
Adding function is_peer_verified from kamailio

Jan Janak authored on 27/03/2009 17:47:43
@@ -96,6 +96,8 @@ static int mod_init(void);
96 96
 static int mod_child(int rank);
97 97
 static void destroy(void);
98 98
 
99
+static int is_peer_verified(struct sip_msg* msg, char* foo, char* foo2);
100
+
99 101
 MODULE_VERSION
100 102
 
101 103
 
@@ -185,7 +187,9 @@ gen_lock_t* tls_cfg_lock = NULL;
185 187
  * Exported functions
186 188
  */
187 189
 static cmd_export_t cmds[] = {
188
-	{0, 0, 0, 0, 0}
190
+	{"is_peer_verified", (cmd_function)is_peer_verified,   0, 0, 0,
191
+			REQUEST_ROUTE},
192
+	{0,0,0,0,0,0}
189 193
 };
190 194
 
191 195
 
@@ -395,3 +399,62 @@ static int mod_child(int rank)
395 399
 static void destroy(void)
396 400
 {
397 401
 }
402
+
403
+
404
+static int is_peer_verified(struct sip_msg* msg, char* foo, char* foo2)
405
+{
406
+	struct tcp_connection *c;
407
+	SSL *ssl;
408
+	long ssl_verify;
409
+	X509 *x509_cert;
410
+
411
+	DBG("started...\n");
412
+	if (msg->rcv.proto != PROTO_TLS) {
413
+		ERR("proto != TLS --> peer can't be verified, return -1\n");
414
+		return -1;
415
+	}
416
+
417
+	DBG("trying to find TCP connection of received message...\n");
418
+
419
+	c = tcpconn_get(msg->rcv.proto_reserved1, 0, 0, 0, tls_con_lifetime);
420
+	if (c && c->type != PROTO_TLS) {
421
+		ERR("Connection found but is not TLS\n");
422
+		tcpconn_put(c);
423
+		return -1;
424
+	}
425
+
426
+	if (!c->extra_data) {
427
+		LM_ERR("no extra_data specified in TLS/TCP connection found."
428
+				" This should not happen... return -1\n");
429
+		tcpconn_put(c);
430
+		return -1;
431
+	}
432
+
433
+	ssl = ((struct tls_extra_data*)c->extra_data)->ssl;
434
+
435
+	ssl_verify = SSL_get_verify_result(ssl);
436
+	if ( ssl_verify != X509_V_OK ) {
437
+		LM_WARN("verification of presented certificate failed... return -1\n");
438
+		tcpconn_put(c);
439
+		return -1;
440
+	}
441
+
442
+	/* now, we have only valid peer certificates or peers without certificates.
443
+	 * Thus we have to check for the existence of a peer certificate
444
+	 */
445
+	x509_cert = SSL_get_peer_certificate(ssl);
446
+	if ( x509_cert == NULL ) {
447
+		LM_WARN("tlsops:is_peer_verified: WARNING: peer did not presented "
448
+			"a certificate. Thus it could not be verified... return -1\n");
449
+		tcpconn_put(c);
450
+		return -1;
451
+	}
452
+
453
+	X509_free(x509_cert);
454
+
455
+	tcpconn_put(c);
456
+
457
+	LM_DBG("tlsops:is_peer_verified: peer is successfuly verified"
458
+		"...done\n");
459
+	return 1;
460
+}
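Review bot: `c` can be NULL after the `tcpconn_get(...)` call — the `if (c && c->type != PROTO_TLS)` guard itself allows for that — yet the very next check dereferences it as `c->extra_data`, so a message whose TLS connection was closed or expired before the route ran would crash the worker process. Split the guard so the NULL case returns before any dereference, and note that `tcpconn_put(c)` must not be called in that branch: `if (!c) { ERR("TCP connection of received message not found\n"); return -1; }` followed by `if (c->type != PROTO_TLS) {` with the existing body. The logging is a mix of `DBG`/`ERR` and `LM_DBG`/`LM_ERR`/`LM_WARN`, presumably left over from the port; picking one family would match the rest of the file. The `foo` and `foo2` parameters are unused, which is fine for a fixup-less script function but is worth a short comment such as `/* unused: exported with 0 parameters */` so nobody tries to read them.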