tls_mgm: fixed exports; improved find_server_domain api function

OpenSIPS · Sep 8, 2015 · 5919f27 · 5919f27
1 parent 0579d43
commit 5919f27
Show file tree

Hide file tree

Showing 3 changed files with 122 additions and 10 deletions.
diff --git a/modules/tls_mgm/tls_domain.c b/modules/tls_mgm/tls_domain.c
@@ -84,7 +84,7 @@ tls_find_server_domain(struct ip_addr *ip, unsigned short port)
  * return default domain if virtual domain not found
  */
 struct tls_domain *
-tls_find_client_domain(struct ip_addr *ip, unsigned short port)
+tls_find_client_domain_addr(struct ip_addr *ip, unsigned short port)
 {
 	struct tls_domain *p = tls_client_domains;
 	while (p) {
@@ -118,6 +118,50 @@ tls_find_client_domain_name(str name)
 	return 0;
 }
 
+/*
+ * find client domain
+ * return 0 if virtual domain not found
+ */
+struct tls_domain *tls_find_client_domain(struct ip_addr *ip,
+				   unsigned short port){
+	struct tls_domain *dom;
+	struct usr_avp *avp;
+	int_str val;
+
+	avp = NULL;
+
+	if (tls_client_domain_avp > 0) {
+		avp = search_first_avp(0, tls_client_domain_avp, &val, 0);
+	} else {
+		LM_DBG("name based TLS client domains are disabled\n");
+	}
+	if (!avp) {
+		LM_DBG("no TLS client doman AVP set, looking "
+			"for socket based TLS client domain\n");
+		dom = tls_find_client_domain_addr(ip, port);
+		if (dom) {
+			LM_DBG("found socket based TLS client domain "
+				"[%s:%d]\n", ip_addr2a(&dom->addr), dom->port);
+		}
+	} else {
+		LM_DBG("TLS client domain AVP found = '%.*s'\n",
+			val.s.len, ZSW(val.s.s));
+		dom = tls_find_client_domain_name(val.s);
+		if (dom) {
+			LM_DBG("found name based TLS client domain "
+				"'%.*s'\n", val.s.len, ZSW(val.s.s));
+		} else {
+			LM_DBG("no name based TLS client domain found, "
+				"trying socket based TLS client domains\n");
+			dom = tls_find_client_domain_addr(ip, port);
+			if (dom) {
+				LM_DBG("found socket based TLS client domain [%s:%d]\n",
+					ip_addr2a(&dom->addr), dom->port);
+			}
+		}
+	}
+	return dom;
+}
 
 /*
  * create a new server domain (identified by a socket)

diff --git a/modules/tls_mgm/tls_domain.h b/modules/tls_mgm/tls_domain.h
@@ -43,7 +43,8 @@
 
 #include "tls_config.h"
 #include "tls_helper.h"
-
+#include "../../usr_avp.h"
+#include "../../ut.h"
 
 
 /*
@@ -78,10 +79,14 @@ struct tls_domain *tls_find_domain_by_id( str *id);
 struct tls_domain *tls_find_server_domain(struct ip_addr *ip,
 				   unsigned short port);
 
+/* find client domain */
+struct tls_domain *tls_find_client_domain(struct ip_addr *ip,
+				   unsigned short port);
+
 /*
  * find client with given ip and port
  */
-struct tls_domain *tls_find_client_domain(struct ip_addr *ip,
+struct tls_domain *tls_find_client_domain_addr(struct ip_addr *ip,
 				   unsigned short port);
 
 /*

diff --git a/modules/tls_mgm/tls_mgm.c b/modules/tls_mgm/tls_mgm.c
@@ -35,10 +35,11 @@ static char *tls_domain_avp = NULL;
 
 static int  mod_init(void);
 static void mod_destroy(void);
-static int tls_get_client_domain(void);
 static int tls_get_handshake_timeout(void);
 static int tls_get_send_timeout(void);
 
+/* definition of exported functions */
+static int is_peer_verified(struct sip_msg*, char*, char*);
 
 static param_export_t params[] = {
 	{ "client_domain_avp",     STR_PARAM,         &tls_domain_avp            },
@@ -61,6 +62,12 @@ static param_export_t params[] = {
 	{0, 0, 0}
 };
 
+static cmd_export_t cmds[] = {
+	{"is_peer_verified", (cmd_function)is_peer_verified,   0, 0, 0,
+			REQUEST_ROUTE},
+	{0,0,0,0,0,0}
+};
+
 /*
  *  pseudo variables
  */
@@ -232,12 +239,12 @@ static pv_export_t mod_items[] = {
 };
 
 struct module_exports exports = {
-	PROTO_PREFIX "tls_mgm",  /* module name*/
+	"tls_mgm",  /* module name*/
 	MOD_TYPE_DEFAULT,    /* class of this module */
 	MODULE_VERSION,
 	DEFAULT_DLFLAGS, /* dlopen flags */
 	NULL,            /* OpenSIPS module dependencies */
-	0,       /* exported functions */
+	cmds,       /* exported functions */
 	0,          /* exported async functions */
 	params,     /* module parameters */
 	0,          /* exported statistics */
@@ -934,9 +941,67 @@ static void mod_destroy(void)
 	return;
 }
 
-static int tls_get_client_domain(void)
+static int is_peer_verified(struct sip_msg* msg, char* foo, char* foo2)
 {
-	return tls_client_domain_avp;
+	struct tcp_connection *c;
+	SSL *ssl;
+	long ssl_verify;
+	X509 *x509_cert;
+
+	LM_DBG("started...\n");
+	if (msg->rcv.proto != PROTO_TLS) {
+		LM_ERR("proto != TLS --> peer can't be verified, return -1\n");
+		return -1;
+	}
+
+	LM_DBG("trying to find TCP connection of received message...\n");
+	/* what if we have multiple connections to the same remote socket? e.g. we can have
+	     connection 1: localIP1:localPort1 <--> remoteIP:remotePort
+	     connection 2: localIP2:localPort2 <--> remoteIP:remotePort
+	   but I think the is very unrealistic */
+	tcp_conn_get(0, &(msg->rcv.src_ip), msg->rcv.src_port, &c, NULL/*fd*/);
+	if (c==NULL) {
+		LM_ERR("no corresponding TLS/TCP connection found."
+				" This should not happen... return -1\n");
+		return -1;
+	}
+	LM_DBG("corresponding TLS/TCP connection found. s=%d, fd=%d, id=%d\n",
+			c->s, c->fd, c->id);
+
+	if (!c->extra_data) {
+		LM_ERR("no extra_data specified in TLS/TCP connection found."
+				" This should not happen... return -1\n");
+		goto error;
+	}
+
+	ssl = (SSL *) c->extra_data;
+
+	ssl_verify = SSL_get_verify_result(ssl);
+	if ( ssl_verify != X509_V_OK ) {
+		LM_WARN("verification of presented certificate failed... return -1\n");
+		goto error;
+	}
+
+	/* now, we have only valid peer certificates or peers without certificates.
+	 * Thus we have to check for the existence of a peer certificate
+	 */
+	x509_cert = SSL_get_peer_certificate(ssl);
+	if ( x509_cert == NULL ) {
+		LM_WARN("tlsops:is_peer_verified: WARNING: peer did not presented "
+			"a certificate. Thus it could not be verified... return -1\n");
+		goto error;
+	}
+
+	X509_free(x509_cert);
+
+	tcp_conn_release(c, 0);
+
+	LM_DBG("tlsops:is_peer_verified: peer is successfuly verified"
+		"...done\n");
+	return 1;
+error:
+	tcp_conn_release(c, 0);
+	return -1;
 }
 
 static int tls_get_handshake_timeout(void)
@@ -951,10 +1016,8 @@ static int tls_get_send_timeout(void)
 
 int load_tls_mgm(struct tls_mgm_binds *binds)
 {
-	binds->get_client_domain = tls_get_client_domain;
 	binds->find_server_domain = tls_find_server_domain;
 	binds->find_client_domain = tls_find_client_domain;
-	binds->find_client_domain_name = tls_find_client_domain_name;
 	binds->get_handshake_timeout = tls_get_handshake_timeout;
 	binds->get_send_timeout = tls_get_send_timeout;
 	binds->mod_init = tls_mod_init;