Commit 653526bf authored by Ghislain MARY's avatar Ghislain MARY

Merge branch 'bctoolbox'

parents 0168639e 58bbbe36
......@@ -38,7 +38,6 @@ option(ENABLE_RTP_MAP_ALWAYS_IN_SDP "Always include rtpmap in SDP." OFF)
option(ENABLE_SERVER_SOCKETS "Enable server sockets" ON)
option(ENABLE_STATIC "Build static library (default is shared library)." OFF)
option(ENABLE_STRICT "Build with strict compile options." YES)
option(ENABLE_TLS "Enable TLS support" ON)
option(ENABLE_TUNNEL "Enable tunnel support" OFF)
option(ENABLE_TESTS "Enable compilation of tests" ON)
......@@ -99,12 +98,13 @@ cmake_pop_check_state()
if(ENABLE_RTP_MAP_ALWAYS_IN_SDP)
set(BELLE_SDP_FORCE_RTP_MAP 1)
endif()
if(ENABLE_TLS)
find_package(PolarSSL REQUIRED)
if(POLARSSL_FOUND)
set(HAVE_POLARSSL 1)
endif()
if(LINPHONE_BUILDER_GROUP_EXTERNAL_SOURCE_PATH_BUILDERS)
include("${EP_bctoolbox_CONFIG_DIR}/BcToolboxConfig.cmake")
else()
find_package(BcToolBox REQUIRED)
endif()
if(ENABLE_TUNNEL)
if(LINPHONE_BUILDER_GROUP_EXTERNAL_SOURCE_PATH_BUILDERS)
include("${EP_tunnel_CONFIG_DIR}/TunnelConfig.cmake")
......@@ -140,13 +140,11 @@ set(libdir ${prefix}/lib)
set(includedir ${prefix}/include)
get_filename_component(antlr3c_library_path "${ANTLR3C_LIBRARIES}" PATH)
set(LIBS_PRIVATE "-L${antlr3c_library_path} -lantlr3c")
get_filename_component(bctoolbox_library_path "${BCTOOLBOX_LIBRARIES}" PATH)
set(LIBS_PRIVATE "${LIBS_PRIVATE} -L${bctoolbox_library_path} -lbctoolbox")
if(CUNIT_FOUND)
set(REQUIRES_PRIVATE "${REQUIRES_PRIVATE} cunit")
endif()
if(HAVE_POLARSSL)
get_filename_component(polarssl_library_path "${POLARSSL_LIBRARIES}" PATH)
set(LIBS_PRIVATE "${LIBS_PRIVATE} -L${polarssl_library_path} -lpolarssl")
endif()
if(HAVE_LIBDL)
set(LIBS_PRIVATE "${LIBS_PRIVATE} -ldl")
endif()
......@@ -162,7 +160,7 @@ include_directories(
src
${CMAKE_CURRENT_BINARY_DIR}
${CMAKE_CURRENT_BINARY_DIR}/src
${POLARSSL_INCLUDE_DIRS}
${BCTOOLBOX_INCLUDE_DIRS}
)
if(TUNNEL_FOUND)
include_directories(${TUNNEL_INCLUDE_DIRS})
......@@ -179,7 +177,7 @@ set(STRICT_OPTIONS_CPP )
set(STRICT_OPTIONS_C )
set(STRICT_OPTIONS_OBJC "-fmodules")
if(NOT MSVC)
list(APPEND STRICT_OPTIONS_CPP "-Wall" "-Wuninitialized")
list(APPEND STRICT_OPTIONS_CPP "-Wall" "-Wuninitialized" "-Wno-error=deprecated-declarations")
if(CMAKE_C_COMPILER_ID STREQUAL "Clang")
list(APPEND STRICT_OPTIONS_CPP "-Wno-error=unknown-warning-option" "-Qunused-arguments" "-Wno-tautological-compare" "-Wno-builtin-requires-header" "-Wno-unused-function" "-Wno-gnu-designator" "-Wno-array-bounds")
elseif(CMAKE_C_COMPILER_ID STREQUAL "GNU")
......
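Review bot: Appending `-Wno-error=deprecated-declarations` to STRICT_OPTIONS_CPP in the last hunk turns off, for every target in the tree, exactly the diagnostic that the BELLESIP_DEPRECATED markers added elsewhere in this commit are meant to raise, so any in-tree caller of the old `belle_tls_verify_policy_*` API keeps building without anyone noticing. If only some targets (presumably tests or compatibility code) still need the old API, scope it with `target_compile_options(<target> PRIVATE -Wno-error=deprecated-declarations)` on those targets, or at least annotate the line: `# do not fail the strict build on our own deprecated belle_tls_verify_policy_* API`. The enclosing `if(NOT MSVC)` block continues past the hunk. In the pkg-config hunk, `-L${bctoolbox_library_path} -lbctoolbox` assumes BCTOOLBOX_LIBRARIES holds a single entry whose file is named libbctoolbox; a short comment next to the `get_filename_component` call would make that assumption explicit.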
......@@ -73,8 +73,8 @@ LOCAL_SRC_FILES := \
bodyhandler.c \
transports/stream_channel.c \
transports/stream_listeningpoint.c \
transports/tls_channel_polarssl.c \
transports/tls_listeningpoint_polarssl.c \
transports/tls_channel.c \
transports/tls_listeningpoint.c \
transports/udp_channel.c \
transports/udp_listeningpoint.c \
wakelock.c
......@@ -97,12 +97,9 @@ LOCAL_CFLAGS += -DBELLE_SIP_DONT_CHECK_HEADERS_IN_MESSAGE
endif
LOCAL_STATIC_LIBRARIES := \
antlr3
antlr3
ifeq ($(BUILD_TLS),1)
LOCAL_STATIC_LIBRARIES += polarssl
LOCAL_C_INCLUDES += $(LOCAL_PATH)/../../externals/polarssl/include
LOCAL_CFLAGS += -DHAVE_POLARSSL=1
endif
LOCAL_C_INCLUDES += $(LOCAL_PATH)/../../bctoolbox/include
LOCAL_STATIC_LIBRARIES += bctoolbox
include $(BUILD_STATIC_LIBRARY)
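Review bot: The new `LOCAL_C_INCLUDES += $(LOCAL_PATH)/../../bctoolbox/include` and `LOCAL_STATIC_LIBRARIES += bctoolbox` lines in the second hunk make a sibling bctoolbox checkout a hard, unconditional requirement of the Android build, while the `BUILD_TLS` switch that used to gate the crypto dependency disappears without a note; a build invoked with BUILD_TLS=0 now silently builds TLS anyway (inferred: nothing else on this page consults BUILD_TLS). A one-line comment above the new lines would save the next person a hunt: `# TLS support is no longer optional: bctoolbox (checked out next to belle-sip) is always required`.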
############################################################################
# FindPolarSSL.txt
# Copyright (C) 2015 Belledonne Communications, Grenoble France
# FindiBcToolBox.cmake
# Copyright (C) 2016 Belledonne Communications, Grenoble France
#
############################################################################
#
......@@ -20,58 +20,37 @@
#
############################################################################
#
# - Find the polarssl include file and library
# - Find the bctoolbox include file and library
#
# POLARSSL_FOUND - system has polarssl
# POLARSSL_INCLUDE_DIRS - the polarssl include directory
# POLARSSL_LIBRARIES - The libraries needed to use polarssl
# BCTOOLBOX_FOUND - system has BC Toolbox
# BCTOOLBOX_INCLUDE_DIRS - the BC Toolbox include directory
# BCTOOLBOX_LIBRARIES - The libraries needed to use BC Toolbox
include(CMakePushCheckState)
include(CheckIncludeFile)
include(CheckCSourceCompiles)
include(CheckSymbolExists)
set(_POLARSSL_ROOT_PATHS
set(_BCTOOLBOX_ROOT_PATHS
${CMAKE_INSTALL_PREFIX}
)
find_path(POLARSSL_INCLUDE_DIRS
NAMES polarssl/ssl.h
HINTS _POLARSSL_ROOT_PATHS
find_path(BCTOOLBOX_INCLUDE_DIRS
NAMES bctoolbox/crypto.h
HINTS _BCTOOLBOX_ROOT_PATHS
PATH_SUFFIXES include
)
if(POLARSSL_INCLUDE_DIRS)
set(HAVE_POLARSSL_SSL_H 1)
endif()
find_library(POLARSSL_LIBRARIES
NAMES polarssl mbedtls
HINTS _POLARSSL_ROOT_PATHS
find_library(BCTOOLBOX_LIBRARIES
NAMES bctoolbox
HINTS _BCTOOLBOX_ROOT_PATHS
PATH_SUFFIXES bin lib
)
if(POLARSSL_LIBRARIES)
cmake_push_check_state(RESET)
set(CMAKE_REQUIRED_INCLUDES ${POLARSSL_INCLUDE_DIRS})
set(CMAKE_REQUIRED_LIBRARIES ${POLARSSL_LIBRARIES})
check_c_source_compiles("#include <polarssl/version.h>
#include <polarssl/x509.h>
#if POLARSSL_VERSION_NUMBER >= 0x01030000
#include <polarssl/compat-1.2.h>
#endif
int main(int argc, char *argv[]) {
x509parse_crtpath(0,0);
return 0;
}"
X509PARSE_CRTPATH_OK)
check_symbol_exists(ssl_get_dtls_srtp_protection_profile "polarssl/ssl.h" HAVE_SSL_GET_DTLS_SRTP_PROTECTION_PROFILE)
cmake_pop_check_state()
endif()
include(FindPackageHandleStandardArgs)
find_package_handle_standard_args(PolarSSL
find_package_handle_standard_args(BcToolBox
DEFAULT_MSG
POLARSSL_INCLUDE_DIRS POLARSSL_LIBRARIES HAVE_POLARSSL_SSL_H
BCTOOLBOX_INCLUDE_DIRS BCTOOLBOX_LIBRARIES
)
mark_as_advanced(POLARSSL_INCLUDE_DIRS POLARSSL_LIBRARIES HAVE_POLARSSL_SSL_H X509PARSE_CRTPATH_OK HAVE_SSL_GET_DTLS_SRTP_PROTECTION_PROFILE)
mark_as_advanced(BCTOOLBOX_INCLUDE_DIRS BCTOOLBOX_LIBRARIES)
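Review bot: `HINTS _BCTOOLBOX_ROOT_PATHS` in both `find_path` and `find_library` passes the variable's name as a literal string rather than its value, so the `${CMAKE_INSTALL_PREFIX}` hint prepared a few lines above is never consulted (the same slip was carried over from the PolarSSL module being replaced); both calls should read `HINTS ${_BCTOOLBOX_ROOT_PATHS}`. The `include(CMakePushCheckState)`, `include(CheckIncludeFile)`, `include(CheckCSourceCompiles)` and `include(CheckSymbolExists)` lines are now dead, since the compile and symbol checks that used them were removed together with PolarSSL. The header comment also misspells the module as `FindiBcToolBox.cmake`.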
......@@ -37,9 +37,6 @@
#cmakedefine HAVE_ANTLR3_H
#cmakedefine HAVE_ANTLR_STRING_STREAM_NEW
#cmakedefine HAVE_POLARSSL_SSL_H
#cmakedefine HAVE_POLARSSL
#cmakedefine HAVE_CUNIT_CUNIT_H
#cmakedefine HAVE_CU_CURSES
#cmakedefine HAVE_CU_GET_SUITE
......
......@@ -131,16 +131,16 @@ typedef enum belle_sip_certificate_raw_format {
* @param buff raw buffer
* @param size buffer size
* @param format either PEM or DER
* @return belle_sip_certificates_chain_t or NUL if cannot be decoded
* @return belle_sip_certificates_chain_t or NULL if cannot be decoded
*/
BELLESIP_EXPORT belle_sip_certificates_chain_t* belle_sip_certificates_chain_parse(const char* buff, size_t size,belle_sip_certificate_raw_format_t format);
/**
* Parse a buffer containing either a private or public rsa key
* Parse a buffer containing either a private or public rsa key in PEM format
* @param buff raw buffer
* @param size buffer size
* @param passwd password (optionnal)
* @return list of belle_sip_signing_key_t or NUL iff cannot be decoded
* @return list of belle_sip_signing_key_t or NULL if cannot be decoded
*/
BELLESIP_EXPORT belle_sip_signing_key_t* belle_sip_signing_key_parse(const char* buff, size_t size,const char* passwd);
......@@ -208,12 +208,66 @@ BELLESIP_EXPORT char *belle_sip_certificates_chain_get_fingerprint(belle_sip_cer
*/
BELLESIP_EXPORT belle_sip_signing_key_t* belle_sip_signing_key_parse_file(const char* path, const char* passwd);
BELLESIP_EXPORT belle_tls_verify_policy_t *belle_tls_verify_policy_new(void);
BELLESIP_EXPORT int belle_tls_verify_policy_set_root_ca(belle_tls_verify_policy_t *obj, const char *path);
#define BELLE_TLS_VERIFY_NONE (0)
#define BELLE_TLS_VERIFY_CN_MISMATCH (1)
#define BELLE_TLS_VERIFY_ANY_REASON (0xff)
BELLESIP_EXPORT void belle_tls_verify_policy_set_exceptions(belle_tls_verify_policy_t *obj, int flags);
BELLESIP_EXPORT unsigned int belle_tls_verify_policy_get_exceptions(const belle_tls_verify_policy_t *obj);
/* Set of functions deprecated on 2016/02/02 use the belle_tls_crypto_config_XXX ones */
BELLESIP_DEPRECATED BELLESIP_EXPORT belle_tls_verify_policy_t *belle_tls_verify_policy_new(void);
BELLESIP_DEPRECATED BELLESIP_EXPORT int belle_tls_verify_policy_set_root_ca(belle_tls_verify_policy_t *obj, const char *path);
BELLESIP_DEPRECATED BELLESIP_EXPORT void belle_tls_verify_policy_set_exceptions(belle_tls_verify_policy_t *obj, int flags);
BELLESIP_DEPRECATED BELLESIP_EXPORT unsigned int belle_tls_verify_policy_get_exceptions(const belle_tls_verify_policy_t *obj);
/**
* Create a new crypto configuration object
* The crypto configuration may be passed to a http provider or a listening point using the appropriate methods
* It can be used to provide :
* - a path to the trusted root certificates
* - a way to override certificate verification exceptions
* - a ssl configuration structure provided directly to the underlying crypto library (mbedtls 2 or above),
* @return an empty belle_tls_crypto_config object, trusted certificate path is initialised to the default system path without any warranty
*/
BELLESIP_EXPORT belle_tls_crypto_config_t *belle_tls_crypto_config_new(void);
/**
* Set the path to the trusted certificate chain
* @param[in/out] obj The crypto configuration object to set
* @param[in] path The path to the trusted certificate chain file(NULL terminated string)
*
* @return 0 on success
*/
BELLESIP_EXPORT int belle_tls_crypto_config_set_root_ca(belle_tls_crypto_config_t *obj, const char *path);
/**
* Set the exception flags to manage exception overriding during peer certificate verification
* @param[in/out] obj The crypto configuration object to set
* @param[in] flags Flags value to set:
* BELLE_TLS_VERIFY_NONE to raise and error on any exception
* BELLE_TLS_VERIFY_CN_MISMATCH to ignore Common Name mismatch
* BELLE_TLS_VERIFY_ANY_REASON to ignore any exception
*
* @return 0 on success
*/
BELLESIP_EXPORT void belle_tls_crypto_config_set_verify_exceptions(belle_tls_crypto_config_t *obj, int flags);
/**
* Get the exception flags used to manage exception overriding during peer certificate verification
* @param[in]i obj The crypto configuration object to set
* @return Possible flags value :
* BELLE_TLS_VERIFY_NONE to raise and error on any exception
* BELLE_TLS_VERIFY_CN_MISMATCH to ignore Common Name mismatch
* BELLE_TLS_VERIFY_ANY_REASON to ignore any exception
*
*/
BELLESIP_EXPORT unsigned int belle_tls_crypto_config_get_verify_exceptions(const belle_tls_crypto_config_t *obj);
/**
* Set the pointer to an externally provided ssl configuration for the crypto library
* @param[in/out] obj The crypto configuration object to set
* @param[in] ssl_config A pointer to an opaque structure which will be provided directly to the crypto library used in bctoolbox. Use with extra care.
* This ssl_config structure is responsability of the caller and will not be freed at the connection's end.
*/
BELLESIP_EXPORT void belle_tls_crypto_config_set_ssl_config(belle_tls_crypto_config_t *obj, void *ssl_config);
BELLE_SIP_END_DECLS
......
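Review bot: The doc block for `belle_tls_crypto_config_set_verify_exceptions` ends with `@return 0 on success`, but the declaration right below it returns `void`, so the comment promises a result callers cannot check; either drop the `@return` line or return int like `belle_tls_crypto_config_set_root_ca` does. The same block and the getter's say "to raise and error" (should be "an error"), and the getter has a stray `i` in `@param[in]i obj`. Since BELLE_TLS_VERIFY_ANY_REASON suppresses every certificate verification failure, its entry deserves one more clause so the consequence is not missed, e.g. `BELLE_TLS_VERIFY_ANY_REASON to ignore any exception (the peer certificate is then effectively not authenticated)`. The `belle_tls_crypto_config_new` comment states that the trusted path is initialised to the system default, but the header does not say what happens on platforms that have no known default; one sentence there would close that gap.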
......@@ -24,8 +24,18 @@
BELLE_SIP_BEGIN_DECLS
#define BELLE_SIP_HTTP_PROVIDER(obj) BELLE_SIP_CAST(obj,belle_http_provider_t)
/**
* Set the certificate verify policy for the TLS connection
* @return 0 on succes
* @deprecated Use belle_http_provider_set_tls_crypto_config() instead
*/
BELLESIP_DEPRECATED BELLESIP_EXPORT int belle_http_provider_set_tls_verify_policy(belle_http_provider_t *obj, belle_tls_verify_policy_t *verify_ctx);
BELLESIP_EXPORT int belle_http_provider_set_tls_verify_policy(belle_http_provider_t *obj, belle_tls_verify_policy_t *verify_ctx);
/**
* Set the certificate crypto configuration used by this TLS connection
* @return 0 on succes
*/
BELLESIP_EXPORT int belle_http_provider_set_tls_crypto_config(belle_http_provider_t *obj, belle_tls_crypto_config_t *crypto_config);
/**
* Can be used to simulate network recv error, for tests.
......
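Review bot: The doc for the new `belle_http_provider_set_tls_crypto_config` says the configuration is used "by this TLS connection", but the object is a provider, and the comment does not say whether the provider takes its own reference to `crypto_config` or whether channels already open keep the previous configuration; both matter to a caller who changes the CA path or exception flags at runtime. Suggested wording: `Set the crypto configuration (trusted CA path, verification exceptions, optional ssl config) used for TLS channels created by this provider. The provider keeps its own reference.` — the reference-holding part should be confirmed against SET_OBJECT_PROPERTY in http-provider.c, and whether existing channels are affected should be stated once that is known. Both `@return 0 on succes` lines also misspell "success".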
......@@ -59,15 +59,13 @@ BELLESIP_EXPORT void belle_sip_listening_point_clean_channels(belle_sip_listenin
BELLESIP_EXPORT int belle_sip_listening_point_get_channel_count(const belle_sip_listening_point_t *lp);
BELLESIP_EXPORT int belle_sip_listening_point_get_well_known_port(const char *transport);
/*deprecated*/
BELLESIP_EXPORT int belle_sip_tls_listening_point_set_root_ca(belle_sip_tls_listening_point_t *s, const char *path);
BELLESIP_DEPRECATED BELLESIP_EXPORT int belle_sip_tls_listening_point_set_root_ca(belle_sip_tls_listening_point_t *s, const char *path);
/*deprecated*/
#define BELLE_SIP_TLS_LISTENING_POINT_BADCERT_CN_MISMATCH BELLE_TLS_VERIFY_CN_MISMATCH
#define BELLE_SIP_TLS_LISTENING_POINT_BADCERT_ANY_REASON BELLE_TLS_VERIFY_ANY_REASON
BELLESIP_EXPORT int belle_sip_tls_listening_point_set_verify_exceptions(belle_sip_tls_listening_point_t *s, int flags);
BELLESIP_EXPORT int belle_sip_tls_listening_point_set_verify_policy(belle_sip_tls_listening_point_t *s, belle_tls_verify_policy_t *pol);
BELLESIP_DEPRECATED BELLESIP_EXPORT int belle_sip_tls_listening_point_set_verify_exceptions(belle_sip_tls_listening_point_t *s, int flags);
BELLESIP_DEPRECATED BELLESIP_EXPORT int belle_sip_tls_listening_point_set_verify_policy(belle_sip_tls_listening_point_t *s, belle_tls_verify_policy_t *pol);
BELLESIP_EXPORT int belle_sip_tls_listening_point_set_crypto_config(belle_sip_tls_listening_point_t *s, belle_tls_crypto_config_t *crypto_config);
BELLESIP_EXPORT belle_sip_listening_point_t * belle_sip_tunnel_listening_point_new(belle_sip_stack_t *s, void *tunnelclient);
......
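Review bot: `belle_sip_tls_listening_point_set_crypto_config`, the only non-deprecated setter left in this hunk, is the one declaration without a doc comment, while the other new crypto-config entry points in this commit get Doxygen blocks; a short one keeps the public header consistent, e.g. `/** Set the crypto configuration (trusted CA path, verify exceptions, ssl config) used for TLS channels of this listening point. @return 0 on success */`. The two bare `/*deprecated*/` marker comments are now redundant with the BELLESIP_DEPRECATED attribute on the same declarations and would be more useful naming the replacement, e.g. `/* deprecated: use belle_sip_tls_listening_point_set_crypto_config() */`.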
......@@ -22,6 +22,14 @@
#include "belle-sip/object.h"
#include "belle-sip/dict.h"
#ifndef BELLESIP_DEPRECATED
#if defined(_MSC_VER)
#define BELLESIP_DEPRECATED __declspec(deprecated)
#else
#define BELLESIP_DEPRECATED __attribute__ ((deprecated))
#endif
#endif
/**
* This enum declares all object types used in belle-sip (see belle_sip_object_t)
**/
......@@ -124,7 +132,7 @@ BELLE_SIP_DECLARE_TYPES_BEGIN(belle_sip,1)
BELLE_SIP_TYPE_ID(belle_http_channel_context_t),
BELLE_SIP_TYPE_ID(belle_generic_uri_t),
BELLE_SIP_TYPE_ID(belle_http_callbacks_t),
BELLE_SIP_TYPE_ID(belle_tls_verify_policy_t),
BELLE_SIP_TYPE_ID(belle_tls_crypto_config_t),
BELLE_SIP_TYPE_ID(belle_http_header_authorization_t),
BELLE_SIP_TYPE_ID(belle_sip_body_handler_t),
BELLE_SIP_TYPE_ID(belle_sip_memory_body_handler_t),
......@@ -167,7 +175,8 @@ typedef struct _belle_sip_uri belle_sip_uri_t;
typedef struct _belle_sip_parameters belle_sip_parameters_t;
typedef struct belle_sip_param_pair belle_sip_param_pair_t;
typedef struct _belle_sip_header belle_sip_header_t;
typedef struct belle_tls_verify_policy belle_tls_verify_policy_t;
typedef struct belle_tls_crypto_config belle_tls_crypto_config_t;
typedef struct belle_tls_crypto_config belle_tls_verify_policy_t; /* belle_tls_verify_policy_t is deprecated, just for backward compatibility */
typedef struct belle_sip_body_handler belle_sip_body_handler_t;
typedef struct belle_sip_memory_body_handler belle_sip_memory_body_handler_t;
typedef struct belle_sip_user_body_handler belle_sip_user_body_handler_t;
......
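Review bot: The `BELLESIP_DEPRECATED` fallback at the top of the first hunk expands to `__attribute__ ((deprecated))` for every compiler that is not MSVC, so a compiler that understands neither spelling fails on every deprecated declaration instead of merely losing the warning. Replace the `#else` with `#elif defined(__GNUC__) || defined(__clang__)` and add `#else` / `#define BELLESIP_DEPRECATED` (empty) before the `#endif` so the header stays usable everywhere. The `belle_tls_verify_policy_t` alias typedef in the last hunk is the right way to keep old callers compiling; its comment could name the replacement explicitly, e.g. `/* deprecated alias of belle_tls_crypto_config_t, kept for backward compatibility */`.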
......@@ -23,6 +23,9 @@
set(INCLUDES ${ANTLR3C_INCLUDE_DIRS})
set(LIBS ${ANTLR3C_LIBRARIES})
list(APPEND INCLUDES ${BCTOOLBOX_INCLUDE_DIR})
list(APPEND LIBS ${BCTOOLBOX_LIBRARIES})
if(Threads_FOUND)
if(CMAKE_USE_PTHREADS_INIT AND NOT CMAKE_SYSTEM_NAME MATCHES "QNX")
list(APPEND LIBS pthread)
......@@ -67,15 +70,6 @@ add_custom_command(
set_source_files_properties(${SDP_GENERATED_SOURCE_FILES_C} ${SIP_MESSAGE_GENERATED_SOURCE_FILES_C} PROPERTIES GENERATED TRUE)
if(ENABLE_TLS)
set(TLS_SOURCE_FILES_C
transports/tls_listeningpoint_polarssl.c
transports/tls_channel_polarssl.c
)
list(APPEND INCLUDES ${POLARSSL_INCLUDE_DIR})
list(APPEND LIBS ${POLARSSL_LIBRARIES})
endif()
if(ENABLE_TUNNEL)
set(TUNNEL_SOURCE_FILES_C
transports/tunnel_listeningpoint.c
......@@ -134,11 +128,12 @@ set(BELLE_SIP_SOURCE_FILES_C
transports/stream_listeningpoint.c
transports/udp_channel.c
transports/udp_listeningpoint.c
transports/tls_listeningpoint.c
transports/tls_channel.c
grammars/belle_sip_message.g
grammars/belle_sdp.g
${SDP_GENERATED_SOURCE_FILES_C}
${SIP_MESSAGE_GENERATED_SOURCE_FILES_C}
${TLS_SOURCE_FILES_C}
${TUNNEL_SOURCE_FILES_C}
)
set(BELLE_SIP_SOURCE_FILES_CXX
......
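Review bot: `list(APPEND INCLUDES ${BCTOOLBOX_INCLUDE_DIR})` in the first hunk uses the singular name, but the FindBcToolBox module added in this same commit only sets `BCTOOLBOX_INCLUDE_DIRS`, so the append is empty and the library compiles only because the top-level CMakeLists still puts `${BCTOOLBOX_INCLUDE_DIRS}` into a directory-wide `include_directories()`; the PolarSSL lines it replaces had the same mismatch. Unless the BcToolboxConfig.cmake path used by the external-source builders defines the singular variable, change it to `list(APPEND INCLUDES ${BCTOOLBOX_INCLUDE_DIRS})`. With `ENABLE_TLS` gone, `transports/tls_listeningpoint.c` and `transports/tls_channel.c` become unconditional sources in the last hunk, which is fine but worth a comment on the source list since TLS was optional until now.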
......@@ -80,28 +80,49 @@ belle_sip_auth_mode_t belle_sip_auth_event_get_mode(const belle_sip_auth_event_t
}
static void verify_policy_uninit(belle_tls_verify_policy_t *obj){
/* deprecated on 2016/02/02 */
belle_tls_verify_policy_t *belle_tls_verify_policy_new(){
return (belle_tls_verify_policy_t *)belle_tls_crypto_config_new();
}
int belle_tls_verify_policy_set_root_ca(belle_tls_verify_policy_t *obj, const char *path){
return belle_tls_crypto_config_set_root_ca(obj, path);
}
void belle_tls_verify_policy_set_exceptions(belle_tls_verify_policy_t *obj, int flags){
belle_tls_crypto_config_set_verify_exceptions(obj, flags);
}
unsigned int belle_tls_verify_policy_get_exceptions(const belle_tls_verify_policy_t *obj){
return belle_tls_crypto_config_get_verify_exceptions(obj);
}
/* end of deprecated on 2016/02/02 */
static void crypto_config_uninit(belle_tls_crypto_config_t *obj){
if (obj->root_ca) belle_sip_free(obj->root_ca);
}
BELLE_SIP_DECLARE_NO_IMPLEMENTED_INTERFACES(belle_tls_verify_policy_t);
BELLE_SIP_INSTANCIATE_VPTR(belle_tls_verify_policy_t,belle_sip_object_t,verify_policy_uninit,NULL,NULL,FALSE);
BELLE_SIP_DECLARE_NO_IMPLEMENTED_INTERFACES(belle_tls_crypto_config_t);
BELLE_SIP_INSTANCIATE_VPTR(belle_tls_crypto_config_t,belle_sip_object_t,crypto_config_uninit,NULL,NULL,FALSE);
belle_tls_verify_policy_t *belle_tls_verify_policy_new(){
belle_tls_verify_policy_t *obj=belle_sip_object_new(belle_tls_verify_policy_t);
belle_tls_crypto_config_t *belle_tls_crypto_config_new(void){
belle_tls_crypto_config_t *obj=belle_sip_object_new(belle_tls_crypto_config_t);
/*default to "system" default root ca, wihtout warranty...*/
#ifdef __linux
belle_tls_verify_policy_set_root_ca(obj,"/etc/ssl/certs");
belle_tls_crypto_config_set_root_ca(obj,"/etc/ssl/certs");
#elif defined(__APPLE__)
belle_tls_verify_policy_set_root_ca(obj,"/opt/local/share/curl/curl-ca-bundle.crt");
belle_tls_crypto_config_set_root_ca(obj,"/opt/local/share/curl/curl-ca-bundle.crt");
#elif __QNX__
belle_tls_verify_policy_set_root_ca(obj,"/var/certs/web_trusted@personal@certmgr");
belle_tls_crypto_config_set_root_ca(obj,"/var/certs/web_trusted@personal@certmgr");
#endif
obj->ssl_config = NULL;
obj->exception_flags = BELLE_TLS_VERIFY_NONE;
return obj;
}
int belle_tls_verify_policy_set_root_ca(belle_tls_verify_policy_t *obj, const char *path){
int belle_tls_crypto_config_set_root_ca(belle_tls_crypto_config_t *obj, const char *path){
if (obj->root_ca){
belle_sip_free(obj->root_ca);
obj->root_ca=NULL;
......@@ -115,11 +136,15 @@ int belle_tls_verify_policy_set_root_ca(belle_tls_verify_policy_t *obj, const ch
return 0;
}
void belle_tls_verify_policy_set_exceptions(belle_tls_verify_policy_t *obj, int flags){
void belle_tls_crypto_config_set_verify_exceptions(belle_tls_crypto_config_t *obj, int flags){
obj->exception_flags=flags;
}
unsigned int belle_tls_verify_policy_get_exceptions(const belle_tls_verify_policy_t *obj){
unsigned int belle_tls_crypto_config_get_verify_exceptions(const belle_tls_crypto_config_t *obj){
return obj->exception_flags;
}
void belle_tls_crypto_config_set_ssl_config(belle_tls_crypto_config_t *obj, void *ssl_config) {
obj->ssl_config = ssl_config;
}
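Review bot: `belle_tls_crypto_config_new` only assigns a default `root_ca` inside the `__linux`, `__APPLE__` and `__QNX__` branches; on any other platform there is no `#else`, so `root_ca` keeps whatever `belle_sip_object_new` left there — presumably NULL, which this page does not show — and the public header's claim that the path is "initialised to the default system path" does not hold there. Adding `#else` with `obj->root_ca = NULL; /* no known system CA store on this platform: the application must call belle_tls_crypto_config_set_root_ca() before using TLS */` makes that contract visible in the code. `crypto_config_uninit` deliberately leaves `ssl_config` alone, consistent with the header's statement that the caller owns it; a one-line comment (`/* ssl_config is owned by the caller and is never freed here */`) would stop the next reader from "fixing" it. The `wihtout` typo in the default-root-ca comment could be corrected in passing.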
......@@ -202,7 +202,7 @@ BELLE_SIP_DECLARE_VPTR(belle_http_request_t);
BELLE_SIP_DECLARE_VPTR(belle_http_response_t);
BELLE_SIP_DECLARE_VPTR(belle_generic_uri_t);
BELLE_SIP_DECLARE_VPTR(belle_http_callbacks_t);
BELLE_SIP_DECLARE_VPTR(belle_tls_verify_policy_t);
BELLE_SIP_DECLARE_VPTR(belle_tls_crypto_config_t);
BELLE_SIP_DECLARE_VPTR(belle_http_header_authorization_t);
BELLE_SIP_DECLARE_VPTR(belle_sip_header_event_t);
BELLE_SIP_DECLARE_VPTR(belle_sip_header_supported_t);
......
......@@ -221,10 +221,14 @@ belle_sip_channel_t *belle_sip_channel_find_from_list(belle_sip_list_t *l, int a
#define BELLE_SIP_TLS_CHANNEL(obj) BELLE_SIP_CAST(obj,belle_sip_tls_channel_t)
struct belle_tls_verify_policy{
struct belle_tls_crypto_config{
belle_sip_object_t base;
char *root_ca;
int exception_flags;
char *root_ca; /**< path to the trusted certificate chain used when verifiying peer certificate */
int exception_flags; /**< override some exception raised during certificate verification, can be:
BELLE_TLS_VERIFY_NONE do not override any exception
BELLE_TLS_VERIFY_CN_MISMATCH ignore Common Name mismatch exception
BELLE_TLS_VERIFY_ANY_REASON(ignore any exception */
void *ssl_config; /**< externally provided ssl configuration context, will be casted and given to the underlying crypto library, use only if you really know what you're doing */
};
#endif
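Review bot: The new field comments in `struct belle_tls_crypto_config` carry small glitches that Doxygen will propagate: `verifiying` should be `verifying`, and the last flag entry `BELLE_TLS_VERIFY_ANY_REASON(ignore any exception` has a stray `(` where the two entries above use a space. The `ssl_config` comment would be more useful stating the ownership rule the public header gives instead of a generic warning, e.g. `void *ssl_config; /**< externally provided ssl configuration, owned by the caller and never freed by this object; handed as-is to the underlying crypto library */`.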
......@@ -38,7 +38,7 @@ struct belle_http_provider{
int ai_family;
belle_sip_list_t *tcp_channels;
belle_sip_list_t *tls_channels;
belle_tls_verify_policy_t *verify_ctx;
belle_tls_crypto_config_t *crypto_config;
};
#define BELLE_HTTP_REQUEST_INVOKE_LISTENER(obj,method,arg) \
......@@ -325,7 +325,7 @@ static void http_provider_uninit(belle_http_provider_t *obj){
belle_sip_list_free_with_data(obj->tcp_channels,belle_sip_object_unref);
belle_sip_list_for_each(obj->tls_channels,(void (*)(void*))belle_sip_channel_force_close);
belle_sip_list_free_with_data(obj->tls_channels,belle_sip_object_unref);
belle_sip_object_unref(obj->verify_ctx);
belle_sip_object_unref(obj->crypto_config);
}
BELLE_SIP_DECLARE_NO_IMPLEMENTED_INTERFACES(belle_http_provider_t);
......@@ -336,7 +336,7 @@ belle_http_provider_t *belle_http_provider_new(belle_sip_stack_t *s, const char
p->stack=s;
p->bind_ip=belle_sip_strdup(bind_ip);
p->ai_family=strchr(p->bind_ip,':') ? AF_INET6 : AF_INET;
p->verify_ctx=belle_tls_verify_policy_new();
p->crypto_config=belle_tls_crypto_config_new();
return p;
}
......@@ -425,12 +425,10 @@ int belle_http_provider_send_request(belle_http_provider_t *obj, belle_http_requ
if (!chan){
if (strcasecmp(hop->transport,"tcp")==0){
chan=belle_sip_stream_channel_new_client(obj->stack,obj->bind_ip,0,hop->cname,hop->host,hop->port);
} else if (strcasecmp(hop->transport,"tls")==0){
chan=belle_sip_channel_new_tls(obj->stack,obj->crypto_config,obj->bind_ip,0,hop->cname,hop->host,hop->port);
}
#ifdef HAVE_POLARSSL
else if (strcasecmp(hop->transport,"tls")==0){
chan=belle_sip_channel_new_tls(obj->stack,obj->verify_ctx,obj->bind_ip,0,hop->cname,hop->host,hop->port);
}
#endif
if (!chan){
belle_sip_error("%s: cannot create channel for [%s:%s:%i]", __FUNCTION__, hop->transport, hop->cname,
hop->port);
......@@ -482,7 +480,12 @@ void belle_http_provider_cancel_request(belle_http_provider_t *obj, belle_http_r
}
int belle_http_provider_set_tls_verify_policy(belle_http_provider_t *obj, belle_tls_verify_policy_t *verify_ctx){
SET_OBJECT_PROPERTY(obj,verify_ctx,verify_ctx);
SET_OBJECT_PROPERTY(obj,crypto_config,verify_ctx);
return 0;
}
int belle_http_provider_set_tls_crypto_config(belle_http_provider_t *obj, belle_tls_crypto_config_t *crypto_config){
SET_OBJECT_PROPERTY(obj,crypto_config,crypto_config);
return 0;
}
......
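Review bot: `belle_http_provider_set_tls_verify_policy` in the last hunk re-implements the body of the new `belle_http_provider_set_tls_crypto_config` instead of delegating to it, unlike the deprecated wrappers in auth_helper.c from the same commit which forward to their replacements; since both typedefs name the same struct, `return belle_http_provider_set_tls_crypto_config(obj, verify_ctx);` leaves a single place to maintain. Neither setter documents that the new configuration is only picked up by channels created afterwards: `belle_http_provider_send_request` passes `obj->crypto_config` into `belle_sip_channel_new_tls` at creation time and the existing entries in `tls_channels` are not touched (inferred from the visible lines; the channel code should confirm whether it keeps its own reference). A comment on the setter saying so would prevent a CA-path or exception-flag change from being assumed to apply to connections already open.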
......@@ -91,7 +91,7 @@ belle_sip_listening_point_t * belle_sip_stream_listening_point_new(belle_sip_sta
struct belle_sip_tls_listening_point{
belle_sip_stream_listening_point_t base;
belle_tls_verify_policy_t *verify_ctx;
belle_tls_crypto_config_t *crypto_config;
};
int belle_sip_tls_listening_point_available(void);
......
......@@ -18,16 +18,12 @@
#include "belle_sip_internal.h"
#ifdef HAVE_POLARSSL
#include <polarssl/ssl.h>
static void belle_sip_tls_listening_point_uninit(belle_sip_tls_listening_point_t *lp){
belle_sip_object_unref(lp->verify_ctx);
belle_sip_object_unref(lp->crypto_config);
}
static belle_sip_channel_t *tls_create_channel(belle_sip_listening_point_t *lp, const belle_sip_hop_t *hop){
belle_sip_channel_t *chan=belle_sip_channel_new_tls(lp->stack, ((belle_sip_tls_listening_point_t*) lp)->verify_ctx
belle_sip_channel_t *chan=belle_sip_channel_new_tls(lp->stack, ((belle_sip_tls_listening_point_t*) lp)->crypto_config
,belle_sip_uri_get_host(lp->listening_uri)
,belle_sip_uri_get_port(lp->listening_uri)
,hop->cname
......@@ -56,7 +52,7 @@ static int on_new_connection(void *userdata, unsigned int revents){
socklen_t slen=sizeof(addr);
belle_sip_tls_listening_point_t *lp=(belle_sip_tls_listening_point_t*)userdata;
belle_sip_stream_listening_point_t *super=(belle_sip_stream_listening_point_t*)lp;
child=accept(super->server_sock,(struct sockaddr*)&addr,&slen);
if (child==(belle_sip_socket_t)-1){
belle_sip_error("Listening point [%p] accept() failed on TLS server socket: %s",lp,belle_sip_get_socket_error_string());
......@@ -77,47 +73,31 @@ belle_sip_listening_point_t * belle_sip_tls_listening_point_new(belle_sip_stack_
#else
belle_sip_stream_listening_point_init((belle_sip_stream_listening_point_t*)lp,s,ipaddress,port);
#endif /* ENABLE_SERVER_SOCKETS */
lp->verify_ctx=belle_tls_verify_policy_new();
lp->crypto_config=belle_tls_crypto_config_new();
return BELLE_SIP_LISTENING_POINT(lp);
}
int belle_sip_tls_listening_point_set_root_ca(belle_sip_tls_listening_point_t *lp, const char *path){
return belle_tls_verify_policy_set_root_ca(lp->verify_ctx,path);
return belle_tls_crypto_config_set_root_ca(lp->crypto_config,path);
}
int belle_sip_tls_listening_point_set_verify_exceptions(belle_sip_tls_listening_point_t *lp, int flags){
belle_tls_verify_policy_set_exceptions(lp->verify_ctx,flags);
belle_tls_crypto_config_set_verify_exceptions(lp->crypto_config,flags);
return 0;
}
int belle_sip_tls_listening_point_set_verify_policy(belle_sip_tls_listening_point_t *s, belle_tls_verify_policy_t *pol){
SET_OBJECT_PROPERTY(s,verify_ctx,pol);
SET_OBJECT_PROPERTY(s,crypto_config,(belle_tls_crypto_config_t *)pol);
return 0;
}
int belle_sip_tls_listening_point_available(void){
return TRUE;