Commit 727db8b6 authored by Sylvain Berfini's avatar Sylvain Berfini 🎩

Added possibility to set RootCA by buffer instead of file

parent eaa198b1
......@@ -238,6 +238,15 @@ BELLESIP_EXPORT belle_tls_crypto_config_t *belle_tls_crypto_config_new(void);
*/
BELLESIP_EXPORT int belle_tls_crypto_config_set_root_ca(belle_tls_crypto_config_t *obj, const char *path);
/**
* Set the content of the trusted certificate chain
* @param[in/out] obj The crypto configuration object to set
* @param[in] data The content to the trusted certificate chain data(NULL terminated string)
*
* @return 0 on success
*/
BELLESIP_EXPORT int belle_tls_crypto_config_set_root_ca_data(belle_tls_crypto_config_t *obj, const char *data);
/**
* Set the exception flags to manage exception overriding during peer certificate verification
* @param[in/out] obj The crypto configuration object to set
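Review bot: The doc comment on `belle_tls_crypto_config_set_root_ca_data` should state the accepted format and the ownership of `data`: the loader added in this commit parses the buffer with `strlen(data) + 1`, so only NUL-terminated PEM text is usable here, and the setter copies the string with `belle_sip_strdup`, so the caller keeps its own buffer. The setter also frees any path previously set with `belle_tls_crypto_config_set_root_ca`, which is worth saying at the declaration. Suggested: `@param[in] data PEM-encoded trusted certificate chain as a NUL-terminated string (copied; the caller keeps its buffer), or NULL to disable; replaces any root CA path set earlier`. The `@return 0 on success` line could add that the call currently has no failure path and always returns 0.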
......
......@@ -85,7 +85,7 @@ belle_tls_verify_policy_t *belle_tls_verify_policy_new(){
return (belle_tls_verify_policy_t *)belle_tls_crypto_config_new();
}
int belle_tls_verify_policy_set_root_ca(belle_tls_verify_policy_t *obj, const char *path){
int belle_tls_verify_policy_set_root_ca(belle_tls_verify_policy_t *obj, const char *path) {
return belle_tls_crypto_config_set_root_ca(obj, path);
}
......@@ -98,8 +98,9 @@ unsigned int belle_tls_verify_policy_get_exceptions(const belle_tls_verify_polic
}
/* end of deprecated on 2016/02/02 */
static void crypto_config_uninit(belle_tls_crypto_config_t *obj){
static void crypto_config_uninit(belle_tls_crypto_config_t *obj) {
if (obj->root_ca) belle_sip_free(obj->root_ca);
if (obj->root_ca_data) belle_sip_free(obj->root_ca_data);
}
BELLE_SIP_DECLARE_NO_IMPLEMENTED_INTERFACES(belle_tls_crypto_config_t);
......@@ -123,19 +124,37 @@ belle_tls_crypto_config_t *belle_tls_crypto_config_new(void){
}
int belle_tls_crypto_config_set_root_ca(belle_tls_crypto_config_t *obj, const char *path){
if (obj->root_ca){
if (obj->root_ca) {
belle_sip_free(obj->root_ca);
obj->root_ca=NULL;
obj->root_ca = NULL;
}
if (path){
obj->root_ca=belle_sip_strdup(path);
belle_sip_message("Root ca path set to %s",obj->root_ca);
if (path) {
obj->root_ca = belle_sip_strdup(path);
belle_sip_message("Root ca path set to %s", obj->root_ca);
} else {
belle_sip_message("Root ca path disabled");
}
return 0;
}
int belle_tls_crypto_config_set_root_ca_data(belle_tls_crypto_config_t *obj, const char *data) {
if (obj->root_ca) {
belle_sip_free(obj->root_ca);
obj->root_ca = NULL;
}
if (obj->root_ca_data) {
belle_sip_free(obj->root_ca_data);
obj->root_ca_data = NULL;
}
if (data) {
obj->root_ca_data = belle_sip_strdup(data);
belle_sip_message("Root ca data set to %s", obj->root_ca_data);
} else {
belle_sip_message("Root ca data disabled");
}
return 0;
}
void belle_tls_crypto_config_set_verify_exceptions(belle_tls_crypto_config_t *obj, int flags){
obj->exception_flags=flags;
}
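Review bot: `belle_tls_crypto_config_set_root_ca_data` frees `obj->root_ca` before storing the buffer, but `belle_tls_crypto_config_set_root_ca` in the same hunk does not free `obj->root_ca_data`; since the channel code in this commit prefers `root_ca_data` when both are non-NULL, a path set after a buffer is silently ignored. If the intent is that the most recent setter wins, the path setter needs the matching clear: `if (obj->root_ca_data) { belle_sip_free(obj->root_ca_data); obj->root_ca_data = NULL; }`; otherwise the precedence should be documented on both setters. The `belle_sip_message("Root ca data set to %s", obj->root_ca_data)` call also writes the whole certificate chain into the log; logging the size instead, `belle_sip_message("Root ca data set (%zu bytes)", strlen(obj->root_ca_data));`, keeps the log readable.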
......
......@@ -225,6 +225,7 @@ belle_sip_channel_t *belle_sip_channel_find_from_list(belle_sip_list_t *l, int a
struct belle_tls_crypto_config{
belle_sip_object_t base;
char *root_ca; /**< path to the trusted certificate chain used when verifiying peer certificate */
char *root_ca_data; /**< content of the trusted certificate chain used when verifiying peer certificate */
int exception_flags; /**< override some exception raised during certificate verification, can be:
BELLE_TLS_VERIFY_NONE do not override any exception
BELLE_TLS_VERIFY_CN_MISMATCH ignore Common Name mismatch exception
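Review bot: The new `root_ca_data` field comment repeats the `verifiying` typo from the `root_ca` line above it and does not say how the two fields relate, although the channel code in this commit uses `root_ca_data` in preference to `root_ca` when both are non-NULL. Suggested: `char *root_ca_data; /**< PEM content of the trusted certificate chain used when verifying peer certificate; takes precedence over root_ca when both are set */`.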
......
......@@ -788,6 +788,26 @@ static int belle_sip_tls_channel_load_root_ca(belle_sip_tls_channel_t *obj, cons
return -1;
}
static int belle_sip_tls_channel_load_root_ca_from_buffer(belle_sip_tls_channel_t *obj, const char *data) {
int err = 0;
if (data != NULL) {
if (obj->root_ca) {
bctbx_x509_certificate_free(obj->root_ca);
}
obj->root_ca = bctbx_x509_certificate_new();
//certificate data must to contain in size the NULL character
err = bctbx_x509_certificate_parse(obj->root_ca, data, strlen(data) + 1);
if (err) {
belle_sip_error("Failed to load root ca from string data: 0x%x", err);
return -1;
}
belle_sip_message("Root ca loaded from string data");
return 0;
}
belle_sip_error("Could not load root ca from null string");
return -1;
}
belle_sip_channel_t * belle_sip_channel_new_tls(belle_sip_stack_t *stack, belle_tls_crypto_config_t *crypto_config, const char *bindip, int localport, const char *peer_cname, const char *dest, int port) {
belle_sip_tls_channel_t *obj=belle_sip_object_new(belle_sip_tls_channel_t);
belle_sip_stream_channel_t* super=(belle_sip_stream_channel_t*)obj;
......@@ -814,8 +834,10 @@ belle_sip_channel_t * belle_sip_channel_new_tls(belle_sip_stack_t *stack, belle_
bctbx_ssl_config_set_rng(obj->sslcfg, random_generator, NULL);
bctbx_ssl_set_io_callbacks(obj->sslctx, obj, tls_callback_write, tls_callback_read);
if (crypto_config->root_ca && belle_sip_tls_channel_load_root_ca(obj,crypto_config->root_ca)==0){
bctbx_ssl_config_set_ca_chain(obj->sslcfg, obj->root_ca, super->base.peer_cname ? super->base.peer_cname : super->base.peer_name );
if (crypto_config->root_ca_data && belle_sip_tls_channel_load_root_ca_from_buffer(obj, crypto_config->root_ca_data) == 0) {
bctbx_ssl_config_set_ca_chain(obj->sslcfg, obj->root_ca, super->base.peer_cname ? super->base.peer_cname : super->base.peer_name);
} else if (crypto_config->root_ca && belle_sip_tls_channel_load_root_ca(obj, crypto_config->root_ca) == 0) {
bctbx_ssl_config_set_ca_chain(obj->sslcfg, obj->root_ca, super->base.peer_cname ? super->base.peer_cname : super->base.peer_name);
}
bctbx_ssl_config_set_callback_verify(obj->sslcfg, belle_sip_ssl_verify, crypto_config);
bctbx_ssl_config_set_callback_cli_cert(obj->sslcfg, belle_sip_client_certificate_request_callback, obj);
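Review bot: In `belle_sip_tls_channel_load_root_ca_from_buffer`, when `bctbx_x509_certificate_parse` fails the function returns -1 but leaves `obj->root_ca` pointing at the freshly created, possibly partially parsed certificate object, and the caller in `belle_sip_channel_new_tls` then skips `bctbx_ssl_config_set_ca_chain`; the error path should release it so the channel does not carry a half-parsed chain: `bctbx_x509_certificate_free(obj->root_ca); obj->root_ca = NULL; return -1;`. Whether the file-based `belle_sip_tls_channel_load_root_ca` resets `root_ca` on failure is outside this hunk. The `strlen(data) + 1` length means this entry point only accepts NUL-terminated PEM text; the existing comment would be clearer as `/* data must be NUL-terminated PEM; the parser needs the terminator counted in the length */`. In the second hunk of this file both branches call `bctbx_ssl_config_set_ca_chain` with identical arguments, so the two conditions could be joined with `||` into a single `if` to drop the duplicated line.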
......