[asterisk-commits] file: branch file/sha256-a-harsh-reality r417079 - in /team/file/sha256-a-har...

SVN commits to the Asterisk project asterisk-commits at lists.digium.com
Mon Jun 23 09:56:01 CDT 2014


Author: file
Date: Mon Jun 23 09:55:58 2014
New Revision: 417079

URL: http://svnview.digium.com/svn/asterisk?view=rev&rev=417079
Log:
Extend the "dtlsverify" option with more values to allow more detailed configuration of what to verify.

Modified:
    team/file/sha256-a-harsh-reality/configs/sip.conf.sample
    team/file/sha256-a-harsh-reality/include/asterisk/rtp_engine.h
    team/file/sha256-a-harsh-reality/main/rtp_engine.c
    team/file/sha256-a-harsh-reality/res/res_rtp_asterisk.c

Modified: team/file/sha256-a-harsh-reality/configs/sip.conf.sample
URL: http://svnview.digium.com/svn/asterisk/team/file/sha256-a-harsh-reality/configs/sip.conf.sample?view=diff&rev=417079&r1=417078&r2=417079
==============================================================================
--- team/file/sha256-a-harsh-reality/configs/sip.conf.sample (original)
+++ team/file/sha256-a-harsh-reality/configs/sip.conf.sample Mon Jun 23 09:55:58 2014
@@ -1292,7 +1292,11 @@
 ; DTLS-SRTP support is available if the underlying RTP engine in use supports it.
 ;
 ; dtlsenable = yes                   ; Enable or disable DTLS-SRTP support
-; dtlsverify = yes                   ; Verify that the provided peer certificate is valid
+; dtlsverify = yes                   ; Verify that provided peer certificate and fingerprint are valid
+;				     ; A value of 'yes' will perform both certificate and fingerprint verification
+;				     ; A value of 'no' will perform no certificate or fingerprint verification
+;				     ; A value of 'fingerprint' will perform ONLY fingerprint verification
+;				     ; A value of 'certificate' will perform ONLY certficiate verification
 ; dtlsrekey = 60                     ; Interval at which to renegotiate the TLS session and rekey the SRTP session
 ;                                    ; If this is not set or the value provided is 0 rekeying will be disabled
 ; dtlscertfile = file                ; Path to certificate file to present

Modified: team/file/sha256-a-harsh-reality/include/asterisk/rtp_engine.h
URL: http://svnview.digium.com/svn/asterisk/team/file/sha256-a-harsh-reality/include/asterisk/rtp_engine.h?view=diff&rev=417079&r1=417078&r2=417079
==============================================================================
--- team/file/sha256-a-harsh-reality/include/asterisk/rtp_engine.h (original)
+++ team/file/sha256-a-harsh-reality/include/asterisk/rtp_engine.h Mon Jun 23 09:55:58 2014
@@ -379,14 +379,21 @@
 	AST_RTP_DTLS_HASH_SHA1,   /*!< SHA-1 fingerprint hash */
 };
 
+/*! \brief DTLS verification settings */
+enum ast_rtp_dtls_verify {
+	AST_RTP_DTLS_VERIFY_NONE = 0,		 		/*!< Don't verify anything */
+	AST_RTP_DTLS_VERIFY_FINGERPRINT = (1 << 0), /*!< Verify the fingerprint */
+	AST_RTP_DTLS_VERIFY_CERTIFICATE = (1 << 1), /*!< Verify the certificate */
+};
+
 /*! \brief DTLS configuration structure */
 struct ast_rtp_dtls_cfg {
 	unsigned int enabled:1;                /*!< Whether DTLS support is enabled or not */
-	unsigned int verify:1;                 /*!< Whether to request and verify a client certificate when acting as server */
 	unsigned int rekey;                    /*!< Interval at which to renegotiate and rekey - defaults to 0 (off) */
 	enum ast_rtp_dtls_setup default_setup; /*!< Default setup type to use for outgoing */
 	enum ast_srtp_suite suite;             /*!< Crypto suite in use */
 	enum ast_rtp_dtls_hash hash;		   /*!< Hash to use for fingerprint */
+	enum ast_rtp_dtls_verify verify;	   /*!< What should be verified */
 	char *certfile;                        /*!< Certificate file */
 	char *pvtfile;                         /*!< Private key file */
 	char *cipher;                          /*!< Cipher to use */
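Review bot: The new `verify` member is typed as `enum ast_rtp_dtls_verify` but the parser in main/rtp_engine.c stores `AST_RTP_DTLS_VERIFY_FINGERPRINT | AST_RTP_DTLS_VERIFY_CERTIFICATE` in it, so the field is really a bitmask and its comment `What should be verified` does not say that combinations are valid. Suggest `/*!< Bitmask of enum ast_rtp_dtls_verify flags selecting what to verify (fingerprint, certificate, or both) */` on the struct member, and a matching sentence on the enum's `\brief` noting that the values are flags meant to be OR'd together. The removed bitfield comment also recorded that the certificate is requested only when acting as server; if that still holds, keep that detail in the new comment. Storing an OR'd value in an enum-typed field is legal C but may trigger enum-assignment warnings on some compilers, which is worth knowing before enabling stricter flags.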

Modified: team/file/sha256-a-harsh-reality/main/rtp_engine.c
URL: http://svnview.digium.com/svn/asterisk/team/file/sha256-a-harsh-reality/main/rtp_engine.c?view=diff&rev=417079&r1=417078&r2=417079
==============================================================================
--- team/file/sha256-a-harsh-reality/main/rtp_engine.c (original)
+++ team/file/sha256-a-harsh-reality/main/rtp_engine.c Mon Jun 23 09:55:58 2014
@@ -2109,7 +2109,17 @@
 	if (!strcasecmp(name, "dtlsenable")) {
 		dtls_cfg->enabled = ast_true(value) ? 1 : 0;
 	} else if (!strcasecmp(name, "dtlsverify")) {
-		dtls_cfg->verify = ast_true(value) ? 1 : 0;
+		if (!strcasecmp(value, "yes")) {
+			dtls_cfg->verify = AST_RTP_DTLS_VERIFY_FINGERPRINT | AST_RTP_DTLS_VERIFY_CERTIFICATE;
+		} else if (!strcasecmp(value, "fingerprint")) {
+			dtls_cfg->verify = AST_RTP_DTLS_VERIFY_FINGERPRINT;
+		} else if (!strcasecmp(value, "certificate")) {
+			dtls_cfg->verify = AST_RTP_DTLS_VERIFY_CERTIFICATE;
+		} else if (!strcasecmp(value, "no")) {
+			dtls_cfg->verify = AST_RTP_DTLS_VERIFY_NONE;
+		} else {
+			return -1;
+		}
 	} else if (!strcasecmp(name, "dtlsrekey")) {
 		if (sscanf(value, "%30u", &dtls_cfg->rekey) != 1) {
 			return -1;

Modified: team/file/sha256-a-harsh-reality/res/res_rtp_asterisk.c
URL: http://svnview.digium.com/svn/asterisk/team/file/sha256-a-harsh-reality/res/res_rtp_asterisk.c?view=diff&rev=417079&r1=417078&r2=417079
==============================================================================
--- team/file/sha256-a-harsh-reality/res/res_rtp_asterisk.c (original)
+++ team/file/sha256-a-harsh-reality/res/res_rtp_asterisk.c Mon Jun 23 09:55:58 2014
@@ -288,6 +288,7 @@
 	BIO *write_bio;   /*!< Memory buffer for writing */
 	ast_mutex_t dtls_timer_lock;           /*!< Lock for synchronization purposes */
 	enum ast_rtp_dtls_setup dtls_setup; /*!< Current setup state */
+	enum ast_rtp_dtls_verify dtls_verify; /*!< What to verify */
 	enum ast_srtp_suite suite;   /*!< SRTP crypto suite */
 	enum ast_rtp_dtls_hash local_hash; /*!< Local hash used for the fingerprint */
 	char local_fingerprint[160]; /*!< Fingerprint of our certificate */
@@ -797,6 +798,12 @@
 	rtp->dtls_failure = 1;
 }
 
+static int dtls_verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
+{
+	/* We don't want to actually verify the certificate so just accept what they have provided */
+	return 1;
+}
+
 static int ast_rtp_dtls_set_configuration(struct ast_rtp_instance *instance, const struct ast_rtp_dtls_cfg *dtls_cfg)
 {
 	struct ast_rtp *rtp = ast_rtp_instance_get_data(instance);
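Review bot: `dtls_verify_callback` unconditionally returns 1, which tells OpenSSL to accept every peer certificate, and its comment does not record why that is acceptable here. From the next hunk it is installed only when `AST_RTP_DTLS_VERIFY_CERTIFICATE` is not set, so the peer certificate is still requested (to obtain it for the fingerprint comparison) while its chain result is deliberately ignored; that contract should be visible at the definition, e.g. `/* Accept any peer certificate: chain validation is disabled by configuration, so the only remaining check is the SDP fingerprint comparison after the handshake. Must not be installed when AST_RTP_DTLS_VERIFY_CERTIFICATE is set. */`. The unused `preverify_ok` and `ctx` parameters will draw `-Wunused-parameter` warnings if the build enables them; a `(void)` cast or a short comment on each would make the intent explicit.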
@@ -813,7 +820,11 @@
 		return -1;
 	}
 
-	SSL_CTX_set_verify(rtp->ssl_ctx, dtls_cfg->verify ? SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT : SSL_VERIFY_NONE, NULL);
+	rtp->dtls_verify = dtls_cfg->verify;
+
+	SSL_CTX_set_verify(rtp->ssl_ctx, (rtp->dtls_verify & AST_RTP_DTLS_VERIFY_FINGERPRINT) || (rtp->dtls_verify & AST_RTP_DTLS_VERIFY_CERTIFICATE) ?
+		SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT : SSL_VERIFY_NONE, !(rtp->dtls_verify & AST_RTP_DTLS_VERIFY_CERTIFICATE) ?
+		dtls_verify_callback : NULL);
 
 	if (dtls_cfg->suite == AST_AES_CM_128_HMAC_SHA1_80) {
 		SSL_CTX_set_tlsext_use_srtp(rtp->ssl_ctx, "SRTP_AES128_CM_SHA1_80");
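Review bot: The `SSL_CTX_set_verify` call packs two ternaries and a bitmask test into one three-line expression, so the reader has to work out the precedence (`||` binds tighter than `?:`, which is what is intended) and the link between the chosen mode and the chosen callback is not visible. Computing the mode and the callback into named locals first preserves the behavior and makes the fingerprint-only and certificate-only cases reviewable at a glance; the rewrite below does that (the two declarations belong with the function's existing locals, which are outside this hunk). Note that for `AST_RTP_DTLS_VERIFY_NONE` the current expression still installs `dtls_verify_callback` alongside `SSL_VERIFY_NONE`; the rewrite passes `NULL` there, which should be equivalent since the verify result is not consulted in that mode. `ast_rtp_dtls_set_configuration` begins in the previous hunk and continues past this one.
```c
	rtp->dtls_verify = dtls_cfg->verify;

	/* Request (and insist on) a peer certificate whenever anything is to be
	 * verified. When the certificate chain itself is not to be validated,
	 * install the accept-all callback so the handshake only fails later on a
	 * fingerprint mismatch. */
	int verify_mode = SSL_VERIFY_NONE;
	int (*verify_cb)(int, X509_STORE_CTX *) = NULL;

	if (rtp->dtls_verify & (AST_RTP_DTLS_VERIFY_FINGERPRINT | AST_RTP_DTLS_VERIFY_CERTIFICATE)) {
		verify_mode = SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
		if (!(rtp->dtls_verify & AST_RTP_DTLS_VERIFY_CERTIFICATE)) {
			verify_cb = dtls_verify_callback;
		}
	}

	SSL_CTX_set_verify(rtp->ssl_ctx, verify_mode, verify_cb);
	/* … unchanged: SRTP profile selection … */
```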
@@ -1450,7 +1461,7 @@
 	struct ast_rtp_instance_stats stats = { 0, };
 
 	/* If a fingerprint is present in the SDP make sure that the peer certificate matches it */
-	if (SSL_CTX_get_verify_mode(rtp->ssl_ctx) != SSL_VERIFY_NONE) {
+	if (rtp->dtls_verify & AST_RTP_DTLS_VERIFY_FINGERPRINT) {
 		X509 *certificate;
 
 		if (!(certificate = SSL_get_peer_certificate(rtp->ssl))) {
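Review bot: With the new guard the SDP fingerprint is compared only when `AST_RTP_DTLS_VERIFY_FINGERPRINT` is set, so a `dtlsverify = certificate` configuration now ignores a fingerprint offered in the SDP even if it does not match the presented certificate, whereas the removed condition ran this check in every verifying mode. If that is the intended semantics of `certificate`, the comment above the `if` should say so, e.g. `/* In fingerprint verification mode, make sure the peer certificate matches the fingerprint received in the SDP; certificate-only mode relies on chain validation instead */`. The enclosing function starts and ends outside this hunk.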
@@ -1487,7 +1498,7 @@
 	}
 
 	/* Ensure that certificate verification was successful */
-	if (SSL_get_verify_result(rtp->ssl) != X509_V_OK) {
+	if ((rtp->dtls_verify & AST_RTP_DTLS_VERIFY_CERTIFICATE) && SSL_get_verify_result(rtp->ssl) != X509_V_OK) {
 		ast_log(LOG_WARNING, "Peer certificate on RTP instance '%p' failed verification test\n",
 			instance);
 		return -1;



