Commit db71d736 authored by johan's avatar johan

Rework of certificate verification policy to include more flexible ssl configuration

- rename belle_tls_verify_policy into belle_tls_crypto_config (backward compatibility is preserved)
- add macro to get compile warnings on deprecated functions usage
- add possibility to give the ssl_configuration structure to the crypto library
   (works with mbedtls 2.2.1 or above only)
parent 3fd4656d
......@@ -173,7 +173,7 @@ set(STRICT_OPTIONS_CPP )
set(STRICT_OPTIONS_C )
set(STRICT_OPTIONS_OBJC "-fmodules")
if(NOT MSVC)
list(APPEND STRICT_OPTIONS_CPP "-Wall" "-Wuninitialized")
list(APPEND STRICT_OPTIONS_CPP "-Wall" "-Wuninitialized" "-Wno-error=deprecated-declarations")
if(CMAKE_C_COMPILER_ID STREQUAL "Clang")
list(APPEND STRICT_OPTIONS_CPP "-Wno-error=unknown-warning-option" "-Qunused-arguments" "-Wno-tautological-compare" "-Wno-builtin-requires-header" "-Wno-unused-function" "-Wno-gnu-designator" "-Wno-array-bounds")
elseif(CMAKE_C_COMPILER_ID STREQUAL "GNU")
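Review bot: `-Wno-error=deprecated-declarations` is appended to STRICT_OPTIONS_CPP only, while STRICT_OPTIONS_C stays empty on the line above; if STRICT_OPTIONS_C rather than STRICT_OPTIONS_CPP is what reaches the C sources, the C translation units that still call the deprecated belle_sip_tls_listening_point_* functions (register_tester.c in this commit) would not get the relief this flag is meant to provide. Whether the two lists are merged before use is outside this hunk, so please confirm against the lines that apply them. A short comment on the flag would also help, e.g. `# the deprecated belle_tls_verify_policy API is still used internally; do not promote its warnings to errors`.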
......@@ -208,12 +208,66 @@ BELLESIP_EXPORT char *belle_sip_certificates_chain_get_fingerprint(belle_sip_cer
*/
BELLESIP_EXPORT belle_sip_signing_key_t* belle_sip_signing_key_parse_file(const char* path, const char* passwd);
BELLESIP_EXPORT belle_tls_verify_policy_t *belle_tls_verify_policy_new(void);
BELLESIP_EXPORT int belle_tls_verify_policy_set_root_ca(belle_tls_verify_policy_t *obj, const char *path);
#define BELLE_TLS_VERIFY_NONE (0)
#define BELLE_TLS_VERIFY_CN_MISMATCH (1)
#define BELLE_TLS_VERIFY_ANY_REASON (0xff)
BELLESIP_EXPORT void belle_tls_verify_policy_set_exceptions(belle_tls_verify_policy_t *obj, int flags);
BELLESIP_EXPORT unsigned int belle_tls_verify_policy_get_exceptions(const belle_tls_verify_policy_t *obj);
/* Set of functions deprecated on 2016/02/02 use the belle_tls_crypto_config_XXX ones */
BELLESIP_DEPRECATED BELLESIP_EXPORT belle_tls_verify_policy_t *belle_tls_verify_policy_new(void);
BELLESIP_DEPRECATED BELLESIP_EXPORT int belle_tls_verify_policy_set_root_ca(belle_tls_verify_policy_t *obj, const char *path);
BELLESIP_DEPRECATED BELLESIP_EXPORT void belle_tls_verify_policy_set_exceptions(belle_tls_verify_policy_t *obj, int flags);
BELLESIP_DEPRECATED BELLESIP_EXPORT unsigned int belle_tls_verify_policy_get_exceptions(const belle_tls_verify_policy_t *obj);
/**
* Create a new crypto configuration object
* The crypto configuration may be passed to a http provider or a listening point using the appropriate methods
* It can be used to provide :
* - a path to the trusted root certificates
* - a way to override certificate verification exceptions
* - a ssl configuration structure provided directly to the underlying crypto library (mbedtls 2 or above),
* @return an empty belle_tls_crypto_config object, trusted certificate path is initialised to the default system path without any warranty
*/
BELLESIP_EXPORT belle_tls_crypto_config_t *belle_tls_crypto_config_new(void);
/**
* Set the path to the trusted certificate chain
* @param[in/out] obj The crypto configuration object to set
* @param[in] path The path to the trusted certificate chain file(NULL terminated string)
*
* @return 0 on success
*/
BELLESIP_EXPORT int belle_tls_crypto_config_set_root_ca(belle_tls_crypto_config_t *obj, const char *path);
/**
* Set the exception flags to manage exception overriding during peer certificate verification
* @param[in/out] obj The crypto configuration object to set
* @param[in] flags Flags value to set:
* BELLE_TLS_VERIFY_NONE to raise and error on any exception
* BELLE_TLS_VERIFY_CN_MISMATCH to ignore Common Name mismatch
* BELLE_TLS_VERIFY_ANY_REASON to ignore any exception
*
* @return 0 on success
*/
BELLESIP_EXPORT void belle_tls_crypto_config_set_verify_exceptions(belle_tls_crypto_config_t *obj, int flags);
/**
* Get the exception flags used to manage exception overriding during peer certificate verification
* @param[in]i obj The crypto configuration object to set
* @return Possible flags value :
* BELLE_TLS_VERIFY_NONE to raise and error on any exception
* BELLE_TLS_VERIFY_CN_MISMATCH to ignore Common Name mismatch
* BELLE_TLS_VERIFY_ANY_REASON to ignore any exception
*
*/
BELLESIP_EXPORT unsigned int belle_tls_crypto_config_get_verify_exceptions(const belle_tls_crypto_config_t *obj);
/**
* Set the pointer to an externally provided ssl configuration for the crypto library
* @param[in/out] obj The crypto configuration object to set
* @param[in] ssl_config A pointer to an opaque structure which will be provided directly to the crypto library used in bctoolbox. Use with extra care.
* This ssl_config structure is responsability of the caller and will not be freed at the connection's end.
*/
BELLESIP_EXPORT void belle_tls_crypto_config_set_ssl_config(belle_tls_crypto_config_t *obj, void *ssl_config);
BELLE_SIP_END_DECLS
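Review bot: The docblock for belle_tls_crypto_config_set_ssl_config should state that a non-NULL ssl_config replaces the library's own TLS defaults, since the tls_channel.c hunk in this commit skips bctoolbox_ssl_config_defaults() and the BCTOOLBOX_SSL_VERIFY_REQUIRED auth mode whenever one is set; suggested wording: ` * When ssl_config is non-NULL the library's defaults, including the required peer-certificate verification mode, are not applied: the supplied configuration must enforce peer verification itself.` The comment on belle_tls_crypto_config_set_verify_exceptions says `@return 0 on success` although the function is declared void, so either drop the tag or return int like the root-ca setter does. Smaller wording issues: `@param[in]i obj` in the getter's doc, and "raise and error" (twice) should read "raise an error".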
......@@ -24,8 +24,18 @@
BELLE_SIP_BEGIN_DECLS
#define BELLE_SIP_HTTP_PROVIDER(obj) BELLE_SIP_CAST(obj,belle_http_provider_t)
/**
* Set the certificate verify policy for the TLS connection
* @return 0 on succes
* @deprecated Use belle_http_provider_set_tls_crypto_config() instead
*/
BELLESIP_DEPRECATED BELLESIP_EXPORT int belle_http_provider_set_tls_verify_policy(belle_http_provider_t *obj, belle_tls_verify_policy_t *verify_ctx);
BELLESIP_EXPORT int belle_http_provider_set_tls_verify_policy(belle_http_provider_t *obj, belle_tls_verify_policy_t *verify_ctx);
/**
* Set the certificate crypto configuration used by this TLS connection
* @return 0 on succes
*/
BELLESIP_EXPORT int belle_http_provider_set_tls_crypto_config(belle_http_provider_t *obj, belle_tls_crypto_config_t *crypto_config);
/**
* Can be used to simulate network recv error, for tests.
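Review bot: The new docblock for belle_http_provider_set_tls_crypto_config describes the target as "this TLS connection", but the object is a provider whose TLS channels are created later, and "succes" is misspelled; suggested wording: ` * Set the crypto configuration used for the TLS channels created by this provider` and ` * @return 0 on success`. It would also help callers to say whether the provider keeps its own reference to crypto_config — the http-provider.c hunk in this commit assigns it through SET_OBJECT_PROPERTY, which presumably takes a reference, in which case the caller should release its own.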
......@@ -59,15 +59,13 @@ BELLESIP_EXPORT void belle_sip_listening_point_clean_channels(belle_sip_listenin
BELLESIP_EXPORT int belle_sip_listening_point_get_channel_count(const belle_sip_listening_point_t *lp);
BELLESIP_EXPORT int belle_sip_listening_point_get_well_known_port(const char *transport);
/*deprecated*/
BELLESIP_EXPORT int belle_sip_tls_listening_point_set_root_ca(belle_sip_tls_listening_point_t *s, const char *path);
BELLESIP_DEPRECATED BELLESIP_EXPORT int belle_sip_tls_listening_point_set_root_ca(belle_sip_tls_listening_point_t *s, const char *path);
/*deprecated*/
#define BELLE_SIP_TLS_LISTENING_POINT_BADCERT_CN_MISMATCH BELLE_TLS_VERIFY_CN_MISMATCH
#define BELLE_SIP_TLS_LISTENING_POINT_BADCERT_ANY_REASON BELLE_TLS_VERIFY_ANY_REASON
BELLESIP_EXPORT int belle_sip_tls_listening_point_set_verify_exceptions(belle_sip_tls_listening_point_t *s, int flags);
BELLESIP_EXPORT int belle_sip_tls_listening_point_set_verify_policy(belle_sip_tls_listening_point_t *s, belle_tls_verify_policy_t *pol);
BELLESIP_DEPRECATED BELLESIP_EXPORT int belle_sip_tls_listening_point_set_verify_exceptions(belle_sip_tls_listening_point_t *s, int flags);
BELLESIP_DEPRECATED BELLESIP_EXPORT int belle_sip_tls_listening_point_set_verify_policy(belle_sip_tls_listening_point_t *s, belle_tls_verify_policy_t *pol);
BELLESIP_EXPORT int belle_sip_tls_listening_point_set_crypto_config(belle_sip_tls_listening_point_t *s, belle_tls_crypto_config_t *crypto_config);
BELLESIP_EXPORT belle_sip_listening_point_t * belle_sip_tunnel_listening_point_new(belle_sip_stack_t *s, void *tunnelclient);
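Review bot: belle_sip_tls_listening_point_set_crypto_config is added without any documentation, and the newly deprecated prototypes above it carry only a bare `/*deprecated*/` comment rather than the `@deprecated Use ... instead` tag used in http-provider.h in this same commit. Suggested docblock for the new function: ` * Set the crypto configuration (trusted root CA, verification exceptions, optional external ssl config) used for the TLS channels of this listening point.` plus ` * @return 0 on success`. The deprecated set_root_ca, set_verify_exceptions and set_verify_policy entries should name belle_tls_crypto_config_set_root_ca, belle_tls_crypto_config_set_verify_exceptions and belle_sip_tls_listening_point_set_crypto_config as their replacements so callers know where to migrate.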
......@@ -22,6 +22,14 @@
#include "belle-sip/object.h"
#include "belle-sip/dict.h"
#ifndef BELLESIP_DEPRECATED
#if defined(_MSC_VER)
#define BELLESIP_DEPRECATED __declspec(deprecated)
#else
#define BELLESIP_DEPRECATED __attribute__ ((deprecated))
#endif
#endif
/**
* This enum declares all object types used in belle-sip (see belle_sip_object_t)
**/
......@@ -124,7 +132,7 @@ BELLE_SIP_DECLARE_TYPES_BEGIN(belle_sip,1)
BELLE_SIP_TYPE_ID(belle_http_channel_context_t),
BELLE_SIP_TYPE_ID(belle_generic_uri_t),
BELLE_SIP_TYPE_ID(belle_http_callbacks_t),
BELLE_SIP_TYPE_ID(belle_tls_verify_policy_t),
BELLE_SIP_TYPE_ID(belle_tls_crypto_config_t),
BELLE_SIP_TYPE_ID(belle_http_header_authorization_t),
BELLE_SIP_TYPE_ID(belle_sip_body_handler_t),
BELLE_SIP_TYPE_ID(belle_sip_memory_body_handler_t),
......@@ -167,7 +175,8 @@ typedef struct _belle_sip_uri belle_sip_uri_t;
typedef struct _belle_sip_parameters belle_sip_parameters_t;
typedef struct belle_sip_param_pair belle_sip_param_pair_t;
typedef struct _belle_sip_header belle_sip_header_t;
typedef struct belle_tls_verify_policy belle_tls_verify_policy_t;
typedef struct belle_tls_crypto_config belle_tls_crypto_config_t;
typedef struct belle_tls_crypto_config belle_tls_verify_policy_t; /* belle_tls_verify_policy_t is deprecated, just for backward compatibility */
typedef struct belle_sip_body_handler belle_sip_body_handler_t;
typedef struct belle_sip_memory_body_handler belle_sip_memory_body_handler_t;
typedef struct belle_sip_user_body_handler belle_sip_user_body_handler_t;
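Review bot: The BELLESIP_DEPRECATED fallback applies `__attribute__ ((deprecated))` to every compiler that is not MSVC, which is a hard error on a compiler that does not understand GNU attributes; narrow it to `#elif defined(__GNUC__) || defined(__clang__)` and finish with an `#else` / `#define BELLESIP_DEPRECATED` pair so unknown compilers get an empty macro. The macro lives in a public header, so downstream builds using -Werror will now fail on any remaining belle_tls_verify_policy_* call — worth a line in the release notes. The alias typedef keeps belle_tls_verify_policy_t callers compiling, but the BELLE_SIP_TYPE_ID entry was renamed rather than aliased, so external code that used the old type id with the cast or type-check macros presumably no longer compiles; confirm that is intended.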
......@@ -80,28 +80,49 @@ belle_sip_auth_mode_t belle_sip_auth_event_get_mode(const belle_sip_auth_event_t
}
static void verify_policy_uninit(belle_tls_verify_policy_t *obj){
/* deprecated on 2016/02/02 */
belle_tls_verify_policy_t *belle_tls_verify_policy_new(){
return (belle_tls_verify_policy_t *)belle_tls_crypto_config_new();
}
int belle_tls_verify_policy_set_root_ca(belle_tls_verify_policy_t *obj, const char *path){
return belle_tls_crypto_config_set_root_ca(obj, path);
}
void belle_tls_verify_policy_set_exceptions(belle_tls_verify_policy_t *obj, int flags){
belle_tls_crypto_config_set_verify_exceptions(obj, flags);
}
unsigned int belle_tls_verify_policy_get_exceptions(const belle_tls_verify_policy_t *obj){
return belle_tls_crypto_config_get_verify_exceptions(obj);
}
/* end of deprecated on 2016/02/02 */
static void crypto_config_uninit(belle_tls_crypto_config_t *obj){
if (obj->root_ca) belle_sip_free(obj->root_ca);
}
BELLE_SIP_DECLARE_NO_IMPLEMENTED_INTERFACES(belle_tls_verify_policy_t);
BELLE_SIP_INSTANCIATE_VPTR(belle_tls_verify_policy_t,belle_sip_object_t,verify_policy_uninit,NULL,NULL,FALSE);
BELLE_SIP_DECLARE_NO_IMPLEMENTED_INTERFACES(belle_tls_crypto_config_t);
BELLE_SIP_INSTANCIATE_VPTR(belle_tls_crypto_config_t,belle_sip_object_t,crypto_config_uninit,NULL,NULL,FALSE);
belle_tls_verify_policy_t *belle_tls_verify_policy_new(){
belle_tls_verify_policy_t *obj=belle_sip_object_new(belle_tls_verify_policy_t);
belle_tls_crypto_config_t *belle_tls_crypto_config_new(void){
belle_tls_crypto_config_t *obj=belle_sip_object_new(belle_tls_crypto_config_t);
/*default to "system" default root ca, wihtout warranty...*/
#ifdef __linux
belle_tls_verify_policy_set_root_ca(obj,"/etc/ssl/certs");
belle_tls_crypto_config_set_root_ca(obj,"/etc/ssl/certs");
#elif defined(__APPLE__)
belle_tls_verify_policy_set_root_ca(obj,"/opt/local/share/curl/curl-ca-bundle.crt");
belle_tls_crypto_config_set_root_ca(obj,"/opt/local/share/curl/curl-ca-bundle.crt");
#elif __QNX__
belle_tls_verify_policy_set_root_ca(obj,"/var/certs/web_trusted@personal@certmgr");
belle_tls_crypto_config_set_root_ca(obj,"/var/certs/web_trusted@personal@certmgr");
#endif
obj->ssl_config = NULL;
obj->exception_flags = BELLE_TLS_VERIFY_NONE;
return obj;
}
int belle_tls_verify_policy_set_root_ca(belle_tls_verify_policy_t *obj, const char *path){
int belle_tls_crypto_config_set_root_ca(belle_tls_crypto_config_t *obj, const char *path){
if (obj->root_ca){
belle_sip_free(obj->root_ca);
obj->root_ca=NULL;
......@@ -115,11 +136,15 @@ int belle_tls_verify_policy_set_root_ca(belle_tls_verify_policy_t *obj, const ch
return 0;
}
void belle_tls_verify_policy_set_exceptions(belle_tls_verify_policy_t *obj, int flags){
void belle_tls_crypto_config_set_verify_exceptions(belle_tls_crypto_config_t *obj, int flags){
obj->exception_flags=flags;
}
unsigned int belle_tls_verify_policy_get_exceptions(const belle_tls_verify_policy_t *obj){
unsigned int belle_tls_crypto_config_get_verify_exceptions(const belle_tls_crypto_config_t *obj){
return obj->exception_flags;
}
void belle_tls_crypto_config_set_ssl_config(belle_tls_crypto_config_t *obj, void *ssl_config) {
obj->ssl_config = ssl_config;
}
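Review bot: The deprecated wrapper belle_tls_verify_policy_new is defined with an empty parameter list while the header declares it `(void)`; write `belle_tls_verify_policy_t *belle_tls_verify_policy_new(void){` so the definition is a prototype too, and the cast on its return value is redundant now that belle_tls_verify_policy_t is a typedef of the same struct. crypto_config_uninit intentionally leaves ssl_config alone, which matches the ownership statement in the header but is easy to misread as an omission — a one-line `/* ssl_config is caller-owned and is never freed here */` in the uninit would make that explicit. The comment in belle_tls_crypto_config_new has a typo ("wihtout").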
......@@ -202,7 +202,7 @@ BELLE_SIP_DECLARE_VPTR(belle_http_request_t);
BELLE_SIP_DECLARE_VPTR(belle_http_response_t);
BELLE_SIP_DECLARE_VPTR(belle_generic_uri_t);
BELLE_SIP_DECLARE_VPTR(belle_http_callbacks_t);
BELLE_SIP_DECLARE_VPTR(belle_tls_verify_policy_t);
BELLE_SIP_DECLARE_VPTR(belle_tls_crypto_config_t);
BELLE_SIP_DECLARE_VPTR(belle_http_header_authorization_t);
BELLE_SIP_DECLARE_VPTR(belle_sip_header_event_t);
BELLE_SIP_DECLARE_VPTR(belle_sip_header_supported_t);
......@@ -221,10 +221,14 @@ belle_sip_channel_t *belle_sip_channel_find_from_list(belle_sip_list_t *l, int a
#define BELLE_SIP_TLS_CHANNEL(obj) BELLE_SIP_CAST(obj,belle_sip_tls_channel_t)
struct belle_tls_verify_policy{
struct belle_tls_crypto_config{
belle_sip_object_t base;
char *root_ca;
int exception_flags;
char *root_ca; /**< path to the trusted certificate chain used when verifiying peer certificate */
int exception_flags; /**< override some exception raised during certificate verification, can be:
BELLE_TLS_VERIFY_NONE do not override any exception
BELLE_TLS_VERIFY_CN_MISMATCH ignore Common Name mismatch exception
BELLE_TLS_VERIFY_ANY_REASON(ignore any exception */
void *ssl_config; /**< externally provided ssl configuration context, will be casted and given to the underlying crypto library, use only if you really know what you're doing */
};
#endif
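Review bot: The field documentation added to struct belle_tls_crypto_config has a stray parenthesis in `BELLE_TLS_VERIFY_ANY_REASON(ignore any exception` and misspells "verifiying", and a multi-line `/**<` trailing comment is awkward to read — a `/** ... */` block placed above exception_flags would be clearer. exception_flags is declared int, but belle_tls_crypto_config_get_verify_exceptions in this commit returns unsigned int and the BELLE_TLS_VERIFY_* values are bit flags; declaring the field (and ideally the setter parameter) unsigned int removes the signed/unsigned mismatch. The ssl_config comment could be more precise than "use only if you really know what you're doing": stating that the pointer is caller-owned and that the library's own TLS defaults (including the required peer-verification mode) are skipped when it is set is what a reader actually needs.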
......@@ -38,7 +38,7 @@ struct belle_http_provider{
int ai_family;
belle_sip_list_t *tcp_channels;
belle_sip_list_t *tls_channels;
belle_tls_verify_policy_t *verify_ctx;
belle_tls_crypto_config_t *crypto_config;
};
#define BELLE_HTTP_REQUEST_INVOKE_LISTENER(obj,method,arg) \
......@@ -325,7 +325,7 @@ static void http_provider_uninit(belle_http_provider_t *obj){
belle_sip_list_free_with_data(obj->tcp_channels,belle_sip_object_unref);
belle_sip_list_for_each(obj->tls_channels,(void (*)(void*))belle_sip_channel_force_close);
belle_sip_list_free_with_data(obj->tls_channels,belle_sip_object_unref);
belle_sip_object_unref(obj->verify_ctx);
belle_sip_object_unref(obj->crypto_config);
}
BELLE_SIP_DECLARE_NO_IMPLEMENTED_INTERFACES(belle_http_provider_t);
......@@ -336,7 +336,7 @@ belle_http_provider_t *belle_http_provider_new(belle_sip_stack_t *s, const char
p->stack=s;
p->bind_ip=belle_sip_strdup(bind_ip);
p->ai_family=strchr(p->bind_ip,':') ? AF_INET6 : AF_INET;
p->verify_ctx=belle_tls_verify_policy_new();
p->crypto_config=belle_tls_crypto_config_new();
return p;
}
......@@ -426,7 +426,7 @@ int belle_http_provider_send_request(belle_http_provider_t *obj, belle_http_requ
if (strcasecmp(hop->transport,"tcp")==0){
chan=belle_sip_stream_channel_new_client(obj->stack,obj->bind_ip,0,hop->cname,hop->host,hop->port);
} else if (strcasecmp(hop->transport,"tls")==0){
chan=belle_sip_channel_new_tls(obj->stack,obj->verify_ctx,obj->bind_ip,0,hop->cname,hop->host,hop->port);
chan=belle_sip_channel_new_tls(obj->stack,obj->crypto_config,obj->bind_ip,0,hop->cname,hop->host,hop->port);
}
if (!chan){
......@@ -480,7 +480,12 @@ void belle_http_provider_cancel_request(belle_http_provider_t *obj, belle_http_r
}
int belle_http_provider_set_tls_verify_policy(belle_http_provider_t *obj, belle_tls_verify_policy_t *verify_ctx){
SET_OBJECT_PROPERTY(obj,verify_ctx,verify_ctx);
SET_OBJECT_PROPERTY(obj,crypto_config,verify_ctx);
return 0;
}
int belle_http_provider_set_tls_crypto_config(belle_http_provider_t *obj, belle_tls_crypto_config_t *crypto_config){
SET_OBJECT_PROPERTY(obj,crypto_config,crypto_config);
return 0;
}
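Review bot: belle_http_provider_set_tls_verify_policy now duplicates the body of belle_http_provider_set_tls_crypto_config instead of delegating to it; `return belle_http_provider_set_tls_crypto_config(obj, verify_ctx);` keeps a single implementation (the typedef alias makes the two types identical, so no cast is needed). The same duplication, with an explicit cast, appears in belle_sip_tls_listening_point_set_verify_policy in tls_listening_point.c in this commit. Neither setter rejects a NULL crypto_config, and belle_sip_channel_new_tls dereferences it unconditionally; that was already the case for verify_ctx, so a NULL check here would be hardening rather than a regression fix.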
......@@ -91,7 +91,7 @@ belle_sip_listening_point_t * belle_sip_stream_listening_point_new(belle_sip_sta
struct belle_sip_tls_listening_point{
belle_sip_stream_listening_point_t base;
belle_tls_verify_policy_t *verify_ctx;
belle_tls_crypto_config_t *crypto_config;
};
int belle_sip_tls_listening_point_available(void);
......@@ -63,7 +63,7 @@ belle_sip_signing_key_t* belle_sip_signing_key_parse(const char* buff, size_t si
int ret;
/* check size, buff is the key in PEM format and thus shall include a NULL termination char, make size includes this termination */
if (strlen(buff) == size+1) {
if (strlen(buff) == size) {
size++;
}
......@@ -121,11 +121,11 @@ static int belle_sip_certificate_fill(belle_sip_certificates_chain_t* certificat
int err;
if (format == BELLE_SIP_CERTIFICATE_RAW_FORMAT_PEM) {
if (strlen(buff) == size+1) {
/* if format is PEM, make sure the null termination char is included in the buffer given size */
if (strlen(buff) == size) {
size++;
}
}
/* if format is PEM, make sure the null termination char is included in the buffer given size */
if ((err=bctoolbox_x509_certificate_parse(certificate->cert, buff, size)) <0) {
char tmp[128];
bctoolbox_strerror(err,tmp,sizeof(tmp));
......@@ -343,7 +343,7 @@ struct belle_sip_tls_channel{
char *cur_debug_msg;
belle_sip_certificates_chain_t* client_cert_chain;
belle_sip_signing_key_t* client_cert_key;
belle_tls_verify_policy_t *verify_ctx;
belle_tls_crypto_config_t *crypto_config;
int http_proxy_connected;
belle_sip_resolver_context_t *http_proxy_resolver_ctx;
};
......@@ -374,7 +374,7 @@ static void tls_channel_uninit(belle_sip_tls_channel_t *obj){
if (obj->cur_debug_msg)
belle_sip_free(obj->cur_debug_msg);
belle_sip_object_unref(obj->verify_ctx);
belle_sip_object_unref(obj->crypto_config);
if (obj->client_cert_chain) belle_sip_object_unref(obj->client_cert_chain);
if (obj->client_cert_key) belle_sip_object_unref(obj->client_cert_key);
if (obj->http_proxy_resolver_ctx) belle_sip_object_unref(obj->http_proxy_resolver_ctx);
......@@ -723,7 +723,7 @@ int belle_sip_verify_cb_error_wrapper(bctoolbox_x509_certificate_t *cert, int de
static int belle_sip_ssl_verify(void *data , bctoolbox_x509_certificate_t *cert , int depth, uint32_t *flags){
belle_tls_verify_policy_t *verify_ctx=(belle_tls_verify_policy_t*)data;
belle_tls_crypto_config_t *crypto_config=(belle_tls_crypto_config_t*)data;
const int tmp_size = 2048, flags_str_size = 256;
char *tmp = belle_sip_malloc0(tmp_size);
char *flags_str = belle_sip_malloc0(flags_str_size);
......@@ -734,10 +734,10 @@ static int belle_sip_ssl_verify(void *data , bctoolbox_x509_certificate_t *cert
belle_sip_message("Found certificate depth=[%i], flags=[%s]:\n%s", depth, flags_str, tmp);
if (verify_ctx->exception_flags==BELLE_TLS_VERIFY_ANY_REASON){
if (crypto_config->exception_flags==BELLE_TLS_VERIFY_ANY_REASON){
/* verify context ask to ignore any exception: reset all flags */
bctoolbox_x509_certificate_unset_flag(flags, BCTOOLBOX_CERTIFICATE_VERIFY_ALL_FLAGS);
}else if (verify_ctx->exception_flags & BELLE_TLS_VERIFY_CN_MISMATCH){
}else if (crypto_config->exception_flags & BELLE_TLS_VERIFY_CN_MISMATCH){
/* verify context ask to ignore CN mismatch exception : reset this flag */
bctoolbox_x509_certificate_unset_flag(flags, BCTOOLBOX_CERTIFICATE_VERIFY_BADCERT_CN_MISMATCH);
}
......@@ -775,7 +775,7 @@ static int belle_sip_tls_channel_load_root_ca(belle_sip_tls_channel_t *obj, cons
return -1;
}
belle_sip_channel_t * belle_sip_channel_new_tls(belle_sip_stack_t *stack, belle_tls_verify_policy_t *verify_ctx,const char *bindip, int localport, const char *peer_cname, const char *dest, int port) {
belle_sip_channel_t * belle_sip_channel_new_tls(belle_sip_stack_t *stack, belle_tls_crypto_config_t *crypto_config, const char *bindip, int localport, const char *peer_cname, const char *dest, int port) {
belle_sip_tls_channel_t *obj=belle_sip_object_new(belle_sip_tls_channel_t);
belle_sip_stream_channel_t* super=(belle_sip_stream_channel_t*)obj;
......@@ -786,17 +786,28 @@ belle_sip_channel_t * belle_sip_channel_new_tls(belle_sip_stack_t *stack, belle_
/* create and initialise ssl context and configuration */
obj->sslctx = bctoolbox_ssl_context_new();
obj->sslcfg = bctoolbox_ssl_config_new();
bctoolbox_ssl_config_defaults(obj->sslcfg, BCTOOLBOX_SSL_IS_CLIENT, BCTOOLBOX_SSL_TRANSPORT_STREAM);
bctoolbox_ssl_config_set_authmode(obj->sslcfg, BCTOOLBOX_SSL_VERIFY_REQUIRED);
if (crypto_config->ssl_config == NULL) {
bctoolbox_ssl_config_defaults(obj->sslcfg, BCTOOLBOX_SSL_IS_CLIENT, BCTOOLBOX_SSL_TRANSPORT_STREAM);
bctoolbox_ssl_config_set_authmode(obj->sslcfg, BCTOOLBOX_SSL_VERIFY_REQUIRED);
} else { /* an SSL config is provided, use it*/
int ret = bctoolbox_ssl_config_set_crypto_library_config(obj->sslcfg, crypto_config->ssl_config);
if (ret<0) {
belle_sip_error("Unable to set external config for SSL context at TLS channel creation ret [-0x%x]", -ret);
belle_sip_object_unref(obj);
return NULL;
}
belle_sip_message("Use externally provided SSL configuration when creating TLS channel [%p]", obj);
}
bctoolbox_ssl_config_set_rng(obj->sslcfg, random_generator, NULL);
bctoolbox_ssl_set_io_callbacks(obj->sslctx, obj, tls_callback_write, tls_callback_read);
if (verify_ctx->root_ca && belle_sip_tls_channel_load_root_ca(obj,verify_ctx->root_ca)==0){
if (crypto_config->root_ca && belle_sip_tls_channel_load_root_ca(obj,crypto_config->root_ca)==0){
bctoolbox_ssl_config_set_ca_chain(obj->sslcfg, obj->root_ca, super->base.peer_cname ? super->base.peer_cname : super->base.peer_name );
}
bctoolbox_ssl_config_set_callback_verify(obj->sslcfg, belle_sip_ssl_verify, verify_ctx);
bctoolbox_ssl_config_set_callback_verify(obj->sslcfg, belle_sip_ssl_verify, crypto_config);
bctoolbox_ssl_config_set_callback_cli_cert(obj->sslcfg, belle_sip_client_certificate_request_callback, obj);
obj->verify_ctx=(belle_tls_verify_policy_t*)belle_sip_object_ref(verify_ctx);
obj->crypto_config=(belle_tls_crypto_config_t*)belle_sip_object_ref(crypto_config);
bctoolbox_ssl_context_setup(obj->sslctx, obj->sslcfg);
return (belle_sip_channel_t*)obj;
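Review bot: The new error path in belle_sip_channel_new_tls unrefs obj before obj->crypto_config has been assigned (that happens several lines later), yet tls_channel_uninit in this same commit calls belle_sip_object_unref(obj->crypto_config) unconditionally; unless belle_sip_object_unref tolerates NULL, this early return fails inside the destructor. Moving `obj->crypto_config=(belle_tls_crypto_config_t*)belle_sip_object_ref(crypto_config);` above the `if (crypto_config->ssl_config == NULL)` block makes the error path clean up the same way as the normal path. When an external ssl_config is supplied, bctoolbox_ssl_config_defaults and the BCTOOLBOX_SSL_VERIFY_REQUIRED auth mode are skipped, so whether peer-certificate failures abort the handshake now depends entirely on the caller's configuration; the message logged there should say so, e.g. `belle_sip_warning("Externally provided SSL configuration in use for TLS channel [%p]: peer verification mode is taken from that configuration", obj);`. Whether the CA chain and verify callback set afterwards on obj->sslcfg reach the external configuration depends on bctoolbox_ssl_config_set_crypto_library_config, which is not visible here. The `-0x%x` conversion receives the int expression -ret; `(unsigned)-ret` matches the format.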
......@@ -19,11 +19,11 @@
#include "belle_sip_internal.h"
static void belle_sip_tls_listening_point_uninit(belle_sip_tls_listening_point_t *lp){
belle_sip_object_unref(lp->verify_ctx);
belle_sip_object_unref(lp->crypto_config);
}
static belle_sip_channel_t *tls_create_channel(belle_sip_listening_point_t *lp, const belle_sip_hop_t *hop){
belle_sip_channel_t *chan=belle_sip_channel_new_tls(lp->stack, ((belle_sip_tls_listening_point_t*) lp)->verify_ctx
belle_sip_channel_t *chan=belle_sip_channel_new_tls(lp->stack, ((belle_sip_tls_listening_point_t*) lp)->crypto_config
,belle_sip_uri_get_host(lp->listening_uri)
,belle_sip_uri_get_port(lp->listening_uri)
,hop->cname
......@@ -74,22 +74,27 @@ belle_sip_listening_point_t * belle_sip_tls_listening_point_new(belle_sip_stack_
belle_sip_stream_listening_point_init((belle_sip_stream_listening_point_t*)lp,s,ipaddress,port);
#endif /* ENABLE_SERVER_SOCKETS */
lp->verify_ctx=belle_tls_verify_policy_new();
lp->crypto_config=belle_tls_crypto_config_new();
return BELLE_SIP_LISTENING_POINT(lp);
}
int belle_sip_tls_listening_point_set_root_ca(belle_sip_tls_listening_point_t *lp, const char *path){
return belle_tls_verify_policy_set_root_ca(lp->verify_ctx,path);
return belle_tls_crypto_config_set_root_ca(lp->crypto_config,path);
}
int belle_sip_tls_listening_point_set_verify_exceptions(belle_sip_tls_listening_point_t *lp, int flags){
belle_tls_verify_policy_set_exceptions(lp->verify_ctx,flags);
belle_tls_crypto_config_set_verify_exceptions(lp->crypto_config,flags);
return 0;
}
int belle_sip_tls_listening_point_set_verify_policy(belle_sip_tls_listening_point_t *s, belle_tls_verify_policy_t *pol){
SET_OBJECT_PROPERTY(s,verify_ctx,pol);
SET_OBJECT_PROPERTY(s,crypto_config,(belle_tls_crypto_config_t *)pol);
return 0;
}
int belle_sip_tls_listening_point_set_crypto_config(belle_sip_tls_listening_point_t *s, belle_tls_crypto_config_t *crypto_config){
SET_OBJECT_PROPERTY(s,crypto_config,crypto_config);
return 0;
}
......@@ -80,9 +80,9 @@ static int http_before_all(void) {
stack=belle_sip_stack_new(NULL);
prov=belle_sip_stack_create_http_provider(stack,"0.0.0.0");
if (belle_sip_tester_get_root_ca_path() != NULL) {
belle_tls_verify_policy_t *policy=belle_tls_verify_policy_new();
belle_tls_verify_policy_set_root_ca(policy,belle_sip_tester_get_root_ca_path());
belle_http_provider_set_tls_verify_policy(prov,policy);
belle_tls_crypto_config_t *crypto_config=belle_tls_crypto_config_new();
belle_tls_crypto_config_set_root_ca(crypto_config,belle_sip_tester_get_root_ca_path());
belle_http_provider_set_tls_crypto_config(prov,crypto_config);
}
return 0;
}
......@@ -198,11 +198,13 @@ int register_before_all(void) {
belle_sip_provider_add_listening_point(prov,lp);
lp=belle_sip_stack_create_listening_point(stack,"0.0.0.0",7061,"TLS");
if (lp) {
belle_tls_crypto_config_t *crypto_config=belle_tls_crypto_config_new();
/* since test.linphone.org does not have proper certificates, don't verify anything*/
belle_sip_tls_listening_point_set_verify_exceptions(BELLE_SIP_TLS_LISTENING_POINT(lp),BELLE_SIP_TLS_LISTENING_POINT_BADCERT_ANY_REASON);
belle_tls_crypto_config_set_verify_exceptions(crypto_config, BELLE_TLS_VERIFY_ANY_REASON);
if (belle_sip_tester_get_root_ca_path() != NULL) {
belle_sip_tls_listening_point_set_root_ca(BELLE_SIP_TLS_LISTENING_POINT(lp), belle_sip_tester_get_root_ca_path());
belle_tls_crypto_config_set_root_ca(crypto_config,belle_sip_tester_get_root_ca_path());
}
belle_sip_tls_listening_point_set_crypto_config(BELLE_SIP_TLS_LISTENING_POINT(lp), crypto_config);
belle_sip_provider_add_listening_point(prov,lp);
}
......@@ -540,9 +542,7 @@ static void test_register_channel_inactive(void){
static void test_register_client_authenticated(void) {
belle_sip_request_t *reg;
authorized_request=NULL;
/*we don't care to check sercer cert*/
belle_sip_tls_listening_point_set_verify_exceptions( (belle_sip_tls_listening_point_t*)belle_sip_provider_get_listening_point(prov,"tls")
,BELLE_SIP_TLS_LISTENING_POINT_BADCERT_ANY_REASON);
reg=register_user_at_domain(stack, prov, "tls",1,"tester",client_auth_domain,client_auth_outbound_proxy);
if (authorized_request) {
unregister_user(stack,prov,authorized_request,1);
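Review bot: In register_before_all the crypto_config created with belle_tls_crypto_config_new is handed to belle_sip_tls_listening_point_set_crypto_config and never released; if that setter takes its own reference through SET_OBJECT_PROPERTY, as the tls_listening_point.c hunk suggests, the test's reference leaks — add `belle_sip_object_unref(crypto_config);` right after the set call. The http_tester.c hunk in this commit has the same pattern with belle_http_provider_set_tls_crypto_config. register_before_all starts outside the hunk. The removal in test_register_client_authenticated is consistent because BELLE_TLS_VERIFY_ANY_REASON is now applied to the listening point's config in register_before_all, but the test now silently depends on that setup, which a one-line comment at the point of removal would make explicit.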