Add support for the ca_list_path option for PJSIP transports.

This allows a directory path containing a collection of CA
certificates to be specified for a TLS transport.

ASTERISK-24575 #close
Reported by cloos
Patches:
	pj-ca-path-trunk.diff uploaded by cloos (License #5956)

Review: https://reviewboard.asterisk.org/r/4344
........

Merged revisions 430709 from http://svn.asterisk.org/svn/asterisk/branches/13


git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@430713 65c4cc65-6c06-0410-ace0-fbb531ad65f3
Mark Michelson 10 years ago
parent a8ea2f9287
commit 023fa0f9e8

@ -124,6 +124,12 @@ res_fax
res_fax.conf and via the fax options dialplan function 'FAXOPT(t38timeout)'.
The default remains at 5000 milliseconds.
PJSIP Transports
----------
* The ca_list_path transport parameter has been added for TLS transports. This
option behaves similarly to the old sip.conf option "tlscapath". In order to
use this, you must be using PJProject version ?.? or higher.
ARI
------------------
* The Originate operation now takes in an originator channel. The linked ID of

@ -758,6 +758,10 @@
; "")
;ca_list_file= ; File containing a list of certificates to read TLS ONLY
; (default: "")
;ca_list_path= ; Path to directory containing certificates to read TLS ONLY.
; PJProject version 2.4 or higher is required for this option to
; be used.
; (default: "")
;cert_file= ; Certificate file for endpoint TLS ONLY
; Will read .crt or .pem file but only uses cert,
; a .key file must be specified via priv_key_file

configure vendored


@ -457,6 +457,7 @@ AST_EXT_LIB_SETUP([POPT], [popt], [popt])
AST_EXT_LIB_SETUP_OPTIONAL([PJ_TRANSACTION_GRP_LOCK], [PJSIP Transaction Group Lock Support], [PJPROJECT], [pjsip])
AST_EXT_LIB_SETUP_OPTIONAL([PJSIP_REPLACE_MEDIA_STREAM], [PJSIP Media Stream Replacement Support], [PJPROJECT], [pjsip])
AST_EXT_LIB_SETUP_OPTIONAL([PJSIP_GET_DEST_INFO], [pjsip_get_dest_info support], [PJPROJECT], [pjsip])
AST_EXT_LIB_SETUP_OPTIONAL([PJ_SSL_CERT_LOAD_FROM_FILES2], [pj_ssl_cert_load_from_files2 support], [PJPROJECT], [pjsip])
AST_EXT_LIB_SETUP([PORTAUDIO], [PortAudio], [portaudio])
AST_EXT_LIB_SETUP([PRI], [ISDN PRI], [pri])
AST_EXT_LIB_SETUP_OPTIONAL([PRI_SETUP_ACK_INBAND], [ISDN PRI progress inband ie in SETUP ACK], [PRI], [pri])
@ -2076,6 +2077,7 @@ LIBS="${saved_libs}"
CPPFLAGS="${saved_cppflags}"
AST_EXT_LIB_CHECK([PJSIP_GET_DEST_INFO], [pjsip], [pjsip_get_dest_info], [pjsip.h], [$PJPROJECT_LIBS], [$PJPROJECT_CFLAGS])
AST_EXT_LIB_CHECK([PJ_SSL_CERT_LOAD_FROM_FILES2], [pj], [pj_ssl_cert_load_from_files2], [pjlib.h], [$PJPROJECT_LIBS], [$PJPROJECT_CFLAGS])
AST_EXT_LIB_CHECK([POPT], [popt], [poptStrerror], [popt.h])

@ -584,6 +584,10 @@
/* Define if your system has the PJSIP_REPLACE_MEDIA_STREAM headers. */
#undef HAVE_PJSIP_REPLACE_MEDIA_STREAM
/* Define to 1 if PJPROJECT has the pj_ssl_cert_load_from_files2 support
feature. */
#undef HAVE_PJ_SSL_CERT_LOAD_FROM_FILES2
/* Define to 1 if PJPROJECT has the PJSIP Transaction Group Lock Support
feature. */
#undef HAVE_PJ_TRANSACTION_GRP_LOCK
@ -1295,11 +1299,6 @@
/* Define to 1 if running on Darwin. */
#undef _DARWIN_UNLIMITED_SELECT
/* Enable large inode numbers on Mac OS X 10.5. */
#ifndef _DARWIN_USE_64_BIT_INODE
# define _DARWIN_USE_64_BIT_INODE 1
#endif
/* Number of bits in a file offset, on hosts where this is settable. */
#undef _FILE_OFFSET_BITS

@ -91,6 +91,8 @@ struct ast_sip_transport {
AST_DECLARE_STRING_FIELDS(
/*! Certificate of authority list file */
AST_STRING_FIELD(ca_list_file);
/*! Certificate of authority list path */
AST_STRING_FIELD(ca_list_path);
/*! Public certificate file */
AST_STRING_FIELD(cert_file);
/*! Optional private key of the certificate file */
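Review bot: The new Doxygen line for `ca_list_path` copies the "Certificate of authority" wording from the line above and does not tell a reader that the field is only honoured when Asterisk is built against a pjproject that provides pj_ssl_cert_load_from_files2 (2.4 or later, per the sample config and the warning in config_transport.c); with an older build it is parsed but ignored. I would write it as `/*! Directory of CA certificates to trust (TLS only; used only when built against pjproject >= 2.4) */`. The struct ast_sip_transport definition starts before this hunk.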

@ -832,6 +832,9 @@
<configOption name="ca_list_file">
<synopsis>File containing a list of certificates to read (TLS ONLY)</synopsis>
</configOption>
<configOption name="ca_list_path">
<synopsis>Path to directory containing a list of certificates to read (TLS ONLY)</synopsis>
</configOption>
<configOption name="cert_file">
<synopsis>Certificate file for endpoint (TLS ONLY)</synopsis>
<description><para>
@ -1340,6 +1343,9 @@
<parameter name="CaListFile">
<para><xi:include xpointer="xpointer(/docs/configInfo[@name='res_pjsip']/configFile[@name='pjsip.conf']/configObject[@name='transport']/configOption[@name='ca_list_file']/synopsis/node())"/></para>
</parameter>
<parameter name="CaListPath">
<para><xi:include xpointer="xpointer(/docs/configInfo[@name='res_pjsip']/configFile[@name='pjsip.conf']/configObject[@name='transport']/configOption[@name='ca_list_path']/synopsis/node())"/></para>
</parameter>
<parameter name="CertFile">
<para><xi:include xpointer="xpointer(/docs/configInfo[@name='res_pjsip']/configFile[@name='pjsip.conf']/configObject[@name='transport']/configOption[@name='cert_file']/synopsis/node())"/></para>
</parameter>
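Review bot: The `<synopsis>` for `ca_list_path` leaves out the pjproject 2.4 requirement that pjsip.conf.sample states for the same option, so the generated documentation and the sample config disagree about when the option works. I would add a `<description>` under the configOption saying that the option is honoured only when Asterisk is built against pjproject 2.4 or later (older builds log a warning and ignore it), and, since the directory is handed to the TLS backend as a certificate path rather than read by Asterisk, that the directory must be laid out in whatever form the underlying TLS library expects for a CA path, which is worth confirming and stating explicitly. The synopsis itself could read `<synopsis>Path to a directory containing CA certificates to read (TLS ONLY; requires pjproject 2.4 or later)</synopsis>`.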

@ -217,6 +217,14 @@ static int transport_apply(const struct ast_sorcery *sorcery, void *obj)
res = pjsip_tcp_transport_start3(ast_sip_get_pjsip_endpoint(), &cfg, &transport->state->factory);
} else if (transport->type == AST_TRANSPORT_TLS) {
transport->tls.ca_list_file = pj_str((char*)transport->ca_list_file);
#ifdef HAVE_PJ_SSL_CERT_LOAD_FROM_FILES2
transport->tls.ca_list_path = pj_str((char*)transport->ca_list_path);
#else
if (!ast_strlen_zero(transport->ca_list_path)) {
ast_log(LOG_WARNING, "Asterisk has been built against a version of pjproject that does not "
"support the 'ca_list_path' option. Please upgrade to version 2.4 or later.\n");
}
#endif
transport->tls.cert_file = pj_str((char*)transport->cert_file);
transport->tls.privkey_file = pj_str((char*)transport->privkey_file);
transport->tls.password = pj_str((char*)transport->password);
@ -743,6 +751,7 @@ int ast_sip_initialize_sorcery_transport(void)
ast_sorcery_object_field_register_custom(sorcery, "transport", "bind", "", transport_bind_handler, transport_bind_to_str, NULL, 0, 0);
ast_sorcery_object_field_register(sorcery, "transport", "async_operations", "1", OPT_UINT_T, 0, FLDSET(struct ast_sip_transport, async_operations));
ast_sorcery_object_field_register(sorcery, "transport", "ca_list_file", "", OPT_STRINGFIELD_T, 0, STRFLDSET(struct ast_sip_transport, ca_list_file));
ast_sorcery_object_field_register(sorcery, "transport", "ca_list_path", "", OPT_STRINGFIELD_T, 0, STRFLDSET(struct ast_sip_transport, ca_list_path));
ast_sorcery_object_field_register(sorcery, "transport", "cert_file", "", OPT_STRINGFIELD_T, 0, STRFLDSET(struct ast_sip_transport, cert_file));
ast_sorcery_object_field_register(sorcery, "transport", "priv_key_file", "", OPT_STRINGFIELD_T, 0, STRFLDSET(struct ast_sip_transport, privkey_file));
ast_sorcery_object_field_register(sorcery, "transport", "password", "", OPT_STRINGFIELD_T, 0, STRFLDSET(struct ast_sip_transport, password));
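Review bot: In the `#else` branch of the first hunk, a build without pj_ssl_cert_load_from_files2 only logs a warning when `ca_list_path` is set and then falls through to start the TLS transport with that setting silently dropped (`res` is never touched on that path). If the operator configured that directory as the transport's trust store, the transport comes up with fewer trust anchors than intended, and that is a misconfiguration I would rather stop the transport on than log: raise the message to `LOG_ERROR` and add `return -1;` after it. transport_apply begins before this hunk, so check that an early return at this point is consistent with how the function's other failure paths release the transport state they have already created.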
