Commit 99d49718 authored by Adrien Béraud's avatar Adrien Béraud Committed by Guillaume Roguez

tls_session: add peer CA parameter for certificate check

To match with the certificate chain, the peer CA certificate
must be added to the session credentials in recent GnuTLS versions,
providing an additional layer of certificate verification.

This adds an optional peer_ca TLS parameter whose certificate (with its chain and CRLs) is added as a trusted CA,
and uses it in RingAccount.

Change-Id: I4b308de5b154bc9177a68d5f5db2b9f8e42d28b6
Reviewed-by: Guillaume Roguez's avatarGuillaume Roguez <guillaume.roguez@savoirfairelinux.com>
parent 11655bc4
......@@ -1800,6 +1800,7 @@ RingAccount::handlePendingCall(PendingCall& pc, bool incoming)
std::weak_ptr<SIPCall> wcall = call;
tls::TlsParams tlsParams {
/*.ca_list = */"",
/*.ca = */pc.from_cert,
/*.cert = */identity_.second,
/*.cert_key = */identity_.first,
/*.dh_params = */dhParams_,
......
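Review bot: The positional initializer on line 19 is labelled `/*.ca = */` but the TlsParams member it fills is `peer_ca` (the struct declares `ca_list` and `peer_ca`, no `ca`), so the label a reader uses to check positional order against the struct is wrong; change it to `/*.peer_ca = */pc.from_cert,`. Since this line turns a certificate received with the pending call into a trust anchor for the TLS handshake, a short why-comment would also help, e.g. `// trust the caller's CA chain so its presented chain can be verified` — that is only sound if pc.from_cert has already been authenticated before this point, which I cannot see from the hunk. handlePendingCall starts before and continues after this hunk.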
......@@ -30,6 +30,7 @@
#include "noncopyable.h"
#include "compiler_intrinsics.h"
#include "manager.h"
#include "certstore.h"
#include <gnutls/gnutls.h>
#include <gnutls/dtls.h>
......@@ -319,6 +320,13 @@ TlsSession::initCredentials()
RING_DBG("[TLS] CA list %s loadev", params_.ca_list.c_str());
}
if (params_.peer_ca) {
auto chain = params_.peer_ca->getChainWithRevocations();
auto ret = gnutls_certificate_set_x509_trust(*xcred_, chain.first.data(), chain.first.size());
if (not chain.second.empty())
gnutls_certificate_set_x509_crl(*xcred_, chain.second.data(), chain.second.size());
RING_DBG("[TLS] Peer CA list %lu (%lu CRLs): %d", chain.first.size(), chain.second.size(), ret);
}
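Review bot: The result of `gnutls_certificate_set_x509_trust` on line 36 only reaches a debug log, and the result of `gnutls_certificate_set_x509_crl` on line 38 is dropped, so a failed load of the peer CA or of its CRLs leaves the handshake to proceed with an incomplete trust store and no revocation data — fail-open for exactly the check this commit introduces. Both GnuTLS calls return a negative error code on failure (a non-negative count otherwise), so they should be checked the way commonSessionInit checks its credential call with `RING_ERR` and `gnutls_strerror`, and the failure path should do whatever initCredentials does when the ca_list load fails (that code is above the hunk, so I cannot see whether it returns or throws). The `%lu` specifiers with `size_t` arguments are also not portable; `%zu` matches the type. initCredentials begins and ends outside this hunk.
```cpp
    if (params_.peer_ca) {
        auto chain = params_.peer_ca->getChainWithRevocations();
        auto ret = gnutls_certificate_set_x509_trust(*xcred_, chain.first.data(), chain.first.size());
        if (ret < 0) {
            RING_ERR("[TLS] Peer CA trust load failed: %s", gnutls_strerror(ret));
            // … fail the credential setup the same way the ca_list load failure above does …
        }
        if (not chain.second.empty()) {
            auto crl_ret = gnutls_certificate_set_x509_crl(*xcred_, chain.second.data(), chain.second.size());
            if (crl_ret < 0) {
                RING_ERR("[TLS] Peer CRL load failed: %s", gnutls_strerror(crl_ret));
                // … same failure path: without the CRLs a revoked peer certificate would still verify …
            }
        }
        RING_DBG("[TLS] Peer CA list %zu (%zu CRLs)", chain.first.size(), chain.second.size());
    }
```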
// Load user-given identity (key and passwd)
if (params_.cert) {
......@@ -385,6 +393,7 @@ TlsSession::commonSessionInit()
RING_ERR("[TLS] certificate credential set failed: %s", gnutls_strerror(ret));
return false;
}
gnutls_certificate_send_x509_rdn_sequence(session_, 0);
// DTLS hanshake timeouts
auto re_tx_timeout = duration2ms(DTLS_RETRANSMIT_TIMEOUT);
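Review bot: The new `gnutls_certificate_send_x509_rdn_sequence(session_, 0);` on line 47 has no comment, and nothing in the name says what the `0` does. As I read the GnuTLS API, a status of 0 stops the server side from advertising the DNs of its trusted CAs in the CertificateRequest — which matters now that the peer's CA is loaded into that trust store and would otherwise be sent to every connecting client; please confirm against the GnuTLS documentation for the version in use. Suggested comment above the call: `// Do not advertise the trusted CA DNs (now including the peer CA) in the CertificateRequest`. commonSessionInit continues past this hunk.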
......
......@@ -114,6 +114,8 @@ struct TlsParams {
// User CA list for session credentials
std::string ca_list;
std::shared_ptr<dht::crypto::Certificate> peer_ca;
// User identity for credential
std::shared_ptr<dht::crypto::Certificate> cert;
std::shared_ptr<dht::crypto::PrivateKey> cert_key;
......
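Review bot: `peer_ca` on line 54 is the only member in this part of TlsParams without a comment, while `ca_list` and the identity pair each carry one, and its relationship to `ca_list` (both end up in the trust store) is not obvious from the name. Suggested comment above it: `// Optional peer CA certificate; its chain and any CRLs are added to the session trust store alongside ca_list`. The struct's remaining members lie outside this hunk.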