Commit 9e053207 authored by Guillaume Roguez's avatar Guillaume Roguez

tls: revert anonymous certificate exchange

If an encrypted packet used during the encrypted
handshake steps to initialize a secure channel with a peer
is re-ordered due to the network, gnutls is not able to
process the handshake correctly.
This prevents any calls to be established
(SIP channel goes over such connection).

This patch reverts the anonymous handshake to let only
the non-encrypted certificate exchange system.
This is less anonymous as certificates are exchanged in
plain-text format.

The revert consists of adding an option to enable or disable the
anonymous certificate exchange. This option is set to false
(disabled) by default.

Now, TLS 1.3 should resolve this situation.
So it's not a definitive patch.

Change-Id: I3214efae1b69e44967a67a628cc690d8e95c9e40
Tuleap: #572
parent 8ea35fbb
......@@ -149,11 +149,12 @@ private:
};
TlsSession::TlsSession(std::shared_ptr<IceTransport> ice, int ice_comp_id,
const TlsParams& params, const TlsSessionCallbacks& cbs)
const TlsParams& params, const TlsSessionCallbacks& cbs, bool anonymous)
: socket_(new IceSocket(ice, ice_comp_id))
, isServer_(not ice->isInitiator())
, params_(params)
, callbacks_(cbs)
, anonymous_(anonymous)
, cacred_(nullptr)
, sacred_(nullptr)
, xcred_(nullptr)
......@@ -295,22 +296,31 @@ TlsSession::commonSessionInit()
{
int ret;
// Force anonymous connection, see handleStateHandshake how we handle failures
ret = gnutls_priority_set_direct(session_, TLS_FULL_PRIORITY_STRING, nullptr);
if (ret != GNUTLS_E_SUCCESS) {
RING_ERR("[TLS] TLS priority set failed: %s", gnutls_strerror(ret));
return false;
}
if (anonymous_) {
// Force anonymous connection, see handleStateHandshake how we handle failures
ret = gnutls_priority_set_direct(session_, TLS_FULL_PRIORITY_STRING, nullptr);
if (ret != GNUTLS_E_SUCCESS) {
RING_ERR("[TLS] TLS priority set failed: %s", gnutls_strerror(ret));
return false;
}
// Add anonymous credentials
if (isServer_)
ret = gnutls_credentials_set(session_, GNUTLS_CRD_ANON, *sacred_);
else
ret = gnutls_credentials_set(session_, GNUTLS_CRD_ANON, *cacred_);
// Add anonymous credentials
if (isServer_)
ret = gnutls_credentials_set(session_, GNUTLS_CRD_ANON, *sacred_);
else
ret = gnutls_credentials_set(session_, GNUTLS_CRD_ANON, *cacred_);
if (ret != GNUTLS_E_SUCCESS) {
RING_ERR("[TLS] anonymous credential set failed: %s", gnutls_strerror(ret));
return false;
if (ret != GNUTLS_E_SUCCESS) {
RING_ERR("[TLS] anonymous credential set failed: %s", gnutls_strerror(ret));
return false;
}
} else {
// Use a classic non-encrypted CERTIFICATE exchange method (less anonymous)
ret = gnutls_priority_set_direct(session_, TLS_CERT_PRIORITY_STRING, nullptr);
if (ret != GNUTLS_E_SUCCESS) {
RING_ERR("[TLS] TLS priority set failed: %s", gnutls_strerror(ret));
return false;
}
}
// Add certificate credentials
......@@ -532,7 +542,8 @@ TlsSession::handleStateSetup(UNUSED TlsSessionState state)
RING_DBG("[TLS] Start %s DTLS session", typeName());
try {
initAnonymous();
if (anonymous_)
initAnonymous();
initCredentials();
} catch (const std::exception& e) {
RING_ERR("[TLS] authentifications init failed: %s", e.what());
......
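Review bot: Both branches of the new `if (anonymous_)` in commonSessionInit log the identical `[TLS] TLS priority set failed` message, so a failure log cannot tell whether TLS_FULL_PRIORITY_STRING or TLS_CERT_PRIORITY_STRING was rejected; consider `RING_ERR("[TLS] TLS priority set failed (%s): %s", anonymous_ ? "anonymous" : "certificate", gnutls_strerror(ret));` in both places. The comment kept at the top of the anonymous branch still says "see handleStateHandshake how we handle failures", but that handler is outside this commit's hunks, so it is worth confirming that its failure handling does not assume the anonymous path when `anonymous_` is false. Since initAnonymous() is now skipped in handleStateSetup when `anonymous_` is false, `cacred_`/`sacred_` presumably stay null on that path; commonSessionInit only dereferences them under `anonymous_`, but any other use of those members (for example in cleanup code outside the hunk) needs the same guard. The `else` branch would also benefit from a comment stating the trade-off the commit message describes, e.g. `// Certificates are exchanged in clear text here: peer identities are visible on the wire`.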
......@@ -132,7 +132,7 @@ public:
};
TlsSession(std::shared_ptr<IceTransport> ice, int ice_comp_id, const TlsParams& params,
const TlsSessionCallbacks& cbs);
const TlsSessionCallbacks& cbs, bool anonymous=false);
~TlsSession();
// Returns the TLS session type ('server' or 'client')
......@@ -165,6 +165,7 @@ private:
const bool isServer_;
const TlsParams params_;
const TlsSessionCallbacks callbacks_;
const bool anonymous_;
// State machine
TlsSessionState handleStateSetup(TlsSessionState state);
......
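Review bot: The new `anonymous` constructor parameter is undocumented in the header, although its default of false changes what travels on the wire (the commit message says certificates are then exchanged in plain text). A comment above the constructor in the same style as the existing `// Returns the TLS session type` line would help, e.g. `// anonymous: use the anonymous (encrypted) certificate exchange; false (default) exchanges certificates in clear text`. The `const bool anonymous_;` member could carry the same one-line note.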