transp,tls: add TLS client verification #1059

Merged
merged 1 commit into from
Feb 11, 2024
Merged
2 changes: 2 additions & 0 deletions include/re_tls.h
Expand Up @@ -69,10 +69,12 @@ int tls_srtp_keyinfo(const struct tls_conn *tc, enum srtp_suite *suite,
const char *tls_cipher_name(const struct tls_conn *tc);
int tls_set_ciphers(struct tls *tls, const char *cipherv[], size_t count);
int tls_set_verify_server(struct tls_conn *tc, const char *host);
int tls_verify_client(struct tls_conn *tc);

int tls_get_issuer(struct tls *tls, struct mbuf *mb);
int tls_get_subject(struct tls *tls, struct mbuf *mb);
void tls_disable_verify_server(struct tls *tls);
void tls_enable_verify_client(struct tls *tls, bool enable);

int tls_set_min_proto_version(struct tls *tls, int version);
int tls_set_max_proto_version(struct tls *tls, int version);
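Review bot: The new `tls_verify_client` declaration reads as if it performs the verification, while the implementation in src/tls/openssl/tls.c only installs the verify mode on the connection and returns 0 immediately when tls_enable_verify_client() was not set on the owning tls object. A one-line comment in the header would prevent callers from relying on a check that may not happen, e.g. `/* Install client-certificate verification on tc; no-op unless tls_enable_verify_client() was set */`.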
4 changes: 4 additions & 0 deletions src/sip/transp.c
Expand Up @@ -679,6 +679,10 @@ static void tcp_connect_handler(const struct sa *paddr, void *arg)
err = tls_start_tcp(&conn->sc, transp->tls, conn->tc, 0);
if (err)
goto out;

err = tls_verify_client(conn->sc);
if (err)
goto out;
}
#endif

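Review bot: The new `if (err) goto out;` after `err = tls_verify_client(conn->sc);` rejects every accepted TLS connection on LibreSSL builds, because tls_verify_client in src/tls/openssl/tls.c returns ENOSYS under LIBRESSL_VERSION_NUMBER even when client verification was never enabled. Either move the `verify_client` check ahead of the `#if` in tls_verify_client so the disabled case returns 0 on every build, or have this caller treat the unsupported case as non-fatal, e.g. `if (err && err != ENOSYS) goto out;`. The enclosing tcp_connect_handler begins outside the hunk, and whether tls_start_tcp has already driven the handshake at this point is not visible here; the verify mode only takes effect if it is installed before the handshake runs, so that ordering is worth confirming.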
45 changes: 45 additions & 0 deletions src/tls/openssl/tls.c
Expand Up @@ -45,6 +45,7 @@ struct tls {
X509 *cert;
char *pass; /**< password for private key */
bool verify_server; /**< Enable SIP TLS server verification */
bool verify_client; /**< Enable SIP TLS client verification */
struct session_reuse reuse;
struct list certs; /**< Certificates for SNI selection */
};
Expand Down Expand Up @@ -1459,6 +1460,35 @@ int tls_set_verify_server(struct tls_conn *tc, const char *host)
}


/**
* Enable verification of client certificate
*
* @param tc TLS Connection
*
* @return 0 if success, otherwise errorcode
*/
int tls_verify_client(struct tls_conn *tc)
{
#if !defined(LIBRESSL_VERSION_NUMBER)

if (!tc)
return EINVAL;

if (!tc->tls->verify_client)
return 0;

SSL_set_verify(tc->ssl, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE,
tls_verify_handler);

return 0;
#else
(void)tc;

return ENOSYS;
#endif
}


static int print_error(const char *str, size_t len, void *unused)
{
(void)unused;
Expand Down Expand Up @@ -1597,6 +1627,21 @@ void tls_disable_verify_server(struct tls *tls)
}


/**
* Enables SIP TLS client verifications for following requests
*
* @param tls TLS Object
* @param enable true to enable client verification, false to disable
*/
void tls_enable_verify_client(struct tls *tls, bool enable)
{
if (!tls)
return;

tls->verify_client = enable;
}


/**
* Set minimum TLS version
*
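Review bot: `SSL_set_verify(tc->ssl, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, tls_verify_handler)` in tls_verify_client requests a client certificate, but in server mode SSL_VERIFY_PEER alone lets the handshake continue when the client presents none, so a peer without a certificate is not rejected unless tls_verify_handler (outside this hunk) does so. If the feature is meant to require a client certificate, add the missing flag: `SSL_set_verify(tc->ssl, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT | SSL_VERIFY_CLIENT_ONCE, tls_verify_handler);`; otherwise the docstring should say explicitly that a client presenting no certificate is accepted. The docstring should also state that the call is a no-op unless tls_enable_verify_client() was set on the owning `struct tls` and that it must be made before the handshake completes, and that it returns ENOSYS on LibreSSL even when verification is disabled, which the caller in src/sip/transp.c currently treats as fatal.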