• Jarod Neuner's avatar
    TLS Subject Checking in tport · 7b637c59
    Jarod Neuner authored
    sofia-sip/tport.h:
    * tport_delivered_from_subjects() returns type (su_strlst_t const *)
    * Export tport_subject_search()
    
    sofia-sip/tport_tag.h + tport_tag.c:
    * Remove TPTAG_TLS_VERIFY_PEER()
      - Depreciated.  Use TPTAG_TLS_VERIFY_POLICY instead.
      - Binary Compatibility is preserved.
    * Add TPTAG_TLS_VERIFY_POLICY()
      - tport can verify incoming and/or outgoing connections, using:
        1) Certificate Signatures only - or -
        2) Certificate Signatures and Certificate Subjects
    * Add TPTAG_TLS_VERIFY_DEPTH()
      - Restrict certificate chain verification to a set length.
    * Add TPTAG_TLS_VERIFY_DATE()
      - Disable notBefore/notAfter checking (application: embedded devices)
    * Add TPTAG_TLS_VERIFY_SUBJECTS()
      - Incoming connections must present client certificates with subjects
        that match an item in this list.
      - Intended Use: Proxy Authentication
    * Replaced TPTAG_TRUSTED() with TPTAG_X509_SUBJECT()
      - Commented out for future use.
      - Intended Use: SIP User Identities in Server Certificates.
    * Add appropriate doxygen documentation.
    
    tport.c
    * Add tport_subject_search()
      - Subject can be a hostname, IP Address, or a URI.
      - Valid subject examples include:
          example.com
          alice@example.com
          sip:alice@example.com
          sips:alice@example.com
    * tport_by_addrinfo() matches tpn_canon against the subject list
        of reusable TLS connections.
    
    tport_tls.h:
    * Add tls_init_secondary()
    * Remove tls_init_slave() & tls_init_client()
    
    tport_tls.c:
    * tls_verify_cb() supports TPTAG_TLS_VERIFY_DATE()
    * tls_post_connection_check() verifies certificate subjects.
    * tls_init_secondary()
      - Replaces tls_init_slave(), tls_init_client(), and tls_clone().
    
    tport_type_tls.c:
    * Removed erroneous reference to tport_tls_deliver()
    * Fix a memory leak caused by duplicate calls to tls_clone().
    * Populate the (tport_t *)->tp_subjects field with peer certificate data for
      new secondary connections.
    
    darcs-hash:20090115155045-2152f-aaec406d8e5dbf146949d4d3cbc9f56e201cba46.gz
    7b637c59
tport_tls.c 21.5 KB