Skip to content

Commit

Permalink
transp,tls: add TLS client verification
Browse files Browse the repository at this point in the history
Per default, TLS client verification is disabled.
  • Loading branch information
maximilianfridrich committed Feb 8, 2024
1 parent bb7eeea commit 87d5743
Show file tree
Hide file tree
Showing 3 changed files with 50 additions and 0 deletions.
2 changes: 2 additions & 0 deletions include/re_tls.h
Original file line number Diff line number Diff line change
Expand Up @@ -69,10 +69,12 @@ int tls_srtp_keyinfo(const struct tls_conn *tc, enum srtp_suite *suite,
const char *tls_cipher_name(const struct tls_conn *tc);
int tls_set_ciphers(struct tls *tls, const char *cipherv[], size_t count);
int tls_set_verify_server(struct tls_conn *tc, const char *host);
int tls_verify_client(struct tls_conn *tc);

int tls_get_issuer(struct tls *tls, struct mbuf *mb);
int tls_get_subject(struct tls *tls, struct mbuf *mb);
void tls_disable_verify_server(struct tls *tls);
void tls_enable_verify_client(struct tls *tls, bool enable);

int tls_set_min_proto_version(struct tls *tls, int version);
int tls_set_max_proto_version(struct tls *tls, int version);
Expand Down
4 changes: 4 additions & 0 deletions src/sip/transp.c
Original file line number Diff line number Diff line change
Expand Up @@ -682,6 +682,10 @@ static void tcp_connect_handler(const struct sa *paddr, void *arg)
err = tls_start_tcp(&conn->sc, transp->tls, conn->tc, 0);
if (err)
goto out;

err = tls_verify_client(conn->sc);
if (err)
goto out;
}
#endif

Expand Down
44 changes: 44 additions & 0 deletions src/tls/openssl/tls.c
Original file line number Diff line number Diff line change
Expand Up @@ -45,6 +45,7 @@ struct tls {
X509 *cert;
char *pass; /**< password for private key */
bool verify_server; /**< Enable SIP TLS server verification */
bool verify_client; /**< Enable SIP TLS client verification */
struct session_reuse reuse;
struct list certs; /**< Certificates for SNI selection */
};
Expand Down Expand Up @@ -1459,6 +1460,35 @@ int tls_set_verify_server(struct tls_conn *tc, const char *host)
}


/**
* Enable verification of client certificate
*
* @param tc TLS Connection
*
* @return 0 if success, otherwise errorcode
*/
int tls_verify_client(struct tls_conn *tc)
{
#if !defined(LIBRESSL_VERSION_NUMBER)

if (!tc)
return EINVAL;

if (!tc->tls->verify_client)
return 0;

SSL_set_verify(tc->ssl, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE,
tls_verify_handler);

return 0;
#else
(void)tc;

return ENOSYS;
#endif
}


static int print_error(const char *str, size_t len, void *unused)
{
(void)unused;
Expand Down Expand Up @@ -1597,6 +1627,20 @@ void tls_disable_verify_server(struct tls *tls)
}


/**
* Enables SIP TLS client verifications for following requests
*
* @param tls TLS Object
*/
void tls_enable_verify_client(struct tls *tls, bool enable)
{
if (!tls)
return;

tls->verify_client = enable;
}


/**
* Set minimum TLS version
*
Expand Down

0 comments on commit 87d5743

Please sign in to comment.