/*
* This file is part of the Sofia-SIP package
*
* Copyright (C) 2005 Nokia Corporation.
*
* Contact: Pekka Pessi <pekka.pessi@nokia.com>
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public License
* as published by the Free Software Foundation; either version 2.1 of
* the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
* 02110-1301 USA
*
*/
/**@CFILE tport_tls.c
* @brief TLS interface
*
* @author Mikko Haataja <ext-Mikko.A.Haataja@nokia.com>
* @author Pekka Pessi <ext-Pekka.Pessi@nokia.com>
* @author Jarod Neuner <janeuner@networkharbor.com>
*
*/
#include "config.h"
#define OPENSSL_NO_KRB5 oh-no
#define SU_WAKEUP_ARG_T struct tport_s
#include <sofia-sip/su_types.h>
#include <sofia-sip/su.h>
#include <sofia-sip/su_alloc.h>
#include <sofia-sip/su_wait.h>
#include <sofia-sip/su_string.h>
#include <openssl/lhash.h>
#include <openssl/bn.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/pem.h>
#include <openssl/rand.h>
#include <openssl/bio.h>
#include <openssl/opensslv.h>
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
/* Portable __func__: the C99 identifier when the build detected it, else the
 * compiler-specific __FUNCTION__, else a fixed module name. */
#if HAVE_FUNC
#elif HAVE_FUNCTION
#define __func__ __FUNCTION__
#else
static char const __func__[] = "tport_tls";
#endif

#if HAVE_SIGPIPE
#include <signal.h>
#endif

/* One-time initialization guard used by tls_init() and tls_init_context().
 * With pthreads it is a real pthread_once_t; without them it is a plain int
 * flag, so that configuration gives no thread safety. */
#if SU_HAVE_PTHREADS
#include <pthread.h>
#if __sun
/* PTHREAD_ONCE_INIT is redefined on Solaris; presumably the platform
 * initializer needs the extra brace level here -- confirm against the
 * Solaris header. */
#undef PTHREAD_ONCE_INIT
#define PTHREAD_ONCE_INIT {{ 0, 0, 0, PTHREAD_ONCE_NOTDONE }}
#endif
static pthread_once_t once = PTHREAD_ONCE_INIT;
#define ONCE_INIT(f) pthread_once(&once, f)
#else
static int once;
/* Runs f() on the first call only; the flag is raised before f() runs. */
#define ONCE_INIT(f) (!once ? (once = 1), f() : (void)0)
#endif
#include "tport_tls.h"
/** OpenSSL version string this module was compiled against (exported). */
char const tls_version[] = OPENSSL_VERSION_TEXT;

/* Index of the per-SSL application-data slot that holds our tls_t.  Set
 * once in tls_init_once(), read back in tls_verify_cb().
 * See SSL_get_ex_new_index(3ssl). */
static int tls_ex_data_idx = -1;
/* One-shot OpenSSL setup, run through ONCE_INIT(): initializes the library
 * and its error strings, then reserves the ex-data slot used to attach a
 * tls_t to each SSL object. */
static void
tls_init_once(void)
{
  SSL_library_init();
  SSL_load_error_strings();
  /* A negative result means the slot could not be reserved; nothing here
   * checks for that, so tls_verify_cb() would then look up index -1. */
  tls_ex_data_idx = SSL_get_ex_new_index(0, "sofia-sip private data", NULL, NULL, NULL);
}
/* tls->type: a master owns the shared SSL_CTX; a slave (secondary) borrows
 * it and owns only its own SSL/BIO.  tls_free() frees the ctx for masters
 * only. */
enum { tls_master = 0, tls_slave = 1};

struct tls_s {
  su_home_t home[1];
  SSL_CTX *ctx;         /* created by tls_init_context(); shared by secondaries */
  SSL *con;             /* per-connection SSL object (secondaries only) */
  BIO *bio_con;         /* socket BIO handed to con via SSL_set_bio() */

  unsigned int type:1,          /* tls_master or tls_slave */
    accept:1,                   /* 1 = server side of the handshake */
    verify_incoming:1,          /* policy bit 0x1: verify client certificates */
    verify_outgoing:1,          /* policy bit 0x2: verify server certificates */
    verify_subj_in:1,           /* policy bit 0x4, only with verify_incoming */
    verify_subj_out:1,          /* policy bit 0x8, only with verify_outgoing */
    verify_date:1,              /* 0 = tls_verify_cb() ignores notBefore/notAfter errors */
    x509_verified:1;            /* copied from master to secondary; not written in this part of the file */

  /* Receiving */
  int read_events;
  void *read_buffer;            /* tls_buffer_size bytes, allocated in tls_init_secondary() */
  size_t read_buffer_len;

  /* Sending */
  int write_events;
  void *write_buffer;
  size_t write_buffer_len;

  /* Host names */
  su_strlst_t *subjects;        /* peer certificate subjects; filled outside this view */
};

/* Size of the per-connection read buffer. */
enum { tls_buffer_size = 16384 };
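/** Log TLS error(s).
 *
 * Log the TLS error specified by the error code @a e and then every error
 * left in the OpenSSL error queue, draining the queue as it goes.  An @a e
 * of 0 means "no specific error": only the queue is logged.
 *
 * @param level  log level handed to su_llog(); entries above the current
 *               tport_log level are still drained, just not printed
 * @param s      prefix for each line, "tls" when NULL
 * @param e      first error code to log, or 0
 */
static
void tls_log_errors(unsigned level, char const *s, unsigned long e)
{
  if (e == 0)
    e = ERR_get_error();

  if (!tport_log->log_init)
    su_log_init(tport_log);

  if (s == NULL)
    s = "tls";

  for (; e != 0; e = ERR_get_error()) {
    if (level > tport_log->log_level)
      continue;                 /* keep draining the queue, just don't print */

    /* ERR_*_string() return NULL for codes they cannot name; passing NULL
     * to "%s" is undefined behaviour, so substitute a placeholder. */
    const char *error = ERR_lib_error_string(e);
    const char *func = ERR_func_error_string(e);
    const char *reason = ERR_reason_error_string(e);

    su_llog(tport_log, level, "%s: %08lx:%s:%s:%s\n",
            s, e,
            error ? error : "unknown",
            func ? func : "unknown",
            reason ? reason : "unknown");
  }
}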
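/*
 * This callback hands back the password to be used during decryption.
 *
 * buf : the function will write the password into this buffer
 * size : the size of "buf"
 * rwflag : indicates whether the callback is being used for reading/
 * decryption (0) or writing/encryption (1)
 * userdata : pointer tls_issues_t where the passphrase is stored
 *
 * Returns the number of bytes stored in buf, never more than size - 1, or 0
 * when nothing is handed back (encryption, no passphrase, no room).
 */
static int passwd_cb(char *buf, int size, int rwflag, void *userdata)
{
  tls_issues_t const *tlsi = userdata;
  size_t len;

  if (rwflag != 0)            /* writing/encryption: no passphrase wanted */
    return 0;

  if (buf == NULL || size <= 0 || tlsi == NULL || tlsi->passphrase == NULL)
    return 0;

  /* OpenSSL takes the return value as the length of the password now in
   * buf.  Returning strlen(passphrase) for a passphrase longer than the
   * buffer (as the strncpy version did) therefore claimed bytes beyond buf;
   * report the truncated length instead. */
  len = strlen(tlsi->passphrase);
  if (len > (size_t)size - 1)
    len = (size_t)size - 1;

  memcpy(buf, tlsi->passphrase, len);
  buf[len] = '\0';

  return (int)len;
}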
/* Allocate an empty tls_t on a fresh su_home and tag it as master or slave.
 * Any type other than tls_master is recorded as tls_slave.
 * Returns NULL when the home cannot be allocated. */
static
tls_t *tls_create(int type)
{
  tls_t *fresh = su_home_new(sizeof(*fresh));

  if (fresh == NULL)
    return NULL;

  fresh->type = (type != tls_master) ? tls_slave : tls_master;

  return fresh;
}
/* Fill in a default for every tls_issues_t field the caller left unset:
 * chain depth 2, "agent.pem" as certificate (and as key file unless a key
 * is given), "tls_seed.dat" as RAND seed file, "cafile.pem" as trust store,
 * and a cipher string that starts from ALL and excludes only ADH, LOW, EXP
 * and MD5 suites. */
static
void tls_set_default(tls_issues_t *i)
{
  if (i->verify_depth == 0)
    i->verify_depth = 2;

  if (i->cert == NULL)
    i->cert = "agent.pem";

  /* The key defaults to whatever the certificate path now is. */
  if (i->key == NULL)
    i->key = i->cert;

  if (i->randFile == NULL)
    i->randFile = "tls_seed.dat";

  if (i->CAfile == NULL)
    i->CAfile = "cafile.pem";

  if (i->ciphers == NULL)
    i->ciphers = "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH";

  /* Default SIP cipher: "RSA-WITH-AES-128-CBC-SHA";
   * RFC-2543-compatibility ciphersuite: TLS_RSA_WITH_3DES_EDE_CBC_SHA. */
}
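/** OpenSSL certificate verification callback.
 *
 * Invoked once per certificate in the chain.  When @a ok is non-zero it is
 * a no-op.  On a failure it applies the policy of the tls_t attached to the
 * SSL object:
 *  - accepted connections with verify_incoming clear, and initiated ones
 *    with verify_outgoing clear, have the error cleared (peer accepted as-is);
 *  - date-range errors (certificate or CRL not yet valid / expired) are
 *    cleared when verify_date is clear;
 *  - every other error stands and is logged at debug level 3.
 *
 * @return 1 to let verification continue, 0 to fail it.
 */
static
int tls_verify_cb(int ok, X509_STORE_CTX *store)
{
  if (ok)
    return ok;

  {
    char data[256];
    X509 *cert = X509_STORE_CTX_get_current_cert(store);
    int depth = X509_STORE_CTX_get_error_depth(store);
    int err = X509_STORE_CTX_get_error(store);

    int sslidx = SSL_get_ex_data_X509_STORE_CTX_idx();
    SSL *ssl = X509_STORE_CTX_get_ex_data(store, sslidx);
    tls_t *tls = ssl ? SSL_get_ex_data(ssl, tls_ex_data_idx) : NULL;

    assert(tls);
    /* Without a policy object keep the failure; assert() is compiled out
     * under NDEBUG, so this guard is what prevents the NULL dereference. */
    if (tls == NULL)
      return ok;

#define TLS_VERIFY_CB_CLEAR_ERROR(OK,ERR,STORE) \
    do {\
      OK = 1;\
      ERR = X509_V_OK;\
      X509_STORE_CTX_set_error(STORE,ERR);\
    } while (0)

    if (tls->accept && !tls->verify_incoming) {
      TLS_VERIFY_CB_CLEAR_ERROR(ok, err, store);
    }
    else if (!tls->accept && !tls->verify_outgoing) {
      TLS_VERIFY_CB_CLEAR_ERROR(ok, err, store);
    }
    else {
      switch (err) {
      case X509_V_ERR_CERT_NOT_YET_VALID:
      case X509_V_ERR_CERT_HAS_EXPIRED:
      case X509_V_ERR_CRL_NOT_YET_VALID:
      case X509_V_ERR_CRL_HAS_EXPIRED:
        if (!tls->verify_date)
          TLS_VERIFY_CB_CLEAR_ERROR(ok, err, store);
        break;
      default:
        break;
      }
    }

    if (!ok) {
      SU_DEBUG_3(("-Error with certificate at depth: %i\n", depth));
      /* The current certificate may be NULL for chain-level errors. */
      if (cert != NULL) {
        X509_NAME_oneline(X509_get_issuer_name(cert), data, sizeof data);
        SU_DEBUG_3((" issuer = %s\n", data));
        X509_NAME_oneline(X509_get_subject_name(cert), data, sizeof data);
        SU_DEBUG_3((" subject = %s\n", data));
      }
      SU_DEBUG_3((" err %i:%s\n", err, X509_verify_cert_error_string(err)));
    }
  }

  return ok;
}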
/** Run the one-time OpenSSL initialization; safe to call repeatedly
 * (see ONCE_INIT for the thread-safety caveat without pthreads). */
void tls_init(void) {
  ONCE_INIT(tls_init_once);
}
/** Build (or finish configuring) the SSL_CTX of @a tls from @a ti.
 *
 * The statement order is deliberate: the passphrase callback is installed
 * before the key file is read, and the verify policy and callback are set
 * after the trust store is loaded.
 *
 * Failure policy as written:
 *  - unreadable randFile: logged when configured > 1, otherwise ignored;
 *  - SSL_CTX_new(), trust store or cipher list failure: errno = EIO, -1;
 *  - certificate / private key / key-cert mismatch: logged when
 *    configured > 0, but the early return is compiled only when
 *    require_client_certificate is defined -- it is not defined in this
 *    file, so a context without a usable key still initializes.
 *
 * @return 0 on success, -1 with errno set on failure; the partially built
 *         ctx stays attached to @a tls for the caller to tls_free().
 */
static
int tls_init_context(tls_t *tls, tls_issues_t const *ti)
{
  int verify;
  static int random_loaded;   /* the seed file is read once per process */

  ONCE_INIT(tls_init_once);

  if (!random_loaded) {
    /* Raised before the attempt: an unreadable seed file is not retried. */
    random_loaded = 1;

    if (ti->randFile &&
        !RAND_load_file(ti->randFile, 1024 * 1024)) {
      /* Only reported when TLS was explicitly configured; never fatal. */
      if (ti->configured > 1) {
        SU_DEBUG_3(("%s: cannot open randFile %s\n",
                    "tls_init_context", ti->randFile));
        tls_log_errors(3, "tls_init_context", 0);
      }
      /* errno = EIO; */
      /* return -1; */
    }
  }

#if HAVE_SIGPIPE
  /* Avoid possible SIGPIPE when sending close_notify */
  signal(SIGPIPE, SIG_IGN);
#endif

  /* Only create a context when this tls_t has none yet. */
  if (tls->ctx == NULL)
    if (!(tls->ctx = SSL_CTX_new((SSL_METHOD*)SSLv23_method()))) {
      tls_log_errors(1, "SSL_CTX_new() failed", 0);
      errno = EIO;
      return -1;
    }

  /* The version-flexible method is narrowed by switching off every
   * protocol version whose bit is clear in ti->version. */
  if (!(ti->version & TPTLS_VERSION_SSLv2))
    SSL_CTX_set_options(tls->ctx, SSL_OP_NO_SSLv2);
  if (!(ti->version & TPTLS_VERSION_SSLv3))
    SSL_CTX_set_options(tls->ctx, SSL_OP_NO_SSLv3);
  if (!(ti->version & TPTLS_VERSION_TLSv1))
    SSL_CTX_set_options(tls->ctx, SSL_OP_NO_TLSv1);
  if (!(ti->version & TPTLS_VERSION_TLSv1_1))
    SSL_CTX_set_options(tls->ctx, SSL_OP_NO_TLSv1_1);
  if (!(ti->version & TPTLS_VERSION_TLSv1_2))
    SSL_CTX_set_options(tls->ctx, SSL_OP_NO_TLSv1_2);

  SSL_CTX_sess_set_remove_cb(tls->ctx, NULL);
  SSL_CTX_set_timeout(tls->ctx, ti->timeout);

  /* Set callback if we have a passphrase.  Installed before the private
   * key is loaded below, since presumably that load is what invokes it. */
  if (ti->passphrase != NULL) {
    SSL_CTX_set_default_passwd_cb(tls->ctx, passwd_cb);
    SSL_CTX_set_default_passwd_cb_userdata(tls->ctx, (void *)ti);
  }

  /* Certificate, key and key/cert match: logged when configured, but only
   * fatal when require_client_certificate is defined (see header comment). */
  if (!SSL_CTX_use_certificate_file(tls->ctx,
                                    ti->cert,
                                    SSL_FILETYPE_PEM)) {
    if (ti->configured > 0) {
      SU_DEBUG_1(("%s: invalid local certificate: %s\n",
                  "tls_init_context", ti->cert));
      tls_log_errors(3, "tls_init_context", 0);
#if require_client_certificate
      errno = EIO;
      return -1;
#endif
    }
  }

  if (!SSL_CTX_use_PrivateKey_file(tls->ctx,
                                   ti->key,
                                   SSL_FILETYPE_PEM)) {
    if (ti->configured > 0) {
      SU_DEBUG_1(("%s: invalid private key: %s\n",
                  "tls_init_context", ti->key));
      tls_log_errors(3, "tls_init_context(key)", 0);
#if require_client_certificate
      errno = EIO;
      return -1;
#endif
    }
  }

  if (!SSL_CTX_check_private_key(tls->ctx)) {
    if (ti->configured > 0) {
      SU_DEBUG_1(("%s: private key does not match the certificate public key\n",
                  "tls_init_context"));
    }
#if require_client_certificate
    errno = EIO;
    return -1;
#endif
  }

  /* Unlike the certificate and key above, a missing trust store is always
   * fatal, whether or not TLS was explicitly configured. */
  if (!SSL_CTX_load_verify_locations(tls->ctx,
                                     ti->CAfile,
                                     ti->CApath)) {
    SU_DEBUG_1(("%s: error loading CA list: %s\n",
                "tls_init_context", ti->CAfile));
    if (ti->configured > 0)
      tls_log_errors(3, "tls_init_context(CA)", 0);
    errno = EIO;
    return -1;
  }

  /* corresponds to (enum tport_tls_verify_policy) */
  /* Subject checks only make sense on top of signature checks, hence the
   * AND with the matching verify_* bit. */
  tls->verify_incoming = (ti->policy & 0x1) ? 1 : 0;
  tls->verify_outgoing = (ti->policy & 0x2) ? 1 : 0;
  tls->verify_subj_in = (ti->policy & 0x4) ? tls->verify_incoming : 0;
  tls->verify_subj_out = (ti->policy & 0x8) ? tls->verify_outgoing : 0;
  tls->verify_date = (ti->verify_date) ? 1 : 0;

  /* The SSL_VERIFY_* flags are derived from verify_incoming only: they make
   * a client certificate mandatory on accepted connections.  verify_outgoing
   * is consulted inside tls_verify_cb(); NOTE(review): the outgoing result
   * is presumably enforced after the handshake (tls_post_connection_check,
   * not in this part of the file) -- confirm. */
  if (tls->verify_incoming)
    verify = SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
  else
    verify = SSL_VERIFY_NONE;

  SSL_CTX_set_verify_depth(tls->ctx, ti->verify_depth);
  SSL_CTX_set_verify(tls->ctx, verify, tls_verify_cb);

  if (!SSL_CTX_set_cipher_list(tls->ctx, ti->ciphers)) {
    SU_DEBUG_1(("%s: error setting cipher list\n", "tls_init_context"));
    tls_log_errors(3, "tls_init_context", 0);
    errno = EIO;
    return -1;
  }

  return 0;
}
/** Release a tls_t: shut down and free its SSL connection, free the
 * SSL_CTX only when this object is the master that owns it, then drop the
 * su_home.  A NULL argument is accepted. */
void tls_free(tls_t *tls)
{
  SSL *con;

  if (tls == NULL)
    return;

  con = tls->con;
  if (con != NULL) {
    tls->con = NULL;
    SSL_shutdown(con);
    SSL_free(con);
  }

  /* Secondaries only borrow the context from their master. */
  if (tls->type != tls_slave && tls->ctx != NULL)
    SSL_CTX_free(tls->ctx);

  su_home_unref(tls->home);
}
/** Return the file descriptor behind the connection BIO, or -1 when there
 * is no tls_t, no BIO yet, or the BIO reports no descriptor. */
int tls_get_socket(tls_t *tls)
{
  int fd = -1;

  if (tls == NULL || tls->bio_con == NULL)
    return -1;

  BIO_get_fd(tls->bio_con, &fd);

  return fd;
}
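/** Create the master tls_t that holds the shared SSL_CTX.
 *
 * Applies tls_set_default() to @a ti, builds the context with
 * tls_init_context(), sets a session-id context, and -- when a CAfile is
 * configured -- the list of acceptable client CAs.
 *
 * @return the new master, or NULL with errno set (EIO on TLS setup failure,
 *         or whatever tls_create() left there).
 */
tls_t *tls_init_master(tls_issues_t *ti)
{
  /* Default id in case RAND fails */
  unsigned char sessionId[32] = "sofia/tls";
  tls_t *tls;

#if HAVE_SIGPIPE
  signal(SIGPIPE, SIG_IGN); /* Ignore spurious SIGPIPE from OpenSSL */
#endif

  tls_set_default(ti);

  if (!(tls = tls_create(tls_master)))
    return NULL;

  if (tls_init_context(tls, ti) < 0) {
    int err = errno;            /* preserve it across tls_free() */
    tls_free(tls);
    errno = err;
    return NULL;
  }

  /* 1 = strong bytes, 0 = weak bytes were written, -1 = unsupported (buffer
   * untouched, the default above stays).  The id only scopes session reuse,
   * so a weak or missing value is logged rather than treated as fatal. */
  if (RAND_pseudo_bytes(sessionId, sizeof(sessionId)) <= 0) {
    SU_DEBUG_3(("%s: RAND_pseudo_bytes() did not return strong bytes\n",
                "tls_init_master"));
    tls_log_errors(3, "tls_init_master", 0);
  }

  SSL_CTX_set_session_id_context(tls->ctx,
                                 (void*) sessionId,
                                 sizeof(sessionId));

  if (ti->CAfile != NULL) {
    STACK_OF(X509_NAME) *ca_names = SSL_load_client_CA_file(ti->CAfile);

    /* A fresh ctx has no client CA list, so skipping the set on failure is
     * equivalent to the former unconditional set of NULL -- but now logged. */
    if (ca_names != NULL) {
      SSL_CTX_set_client_CA_list(tls->ctx, ca_names);
    }
    else {
      SU_DEBUG_3(("%s: cannot load client CA list from %s\n",
                  "tls_init_master", ti->CAfile));
      tls_log_errors(3, "tls_init_master(client CA)", 0);
    }
  }

  return tls;
}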
tls_t *tls_init_secondary(tls_t *master, int sock, int accept)
{
tls_t *tls = tls_create(tls_slave);
if (tls) {
tls->ctx = master->ctx;
tls->accept = accept ? 1 : 0;
tls->verify_outgoing = master->verify_outgoing;
tls->verify_incoming = master->verify_incoming;
tls->verify_subj_out = master->verify_subj_out;
tls->verify_subj_in = master->verify_subj_in;
tls->verify_date = master->verify_date;
tls->x509_verified = master->x509_verified;
if (!(tls->read_buffer = su_alloc(tls->home, tls_buffer_size)))
su_home_unref(tls->home), tls = NULL;
}
if (!tls)
return tls;
assert(sock != -1);
tls->bio_con = BIO_new_socket(sock, BIO_NOCLOSE);
tls->con = SSL_new(tls->ctx);
if (tls->con == NULL) {
tls_log_errors(1, "tls_init_secondary", 0);
tls_free(tls);
errno = EIO;
return NULL;
}
SSL_set_bio(tls->con, tls->bio_con, tls->bio_con);
SSL_set_mode(tls->con, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
SSL_set_ex_data(tls->con, tls_ex_data_idx, tls);
su_setblocking(sock, 0);
return tls;
}
su_inline
int tls_post_connection_check(tport_t *self, tls_t *tls)
{
X509 *cert;
int extcount;
int i, j, error;
if (!tls) return -1;
cert = SSL_get_peer_certificate(tls->con);
if (!cert) {
SU_DEBUG_7(("%s(%p): Peer did not provide X.509 Certificate.\n",
__func__, (void *) self));
if (self->tp_accepted && tls->verify_incoming)
return X509_V_ERR_CERT_UNTRUSTED;
else if (!self->tp_accepted && tls->verify_outgoing)
return X509_V_ERR_CERT_UNTRUSTED;
else
return X509_V_OK;
}
tls->subjects = su_strlst_create(tls->home);
if (!tls->subjects)
return X509_V_ERR_OUT_OF_MEM;
extcount = X509_get_ext_count(cert);
/* Find matching subjectAltName.DNS */
for (i = 0; i < extcount; i++) {
X509_EXTENSION *ext;
char const *name;
#if OPENSSL_VERSION_NUMBER > 0x10000000L
const X509V3_EXT_METHOD *vp;
#else
X509V3_EXT_METHOD *vp;
#endif
STACK_OF(CONF_VALUE) *values;
CONF_VALUE *value;
void *d2i;
ext = X509_get_ext(cert, i);
name = OBJ_nid2sn(OBJ_obj2nid(X509_EXTENSION_get_object(ext)));
if (strcmp(name, "subjectAltName") != 0)
continue;
vp = X509V3_EXT_get(ext); if (!vp) continue;
d2i = X509V3_EXT_d2i(ext);
values = vp->i2v(vp, d2i, NULL);
for (j = 0; j < sk_CONF_VALUE_num(values); j++) {
value = sk_CONF_VALUE_value(values, j);
if (strcmp(value->name, "DNS") == 0)
su_strlst_dup_append(tls->subjects, value->value);
if (strcmp(value->name, "IP") == 0)
su_strlst_dup_append(tls->subjects, value->value);
else if (strcmp(value->name, "URI") == 0)
su_strlst_dup_append(tls->subjects, value->value);
}
}
{
X509_NAME *subject;
char name[256];
subject = X509_get_subject_name(cert);
if (subject) {
if (X509_NAME_get_text_by_NID(subject, NID_commonName,
name, sizeof name) > 0) {
usize_t k, N = su_strlst_len(tls->subjects);
name[(sizeof name) - 1] = '\0';
for (k = 0; k < N; k++)
if (su_casematch(su_strlst_item(tls->subjects, k), name) == 0)
break;
if (k >= N)
su_strlst_dup_append(tls->subjects, name);
}
}
}
X509_free(cert);
error = SSL_get_verify_result(tls->con);
if (cert && error == X509_V_OK)
tls->x509_verified = 1;
if (tport_log->log_level >= 7) {
int i, len = su_strlst_len(tls->subjects);
for (i=0; i < len; i++)
SU_DEBUG_7(("%s(%p): Peer Certificate Subject %i: %s\n", \
__func__, (void *)self, i, su_strlst_item(tls->subjects, i)));
if (i == 0)
SU_DEBUG_7(("%s(%p): Peer Certificate provided no usable subjects.\n",
__func__, (void *)self));
}
/* Verify incoming connections */
if (self->tp_accepted) {
if (!tls->verify_incoming)
return X509_V_OK;
if (!tls->x509_verified)
return error;
if (tls->verify_subj_in) {
su_strlst_t const *subjects = self->tp_pri->pri_primary->tp_subjects;
int i, items;
items = subjects ? su_strlst_len(subjects) : 0;
if (items == 0)
return X509_V_OK;
for (i=0; i < items; i++) {
if (tport_subject_search(su_strlst_item(subjects, i), tls->subjects))
return X509_V_OK;
}
SU_DEBUG_3(("%s(%p): Peer Subject Mismatch (incoming connection)\n", \
__func__, (void *)self));
return X509_V_ERR_CERT_UNTRUSTED;
}
}
/* Verify outgoing connections */
else {
char const *subject = self->tp_canon;
if (!tls->verify_outgoing)
return X509_V_OK;
if (!tls->x509_verified || !subject)
return error;
if (tls->verify_subj_out) {
if (tport_subject_search(subject, tls->subjects))
return X509_V_OK; /* Subject match found in verified certificate chain */
SU_DEBUG_3(("%s(%p): Peer Subject Mismatch (%s)\n", \
__func__, (void *)self, subject));
return X509_V_ERR_CERT_UNTRUSTED;
}
}
return error;
}
/** Translate a failed SSL_read()/SSL_write() result into the tport
 * read/write error convention.
 *
 * @param tls  connection whose SSL object produced @a ret
 * @param ret  value returned by the failed SSL_read()/SSL_write()
 * @param who  caller name, used when the OpenSSL error queue is logged
 * @param buf  data still to be written (NULL when called from the read path)
 * @param size length of @a buf
 *
 * @retval 0   the peer closed the stream (end-of-stream)
 * @retval -1  error; errno is EAGAIN when the call should be retried once
 *             the events recorded in tls->read_events / tls->write_events
 *             are signalled, EIO after a logged OpenSSL error, otherwise
 *             whatever the underlying I/O call left in errno
 */
static
int tls_error(tls_t *tls, int ret, char const *who,
	      void *buf, int size)
{
  int const err = SSL_get_error(tls->con, ret);
  int wanted = 0;

  /* Orderly close_notify from the peer. */
  if (err == SSL_ERROR_ZERO_RETURN)
    return 0;

  if (err == SSL_ERROR_SYSCALL) {
    if (SSL_get_shutdown(tls->con) & SSL_RECEIVED_SHUTDOWN)
      return 0;			/* EOS */
    /* NOTE(review): SSL_ERROR_SYSCALL with errno == 0 is how OpenSSL
     * (before 3.0) reports a transport-level EOF that arrived without a
     * close_notify alert.  Reporting it as a clean EOS means a stream
     * truncated by the network or by an active peer is indistinguishable
     * here from an orderly shutdown; callers needing that distinction
     * cannot get it from this return value. */
    if (errno == 0)
      return 0;			/* EOS */
    return -1;			/* errno as left by the I/O call */
  }

  /* Non-blocking socket: OpenSSL needs more I/O in one direction before
   * it can make progress.  Record which direction the caller must wait for. */
  if (err == SSL_ERROR_WANT_WRITE)
    wanted = SU_WAIT_OUT;
  else if (err == SSL_ERROR_WANT_READ)
    wanted = SU_WAIT_IN;
  else {
    /* Protocol or library failure: dump the OpenSSL error queue. */
    tls_log_errors(1, who, err);
    errno = EIO;
    return -1;
  }

  if (buf == NULL) {
    tls->read_events = wanted;
  }
  else {
    /* Park the unsent data so the write can be resumed later. */
    tls->write_events = wanted;
    tls->write_buffer = buf;
    tls->write_buffer_len = size;
  }

  errno = EAGAIN;
  return -1;
}
/** Read decrypted data from the TLS connection into its internal buffer.
 *
 * Data is left in tls->read_buffer until the caller takes it with
 * tls_read_buffer(); a call made while unconsumed data is still buffered
 * simply reports that length again.
 *
 * @param tls connection to read from
 *
 * @retval >0 number of bytes now waiting in tls->read_buffer
 * @retval 0  end-of-stream (reported through tls_error())
 * @retval -1 error; errno is EINVAL for a NULL @a tls, otherwise as set by
 *            tls_error() (EAGAIN means retry once the socket is readable)
 */
ssize_t tls_read(tls_t *tls)
{
  int n;

  if (!tls) {
    errno = EINVAL;
    return -1;
  }

  if (0)			/* disabled trace, compiled but never run */
    SU_DEBUG_1(("tls_read(%p) called on %s (events %u)\n", (void *)tls,
		tls->type ? "master" : "slave",
		tls->read_events));

  /* Previously read data has not been consumed yet. */
  if (tls->read_buffer_len != 0)
    return (ssize_t)tls->read_buffer_len;

  tls->read_events = SU_WAIT_IN;

  /* NOTE(review): assumes tls->read_buffer holds at least tls_buffer_size
   * bytes; the allocation is outside this block — confirm there. */
  n = SSL_read(tls->con, tls->read_buffer, tls_buffer_size);
  if (n <= 0)
    return tls_error(tls, n, "tls_read: SSL_read", NULL, 0);

  tls->read_buffer_len = n;

  return (ssize_t)n;
}
/** Hand the bytes buffered by the last tls_read() over to the caller.
 *
 * @param tls connection
 * @param N   number of bytes the caller consumes; must equal the length
 *            reported by tls_read() — only whole-buffer consumption is
 *            supported, and the check is an assert() only, so it is gone
 *            in NDEBUG builds
 *
 * @return pointer to the internal read buffer; it stays owned by @a tls
 *         and is marked as consumed (tls_read() will refill it next time)
 */
void *tls_read_buffer(tls_t *tls, size_t N)
{
  void *data;

  assert(N == tls->read_buffer_len);

  data = tls->read_buffer;
  tls->read_buffer_len = 0;

  return data;
}
/** Tell whether OpenSSL already holds decrypted bytes for @a tls.
 *
 * Bytes buffered inside the SSL object are not visible as readable on
 * the underlying socket, so a caller that only polls the fd has to ask
 * here as well.
 *
 * @return 1 if @a tls has an SSL object with pending bytes, 0 otherwise
 *         (a NULL @a tls or a missing SSL object counts as nothing pending)
 */
int tls_pending(tls_t const *tls)
{
  if (tls == NULL)
    return 0;
  if (tls->con == NULL)
    return 0;

  return SSL_pending(tls->con) != 0;
}
/** Check if data is available in TCP connection.
*
*
*
* @retval -1 upon an error
* @retval 0 end-of-stream
* @retval 1 nothing to read
* @retval 2 there is data to read
*/
int tls_want_read(tls_t *tls, int events)
{
if (tls && (events & tls->read_events)) {
int ret = tls_read(tls);
if (ret > 0)
return 2;
else if (ret == 0)
return 0;
2007-09-10 20:45:25 +00:00
else if (errno == EAGAIN)
return 3; /* ??? */
else
return -1;
}
return 1;
}
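/** Write application data to a TLS connection.
 *
 * Two modes are visible here:
 *
 *  - If a previous write was deferred (tls->write_buffer is set), the caller
 *    must retry with the very same @a buf and at least @a size bytes; the
 *    deferred length is then reported as written and the deferred state is
 *    cleared.  Nothing is sent in this case: the actual retransmission is
 *    driven by tls_want_write().
 *  - Otherwise the data is handed to SSL_write() directly.
 *
 * @param tls  TLS connection state (NULL is rejected with EINVAL)
 * @param buf  data to send (NULL is rejected with EINVAL)
 * @param size number of bytes in @a buf
 *
 * @return Number of bytes written, 0 when @a size is 0, -1 with @c errno set
 * on argument errors, or whatever tls_error() reports for an SSL_write()
 * failure (tls_error() is defined elsewhere in this file).
 */
ssize_t tls_write(tls_t *tls, void *buf, size_t size)
{
  ssize_t ret;

  if (tls == NULL || buf == NULL) {
    errno = EINVAL;
    return -1;
  }

  if (tls->write_buffer) {
    /* A deferred write is pending: the retry must present the same buffer.
     * The asserts catch protocol violations in debug builds; the explicit
     * check below keeps release builds from silently reporting success. */
    assert(buf == tls->write_buffer);
    assert(size >= tls->write_buffer_len);
    assert(tls->write_events == 0);

    if (tls->write_events ||
	buf != tls->write_buffer ||
	size < tls->write_buffer_len) {
      errno = EIO;
      return -1;
    }

    ret = tls->write_buffer_len;
    tls->write_buffer = NULL;
    tls->write_buffer_len = 0;
    return ret;
  }

  if (size == 0)
    return 0;

  tls->write_events = 0;

  /* NOTE(review): SSL_write() takes an int length; a size above INT_MAX
   * would be truncated here.  Callers are assumed to pass SIP-message sized
   * buffers -- confirm at the tport layer. */
  ret = SSL_write(tls->con, buf, size);

  /* With size > 0, SSL_write() returns <= 0 only on failure (0 is not a
   * short write), so a zero return must go through tls_error() too rather
   * than being reported as "0 bytes written", which would make the caller
   * retry forever on a closed connection. */
  if (ret <= 0)
    return tls_error(tls, ret, "tls_write: SSL_write", buf, size);

  return ret;
}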
/** Retry a deferred write once the socket becomes writable.
 *
 * When one of the events OpenSSL asked for (tls->write_events) has fired,
 * the pending buffer is detached from @a tls and pushed through tls_write()
 * again.  On success the buffer is re-attached with the number of bytes
 * actually written, so that the caller's subsequent tls_write() with the
 * same buffer reports that count.
 *
 * @param tls    TLS connection state (may be NULL)
 * @param events event mask reported by the wait object
 *
 * @return Number of bytes written, 0 if nothing was to be done or the write
 * would block again (EAGAIN), -1 on any other error.
 */
int tls_want_write(tls_t *tls, int events)
{
  void *pending;
  size_t pending_len;
  int ret;

  if (tls == NULL || (events & tls->write_events) == 0)
    return 0;

  pending = tls->write_buffer;
  pending_len = tls->write_buffer_len;

  /* Detach the buffer so tls_write() takes the SSL_write() path */
  tls->write_events = 0;
  tls->write_buffer = NULL;
  tls->write_buffer_len = 0;

  ret = tls_write(tls, pending, pending_len);

  if (ret < 0)
    return errno == EAGAIN ? 0 : -1;

  /* Re-attach the buffer with the count the next tls_write() will report */
  tls->write_buffer = pending;
  tls->write_buffer_len = ret;

  return ret;
}
/** Translate a generic wait mask into the events OpenSSL currently needs.
 *
 * For a secondary (non-master) connection the SU_WAIT_IN and SU_WAIT_OUT
 * bits are replaced by the event sets OpenSSL reported for reading and
 * writing (tls->read_events / tls->write_events); all other bits pass
 * through untouched.
 *
 * @param tls  TLS connection state (may be NULL)
 * @param mask requested wait mask
 *
 * @return @a mask unchanged when @a tls is NULL or a master, otherwise the
 * adjusted mask.
 */
int tls_events(tls_t const *tls, int mask)
{
  int wanted;

  if (tls == NULL || tls->type == tls_master)
    return mask;

  wanted = mask & ~(SU_WAIT_IN | SU_WAIT_OUT);

  if (mask & SU_WAIT_IN)
    wanted |= tls->read_events;

  if (mask & SU_WAIT_OUT)
    wanted |= tls->write_events;

  return wanted;
}
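/** Drive the TLS handshake on a connecting or accepted socket.
 *
 * Registered as the wakeup callback while the secondary transport is still
 * handshaking.  Each wakeup runs SSL_accept()/SSL_connect() once more and
 * re-arms the wait object for whatever OpenSSL needs next.  When the
 * handshake completes, the peer certificate is checked with
 * tls_post_connection_check(); only if that returns X509_V_OK is the
 * transport re-registered with tport_wakeup() and marked connected.  Any
 * handshake or verification failure closes the transport.
 *
 * @param magic root magic (unused here)
 * @param w     wait object that fired
 * @param self  secondary TLS transport
 *
 * @return Always 0.
 */
int tls_connect(su_root_magic_t *magic, su_wait_t *w, tport_t *self)
{
  tport_master_t *mr = self->tp_master;
  tport_tls_t *tlstp = (tport_tls_t *)self;
  tls_t *tls;
  int events = su_wait_events(w, self->tp_socket);
  int error;

  SU_DEBUG_7(("%s(%p): events%s%s%s%s\n", __func__, (void *)self,
	      events & (SU_WAIT_CONNECT) ? " CONNECTING" : "",
	      events & SU_WAIT_IN ? " NEGOTIATING" : "",
	      events & SU_WAIT_ERR ? " ERROR" : "",
	      events & SU_WAIT_HUP ? " HANGUP" : ""));

#if HAVE_POLL
  assert(w->fd == self->tp_socket);
#endif

  if (events & SU_WAIT_ERR)
    tport_error_event(self);

  if (events & SU_WAIT_HUP && !self->tp_closed)
    tport_hup_event(self);

  /* The error/hangup handlers above may have closed the transport */
  if (self->tp_closed)
    return 0;

  error = su_soerror(self->tp_socket);
  if (error) {
    tport_error_report(self, error, NULL);
    return 0;
  }

  if ((tls = tlstp->tlstp_context) == NULL) {
    SU_DEBUG_3(("%s(%p): Error: no TLS context data for connected socket.\n",
		__func__, (void *)tlstp));
    tport_close(self);
    tport_set_secondary_timer(self);
    return 0;
  }

  if (self->tp_is_connected == 0) {
    int ret, status;

    ret = self->tp_accepted ? SSL_accept(tls->con) : SSL_connect(tls->con);
    status = SSL_get_error(tls->con, ret);

    switch (status) {
    case SSL_ERROR_WANT_READ:
      /* OpenSSL is waiting for the peer to send handshake data */
      self->tp_events = SU_WAIT_IN | SU_WAIT_ERR | SU_WAIT_HUP;
      su_root_eventmask(mr->mr_root, self->tp_index,
			self->tp_socket, self->tp_events);
      return 0;

    case SSL_ERROR_WANT_WRITE:
      /* OpenSSL is waiting for the peer to receive handshake data */
      self->tp_events = SU_WAIT_IN | SU_WAIT_ERR | SU_WAIT_HUP | SU_WAIT_OUT;
      su_root_eventmask(mr->mr_root, self->tp_index,
			self->tp_socket, self->tp_events);
      return 0;

    case SSL_ERROR_NONE:
      /* TLS handshake complete: the peer certificate (and, depending on the
       * verify policy, its subjects) must pass before any data is exchanged */
      status = tls_post_connection_check(self, tls);

      if (status == X509_V_OK) {
	su_wait_t wait[1] = {SU_WAIT_INIT};

	/* Swap the handshake callback for the regular tport_wakeup() */
	su_root_deregister(mr->mr_root, self->tp_index);
	self->tp_index = -1;
	self->tp_events = SU_WAIT_IN | SU_WAIT_ERR | SU_WAIT_HUP;

	if ((su_wait_create(wait, self->tp_socket, self->tp_events) == -1) ||
	    ((self->tp_index = su_root_register(mr->mr_root, wait, tport_wakeup,
						self, 0)) == -1)) {
	  tport_close(self);
	  tport_set_secondary_timer(self);
	  return 0;
	}

	tls->read_events = SU_WAIT_IN;
	tls->write_events = 0;
	self->tp_is_connected = 1;

	/* Publish the verification outcome and peer subjects on the transport
	 * so the tport layer can select/reuse this connection by identity */
	self->tp_verified = tls->x509_verified;
	self->tp_subjects = tls->subjects;

	if (tport_has_queued(self))
	  tport_send_event(self);
	else
	  tport_set_secondary_timer(self);

	return 0;
      }

      /* status now holds the value tls_post_connection_check() returned;
       * log it so a rejected peer can be told apart from a broken handshake */
      SU_DEBUG_3(("%s(%p): TLS peer certificate check failed (%d)\n",
		  __func__, (void *)self, status));
      break;

    default:
      {
	char errbuf[64];

	/* ERR_error_string_n() decodes an error-queue code, not the
	 * SSL_get_error() result, so read the queue for the real reason and
	 * report the SSL_get_error() status alongside it. */
	ERR_error_string_n(ERR_get_error(), errbuf, sizeof errbuf);
	SU_DEBUG_3(("%s(%p): TLS setup failed (status %d: %s)\n",
		    __func__, (void *)self, status, errbuf));
      }
      break;
    }
  }

  /* TLS handshake failed or peer certificate did not verify */
  tport_close(self);
  tport_set_secondary_timer(self);
  return 0;
}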