From 6d9b75dbefb06e0412910b615f256c01336e70ce Mon Sep 17 00:00:00 2001
From: Pavel Punsky
Date: Sun, 4 Sep 2022 05:56:49 -0700
Subject: [PATCH] Fix uclient certificate loading bug (#970)
When using `turnutils_uclient` with `-S` flag (TLS or DTLS) it is not required to load certificates. Only load certificates when corresponding flags are provided Fixes #376 which prevented using `turnutils_uclient` for testing TLS/DTLS connections Test plan: - Run local turnserver with certificates `./bin/turnserver --cert ./bin/public.pem --pkey ./bin/private.key --use-auth-secret --static-auth-secret=secret --realm=north.gov --allow-loopback-peers --no-cli --verbose` - Run fixed uclient without TLS/DTLS`./bin/turnutils_uclient -e 127.0.0.1 -X -g -u user -W secret 127.0.0.1` and get success result (just to make sure non-secure still works) - Run fixed uclient with TLS `./bin/turnutils_uclient -e 127.0.0.1 -X -g -u user -W secret -t -S 127.0.0.1` and get success result - Run fixed uclient with DTLS `./bin/turnutils_uclient -e 127.0.0.1 -X -g -u user -W secret -S 127.0.0.1` and get success result - Run unpatched uclient with TLS `./bin/turnutils_uclient -e 127.0.0.1 -X -g -u user -W secret -t -S 127.0.0.1` - error about missing certificate files
Co-authored-by: Pavel Punsky
---
 src/apps/uclient/mainuclient.c | 49 +++++++++++++++++++++-------------
 1 file changed, 30 insertions(+), 19 deletions(-)
diff --git a/src/apps/uclient/mainuclient.c b/src/apps/uclient/mainuclient.c
index 2516f4d..a8f2b92 100644
--- a/src/apps/uclient/mainuclient.c
+++ b/src/apps/uclient/mainuclient.c
@@ -520,35 +520,47 @@ int main(int argc, char **argv)
 #endif
 #endif
 }
+ }
+ int use_cert = 0;
+ int use_ca_cert = 0;
+ if(cert_file[0] && pkey_file[0])
+ {
+ use_cert = 1;
+ }
+ if(ca_cert_file[0])
+ {
+ use_ca_cert = 1;
+ }
+
+ if(use_cert)
+ {
 int sslind = 0;
- for(sslind = 0; sslind