
tls: updated for avp long value field

Daniel-Constantin Mierla authored on 21/11/2022 10:09:35
... ...
@@ -517,7 +517,7 @@ static int pv_check_cert(sip_msg_t* msg, pv_param_t* param, pv_value_t* res)
517 517
 	case PV_CERT_EXPIRED:    err = X509_V_ERR_CERT_HAS_EXPIRED;            break;
518 518
 	case PV_CERT_SELFSIGNED: err = X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT; break;
519 519
 	default:
520
-		BUG("unexpected parameter value \"%d\"\n", param->pvn.u.isname.name.n);
520
+		BUG("unexpected parameter value \"%ld\"\n", param->pvn.u.isname.name.n);
521 521
 		return pv_get_null(msg, param, res);
522 522
 	}
523 523
 	
... ...
@@ -617,7 +617,7 @@ static int pv_validity(sip_msg_t* msg, pv_param_t* param, pv_value_t* res)
617 617
 	case PV_CERT_NOTBEFORE: bound = NOT_BEFORE; break;
618 618
 	case PV_CERT_NOTAFTER:  bound = NOT_AFTER;  break;
619 619
 	default:
620
-		BUG("unexpected parameter value \"%d\"\n", param->pvn.u.isname.name.n);
620
+		BUG("unexpected parameter value \"%ld\"\n", param->pvn.u.isname.name.n);
621 621
 		return pv_get_null(msg, param, res);
622 622
 	}
623 623
 
... ...
@@ -1254,7 +1254,7 @@ static int sel_tlsext_sn(str* res, select_t* s, sip_msg_t* msg)
1254 1254
 static int pv_tlsext_sn(sip_msg_t* msg, pv_param_t* param, pv_value_t* res)
1255 1255
 {
1256 1256
 	if (param->pvn.u.isname.name.n != PV_TLSEXT_SNI) {
1257
-		BUG("unexpected parameter value \"%d\"\n",
1257
+		BUG("unexpected parameter value \"%ld\"\n",
1258 1258
 			param->pvn.u.isname.name.n);
1259 1259
 		return pv_get_null(msg, param, res);
1260 1260
 	}

tls: switch to long pvar field

Daniel-Constantin Mierla authored on 16/11/2022 15:39:25
... ...
@@ -237,7 +237,7 @@ static int pv_cipher(sip_msg_t* msg, pv_param_t* param, pv_value_t* res)
237 237
 }
238 238
 
239 239
 
240
-static int get_bits(str* res, int* i, sip_msg_t* msg) 
240
+static int get_bits(str* res, long* i, sip_msg_t* msg) 
241 241
 {
242 242
 	str bits;
243 243
 	int b;
... ...
@@ -444,7 +444,7 @@ static int pv_cert_version(sip_msg_t* msg, pv_param_t* param, pv_value_t* res)
444 444
  * Check whether peer certificate exists and verify the result
445 445
  * of certificate verification
446 446
  */
447
-static int check_cert(str* res, int* ires, int local, int err, sip_msg_t* msg)
447
+static int check_cert(str* res, long* ires, int local, int err, sip_msg_t* msg)
448 448
 {
449 449
 	static str succ = STR_STATIC_INIT("1");
450 450
 	static str fail = STR_STATIC_INIT("0");

tls: cert serial number can exceed uint64

- GH #3168

S-P Chan authored on 29/06/2022 23:19:18 • Daniel-Constantin Mierla committed on 04/07/2022 10:42:56
... ...
@@ -630,24 +630,35 @@ static int pv_validity(sip_msg_t* msg, pv_param_t* param, pv_value_t* res)
630 630
 }
631 631
 
632 632
 
633
-static int get_sn(str* res, int* ires, int local, sip_msg_t* msg)
633
+static int get_sn(str* res, int local, sip_msg_t* msg)
634 634
 {
635
-	static char buf[INT2STR_MAX_LEN];
635
+	static char buf[80]; // handle 256-bit > log(2^256,10)
636 636
 	X509* cert;
637 637
 	struct tcp_connection* c;
638
-	char* sn;
639
-	int num;
638
+	char* sn = NULL;
639
+	BIGNUM* bn = NULL;
640 640
 
641 641
 	if (get_cert(&cert, &c, msg, local) < 0) return -1;
642 642
 
643
-	num = ASN1_INTEGER_get(X509_get_serialNumber(cert));
644
-	sn = int2str(num, &res->len);
643
+	if (!(bn = BN_new())) goto error;
644
+	if (!ASN1_INTEGER_to_BN(X509_get_serialNumber(cert), bn)) goto error;
645
+	if (!(sn = BN_bn2dec(bn)) || strlen(sn) > 80) goto error;
646
+
647
+	res->len = strlen(sn);
645 648
 	memcpy(buf, sn, res->len);
646 649
 	res->s = buf;
647
-	if (ires) *ires = num;
650
+
648 651
 	if (!local) X509_free(cert);
649 652
 	tcpconn_put(c);
653
+
654
+	BN_free(bn);
655
+	OPENSSL_free(sn);
650 656
 	return 0;
657
+
658
+ error:
659
+	if (sn) OPENSSL_free(sn);
660
+	if (bn) BN_free(bn);
661
+	return -1;
651 662
 }
652 663
 
653 664
 static int sel_sn(str* res, select_t* s, sip_msg_t* msg)
... ...
@@ -662,7 +673,7 @@ static int sel_sn(str* res, select_t* s, sip_msg_t* msg)
662 673
 		return -1;
663 674
 	}
664 675
 
665
-	return get_sn(res, NULL, local, msg);
676
+	return get_sn(res, local, msg);
666 677
 }
667 678
 
668 679
 
... ...
@@ -679,11 +690,11 @@ static int pv_sn(sip_msg_t* msg, pv_param_t* param, pv_value_t* res)
679 690
 		return pv_get_null(msg, param, res);
680 691
 	}
681 692
 	
682
-	if (get_sn(&res->rs, &res->ri, local, msg) < 0) {
693
+	if (get_sn(&res->rs, local, msg) < 0) {
683 694
 		return pv_get_null(msg, param, res);
684 695
 	}
685 696
 	
686
-	res->flags = PV_VAL_STR | PV_VAL_INT;
697
+	res->flags = PV_VAL_STR;
687 698
 	return 0;
688 699
 }
689 700
 
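Review bot: Every `goto error` in the new get_sn fires after get_cert() has already succeeded, yet the `error:` label only frees `sn` and `bn`, so the peer certificate reference and the connection reference taken by get_cert() are never released on that path (the success path still does `if (!local) X509_free(cert); tcpconn_put(c);`, and get_ssl_cert's `err:` label in this file does the same). A remote peer chooses its own serial, so a certificate whose serial BN_bn2dec renders in more than 80 digits (or any BN_new/ASN1_INTEGER_to_BN failure) would leak one tcpconn reference per evaluation of the serial variable, if OpenSSL accepts such a certificate at all; add `if (!local) X509_free(cert);` and `tcpconn_put(c);` to the `error:` label before `return -1;`. The literal in `strlen(sn) > 80` should be `sizeof(buf)` so the bound cannot drift from the buffer; 80 digits is generous given RFC 5280 caps conforming serials at 20 octets (at most 49 decimal digits), and 2^256 needs 78. Dropping `PV_VAL_INT` means `$tls_peer_serial`/`$tls_my_serial` now compare as strings only, which is the intent here but deserves a line in the module docs.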

tls: get local/remote issuer line via $tls(key)

- new keys: m_issuer_line, p_issuer_line

Daniel-Constantin Mierla authored on 25/11/2021 08:55:31
... ...
@@ -1263,6 +1263,13 @@ int pv_parse_tls_name(pv_spec_p sp, str *in)
1263 1263
 		return -1;
1264 1264
 
1265 1265
 	switch(in->len) {
1266
+		case 13:
1267
+			if(strncmp(in->s, "m_issuer_line", 13)==0)
1268
+				sp->pvp.pvn.u.isname.name.n = 1001;
1269
+			else if(strncmp(in->s, "p_issuer_line", 13)==0)
1270
+				sp->pvp.pvn.u.isname.name.n = 5001;
1271
+			else goto error;
1272
+		break;
1266 1273
 		case 14:
1267 1274
 			if(strncmp(in->s, "m_subject_line", 14)==0)
1268 1275
 				sp->pvp.pvn.u.isname.name.n = 1000;
... ...
@@ -1309,9 +1316,9 @@ int pv_get_tls(struct sip_msg *msg, pv_param_t *param,
1309 1316
 					: SSL_get_peer_certificate(ssl);
1310 1317
 	if (cert == NULL) {
1311 1318
 		if (param->pvn.u.isname.name.n < 5000) {
1312
-			LM_ERR("Unable to retrieve my TLS certificate from SSL structure\n");
1319
+			LM_ERR("failed to retrieve my TLS certificate from SSL structure\n");
1313 1320
 		} else {
1314
-			LM_ERR("Unable to retrieve peer TLS certificate from SSL structure\n");
1321
+			LM_ERR("failed to retrieve peer TLS certificate from SSL structure\n");
1315 1322
 		}
1316 1323
 		goto error;
1317 1324
 	}
... ...
@@ -1325,8 +1332,21 @@ int pv_get_tls(struct sip_msg *msg, pv_param_t *param,
1325 1332
 			if(X509_NAME_oneline(X509_get_subject_name(cert), sv.s, sv.len)==NULL) {
1326 1333
 				goto error;
1327 1334
 			}
1335
+			tcpconn_put(c);
1336
+			return pv_get_strzval(msg, param, res, sv.s);
1337
+		break;
1338
+
1339
+		case 1001:
1340
+		case 5001:
1341
+			sv.s = pv_get_buffer();
1342
+			sv.len = pv_get_buffer_size() - 1;
1343
+			if(X509_NAME_oneline(X509_get_issuer_name(cert), sv.s, sv.len)==NULL) {
1344
+				goto error;
1345
+			}
1346
+			tcpconn_put(c);
1328 1347
 			return pv_get_strzval(msg, param, res, sv.s);
1329 1348
 		break;
1349
+
1330 1350
 		default:
1331 1351
 			goto error;
1332 1352
 	}
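Review bot: The certificate fetched at the top of pv_get_tls with `SSL_get_peer_certificate(ssl)` for the `p_*` keys (`name.n >= 5000`) is a new reference that the caller owns, but neither the returns added after `tcpconn_put(c)` in the 1000/5000 and 1001/5001 cases nor the `error:` path call X509_free on it, whereas the rest of this file releases the peer certificate with `if (!local) X509_free(cert);` (get_sn, get_ssl_cert). Every evaluation of `$tls(p_subject_line)` or `$tls(p_issuer_line)` therefore leaks one X509 object; `SSL_get_certificate()` used for the `m_*` keys returns a borrowed pointer and must not be freed. Add `if (param->pvn.u.isname.name.n >= 5000) X509_free(cert);` before each `tcpconn_put(c);` and, guarded by `if (cert != NULL)`, in the `error:` label. pv_get_tls starts and ends outside this hunk, and the `error:` label itself is not shown here.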

tls: new config variable $tls(key)

- return attributes related to tls communication
- first implemented keys:
- m_subject_line - return local (my) certificate subject line
- p_subject_line - return remote (peer) certificate subject line

Daniel-Constantin Mierla authored on 24/11/2021 08:30:22
... ...
@@ -39,6 +39,7 @@
39 39
 #include "../../core/tcp_server.h"
40 40
 #include "../../core/tcp_conn.h"
41 41
 #include "../../core/ut.h"
42
+#include "../../core/pvapi.h"
42 43
 #include "../../core/cfg/cfg.h"
43 44
 #include "../../core/dprint.h"
44 45
 #include "../../core/strutils.h"
... ...
@@ -1256,8 +1257,84 @@ static int pv_tlsext_sn(sip_msg_t* msg, pv_param_t* param, pv_value_t* res)
1256 1257
 }
1257 1258
 
1258 1259
 
1260
+int pv_parse_tls_name(pv_spec_p sp, str *in)
1261
+{
1262
+	if(sp==NULL || in==NULL || in->len<=0)
1263
+		return -1;
1264
+
1265
+	switch(in->len) {
1266
+		case 14:
1267
+			if(strncmp(in->s, "m_subject_line", 14)==0)
1268
+				sp->pvp.pvn.u.isname.name.n = 1000;
1269
+			else if(strncmp(in->s, "p_subject_line", 14)==0)
1270
+				sp->pvp.pvn.u.isname.name.n = 5000;
1271
+			else goto error;
1272
+		break;
1273
+		default:
1274
+			goto error;
1275
+	}
1276
+	sp->pvp.pvn.type = PV_NAME_INTSTR;
1277
+	sp->pvp.pvn.u.isname.type = 0;
1259 1278
 
1279
+	return 0;
1260 1280
 
1281
+error:
1282
+	LM_ERR("unknown PV tls name %.*s\n", in->len, in->s);
1283
+	return -1;
1284
+}
1285
+
1286
+
1287
+int pv_get_tls(struct sip_msg *msg, pv_param_t *param,
1288
+		pv_value_t *res)
1289
+{
1290
+	SSL *ssl = NULL;
1291
+	tcp_connection_t *c = NULL;
1292
+	X509 *cert = NULL;
1293
+	str sv = STR_NULL;
1294
+
1295
+	if(msg==NULL || param==NULL) {
1296
+		return -1;
1297
+	}
1298
+
1299
+	c = get_cur_connection(msg);
1300
+	if (c == NULL) {
1301
+		LM_DBG("TLS connection not found\n");
1302
+		return pv_get_null(msg, param, res);
1303
+	}
1304
+	ssl = get_ssl(c);
1305
+	if (ssl == NULL) {
1306
+		goto error;
1307
+	}
1308
+	cert = (param->pvn.u.isname.name.n < 5000) ? SSL_get_certificate(ssl)
1309
+					: SSL_get_peer_certificate(ssl);
1310
+	if (cert == NULL) {
1311
+		if (param->pvn.u.isname.name.n < 5000) {
1312
+			LM_ERR("Unable to retrieve my TLS certificate from SSL structure\n");
1313
+		} else {
1314
+			LM_ERR("Unable to retrieve peer TLS certificate from SSL structure\n");
1315
+		}
1316
+		goto error;
1317
+	}
1318
+
1319
+	switch(param->pvn.u.isname.name.n)
1320
+	{
1321
+		case 1000:
1322
+		case 5000:
1323
+			sv.s = pv_get_buffer();
1324
+			sv.len = pv_get_buffer_size() - 1;
1325
+			if(X509_NAME_oneline(X509_get_subject_name(cert), sv.s, sv.len)==NULL) {
1326
+				goto error;
1327
+			}
1328
+			return pv_get_strzval(msg, param, res, sv.s);
1329
+		break;
1330
+		default:
1331
+			goto error;
1332
+	}
1333
+
1334
+error:
1335
+	tcpconn_put(c);
1336
+	return pv_get_null(msg, param, res);
1337
+}
1261 1338
 
1262 1339
 select_row_t tls_sel[] = {
1263 1340
 	/* Current cipher parameters */
... ...
@@ -1544,6 +1621,8 @@ pv_export_t tls_pv[] = {
1544 1621
 	{{"tls_peer_server_name", sizeof("tls_peer_server_name")-1},
1545 1622
 		PVT_OTHER, pv_tlsext_sn, 0,
1546 1623
 		0, 0, pv_init_iname, PV_TLSEXT_SNI },
1624
+	{ {"tls", (sizeof("tls")-1)}, PVT_OTHER, pv_get_tls,
1625
+		0, pv_parse_tls_name, 0, 0, 0},
1547 1626
 
1548 1627
 	{ {0, 0}, 0, 0, 0, 0, 0, 0, 0 }
1549 1628
 
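Review bot: The success path of pv_get_tls (`return pv_get_strzval(msg, param, res, sv.s);` in the 1000/5000 case) returns without `tcpconn_put(c)`, while the `error:` label does release the connection obtained from get_cur_connection(), so every successful `$tls(...)` lookup leaves the connection's reference count incremented and the connection can never be freed. Since `sv.s` is the process-local `pv_get_buffer()` and not connection memory, the put can safely precede the return: `tcpconn_put(c); return pv_get_strzval(msg, param, res, sv.s);`. The `p_subject_line` path also owns the X509 returned by `SSL_get_peer_certificate(ssl)` and never frees it, unlike get_sn/get_ssl_cert which do `if (!local) X509_free(cert);`; a `X509_free(cert)` for the `>= 5000` keys belongs next to the put. pv_parse_tls_name is fine as written, though a short comment explaining that values below 5000 address the local certificate and 5000+ the peer's would help the next reader.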

tls: kemi function KSR.tls.cget(aname)

- get connection/certificates attributes by providing a corresponding
tls pv name

Daniel-Constantin Mierla authored on 18/12/2020 08:17:43
... ...
@@ -1404,7 +1404,7 @@ pv_export_t tls_pv[] = {
1404 1404
 	{{"tls_my_serial", sizeof("tls_my_serial")-1},
1405 1405
 		PVT_OTHER, pv_sn,0,
1406 1406
 		0, 0, pv_init_iname, PV_CERT_LOCAL },
1407
-	/* certificate parameters for peer and local, for subject and issuer*/	
1407
+	/* certificate parameters for peer and local, for subject and issuer*/
1408 1408
 	{{"tls_peer_subject", sizeof("tls_peer_subject")-1},
1409 1409
 		PVT_OTHER, pv_comp, 0,
1410 1410
 		0, 0, pv_init_iname, PV_CERT_PEER  | PV_CERT_SUBJECT },
... ...
@@ -1496,7 +1496,7 @@ pv_export_t tls_pv[] = {
1496 1496
 	{{"tls_my_subject_uid", sizeof("tls_my_subject_uid")-1},
1497 1497
 		PVT_OTHER, pv_comp, 0,
1498 1498
 		0, 0, pv_init_iname, PV_CERT_LOCAL | PV_CERT_SUBJECT | PV_COMP_UID },
1499
-	/* subject alternative name parameters for peer and local */	
1499
+	/* subject alternative name parameters for peer and local */
1500 1500
 	{{"tls_peer_san_email", sizeof("tls_peer_san_email")-1},
1501 1501
 		PVT_OTHER, pv_alt, 0,
1502 1502
 		0, 0, pv_init_iname, PV_CERT_PEER  | PV_COMP_E },
... ...
@@ -1521,7 +1521,7 @@ pv_export_t tls_pv[] = {
1521 1521
 	{{"tls_my_san_ip", sizeof("tls_my_san_ip")-1},
1522 1522
 		PVT_OTHER, pv_alt, 0,
1523 1523
 		0, 0, pv_init_iname, PV_CERT_LOCAL | PV_COMP_IP },
1524
-	/* peer certificate validation parameters */		
1524
+	/* peer certificate validation parameters */
1525 1525
 	{{"tls_peer_verified", sizeof("tls_peer_verified")-1},
1526 1526
 		PVT_OTHER, pv_check_cert, 0,
1527 1527
 		0, 0, pv_init_iname, PV_CERT_VERIFIED },
... ...
@@ -1540,11 +1540,71 @@ pv_export_t tls_pv[] = {
1540 1540
 	{{"tls_peer_notAfter", sizeof("tls_peer_notAfter")-1},
1541 1541
 		PVT_OTHER, pv_validity, 0,
1542 1542
 		0, 0, pv_init_iname, PV_CERT_NOTAFTER },
1543
-	/* peer certificate validation parameters */		
1543
+	/* peer certificate validation parameters */
1544 1544
 	{{"tls_peer_server_name", sizeof("tls_peer_server_name")-1},
1545 1545
 		PVT_OTHER, pv_tlsext_sn, 0,
1546 1546
 		0, 0, pv_init_iname, PV_TLSEXT_SNI },
1547 1547
 
1548 1548
 	{ {0, 0}, 0, 0, 0, 0, 0, 0, 0 }
1549 1549
 
1550
-}; 
1550
+};
1551
+
1552
+
1553
+/**
1554
+ *
1555
+ */
1556
+static sr_kemi_xval_t _ksr_kemi_tls_xval = {0};
1557
+
1558
+
1559
+/**
1560
+ *
1561
+ */
1562
+sr_kemi_xval_t* ki_tls_cget_attr(sip_msg_t* msg, str *aname)
1563
+{
1564
+	pv_param_t param;
1565
+	pv_value_t value;
1566
+	int i;
1567
+
1568
+	memset(&_ksr_kemi_tls_xval, 0, sizeof(sr_kemi_xval_t));
1569
+	for(i=0; tls_pv[i].name.s != NULL; i++) {
1570
+		if((tls_pv[i].name.len == aname->len)
1571
+				&& strncmp(tls_pv[i].name.s, aname->s, aname->len) == 0) {
1572
+			break;
1573
+		}
1574
+	}
1575
+	if(tls_pv[i].name.s==NULL) {
1576
+		LM_WARN("unknown attribute: %.*s\n", aname->len, aname->s);
1577
+		sr_kemi_xval_null(&_ksr_kemi_tls_xval, SR_KEMI_XVAL_NULL_EMPTY);
1578
+		return &_ksr_kemi_tls_xval;
1579
+	}
1580
+	if(tls_pv[i].parse_name!=NULL || tls_pv[i].parse_index!=NULL) {
1581
+		LM_WARN("unsupported attribute: %.*s\n", aname->len, aname->s);
1582
+		sr_kemi_xval_null(&_ksr_kemi_tls_xval, SR_KEMI_XVAL_NULL_EMPTY);
1583
+		return &_ksr_kemi_tls_xval;
1584
+	}
1585
+	memset(&param, 0, sizeof(pv_param_t));
1586
+	memset(&value, 0, sizeof(pv_value_t));
1587
+
1588
+	if(tls_pv[i].getf(msg, &param, &value) != 0) {
1589
+		sr_kemi_xval_null(&_ksr_kemi_tls_xval, SR_KEMI_XVAL_NULL_EMPTY);
1590
+		return &_ksr_kemi_tls_xval;
1591
+	}
1592
+	if(value.flags & PV_VAL_NULL) {
1593
+		sr_kemi_xval_null(&_ksr_kemi_tls_xval, SR_KEMI_XVAL_NULL_EMPTY);
1594
+		return &_ksr_kemi_tls_xval;
1595
+	}
1596
+	if(value.flags & PV_TYPE_INT) {
1597
+		_ksr_kemi_tls_xval.vtype = SR_KEMIP_INT;
1598
+		_ksr_kemi_tls_xval.v.n = value.ri;
1599
+		return &_ksr_kemi_tls_xval;
1600
+	}
1601
+	if(value.flags & PV_VAL_STR) {
1602
+		_ksr_kemi_tls_xval.vtype = SR_KEMIP_STR;
1603
+		_ksr_kemi_tls_xval.v.s = value.rs;
1604
+		return &_ksr_kemi_tls_xval;
1605
+	}
1606
+
1607
+	LM_WARN("unsupported value for attribute: %.*s\n", aname->len, aname->s);
1608
+	sr_kemi_xval_null(&_ksr_kemi_tls_xval, SR_KEMI_XVAL_NULL_EMPTY);
1609
+	return &_ksr_kemi_tls_xval;
1610
+}
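Review bot: `param` is zeroed and passed straight to `tls_pv[i].getf`, so `param->pvn.u.isname.name.n` is 0 for every attribute, but most rows of `tls_pv` obtain that field through `pv_init_iname` with the row's last column (e.g. `PV_CERT_LOCAL` for `tls_my_serial`), and getters such as pv_ssl_cert answer `BUG("bug in call to pv_ssl_cert")` and NULL when neither the PEER nor the LOCAL bit is set. As written, KSR.tls.cget() appears to return null for every certificate attribute and to work only for rows whose init parameter is 0 (`tls_cipher_bits` and friends). Initialise the name from the table before the call, e.g. `param.pvn.type = PV_NAME_INTSTR; param.pvn.u.isname.name.n = tls_pv[i].iparam;` (or run the row's `init_param` on a local `pv_spec_t` and copy its `pvp`), assuming the last `pv_export_t` member is `iparam` as in core/pvar.h. It is also worth a comment that `_ksr_kemi_tls_xval.v.s` aliases the getter's static buffer, so the returned string is valid only until the next cget() call.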

tls: add sel for tls verified cert chain (requires OpenSSL 1.1+) (#2289)

* tls: add sel for tls verified cert chain (requires OpenSSL 1.1+)

* remove extra tcpconn_put() call

Co-authored-by: Armen Babikyan <armen@firespotter.com>

Armen Babikyan authored on 20/04/2020 07:51:26 • GitHub committed on 20/04/2020 07:51:26
... ...
@@ -687,19 +687,11 @@ static int pv_sn(sip_msg_t* msg, pv_param_t* param, pv_value_t* res)
687 687
 }
688 688
 
689 689
 
690
-static int get_ssl_cert(str* res, int local, int urlencoded, sip_msg_t* msg)
690
+static int cert_to_buf(X509 *cert, char **bufptr, size_t *len)
691 691
 {
692 692
 #define MAX_CERT_SIZE 16384
693
-	/* buf2 holds the urlencoded version of buf, which can be up to 3 times its size */
694 693
 	static char buf[MAX_CERT_SIZE];
695
-	static char buf2[MAX_CERT_SIZE*3+1];
696
-	X509* cert;
697
-	struct tcp_connection* c;
698
-	size_t   len;
699
-	BIO     *mem;
700
-	str     temp_str;
701
-
702
-	if (get_cert(&cert, &c, msg, local) < 0) return -1;
694
+	BIO     *mem = NULL;
703 695
 
704 696
 	mem = BIO_new(BIO_s_mem());
705 697
 	if (!mem) {
... ...
@@ -712,17 +704,45 @@ static int get_ssl_cert(str* res, int local, int urlencoded, sip_msg_t* msg)
712 704
 		goto err;
713 705
 	}
714 706
 
715
-	len = BIO_pending(mem);
716
-	if (len > MAX_CERT_SIZE) {
707
+	*len = BIO_pending(mem);
708
+	if (*len > MAX_CERT_SIZE) {
717 709
 		ERR("certificate is too long\n");
718 710
 		goto err;
719 711
 	}
720 712
 
721
-	if (BIO_read(mem, buf, len) <= 0) {
713
+	if (BIO_read(mem, buf, *len) <= 0) {
722 714
 		ERR("problem reading data out of BIO");
723 715
 		goto err;
724 716
 	}
725 717
 
718
+	*bufptr = buf;
719
+
720
+	BIO_free(mem);
721
+	return 0;
722
+err:
723
+
724
+	if (mem) BIO_free(mem);
725
+	return -1;
726
+}
727
+
728
+
729
+static int get_ssl_cert(str* res, int local, int urlencoded, sip_msg_t* msg)
730
+{
731
+	char *buf = NULL;
732
+	/* buf2 holds the urlencoded version of buf, which can be up to 3 times its size */
733
+	static char buf2[MAX_CERT_SIZE*3+1];
734
+	X509* cert;
735
+	struct tcp_connection* c;
736
+	size_t   len;
737
+	str     temp_str;
738
+
739
+	if (get_cert(&cert, &c, msg, local) < 0) return -1;
740
+
741
+	if (cert_to_buf(cert, &buf, &len) < 0) {
742
+		ERR("cert to buf failed\n");
743
+		goto err;
744
+	}
745
+
726 746
 	if (urlencoded)
727 747
 	{
728 748
 		temp_str.len = len;
... ...
@@ -741,13 +761,11 @@ static int get_ssl_cert(str* res, int local, int urlencoded, sip_msg_t* msg)
741 761
 		res->len = len;
742 762
 	}
743 763
 
744
-	BIO_free(mem);
745 764
 	if (!local) X509_free(cert);
746 765
 	tcpconn_put(c);
747 766
 	return 0;
748 767
 
749 768
  err:
750
-	if (mem) BIO_free(mem);
751 769
 	if (!local) X509_free(cert);
752 770
 	tcpconn_put(c);
753 771
 	return -1;
... ...
@@ -804,6 +822,74 @@ static int pv_ssl_cert(sip_msg_t* msg, pv_param_t* param, pv_value_t* res)
804 822
 }
805 823
 
806 824
 
825
+#if (OPENSSL_VERSION_NUMBER >= 0x10100001L)
826
+/* NB: SSL_get0_verified_chain() was introduced in OpenSSL 1.1.0 */
827
+static int get_verified_cert_chain(STACK_OF(X509)** chain, struct tcp_connection** c, struct sip_msg* msg)
828
+{
829
+	SSL* ssl;
830
+
831
+	*chain = 0;
832
+	*c = get_cur_connection(msg);
833
+	if (!(*c)) {
834
+		INFO("TLS connection not found\n");
835
+		return -1;
836
+	}
837
+	ssl = get_ssl(*c);
838
+	if (!ssl) goto err;
839
+	*chain = SSL_get0_verified_chain(ssl);
840
+	if (!*chain) {
841
+		ERR("Unable to retrieve peer TLS verified chain from SSL structure\n");
842
+		goto err;
843
+	}
844
+
845
+	return 0;
846
+err:
847
+	tcpconn_put(*c);
848
+	return -1;
849
+}
850
+
851
+
852
+static int sel_ssl_verified_cert_chain(str* res, select_t* s, sip_msg_t* msg)
853
+{
854
+	char *buf = NULL;
855
+	struct tcp_connection* c;
856
+	size_t   len;
857
+	STACK_OF(X509)* chain;
858
+	X509* cert;
859
+	int i;
860
+
861
+	if (get_verified_cert_chain(&chain, &c, msg) < 0) return -1;
862
+
863
+	if (s->params[s->n-1].type == SEL_PARAM_INT) {
864
+		i = s->params[s->n-1].v.i;
865
+	} else
866
+		return -1;
867
+
868
+	if (i < 0 || i >= sk_X509_num(chain))
869
+		return -1;
870
+
871
+	cert = sk_X509_value(chain, i);
872
+	if (!cert)
873
+		return -1;
874
+
875
+	if (cert_to_buf(cert, &buf, &len) < 0) {
876
+		ERR("cert to buf failed\n");
877
+		goto err;
878
+	}
879
+
880
+	res->s = buf;
881
+	res->len = len;
882
+
883
+	tcpconn_put(c);
884
+	return 0;
885
+
886
+err:
887
+	tcpconn_put(c);
888
+	return -1;
889
+}
890
+#endif /* (OPENSSL_VERSION_NUMBER >= 0x10100001L) */
891
+
892
+
807 893
 static int get_comp(str* res, int local, int issuer, int nid, sip_msg_t* msg)
808 894
 {
809 895
 	static char buf[1024];
... ...
@@ -1208,6 +1294,10 @@ select_row_t tls_sel[] = {
1208 1294
 	{ sel_cert, SEL_PARAM_STR, STR_STATIC_INIT("URLEncodedCert"), sel_ssl_cert, DIVERSION | CERT_URLENCODED},
1209 1295
 	{ sel_cert, SEL_PARAM_STR, STR_STATIC_INIT("urlencoded_cert"), sel_ssl_cert, DIVERSION | CERT_URLENCODED},
1210 1296
 
1297
+#if (OPENSSL_VERSION_NUMBER >= 0x10100001L)
1298
+	{ sel_cert, SEL_PARAM_STR, STR_STATIC_INIT("verified_cert_chain"), sel_ssl_verified_cert_chain, CONSUME_NEXT_INT},
1299
+#endif
1300
+
1211 1301
 	{ sel_cert, SEL_PARAM_STR, STR_STATIC_INIT("sn"),            sel_sn, 0},
1212 1302
 	{ sel_cert, SEL_PARAM_STR, STR_STATIC_INIT("serialNumber"),  sel_sn, 0},
1213 1303
 	{ sel_cert, SEL_PARAM_STR, STR_STATIC_INIT("serial_number"), sel_sn, 0},
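Review bot: In sel_ssl_verified_cert_chain the three `return -1` statements that follow a successful get_verified_cert_chain() (non-integer parameter, index out of range, NULL from `sk_X509_value`) skip `tcpconn_put(c)`, so each such select leaves the connection's reference count incremented, while the `err:` label a few lines below releases it correctly. Replace them with `goto err;`, e.g. `if (i < 0 || i >= sk_X509_num(chain)) goto err;`. The chain from `SSL_get0_verified_chain()` and the `sk_X509_value()` result are borrowed references, so the absence of X509_free there is correct and deserves a one-line comment, as does the fact that the result points at cert_to_buf's static `buf` and is overwritten by the next certificate select.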

tls: fix raw vs urlencoded behavior in sel_ssl_cert()

Armen Babikyan authored on 18/04/2020 21:18:40 • Henning Westerholt committed on 19/04/2020 10:36:56
... ...
@@ -756,16 +756,18 @@ static int get_ssl_cert(str* res, int local, int urlencoded, sip_msg_t* msg)
756 756
 
757 757
 static int sel_ssl_cert(str* res, select_t* s, sip_msg_t* msg)
758 758
 {
759
-	int local=0, urlencoded=0;
759
+	int i, local = 0, urlencoded = 0;
760 760
 
761
-	switch(s->params[s->n - 2].v.i) {
762
-	case CERT_PEER: local = 0; break;
763
-	case CERT_LOCAL: local = 1; break;
764
-	case CERT_RAW: urlencoded = 0; break;
765
-	case CERT_URLENCODED: urlencoded = 1; break;
766
-	default:
767
-		BUG("Bug in call to sel_ssl_cert\n");
768
-		return -1;
761
+	for(i = 1; i <= s->n - 1; i++) {
762
+		switch(s->params[i].v.i) {
763
+		case CERT_PEER:       local = 0; break;
764
+		case CERT_LOCAL:      local = 1; break;
765
+		case CERT_RAW:        urlencoded = 0; break;
766
+		case CERT_URLENCODED: urlencoded = 1; break;
767
+		default:
768
+			BUG("Bug in call to sel_ssl_cert\n");
769
+			return -1;
770
+		}
769 771
 	}
770 772
 
771 773
 	return get_ssl_cert(res, local, urlencoded, msg);
... ...
@@ -1201,10 +1203,10 @@ select_row_t tls_sel[] = {
1201 1203
 
1202 1204
 	{ sel_cert, SEL_PARAM_STR, STR_STATIC_INIT("version"), sel_cert_version, 0},
1203 1205
 
1204
-	{ sel_cert, SEL_PARAM_STR, STR_STATIC_INIT("rawCert"), sel_ssl_cert, CERT_RAW},
1205
-	{ sel_cert, SEL_PARAM_STR, STR_STATIC_INIT("raw_cert"), sel_ssl_cert, CERT_RAW},
1206
-	{ sel_cert, SEL_PARAM_STR, STR_STATIC_INIT("URLEncodedCert"), sel_ssl_cert, CERT_URLENCODED},
1207
-	{ sel_cert, SEL_PARAM_STR, STR_STATIC_INIT("urlencoded_cert"), sel_ssl_cert, CERT_URLENCODED},
1206
+	{ sel_cert, SEL_PARAM_STR, STR_STATIC_INIT("rawCert"), sel_ssl_cert, DIVERSION | CERT_RAW},
1207
+	{ sel_cert, SEL_PARAM_STR, STR_STATIC_INIT("raw_cert"), sel_ssl_cert, DIVERSION | CERT_RAW},
1208
+	{ sel_cert, SEL_PARAM_STR, STR_STATIC_INIT("URLEncodedCert"), sel_ssl_cert, DIVERSION | CERT_URLENCODED},
1209
+	{ sel_cert, SEL_PARAM_STR, STR_STATIC_INIT("urlencoded_cert"), sel_ssl_cert, DIVERSION | CERT_URLENCODED},
1208 1210
 
1209 1211
 	{ sel_cert, SEL_PARAM_STR, STR_STATIC_INIT("sn"),            sel_sn, 0},
1210 1212
 	{ sel_cert, SEL_PARAM_STR, STR_STATIC_INIT("serialNumber"),  sel_sn, 0},
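Review bot: The new loop in sel_ssl_cert reads `s->params[i].v.i` for every parameter after the first without first checking `s->params[i].type == SEL_PARAM_INT`; if any intermediate parameter is still a string (a row without DIVERSION, or a future key added without it), `v.i` reads the other member of the union and the `default:` BUG fires on garbage rather than on a type error. Consider `if (s->params[i].type != SEL_PARAM_INT) { BUG("non-int param in sel_ssl_cert\n"); return -1; }` at the top of the loop body, and `i < s->n` reads more naturally than `i <= s->n - 1`. Adding `DIVERSION` to the four rows is presumably what turns the last parameter into an int; the outer `sel_cert` rows that divert `peer`/`my` are outside this hunk.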

tls: init local variables to avoid compile warnings

Daniel-Constantin Mierla authored on 06/04/2020 17:31:11
... ...
@@ -756,7 +756,7 @@ static int get_ssl_cert(str* res, int local, int urlencoded, sip_msg_t* msg)
756 756
 
757 757
 static int sel_ssl_cert(str* res, select_t* s, sip_msg_t* msg)
758 758
 {
759
-	int local, urlencoded;
759
+	int local=0, urlencoded=0;
760 760
 
761 761
 	switch(s->params[s->n - 2].v.i) {
762 762
 	case CERT_PEER: local = 0; break;

tls: add support for urlencoded cert PVs and select

- new PVs: $tls_peer_raw_cert, $tls_peer_urlencoded_cert, $tls_my_raw_cert, $tls_my_urlencoded_cert
- new selects: @tls.peer.raw_cert, @tls.peer.urlencoded_cert, @tls.my.raw_cert, @tls.my.urlencoded_cert

Armen Babikyan authored on 31/03/2020 01:19:53
... ...
@@ -41,6 +41,7 @@
41 41
 #include "../../core/ut.h"
42 42
 #include "../../core/cfg/cfg.h"
43 43
 #include "../../core/dprint.h"
44
+#include "../../core/strutils.h"
44 45
 #include "tls_server.h"
45 46
 #include "tls_select.h"
46 47
 #include "tls_mod.h"
... ...
@@ -58,6 +59,8 @@ enum {
58 59
 	CERT_SELFSIGNED,  /* self-signed certificate test */
59 60
 	CERT_NOTBEFORE,   /* Select validity end from certificate */
60 61
 	CERT_NOTAFTER,    /* Select validity start from certificate */
62
+	CERT_RAW,         /* Select raw PEM-encoded certificate */
63
+	CERT_URLENCODED,  /* Select urlencoded PEM-encoded certificate */
61 64
 	COMP_CN,          /* Common name */
62 65
 	COMP_O,           /* Organization name */
63 66
 	COMP_OU,          /* Organization unit */
... ...
@@ -85,21 +88,23 @@ enum {
85 88
 	PV_CERT_SELFSIGNED = 1<<7,   /* self-signed certificate test */
86 89
 	PV_CERT_NOTBEFORE  = 1<<8,   /* Select validity end from certificate */
87 90
 	PV_CERT_NOTAFTER   = 1<<9,   /* Select validity start from certificate */
88
-
89
-	PV_COMP_CN = 1<<10,          /* Common name */
90
-	PV_COMP_O  = 1<<11,          /* Organization name */
91
-	PV_COMP_OU = 1<<12,          /* Organization unit */
92
-	PV_COMP_C  = 1<<13,          /* Country name */
93
-	PV_COMP_ST = 1<<14,          /* State */
94
-	PV_COMP_L  = 1<<15,          /* Locality/town */
95
-
96
-	PV_COMP_HOST = 1<<16,        /* hostname from subject/alternative */
97
-	PV_COMP_URI  = 1<<17,        /* URI from subject/alternative */
98
-	PV_COMP_E    = 1<<18,        /* Email address */
99
-	PV_COMP_IP   = 1<<19,        /* IP from subject/alternative */
100
-	PV_COMP_UID  = 1<<20,        /* UserID*/
101
-
102
-	PV_TLSEXT_SNI = 1<<21,       /* Peer's server name (TLS extension) */
91
+	PV_CERT_RAW        = 1<<10,  /* Select raw PEM-encoded certificate */
92
+	PV_CERT_URLENCODED = 1<<11,  /* Select urlencoded PEM-encoded certificate */
93
+
94
+	PV_COMP_CN = 1<<12,          /* Common name */
95
+	PV_COMP_O  = 1<<13,          /* Organization name */
96
+	PV_COMP_OU = 1<<14,          /* Organization unit */
97
+	PV_COMP_C  = 1<<15,          /* Country name */
98
+	PV_COMP_ST = 1<<16,          /* State */
99
+	PV_COMP_L  = 1<<17,          /* Locality/town */
100
+
101
+	PV_COMP_HOST = 1<<18,        /* hostname from subject/alternative */
102
+	PV_COMP_URI  = 1<<19,        /* URI from subject/alternative */
103
+	PV_COMP_E    = 1<<20,        /* Email address */
104
+	PV_COMP_IP   = 1<<21,        /* IP from subject/alternative */
105
+	PV_COMP_UID  = 1<<22,        /* UserID*/
106
+
107
+	PV_TLSEXT_SNI = 1<<23,       /* Peer's server name (TLS extension) */
103 108
 };
104 109
 
105 110
 
... ...
@@ -682,6 +687,120 @@ static int pv_sn(sip_msg_t* msg, pv_param_t* param, pv_value_t* res)
682 687
 }
683 688
 
684 689
 
690
+static int get_ssl_cert(str* res, int local, int urlencoded, sip_msg_t* msg)
691
+{
692
+#define MAX_CERT_SIZE 16384
693
+	/* buf2 holds the urlencoded version of buf, which can be up to 3 times its size */
694
+	static char buf[MAX_CERT_SIZE];
695
+	static char buf2[MAX_CERT_SIZE*3+1];
696
+	X509* cert;
697
+	struct tcp_connection* c;
698
+	size_t   len;
699
+	BIO     *mem;
700
+	str     temp_str;
701
+
702
+	if (get_cert(&cert, &c, msg, local) < 0) return -1;
703
+
704
+	mem = BIO_new(BIO_s_mem());
705
+	if (!mem) {
706
+		ERR("Error while creating memory BIO\n");
707
+		goto err;
708
+	}
709
+
710
+	/* Write a certificate to a BIO */
711
+	if (!PEM_write_bio_X509(mem, cert)) {
712
+		goto err;
713
+	}
714
+
715
+	len = BIO_pending(mem);
716
+	if (len > MAX_CERT_SIZE) {
717
+		ERR("certificate is too long\n");
718
+		goto err;
719
+	}
720
+
721
+	if (BIO_read(mem, buf, len) <= 0) {
722
+		ERR("problem reading data out of BIO");
723
+		goto err;
724
+	}
725
+
726
+	if (urlencoded)
727
+	{
728
+		temp_str.len = len;
729
+		temp_str.s = buf;
730
+		res->s = buf2;
731
+		res->len = MAX_CERT_SIZE*3+1;
732
+
733
+		if (urlencode(&temp_str, res) < 0) {
734
+			ERR("Problem with urlencode()\n");
735
+			goto err;
736
+		}
737
+	}
738
+	else
739
+	{
740
+		res->s = buf;
741
+		res->len = len;
742
+	}
743
+
744
+	BIO_free(mem);
745
+	if (!local) X509_free(cert);
746
+	tcpconn_put(c);
747
+	return 0;
748
+
749
+ err:
750
+	if (mem) BIO_free(mem);
751
+	if (!local) X509_free(cert);
752
+	tcpconn_put(c);
753
+	return -1;
754
+}
755
+
756
+
757
+static int sel_ssl_cert(str* res, select_t* s, sip_msg_t* msg)
758
+{
759
+	int local, urlencoded;
760
+
761
+	switch(s->params[s->n - 2].v.i) {
762
+	case CERT_PEER: local = 0; break;
763
+	case CERT_LOCAL: local = 1; break;
764
+	case CERT_RAW: urlencoded = 0; break;
765
+	case CERT_URLENCODED: urlencoded = 1; break;
766
+	default:
767
+		BUG("Bug in call to sel_ssl_cert\n");
768
+		return -1;
769
+	}
770
+
771
+	return get_ssl_cert(res, local, urlencoded, msg);
772
+}
773
+
774
+
775
+static int pv_ssl_cert(sip_msg_t* msg, pv_param_t* param, pv_value_t* res)
776
+{
777
+	int local, urlencoded;
778
+
779
+	if (param->pvn.u.isname.name.n & PV_CERT_PEER) {
780
+		local = 0;
781
+	} else if (param->pvn.u.isname.name.n & PV_CERT_LOCAL) {
782
+		local = 1;
783
+	} else {
784
+		BUG("bug in call to pv_ssl_cert\n");
785
+		return pv_get_null(msg, param, res);
786
+	}
787
+
788
+	if (param->pvn.u.isname.name.n & PV_CERT_RAW) {
789
+		urlencoded = 0;
790
+	} else if (param->pvn.u.isname.name.n & PV_CERT_URLENCODED) {
791
+		urlencoded = 1;
792
+	} else {
793
+		BUG("bug in call to pv_ssl_cert\n");
794
+		return pv_get_null(msg, param, res);
795
+	}
796
+
797
+	if (get_ssl_cert(&res->rs, local, urlencoded, msg) < 0) {
798
+		return pv_get_null(msg, param, res);
799
+	}
800
+	res->flags = PV_VAL_STR;
801
+	return 0;
802
+}
803
+
685 804
 
686 805
 static int get_comp(str* res, int local, int issuer, int nid, sip_msg_t* msg)
687 806
 {
... ...
@@ -1082,6 +1201,11 @@ select_row_t tls_sel[] = {
1082 1201
 
1083 1202
 	{ sel_cert, SEL_PARAM_STR, STR_STATIC_INIT("version"), sel_cert_version, 0},
1084 1203
 
1204
+	{ sel_cert, SEL_PARAM_STR, STR_STATIC_INIT("rawCert"), sel_ssl_cert, CERT_RAW},
1205
+	{ sel_cert, SEL_PARAM_STR, STR_STATIC_INIT("raw_cert"), sel_ssl_cert, CERT_RAW},
1206
+	{ sel_cert, SEL_PARAM_STR, STR_STATIC_INIT("URLEncodedCert"), sel_ssl_cert, CERT_URLENCODED},
1207
+	{ sel_cert, SEL_PARAM_STR, STR_STATIC_INIT("urlencoded_cert"), sel_ssl_cert, CERT_URLENCODED},
1208
+
1085 1209
 	{ sel_cert, SEL_PARAM_STR, STR_STATIC_INIT("sn"),            sel_sn, 0},
1086 1210
 	{ sel_cert, SEL_PARAM_STR, STR_STATIC_INIT("serialNumber"),  sel_sn, 0},
1087 1211
 	{ sel_cert, SEL_PARAM_STR, STR_STATIC_INIT("serial_number"), sel_sn, 0},
... ...
@@ -1162,6 +1286,19 @@ pv_export_t tls_pv[] = {
1162 1286
 	{{"tls_cipher_bits", sizeof("tls_cipher_bits")-1},
1163 1287
 		PVT_OTHER,  pv_bits, 0,
1164 1288
 		0, 0, 0, 0 },
1289
+	/* raw and urlencoded versions of peer and local certificates */
1290
+	{{"tls_peer_raw_cert", sizeof("tls_peer_raw_cert")-1},
1291
+		PVT_OTHER, pv_ssl_cert, 0,
1292
+		0, 0, pv_init_iname, PV_CERT_PEER | PV_CERT_RAW},
1293
+	{{"tls_my_raw_cert", sizeof("tls_my_raw_cert")-1},
1294
+		PVT_OTHER, pv_ssl_cert, 0,
1295
+		0, 0, pv_init_iname, PV_CERT_LOCAL | PV_CERT_RAW},
1296
+	{{"tls_peer_urlencoded_cert", sizeof("tls_peer_urlencoded_cert")-1},
1297
+		PVT_OTHER, pv_ssl_cert, 0,
1298
+		0, 0, pv_init_iname, PV_CERT_PEER | PV_CERT_URLENCODED},
1299
+	{{"tls_my_urlencoded_cert", sizeof("tls_my_urlencoded_cert")-1},
1300
+		PVT_OTHER, pv_ssl_cert, 0,
1301
+		0, 0, pv_init_iname, PV_CERT_LOCAL | PV_CERT_URLENCODED},
1165 1302
 	/* general certificate parameters for peer and local */
1166 1303
 	{{"tls_peer_version", sizeof("tls_peer_version")-1},
1167 1304
 		PVT_OTHER, pv_cert_version, 0,
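Review bot: In sel_ssl_cert, `local` and `urlencoded` are declared uninitialised and the `switch` on the single parameter `s->params[s->n - 2].v.i` assigns only one of them, so get_ssl_cert() is always called with the other read uninitialised, which is undefined behaviour and in practice may turn `@tls.peer.raw_cert` into an urlencoded or local certificate depending on stack contents. Both selectors need decoding — e.g. inspect `s->params[s->n - 2]` for PEER/LOCAL and `s->params[s->n - 1]` for RAW/URLENCODED — and both variables should start at 0. Separately, in get_ssl_cert the `ERR("problem reading data out of BIO")` message lacks the trailing `\n` the neighbouring messages carry, and `res->len = MAX_CERT_SIZE*3+1` is handed to urlencode() as the output capacity; presumably urlencode() reads it as capacity and rewrites it with the encoded length, but that contract should be confirmed since `buf2` is exactly that size and a NUL terminator would not fit if the encoder adds one beyond the length.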

tls: use NID_userId instead of NID_x500UniqueIdentifier access (GH #1846)

- use NID_userId instead of NID_x500UniqueIdentifier to access the uid field
in x509 subjects in tls module
- pull request GH #1846 from Sebastian Denz, denzs at gonicus dot de

Henning Westerholt authored on 11/02/2019 20:26:10
... ...
@@ -68,7 +68,7 @@ enum {
68 68
 	COMP_URI,         /* URI from subject/alternative */
69 69
 	COMP_E,           /* Email address */
70 70
 	COMP_IP,          /* IP from subject/alternative */
71
-	COMP_UI,          /* Unique identifier */
71
+	COMP_UID,         /* UserID*/
72 72
 	TLSEXT_SN         /* Server name of the peer */
73 73
 };
74 74
 
... ...
@@ -97,7 +97,7 @@ enum {
97 97
 	PV_COMP_URI  = 1<<17,        /* URI from subject/alternative */
98 98
 	PV_COMP_E    = 1<<18,        /* Email address */
99 99
 	PV_COMP_IP   = 1<<19,        /* IP from subject/alternative */
100
-	PV_COMP_UI   = 1<<20,        /* Unique identifier */
100
+	PV_COMP_UID  = 1<<20,        /* UserID*/
101 101
 
102 102
 	PV_TLSEXT_SNI = 1<<21,       /* Peer's server name (TLS extension) */
103 103
 };
... ...
@@ -714,7 +714,7 @@ static int get_comp(str* res, int local, int issuer, int nid, sip_msg_t* msg)
714 714
 		case NID_countryName:            elem = "CountryName";             break;
715 715
 		case NID_stateOrProvinceName:    elem = "StateOrProvinceName";     break;
716 716
 		case NID_localityName:           elem = "LocalityName";            break;
717
-		case NID_x500UniqueIdentifier:   elem = "UniqueIdentifier";        break;
717
+		case NID_userId:                 elem = "UserID";                  break;
718 718
 		default:                         elem = "Unknown";                 break;
719 719
 		}
720 720
 		DBG("Element %s not found in certificate subject/issuer\n", elem);
... ...
@@ -762,7 +762,7 @@ static int sel_comp(str* res, select_t* s, sip_msg_t* msg)
762 762
 		case COMP_C:       nid = NID_countryName;            break;
763 763
 		case COMP_ST:      nid = NID_stateOrProvinceName;    break;
764 764
 		case COMP_L:       nid = NID_localityName;           break;
765
-		case COMP_UI:      nid = NID_x500UniqueIdentifier;   break;
765
+		case COMP_UID:     nid = NID_userId;                 break;
766 766
 		default:
767 767
 			BUG("Bug in sel_comp: %d\n", s->params[s->n - 1].v.i);
768 768
 			return -1;
... ...
@@ -804,14 +804,14 @@ static int pv_comp(sip_msg_t* msg, pv_param_t* param, pv_value_t* res)
804 804
 	}
805 805
 
806 806
 	switch(ind_local) {
807
-		case PV_COMP_CN: nid = NID_commonName;             break;
808
-		case PV_COMP_O:  nid = NID_organizationName;       break;
809
-		case PV_COMP_OU: nid = NID_organizationalUnitName; break;
810
-		case PV_COMP_C:  nid = NID_countryName;            break;
811
-		case PV_COMP_ST: nid = NID_stateOrProvinceName;    break;
812
-		case PV_COMP_L:  nid = NID_localityName;           break;
813
-		case PV_COMP_UI: nid = NID_x500UniqueIdentifier;   break;
814
-		default:      nid = NID_undef;
807
+		case PV_COMP_CN:  nid = NID_commonName;             break;
808
+		case PV_COMP_O:   nid = NID_organizationName;       break;
809
+		case PV_COMP_OU:  nid = NID_organizationalUnitName; break;
810
+		case PV_COMP_C:   nid = NID_countryName;            break;
811
+		case PV_COMP_ST:  nid = NID_stateOrProvinceName;    break;
812
+		case PV_COMP_L:   nid = NID_localityName;           break;
813
+		case PV_COMP_UID: nid = NID_userId;                 break;
814
+		default:          nid = NID_undef;
815 815
 	}
816 816
 
817 817
 	if (get_comp(&res->rs, local, issuer, nid, msg) < 0) {
... ...
@@ -1137,9 +1137,9 @@ select_row_t tls_sel[] = {
1137 1137
 	{ sel_name, SEL_PARAM_STR, STR_STATIC_INIT("organizational_unit_name"), sel_comp, DIVERSION | COMP_OU},
1138 1138
 	{ sel_name, SEL_PARAM_STR, STR_STATIC_INIT("unit"),                     sel_comp, DIVERSION | COMP_OU},
1139 1139
 
1140
-	{ sel_name, SEL_PARAM_STR, STR_STATIC_INIT("uid"),               sel_comp, DIVERSION | COMP_UI},
1141
-	{ sel_name, SEL_PARAM_STR, STR_STATIC_INIT("uniqueIdentifier"),  sel_comp, DIVERSION | COMP_UI},
1142
-	{ sel_name, SEL_PARAM_STR, STR_STATIC_INIT("unique_identifier"), sel_comp, DIVERSION | COMP_UI},
1140
+	{ sel_name, SEL_PARAM_STR, STR_STATIC_INIT("uid"),               sel_comp, DIVERSION | COMP_UID},
1141
+	{ sel_name, SEL_PARAM_STR, STR_STATIC_INIT("uniqueIdentifier"),  sel_comp, DIVERSION | COMP_UID},
1142
+	{ sel_name, SEL_PARAM_STR, STR_STATIC_INIT("unique_identifier"), sel_comp, DIVERSION | COMP_UID},
1143 1143
 
1144 1144
 	{ NULL, SEL_PARAM_INT, STR_NULL, NULL, 0}
1145 1145
 };
... ...
@@ -1263,10 +1263,10 @@ pv_export_t tls_pv[] = {
1263 1263
 	/* unique identifier for peer and local */
1264 1264
 	{{"tls_peer_subject_uid", sizeof("tls_peer_subject_uid")-1},
1265 1265
 		PVT_OTHER, pv_comp, 0,
1266
-		0, 0, pv_init_iname, PV_CERT_PEER | PV_CERT_SUBJECT | PV_COMP_UI },
1266
+		0, 0, pv_init_iname, PV_CERT_PEER | PV_CERT_SUBJECT | PV_COMP_UID },
1267 1267
 	{{"tls_my_subject_uid", sizeof("tls_my_subject_uid")-1},
1268 1268
 		PVT_OTHER, pv_comp, 0,
1269
-		0, 0, pv_init_iname, PV_CERT_LOCAL | PV_CERT_SUBJECT | PV_COMP_UI },
1269
+		0, 0, pv_init_iname, PV_CERT_LOCAL | PV_CERT_SUBJECT | PV_COMP_UID },
1270 1270
 	/* subject alternative name parameters for peer and local */	
1271 1271
 	{{"tls_peer_san_email", sizeof("tls_peer_san_email")-1},
1272 1272
 		PVT_OTHER, pv_alt, 0,
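Review bot: The select aliases `uniqueIdentifier` and `unique_identifier` in the tls_sel table and the comment `/* unique identifier for peer and local */` above `tls_peer_subject_uid` still advertise the X.500 uniqueIdentifier attribute, but after this change every one of those names, plus both `$tls_*_subject_uid` PVs, reads NID_userId, which is a different subject attribute (and OID) from NID_x500UniqueIdentifier. A script that matches `@tls.peer.uniqueIdentifier` or `$tls_peer_subject_uid` against an expected value to authorize a peer will now silently compare a different attribute, or get null where it previously got a value, so this deserves a note in the module docs rather than a silent remap. I would either keep the old attribute reachable under its own COMP_/PV_COMP_ pair so the `uniqueIdentifier` aliases stay truthful, or at least fix the comment to `/* UID (NID_userId) subject attribute for peer and local */` so the next reader is not misled. The bodies of get_comp, sel_comp and pv_comp and the tls_sel/tls_pv tables all extend outside these hunks, so I cannot see whether the accompanying documentation was updated.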

tls: add support for unique identifier PVs and select (GH #1843)

- add support for unique identifier PVs and select, related to issue GH #1843
- new PVs: $tls_peer_subject_uid and $tls_my_subject_uid
- new selects: uid, uniqueIdentifier and unique_identifier

Henning Westerholt authored on 10/02/2019 13:30:45
Showing 1 changed files
... ...
@@ -68,6 +68,7 @@ enum {
68 68
 	COMP_URI,         /* URI from subject/alternative */
69 69
 	COMP_E,           /* Email address */
70 70
 	COMP_IP,          /* IP from subject/alternative */
71
+	COMP_UI,          /* Unique identifier */
71 72
 	TLSEXT_SN         /* Server name of the peer */
72 73
 };
73 74
 
... ...
@@ -96,8 +97,9 @@ enum {
96 97
 	PV_COMP_URI  = 1<<17,        /* URI from subject/alternative */
97 98
 	PV_COMP_E    = 1<<18,        /* Email address */
98 99
 	PV_COMP_IP   = 1<<19,        /* IP from subject/alternative */
100
+	PV_COMP_UI   = 1<<20,        /* Unique identifier */
99 101
 
100
-	PV_TLSEXT_SNI = 1<<20,       /* Peer's server name (TLS extension) */
102
+	PV_TLSEXT_SNI = 1<<21,       /* Peer's server name (TLS extension) */
101 103
 };
102 104
 
103 105
 
... ...
@@ -712,6 +714,7 @@ static int get_comp(str* res, int local, int issuer, int nid, sip_msg_t* msg)
712 714
 		case NID_countryName:            elem = "CountryName";             break;
713 715
 		case NID_stateOrProvinceName:    elem = "StateOrProvinceName";     break;