author | Nanang Izzuddin <nanang@teluu.com> | 2015-01-15 06:55:02 +0000 |
---|---|---|
committer | Nanang Izzuddin <nanang@teluu.com> | 2015-01-15 06:55:02 +0000 |
commit | 8a7f21ccfdb0e0883c6ba951de5c7065a8e263a0 (patch) | |
tree | ae65ffab1c0659d3932054e2db33d3eb33195fed /pjlib | |
parent | 61c0fc6417c175c88155f44183e66c8fbb7652e4 (diff) |
Close #1810: Add CA path support to SSL socket.
git-svn-id: http://svn.pjsip.org/repos/pjproject/trunk@4973 74dad513-b988-da41-8d7b-12977e46ad98
Diffstat (limited to 'pjlib')
-rw-r--r-- | pjlib/include/pj/ssl_sock.h | 25 | ||||
-rw-r--r-- | pjlib/src/pj/ssl_sock_ossl.c | 44 | ||||
-rw-r--r-- | pjlib/src/pj/ssl_sock_symbian.cpp | 13 |
3 files changed, 76 insertions, 6 deletions
diff --git a/pjlib/include/pj/ssl_sock.h b/pjlib/include/pj/ssl_sock.h
index b2a530b3..2d66b325 100644
--- a/pjlib/include/pj/ssl_sock.h
+++ b/pjlib/include/pj/ssl_sock.h
@@ -202,6 +202,31 @@ PJ_DECL(pj_status_t) pj_ssl_cert_load_from_files(pj_pool_t *pool,
                                                const pj_str_t *privkey_pass,
                                                pj_ssl_cert_t **p_cert);
+/**
+ * Create credential from files.
+ *
+ * This is the same as pj_ssl_cert_load_from_files() but also
+ * accepts an additional param CA_path to load CA certificates from
+ * a directory.
+ *
+ * @param CA_file The file of trusted CA list.
+ * @param CA_path The path to a directory of trusted CA list.
+ * @param cert_file The file of certificate.
+ * @param privkey_file The file of private key.
+ * @param privkey_pass The password of private key, if any.
+ * @param p_cert Pointer to credential instance to be created.
+ *
+ * @return PJ_SUCCESS when successful.
+ */
+PJ_DECL(pj_status_t) pj_ssl_cert_load_from_files2(
+                                               pj_pool_t *pool,
+                                               const pj_str_t *CA_file,
+                                               const pj_str_t *CA_path,
+                                               const pj_str_t *cert_file,
+                                               const pj_str_t *privkey_file,
+                                               const pj_str_t *privkey_pass,
+                                               pj_ssl_cert_t **p_cert);
+
 /**
  * Dump SSL certificate info.
diff --git a/pjlib/src/pj/ssl_sock_ossl.c b/pjlib/src/pj/ssl_sock_ossl.c
index 887b939a..80749000 100644
--- a/pjlib/src/pj/ssl_sock_ossl.c
+++ b/pjlib/src/pj/ssl_sock_ossl.c
@@ -189,6 +189,7 @@ struct pj_ssl_sock_t
 struct pj_ssl_cert_t
 {
     pj_str_t CA_file;
+    pj_str_t CA_path;
     pj_str_t cert_file;
     pj_str_t privkey_file;
     pj_str_t privkey_pass;
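Review bot: The new Doxygen block for `pj_ssl_cert_load_from_files2` does not state that `CA_file` and `CA_path` are each optional as long as one of them is supplied, and the `pool` parameter is not documented at all. The OpenSSL implementation in this same commit only rejects the case where both are NULL, so that contract belongs in the header; e.g. `@param CA_file The file of trusted CA list, or NULL if only CA_path is used.`, `@param CA_path The path to a directory of trusted CA list, or NULL if only CA_file is used.` and `@param pool The pool to allocate the credential from.`. It is also worth telling callers that with the OpenSSL backend the directory has to be laid out in the hashed form that `SSL_CTX_load_verify_locations()` expects (as produced by `c_rehash` / `openssl rehash`), otherwise the certificates in it are never found and peer verification fails for no visible reason.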
@@ -581,14 +582,25 @@ static pj_status_t create_ssl(pj_ssl_sock_t *ssock)
     /* Apply credentials */
     if (cert) {
         /* Load CA list if one is specified. */
-        if (cert->CA_file.slen) {
+        if (cert->CA_file.slen || cert->CA_path.slen) {
-            rc = SSL_CTX_load_verify_locations(ctx, cert->CA_file.ptr, NULL);
+            rc = SSL_CTX_load_verify_locations(
+                        ctx,
+                        cert->CA_file.slen == 0 ? NULL : cert->CA_file.ptr,
+                        cert->CA_path.slen == 0 ? NULL : cert->CA_path.ptr);
             if (rc != 1) {
                 status = GET_SSL_STATUS(ssock);
-                PJ_LOG(1,(ssock->pool->obj_name, "Error loading CA list file "
-                          "'%s'", cert->CA_file.ptr));
+                if (cert->CA_file.slen) {
+                    PJ_LOG(1,(ssock->pool->obj_name,
+                              "Error loading CA list file '%s'",
+                              cert->CA_file.ptr));
+                }
+                if (cert->CA_path.slen) {
+                    PJ_LOG(1,(ssock->pool->obj_name,
+                              "Error loading CA path '%s'",
+                              cert->CA_path.ptr));
+                }
                 SSL_CTX_free(ctx);
                 return status;
             }
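Review bot: The new `if (rc != 1)` branch is the only place a bad `CA_path` is reported, but for the directory argument `SSL_CTX_load_verify_locations()` only registers a hash-dir lookup; as far as I recall it does not check that the directory exists or contains hashed entries, so a misspelled or un-rehashed path normally returns 1 here and only shows up later as peer-verification failures with nothing in this log to correlate them with. Consider emitting the configured path at load time so operators can tie those handshake errors back to the configuration, e.g. `PJ_LOG(4,(ssock->pool->obj_name, "Using CA path '%s'", cert->CA_path.ptr));` after the successful call. Separately, when both CA_file and CA_path are set and the call fails, both error lines are printed although only one of the two locations may be at fault; a single message naming both, and noting that either may be the cause, would avoid misdirecting whoever reads the log. create_ssl() begins and ends outside this hunk.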
@@ -1928,12 +1940,31 @@ PJ_DEF(pj_status_t) pj_ssl_cert_load_from_files (pj_pool_t *pool,
                                         const pj_str_t *privkey_pass,
                                         pj_ssl_cert_t **p_cert)
 {
+    return pj_ssl_cert_load_from_files2(pool, CA_file, NULL, cert_file,
+                                        privkey_file, privkey_pass, p_cert);
+}
+
+PJ_DEF(pj_status_t) pj_ssl_cert_load_from_files2(pj_pool_t *pool,
+                                        const pj_str_t *CA_file,
+                                        const pj_str_t *CA_path,
+                                        const pj_str_t *cert_file,
+                                        const pj_str_t *privkey_file,
+                                        const pj_str_t *privkey_pass,
+                                        pj_ssl_cert_t **p_cert)
+{
     pj_ssl_cert_t *cert;
-    PJ_ASSERT_RETURN(pool && CA_file && cert_file && privkey_file, PJ_EINVAL);
+    PJ_ASSERT_RETURN(pool && (CA_file || CA_path) && cert_file &&
+                     privkey_file,
+                     PJ_EINVAL);
     cert = PJ_POOL_ZALLOC_T(pool, pj_ssl_cert_t);
-    pj_strdup_with_null(pool, &cert->CA_file, CA_file);
+    if (CA_file) {
+        pj_strdup_with_null(pool, &cert->CA_file, CA_file);
+    }
+    if (CA_path) {
+        pj_strdup_with_null(pool, &cert->CA_path, CA_path);
+    }
     pj_strdup_with_null(pool, &cert->cert_file, cert_file);
     pj_strdup_with_null(pool, &cert->privkey_file, privkey_file);
     pj_strdup_with_null(pool, &cert->privkey_pass, privkey_pass);
@@ -1957,6 +1988,7 @@ PJ_DECL(pj_status_t) pj_ssl_sock_set_certificate(
     cert_ = PJ_POOL_ZALLOC_T(pool, pj_ssl_cert_t);
     pj_memcpy(cert_, cert, sizeof(cert));
     pj_strdup_with_null(pool, &cert_->CA_file, &cert->CA_file);
+    pj_strdup_with_null(pool, &cert_->CA_path, &cert->CA_path);
     pj_strdup_with_null(pool, &cert_->cert_file, &cert->cert_file);
     pj_strdup_with_null(pool, &cert_->privkey_file, &cert->privkey_file);
     pj_strdup_with_null(pool, &cert_->privkey_pass, &cert->privkey_pass);
diff --git a/pjlib/src/pj/ssl_sock_symbian.cpp b/pjlib/src/pj/ssl_sock_symbian.cpp
index 509b1072..1c7aadf0 100644
--- a/pjlib/src/pj/ssl_sock_symbian.cpp
+++ b/pjlib/src/pj/ssl_sock_symbian.cpp
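Review bot: The context line `pj_memcpy(cert_, cert, sizeof(cert));` directly above the new `CA_path` duplication in pj_ssl_sock_set_certificate() copies `sizeof` a pointer, not the structure, so only the first few bytes of `*cert` are copied; the result is correct only because every member, CA_path now included, is re-duplicated individually right after it. Since this commit already has to keep that per-field list in step with the struct (the ossl.c struct hunk adds CA_path), it would be safer to either make the copy cover the whole object, `pj_memcpy(cert_, cert, sizeof(*cert));`, or remove the memcpy and rely on the explicit copies alone. If pj_ssl_cert_t ever gains a member that is not re-copied below, the present form silently leaves it at the zero value from PJ_POOL_ZALLOC_T. Both pj_ssl_cert_load_from_files2() and pj_ssl_sock_set_certificate() continue outside the hunk.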
@@ -859,8 +859,21 @@ PJ_DEF(pj_status_t) pj_ssl_cert_load_from_files(pj_pool_t *pool,
                                         const pj_str_t *privkey_pass,
                                         pj_ssl_cert_t **p_cert)
 {
+    return pj_ssl_cert_load_from_files2(pool, CA_file, NULL, cert_file,
+                                        privkey_file, privkey_pass, p_cert);
+}
+
+PJ_DEF(pj_status_t) pj_ssl_cert_load_from_files2(pj_pool_t *pool,
+                                        const pj_str_t *CA_file,
+                                        const pj_str_t *CA_path,
+                                        const pj_str_t *cert_file,
+                                        const pj_str_t *privkey_file,
+                                        const pj_str_t *privkey_pass,
+                                        pj_ssl_cert_t **p_cert)
+{
     PJ_UNUSED_ARG(pool);
     PJ_UNUSED_ARG(CA_file);
+    PJ_UNUSED_ARG(CA_path);
     PJ_UNUSED_ARG(cert_file);
     PJ_UNUSED_ARG(privkey_file);
     PJ_UNUSED_ARG(privkey_pass);