From b0e75d9d78307802a540ca1cf611d47392ebfc99 Mon Sep 17 00:00:00 2001
From: Pierre-Eric Pelloux-Prayer
Date: Fri, 22 Jul 2011 11:37:38 +0200
Subject: [PATCH] Add configuration option allowing to specify trusted CA certificates.

This option can contain either :
- a single file path; this file can contain several concatenated CA PEM files
- a folder path containing several CA PEM files
---
 coreapi/linphonecore.c | 14 ++++++++++++++
 coreapi/linphonecore.h | 1 +
 coreapi/linphonecore_jni.cc | 8 ++++++++
 coreapi/sal.h | 1 +
 coreapi/sal_eXosip2.c | 19 ++++++++++++++++++-
 coreapi/sal_eXosip2.h | 1 +
 .../org/linphone/core/LinphoneCore.java | 8 ++++++++
 7 files changed, 51 insertions(+), 1 deletion(-)
diff --git a/coreapi/linphonecore.c b/coreapi/linphonecore.c
index 847316d0..0db1485f 100644
--- a/coreapi/linphonecore.c
+++ b/coreapi/linphonecore.c
@@ -514,6 +514,8 @@ static void sip_config_read(LinphoneCore *lc)
 ms_free(contact);
 }
 
+ sal_root_ca(lc->sal, lp_config_get_string(lc->config,"sip","root_ca", "/etc/ssl/certs"));
+
 tmp=lp_config_get_int(lc->config,"sip","guess_hostname",1);
 linphone_core_set_guess_hostname(lc,tmp);
 
@@ -2898,6 +2900,18 @@ const char *linphone_core_get_ring(const LinphoneCore *lc){
 return lc->sound_conf.local_ring;
 }
 
+/**
+ * Sets the path to a file or folder containing trusted root CAs (PEM format)
+ *
+ * @param path
+ * @param lc The LinphoneCore object
+ *
+ * @ingroup media_parameters
+**/
+void linphone_core_set_root_ca(LinphoneCore *lc,const char *path){
+ sal_root_ca(lc->sal, path);
+}
+
 static void notify_end_of_ring(void *ud, MSFilter *f, unsigned int event, void *arg){
 LinphoneCore *lc=(LinphoneCore*)ud;
 lc->preview_finished=1;
diff --git a/coreapi/linphonecore.h b/coreapi/linphonecore.h
index 3d263082..010b1585 100644
--- a/coreapi/linphonecore.h
+++ b/coreapi/linphonecore.h
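Review bot: The `root_ca` value read in sip_config_read is handed to `sal_root_ca` with the hard-coded default `/etc/ssl/certs`, and nothing in the hunk checks that the path exists; on a platform without that directory (the JNI binding added by the same commit suggests Android is a target) the default silently names an empty trust store. A warning at startup would make a misconfigured or missing trust store visible, e.g. `if (access(tmp_path, R_OK) != 0) ms_warning("root CA path %s is not readable", tmp_path);` after reading the string, and the `sip` section key `root_ca` deserves a one-line mention in the configuration documentation. sip_config_read begins and ends outside the hunk.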
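Review bot: The Doxygen block on `linphone_core_set_root_ca` leaves `@param path` without a description and files the function under `media_parameters`, although it configures SIP transport security rather than media. I would replace the empty line with `@param path Path to a PEM file (several certificates may be concatenated) or to a directory of PEM files` and move it to a networking/SIP documentation group. As far as this patch shows, the CA path is only pushed to eXosip inside the TLS case of sal_listen_port, so the comment should also state that the call must precede transport setup to have an effect; whether a later call re-applies to an already open TLS transport is not visible here.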
@@ -857,6 +857,7 @@ char linphone_core_get_sound_source(LinphoneCore *lc);
 void linphone_core_set_sound_source(LinphoneCore *lc, char source);
 void linphone_core_set_ring(LinphoneCore *lc, const char *path);
 const char *linphone_core_get_ring(const LinphoneCore *lc);
+void linphone_core_set_root_ca(LinphoneCore *lc, const char *path);
 void linphone_core_set_ringback(LinphoneCore *lc, const char *path);
 const char * linphone_core_get_ringback(const LinphoneCore *lc);
 
diff --git a/coreapi/linphonecore_jni.cc b/coreapi/linphonecore_jni.cc
index 1f200c82..823e5e44 100644
--- a/coreapi/linphonecore_jni.cc
+++ b/coreapi/linphonecore_jni.cc
@@ -698,6 +698,14 @@ extern "C" jstring Java_org_linphone_core_LinphoneCoreImpl_getRing(JNIEnv* env
 return NULL;
 }
 }
+extern "C" void Java_org_linphone_core_LinphoneCoreImpl_setRootCA(JNIEnv* env
+ ,jobject thiz
+ ,jlong lc
+ ,jstring jpath) {
+ const char* path = jpath?env->GetStringUTFChars(jpath, NULL):NULL;
+ linphone_core_set_root_ca((LinphoneCore*)lc,path);
+ if (path) env->ReleaseStringUTFChars(jpath, path);
+}
 extern "C" void Java_org_linphone_core_LinphoneCoreImpl_enableKeepAlive(JNIEnv* env
 ,jobject thiz
 ,jlong lc
diff --git a/coreapi/sal.h b/coreapi/sal.h
index 47286b09..01bf3c71 100644
--- a/coreapi/sal.h
+++ b/coreapi/sal.h
@@ -276,6 +276,7 @@ void sal_reuse_authorization(Sal *ctx, bool_t enabled);
 void sal_use_one_matching_codec_policy(Sal *ctx, bool_t one_matching_codec);
 void sal_use_rport(Sal *ctx, bool_t use_rports);
 void sal_use_101(Sal *ctx, bool_t use_101);
+void sal_root_ca(Sal* ctx, const char* rootCa);
 int sal_iterate(Sal *sal);
 MSList * sal_get_pending_auths(Sal *sal);
 
diff --git a/coreapi/sal_eXosip2.c b/coreapi/sal_eXosip2.c
index 7df0fc38..ff078ccf 100644
--- a/coreapi/sal_eXosip2.c
+++ b/coreapi/sal_eXosip2.c
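Review bot: `Java_org_linphone_core_LinphoneCoreImpl_setRootCA` forwards a NULL `path` to `linphone_core_set_root_ca` both when `jpath` is null and when `GetStringUTFChars` fails (it returns NULL with an exception pending), but the native `sal_root_ca` added in sal_eXosip2.c passes that pointer straight to `ms_strdup` and a `%s` log format without a NULL check. Either bail out here, `if (jpath && path == NULL) return; /* OOM, Java exception pending */`, and document that a null Java path is not a "clear" operation, or make the native side NULL-safe; doing it in one place is enough. The Javadoc for `setRootCA` should then say which of the two behaviours applies.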
@@ -281,11 +281,14 @@ Sal * sal_init(){
 sal->use_rports=TRUE;
 sal->use_101=TRUE;
 sal->reuse_authorization=FALSE;
+ sal->rootCa = 0;
 return sal;
 }
 
 void sal_uninit(Sal* sal){
 eXosip_quit();
+ if (sal->rootCa)
+ ms_free(sal->rootCa);
 ms_free(sal);
 }
 
@@ -365,7 +368,14 @@ int sal_listen_port(Sal *ctx, const char *addr, int port, SalTransport tr, int i
 case SalTransportTLS:
 proto= IPPROTO_TCP;
 keepalive=-1;
- eXosip_set_option (EXOSIP_OPT_UDP_KEEP_ALIVE,&keepalive);
+ eXosip_set_option (EXOSIP_OPT_UDP_KEEP_ALIVE,&keepalive);
+
+ if (ctx->rootCa) {
+ eXosip_tls_ctx_t tlsCtx;
+ memset(&tlsCtx, 0, sizeof(tlsCtx));
+ snprintf(tlsCtx.root_ca_cert, sizeof(tlsCtx.client.cert), "%s", ctx->rootCa);
+ eXosip_set_tls_ctx(&tlsCtx);
+ }
 break;
 default:
 ms_warning("unexpected proto, using datagram");
@@ -432,6 +442,13 @@ void sal_use_101(Sal *ctx, bool_t use_101){
 ctx->use_101=use_101;
 }
 
+void sal_root_ca(Sal* ctx, const char* rootCa) {
+ if (ctx->rootCa)
+ ms_free(ctx->rootCa);
+ ctx->rootCa = ms_strdup(rootCa);
+ ms_error("YIPI : %s == %s\n", rootCa, ctx->rootCa);
+}
+
 static int extract_received_rport(osip_message_t *msg, const char **received, int *rportval,SalTransport* transport){
 osip_via_t *via=NULL;
 osip_generic_param_t *param=NULL;
diff --git a/coreapi/sal_eXosip2.h b/coreapi/sal_eXosip2.h
index 201cb65a..bdc25774 100644
--- a/coreapi/sal_eXosip2.h
+++ b/coreapi/sal_eXosip2.h
@@ -45,6 +45,7 @@ struct Sal{
 bool_t use_rports;
 bool_t use_101;
 bool_t reuse_authorization;
+ char* rootCa; /* File _or_ folder containing root CA */
 };
 
 struct SalOp{
diff --git a/java/common/org/linphone/core/LinphoneCore.java b/java/common/org/linphone/core/LinphoneCore.java
index bb52cc87..91f056c2 100644
--- a/java/common/org/linphone/core/LinphoneCore.java
+++ b/java/common/org/linphone/core/LinphoneCore.java
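Review bot: `sal->rootCa = 0;` in sal_init initialises a pointer with an integer literal; the rest of the struct setup reads more clearly with `sal->rootCa = NULL;`. In sal_uninit the `if (sal->rootCa)` guard around `ms_free` is only needed if `ms_free` does not accept NULL, which this patch does not show — if it does, the two added lines collapse to `ms_free(sal->rootCa);`.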
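Review bot: In the new TLS branch of sal_listen_port the `snprintf` writes into `tlsCtx.root_ca_cert` but bounds the copy with `sizeof(tlsCtx.client.cert)`; if those two arrays differ in size this is either a silent truncation or a write past the end of `root_ca_cert`, and a truncated path quietly selects a different (probably non-existent) trust store. Use the destination's own size and refuse a path that does not fit: `int n = snprintf(tlsCtx.root_ca_cert, sizeof(tlsCtx.root_ca_cert), "%s", ctx->rootCa);` / `if (n < 0 || (size_t)n >= sizeof(tlsCtx.root_ca_cert)) ms_error("root CA path too long: %s", ctx->rootCa);` / `else eXosip_set_tls_ctx(&tlsCtx);`. Two further points are not visible in the hunk and worth confirming in a comment: `memset` followed by `eXosip_set_tls_ctx` hands eXosip a context with empty client/server certificate fields, so any certificates configured elsewhere may be overwritten, and nothing here shows eXosip being told to verify the peer against the supplied CAs, so the option only provides protection if verification is enforced by the library. sal_listen_port begins and ends outside the hunk.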
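Review bot: `sal_root_ca` keeps a debugging trace, `ms_error("YIPI : %s == %s\n", ...)`, at error level in a production path; it should be dropped, and the function is not NULL-safe even though the JNI wrapper in this commit passes NULL for a null Java string. I would change the body to `if (ctx->rootCa) ms_free(ctx->rootCa);` / `ctx->rootCa = rootCa ? ms_strdup(rootCa) : NULL;` and add a header comment saying that the path is copied, that NULL clears it, and that — as far as the sal_listen_port hunk shows — the value is only applied to eXosip when a TLS transport is next configured.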
@@ -528,6 +528,14 @@ public interface LinphoneCore {
 * @param null if not set
 */
 String getRing();
+
+ /**
+ * Sets file or folder containing trusted root CAs
+ *
+ * @param path path to file with multiple PEM certif or to folder with multiple PEM files
+ */
+ void setRootCA(String path);
+
 void setUploadBandwidth(int bw);
 void setDownloadBandwidth(int bw);
 
--
2.39.2
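Review bot: The Javadoc on `setRootCA` abbreviates "certificates" as "certif" and does not tell the caller when the setting takes effect or what a null argument does, which matters because the native side of this commit only applies the path when a TLS transport is configured and does not handle null. I would write `@param path path to a single PEM file (which may contain several concatenated certificates) or to a folder of PEM files; must be set before TLS transports are configured` and add one sentence stating whether null is accepted, once the native behaviour is settled.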