
Commit aad12b0

committed
Add WSS certificate reload support to tport_reload_tls because TLS does not cover WSS transport which uses its own SSL_CTX
1 parent 91041c1 commit aad12b0


3 files changed

+109
-71
lines changed


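--- a/libsofia-sip-ua/tport/tport.c
+++ b/libsofia-sip-ua/tport/tport.c
@@ -80,6 +80,7 @@ typedef struct tport_nat_s tport_nat_t;
 
 #include "tport_internal.h"
 #include "tport_tls.h"
+#include "tport_ws.h"
 
 #if HAVE_FUNC
 #elif HAVE_FUNCTION
@@ -314,7 +315,21 @@ int tport_reload_tls(tport_t *self, char const *cert_dir)
 ti.configured = 1;
 
 for (tp = tport_primaries(self); tp; tp = tport_next(tp)) {
-if (tport_has_tls(tp)) {
+/* Reload WSS transport certificates */
+if (tp->tp_protoname && strcasecmp(tp->tp_protoname, "wss") == 0) {
+tport_ws_primary_t *wspri = (tport_ws_primary_t *)tp->tp_pri;
+if (wspri->ssl_ctx) {
+SSL_CTX *new_ctx = tport_wss_create_ssl_ctx(cert_dir);
+if (new_ctx) {
+SSL_CTX_free(wspri->ssl_ctx);
+wspri->ssl_ctx = new_ctx;
+reloaded++;
+SU_DEBUG_3(("tport_reload_tls: WSS certificates reloaded successfully\n" VA_NONE));
+} else {
+SU_DEBUG_1(("tport_reload_tls: WSS certificate reload failed\n" VA_NONE));
+}
+}
+} else if (tport_has_tls(tp)) {
 tport_tls_primary_t *tlspri = (tport_tls_primary_t *)tp->tp_pri;
 if (tlspri->tlspri_master) {
 if (tls_reload_cert(tlspri->tlspri_master, &ti) == 0)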

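--- a/libsofia-sip-ua/tport/tport_type_ws.c
+++ b/libsofia-sip-ua/tport/tport_type_ws.c
@@ -338,113 +338,134 @@ ssize_t tport_send_stream_ws(tport_t const *self, msg_t *msg,
 return size;
 }
 
-static int tport_ws_init_primary_secure(tport_primary_t *pri,
-tp_name_t tpn[1],
-su_addrinfo_t *ai,
-tagi_t const *tags,
-char const **return_culprit)
+/** Create a new SSL_CTX for WSS using certificates from cert_dir.
+* Returns a new SSL_CTX on success, NULL on failure.
+*/
+SSL_CTX *tport_wss_create_ssl_ctx(char const *cert_dir)
 {
-tport_ws_primary_t *wspri = (tport_ws_primary_t *)pri;
-const char *cert = "/ssl.pem";
-const char *key = "/ssl.pem";
-const char *chain = NULL;
-char *homedir;
 su_home_t autohome[SU_HOME_AUTO_SIZE(1024)];
-char const *path = NULL;
-int ret = -1;
-
-su_home_auto(autohome, sizeof autohome);
+const char *cert = NULL;
+const char *key = NULL;
+const char *chain = NULL;
+SSL_CTX *ssl_ctx = NULL;
 
-tl_gets(tags,
-TPTAG_CERTIFICATE_REF(path),
-TAG_END());
+if (!cert_dir)
+return NULL;
 
-if (!path) {
-homedir = getenv("HOME");
-if (!homedir)
-homedir = "";
-path = su_sprintf(autohome, "%s/.sip/auth", homedir);
-}
+su_home_auto(autohome, sizeof autohome);
 
-if (path) {
-key = su_sprintf(autohome, "%s/%s", path, "wss.key");
-if (access(key, R_OK) != 0) key = NULL;
+key = su_sprintf(autohome, "%s/%s", cert_dir, "wss.key");
+if (access(key, R_OK) != 0) key = NULL;
 
-cert = su_sprintf(autohome, "%s/%s", path, "wss.crt");
-if (access(cert, R_OK) != 0) cert = NULL;
+cert = su_sprintf(autohome, "%s/%s", cert_dir, "wss.crt");
+if (access(cert, R_OK) != 0) cert = NULL;
 
-chain = su_sprintf(autohome, "%s/%s", path, "ca-bundle.crt");
-if (access(chain, R_OK) != 0) chain = NULL;
+chain = su_sprintf(autohome, "%s/%s", cert_dir, "ca-bundle.crt");
+if (access(chain, R_OK) != 0) chain = NULL;
 
-if ( !key ) key = su_sprintf(autohome, "%s/%s", path, "wss.pem");
-if ( !cert ) cert = su_sprintf(autohome, "%s/%s", path, "wss.pem");
-if ( !chain ) chain = su_sprintf(autohome, "%s/%s", path, "wss.pem");
-if (access(key, R_OK) != 0) key = NULL;
-if (access(cert, R_OK) != 0) cert = NULL;
-if (access(chain, R_OK) != 0) chain = NULL;
-}
+if (!key) key = su_sprintf(autohome, "%s/%s", cert_dir, "wss.pem");
+if (!cert) cert = su_sprintf(autohome, "%s/%s", cert_dir, "wss.pem");
+if (!chain) chain = su_sprintf(autohome, "%s/%s", cert_dir, "wss.pem");
+if (access(key, R_OK) != 0) key = NULL;
+if (access(cert, R_OK) != 0) cert = NULL;
+if (access(chain, R_OK) != 0) chain = NULL;
 
 if (!(key && cert && chain)) {
-tls_log_errors(3, "tport_ws_init_primary_secure", 0);
+tls_log_errors(3, "tport_wss_create_ssl_ctx", 0);
 goto done;
 }
 
 init_ssl();
 
-// OpenSSL_add_all_algorithms(); /* load & register cryptos */
-// SSL_load_error_strings(); /* load all error messages */
-wspri->ssl_method = SSLv23_server_method(); /* create server instance */
-wspri->ssl_ctx = SSL_CTX_new((SSL_METHOD *)wspri->ssl_method); /* create context */
-
-if (!wspri->ssl_ctx) {
-tls_log_errors(3, "tport_ws_init_primary_secure", 0);
-goto done;
+ssl_ctx = SSL_CTX_new((SSL_METHOD *)SSLv23_server_method());
+if (!ssl_ctx) {
+tls_log_errors(3, "tport_wss_create_ssl_ctx", 0);
+goto done;
 }
 
-SSL_CTX_sess_set_remove_cb(wspri->ssl_ctx, NULL);
-wspri->ws_secure = 1;
+SSL_CTX_sess_set_remove_cb(ssl_ctx, NULL);
 
 /* Disable SSLv2 */
-SSL_CTX_set_options(wspri->ssl_ctx, SSL_OP_NO_SSLv2);
+SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv2);
 /* Disable SSLv3 */
-SSL_CTX_set_options(wspri->ssl_ctx, SSL_OP_NO_SSLv3);
+SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv3);
 /* Disable TLSv1 */
-SSL_CTX_set_options(wspri->ssl_ctx, SSL_OP_NO_TLSv1);
+SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1);
 /* Disable Compression CRIME (Compression Ratio Info-leak Made Easy) */
-SSL_CTX_set_options(wspri->ssl_ctx, SSL_OP_NO_COMPRESSION);
-
+SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_COMPRESSION);
+
 if (chain) {
-if ( !SSL_CTX_use_certificate_chain_file(wspri->ssl_ctx, chain) ) {
-tls_log_errors(3, "tport_ws_init_primary_secure", 0);
-}
+if (!SSL_CTX_use_certificate_chain_file(ssl_ctx, chain)) {
+tls_log_errors(3, "tport_wss_create_ssl_ctx", 0);
+}
 }
 
 /* set the local certificate from CertFile */
-if ( !SSL_CTX_use_certificate_file(wspri->ssl_ctx, cert, SSL_FILETYPE_PEM) ) {
-tls_log_errors(3, "tport_ws_init_primary_secure", 0);
-goto done;
+if (!SSL_CTX_use_certificate_file(ssl_ctx, cert, SSL_FILETYPE_PEM)) {
+tls_log_errors(3, "tport_wss_create_ssl_ctx", 0);
+goto fail;
 }
 /* set the private key from KeyFile */
-if ( !SSL_CTX_use_PrivateKey_file(wspri->ssl_ctx, key, SSL_FILETYPE_PEM) ) {
-tls_log_errors(3, "tport_ws_init_primary_secure", 0);
-goto done;
+if (!SSL_CTX_use_PrivateKey_file(ssl_ctx, key, SSL_FILETYPE_PEM)) {
+tls_log_errors(3, "tport_wss_create_ssl_ctx", 0);
+goto fail;
 }
 /* verify private key */
-if ( !SSL_CTX_check_private_key(wspri->ssl_ctx) ) {
-tls_log_errors(3, "tport_ws_init_primary_secure", 0);
-goto done;
+if (!SSL_CTX_check_private_key(ssl_ctx)) {
+tls_log_errors(3, "tport_wss_create_ssl_ctx", 0);
+goto fail;
 }
 
-if ( !SSL_CTX_set_cipher_list(wspri->ssl_ctx, "!eNULL:!aNULL:!DSS:HIGH:@STRENGTH") ) {
-tls_log_errors(3, "tport_ws_init_primary_secure", 0);
-goto done;
+if (!SSL_CTX_set_cipher_list(ssl_ctx, "!eNULL:!aNULL:!DSS:HIGH:@STRENGTH")) {
+tls_log_errors(3, "tport_wss_create_ssl_ctx", 0);
+goto fail;
 }
 
-ret = tport_ws_init_primary(pri, tpn, ai, tags, return_culprit);
+su_home_zap(autohome);
+return ssl_ctx;
 
+fail:
+SSL_CTX_free(ssl_ctx);
 done:
 su_home_zap(autohome);
-return ret;
+return NULL;
+}
+
+static int tport_ws_init_primary_secure(tport_primary_t *pri,
+tp_name_t tpn[1],
+su_addrinfo_t *ai,
+tagi_t const *tags,
+char const **return_culprit)
+{
+tport_ws_primary_t *wspri = (tport_ws_primary_t *)pri;
+char *homedir;
+su_home_t autohome[SU_HOME_AUTO_SIZE(1024)];
+char const *path = NULL;
+
+su_home_auto(autohome, sizeof autohome);
+
+tl_gets(tags,
+TPTAG_CERTIFICATE_REF(path),
+TAG_END());
+
+if (!path) {
+homedir = getenv("HOME");
+if (!homedir)
+homedir = "";
+path = su_sprintf(autohome, "%s/.sip/auth", homedir);
+}
+
+wspri->ssl_ctx = tport_wss_create_ssl_ctx(path);
+if (!wspri->ssl_ctx) {
+su_home_zap(autohome);
+return -1;
+}
+
+wspri->ssl_method = SSLv23_server_method();
+wspri->ws_secure = 1;
+
+su_home_zap(autohome);
+return tport_ws_init_primary(pri, tpn, ai, tags, return_culprit);
 }
 
 int tport_ws_init_primary(tport_primary_t *pri,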
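Review bot: When one of key, cert or chain is not readable under cert_dir, `tls_log_errors(3, "tport_wss_create_ssl_ctx", 0)` runs before any OpenSSL call has been made, so the OpenSSL error queue is normally empty and the operator gets no hint of which file was missing — and now that this function also runs from tport_reload_tls, a failed certificate rotation would leave only the generic failure line there. Prefer an explicit message before that goto: `SU_DEBUG_3(("tport_wss_create_ssl_ctx: no readable key/cert/chain under %s\n", cert_dir));` (cert_dir is already known to be non-NULL at that point). The access(R_OK) probes followed by OpenSSL opening the same paths are a check-then-use sequence; the practical effect here is a misleading diagnostic rather than a security problem, since the OpenSSL loaders report their own failure through the fail path. init_ssl() is now invoked on every reload, and the hunk does not show whether it is idempotent, so that should be confirmed before shipping reload-heavy deployments. The doc comment on tport_wss_create_ssl_ctx should also state ownership, e.g. `* The caller owns the returned context and releases it with SSL_CTX_free().`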

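--- a/libsofia-sip-ua/tport/tport_ws.h
+++ b/libsofia-sip-ua/tport/tport_ws.h
@@ -94,6 +94,8 @@ int tport_ws_next_timer(tport_t *self, su_time_t *, char const **);
 void tport_ws_timer(tport_t *self, su_time_t);
 static void tport_ws_deinit_secondary(tport_t *self);
 
+SSL_CTX *tport_wss_create_ssl_ctx(char const *cert_dir);
+
 SOFIA_END_DECLS
 
 #endif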
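Review bot: The new prototype carries no contract, and the header is where the caller in tport.c will look; document that the result is caller-owned: `/** Build a server SSL_CTX from the WSS certificate files under cert_dir; returns NULL on failure. The caller owns the context and frees it with SSL_CTX_free(). */`. The declaration uses SSL_CTX unqualified, so this header must already pull in the OpenSSL headers before this point for tport.c, which now includes it; the hunk does not show that include, so it is worth confirming.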
