2009/1/6 Jarod Neuner <j.neu...@networkharbor.com>:
> This patch should wrap up the major changes to the tport module. A new
> pointer (tpn_subject) has been added to the tp_name_t structure, which
> defines the subject name of the intended recipient of each message.
Many thanks for your patch! Unfortunately adding new fields to tpn_subject breaks the binary compatibility, which causes all kinds of problems with Debian (and maemo) packages. So, I can't accept your patch at the moment in the main repository.

Also, if we want to do some automated Subject testing at tport level, I'd go for using tpn_canon, which should contain the domain name used in the SIP URI. In that case TPTAG_TLS_VERIFY_PEER() >= 2 could be used to determine whether to check the subject or not.

For hairier cases, perhaps tags in tport_tsend() arguments containing the desired subject (e.g., TPTAG_X509_SUBJECT or TPTAG_X509_SUBJECT_DN, TPTAG_X509_SUBJECT_DNS, TPTAG_X509_SUBJECT_RFC822, and TPTAG_X509_SUBJECT_URI)?

If we are trying to send an INVITE to sip:b...@biloxi.com, the peer certificate could contain subjects like URI sip:biloxi.com, sips:biloxi.com, dNSName biloxi.com (and in case they use NAPTR) dNSName ext-sip-proxy.biloxi.com. Likewise, an incoming connection from sip:al...@atlanta.com could have URI sip:al...@atlanta.com or rfc822Name al...@atlanta.com. So perhaps nta or upper layers could build a list of possible subjects and include them with the tport_tsend().

> As before, these patches should not change the behavior of NTA or NUA.
> The next patch will be directed at those modules (that is, once I wrap
> my head around what is going on in NTA). ;)
> Here is a quick rundown on the (intended) behavior of the subject
> verification code:
>
> *** For established TLS Connections ***
> tport_is_verified()
> - Indicates whether or not an active TLS tport secondary
> has a verified certificate.
> tport_delivered_from_subjects()
> - Provides a list of the verified certificate subjects
> associated with the peer that delivered a message.
> tport_subject_search()
> - Searches a list of certificate subjects.
> - Supports peer certificates with URI subjects
> and wildcard hostnames.

Why does sip:foo.bar.com match with *.bar.com but not with foo.bar.com?
> *** For Outgoing Messages on New Connections ***
> The goal here was to allow the higher levels to call tport_tsend() with
> any tpn_subject and guarantee that the message will only be delivered to
> a completely authenticated peer. I think pseudocode will provide a
> better overview of what should happen:
>
> if (TPORT_TLS_VERIFY_PEER(1) is not set)
>   send message
> else if (peer_cert does not verify)
>   do not send message
> else if (tpn_subject is not set)
>   send message
> else if (peer_cert->subjects includes tpn_subject)
>   send message
> else
>   do not send message

-- 
Pekka.Pessi mail at nokia.com
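An added illustration, not sofia-sip code and not part of the patch under discussion: the quoted send/don't-send pseudocode as a C predicate over a list of verified subject names, with the one-label wildcard rule that makes *.bar.com match foo.bar.com but not bar.com. The function names, the verify_peer/cert_verified inputs and the subject list are all hypothetical.

```c
/* Added example, not sofia-sip code: the quoted send/don't-send decision
 * plus a hostname-vs-subject matcher. All names here are hypothetical. */
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Case-insensitive match of a host against one certificate subject name.
 * A leading "*." matches exactly one label, so "*.bar.com" matches
 * "foo.bar.com" but neither "bar.com" nor "a.foo.bar.com". */
static int subject_matches(const char *subject, const char *host)
{
  if (strncmp(subject, "*.", 2) == 0) {
    const char *dot = strchr(host, '.');
    if (dot == NULL)
      return 0;
    return strcasecmp(subject + 1, dot) == 0;  /* ".bar.com" vs ".bar.com" */
  }
  return strcasecmp(subject, host) == 0;
}

/* Search a NULL-terminated list of verified subject names (e.g. dNSName
 * entries or the host part of URI subjects). Returns 1 on a match. */
static int subject_search(const char *const *subjects, const char *host)
{
  for (; *subjects; subjects++)
    if (subject_matches(*subjects, host))
      return 1;
  return 0;
}

/* The pseudocode from the thread, as a predicate: 1 = send, 0 = do not. */
static int may_send(int verify_peer, int cert_verified,
                    const char *tpn_subject, const char *const *peer_subjects)
{
  if (verify_peer < 1)      return 1;   /* TPTAG_TLS_VERIFY_PEER(1) not set */
  if (!cert_verified)       return 0;   /* peer cert does not verify */
  if (tpn_subject == NULL)  return 1;   /* no subject requested */
  return subject_search(peer_subjects, tpn_subject);
}

/* Constructed sample: subjects taken from a (hypothetical) verified cert. */
static const char *const example_subjects[] = { "biloxi.com", "*.bar.com", NULL };

int main(void)
{
  printf("foo.bar.com: %d\n", may_send(1, 1, "foo.bar.com", example_subjects));
  printf("bar.com:     %d\n", may_send(1, 1, "bar.com", example_subjects));
  return 0;
}
```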