diff options
author | Sean Bright <sean.bright@gmail.com> | 2017-09-29 14:50:17 +0000 |
---|---|---|
committer | Joshua Colp <jcolp@digium.com> | 2017-11-06 08:11:20 -0500 |
commit | ddb8fd612472ff210412e69ceaed51821fc24975 (patch) | |
tree | b2ee471a9e46646c27f924724ff9dc3d9f8932fa /main/rtp_engine.c | |
parent | 92b61748beb9a23cdd6d0ec650cbc6a7bf077ec9 (diff) |
dtls: Add support for ephemeral DTLS certificates.
This mimics the behavior of Chrome and Firefox and creates an ephemeral
X.509 certificate for each DTLS session.
Currently, the only supported key type is ECDSA because of its faster
generation time, but other key types can be added in the future as
necessary.
ASTERISK-27395
Change-Id: I5122e5f4b83c6320cc17407a187fcf491daf30b4
Diffstat (limited to 'main/rtp_engine.c')
-rw-r--r-- | main/rtp_engine.c | 22 |
1 files changed, 22 insertions, 0 deletions
diff --git a/main/rtp_engine.c b/main/rtp_engine.c index 226b229f2..0aed8e97c 100644 --- a/main/rtp_engine.c +++ b/main/rtp_engine.c @@ -2717,6 +2717,8 @@ int ast_rtp_dtls_cfg_parse(struct ast_rtp_dtls_cfg *dtls_cfg, const char *name, if (sscanf(value, "%30u", &dtls_cfg->rekey) != 1) { return -1; } + } else if (!strcasecmp(name, "dtlsautogeneratecert")) { + dtls_cfg->ephemeral_cert = ast_true(value) ? 1 : 0; } else if (!strcasecmp(name, "dtlscertfile")) { if (!ast_strlen_zero(value) && !ast_file_is_readable(value)) { ast_log(LOG_ERROR, "%s file %s does not exist or is not readable\n", name, value); @@ -2769,6 +2771,25 @@ int ast_rtp_dtls_cfg_parse(struct ast_rtp_dtls_cfg *dtls_cfg, const char *name, return 0; } +int ast_rtp_dtls_cfg_validate(struct ast_rtp_dtls_cfg *dtls_cfg) +{ + if (dtls_cfg->ephemeral_cert) { + if (!ast_strlen_zero(dtls_cfg->certfile)) { + ast_log(LOG_ERROR, "You cannot request automatically generated certificates" + " (dtls_auto_generate_cert) and also specify a certificate file" + " (dtls_cert_file) at the same time\n"); + return -1; + } else if (!ast_strlen_zero(dtls_cfg->pvtfile) + || !ast_strlen_zero(dtls_cfg->cafile) + || !ast_strlen_zero(dtls_cfg->capath)) { + ast_log(LOG_NOTICE, "dtls_pvt_file, dtls_cafile, and dtls_ca_path are" + " ignored when dtls_auto_generate_cert is enabled\n"); + } + } + + return 0; +} + void ast_rtp_dtls_cfg_copy(const struct ast_rtp_dtls_cfg *src_cfg, struct ast_rtp_dtls_cfg *dst_cfg) { ast_rtp_dtls_cfg_free(dst_cfg); /* Prevent a double-call leaking memory via ast_strdup */ @@ -2778,6 +2799,7 @@ void ast_rtp_dtls_cfg_copy(const struct ast_rtp_dtls_cfg *src_cfg, struct ast_rt dst_cfg->rekey = src_cfg->rekey; dst_cfg->suite = src_cfg->suite; dst_cfg->hash = src_cfg->hash; + dst_cfg->ephemeral_cert = src_cfg->ephemeral_cert; dst_cfg->certfile = ast_strdup(src_cfg->certfile); dst_cfg->pvtfile = ast_strdup(src_cfg->pvtfile); dst_cfg->cipher = ast_strdup(src_cfg->cipher); |