Add support for the ca_list_path option for PJSIP transports.

This allows for a path to be specified that has a collection of CA certificates in it. ASTERISK-24575 #close Reported by cloos Patches: pj-ca-path-trunk.diff uploaded by cloos (License #5956) Review: https://reviewboard.asterisk.org/r/4344 ........ Merged revisions 430709 from http://svn.asterisk.org/svn/asterisk/branches/13 git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@430713 65c4cc65-6c06-0410-ace0-fbb531ad65f3
2025-09-30 02:26:23 +00:00 · 2015-01-16 21:46:09 +00:00
parent a8ea2f9287
commit 023fa0f9e8
8 changed files with 1428 additions and 1220 deletions
--- a/6
+++ b/6
@@ -124,6 +124,12 @@ res_fax
   res_fax.conf and via the fax options dialplan function 'FAXOPT(t38timeout)'.
   The default remains at 5000 milliseconds.
 PJSIP Transports
 ----------
 * The ca_list_path transport parameter has been added for TLS transports. This
   option behaves similarly to the old sip.conf option "tlscapath". In order to
   use this, you must be using PJProject version ?.? or higher.
 ARI
 ------------------
 * The Originate operation now takes in an originator channel. The linked ID of
--- a/configs/samples/pjsip.conf.sample
+++ b/configs/samples/pjsip.conf.sample
@@ -758,6 +758,10 @@
        ; "")
 ;ca_list_file=  ; File containing a list of certificates to read TLS ONLY
                ; (default: "")
 ;ca_list_path=  ; Path to directory containing certificates to read TLS ONLY.
                ; PJProject version 2.4 or higher is required for this option to
 				; be used.
                ; (default: "")
 ;cert_file=     ; Certificate file for endpoint TLS ONLY
                ; Will read .crt or .pem file but only uses cert,
                ; a .key file must be specified via priv_key_file
--- a/2468
+++ b/2468
--- a/configure.ac
+++ b/configure.ac
@@ -457,6 +457,7 @@ AST_EXT_LIB_SETUP([POPT], [popt], [popt])
 AST_EXT_LIB_SETUP_OPTIONAL([PJ_TRANSACTION_GRP_LOCK], [PJSIP Transaction Group Lock Support], [PJPROJECT], [pjsip])
 AST_EXT_LIB_SETUP_OPTIONAL([PJSIP_REPLACE_MEDIA_STREAM], [PJSIP Media Stream Replacement Support], [PJPROJECT], [pjsip])
 AST_EXT_LIB_SETUP_OPTIONAL([PJSIP_GET_DEST_INFO], [pjsip_get_dest_info support], [PJPROJECT], [pjsip])
 AST_EXT_LIB_SETUP_OPTIONAL([PJ_SSL_CERT_LOAD_FROM_FILES2], [pj_ssl_cert_load_from_files2 support], [PJPROJECT], [pjsip])
 AST_EXT_LIB_SETUP([PORTAUDIO], [PortAudio], [portaudio])
 AST_EXT_LIB_SETUP([PRI], [ISDN PRI], [pri])
 AST_EXT_LIB_SETUP_OPTIONAL([PRI_SETUP_ACK_INBAND], [ISDN PRI progress inband ie in SETUP ACK], [PRI], [pri])
@@ -2076,6 +2077,7 @@ LIBS="${saved_libs}"
 CPPFLAGS="${saved_cppflags}"
 AST_EXT_LIB_CHECK([PJSIP_GET_DEST_INFO], [pjsip], [pjsip_get_dest_info], [pjsip.h], [$PJPROJECT_LIBS], [$PJPROJECT_CFLAGS])
 AST_EXT_LIB_CHECK([PJ_SSL_CERT_LOAD_FROM_FILES2], [pj], [pj_ssl_cert_load_from_files2], [pjlib.h], [$PJPROJECT_LIBS], [$PJPROJECT_CFLAGS])
 AST_EXT_LIB_CHECK([POPT], [popt], [poptStrerror], [popt.h])
--- a/include/asterisk/autoconfig.h.in
+++ b/include/asterisk/autoconfig.h.in
@@ -584,6 +584,10 @@
 /* Define if your system has the PJSIP_REPLACE_MEDIA_STREAM headers. */
 #undef HAVE_PJSIP_REPLACE_MEDIA_STREAM
 /* Define to 1 if PJPROJECT has the pj_ssl_cert_load_from_files2 support
   feature. */
 #undef HAVE_PJ_SSL_CERT_LOAD_FROM_FILES2
 /* Define to 1 if PJPROJECT has the PJSIP Transaction Group Lock Support
   feature. */
 #undef HAVE_PJ_TRANSACTION_GRP_LOCK
@@ -1295,11 +1299,6 @@
 /* Define to 1 if running on Darwin. */
 #undef _DARWIN_UNLIMITED_SELECT
 /* Enable large inode numbers on Mac OS X 10.5.  */
 #ifndef _DARWIN_USE_64_BIT_INODE
 # define _DARWIN_USE_64_BIT_INODE 1
 #endif
 /* Number of bits in a file offset, on hosts where this is settable. */
 #undef _FILE_OFFSET_BITS
--- a/include/asterisk/res_pjsip.h
+++ b/include/asterisk/res_pjsip.h
@@ -91,6 +91,8 @@ struct ast_sip_transport {
 	AST_DECLARE_STRING_FIELDS(
 		/*! Certificate of authority list file */
 		AST_STRING_FIELD(ca_list_file);
 		/*! Certificate of authority list path */
 		AST_STRING_FIELD(ca_list_path);
 		/*! Public certificate file */
 		AST_STRING_FIELD(cert_file);
 		/*! Optional private key of the certificate file */
--- a/res/res_pjsip.c
+++ b/res/res_pjsip.c
@@ -832,6 +832,9 @@
 				<configOption name="ca_list_file">
 					<synopsis>File containing a list of certificates to read (TLS ONLY)</synopsis>
 				</configOption>
 				<configOption name="ca_list_path">
 					<synopsis>Path to directory containing a list of certificates to read (TLS ONLY)</synopsis>
 				</configOption>
 				<configOption name="cert_file">
 					<synopsis>Certificate file for endpoint (TLS ONLY)</synopsis>
 					<description><para>
@@ -1340,6 +1343,9 @@
 				<parameter name="CaListFile">
 					<para><xi:include xpointer="xpointer(/docs/configInfo[@name='res_pjsip']/configFile[@name='pjsip.conf']/configObject[@name='transport']/configOption[@name='ca_list_file']/synopsis/node())"/></para>
 				</parameter>
 				<parameter name="CaListPath">
 					<para><xi:include xpointer="xpointer(/docs/configInfo[@name='res_pjsip']/configFile[@name='pjsip.conf']/configObject[@name='transport']/configOption[@name='ca_list_path']/synopsis/node())"/></para>
 				</parameter>
 				<parameter name="CertFile">
 					<para><xi:include xpointer="xpointer(/docs/configInfo[@name='res_pjsip']/configFile[@name='pjsip.conf']/configObject[@name='transport']/configOption[@name='cert_file']/synopsis/node())"/></para>
 				</parameter>
--- a/res/res_pjsip/config_transport.c
+++ b/res/res_pjsip/config_transport.c
@@ -217,6 +217,14 @@ static int transport_apply(const struct ast_sorcery *sorcery, void *obj)
 		res = pjsip_tcp_transport_start3(ast_sip_get_pjsip_endpoint(), &cfg, &transport->state->factory);
 	} else if (transport->type == AST_TRANSPORT_TLS) {
 		transport->tls.ca_list_file = pj_str((char*)transport->ca_list_file);
 #ifdef HAVE_PJ_SSL_CERT_LOAD_FROM_FILES2
 		transport->tls.ca_list_path = pj_str((char*)transport->ca_list_path);
 #else
 		if (!ast_strlen_zero(transport->ca_list_path)) {
 			ast_log(LOG_WARNING, "Asterisk has been built against a version of pjproject that does not "
 					"support the 'ca_list_path' option. Please upgrade to version 2.4 or later.\n");
 		}
 #endif
 		transport->tls.cert_file = pj_str((char*)transport->cert_file);
 		transport->tls.privkey_file = pj_str((char*)transport->privkey_file);
 		transport->tls.password = pj_str((char*)transport->password);
@@ -743,6 +751,7 @@ int ast_sip_initialize_sorcery_transport(void)
 	ast_sorcery_object_field_register_custom(sorcery, "transport", "bind", "", transport_bind_handler, transport_bind_to_str, NULL, 0, 0);
 	ast_sorcery_object_field_register(sorcery, "transport", "async_operations", "1", OPT_UINT_T, 0, FLDSET(struct ast_sip_transport, async_operations));
 	ast_sorcery_object_field_register(sorcery, "transport", "ca_list_file", "", OPT_STRINGFIELD_T, 0, STRFLDSET(struct ast_sip_transport, ca_list_file));
 	ast_sorcery_object_field_register(sorcery, "transport", "ca_list_path", "", OPT_STRINGFIELD_T, 0, STRFLDSET(struct ast_sip_transport, ca_list_path));
 	ast_sorcery_object_field_register(sorcery, "transport", "cert_file", "", OPT_STRINGFIELD_T, 0, STRFLDSET(struct ast_sip_transport, cert_file));
 	ast_sorcery_object_field_register(sorcery, "transport", "priv_key_file", "", OPT_STRINGFIELD_T, 0, STRFLDSET(struct ast_sip_transport, privkey_file));
 	ast_sorcery_object_field_register(sorcery, "transport", "password", "", OPT_STRINGFIELD_T, 0, STRFLDSET(struct ast_sip_transport, password));