSocket.cpp
@@ -656,6 +656,15 @@ void AsyncSSLSocket::connect(ConnectCallback* callback,
   AsyncSocket::connect(connector, address, timeout, options, bindAddr);
 }
 
+bool AsyncSSLSocket::needsPeerVerification() const {
+  if (verifyPeer_ == SSLContext::SSLVerifyPeerEnum::USE_CTX) {
+    return ctx_->needsPeerVerification();
+  }
+  return (
+      verifyPeer_ == SSLContext::SSLVerifyPeerEnum::VERIFY ||
+      verifyPeer_ == SSLContext::SSLVerifyPeerEnum::VERIFY_REQ_CLIENT_CERT);
+}
+
 void AsyncSSLSocket::applyVerificationOptions(SSL * ssl) {
   // apply the settings specified in verifyPeer_
   if (verifyPeer_ == SSLContext::SSLVerifyPeerEnum::USE_CTX) {

diff --git a/folly/io/async/AsyncSSLSocket.h b/folly/io/async/AsyncSSLSocket.h
index 4b0f13f6c1c0dbd90dafba3258d4c49f136b5a5d..7d90fbb1e1e9dcd3de7160dbe1c4b1412e4890f8 100644 (file)
--- a/folly/io/async/AsyncSSLSocket.h
+++ b/folly/io/async/AsyncSSLSocket.h
@@ -587,6 +587,13 @@ class AsyncSSLSocket : public virtual AsyncSocket {
    */
   void getSSLServerCiphers(std::string& serverCiphers) const;
 
+  /**
+   * Method to check if peer verfication is set.
+   *
+   * @return true if peer verification is required.
+   */
+  bool needsPeerVerification() const;
+
   static int getSSLExDataIndex();
   static AsyncSSLSocket* getFromSSL(const SSL *ssl);
   static int bioWrite(BIO* b, const char* in, int inl);