This patch provides a whole host of configuration options for the tport
tls module, while preserving binary compatibility and legacy behavior.

* Peer certificate subjects for outgoing messages are compared to 
  tpn_canon.  This has been tested against requests sent to a 
  proxy (sips:voip.example.com), a host (sips:u...@192.168.0.1), 
  and a SRV lookup (sips:u...@example.com).

* A host of new TPTAG_TLS_* tags are available.  Options include 
  verification policy, certificate chain depth, date verification,
  and verification of incoming certificate subjects.  All of these
  were tested against an OpenSIPS proxy running in TLS mode.

* Methods from the previous patch have been preserved and/or updated:
  - tport_subject_search(): finds certificate subject matches
  - tport_delivered_from_subjects(): subjects from a TLS secondary.
  - tport_is_verified(): TLS certificate signature was verified.

* I have included a commented-out prototype for TPTAG_X509_SUBJECT,
  which is intended for matching SIP User Identities.  This requires
  significant work in NTA, which I won't be getting to anytime soon.
  I'm also not sure that such a mechanism would be exceptionally
  useful, but the idea is there if it ever proves necessary.

Cheers~
-Jarod
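Added example, not the patch's or sofia-sip's own code: a stand-alone C model of the verify-policy bit decoding and the certificate-subject matching that the message and patch bundle below describe, run against constructed certificate subject lists. The function and array names (`decode_policy`, `subject_match`, `post_connection_accept`, `proxy_cert_subjects` and friends) are assumptions, hosts are compared as plain case-insensitive strings instead of through sofia's host_cmp(), and it diverges from the patch in one deliberate place: an outgoing connection with no canonical name is rejected under subject checking rather than passed.

```c
/* Added example, not sofia-sip code: a stand-alone model of the verify-policy
 * bits and subject matching described in the patch below.  Names are hypothetical
 * and hosts compare as plain case-insensitive strings (no IPv6 canonicalization). */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp(), strncasecmp() (POSIX) */

/* Values copied from the patch's tport_tag.h hunk. */
enum tport_tls_verify_policy {
  TPTLS_VERIFY_NONE = 0x0,        TPTLS_VERIFY_INCOMING = 0x1,
  TPTLS_VERIFY_OUTGOING = 0x2,    TPTLS_VERIFY_ALL = 0x3,
  TPTLS_VERIFY_SUBJECTS_IN = 0x5, TPTLS_VERIFY_SUBJECTS_OUT = 0xA,
  TPTLS_VERIFY_SUBJECTS_ALL = 0xF
};

struct verify_flags {
  unsigned verify_incoming:1, verify_outgoing:1, verify_subj_in:1, verify_subj_out:1;
};

/* Same rule as the patch's tls_init_master() hunk: a subject bit counts only
 * together with the signature bit for the same direction. */
struct verify_flags decode_policy(unsigned policy)
{
  struct verify_flags f;
  f.verify_incoming = (policy & 0x1) ? 1 : 0;
  f.verify_outgoing = (policy & 0x2) ? 1 : 0;
  f.verify_subj_in  = (policy & 0x4) ? f.verify_incoming : 0;
  f.verify_subj_out = (policy & 0x8) ? f.verify_outgoing : 0;
  return f;
}

/* 1 if subject (what the caller dials, e.g. tpn_canon) matches one of n names from
 * the peer certificate.  As in the patch: "sip:"/"sips:" is stripped from subject,
 * only "sip:" from cert names; NULL or "*" (tpn_any) matches all; no wildcards. */
int subject_match(const char *subject, const char *const *list, size_t n)
{
  if (subject == NULL || strcmp(subject, "*") == 0)
    return 1;
  if (list == NULL)
    return 0;
  if (strncasecmp(subject, "sips:", 5) == 0)
    subject += 5;
  else if (strncasecmp(subject, "sip:", 4) == 0)
    subject += 4;
  for (size_t i = 0; i < n; i++) {
    const char *item = list[i];
    if (strncasecmp(item, "sip:", 4) == 0)
      item += 4;
    if (strcasecmp(subject, item) == 0)
      return 1;
  }
  return 0;
}

/* Post-handshake decision: 1 = keep, 0 = drop.  accepted: 1 incoming / 0 outgoing;
 * sig_ok: chain verified.  Incoming: wanted[] is the configured subjects list.
 * Outgoing: wanted[0] is the dialled name (tpn_canon), nwanted 0 if unknown. */
int post_connection_accept(int accepted, unsigned policy, int sig_ok,
                           const char *const *wanted, size_t nwanted,
                           const char *const *peer, size_t npeer)
{
  struct verify_flags f = decode_policy(policy);

  if (accepted) {
    if (!f.verify_incoming) return 1;
    if (!sig_ok) return 0;
    if (!f.verify_subj_in) return 1;
    if (nwanted == 0) return 1;   /* patch semantics: no list, no subject check */
    for (size_t i = 0; i < nwanted; i++)
      if (subject_match(wanted[i], peer, npeer))
        return 1;
    return 0;
  }
  if (!f.verify_outgoing) return 1;
  if (!sig_ok) return 0;
  if (!f.verify_subj_out) return 1;
  /* Stricter than the patch: with no dialled name there is nothing to bind the
   * certificate to, so treat that as a mismatch rather than a pass. */
  if (nwanted == 0 || wanted[0] == NULL) return 0;
  return subject_match(wanted[0], peer, npeer);
}

/* Constructed sample data, not taken from any real deployment. */
static const char *const proxy_cert_subjects[] = {
  "voip.example.com", "sip:example.com", "192.168.0.1" };  /* CN, URI SAN, IP SAN */
static const char *const sips_only_subjects[] = { "sips:example.com" };
static const char *const attacker_subjects[]  = { "sip:attacker.example.net" };
static const char *const want_proxy[]         = { "sips:voip.example.com" };
static const char *const allowed_clients[]    = { "sip:example.com" };

int main(void)
{
  /* Expected: 1 (proxy accepted), 0 (attacker rejected), 0 (sips: SAN unusable) */
  printf("%d %d %d\n",
         post_connection_accept(0, TPTLS_VERIFY_SUBJECTS_OUT, 1, want_proxy, 1, proxy_cert_subjects, 3),
         post_connection_accept(1, TPTLS_VERIFY_SUBJECTS_IN, 1, allowed_clients, 1, attacker_subjects, 1),
         subject_match("example.com", sips_only_subjects, 1));
  return 0;
}
```

The model reproduces the documented "no list, no subject check" bypass for incoming connections so that it can be seen in action: TPTLS_VERIFY_SUBJECTS_IN with a NULL list accepts the attacker certificate, while the same policy with a populated list rejects it. It also shows that a `sips:` URI SAN never satisfies a bare domain name, exactly because only the `sip:` scheme is stripped from certificate names.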
New patches:

[TLS Subject Checking in tport
Jarod Neuner <janeu...@networkharbor.com>**20090114184543
 
 sofia-sip/tport.h:
 * tport_delivered_from_subjects() returns type (su_strlst_t const *)
 * Export tport_subject_search()
 
 sofia-sip/tport_tag.h + tport_tag.c:
 * Remove TPTAG_TLS_VERIFY_PEER()
   - Deprecated.  Use TPTAG_TLS_VERIFY_POLICY instead.
   - Binary Compatibility is preserved.
 * Add TPTAG_TLS_VERIFY_POLICY()
   - tport can verify incoming and/or outgoing connections, using:
     1) Certificate Signatures only - or - 
     2) Certificate Signatures and Certificate Subjects
 * Add TPTAG_TLS_VERIFY_DEPTH()
   - Restrict certificate chain verification to a set length.
 * Add TPTAG_TLS_VERIFY_DATE()
   - Disable notBefore/notAfter checking (application: embedded devices)
 * Add TPTAG_TLS_VERIFY_SUBJECTS()
   - Incoming connections must present client certificates with subjects
     that match an item in this list.
   - Intended Use: Proxy Authentication
 * Replaced TPTAG_TRUSTED() with TPTAG_X509_SUBJECT()
   - Commented out for future use.
   - Intended Use: SIP User Identities in Server Certificates.
 * Add appropriate doxygen documentation.
 
 tport.c
 * Add tport_subject_search()
   - Subject can be a hostname, IP Address, or a URI.
   - Valid subject examples include:
       example.com
       al...@example.com
       sip:al...@example.com
       sips:al...@example.com
 * tport_by_addrinfo() matches tpn_canon against the subject list
     of reusable TLS connections.
 
 tport_tls.h:
 * Add tls_init_secondary()
 * Remove tls_init_slave() & tls_init_client()
 
 tport_tls.c:
 * tls_verify_cb() supports TPTAG_TLS_VERIFY_DATE()
 * tls_post_connection_check() verifies certificate subjects.
 * tls_init_secondary()
   - Replaces tls_init_slave(), tls_init_client(), and tls_clone().
 
 tport_type_tls.c:
 * Removed erroneous reference to tport_tls_deliver()
 * Fix a memory leak caused by duplicate calls to tls_clone().
 * Populate the (tport_t *)->tp_subjects field with peer certificate data for
   new secondary connections.
 
] {
hunk ./libsofia-sip-ua/tport/sofia-sip/tport.h 342
-TPORT_DLL su_strlst_t *tport_delivered_from_subjects(tport_t *tp, msg_t const 
*msg);
+TPORT_DLL su_strlst_t const *tport_delivered_from_subjects(tport_t *tp, 
+                                                           msg_t const *msg);
+
+/** Check if the given subject string is found in su_strlst_t */
+TPORT_DLL int tport_subject_search(char const *, su_strlst_t const *);
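Review bot: the comment on the new prototype says the subject is checked for being "found in su_strlst_t", but the implementation in the tport.c 3072 hunk returns 1 for a NULL subject or tpn_any, i.e. a match, not "not found". Name the parameters and state that wildcard rule in the header so a caller that passes an unset tpn_canon does not get a match by accident: `TPORT_DLL int tport_subject_search(char const *subject, su_strlst_t const *subjects);`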
hunk ./libsofia-sip-ua/tport/sofia-sip/tport_tag.h 189
+enum tport_tls_verify_policy {
+  TPTLS_VERIFY_NONE         = 0x0,
+  TPTLS_VERIFY_INCOMING     = 0x1,
+  TPTLS_VERIFY_IN           = 0x1,
+  TPTLS_VERIFY_OUTGOING     = 0x2,
+  TPTLS_VERIFY_OUT          = 0x2,
+  TPTLS_VERIFY_ALL          = 0x3,
+  TPTLS_VERIFY_SUBJECTS_IN  = 0x5, /* 0x4 | TPTLS_VERIFY_INCOMING */
+  TPTLS_VERIFY_SUBJECTS_OUT = 0xA, /* 0x8 | TPTLS_VERIFY_OUTGOING */
+  TPTLS_VERIFY_SUBJECTS_ALL = 0xF,
+};
+
+TPORT_DLL extern tag_typedef_t tptag_tls_verify_policy;
+#define TPTAG_TLS_VERIFY_POLICY(x) tptag_tls_verify_policy, tag_uint_v((x))
+
+TPORT_DLL extern tag_typedef_t tptag_tls_verify_policy_ref;
+#define TPTAG_TLS_VERIFY_POLICY_REF(x) tptag_tls_verify_policy_ref, 
tag_uint_vr(&(x))
+
+TPORT_DLL extern tag_typedef_t tptag_tls_verify_depth;
+#define TPTAG_TLS_VERIFY_DEPTH(x) tptag_tls_verify_depth, tag_uint_v((x))
+
+TPORT_DLL extern tag_typedef_t tptag_tls_verify_depth_ref;
+#define TPTAG_TLS_VERIFY_DEPTH_REF(x) \
+             tptag_tls_verify_depth_ref, tag_uint_vr(&(x))
+
+TPORT_DLL extern tag_typedef_t tptag_tls_verify_date;
+#define TPTAG_TLS_VERIFY_DATE(x) tptag_tls_verify_date, tag_uint_v((x))
+
+TPORT_DLL extern tag_typedef_t tptag_tls_verify_date_ref;
+#define TPTAG_TLS_VERIFY_DATE_REF(x) \
+             tptag_tls_verify_date_ref, tag_uint_vr(&(x))
+
+TPORT_DLL extern tag_typedef_t tptag_tls_verify_subjects;
+#define TPTAG_TLS_VERIFY_SUBJECTS(x) tptag_tls_verify_subjects, tag_cptr_v((x))
+
+TPORT_DLL extern tag_typedef_t tptag_tls_verify_subjects_ref;
+#define TPTAG_TLS_VERIFY_SUBJECTS_REF(x) \
+             tptag_tls_verify_subjects_ref, tag_cptr_vr(&(x), (x))
+
+/* TPTAG_TLS_VERIFY_PEER is depreciated - Use TPTAG_TLS_VERIFY_POLICY */
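Review bot: "depreciated" in the trailing comment should read "deprecated" (the same typo is in the tport_tag.c 284 hunk). The subject bits 0x4 and 0x8 exist only as arithmetic inside the aliases (`TPTLS_VERIFY_SUBJECTS_IN = 0x5, /* 0x4 | TPTLS_VERIFY_INCOMING */`); giving them names in this enum would let tls_init_master() test named flags instead of the bare 0x4/0x8 it uses in the tport_tls.c 308 hunk.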
hunk ./libsofia-sip-ua/tport/sofia-sip/tport_tag.h 230
-#define TPTAG_TLS_VERIFY_PEER(x) tptag_tls_verify_peer, tag_uint_v((x))
+#define TPTAG_TLS_VERIFY_PEER(x) TPTAG_TLS_VERIFY_POLICY( (x) ? \
+           TPTLS_VERIFY_ALL : TPTLS_VERIFY_NONE)
hunk ./libsofia-sip-ua/tport/sofia-sip/tport_tag.h 237
-TPORT_DLL extern tag_typedef_t tptag_trusted;
-#define TPTAG_TRUSTED(x) tptag_trusted, tag_bool_v((x))
+TPORT_DLL extern tag_typedef_t tport_x509_subject;
+#define TPTAG_X509_SUBJECT(x) tptag_x509_subject, tag_str_v((x))
hunk ./libsofia-sip-ua/tport/sofia-sip/tport_tag.h 240
-TPORT_DLL extern tag_typedef_t tptag_trusted_ref;
-#define TPTAG_TRUSTED_REF(x) tptag_trusted_ref, tag_bool_vr(&(x))
+TPORT_DLL extern tag_typedef_t tptag_x509_subject_ref;
+#define TPTAG_X509_SUBJECT_REF(x) tptag_x509_subject_ref, tag_str_vr(&(x))
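Review bot: identifier mismatch: `TPORT_DLL extern tag_typedef_t tport_x509_subject;` declares `tport_x509_subject`, while `TPTAG_X509_SUBJECT(x)` and the `_REF` variant use `tptag_x509_subject` and `tptag_x509_subject_ref`. Neither has a definition, since the tag_typedef in tport_tag.c sits inside `#if 0`, so the first caller to use the macro fails at link time; either define the typedefs (documented as not implemented) or put these declarations under the same `#if 0`. Removing `TPTAG_TRUSTED()` and `TPTAG_TRUSTED_REF()` from the public header also breaks source compatibility for anything that used them, which the "Binary Compatibility is preserved" claim in the description does not cover.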
hunk ./libsofia-sip-ua/tport/tport.c 276
-  return tport_has_tls(self) && self->tp_verified;
+  return tport_has_tls(self) && self->tp_is_connected && self->tp_verified;
hunk ./libsofia-sip-ua/tport/tport.c 1468
- * TPTAG_CERTIFICATE(), TPTAG_TLS_VERSION(), TPTAG_TLS_VERIFY_PEER, and tags 
used with
- * tport_set_params(), especially TPTAG_QUEUESIZE().
+ * TPTAG_CERTIFICATE(), TPTAG_TLS_VERSION(), TPTAG_TLS_VERIFY_POLICY, and 
+ * tags used with tport_set_params(), especially TPTAG_QUEUESIZE().
hunk ./libsofia-sip-ua/tport/tport.c 3048
-su_strlst_t *tport_delivered_from_subjects(tport_t *tp, msg_t const *msg)
+su_strlst_t const *tport_delivered_from_subjects(tport_t *tp, msg_t const *msg)
hunk ./libsofia-sip-ua/tport/tport.c 3072
+/** Search for subject in list of TLS Certificate subjects */
+int
+tport_subject_search(char const *subject, su_strlst_t const *lst)
+{
+  int idx, ilen;
+  const char *subjuri;
+
+  if (!subject || su_strmatch(tpn_any, subject))
+    return 1;
+
+  if (!lst)
+    return 0;
+
+  /* Check if subject is a URI */
+  if (su_casenmatch(subject,"sip:",4) || su_casenmatch(subject,"sips:",5))
+    subjuri = subject + su_strncspn(subject,5,":") + 1;
+  else
+    subjuri = NULL;
+
+  ilen = su_strlst_len(lst);
+
+  for (idx = 0; idx < ilen; idx++) {
+    const char *lsturi, *lststr;
+
+    lststr = su_strlst_item(lst, idx);
+
+    /* check if lststr is a URI (sips URI is an unacceptable cert subject) */
+    if (su_casenmatch(lststr,"sip:",4))
+      lsturi = lststr + su_strncspn(lststr,4,":") + 1;
+    else
+      lsturi = NULL;
+
+
+    /* Match two SIP Server Identities */
+    if (host_cmp(subjuri ? subjuri : subject, lsturi ? lsturi : lststr) == 0)
+      return 1;
+#if 0
+    /* XXX - IETF drafts forbid wildcard certs */
+    if (!subjuri && !lsturi && su_strnmatch("*.", lststr, 2)) {
+      size_t urioffset = su_strncspn(subject, 64, ".");
+      if (urioffset) {
+        if (su_casematch(subject + urioffset, lststr+1))
+          return 1;
+      }
+    }
+#endif
+  }
+
+  return 0;
+}
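Review bot: `if (!subject || su_strmatch(tpn_any, subject)) return 1;` makes a NULL subject match everything, which fails open for any caller that passes an unset tpn_canon; returning 0 for NULL and reserving the match-all behaviour for tpn_any is the safer contract. Subjects of the form user@host (the `al...@example.com` form listed in the description) are handed whole to host_cmp(), so whether the user part is compared case-sensitively depends on host_cmp(), while RFC 3261 user parts are case-sensitive; stripping or separately comparing the user part would make the rule explicit. The `#if 0` wildcard block can be dropped rather than shipped as dead code.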
+
hunk ./libsofia-sip-ua/tport/tport.c 3206
- * TPTAG_FRESH(), TPTAG_COMPARTMENT().
+ * TPTAG_FRESH(), TPTAG_COMPARTMENT(), TPTAG_X509_SUBJECT()
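Review bot: TPTAG_X509_SUBJECT() is added to the tport_tsend() documentation although its implementation is commented out and its own doc block in the tport_tag.c hunk says "Not Implemented"; leave it out of this list until it works.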
hunk ./libsofia-sip-ua/tport/tport.c 4635
+    if (tport_has_tls(sub) && !su_casematch(tpn->tpn_canon, 
sub->tp_name->tpn_canon)) {
+      if (!tport_is_verified(sub))
+        continue;
+      if (!tport_subject_search(tpn->tpn_canon, sub->tp_subjects))
+        continue;
+    }
+
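Review bot: the reuse rule ignores the configured policy: a secondary whose tpn_canon differs from the requested one is reused only if `tport_is_verified(sub)` and its subjects match, regardless of whether TPTLS_VERIFY_OUTGOING is set. Under TPTLS_VERIFY_NONE tp_verified stays 0, so cross-name reuse never happens and every new canon opens a new connection; that is conservative, but it is a behaviour change the description should state. The case-insensitive canon match that short-circuits the check does not re-run the subject test, which is only safe because the original handshake already applied it under TPTLS_VERIFY_SUBJECTS_OUT. The `if (tport_has_tls(sub) && !su_casematch(...` line is also wrapped mid-expression as posted.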
hunk ./libsofia-sip-ua/tport/tport_internal.h 184
-                                         * Subject Name(s) provided by the 
-                                         * peer in a TLS connection (if 
secondary).
+                                         * Subject Name(s) provided by the peer
+                                        * in a TLS connection (if secondary).
+                                        * or matched against incoming 
+                                        * connections (if primary).
hunk ./libsofia-sip-ua/tport/tport_tag.c 284
+ * @par Depreciated:
+ *    Alias for 
TPTAG_TLS_VERIFY_POLICY(TPTLS_VERIFY_INCOMING|TPTLS_VERIFY_OUTGOING)
+ */
+tag_typedef_t tptag_tls_verify_peer = UINTTAG_TYPEDEF(tls_verify_peer);
+
+/*...@def TPTAG_TLS_VERIFY_POLICY(x)
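Review bot: "@par Depreciated:" should be "@par Deprecated:"; the "Alias for TPTAG_TLS_VERIFY_POLICY(...)" line is also wrapped mid-expression as posted, so it will not render as one item.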
hunk ./libsofia-sip-ua/tport/tport_tag.c 292
- * 0: no verify certificates;
- * 1: on server mode, the certificate returned by client is checked
- *    if fail the TLS/SSL handshake is immediately terminated;
- * 1: on client mode, the server certificate is verified
- *    if fail the TLS/SSL handshake is immediately terminated;
+ * @par Values:
+ *    - #TPTLS_VERIFY_NONE: 
+ *          Do not verify Peer Certificates.
+ *    - #TPTLS_VERIFY_INCOMING: 
+ *          Drop incoming connections which fail signature verification 
+ *          against trusted certificate authorities. Peers must provide a 
+ *          certificate during the initial TLS Handshake.
+ *    - #TPTLS_VERIFY_OUTGOING: 
+ *          Drop outgoing connections which fail signature verification 
+ *          against trusted certificate authorities.
+ *    - #TPTLS_VERIFY_ALL: 
+ *          Alias for (TPTLS_VERIFY_INCOMING|TPTLS_VERIFY_OUTGOING)
+ *    - #TPTLS_VERIFY_SUBJECTS_IN: 
+ *          Match the certificate subject on incoming connections against 
+ *          a provided list.  If no match is found, the connection is 
+ *          rejected. If no list is provided, subject checking is bypassed.
+ *          Note: Implies #TPTLS_VERIFY_INCOMING.
+ *    - #TPTLS_VERIFY_SUBJECTS_OUT: 
+ *          Match the certificate subject on outgoing connections against 
+ *          a provided list.  If no match is found, the connection is 
+ *          rejected.
+ *          Note: Implies #TPTLS_VERIFY_OUTGOING.
+ *    - #TPTLS_VERIFY_SUBJECTS_ALL:
+ *          Alias for (TPTLS_VERIFY_SUBJECTS_IN|TPTLS_VERIFY_SUBJECTS_OUT)
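Review bot: the TPTLS_VERIFY_SUBJECTS_IN text documents a fail-open default: "If no list is provided, subject checking is bypassed." An operator who sets the policy but forgets TPTAG_TLS_VERIFY_SUBJECTS() silently gets signature-only verification. Either refuse the bind when SUBJECTS_IN is set without a list, or log it at SU_DEBUG_1 at bind time; at minimum word the sentence as a warning rather than a feature.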
hunk ./libsofia-sip-ua/tport/tport_tag.c 317
- * Use with tport_tbind(), nua_create(), nta_agent_create(),
- * nta_agent_add_tport(), nth_engine_create(), or initial nth_site_create().
+ * @par Used with
+ *   tport_tbind(), nua_create(), nta_agent_create(), nta_agent_add_tport(), 
+ *   nth_engine_create(), initial nth_site_create(),
+ *   TPTAG_TLS_VERIFY_SUBJECTS(), TPTAG_TLS_VERIFY_DEPTH().
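Review bot: the rewritten doc no longer states the default; the old 0/1 text implied it, and the tport_type_tls.c hunk initialises `tls_policy = TPTLS_VERIFY_NONE`. Add a "@par Default" entry (TPTLS_VERIFY_NONE) as the DEPTH and DATE blocks have. "@par Used with" also lists TPTAG_TLS_VERIFY_SUBJECTS() and TPTAG_TLS_VERIFY_DEPTH(), which are tags rather than functions; a separate "@par See also" reads better.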
hunk ./libsofia-sip-ua/tport/tport_tag.c 322
-tag_typedef_t tptag_tls_verify_peer = UINTTAG_TYPEDEF(tls_verify_peer);
+tag_typedef_t tptag_tls_verify_policy = UINTTAG_TYPEDEF(tls_verify_policy);
+
+/*...@def TPTAG_TLS_VERIFY_DEPTH(x)
+ *
+ * Define the maximum length of a valid certificate chain.
+ * 
+ * @par Default
+ *   2
+ *
+ * @par Used with
+ *   tport_tbind(), nua_create(), nta_agent_create(), nta_agent_add_tport(), 
+ *   nth_engine_create(), or initial nth_site_create().
+ *
+ * @par Parameter Type:
+ *   unsigned int
+ *
+ */
+tag_typedef_t tptag_tls_verify_depth = UINTTAG_TYPEDEF(tls_verify_depth);
+
+/*...@def TPTAG_TLS_VERIFY_DATE(x)
+ *
+ * Enable/Disable verification of notBefore and notAfter parameters of
+ * X.509 Certificates.
+ *
+ * @par Default
+ *   Enabled
+ *
+ * @par Values
+ *   - 0 - Disable date verification.
+ *   - Non-Zero - Enable date verification.
+ *
+ * @par Used with
+ *   tport_tbind(), nua_create(), nta_agent_create(), nta_agent_add_tport(), 
+ *   nth_engine_create(), or initial nth_site_create().
+ *
+ * @par Parameter Type:
+ *   unsigned int
+ *
+ * @par Note
+ *   This tag should be only used on devices which lack accurate timekeeping.
+ */
+tag_typedef_t tptag_tls_verify_date = UINTTAG_TYPEDEF(tls_verify_date);
+
+/*...@def TPTAG_TLS_VERIFY_SUBJECTS(x)
+ *
+ * Incoming TLS connections must provide a trusted X.509 certificate.
+ * The character strings provided with this tag are matched against
+ * the subjects from the trusted certificate.  If a match is not found,
+ * the connection is automatically rejected.
+ *
+ * @par Used with
+ *   tport_tbind(), nua_create(), nta_agent_create(), nta_agent_add_tport(), 
+ *   nth_engine_create(), initial nth_site_create(),
+ *   TPTLS_VERIFY_SUBJECTS_IN
+ *
+ * @par Parameter Type:
+ *   void const * (actually su_strlst_t const *)
+ *
+ * @par Values
+ *   - SIP Identity - sip:example.com or sip:usern...@example.com
+ *   - DNS - sip.example.com
+ *   - IP Address - Both IPv4 and IPv6 Supported
+ *
+ */
+tag_typedef_t tptag_tls_verify_subjects = PTRTAG_TYPEDEF(tls_verify_subjects);
+
+#if 0
+/*...@def TPTAG_X509_SUBJECT(x)
+ *
+ * Requires that a message be sent over a TLS transport with trusted X.509
+ * certificate.  The character string provided must match against a subject 
+ * from the trusted certificate.
+ *
+ * @par Used with
+ *   tport_tsend(), TPTLS_VERIFY_SUBJECTS_OUT
+ *
+ * @par Parameter Type:
+ *   char const *
+ *
+ * @par Values
+ *   - Refer to TPTAG_TLS_VERIFY_SUBJECTS()
+ *
+ * @note Not Implemented.
+ */
+#endif
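Review bot: the TPTAG_TLS_VERIFY_DATE() doc says it disables notBefore/notAfter checks, but the tls_verify_cb() hunk also swallows X509_V_ERR_CRL_NOT_YET_VALID and X509_V_ERR_CRL_HAS_EXPIRED, so a stale CRL is accepted too; say so, and note that an expired certificate is accepted at every depth, the CA's included. "This tag should be only used on devices which lack accurate timekeeping" reads as advice; make it an explicit security warning. The TPTAG_X509_SUBJECT() doc is inside `#if 0` while the header hunk declares the tag unconditionally; keep the two in step.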
hunk ./libsofia-sip-ua/tport/tport_tls.c 60
-#include <string.h>
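Review bot: `#include <string.h>` is removed, but the tport_tls.c 499 hunk still calls `strcmp(value->name, "IP")` and `strcmp(value->name, "URI")`, so the build now depends on a transitive include. Keep the include, or switch those comparisons to su_strmatch() like the rest of the series in the context list.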
hunk ./libsofia-sip-ua/tport/tport_tls.c 68
+int tls_ex_data_idx = -1; /* see SSL_get_ex_new_index(3ssl) */
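Review bot: `int tls_ex_data_idx = -1;` is a new exported global in a file that only needs it internally; make it `static`, in keeping with the "made sres_record_class static ... Should never been global" cleanup in the context list.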
hunk ./libsofia-sip-ua/tport/tport_tls.c 79
-               verify_outgoing:1,
hunk ./libsofia-sip-ua/tport/tport_tls.c 80
-               verified:1;
+               verify_outgoing:1,
+              verify_subj_in:1,
+              verify_subj_out:1,
+              verify_date:1,
+               x509_verified:1;
hunk ./libsofia-sip-ua/tport/tport_tls.c 97
-  su_strlst_t *subject;
+  su_strlst_t *subjects;
hunk ./libsofia-sip-ua/tport/tport_tls.c 169
+    int  sslidx = SSL_get_ex_data_X509_STORE_CTX_idx();
+    SSL  *ssl = X509_STORE_CTX_get_ex_data(store, sslidx);
+    tls_t *tls = SSL_get_ex_data(ssl, tls_ex_data_idx);
+
+    assert(tls);
+
+#define TLS_VERIFY_CB_CLEAR_ERROR(OK,ERR,STORE) \
+                   do {\
+                     OK = 1;\
+                    ERR = X509_V_OK;\
+                    X509_STORE_CTX_set_error(STORE,ERR);\
+                  } while (0)
+
+    if (tls->accept && !tls->verify_incoming)
+      TLS_VERIFY_CB_CLEAR_ERROR(ok, err, store);
+    else if (!tls->accept && !tls->verify_outgoing)
+      TLS_VERIFY_CB_CLEAR_ERROR(ok, err, store);
+    else switch (err) {
+      case X509_V_ERR_CERT_NOT_YET_VALID:
+      case X509_V_ERR_CERT_HAS_EXPIRED:
+      case X509_V_ERR_CRL_NOT_YET_VALID:
+      case X509_V_ERR_CRL_HAS_EXPIRED:
+        if (!tls->verify_date)
+         TLS_VERIFY_CB_CLEAR_ERROR(ok, err, store);
+
+      default:
+        break;
+    }
+
+    if (!ok) {
+      SU_DEBUG_3(("-Error with certificate at depth: %i\n", depth));
+      X509_NAME_oneline(X509_get_issuer_name(cert), data, 256);
+      SU_DEBUG_3(("  issuer   = %s\n", data));
+      X509_NAME_oneline(X509_get_subject_name(cert), data, 256);
+      SU_DEBUG_3(("  subject  = %s\n", data));
+      SU_DEBUG_3(("  err %i:%s\n", err, X509_verify_cert_error_string(err)));
+    }
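Review bot: the `case X509_V_ERR_CRL_HAS_EXPIRED:` arm falls through into `default:` without a `break;`; harmless today, but add the break (or a fall-through comment) so a later arm does not inherit it. `TLS_VERIFY_CB_CLEAR_ERROR` is defined inside the function body and never #undef'd; move it to file scope or undef it after use. When the policy is off for a direction, the macro clears every error at every depth and returns ok, so the SU_DEBUG_3 block never fires for those connections; a one-line SU_DEBUG_7 saying verification was skipped would make a misconfigured policy diagnosable.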
hunk ./libsofia-sip-ua/tport/tport_tls.c 207
-    SU_DEBUG_1(("-Error with certificate at depth: %i\n", depth));
-    X509_NAME_oneline(X509_get_issuer_name(cert), data, 256);
-    SU_DEBUG_1(("  issuer   = %s\n", data));
-    X509_NAME_oneline(X509_get_subject_name(cert), data, 256);
-    SU_DEBUG_1(("  subject  = %s\n", data));
-    SU_DEBUG_1(("  err %i:%s\n", err, X509_verify_cert_error_string(err)));
hunk ./libsofia-sip-ua/tport/tport_tls.c 216
+  int verify;
hunk ./libsofia-sip-ua/tport/tport_tls.c 222
+    tls_ex_data_idx = SSL_get_ex_new_index(0, \
+                      "sofia-sip private data", NULL, NULL, NULL);
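Review bot: SSL_get_ex_new_index() returns -1 on failure and the value is not checked; tls_ex_data_idx then stays -1, SSL_set_ex_data() in tls_init_secondary() fails, and the first handshake dies on `assert(tls)` in tls_verify_cb(). Check the return and fail tls_init_master(). The trailing backslash on `tls_ex_data_idx = SSL_get_ex_new_index(0, \` is a stray line continuation in ordinary code, not a macro; drop it.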
hunk ./libsofia-sip-ua/tport/tport_tls.c 308
-  SSL_CTX_set_verify_depth(tls->ctx, ti->verify_depth);
+  /* corresponds to (enum tport_tls_verify_policy) */
+  tls->verify_incoming = (ti->policy & 0x1) ? 1 : 0;
+  tls->verify_outgoing = (ti->policy & 0x2) ? 1 : 0;
+  tls->verify_subj_in  = (ti->policy & 0x4) ? tls->verify_incoming : 0;
+  tls->verify_subj_out = (ti->policy & 0x8) ? tls->verify_outgoing : 0;
+  tls->verify_date     = (ti->verify_date)  ? 1 : 0;
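Review bot: the decode uses bare masks `0x1`, `0x2`, `0x4`, `0x8` with only a comment tying them to enum tport_tls_verify_policy; use TPTLS_VERIFY_INCOMING and TPTLS_VERIFY_OUTGOING for the first two and give the two subject bits names in the enum so the header and this code cannot drift apart.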
hunk ./libsofia-sip-ua/tport/tport_tls.c 315
-  SSL_CTX_set_verify(tls->ctx,
-                    ti->verify_peer == 1 ? SSL_VERIFY_PEER : SSL_VERIFY_NONE,
-                     tls_verify_cb);
+  if (tls->verify_incoming)
+    verify = SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
+  else
+    verify = SSL_VERIFY_NONE;
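Review bot: the verify mode is derived from `tls->verify_incoming` alone, but the SSL_CTX is shared by accepted and connected secondaries. With an outgoing-only policy the context runs SSL_VERIFY_NONE, so OpenSSL never aborts a client handshake and enforcement rests entirely on tls_post_connection_check() reading the verify result; with an incoming-only policy the client side runs SSL_VERIFY_PEER and relies on tls_verify_cb() clearing every error. That works but deserves a comment here; the cleaner option is SSL_set_verify() per connection in tls_init_secondary(), which already receives `accept`.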
hunk ./libsofia-sip-ua/tport/tport_tls.c 320
-  tls->verify_incoming = tls->verify_outgoing = ti->verify_peer ? 1 : 0;
+  SSL_CTX_set_verify_depth(tls->ctx, ti->verify_depth);
+  SSL_CTX_set_verify(tls->ctx, verify, tls_verify_cb);
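Review bot: `SSL_CTX_set_verify_depth(tls->ctx, ti->verify_depth);` passes the value straight through, yet the tport_tls.h hunk promises "if 0, revert to default (2)", the TPTAG_TLS_VERIFY_DEPTH() doc says the default is 2, and tport_type_tls.c now starts from `tls_depth = 0` where it previously hard-coded `ti.verify_depth = 2`. Unless the 0-to-2 mapping happens on a line not shown, the default depth silently changed to 0; add `if (ti->verify_depth == 0) ti->verify_depth = 2;` (or equivalent) before this call.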
hunk ./libsofia-sip-ua/tport/tport_tls.c 408
-tls_t *tls_clone(tls_t *master, int sock, int accept)
+tls_t *tls_init_secondary(tls_t *master, int sock, int accept)
hunk ./libsofia-sip-ua/tport/tport_tls.c 414
+    tls->type = master->type;
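Review bot: `tls->type = master->type;` copies the master's type into the secondary, while the logging hunks at tport_tls.c 649 and 709 still test `tls->type` (`tls->type ? "master" : "slave"`, `tls->type == tls_slave`); if master->type is tls_master every secondary now logs as the master. If the secondary is meant to be tls_slave, set that explicitly here.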
hunk ./libsofia-sip-ua/tport/tport_tls.c 416
+    tls->verify_outgoing = master->verify_outgoing;
+    tls->verify_incoming = master->verify_incoming;
+    tls->verify_subj_out = master->verify_subj_out;
+    tls->verify_subj_in  = master->verify_subj_in;
+    tls->verify_date     = master->verify_date;
+    tls->x509_verified   = master->x509_verified;
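Review bot: `tls->x509_verified = master->x509_verified;` copies verification state from a context that never performs a handshake. It is always 0 today, but if the master's flag were ever set, every new secondary would start out marked verified before tls_post_connection_check() runs. Leave x509_verified at 0 for a fresh secondary.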
hunk ./libsofia-sip-ua/tport/tport_tls.c 435
-    tls_log_errors(1, "tls_clone", 0);
+    tls_log_errors(1, "tls_init_secondary", 0);
hunk ./libsofia-sip-ua/tport/tport_tls.c 443
+  SSL_set_ex_data(tls->con, tls_ex_data_idx, tls);
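Review bot: SSL_set_ex_data() returns 0 on failure and the result is ignored; because tls_verify_cb() does `assert(tls)` on the value it later retrieves, a failed set becomes an abort on the first verify callback. Check the return and fail tls_init_secondary() through the existing tls_log_errors() path.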
hunk ./libsofia-sip-ua/tport/tport_tls.c 450
-tls_t *tls_init_slave(tls_t *master, int sock)
-{
-  int accept;
-  return tls_clone(master, sock, accept = 1);
-}
-
-tls_t *tls_init_client(tls_t *master, int sock)
-{
-  int accept;
-  return tls_clone(master, sock, accept = 0);
-}
-
-static
-int tls_post_connection_check(tls_t *tls)
+su_inline
+int tls_post_connection_check(tport_t *self, tls_t *tls)
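Review bot: dropping tls_init_slave()/tls_init_client() is fine for an internal header, but `su_inline` on a function of this size (it now holds the whole subject-collection and policy logic) buys nothing; plain `static` keeps it out of the symbol table without asking the compiler to inline it.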
hunk ./libsofia-sip-ua/tport/tport_tls.c 460
-  if (!cert)
-    return X509_V_OK;
+  if (!cert) {
+    SU_DEBUG_7(("%s(%p): Peer did not provide X.509 Certificate.\n", 
+                 __func__, self));
+    if (self->tp_accepted && tls->verify_incoming)
+      return X509_V_ERR_CERT_UNTRUSTED;
+    else if (!self->tp_accepted && tls->verify_outgoing)
+      return X509_V_ERR_CERT_UNTRUSTED;
+    else 
+      return X509_V_OK;
+  }
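Review bot: a peer that presents no certificate under a verifying policy is rejected with only a SU_DEBUG_7 line, whereas the subject-mismatch paths later in this function log at SU_DEBUG_3; log the rejection at the same level so operators see it. X509_V_ERR_CERT_UNTRUSTED is reused here as a generic "policy rejected" code, which makes it indistinguishable in logs from a genuine untrusted-issuer result; a distinct code or an explicit message would help.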
hunk ./libsofia-sip-ua/tport/tport_tls.c 471
-  extcount = X509_get_ext_count(cert);
+  tls->subjects = su_strlst_create(tls->home);
+  if (!tls->subjects)
+    return X509_V_ERR_OUT_OF_MEM;
hunk ./libsofia-sip-ua/tport/tport_tls.c 475
-  if (!tls->subject)
-    tls->subject = su_strlst_create(tls->home);
+  extcount = X509_get_ext_count(cert);
hunk ./libsofia-sip-ua/tport/tport_tls.c 499
-        su_strlst_dup_append(tls->subject, value->value);
-      else if (strcmp(value->name, "URI") == 0) {
-       char *uri = su_strlst_dup_append(tls->subject, value->value);
-       char const *url = strchr(uri, ':');
-       if (url++)
-         su_strlst_append(tls->subject, url);
-      }
+        su_strlst_dup_append(tls->subjects, value->value);
+      if (strcmp(value->name, "IP") == 0)
+        su_strlst_dup_append(tls->subjects, value->value);
+      else if (strcmp(value->name, "URI") == 0)
+        su_strlst_dup_append(tls->subjects, value->value);
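Review bot: URI SANs are now stored verbatim and only tport_subject_search() strips a `sip:` scheme, so a `sips:` or other-scheme URI SAN can only ever match a literal string; that is consistent with the "sips URI is an unacceptable cert subject" comment but should be said here too. IP SANs are stored in the text form OpenSSL's i2v routine produces and later compared with host_cmp() against tpn_canon; confirm the IPv6 forms agree (bracketed vs bare) or those SANs never match. The first `su_strlst_dup_append()` belongs to a preceding `if` whose condition is outside the hunk; braces around each arm would make the chain readable.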
hunk ./libsofia-sip-ua/tport/tport_tls.c 516
-       usize_t k, N = su_strlst_len(tls->subject);
+       usize_t k, N = su_strlst_len(tls->subjects);
hunk ./libsofia-sip-ua/tport/tport_tls.c 520
-         if (strcasecmp(su_strlst_item(tls->subject, k), name) == 0)
+         if (su_casematch(su_strlst_item(tls->subjects, k), name) == 0)
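Review bot: `su_casematch(...) == 0` inverts the test. strcasecmp() returned 0 on a match, but su_casematch() (added by the su_string.h series in the context list as a matching function) is true on a match, so the loop now breaks on the first collected subject that does not equal the CN, and `k >= N` holds only when every SAN equals the CN. Net effect: the CN is silently dropped whenever any differing SAN is present. Write `if (su_casematch(su_strlst_item(tls->subjects, k), name)) break;`. Ignoring the CN when SANs exist may be desirable for SIP domain certificates, but then it should be deliberate and documented, not a side effect.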
hunk ./libsofia-sip-ua/tport/tport_tls.c 523
-       if (k == N)
-         su_strlst_dup_append(tls->subject, name);
+       if (k >= N)
+         su_strlst_dup_append(tls->subjects, name);
hunk ./libsofia-sip-ua/tport/tport_tls.c 533
-  if (error == X509_V_OK)
-    tls->verified = 1;
+  if (cert && error == X509_V_OK)
+    tls->x509_verified = 1;
+
+  if (tport_log->log_level >= 7) {
+    int i, len = su_strlst_len(tls->subjects);
+    for (i=0; i < len; i++)
+      SU_DEBUG_7(("%s(%p): Peer Certificate Subject %i: %s\n", \
+             __func__, self, i, su_strlst_item(tls->subjects, i)));
+    if (i == 0)
+      SU_DEBUG_7(("%s(%p): Peer Certificate provided no usable subjects.\n",
+                   __func__, self));
+  }
+
+  /* Verify incoming connections */
+  if (self->tp_accepted) {
+    if (!tls->verify_incoming)
+      return X509_V_OK;
+
+    if (!tls->x509_verified)
+      return error;
+
+    if (tls->verify_subj_in) {
+      su_strlst_t const *subjects = self->tp_pri->pri_primary->tp_subjects;
+      int i, items;
+
+      items = subjects ? su_strlst_len(subjects) : 0;
+      if (items == 0)
+        return X509_V_OK;
+
+      for (i=0; i < items; i++) {
+       if (tport_subject_search(su_strlst_item(subjects, i), tls->subjects))
+         return X509_V_OK;
+      }
+      SU_DEBUG_3(("%s(%p): Peer Subject Mismatch (incoming connection)\n", \
+                   __func__, self));
+
+      return X509_V_ERR_CERT_UNTRUSTED;
+    }
+  }
+  /* Verify outgoing connections */
+  else {
+    char const *subject = self->tp_canon;
+    if (!tls->verify_outgoing)
+      return X509_V_OK;
+
+    if (!tls->x509_verified || !subject)
+      return error;
+
+    if (tls->verify_subj_out) {
+      if (tport_subject_search(subject, tls->subjects))
+        return X509_V_OK; /* Subject match found in verified certificate chain 
*/
+      SU_DEBUG_3(("%s(%p): Peer Subject Mismatch (%s)\n", \
+                   __func__, self, subject));
+
+      return X509_V_ERR_CERT_UNTRUSTED;
+    }
+  }
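Review bot: in the outgoing branch, `if (!tls->x509_verified || !subject) return error;` returns `error`, which is X509_V_OK whenever the chain verified, so a connection with no tp_canon passes under TPTLS_VERIFY_SUBJECTS_OUT without any subject check. That is a fail-open: when verify_subj_out is set and subject is NULL, return X509_V_ERR_CERT_UNTRUSTED and log it. In the incoming branch each configured item is passed to tport_subject_search(item, tls->subjects), so a configured item of "*" (tpn_any) accepts any verified client; if that is intended, document it next to TPTAG_TLS_VERIFY_SUBJECTS().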
hunk ./libsofia-sip-ua/tport/tport_tls.c 591
-  if (tls->accept && !tls->verify_incoming)
-    return X509_V_OK;
-  else if (!tls->accept && !tls->verify_outgoing)
-    return X509_V_OK;
hunk ./libsofia-sip-ua/tport/tport_tls.c 649
-           tls->accept ? "server" : "client",
+           tls->type ? "master" : "slave",
hunk ./libsofia-sip-ua/tport/tport_tls.c 709
-           tls && tls->type == tls_slave ? "server" : "client"));
+           tls && tls->type == tls_slave ? "master" : "slave"));
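Review bot: the label is inverted: `tls->type == tls_slave ? "master" : "slave"` prints "master" for a slave. The previous "server"/"client" wording also carried the accept/connect direction, which "master"/"slave" does not; `self->tp_accepted ? "server" : "client"`, matching what the SSL_accept/SSL_connect hunk now uses, keeps both.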
hunk ./libsofia-sip-ua/tport/tport_tls.c 833
-    ret = tls->accept ? SSL_accept(tls->con) : SSL_connect(tls->con);
+    ret = self->tp_accepted ? SSL_accept(tls->con) : SSL_connect(tls->con);
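Review bot: the handshake direction is now taken from `self->tp_accepted`, but tls_verify_cb() in the tport_tls.c 169 hunk still branches on `tls->accept`. Keep one source of truth: set tls->accept from tp_accepted in tls_init_secondary() and use it everywhere, or drop the field.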
hunk ./libsofia-sip-ua/tport/tport_tls.c 853
-       if ( tls_post_connection_check(tls) == X509_V_OK ) {
+       status = tls_post_connection_check(self, tls);
+        if ( status == X509_V_OK ) {
hunk ./libsofia-sip-ua/tport/tport_tls.c 873
-         self->tp_verified = tls->verified;
-         self->tp_subjects = tls->subject == NULL ? NULL :
-                             su_strlst_dup(self->tp_home, tls->subject); 
+         self->tp_verified = tls->x509_verified;
+         self->tp_subjects = tls->subjects;
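Review bot: `self->tp_subjects = tls->subjects;` replaces the previous su_strlst_dup() into tp_home with an alias into tls->home. The list's lifetime is now tied to the tls_t, not the tport_t; if the TLS context is freed before the transport, or the list is recreated on a second tls_post_connection_check() (the 471 hunk now calls su_strlst_create() unconditionally), tp_subjects dangles. Either keep the dup or document that the tls_t outlives the tport_t and the check runs once.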
hunk ./libsofia-sip-ua/tport/tport_tls.c 886
-        {
-         char errbuf[64];
-         ERR_error_string_n(status, errbuf, 64);
-          SU_DEBUG_3(("%s(%p): TLS setup failed (%s)\n", 
-                   __func__, self, errbuf));
-        }
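Review bot: dropping the ERR_error_string_n() block is right (it was fed an X509 verify code, not an ERR code), but the rewrite leaves a failed tls_post_connection_check() with no log at all on the path where the chain did not verify (the subject-mismatch paths log, the `return error` path does not). Replace it rather than remove it: `SU_DEBUG_3(("%s(%p): TLS setup failed (%s)\n", __func__, self, X509_verify_cert_error_string(status)));`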
hunk ./libsofia-sip-ua/tport/tport_tls.h 53
-  int   verify_peer;    /* 0: no verify certificate, *
-                         * 1: if fail the TLS/SSL handshake is terminated. */
-  int   verify_depth;   /* if 0, then do nothing                      */
+  unsigned policy;      /* refer to tport_tag.h, tport_tls_verify_policy */
+  unsigned verify_depth;/* if 0, revert to default (2) */
+  unsigned verify_date; /* if 0, notBefore and notAfter dates are ignored */
hunk ./libsofia-sip-ua/tport/tport_tls.h 81
-tls_t *tls_init_slave(tls_t *tls_master, int sock);
-tls_t *tls_init_client(tls_t *tls_master, int sock);
+tls_t *tls_init_secondary(tls_t *tls_master, int sock, int accept);
hunk ./libsofia-sip-ua/tport/tport_type_tls.c 97
-#if notyet
-static void tport_tls_deliver(tport_t *self, msg_t *msg, su_time_t now);
-#endif
hunk ./libsofia-sip-ua/tport/tport_type_tls.c 170
+  unsigned tls_policy = TPTLS_VERIFY_NONE;
+  unsigned tls_depth = 0;
+  unsigned tls_date = 1;
+  su_strlst_t const *tls_subjects = NULL;
hunk ./libsofia-sip-ua/tport/tport_type_tls.c 186
+         TPTAG_TLS_VERIFY_POLICY_REF(tls_policy),
+         TPTAG_TLS_VERIFY_DEPTH_REF(tls_depth),
+         TPTAG_TLS_VERIFY_DATE_REF(tls_date),
+         TPTAG_TLS_VERIFY_SUBJECTS_REF(tls_subjects),
hunk ./libsofia-sip-ua/tport/tport_type_tls.c 200
-    ti.verify_peer = tls_verify;
-    ti.verify_depth = 2;
+    ti.policy = tls_policy | (tls_verify ? TPTLS_VERIFY_ALL : 0);
+    ti.verify_depth = tls_depth;
+    ti.verify_date = tls_date;
hunk ./libsofia-sip-ua/tport/tport_type_tls.c 233
+  if (tls_subjects)
+    pri->pri_primary->tp_subjects = su_strlst_dup(pri->pri_home, tls_subjects);
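Review bot: the su_strlst_dup() result is not checked. If it fails, tp_subjects stays NULL and the incoming branch of tls_post_connection_check() takes its "no list provided, subject checking bypassed" path, so an allocation failure at bind time silently downgrades TPTLS_VERIFY_SUBJECTS_IN to signature-only verification. Fail the bind when the dup returns NULL.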
hunk ./libsofia-sip-ua/tport/tport_type_tls.c 257
-  if (accepted) {
-    tlstp->tlstp_context = tls_init_slave(master, socket);
-    if (!tlstp->tlstp_context)
-      return *return_reason = "tls_init_slave", -1;
-  }
+  tlstp->tlstp_context = tls_init_secondary(master, socket, accepted);
+  if (!tlstp->tlstp_context)
+    return *return_reason = "tls_init_slave", -1;
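Review bot: `return *return_reason = "tls_init_slave", -1;` names a function this patch removes; the reason string should be "tls_init_secondary".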
hunk ./libsofia-sip-ua/tport/tport_type_tls.c 447
-  tport_tls_primary_t *tlspri = (tport_tls_primary_t *)self->tp_pri;
hunk ./libsofia-sip-ua/tport/tport_type_tls.c 453
-  if (tlstp->tlstp_context == NULL) {
-    tls_t *master = tlspri->tlspri_master;
-    tlstp->tlstp_context = tls_init_client(master, self->tp_socket);
-    if (!tlstp->tlstp_context)
-      return -1;
-  }
-
hunk ./libsofia-sip-ua/tport/tport_type_tls.c 560
-    tport_tls_t *tlstp = (tport_tls_t *)self;
-    tport_tls_primary_t *tlspri = (tport_tls_primary_t *)self->tp_pri;
hunk ./libsofia-sip-ua/tport/tport_type_tls.c 573
-      tlstp->tlstp_context = tls_init_slave(tlspri->tlspri_master, s);
-
hunk ./libsofia-sip-ua/tport/tport_type_tls.c 636
-  if (tport_setname(self, tpn->tpn_proto, ai, tpn->tpn_canon) != -1
-      &&
-      tport_register_secondary(self, tls_connect, events) != -1) {
-    tport_tls_t *tlstp = (tport_tls_t *)self;
-    tport_tls_primary_t *tlspri = (tport_tls_primary_t *)self->tp_pri;
-    tlstp->tlstp_context = tls_init_client(tlspri->tlspri_master, s);
-  }
-  else
+  if (tport_setname(self, tpn->tpn_proto, ai, tpn->tpn_canon) == -1)
+    goto sys_error;
+  else if (tport_register_secondary(self, tls_connect, events) == -1)
}

Context:

[torture_bnf.c: added some host_is_domain() cases
Pekka Pessi <first.l...@nokia.com>**20090113210325] 
[nua_session.c: send answer in ACK if offer was sent in 200 OK to re-INVITE
Pekka Pessi <first.l...@nokia.com>**20090113205950
 
 Thanks to Liu Yang for reporting the problem.
] 
[TAG 1.12.10
Pekka Pessi <first.l...@nokia.com>**20090114122533] 
[sip-dig.c: using su_casenmatch() to match NAPTR service
Pekka Pessi <first.l...@nokia.com>**20090112142914] 
[su_port.c: added #include <sofia-sip/su_string.h>
Pekka Pessi <first.l...@nokia.com>**20090112142707
 
 Making poll mechanism name matching case-insensitive.
] 
[auth_client.c: auc_has_authorization() is happy if one scheme is supported
Pekka Pessi <first.l...@nokia.com>**20090109205102
 
 If there was multiple challenges with different authentication schemes,
 auc_has_authorization() required that all were supported (and used) before
 authentication could proceed.
] 
[su_string.c: it is A. Not a Z.
Pekka Pessi <first.l...@nokia.com>**20090109195156] 
[nta.c: do not restart timer E when provisional response is received
Paulo Pizarro <paulo DOT pizarro AT gmail DOT com>**20090109192653
 
 According to the (informational) RFC 4321 section 1.2 Timer E is not altered
 during the transition to Proceeding.
] 
[sip: using <sofia-sip/su_string.h> functions
Pekka Pessi <first.l...@nokia.com>**20090108211356] 
[sresolv: using <sofia-sip/su_string.h> functions
Pekka Pessi <first.l...@nokia.com>**20090108211228] 
[nea: using <sofia-sip/su_string.h> functions
Pekka Pessi <first.l...@nokia.com>**20090108210328] 
[tport: using <sofia-sip/su_string.h> functions
Pekka Pessi <first.l...@nokia.com>**20090108210046] 
[msg: using <sofia-sip/su_string.h> functions
Pekka Pessi <first.l...@nokia.com>**20090108205649] 
[bnf: using <sofia-sip/su_string.h>
Pekka Pessi <first.l...@nokia.com>**20090108205501] 
[nua: using <sofia-sip/su_string.h> functions
Pekka Pessi <first.l...@nokia.com>**20090108205237] 
[utils/sip-dig.c: using <sofia-sip/su_string.h> functions
Pekka Pessi <first.l...@nokia.com>**20090108204709] 
[nth: using <sofia-sip/su_string.h> functions
Pekka Pessi <first.l...@nokia.com>**20090108202939] 
[soa: using <sofia-sip/su_string.h> functions
Pekka Pessi <first.l...@nokia.com>**20090108195746] 
[iptsec: using <sofia-sip/su_string.h> functions
Pekka Pessi <first.l...@nokia.com>**20090108195053] 
[sdp: using <sofia-sip/su_string.h> functions
Pekka Pessi <first.l...@nokia.com>**20090108190038] 
[nta: use <sofia-sip/su_string.h> functions
Pekka Pessi <first.l...@nokia.com>**20090108183805] 
[http: use <sofia-sip/su_string.h> functions
Pekka Pessi <first.l...@nokia.com>**20090108181414] 
[su: using <sofia-sip/su_string.h>
Pekka Pessi <first.l...@nokia.com>**20090108181338] 
[tests: using <sofia-sip/su_string.h> functions
Pekka Pessi <first.l...@nokia.com>**20090108181305] 
[sofia-sip/su_string.h, su_string:c: added to open_c
Pekka Pessi <first.l...@nokia.com>**20090108181255] 
[sofia-sip/su_string.h, su_string:c: added to win32
Pekka Pessi <first.l...@nokia.com>**20090108181246] 
[memspn.c, memcspn.c: use functions from <sofia-sip/su_string.h>
Pekka Pessi <first.l...@nokia.com>**20090108180814] 
[sofia-sip/string0.h: use functions from <sofia-sip/su_string.h>
Pekka Pessi <first.l...@nokia.com>**20090108175552] 
[nua_session.c: when negotiating session refresher, default to UAC
Pekka Pessi <first.l...@nokia.com>**20090109163314] 
[auth_client.c: updated documentation
Pekka Pessi <first.l...@nokia.com>**20090109161927] 
[su_string.c: removed VC signedness warning
Pekka Pessi <first.l...@nokia.com>**20090109152945] 
[outbound.c: use default peer info when outbound is created
Pekka Pessi <first.l...@nokia.com>**20090108202045] 
[docs/Doxyfile.aliases: Added @VERSION_1_12_10, @NEW_1_12_10
Pekka Pessi <first.l...@nokia.com>**20090108190457
 
 Also @VERSION_UNRELEASED and @NEW_UNRELEASED.
] 
[auth_client: do not crash with unknown authentication schemes
Pekka Pessi <first.l...@nokia.com>**20090108190403] 
[su_string.c: fixed su_strcasestr()
Pekka Pessi <first.l...@nokia.com>**20090108201149] 
[sofia-sip/su_string.h: added
Pekka Pessi <first.l...@nokia.com>**20090108180421
 
 Adding locale-independent, NULL-safe string comparison, 
 matching and searching functions:
 - su_strcmp()
 - su_strncmp()
 - su_strcasecmp()
 - su_strncasecmp()
 - su_strmatch()
 - su_strnmatch()
 - su_casematch()
 - su_casenmatch()
 - su_strcasestr()
 - su_strnspn()
 - su_strncspn()
 - su_memspn()
 - su_memcspn()
] 
[RELEASE: multi-WWW-Authenticate bug
Pekka Pessi <first.l...@nokia.com>**20090108164847] 
[sip_security.c: allow multiple WWW-Authenticate and Authorization headers
Pekka Pessi <first.l...@nokia.com>**20090108163422] 
[tport_type_tls.c: no tport_tls_deliver() yet
Pekka Pessi <first.l...@nokia.com>**20090105124324] 
[tport_tls.c: silences warnings on signedness
Pekka Pessi <first.l...@nokia.com>**20090105124304] 
[tport_tls.c: su_home_new() already zeros the allocated memory
Pekka Pessi <first.l...@nokia.com>**20090105124209] 
[nua_session.c: default to initiate session refreshes
Pekka Pessi <first.l...@nokia.com>**20090105123112
 
 Use local refresher unless remote end explicitly indicates that it takes
 care of refreshing the session. Bug reported and initial patch by Timo
 Bruhn.
] 
[RELEASE: added Jarod's description of TLS improvements
Pekka Pessi <first.l...@nokia.com>**20090105102201] 
[su_kqueue_port.c: explicit cast from int to (void *)
Michael Jerris <m...@jerris.com>**20090105100939
 
 Fix silly compiler warning caused by freebsd not making int same size as
 void* on some 64 bit amd (SFSIP-113).
] 
[tport_logging.c: do not use stamp as format string
Pekka Pessi <first.l...@nokia.com>**20081219165102
 
 Original patch by Mike Jerris.
] 
[nta.c: be consistent with maxsize and max_proceeding types
Pekka Pessi <first.l...@nokia.com>**20081219143853
 
 Original patch by Mike Jerris
] 
[su_alloc.c: always unlock home before destroying mutexes
Pekka Pessi <first.l...@nokia.com>**20081215151620] 
[sresolv: made sres_record_class static
Pekka Pessi <first.l...@nokia.com>**20081215165706
 
 Should never have been global.
] 
[test_nua.c: made usage static
Pekka Pessi <first.l...@nokia.com>**20081215164317] 
[RELEASE: mention removed globals
Pekka Pessi <first.l...@nokia.com>**20081215165436] 
[sofia-resolv/sres_cache.h: added prototype for sres_cache_clean()
Pekka Pessi <first.l...@nokia.com>**20081215165021] 
[sofia-sip/heap.h: added prototype for su_smoothsort()
Pekka Pessi <first.l...@nokia.com>**20081215163340] 
[su_tag.h: added prototype for tl_vllen()
Pekka Pessi <first.l...@nokia.com>**20081215163316] 
[su_tag_class.h: added prototypes for tag functions
Pekka Pessi <first.l...@nokia.com>**20081215163255
 
 Prototypes for t_filter(), t_null_filter(), t_end_filter(),
 t_socket_snprintf(), t_socket_ref_set() have been missing.
] 
[Early TLS Handshake and Verification
Jarod Neuner <janeu...@networkharbor.com>**20081216221937
 
 tport_type_tls.c:
 * tport_tls_accept():
   - Replaces tport_accept for incoming TLS connections.
 * tport_tls_connect():
   - Replaces tport_base_connect() for outgoing TLS connections.
 
 tport_tls.c:
 * tls_t now use a memory home instead of malloc.
 * removed tls_check_hosts()
 * tls_connect():
   - Replaces tport_base_connect for TLS connection setup.
   - Completes TLS handshake and verifies peer certificates.
   - Destroys suspect TLS connections before sending/receiving payload.
   - Populates a su_strlst_t with subjects from the peer certificate.
 
 tport.c:
 * tport_is_verified()
   - true if peer certificate validated successfully
 * tport_delivered_from_subjects()
   - Certificate subjects listed in the peer certificate.
 
] 
[Helper functions for vtp_connect and vtp_wakeup_pri.
Jarod Neuner <janeu...@networkharbor.com>**20081216175826
 
 - Expose tport_setname() and tport_wakeup() via tport_internal.h
 - Add tport_register_secondary() for adding secondaries to a root, and
   to alleviate the need to export tprb_append.
 
] 
[nta: NULL host and port in user Via are filled automatically
Stas Maximov <smaxi...@ieee.org>**20081215143145
 
 NULL host or port in user-supplied Via header will be filled
 automatically by NTA, just like branch and rport params.
 
 Added related test case to test_nta_api.c.
] 
[su_taglist.c: removed globals which should have been static in the first place
Pekka Pessi <first.l...@nokia.com>**20081211173213
 
 - t_null_next(), t_null_move(), t_null_dup(), t_null_copy(), t_null_find()
 - t_skip_next(), t_skip_move(), t_skip_len(), t_skip_dup(), t_skip_filter()
 - t_next_next(), t_next_move(), t_next_len(), t_next_dup(), t_next_filter()
] 
[su: removed private functions accidentally declared as globals
Pekka Pessi <first.l...@nokia.com>**20081208145904
 
 su_t64_to_time(), mutex_trylocker(), su_port_set_system_preferences()
] 
[sofia-sip/su_uniqueid.h: proper prototype for su_random()
Pekka Pessi <first.l...@nokia.com>**20081211173249] 
[su/addrinfo.c, su/localinfo.c: made usage() static
Pekka Pessi <first.l...@nokia.com>**20081211173029
 
 Make -Wmissing-prototypes happy.
] 
[sdp_print.c: print sdptl in lowercase, too
Pekka Pessi <first.l...@nokia.com>**20081211120209] 
[RELEASE, configure.ac: opening development head
Pekka Pessi <first.l...@nokia.com>**20081209171108] 
[TAG rel-sofia-sip-1_12_10
Pekka Pessi <first.l...@nokia.com>**20081209122326] 
Patch bundle hash:
09b22f5abc8d13033f392956ecea297031a4621f
_______________________________________________
Sofia-sip-devel mailing list
Sofia-sip-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sofia-sip-devel