From 87d5743969659b9b311ce697061a640411be6df9 Mon Sep 17 00:00:00 2001 From: Maximilian Fridrich Date: Thu, 25 Jan 2024 15:31:20 +0100 Subject: [PATCH] transp,tls: add TLS client verification Per default, TLS client verification is disabled. --- include/re_tls.h | 2 ++ src/sip/transp.c | 4 ++++ src/tls/openssl/tls.c | 44 +++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 50 insertions(+) diff --git a/include/re_tls.h b/include/re_tls.h index dcfc62958..61e28548f 100644 --- a/include/re_tls.h +++ b/include/re_tls.h @@ -69,10 +69,12 @@ int tls_srtp_keyinfo(const struct tls_conn *tc, enum srtp_suite *suite, const char *tls_cipher_name(const struct tls_conn *tc); int tls_set_ciphers(struct tls *tls, const char *cipherv[], size_t count); int tls_set_verify_server(struct tls_conn *tc, const char *host); +int tls_verify_client(struct tls_conn *tc); int tls_get_issuer(struct tls *tls, struct mbuf *mb); int tls_get_subject(struct tls *tls, struct mbuf *mb); void tls_disable_verify_server(struct tls *tls); +void tls_enable_verify_client(struct tls *tls, bool enable); int tls_set_min_proto_version(struct tls *tls, int version); int tls_set_max_proto_version(struct tls *tls, int version); diff --git a/src/sip/transp.c b/src/sip/transp.c index ada515522..6b1002a55 100644 --- a/src/sip/transp.c +++ b/src/sip/transp.c @@ -682,6 +682,10 @@ static void tcp_connect_handler(const struct sa *paddr, void *arg) err = tls_start_tcp(&conn->sc, transp->tls, conn->tc, 0); if (err) goto out; + + err = tls_verify_client(conn->sc); + if (err) + goto out; } #endif diff --git a/src/tls/openssl/tls.c b/src/tls/openssl/tls.c index ac1f5b676..c3d500569 100644 --- a/src/tls/openssl/tls.c +++ b/src/tls/openssl/tls.c @@ -45,6 +45,7 @@ struct tls { X509 *cert; char *pass; /**< password for private key */ bool verify_server; /**< Enable SIP TLS server verification */ + bool verify_client; /**< Enable SIP TLS client verification */ struct session_reuse reuse; struct list certs; /**< Certificates for SNI selection */ }; @@ -1459,6 +1460,35 @@ int tls_set_verify_server(struct tls_conn *tc, const char *host) } +/** + * Enable verification of client certificate + * + * @param tc TLS Connection + * + * @return 0 if success, otherwise errorcode + */ +int tls_verify_client(struct tls_conn *tc) +{ +#if !defined(LIBRESSL_VERSION_NUMBER) + + if (!tc) + return EINVAL; + + if (!tc->tls->verify_client) + return 0; + + SSL_set_verify(tc->ssl, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, + tls_verify_handler); + + return 0; +#else + (void)tc; + + return ENOSYS; +#endif +} + + static int print_error(const char *str, size_t len, void *unused) { (void)unused; @@ -1597,6 +1627,20 @@ void tls_disable_verify_server(struct tls *tls) } +/** + * Enables SIP TLS client verifications for following requests + * + * @param tls TLS Object + */ +void tls_enable_verify_client(struct tls *tls, bool enable) +{ + if (!tls) + return; + + tls->verify_client = enable; +} + + /** * Set minimum TLS version *