stir_shaken VS: Improve several return codes

* on bad client-side signature length, return "438 Invalid Identity Header (bad signature)" vs. "500 Internal Server Error" (??) * on encountering expired certificates advertised by clients, return "438 Invalid Identity Header (cert validity)" vs. "403 Stale Date" (?!) * fix abs() related compiler warnings introduced earlier (cherry picked from commit e2977a4)
OpenSIPS · Sep 27, 2023 · 630ce8a · 630ce8a
1 parent d3ff325
commit 630ce8a
Showing 1 changed file with 8 additions and 7 deletions.
diff --git a/modules/stir_shaken/stir_shaken.c b/modules/stir_shaken/stir_shaken.c
@@ -1061,7 +1061,7 @@ static int w_stir_auth(struct sip_msg *msg, str *attest, str *origid,
 			return -1;
 		}
 
-		if (abs(now - date_ts) > auth_date_freshness) {
+		if (labs(now - date_ts) > auth_date_freshness) {
 			LM_NOTICE("Date header timestamp diff exceeds local policy "
 			    "(diff: %lds, auth-freshness: %ds)\n", now - date_ts, auth_date_freshness);
 			return -4;
@@ -1538,6 +1538,7 @@ static int verify_signature(X509 *cert,
 	if (parsed->dec_signature.len != RAW_SIG_LEN) {
 		LM_ERR("Bad raw signature length [%d], should be [%d]\n",
 			parsed->dec_signature.len, RAW_SIG_LEN);
+		rc = 0;
 		goto error;
 	}
 
@@ -1851,15 +1852,15 @@ static int w_stir_verify(struct sip_msg *msg, str *cert_buf,
 			goto error;
 		}
 
-		if (abs(now - date_ts) > verify_date_freshness) {
+		if (labs(now - date_ts) > verify_date_freshness) {
 			LM_NOTICE("Date header timestamp diff exceeds local policy "
 			    "(diff: %lds, verify-freshness: %ds)\n", now - date_ts, verify_date_freshness);
 			SET_VERIFY_ERR_VARS(STALE_DATE_CODE, STALE_DATE_REASON);
 			rc = -6;
 			goto error;
 		}
 	} else {
-		if (abs(now - iat_ts) > verify_date_freshness) {
+		if (labs(now - iat_ts) > verify_date_freshness) {
 			LM_NOTICE("'iat' timestamp diff exceeds local policy "
 			    "(diff: %lds, verify-freshness: %ds)\n", now - iat_ts, verify_date_freshness);
 			SET_VERIFY_ERR_VARS(STALE_DATE_CODE, STALE_DATE_REASON);
@@ -1902,14 +1903,14 @@ static int w_stir_verify(struct sip_msg *msg, str *cert_buf,
 	if (require_date_hdr || date_hf) {
 		if (!check_cert_validity(&date_ts, cert)) {
 			LM_INFO("The Date header does not fall within the certificate validity\n");
-			SET_VERIFY_ERR_VARS(STALE_DATE_CODE, STALE_DATE_REASON);
+			SET_VERIFY_ERR_VARS(INVALID_IDENTITY_CODE, INVALID_IDENTITY_REASON " (cert validity)");
 			rc = -7;
 			goto error;
 		}
 	} else {
 		if (!check_cert_validity(&iat_ts, cert)) {
 			LM_INFO("The 'iat' value does not fall within the certificate validity\n");
-			SET_VERIFY_ERR_VARS(STALE_DATE_CODE, STALE_DATE_REASON);
+			SET_VERIFY_ERR_VARS(INVALID_IDENTITY_CODE, INVALID_IDENTITY_REASON " (cert validity)");
 			rc = -7;
 			goto error;
 		}
@@ -1928,7 +1929,7 @@ static int w_stir_verify(struct sip_msg *msg, str *cert_buf,
 	}
 
 	if (date_hf && iat_ts != date_ts &&
-		(abs(now - iat_ts) > verify_date_freshness))
+		(labs(now - iat_ts) > verify_date_freshness))
 		iat_ts = date_ts;
 
 	if ((rc = verify_signature(cert, parsed, iat_ts, orig_tn_p, dest_tn_p)) <= 0) {
@@ -1939,7 +1940,7 @@ static int w_stir_verify(struct sip_msg *msg, str *cert_buf,
 			goto error;
 		} else {
 			LM_INFO("Signature did not verify successfully\n");
-			SET_VERIFY_ERR_VARS(INVALID_IDENTITY_CODE, INVALID_IDENTITY_REASON);
+			SET_VERIFY_ERR_VARS(INVALID_IDENTITY_CODE, INVALID_IDENTITY_REASON " (bad signature)");
 			rc = -9;
 			goto error;
 		}