From ddb8fd612472ff210412e69ceaed51821fc24975 Mon Sep 17 00:00:00 2001 From: Sean Bright Date: Fri, 29 Sep 2017 14:50:17 +0000 Subject: dtls: Add support for ephemeral DTLS certificates. This mimics the behavior of Chrome and Firefox and creates an ephemeral X.509 certificate for each DTLS session. Currently, the only supported key type is ECDSA because of its faster generation time, but other key types can be added in the future as necessary. ASTERISK-27395 Change-Id: I5122e5f4b83c6320cc17407a187fcf491daf30b4 --- main/rtp_engine.c | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) (limited to 'main/rtp_engine.c') diff --git a/main/rtp_engine.c b/main/rtp_engine.c index 226b229f2..0aed8e97c 100644 --- a/main/rtp_engine.c +++ b/main/rtp_engine.c @@ -2717,6 +2717,8 @@ int ast_rtp_dtls_cfg_parse(struct ast_rtp_dtls_cfg *dtls_cfg, const char *name, if (sscanf(value, "%30u", &dtls_cfg->rekey) != 1) { return -1; } + } else if (!strcasecmp(name, "dtlsautogeneratecert")) { + dtls_cfg->ephemeral_cert = ast_true(value) ? 1 : 0; } else if (!strcasecmp(name, "dtlscertfile")) { if (!ast_strlen_zero(value) && !ast_file_is_readable(value)) { ast_log(LOG_ERROR, "%s file %s does not exist or is not readable\n", name, value); @@ -2769,6 +2771,25 @@ int ast_rtp_dtls_cfg_parse(struct ast_rtp_dtls_cfg *dtls_cfg, const char *name, return 0; } +int ast_rtp_dtls_cfg_validate(struct ast_rtp_dtls_cfg *dtls_cfg) +{ + if (dtls_cfg->ephemeral_cert) { + if (!ast_strlen_zero(dtls_cfg->certfile)) { + ast_log(LOG_ERROR, "You cannot request automatically generated certificates" + " (dtls_auto_generate_cert) and also specify a certificate file" + " (dtls_cert_file) at the same time\n"); + return -1; + } else if (!ast_strlen_zero(dtls_cfg->pvtfile) + || !ast_strlen_zero(dtls_cfg->cafile) + || !ast_strlen_zero(dtls_cfg->capath)) { + ast_log(LOG_NOTICE, "dtls_pvt_file, dtls_cafile, and dtls_ca_path are" + " ignored when dtls_auto_generate_cert is enabled\n"); + } + } + + return 0; +} + void ast_rtp_dtls_cfg_copy(const struct ast_rtp_dtls_cfg *src_cfg, struct ast_rtp_dtls_cfg *dst_cfg) { ast_rtp_dtls_cfg_free(dst_cfg); /* Prevent a double-call leaking memory via ast_strdup */ @@ -2778,6 +2799,7 @@ void ast_rtp_dtls_cfg_copy(const struct ast_rtp_dtls_cfg *src_cfg, struct ast_rt dst_cfg->rekey = src_cfg->rekey; dst_cfg->suite = src_cfg->suite; dst_cfg->hash = src_cfg->hash; + dst_cfg->ephemeral_cert = src_cfg->ephemeral_cert; dst_cfg->certfile = ast_strdup(src_cfg->certfile); dst_cfg->pvtfile = ast_strdup(src_cfg->pvtfile); dst_cfg->cipher = ast_strdup(src_cfg->cipher); -- cgit v1.2.3