1 From 41b027b68f59913d166c3c91b8fdd2b40088822f Mon Sep 17 00:00:00 2001
2 From: johan pascal <johan.pascal@belledonne-communications.com>
3 Date: Fri, 3 Mar 2023 11:28:25 +0100
4 Subject: [PATCH] remove TLS client certificate callback
5
6 ---
7  src/transports/tls_channel.c | 57 +++++++++++++++---------------------
8  1 file changed, 23 insertions(+), 34 deletions(-)
9
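diff --git a/src/transports/tls_channel.c b/src/transports/tls_channel.c
index 65811a61..9c64b8af 100644
--- a/src/transports/tls_channel.c
+++ b/src/transports/tls_channel.c
@@ -475,37 +475,6 @@ BELLE_SIP_INSTANCIATE_CUSTOM_VPTR_BEGIN(
        }
 BELLE_SIP_INSTANCIATE_CUSTOM_VPTR_END
 
-static int belle_sip_client_certificate_request_callback(void *data, bctbx_ssl_context_t *ssl_ctx, const bctbx_list_t *names) {
-       belle_sip_tls_channel_t *channel = (belle_sip_tls_channel_t *)data;
-
-       /* ask certificate */
-       BELLE_SIP_INVOKE_LISTENERS_ARG1_ARG2(   channel->base.base.full_listeners
-                       ,belle_sip_channel_listener_t
-                       ,on_auth_requested
-                       ,&channel->base.base
-                       ,(names==NULL)?NULL:(char *)names->data); // forward only the first name of the list, this functionnality is not used for now anyway
-
-       /* if we got one, set it in the ssl handshake context */
-       if (channel->client_cert_chain && channel->client_cert_key) {
-               int err;
-               char tmp[512]={0};
-
-               bctbx_x509_certificate_get_info_string(tmp,sizeof(tmp)-1,"",channel->client_cert_chain->cert);
-               belle_sip_message("Channel [%p]  found client  certificate:\n%s",channel,tmp);
-
-               if ((err=bctbx_ssl_set_hs_own_cert(channel->sslctx,channel->client_cert_chain->cert,channel->client_cert_key->key))) {
-                       bctbx_strerror(err,tmp,sizeof(tmp)-1);
-                       belle_sip_error("Channel [%p] cannot set retrieved ssl own certificate [%s]",channel,tmp);
-                       return -1; /* we were not able to set the client certificate, something is going wrong, this will abort the handshake*/
-               }
-               return 0;
-       }
-
-       belle_sip_warning("Channel [%p] cannot get client certificate to answer server request", channel);
-
-       return 0; /* we couldn't find any certificate, just keep on going, server may decide to abort the handshake */
-}
-
 static int tls_handle_postcheck(belle_sip_tls_channel_t* channel){
        if (channel->crypto_config && channel->crypto_config->postcheck_cb){
                const bctbx_x509_certificate_t *cert = bctbx_ssl_get_peer_certificate(channel->sslctx);
@@ -883,6 +852,29 @@ static int belle_sip_tls_channel_init_bc
        if (crypto_config->ssl_config == NULL) {
                bctbx_ssl_config_defaults(obj->sslcfg, BCTBX_SSL_IS_CLIENT, BCTBX_SSL_TRANSPORT_STREAM);
                bctbx_ssl_config_set_authmode(obj->sslcfg, BCTBX_SSL_VERIFY_REQUIRED);
+               /* set up client certificate */
+               /* if we do not have one, request it */
+               if (!(obj->client_cert_chain && obj->client_cert_key)) {
+                       BELLE_SIP_INVOKE_LISTENERS_ARG1_ARG2(obj->base.base.full_listeners, belle_sip_channel_listener_t,
+                                                            on_auth_requested, &obj->base.base, NULL);
+               }
+               /* now if we do have one set it in the ssl config */
+               if (obj->client_cert_chain && obj->client_cert_key) {
+                       char tmp[512] = {0};
+
+                       bctbx_x509_certificate_get_info_string(tmp, sizeof(tmp) - 1, "", obj->client_cert_chain->cert);
+                       belle_sip_message("Channel [%p]  found client  certificate:\n%s", obj, tmp);
+
+                       int ret =
+                           bctbx_ssl_config_set_own_cert(obj->sslcfg, obj->client_cert_chain->cert, obj->client_cert_key->key);
+                       if (ret < 0) {
+                               belle_sip_error(
+                                   "Unable to set own certificate in config for SSL context at TLS channel creation ret [-0x%x]",
+                                   -ret);
+                               belle_sip_object_unref(obj);
+                               return -1;
+                       }
+               }
        } else { /* an SSL config is provided, use it*/
                int ret = bctbx_ssl_config_set_crypto_library_config(obj->sslcfg, crypto_config->ssl_config);
                if (ret<0) {
@@ -900,7 +892,6 @@ static int belle_sip_tls_channel_init_bc
                bctbx_ssl_config_set_ca_chain(obj->sslcfg, obj->root_ca);
        }
        bctbx_ssl_config_set_callback_verify(obj->sslcfg, belle_sip_ssl_verify, crypto_config);
-       bctbx_ssl_config_set_callback_cli_cert(obj->sslcfg, belle_sip_client_certificate_request_callback, obj);
 
        bctbx_ssl_context_setup(obj->sslctx, obj->sslcfg);
        bctbx_ssl_set_hostname(obj->sslctx, super->base.peer_cname ? super->base.peer_cname : super->base.peer_name);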