Commit f45856be authored by johan's avatar johan

Tunnel client can verify server certificate

parent 61919a5c
......@@ -100,6 +100,15 @@ void TunnelManager::startClient() {
ms_message("TunnelManager: Starting tunnel client");
mTunnelClient = new TunnelClient(TRUE);
mTunnelClient->setCallback((TunnelClientController::StateCallback)tunnelCallback,this);
if (mVerifyServerCertificate) {
const char *rootCertificatePath = linphone_core_get_root_ca(mCore);
if (rootCertificatePath != NULL) {
ms_message("TunnelManager: Load root certificate from %s", rootCertificatePath);
mTunnelClient->setRootCertificate(rootCertificatePath); /* give the path to root certificate to the tunnel client in order to be able to verify the server certificate */
} else {
ms_warning("TunnelManager is set to verify server certificate but no root certificate is available in linphoneCore");
}
}
list<ServerAddr>::iterator it;
for(it=mServerAddrs.begin();it!=mServerAddrs.end();++it){
const ServerAddr &addr=*it;
......@@ -427,6 +436,14 @@ bool TunnelManager::tunnelizeSipPacketsEnabled() const {
return mTunnelizeSipPackets;
}
void TunnelManager::verifyServerCertificate(bool enable){
mVerifyServerCertificate = enable;
}
bool TunnelManager::verifyServerCertificateEnabled() const {
return mVerifyServerCertificate;
}
void TunnelManager::setHttpProxy(const char *host,int port, const char *username, const char *passwd){
mHttpUserName=username?username:"";
mHttpPasswd=passwd?passwd:"";
......
......@@ -110,6 +110,18 @@ namespace belledonnecomm {
* @return True, SIP packets pass through the tunnel
*/
bool tunnelizeSipPacketsEnabled() const;
/**
* Indicate to the tunnel manager wether server certificate
* must be verified during TLS handshake. Default: disabled
* @param enable If set to TRUE, SIP packets will pass through the tunnel.
* If set to FALSE, SIP packets will pass by the configured proxies.
*/
void verifyServerCertificate(bool enable);
/**
* Check wether the tunnel manager is set to verify server certificate during TLS handshake
* @return True, server certificate is verified(using the linphonecore root certificate)
*/
bool verifyServerCertificateEnabled() const;
/**
* @brief Constructor
* @param lc The LinphoneCore instance of which the TunnelManager will be associated to.
......@@ -188,6 +200,7 @@ namespace belledonnecomm {
LinphoneTunnelMode mMode;
State mState;
bool mTunnelizeSipPackets;
bool mVerifyServerCertificate;
TunnelClient* mTunnelClient;
std::string mHttpUserName;
std::string mHttpPasswd;
......
......@@ -330,6 +330,15 @@ bool_t linphone_tunnel_sip_enabled(const LinphoneTunnel *tunnel) {
return bcTunnel(tunnel)->tunnelizeSipPacketsEnabled() ? TRUE : FALSE;
}
void linphone_tunnel_verify_server_certificate(LinphoneTunnel *tunnel, bool_t enable) {
bcTunnel(tunnel)->verifyServerCertificate(enable);
lp_config_set_int(config(tunnel), "tunnel", "verifyCert", (enable ? TRUE : FALSE));
}
bool_t linphone_tunnel_verify_server_certificate_enabled(const LinphoneTunnel *tunnel) {
return bcTunnel(tunnel)->verifyServerCertificateEnabled() ? TRUE : FALSE;
}
static void my_ortp_logv(const char *domain, OrtpLogLevel level, const char *fmt, va_list args){
ortp_logv(domain, level,fmt,args);
}
......@@ -342,10 +351,12 @@ static void my_ortp_logv(const char *domain, OrtpLogLevel level, const char *fmt
void linphone_tunnel_configure(LinphoneTunnel *tunnel){
LinphoneTunnelMode mode = linphone_tunnel_mode_from_string(lp_config_get_string(config(tunnel), "tunnel", "mode", NULL));
bool_t tunnelizeSIPPackets = (bool_t)lp_config_get_int(config(tunnel), "tunnel", "sip", TRUE);
bool_t tunnelVerifyServerCertificate = (bool_t)lp_config_get_int(config(tunnel), "tunnel", "verifyCert", FALSE);
linphone_tunnel_enable_logs_with_handler(tunnel,TRUE,my_ortp_logv);
linphone_tunnel_load_config(tunnel);
linphone_tunnel_enable_sip(tunnel, tunnelizeSIPPackets);
linphone_tunnel_set_mode(tunnel, mode);
linphone_tunnel_verify_server_certificate(tunnel, tunnelVerifyServerCertificate);
}
/* Deprecated functions */
......
[sip]
sip_port=-1
sip_tcp_port=-1
sip_tls_port=-1
default_proxy=0
ping_with_options=0
composing_idle_timeout=1
[auth_info_0]
username=pauline
userid=pauline
passwd=secret
realm=sip.example.org
[proxy_0]
reg_proxy=sip2.linphone.org;transport=tls
reg_route=sip2.linphone.org;transport=tls
reg_identity=sip:pauline@sip.example.org
reg_expires=3600
reg_sendregister=1
publish=0
dial_escape_plus=0
#[friend_0]
#url="Mariette" <sip:marie@sip.example.org>
#pol=accept
#subscribe=0
[rtp]
audio_rtp_port=18070-28000
video_rtp_port=39072-49000
[video]
display=0
capture=0
show_local=0
size=qcif
enabled=0
self_view=0
automatically_initiate=0
automatically_accept=0
device=StaticImage: Static picture
[sound]
echocancellation=0 #to not overload cpu in case of VG
[net]
dns_srv_enabled=0 #no srv needed in general
stun_server=stun.linphone.org
[tunnel]
verifyCert=1
......@@ -30,10 +30,10 @@ static char* get_public_contact_ip(LinphoneCore* lc) {
}
static void call_with_tunnel_base(LinphoneTunnelMode tunnel_mode, bool_t with_sip, LinphoneMediaEncryption encryption, bool_t with_video_and_ice) {
static void call_with_tunnel_base_with_config_files(LinphoneTunnelMode tunnel_mode, bool_t with_sip, LinphoneMediaEncryption encryption, bool_t with_video_and_ice, const char *marie_rc, const char *pauline_rc) {
if (linphone_core_tunnel_available()){
LinphoneCoreManager *pauline = linphone_core_manager_new( "pauline_rc");
LinphoneCoreManager *marie = linphone_core_manager_new( "marie_rc");
LinphoneCoreManager *pauline = linphone_core_manager_new( pauline_rc);
LinphoneCoreManager *marie = linphone_core_manager_new( marie_rc);
LinphoneCall *pauline_call, *marie_call;
LinphoneProxyConfig *proxy = linphone_core_get_default_proxy_config(pauline->lc);
LinphoneAddress *server_addr = linphone_address_new(linphone_proxy_config_get_server_addr(proxy));
......@@ -155,6 +155,9 @@ static void call_with_tunnel_base(LinphoneTunnelMode tunnel_mode, bool_t with_si
}
}
static void call_with_tunnel_base(LinphoneTunnelMode tunnel_mode, bool_t with_sip, LinphoneMediaEncryption encryption, bool_t with_video_and_ice) {
call_with_tunnel_base_with_config_files(tunnel_mode, with_sip, encryption, with_video_and_ice, "marie_rc", "pauline_rc");
}
static void call_with_tunnel(void) {
call_with_tunnel_base(LinphoneTunnelModeEnable, TRUE, LinphoneMediaEncryptionNone, FALSE);
......@@ -168,6 +171,10 @@ static void call_with_tunnel_without_sip(void) {
call_with_tunnel_base(LinphoneTunnelModeEnable, FALSE, LinphoneMediaEncryptionNone, FALSE);
}
static void call_with_tunnel_verify_server_certificate(void) {
call_with_tunnel_base_with_config_files(LinphoneTunnelModeEnable, TRUE, LinphoneMediaEncryptionNone, FALSE, "marie_rc", "pauline_tunnel_verify_server_certificate_rc");
}
static void call_with_tunnel_auto(void) {
call_with_tunnel_base(LinphoneTunnelModeAuto, TRUE, LinphoneMediaEncryptionNone, FALSE);
}
......@@ -237,6 +244,7 @@ test_t tunnel_tests[] = {
TEST_NO_TAG("Simple", call_with_tunnel),
TEST_NO_TAG("With SRTP", call_with_tunnel_srtp),
TEST_NO_TAG("Without SIP", call_with_tunnel_without_sip),
TEST_NO_TAG("Verify Server Certificate", call_with_tunnel_verify_server_certificate),
TEST_NO_TAG("In automatic mode", call_with_tunnel_auto),
TEST_NO_TAG("In automatic mode with SRTP without SIP", call_with_tunnel_auto_without_sip_with_srtp),
TEST_NO_TAG("Ice call", tunnel_ice_call),
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment