Asterisk - The Open Source Telephony Project GIT-master-27fb039
Loading...
Searching...
No Matches
Macros | Functions | Variables
verification.c File Reference
#include <curl/curl.h>
#include <sys/stat.h>
#include <jwt.h>
#include <regex.h>
#include "asterisk.h"
#include "asterisk/channel.h"
#include "asterisk/cli.h"
#include "asterisk/config.h"
#include "asterisk/module.h"
#include "asterisk/sorcery.h"
#include "asterisk/astdb.h"
#include "asterisk/conversions.h"
#include "asterisk/utils.h"
#include "asterisk/paths.h"
#include "asterisk/logger.h"
#include "asterisk/acl.h"
#include "asterisk/time.h"
#include "asterisk/localtime.h"
#include "asterisk/crypto.h"
#include "asterisk/json.h"
#include "stir_shaken.h"
Include dependency graph for verification.c:

Go to the source code of this file.

Macros

#define _TRACE_PREFIX_   "v",__LINE__, ""
 
#define ASN1_TAG_TNAUTH_SPC   0
 
#define ASN1_TAG_TNAUTH_TN   2
 
#define ASN1_TAG_TNAUTH_TN_RANGE   1
 
#define AST_DB_FAMILY   "STIR_SHAKEN"
 
#define BEGIN_CERTIFICATE_STR   "-----BEGIN CERTIFICATE-----"
 
#define DUMP_X5U_MATCH()
 
#define FULL_URL_REGEX   "^([a-zA-Z]+)://(([^@]+@[^:]+):)?(([^:/?]+)|([0-9.]+)|([[][0-9a-fA-F:]+[]]))(:([0-9]+))?(/([^#\\?]+))?(\\?([^#]+))?(#(.*))?"
 
#define FULL_URL_REGEX_GROUPS   15
 
#define get_match_string(__x5u, __pmatch, __i)
 
#define IS_GET_OBJ_ERR(ret)   (ret & 0x80)
 
#define URL_MATCH_FRAGMENT   15
 
#define URL_MATCH_HOST   4
 
#define URL_MATCH_PATH   11
 
#define URL_MATCH_PORT   9
 
#define URL_MATCH_QUERY   13
 
#define URL_MATCH_SCHEME   1
 
#define URL_MATCH_USERPASS   3
 

Functions

static int add_cert_expiration_to_astdb (struct ast_stir_shaken_vs_ctx *cert, const char *cache_control_header, const char *expires_header)
 
static int add_cert_key_to_astdb (struct ast_stir_shaken_vs_ctx *cert, const char *cache_control_hdr, const char *expires_hdr)
 
enum ast_stir_shaken_vs_response_code ast_stir_shaken_vs_ctx_add_date_hdr (struct ast_stir_shaken_vs_ctx *ctx, const char *date_hdr)
 Add the received Date header value to the VS context.
 
enum ast_stir_shaken_vs_response_code ast_stir_shaken_vs_ctx_add_identity_hdr (struct ast_stir_shaken_vs_ctx *ctx, const char *identity_hdr)
 Add the received Identity header value to the VS context.
 
enum ast_stir_shaken_vs_response_code ast_stir_shaken_vs_ctx_create (const char *caller_id, struct ast_channel *chan, const char *profile_name, const char *tag, struct ast_stir_shaken_vs_ctx **ctxout)
 Create Verification Service context.
 
void ast_stir_shaken_vs_ctx_set_response_code (struct ast_stir_shaken_vs_ctx *ctx, enum ast_stir_shaken_vs_response_code vs_rc)
 Sets response code on VS context.
 
const char * ast_stir_shaken_vs_get_caller_id (struct ast_stir_shaken_vs_ctx *ctx)
 Get caller_id from context.
 
enum stir_shaken_failure_action_enum ast_stir_shaken_vs_get_failure_action (struct ast_stir_shaken_vs_ctx *ctx)
 Get failure_action from context.
 
int ast_stir_shaken_vs_get_use_rfc9410_responses (struct ast_stir_shaken_vs_ctx *ctx)
 Get use_rfc9410_responses from context.
 
enum ast_stir_shaken_vs_response_code ast_stir_shaken_vs_verify (struct ast_stir_shaken_vs_ctx *ctx)
 Perform incoming call verification.
 
static enum ast_stir_shaken_vs_response_code check_cert (struct ast_stir_shaken_vs_ctx *ctx)
 
static enum ast_stir_shaken_vs_response_code check_date_header (struct ast_stir_shaken_vs_ctx *ctx)
 
static enum ast_stir_shaken_vs_response_code check_tn_auth_list (struct ast_stir_shaken_vs_ctx *ctx)
 
static int check_x5u_url (struct ast_stir_shaken_vs_ctx *ctx, const char *x5u)
 
static void cleanup_cert_from_astdb_and_fs (struct ast_stir_shaken_vs_ctx *ctx)
 
static void ctx_destructor (void *obj)
 
static enum ast_stir_shaken_vs_response_code ctx_populate (struct ast_stir_shaken_vs_ctx *ctx)
 
static int is_cert_cache_entry_expired (char *expiration)
 
static enum ast_stir_shaken_vs_response_code retrieve_cert_from_cache (struct ast_stir_shaken_vs_ctx *ctx)
 
static enum ast_stir_shaken_vs_response_code retrieve_cert_from_url (struct ast_stir_shaken_vs_ctx *ctx)
 
static enum ast_stir_shaken_vs_response_code retrieve_verification_cert (struct ast_stir_shaken_vs_ctx *ctx)
 
int vs_load ()
 Load the stir/shaken verification service.
 
int vs_reload ()
 Reload the stir/shaken verification service.
 
const char * vs_response_code_to_str (enum ast_stir_shaken_vs_response_code vs_rc)
 Return string version of VS response code.
 
int vs_unload ()
 Unload the stir/shaken verification service.
 

Variables

static regex_t url_match_regex
 
static const char * vs_rc_map []
 

Macro Definition Documentation

◆ _TRACE_PREFIX_

#define _TRACE_PREFIX_   "v",__LINE__, ""

Definition at line 26 of file verification.c.

◆ ASN1_TAG_TNAUTH_SPC

#define ASN1_TAG_TNAUTH_SPC   0

Definition at line 247 of file verification.c.

◆ ASN1_TAG_TNAUTH_TN

#define ASN1_TAG_TNAUTH_TN   2

Definition at line 249 of file verification.c.

◆ ASN1_TAG_TNAUTH_TN_RANGE

#define ASN1_TAG_TNAUTH_TN_RANGE   1

Definition at line 248 of file verification.c.

◆ AST_DB_FAMILY

#define AST_DB_FAMILY   "STIR_SHAKEN"

Definition at line 46 of file verification.c.

◆ BEGIN_CERTIFICATE_STR

#define BEGIN_CERTIFICATE_STR   "-----BEGIN CERTIFICATE-----"

Definition at line 51 of file verification.c.

◆ DUMP_X5U_MATCH

#define DUMP_X5U_MATCH ( )

Definition at line 823 of file verification.c.

824{\
825 int i; \
826 if (TRACE_ATLEAST(4)) { \
827 ast_trace(-1, "%s: x5u: %s\n", ctx->tag, x5u); \
828 for (i=0;i<FULL_URL_REGEX_GROUPS;i++) { \
829 const char *m = get_match_string(x5u, pmatch, i); \
830 if (m) { \
831 ast_trace(-1, "%s: %2d %s\n", ctx->tag, i, m); \
832 } \
833 } \
834 } \
835}
TRACE_ATLEAST
#define TRACE_ATLEAST(level)
Definition include/asterisk/logger.h:684
FULL_URL_REGEX_GROUPS
#define FULL_URL_REGEX_GROUPS
Definition verification.c:785
get_match_string
#define get_match_string(__x5u, __pmatch, __i)
Definition verification.c:811

◆ FULL_URL_REGEX

#define FULL_URL_REGEX   "^([a-zA-Z]+)://(([^@]+@[^:]+):)?(([^:/?]+)|([0-9.]+)|([[][0-9a-fA-F:]+[]]))(:([0-9]+))?(/([^#\\?]+))?(\\?([^#]+))?(#(.*))?"

Definition at line 784 of file verification.c.

◆ FULL_URL_REGEX_GROUPS

#define FULL_URL_REGEX_GROUPS   15

Definition at line 785 of file verification.c.

◆ get_match_string

#define get_match_string (   __x5u,
  __pmatch,
  __i 
)

Definition at line 811 of file verification.c.

812 { \
813 char *__match = NULL; \
814 if (__pmatch[__i].rm_so >= 0) { \
815 regoff_t __len = __pmatch[__i].rm_eo - __pmatch[__i].rm_so; \
816 const char *__start = __x5u + __pmatch[__i].rm_so; \
817 __match = ast_alloca(__len + 1); \
818 ast_copy_string(__match, __start, __len + 1); \
819 } \
820 __match; \
821})
ast_alloca
#define ast_alloca(size)
call __builtin_alloca to ensure we get gcc builtin semantics
Definition astmm.h:288
NULL
#define NULL
Definition resample.c:96

◆ IS_GET_OBJ_ERR

#define IS_GET_OBJ_ERR (   ret)    (ret & 0x80)

Definition at line 251 of file verification.c.

◆ URL_MATCH_FRAGMENT

#define URL_MATCH_FRAGMENT   15

Definition at line 809 of file verification.c.

◆ URL_MATCH_HOST

#define URL_MATCH_HOST   4

Definition at line 805 of file verification.c.

◆ URL_MATCH_PATH

#define URL_MATCH_PATH   11

Definition at line 807 of file verification.c.

◆ URL_MATCH_PORT

#define URL_MATCH_PORT   9

Definition at line 806 of file verification.c.

◆ URL_MATCH_QUERY

#define URL_MATCH_QUERY   13

Definition at line 808 of file verification.c.

◆ URL_MATCH_SCHEME

#define URL_MATCH_SCHEME   1

Definition at line 803 of file verification.c.

◆ URL_MATCH_USERPASS

#define URL_MATCH_USERPASS   3

Definition at line 804 of file verification.c.

Function Documentation

◆ add_cert_expiration_to_astdb()

static int add_cert_expiration_to_astdb ( struct ast_stir_shaken_vs_ctx cert,
const char *  cache_control_header,
const char *  expires_header 
)
static

Definition at line 112 of file verification.c.

114{
115 RAII_VAR(struct verification_cfg *, cfg, vs_get_cfg(), ao2_cleanup);
116
117 char time_buf[32];
118 time_t current_time = time(NULL);
119 time_t max_age_hdr = 0;
120 time_t expires_hdr = 0;
121 ASN1_TIME *notAfter = NULL;
122 time_t cert_expires = 0;
123 time_t config_expires = 0;
124 time_t expires = 0;
125 int rc = 0;
126
127 config_expires = current_time + cfg->vcfg_common.max_cache_entry_age;
128
129 if (!ast_strlen_zero(cache_control_header)) {
130 char *str_max_age;
131
132 str_max_age = strstr(cache_control_header, "s-maxage");
133 if (!str_max_age) {
134 str_max_age = strstr(cache_control_header, "max-age");
135 }
136
137 if (str_max_age) {
138 unsigned int m;
139 char *equal = strchr(str_max_age, '=');
140 if (equal && !ast_str_to_uint(equal + 1, &m)) {
141 max_age_hdr = current_time + m;
142 }
143 }
144 }
145
146 if (!ast_strlen_zero(expires_header)) {
147 struct ast_tm expires_time;
148
149 ast_strptime(expires_header, "%a, %d %b %Y %T %z", &expires_time);
150 expires_time.tm_isdst = -1;
151 expires_hdr = ast_mktime(&expires_time, "GMT").tv_sec;
152 }
153
154 notAfter = X509_get_notAfter(cert->xcert);
155 cert_expires = crypto_asn_time_as_time_t(notAfter);
156
157 /*
158 * ATIS-1000074 says:
159 * The STI-VS shall implement the cache behavior described in
160 * [Ref 10]. If the HTTP response does not include any recognized
161 * caching directives or indicates caching for less than 24 hours,
162 * then the STI-VS should cache the HTTP response for 24 hours.
163 *
164 * Basically, they're saying "cache for 24 hours unless the HTTP
165 * response says to cache for longer." Instead of the fixed 24
166 * hour minumum, however, we'll use max_cache_entry_age instead.
167 *
168 * We got all the possible values of expires so let's find the
169 * highest value greater than the configured max_cache_entry_age.
170 */
171
172 /* The default */
173 expires = config_expires;
174
175 if (max_age_hdr > expires) {
176 expires = max_age_hdr;
177 }
178
179 if (expires_hdr > expires) {
180 expires = expires_hdr;
181 }
182
183 /*
184 * However... Don't cache for longer than the
185 * certificate is actually valid.
186 */
187 if (cert_expires && cert_expires < expires) {
188 expires = cert_expires;
189 }
190
191 snprintf(time_buf, sizeof(time_buf), "%ld", expires);
192
193 rc = ast_db_put(cert->hash_family, "expiration", time_buf);
194 if (rc == 0) {
195 strcpy(cert->expiration, time_buf); /* safe */
196 }
197
198 return rc;
199}
ast_db_put
int ast_db_put(const char *family, const char *key, const char *value)
Store value addressed by family/key.
Definition db.c:335
ao2_cleanup
#define ao2_cleanup(obj)
Definition astobj2.h:1934
vs_get_cfg
struct verification_cfg * vs_get_cfg(void)
Definition verification_config.c:55
ast_str_to_uint
int ast_str_to_uint(const char *str, unsigned int *res)
Convert the given string to an unsigned integer.
Definition conversions.c:56
crypto_asn_time_as_time_t
time_t crypto_asn_time_as_time_t(ASN1_TIME *at)
Return a time_t for an ASN1_TIME.
Definition crypto_utils.c:900
ast_mktime
struct timeval ast_mktime(struct ast_tm *const tmp, const char *zone)
Timezone-independent version of mktime(3).
Definition localtime.c:2357
ast_strptime
char * ast_strptime(const char *s, const char *format, struct ast_tm *tm)
Special version of strptime(3) which places the answer in the common structure ast_tm....
Definition localtime.c:2550
ast_strlen_zero
static force_inline int attribute_pure ast_strlen_zero(const char *s)
Definition strings.h:65
ast_stir_shaken_vs_ctx::hash_family
const ast_string_field hash_family
Definition verification.h:39
ast_stir_shaken_vs_ctx::expiration
char expiration[32]
Definition verification.h:46
ast_stir_shaken_vs_ctx::xcert
X509 * xcert
Definition verification.h:47
ast_tm
Definition localtime.h:35
verification_cfg
Definition common_config.h:399
RAII_VAR
#define RAII_VAR(vartype, varname, initval, dtor)
Declare a variable that will call a destructor function when it goes out of scope.
Definition utils.h:981

References ao2_cleanup, ast_db_put(), ast_mktime(), ast_str_to_uint(), ast_strlen_zero(), ast_strptime(), crypto_asn_time_as_time_t(), ast_stir_shaken_vs_ctx::expiration, ast_stir_shaken_vs_ctx::hash_family, NULL, RAII_VAR, ast_tm::tm_isdst, vs_get_cfg(), and ast_stir_shaken_vs_ctx::xcert.

Referenced by add_cert_key_to_astdb().

◆ add_cert_key_to_astdb()

static int add_cert_key_to_astdb ( struct ast_stir_shaken_vs_ctx cert,
const char *  cache_control_hdr,
const char *  expires_hdr 
)
static

Definition at line 201 of file verification.c.

203{
204 int rc = 0;
205
206 rc = ast_db_put(cert->url_family, cert->public_url, cert->hash);
207 if (rc) {
208 return rc;
209 }
210 rc = ast_db_put(cert->hash_family, "path", cert->filename);
211 if (rc) {
212 ast_db_del(cert->url_family, cert->public_url);
213 return rc;
214 }
215
216 rc = add_cert_expiration_to_astdb(cert, cache_control_hdr, expires_hdr);
217 if (rc) {
218 ast_db_del(cert->url_family, cert->public_url);
219 ast_db_del(cert->hash_family, "path");
220 }
221
222 return rc;
223}
ast_db_del
int ast_db_del(const char *family, const char *key)
Delete entry in astdb.
Definition db.c:472
ast_stir_shaken_vs_ctx::public_url
const ast_string_field public_url
Definition verification.h:39
ast_stir_shaken_vs_ctx::hash
const ast_string_field hash
Definition verification.h:39
ast_stir_shaken_vs_ctx::filename
const ast_string_field filename
Definition verification.h:39
ast_stir_shaken_vs_ctx::url_family
const ast_string_field url_family
Definition verification.h:39
add_cert_expiration_to_astdb
static int add_cert_expiration_to_astdb(struct ast_stir_shaken_vs_ctx *cert, const char *cache_control_header, const char *expires_header)
Definition verification.c:112

References add_cert_expiration_to_astdb(), ast_db_del(), ast_db_put(), ast_stir_shaken_vs_ctx::filename, ast_stir_shaken_vs_ctx::hash, ast_stir_shaken_vs_ctx::hash_family, ast_stir_shaken_vs_ctx::public_url, and ast_stir_shaken_vs_ctx::url_family.

Referenced by retrieve_cert_from_url().

◆ ast_stir_shaken_vs_ctx_add_date_hdr()

enum ast_stir_shaken_vs_response_code ast_stir_shaken_vs_ctx_add_date_hdr ( struct ast_stir_shaken_vs_ctx ctx,
const char *  date_hdr 
)

Add the received Date header value to the VS context.

Parameters
ctxVS context
date_hdrDate header value
Return values
AST_STIR_SHAKEN_VS_SUCCESSif successful
OtherAST_STIR_SHAKEN_VS errors.

Definition at line 614 of file verification.c.

616{
617 return ast_string_field_set(ctx, date_hdr, date_hdr) == 0 ?
618 AST_STIR_SHAKEN_VS_SUCCESS : AST_STIR_SHAKEN_VS_INTERNAL_ERROR;
619}
AST_STIR_SHAKEN_VS_SUCCESS
@ AST_STIR_SHAKEN_VS_SUCCESS
Definition res_stir_shaken.h:24
AST_STIR_SHAKEN_VS_INTERNAL_ERROR
@ AST_STIR_SHAKEN_VS_INTERNAL_ERROR
Definition res_stir_shaken.h:27
ast_string_field_set
#define ast_string_field_set(x, field, data)
Set a field to a simple string value.
Definition stringfields.h:521

References AST_STIR_SHAKEN_VS_INTERNAL_ERROR, AST_STIR_SHAKEN_VS_SUCCESS, and ast_string_field_set.

Referenced by stir_shaken_incoming_request().

◆ ast_stir_shaken_vs_ctx_add_identity_hdr()

enum ast_stir_shaken_vs_response_code ast_stir_shaken_vs_ctx_add_identity_hdr ( struct ast_stir_shaken_vs_ctx ctx,
const char *  identity_hdr 
)

Add the received Identity header value to the VS context.

Parameters
ctxVS context
identity_hdrIdentity header value
Return values
AST_STIR_SHAKEN_VS_SUCCESSif successful
OtherAST_STIR_SHAKEN_VS errors.

Definition at line 606 of file verification.c.

608{
609 return ast_string_field_set(ctx, identity_hdr, identity_hdr) == 0 ?
610 AST_STIR_SHAKEN_VS_SUCCESS : AST_STIR_SHAKEN_VS_INTERNAL_ERROR;
611}

References AST_STIR_SHAKEN_VS_INTERNAL_ERROR, AST_STIR_SHAKEN_VS_SUCCESS, and ast_string_field_set.

Referenced by stir_shaken_incoming_request().

◆ ast_stir_shaken_vs_ctx_create()

enum ast_stir_shaken_vs_response_code ast_stir_shaken_vs_ctx_create ( const char *  caller_id,
struct ast_channel chan,
const char *  profile_name,
const char *  tag,
struct ast_stir_shaken_vs_ctx **  ctxout 
)

Create Verification Service context.

Parameters
caller_idIncoming caller id
chanIncoming channel
profile_nameThe profile name on the endpoint May be NULL.
endpoint_behaviorBehavior associated to the specific endpoint
tagIdentifying string to output in log and trace messages.
ctxoutReceives a pointer to the newly created context The caller must release with ao2_ref or ao2_cleanup.
Return values
AST_STIR_SHAKEN_VS_SUCCESSif successful.
AST_STIR_SHAKEN_VS_DISABLEDif verification is disabled by the endpoint itself, the profile or globally.
OtherAST_STIR_SHAKEN_VS errors.

Definition at line 659 of file verification.c.

662{
663 RAII_VAR(struct ast_stir_shaken_vs_ctx *, ctx, NULL, ao2_cleanup);
664 RAII_VAR(struct profile_cfg *, profile, NULL, ao2_cleanup);
665 RAII_VAR(struct verification_cfg *, vs, NULL, ao2_cleanup);
666 RAII_VAR(char *, canon_caller_id , canonicalize_tn_alloc(caller_id), ast_free);
667
668 const char *t = S_OR(tag, S_COR(chan, ast_channel_name(chan), ""));
669 SCOPE_ENTER(3, "%s: Enter\n", t);
670
671 vs = vs_get_cfg();
672 if (vs->global_disable) {
673 SCOPE_EXIT_RTN_VALUE(AST_STIR_SHAKEN_VS_DISABLED,
674 "%s: Globally disabled\n", t);
675 }
676
677 if (ast_strlen_zero(profile_name)) {
678 SCOPE_EXIT_RTN_VALUE(AST_STIR_SHAKEN_VS_DISABLED,
679 "%s: Disabled due to missing profile name\n", t);
680 }
681
682 profile = eprofile_get_cfg(profile_name);
683 if (!profile) {
684 SCOPE_EXIT_LOG_RTN_VALUE(AST_STIR_SHAKEN_VS_DISABLED,
685 LOG_ERROR, "%s: No profile for profile name '%s'. Call will continue\n", tag,
686 profile_name);
687 }
688
689 if (!PROFILE_ALLOW_VERIFY(profile)) {
690 SCOPE_EXIT_RTN_VALUE(AST_STIR_SHAKEN_VS_DISABLED,
691 "%s: Disabled by profile '%s'\n", t, profile_name);
692 }
693
694 if (ast_strlen_zero(tag)) {
695 SCOPE_EXIT_LOG_RTN_VALUE(AST_STIR_SHAKEN_VS_INVALID_ARGUMENTS,
696 LOG_ERROR, "%s: Must provide tag\n", t);
697 }
698
699 ctx = ao2_alloc_options(sizeof(*ctx), ctx_destructor,
700 AO2_ALLOC_OPT_LOCK_NOLOCK);
701 if (!ctx) {
702 SCOPE_EXIT_RTN_VALUE(AST_STIR_SHAKEN_VS_INTERNAL_ERROR);
703 }
704 if (ast_string_field_init(ctx, 1024) != 0) {
705 SCOPE_EXIT_RTN_VALUE(AST_STIR_SHAKEN_VS_INTERNAL_ERROR);
706 }
707
708 if (ast_string_field_set(ctx, tag, tag) != 0) {
709 SCOPE_EXIT_RTN_VALUE(AST_STIR_SHAKEN_VS_INTERNAL_ERROR);
710 }
711
712 ctx->chan = chan;
713 if (ast_string_field_set(ctx, caller_id, canon_caller_id) != 0) {
714 SCOPE_EXIT_RTN_VALUE(AST_STIR_SHAKEN_VS_INTERNAL_ERROR);
715 }
716
717 /* Transfer references to ctx */
718 ctx->eprofile = profile;
719 profile = NULL;
720
721 ao2_ref(ctx, +1);
722 *ctxout = ctx;
723 SCOPE_EXIT_RTN_VALUE(AST_STIR_SHAKEN_VS_SUCCESS, "%s: Done\n", t);
724}
ast_free
#define ast_free(a)
Definition astmm.h:180
AO2_ALLOC_OPT_LOCK_NOLOCK
@ AO2_ALLOC_OPT_LOCK_NOLOCK
Definition astobj2.h:367
ao2_ref
#define ao2_ref(o, delta)
Reference/unreference an object and return the old refcount.
Definition astobj2.h:459
ao2_alloc_options
#define ao2_alloc_options(data_size, destructor_fn, options)
Definition astobj2.h:404
ast_channel_name
const char * ast_channel_name(const struct ast_channel *chan)
canonicalize_tn_alloc
char * canonicalize_tn_alloc(const char *tn)
Canonicalize a TN into nre buffer.
Definition common_config.c:294
eprofile_get_cfg
struct profile_cfg * eprofile_get_cfg(const char *id)
Definition profile_config.c:127
PROFILE_ALLOW_VERIFY
#define PROFILE_ALLOW_VERIFY(__profile)
Definition common_config.h:449
SCOPE_EXIT_RTN_VALUE
#define SCOPE_EXIT_RTN_VALUE(__return_value,...)
Definition include/asterisk/logger.h:1036
SCOPE_EXIT_LOG_RTN_VALUE
#define SCOPE_EXIT_LOG_RTN_VALUE(__value, __log_level,...)
Definition include/asterisk/logger.h:1059
SCOPE_ENTER
#define SCOPE_ENTER(level,...)
Definition include/asterisk/logger.h:1008
LOG_ERROR
#define LOG_ERROR
Definition include/asterisk/logger.h:291
AST_STIR_SHAKEN_VS_INVALID_ARGUMENTS
@ AST_STIR_SHAKEN_VS_INVALID_ARGUMENTS
Definition res_stir_shaken.h:26
AST_STIR_SHAKEN_VS_DISABLED
@ AST_STIR_SHAKEN_VS_DISABLED
Definition res_stir_shaken.h:25
ast_string_field_init
#define ast_string_field_init(x, size)
Initialize a field pool and fields.
Definition stringfields.h:359
S_OR
#define S_OR(a, b)
returns the equivalent of logic or for strings: first one if not empty, otherwise second one.
Definition strings.h:80
S_COR
#define S_COR(a, b, c)
returns the equivalent of logic or for strings, with an additional boolean check: second one if not e...
Definition strings.h:87
ast_stir_shaken_vs_ctx
Definition verification.h:24
profile_cfg
Profile configuration for stir/shaken.
Definition common_config.h:421
ctx_destructor
static void ctx_destructor(void *obj)
Definition verification.c:647

References AO2_ALLOC_OPT_LOCK_NOLOCK, ao2_alloc_options, ao2_cleanup, ao2_ref, ast_channel_name(), ast_free, AST_STIR_SHAKEN_VS_DISABLED, AST_STIR_SHAKEN_VS_INTERNAL_ERROR, AST_STIR_SHAKEN_VS_INVALID_ARGUMENTS, AST_STIR_SHAKEN_VS_SUCCESS, ast_string_field_init, ast_string_field_set, ast_strlen_zero(), ast_stir_shaken_vs_ctx::caller_id, canonicalize_tn_alloc(), ast_stir_shaken_vs_ctx::chan, ctx_destructor(), eprofile_get_cfg(), LOG_ERROR, NULL, PROFILE_ALLOW_VERIFY, RAII_VAR, S_COR, S_OR, SCOPE_ENTER, SCOPE_EXIT_LOG_RTN_VALUE, SCOPE_EXIT_RTN_VALUE, ast_stir_shaken_vs_ctx::tag, and vs_get_cfg().

Referenced by stir_shaken_incoming_request().

◆ ast_stir_shaken_vs_ctx_set_response_code()

void ast_stir_shaken_vs_ctx_set_response_code ( struct ast_stir_shaken_vs_ctx ctx,
enum ast_stir_shaken_vs_response_code  vs_rc 
)

Sets response code on VS context.

Parameters
ctxVS context
vs_rcast_stir_shaken_vs_response_code to set

Definition at line 640 of file verification.c.

643{
644 ctx->failure_reason = vs_rc;
645}
ast_stir_shaken_vs_ctx::failure_reason
enum ast_stir_shaken_vs_response_code failure_reason
Definition verification.h:49

References ast_stir_shaken_vs_ctx::failure_reason.

Referenced by process_failure().

◆ ast_stir_shaken_vs_get_caller_id()

const char * ast_stir_shaken_vs_get_caller_id ( struct ast_stir_shaken_vs_ctx ctx)

Get caller_id from context.

Parameters
ctxVS context
Return values
CallerID or NULL

Definition at line 634 of file verification.c.

636{
637 return ctx->caller_id;
638}
ast_stir_shaken_vs_ctx::caller_id
const ast_string_field caller_id
Definition verification.h:39

References ast_stir_shaken_vs_ctx::caller_id.

Referenced by stir_shaken_incoming_request().

◆ ast_stir_shaken_vs_get_failure_action()

enum stir_shaken_failure_action_enum ast_stir_shaken_vs_get_failure_action ( struct ast_stir_shaken_vs_ctx ctx)

Get failure_action from context.

Parameters
ctxVS context
Return values
ast_stir_shaken_failure_action

Definition at line 622 of file verification.c.

624{
625 return ctx->eprofile->vcfg_common.stir_shaken_failure_action;
626}
ast_stir_shaken_vs_ctx::eprofile
struct profile_cfg * eprofile
Definition verification.h:40
profile_cfg::vcfg_common
struct verification_cfg_common vcfg_common
Definition common_config.h:431
verification_cfg_common::stir_shaken_failure_action
enum stir_shaken_failure_action_enum stir_shaken_failure_action
Definition common_config.h:362

References ast_stir_shaken_vs_ctx::eprofile, verification_cfg_common::stir_shaken_failure_action, and profile_cfg::vcfg_common.

Referenced by process_failure().

◆ ast_stir_shaken_vs_get_use_rfc9410_responses()

int ast_stir_shaken_vs_get_use_rfc9410_responses ( struct ast_stir_shaken_vs_ctx ctx)

Get use_rfc9410_responses from context.

Parameters
ctxVS context
Return values
1if true
0if false

Definition at line 628 of file verification.c.

630{
631 return ctx->eprofile->vcfg_common.use_rfc9410_responses;
632}
verification_cfg_common::use_rfc9410_responses
enum use_rfc9410_responses_enum use_rfc9410_responses
Definition common_config.h:364

References ast_stir_shaken_vs_ctx::eprofile, verification_cfg_common::use_rfc9410_responses, and profile_cfg::vcfg_common.

Referenced by process_failure().

◆ ast_stir_shaken_vs_verify()

enum ast_stir_shaken_vs_response_code ast_stir_shaken_vs_verify ( struct ast_stir_shaken_vs_ctx ctx)

Perform incoming call verification.

Parameters
ctxVS context
Return values
AST_STIR_SHAKEN_AS_SUCCESSif successful
OtherAST_STIR_SHAKEN_AS errors.

Definition at line 895 of file verification.c.

896{
897 RAII_VAR(char *, jwt_encoded, NULL, ast_free);
898 RAII_VAR(jwt_t *, jwt, NULL, jwt_free);
899 RAII_VAR(struct ast_json *, grants, NULL, ast_json_unref);
900 char *p = NULL;
901 char *grants_str = NULL;
902 const char *x5u;
903 const char *ppt_header = NULL;
904 const char *grant = NULL;
905 time_t now_s = time(NULL);
906 time_t iat;
907 struct ast_json *grant_obj = NULL;
908 int len;
909 int rc;
910 enum ast_stir_shaken_vs_response_code vs_rc;
911 SCOPE_ENTER(3, "%s: Verifying\n", ctx ? ctx->tag : "NULL");
912
913 if (!ctx) {
914 SCOPE_EXIT_LOG_RTN_VALUE(AST_STIR_SHAKEN_VS_INTERNAL_ERROR, LOG_ERROR,
915 "%s: No context object!\n", "NULL");
916 }
917
918 if (ast_strlen_zero(ctx->identity_hdr)) {
919 SCOPE_EXIT_LOG_RTN_VALUE(AST_STIR_SHAKEN_VS_INTERNAL_ERROR, LOG_ERROR,
920 "%s: No identity header in ctx\n", ctx->tag);
921 }
922
923 p = strchr(ctx->identity_hdr, ';');
924 if (ast_strlen_zero(p)) {
925 SCOPE_EXIT_LOG_RTN_VALUE(AST_STIR_SHAKEN_VS_INVALID_HEADER,
926 LOG_ERROR, "%s: Malformed identity header\n", ctx->tag);
927 }
928
929 len = p - ctx->identity_hdr + 1;
930 jwt_encoded = ast_malloc(len);
931 if (!jwt_encoded) {
932 SCOPE_EXIT_LOG_RTN_VALUE(AST_STIR_SHAKEN_VS_INTERNAL_ERROR, LOG_ERROR,
933 "%s: Failed to allocate memory for encoded jwt\n", ctx->tag);
934 }
935
936 memcpy(jwt_encoded, ctx->identity_hdr, len);
937 jwt_encoded[len - 1] = '\0';
938
939 rc = jwt_decode(&jwt, jwt_encoded, NULL, 0);
940 if (rc != 0) {
941 SCOPE_EXIT_RTN_VALUE(AST_STIR_SHAKEN_VS_INVALID_HEADER, "%s: %s\n",
942 ctx->tag, vs_response_code_to_str(AST_STIR_SHAKEN_VS_INVALID_HEADER));
943 }
944
945 ppt_header = jwt_get_header(jwt, "ppt");
946 if (!ppt_header || strcmp(ppt_header, STIR_SHAKEN_PPT)) {
947 SCOPE_EXIT_RTN_VALUE(AST_STIR_SHAKEN_VS_INVALID_OR_NO_PPT, "%s: %s\n",
948 ctx->tag, vs_response_code_to_str(AST_STIR_SHAKEN_VS_INVALID_OR_NO_PPT));
949 }
950
951 vs_rc = check_date_header(ctx);
952 if (vs_rc != AST_STIR_SHAKEN_VS_SUCCESS) {
953 SCOPE_EXIT_LOG_RTN_VALUE(vs_rc, LOG_ERROR,
954 "%s: Date header verification failed\n", ctx->tag);
955 }
956
957 x5u = jwt_get_header(jwt, "x5u");
958 if (ast_strlen_zero(x5u)) {
959 SCOPE_EXIT_LOG_RTN_VALUE(AST_STIR_SHAKEN_VS_INVALID_OR_NO_X5U, LOG_ERROR,
960 "%s: No x5u in Identity header\n", ctx->tag);
961 }
962
963 vs_rc = check_x5u_url(ctx, x5u);
964 if (vs_rc != AST_STIR_SHAKEN_VS_SUCCESS) {
965 SCOPE_EXIT_RTN_VALUE(vs_rc,
966 "%s: x5u URL verification failed\n", ctx->tag);
967 }
968
969 ast_trace(3, "%s: Decoded enough to get x5u: '%s'\n", ctx->tag, x5u);
970 if (ast_string_field_set(ctx, public_url, x5u) != 0) {
971 SCOPE_EXIT_LOG_RTN_VALUE(AST_STIR_SHAKEN_VS_INTERNAL_ERROR, LOG_ERROR,
972 "%s: Failed to set public_url '%s'\n", ctx->tag, x5u);
973 }
974
975 iat = jwt_get_grant_int(jwt, "iat");
976 if (iat == 0) {
977 SCOPE_EXIT_LOG_RTN_VALUE(AST_STIR_SHAKEN_VS_NO_IAT, LOG_ERROR,
978 "%s: No 'iat' in Identity header\n", ctx->tag);
979 }
980 ast_trace(1, "date_hdr: %zu iat: %zu\n",
981 ctx->date_hdr_time, iat);
982
983 if (iat + ctx->eprofile->vcfg_common.max_iat_age < now_s) {
984 SCOPE_EXIT_RTN_VALUE(AST_STIR_SHAKEN_VS_IAT_EXPIRED,
985 "%s: iat %ld older than %u seconds\n", ctx->tag,
986 iat, ctx->eprofile->vcfg_common.max_iat_age);
987 }
988 ctx->validity_check_time = iat;
989
990 vs_rc = ctx_populate(ctx);
991 if (vs_rc != AST_STIR_SHAKEN_VS_SUCCESS) {
992 SCOPE_EXIT_LOG_RTN_VALUE(vs_rc, LOG_ERROR,
993 "%s: Unable to populate ctx\n", ctx->tag);
994 }
995
996 vs_rc = retrieve_verification_cert(ctx);
997 if (vs_rc != AST_STIR_SHAKEN_VS_SUCCESS) {
998 SCOPE_EXIT_LOG_RTN_VALUE(vs_rc, LOG_ERROR,
999 "%s: Could not get valid cert from '%s'\n", ctx->tag, ctx->public_url);
1000 }
1001
1002 jwt_free(jwt);
1003 jwt = NULL;
1004
1005 rc = jwt_decode(&jwt, jwt_encoded, ctx->raw_key, ctx->raw_key_len);
1006 if (rc != 0) {
1007 SCOPE_EXIT_LOG_RTN_VALUE(AST_STIR_SHAKEN_VS_SIGNATURE_VALIDATION,
1008 LOG_ERROR, "%s: Signature validation failed for '%s'\n",
1009 ctx->tag, ctx->public_url);
1010 }
1011
1012 ast_trace(1, "%s: Decoding succeeded\n", ctx->tag);
1013
1014 ppt_header = jwt_get_header(jwt, "alg");
1015 if (!ppt_header || strcmp(ppt_header, STIR_SHAKEN_ENCRYPTION_ALGORITHM)) {
1016 SCOPE_EXIT_RTN_VALUE(AST_STIR_SHAKEN_VS_INVALID_OR_NO_ALG,
1017 "%s: %s\n", ctx->tag,
1018 vs_response_code_to_str(AST_STIR_SHAKEN_VS_INVALID_OR_NO_ALG));
1019 }
1020
1021 ppt_header = jwt_get_header(jwt, "ppt");
1022 if (!ppt_header || strcmp(ppt_header, STIR_SHAKEN_PPT)) {
1023 SCOPE_EXIT_RTN_VALUE(AST_STIR_SHAKEN_VS_INVALID_OR_NO_PPT,
1024 "%s: %s\n", ctx->tag,
1025 vs_response_code_to_str(AST_STIR_SHAKEN_VS_INVALID_OR_NO_PPT));
1026 }
1027
1028 ppt_header = jwt_get_header(jwt, "typ");
1029 if (!ppt_header || strcmp(ppt_header, STIR_SHAKEN_TYPE)) {
1030 SCOPE_EXIT_RTN_VALUE(AST_STIR_SHAKEN_VS_INVALID_OR_NO_TYP,
1031 "%s: %s\n", ctx->tag,
1032 vs_response_code_to_str(AST_STIR_SHAKEN_VS_INVALID_OR_NO_TYP));
1033 }
1034
1035 grants_str = jwt_get_grants_json(jwt, NULL);
1036 if (ast_strlen_zero(grants_str)) {
1037 SCOPE_EXIT_RTN_VALUE(AST_STIR_SHAKEN_VS_INVALID_OR_NO_GRANTS,
1038 "%s: %s\n", ctx->tag,
1039 vs_response_code_to_str(AST_STIR_SHAKEN_VS_INVALID_OR_NO_GRANTS));
1040 }
1041 ast_trace(1, "grants: %s\n", grants_str);
1042 grants = ast_json_load_string(grants_str, NULL);
1043 ast_std_free(grants_str);
1044 if (!grants) {
1045 SCOPE_EXIT_RTN_VALUE(AST_STIR_SHAKEN_VS_INVALID_OR_NO_GRANTS,
1046 "%s: %s\n", ctx->tag,
1047 vs_response_code_to_str(AST_STIR_SHAKEN_VS_INVALID_OR_NO_GRANTS));
1048 }
1049
1050 grant = ast_json_object_string_get(grants, "attest");
1051 if (ast_strlen_zero(grant)) {
1052 SCOPE_EXIT_RTN_VALUE(AST_STIR_SHAKEN_VS_INVALID_OR_NO_ATTEST,
1053 "%s: No 'attest' in Identity header\n", ctx->tag);
1054 }
1055 if (grant[0] < 'A' || grant[0] > 'C') {
1056 SCOPE_EXIT_RTN_VALUE(AST_STIR_SHAKEN_VS_INVALID_OR_NO_ATTEST,
1057 "%s: Invalid attest value '%s'\n", ctx->tag, grant);
1058 }
1059 ast_string_field_set(ctx, attestation, grant);
1060 ast_trace(1, "got attest: %s\n", grant);
1061
1062 grant_obj = ast_json_object_get(grants, "dest");
1063 if (!grant_obj) {
1064 SCOPE_EXIT_RTN_VALUE(AST_STIR_SHAKEN_VS_NO_DEST_TN,
1065 "%s: No 'dest' in Identity header\n", ctx->tag);
1066 }
1067 if (TRACE_ATLEAST(3)) {
1068 char *otn = ast_json_dump_string(grant_obj);
1069 ast_trace(1, "got dest: %s\n", otn);
1070 ast_json_free(otn);
1071 }
1072
1073 grant_obj = ast_json_object_get(grants, "orig");
1074 if (!grant_obj) {
1075 SCOPE_EXIT_RTN_VALUE(AST_STIR_SHAKEN_VS_NO_ORIG_TN,
1076 "%s: No 'orig' in Identity header\n", ctx->tag);
1077 }
1078 if (TRACE_ATLEAST(3)) {
1079 char *otn = ast_json_dump_string(grant_obj);
1080 ast_trace(1, "got orig: %s\n", otn);
1081 ast_json_free(otn);
1082 }
1083 grant = ast_json_object_string_get(grant_obj, "tn");
1084 if (!grant) {
1085 SCOPE_EXIT_RTN_VALUE(AST_STIR_SHAKEN_VS_NO_ORIG_TN,
1086 "%s: No 'orig.tn' in Indentity header\n", ctx->tag);
1087 }
1088 ast_string_field_set(ctx, orig_tn, grant);
1089 if (strcmp(ctx->caller_id, ctx->orig_tn) != 0) {
1090 SCOPE_EXIT_RTN_VALUE(AST_STIR_SHAKEN_VS_CID_ORIG_TN_MISMATCH,
1091 "%s: Mismatched cid '%s' and orig_tn '%s'\n", ctx->tag,
1092 ctx->caller_id, grant);
1093 }
1094
1095 grant = ast_json_object_string_get(grants, "origid");
1096 if (ast_strlen_zero(grant)) {
1097 SCOPE_EXIT_RTN_VALUE(AST_STIR_SHAKEN_VS_NO_ORIGID,
1098 "%s: No 'origid' in Identity header\n", ctx->tag);
1099 }
1100
1101 SCOPE_EXIT_RTN_VALUE(AST_STIR_SHAKEN_VS_SUCCESS,
1102 "%s: verification succeeded\n", ctx->tag);
1103}
ast_std_free
void ast_std_free(void *ptr)
Definition astmm.c:1734
ast_malloc
#define ast_malloc(len)
A wrapper for malloc()
Definition astmm.h:191
len
static int len(struct ast_channel *chan, const char *cmd, char *data, char *buf, size_t buflen)
Definition func_strings.c:1669
ast_trace
#define ast_trace(level,...)
Definition include/asterisk/logger.h:999
ast_json_object_string_get
#define ast_json_object_string_get(object, key)
Get a string field from a JSON object.
Definition json.h:600
ast_json_unref
void ast_json_unref(struct ast_json *value)
Decrease refcount on value. If refcount reaches zero, value is freed.
Definition json.c:73
ast_json_free
void ast_json_free(void *p)
Asterisk's custom JSON allocator. Exposed for use by unit tests.
Definition json.c:52
ast_json_dump_string
#define ast_json_dump_string(root)
Encode a JSON value to a compact string.
Definition json.h:810
ast_json_load_string
struct ast_json * ast_json_load_string(const char *input, struct ast_json_error *error)
Parse null terminated string into a JSON object or array.
Definition json.c:567
ast_json_object_get
struct ast_json * ast_json_object_get(struct ast_json *object, const char *key)
Get a field from a JSON object.
Definition json.c:407
ast_stir_shaken_vs_response_code
ast_stir_shaken_vs_response_code
Definition res_stir_shaken.h:23
AST_STIR_SHAKEN_VS_INVALID_OR_NO_ATTEST
@ AST_STIR_SHAKEN_VS_INVALID_OR_NO_ATTEST
Definition res_stir_shaken.h:51
AST_STIR_SHAKEN_VS_INVALID_OR_NO_TYP
@ AST_STIR_SHAKEN_VS_INVALID_OR_NO_TYP
Definition res_stir_shaken.h:49
AST_STIR_SHAKEN_VS_CID_ORIG_TN_MISMATCH
@ AST_STIR_SHAKEN_VS_CID_ORIG_TN_MISMATCH
Definition res_stir_shaken.h:54
AST_STIR_SHAKEN_VS_NO_DEST_TN
@ AST_STIR_SHAKEN_VS_NO_DEST_TN
Definition res_stir_shaken.h:55
AST_STIR_SHAKEN_VS_IAT_EXPIRED
@ AST_STIR_SHAKEN_VS_IAT_EXPIRED
Definition res_stir_shaken.h:46
AST_STIR_SHAKEN_VS_SIGNATURE_VALIDATION
@ AST_STIR_SHAKEN_VS_SIGNATURE_VALIDATION
Definition res_stir_shaken.h:44
AST_STIR_SHAKEN_VS_INVALID_OR_NO_ALG
@ AST_STIR_SHAKEN_VS_INVALID_OR_NO_ALG
Definition res_stir_shaken.h:48
AST_STIR_SHAKEN_VS_NO_ORIGID
@ AST_STIR_SHAKEN_VS_NO_ORIGID
Definition res_stir_shaken.h:52
AST_STIR_SHAKEN_VS_INVALID_HEADER
@ AST_STIR_SHAKEN_VS_INVALID_HEADER
Definition res_stir_shaken.h:56
AST_STIR_SHAKEN_VS_NO_IAT
@ AST_STIR_SHAKEN_VS_NO_IAT
Definition res_stir_shaken.h:45
AST_STIR_SHAKEN_VS_NO_ORIG_TN
@ AST_STIR_SHAKEN_VS_NO_ORIG_TN
Definition res_stir_shaken.h:53
AST_STIR_SHAKEN_VS_INVALID_OR_NO_PPT
@ AST_STIR_SHAKEN_VS_INVALID_OR_NO_PPT
Definition res_stir_shaken.h:47
AST_STIR_SHAKEN_VS_INVALID_OR_NO_GRANTS
@ AST_STIR_SHAKEN_VS_INVALID_OR_NO_GRANTS
Definition res_stir_shaken.h:50
AST_STIR_SHAKEN_VS_INVALID_OR_NO_X5U
@ AST_STIR_SHAKEN_VS_INVALID_OR_NO_X5U
Definition res_stir_shaken.h:33
STIR_SHAKEN_ENCRYPTION_ALGORITHM
#define STIR_SHAKEN_ENCRYPTION_ALGORITHM
Definition stir_shaken.h:28
STIR_SHAKEN_PPT
#define STIR_SHAKEN_PPT
Definition stir_shaken.h:29
STIR_SHAKEN_TYPE
#define STIR_SHAKEN_TYPE
Definition stir_shaken.h:30
ast_json
Abstract JSON element (object, array, string, int, ...).
ast_stir_shaken_vs_ctx::orig_tn
const ast_string_field orig_tn
Definition verification.h:39
ast_stir_shaken_vs_ctx::raw_key
unsigned char * raw_key
Definition verification.h:45
ast_stir_shaken_vs_ctx::tag
const ast_string_field tag
Definition verification.h:39
ast_stir_shaken_vs_ctx::raw_key_len
long raw_key_len
Definition verification.h:44
ast_stir_shaken_vs_ctx::identity_hdr
const ast_string_field identity_hdr
Definition verification.h:39
ast_stir_shaken_vs_ctx::validity_check_time
time_t validity_check_time
Definition verification.h:43
ast_stir_shaken_vs_ctx::date_hdr_time
time_t date_hdr_time
Definition verification.h:42
verification_cfg_common::max_iat_age
unsigned int max_iat_age
Definition common_config.h:358
check_x5u_url
static int check_x5u_url(struct ast_stir_shaken_vs_ctx *ctx, const char *x5u)
Definition verification.c:837
vs_response_code_to_str
const char * vs_response_code_to_str(enum ast_stir_shaken_vs_response_code vs_rc)
Return string version of VS response code.
Definition verification.c:90
retrieve_verification_cert
static enum ast_stir_shaken_vs_response_code retrieve_verification_cert(struct ast_stir_shaken_vs_ctx *ctx)
Definition verification.c:577
check_date_header
static enum ast_stir_shaken_vs_response_code check_date_header(struct ast_stir_shaken_vs_ctx *ctx)
Definition verification.c:726
ctx_populate
static enum ast_stir_shaken_vs_response_code ctx_populate(struct ast_stir_shaken_vs_ctx *ctx)
Definition verification.c:549

References ast_free, ast_json_dump_string, ast_json_free(), ast_json_load_string(), ast_json_object_get(), ast_json_object_string_get, ast_json_unref(), ast_malloc, ast_std_free(), AST_STIR_SHAKEN_VS_CID_ORIG_TN_MISMATCH, AST_STIR_SHAKEN_VS_IAT_EXPIRED, AST_STIR_SHAKEN_VS_INTERNAL_ERROR, AST_STIR_SHAKEN_VS_INVALID_HEADER, AST_STIR_SHAKEN_VS_INVALID_OR_NO_ALG, AST_STIR_SHAKEN_VS_INVALID_OR_NO_ATTEST, AST_STIR_SHAKEN_VS_INVALID_OR_NO_GRANTS, AST_STIR_SHAKEN_VS_INVALID_OR_NO_PPT, AST_STIR_SHAKEN_VS_INVALID_OR_NO_TYP, AST_STIR_SHAKEN_VS_INVALID_OR_NO_X5U, AST_STIR_SHAKEN_VS_NO_DEST_TN, AST_STIR_SHAKEN_VS_NO_IAT, AST_STIR_SHAKEN_VS_NO_ORIG_TN, AST_STIR_SHAKEN_VS_NO_ORIGID, AST_STIR_SHAKEN_VS_SIGNATURE_VALIDATION, AST_STIR_SHAKEN_VS_SUCCESS, ast_string_field_set, ast_strlen_zero(), ast_trace, ast_stir_shaken_vs_ctx::caller_id, check_date_header(), check_x5u_url(), ctx_populate(), ast_stir_shaken_vs_ctx::date_hdr_time, ast_stir_shaken_vs_ctx::eprofile, ast_stir_shaken_vs_ctx::identity_hdr, len(), LOG_ERROR, verification_cfg_common::max_iat_age, NULL, ast_stir_shaken_vs_ctx::orig_tn, ast_stir_shaken_vs_ctx::public_url, RAII_VAR, ast_stir_shaken_vs_ctx::raw_key, ast_stir_shaken_vs_ctx::raw_key_len, retrieve_verification_cert(), SCOPE_ENTER, SCOPE_EXIT_LOG_RTN_VALUE, SCOPE_EXIT_RTN_VALUE, STIR_SHAKEN_ENCRYPTION_ALGORITHM, STIR_SHAKEN_PPT, STIR_SHAKEN_TYPE, ast_stir_shaken_vs_ctx::tag, TRACE_ATLEAST, ast_stir_shaken_vs_ctx::validity_check_time, profile_cfg::vcfg_common, and vs_response_code_to_str().

Referenced by stir_shaken_incoming_request().

◆ check_cert()

static enum ast_stir_shaken_vs_response_code check_cert ( struct ast_stir_shaken_vs_ctx ctx)
static

Definition at line 326 of file verification.c.

328{
329 RAII_VAR(char *, CN, NULL, ast_free);
330 int res = 0;
331 const char *err_msg;
332 SCOPE_ENTER(3, "%s: Validating cert '%s'\n", ctx->tag, ctx->public_url);
333
334 CN = crypto_get_cert_subject(ctx->xcert, "CN");
335 if (!CN) {
336 CN = crypto_get_cert_subject(ctx->xcert, NULL);
337 SCOPE_EXIT_LOG_RTN_VALUE(AST_STIR_SHAKEN_VS_CERT_CONTENTS_INVALID,
338 LOG_ERROR, "%s: Cert '%s' has no commonName(CN) in Subject '%s'\n",
339 ctx->tag, ctx->public_url, CN);
340 }
341
342 res = ast_string_field_set(ctx, cert_cn, CN);
343 if (res != 0) {
344 SCOPE_EXIT_RTN_VALUE(AST_STIR_SHAKEN_VS_INTERNAL_ERROR);
345 }
346
347 ast_trace(3,"%s: Checking ctx against CA ctx\n", ctx->tag);
348 res = crypto_is_cert_trusted(ctx->eprofile->vcfg_common.tcs, ctx->xcert,
349 ctx->cert_chain, &err_msg);
350 if (!res) {
351 SCOPE_EXIT_LOG_RTN_VALUE(AST_STIR_SHAKEN_VS_CERT_NOT_TRUSTED,
352 LOG_ERROR, "%s: Cert '%s' not trusted: %s\n",
353 ctx->tag, ctx->public_url, err_msg);
354 }
355
356 ast_trace(3,"%s: Attempting to get the raw pubkey\n", ctx->tag);
357 ctx->raw_key_len = crypto_get_raw_pubkey_from_cert(ctx->xcert,
358 &ctx->raw_key);
359 if (ctx->raw_key_len <= 0) {
360 SCOPE_EXIT_LOG_RTN_VALUE(AST_STIR_SHAKEN_VS_NO_RAW_KEY,
361 LOG_ERROR, "%s: Unable to extract raw public key from '%s'\n",
362 ctx->tag, ctx->public_url);
363 }
364
365 ast_trace(3,"%s: Checking cert '%s' validity dates\n",
366 ctx->tag, ctx->public_url);
367 if (!crypto_is_cert_time_valid(ctx->xcert, ctx->validity_check_time)) {
368 SCOPE_EXIT_LOG_RTN_VALUE(AST_STIR_SHAKEN_VS_CERT_DATE_INVALID,
369 LOG_ERROR, "%s: Cert '%s' dates not valid\n",
370 ctx->tag, ctx->public_url);
371 }
372
373 SCOPE_EXIT_RTN_VALUE(check_tn_auth_list(ctx),
374 "%s: Cert '%s' with SPC: %s CN: %s is valid\n",
375 ctx->tag, ctx->public_url, ctx->cert_spc, ctx->cert_cn);
376}
crypto_get_raw_pubkey_from_cert
int crypto_get_raw_pubkey_from_cert(X509 *cert, unsigned char **buffer)
Retrieve RAW public key from cert.
Definition crypto_utils.c:396
crypto_get_cert_subject
char * crypto_get_cert_subject(X509 *cert, const char *short_name)
Returns the Subject (or component of Subject) from a certificate.
Definition crypto_utils.c:917
crypto_is_cert_time_valid
int crypto_is_cert_time_valid(X509 *cert, time_t reftime)
Check if the reftime is within the cert's valid dates.
Definition crypto_utils.c:810
crypto_is_cert_trusted
int crypto_is_cert_trusted(struct crypto_cert_store *store, X509 *cert, STACK_OF(X509) *cert_chain, const char **err_msg)
Check if the cert is trusted.
Definition crypto_utils.c:829
AST_STIR_SHAKEN_VS_CERT_DATE_INVALID
@ AST_STIR_SHAKEN_VS_CERT_DATE_INVALID
Definition res_stir_shaken.h:40
AST_STIR_SHAKEN_VS_NO_RAW_KEY
@ AST_STIR_SHAKEN_VS_NO_RAW_KEY
Definition res_stir_shaken.h:43
AST_STIR_SHAKEN_VS_CERT_CONTENTS_INVALID
@ AST_STIR_SHAKEN_VS_CERT_CONTENTS_INVALID
Definition res_stir_shaken.h:38
AST_STIR_SHAKEN_VS_CERT_NOT_TRUSTED
@ AST_STIR_SHAKEN_VS_CERT_NOT_TRUSTED
Definition res_stir_shaken.h:39
ast_stir_shaken_vs_ctx::cert_cn
const ast_string_field cert_cn
Definition verification.h:39
ast_stir_shaken_vs_ctx::cert_spc
const ast_string_field cert_spc
Definition verification.h:39
verification_cfg_common::tcs
struct crypto_cert_store * tcs
Definition common_config.h:372
check_tn_auth_list
static enum ast_stir_shaken_vs_response_code check_tn_auth_list(struct ast_stir_shaken_vs_ctx *ctx)
Definition verification.c:254

References ast_free, AST_STIR_SHAKEN_VS_CERT_CONTENTS_INVALID, AST_STIR_SHAKEN_VS_CERT_DATE_INVALID, AST_STIR_SHAKEN_VS_CERT_NOT_TRUSTED, AST_STIR_SHAKEN_VS_INTERNAL_ERROR, AST_STIR_SHAKEN_VS_NO_RAW_KEY, ast_string_field_set, ast_trace, ast_stir_shaken_vs_ctx::cert_cn, ast_stir_shaken_vs_ctx::cert_spc, check_tn_auth_list(), crypto_get_cert_subject(), crypto_get_raw_pubkey_from_cert(), crypto_is_cert_time_valid(), crypto_is_cert_trusted(), ast_stir_shaken_vs_ctx::eprofile, LOG_ERROR, NULL, ast_stir_shaken_vs_ctx::public_url, RAII_VAR, ast_stir_shaken_vs_ctx::raw_key, ast_stir_shaken_vs_ctx::raw_key_len, SCOPE_ENTER, SCOPE_EXIT_LOG_RTN_VALUE, SCOPE_EXIT_RTN_VALUE, ast_stir_shaken_vs_ctx::tag, verification_cfg_common::tcs, ast_stir_shaken_vs_ctx::validity_check_time, profile_cfg::vcfg_common, and ast_stir_shaken_vs_ctx::xcert.

Referenced by retrieve_cert_from_cache(), and retrieve_cert_from_url().

◆ check_date_header()

static enum ast_stir_shaken_vs_response_code check_date_header ( struct ast_stir_shaken_vs_ctx ctx)
static

Definition at line 726 of file verification.c.

728{
729 struct ast_tm date_hdr_tm;
730 struct timeval date_hdr_timeval;
731 struct timeval current_timeval;
732 char *remainder;
733 char timezone[80] = { 0 };
734 int64_t time_diff;
735 SCOPE_ENTER(3, "%s: Checking date header: '%s'\n",
736 ctx->tag, ctx->date_hdr);
737
738 if (ast_strlen_zero(ctx->date_hdr)) {
739 if (ctx->eprofile->vcfg_common.ignore_sip_date_header) {
740 SCOPE_EXIT_RTN_VALUE(AST_STIR_SHAKEN_VS_SUCCESS,
741 "%s: ignore_sip_date_header set\n", ctx->tag);
742 }
743 SCOPE_EXIT_LOG_RTN_VALUE(AST_STIR_SHAKEN_VS_NO_DATE_HDR,
744 LOG_ERROR, "%s: No date header provided\n", ctx->tag);
745 }
746
747 if (!(remainder = ast_strptime(ctx->date_hdr, "%a, %d %b %Y %T", &date_hdr_tm))) {
748 SCOPE_EXIT_LOG_RTN_VALUE(AST_STIR_SHAKEN_VS_DATE_HDR_PARSE_FAILURE,
749 LOG_ERROR, "%s: Failed to parse: '%s'\n",
750 ctx->tag, ctx->date_hdr);
751 }
752
753 sscanf(remainder, "%79s", timezone);
754
755 if (ast_strlen_zero(timezone)) {
756 SCOPE_EXIT_LOG_RTN_VALUE(AST_STIR_SHAKEN_VS_DATE_HDR_PARSE_FAILURE,
757 LOG_ERROR, "%s: A timezone is required: '%s'\n",
758 ctx->tag, ctx->date_hdr);
759 }
760
761 date_hdr_timeval = ast_mktime(&date_hdr_tm, timezone);
762 ctx->date_hdr_time = date_hdr_timeval.tv_sec;
763 current_timeval = ast_tvnow();
764
765 time_diff = ast_tvdiff_ms(current_timeval, date_hdr_timeval);
766 ast_trace(3, "%zu %zu %zu %d\n", current_timeval.tv_sec,
767 date_hdr_timeval.tv_sec,
768 (current_timeval.tv_sec - date_hdr_timeval.tv_sec), (int)time_diff);
769 if (time_diff < 0) {
770 /* An INVITE from the future! */
771 SCOPE_EXIT_LOG_RTN_VALUE(AST_STIR_SHAKEN_VS_DATE_HDR_EXPIRED,
772 LOG_ERROR, "%s: Future date: '%s'\n",
773 ctx->tag, ctx->date_hdr);
774 } else if (time_diff > (ctx->eprofile->vcfg_common.max_date_header_age * 1000)) {
775 SCOPE_EXIT_LOG_RTN_VALUE(AST_STIR_SHAKEN_VS_DATE_HDR_EXPIRED,
776 LOG_ERROR, "%s: More than %u seconds old: '%s'\n",
777 ctx->tag, ctx->eprofile->vcfg_common.max_date_header_age, ctx->date_hdr);
778 }
779
780 SCOPE_EXIT_RTN_VALUE(AST_STIR_SHAKEN_VS_SUCCESS,
781 "%s: Success: '%s'\n", ctx->tag, ctx->date_hdr);
782}
AST_STIR_SHAKEN_VS_NO_DATE_HDR
@ AST_STIR_SHAKEN_VS_NO_DATE_HDR
Definition res_stir_shaken.h:29
AST_STIR_SHAKEN_VS_DATE_HDR_EXPIRED
@ AST_STIR_SHAKEN_VS_DATE_HDR_EXPIRED
Definition res_stir_shaken.h:31
AST_STIR_SHAKEN_VS_DATE_HDR_PARSE_FAILURE
@ AST_STIR_SHAKEN_VS_DATE_HDR_PARSE_FAILURE
Definition res_stir_shaken.h:30
ast_stir_shaken_vs_ctx::date_hdr
const ast_string_field date_hdr
Definition verification.h:39
verification_cfg_common::ignore_sip_date_header
enum ignore_sip_date_header_enum ignore_sip_date_header
Definition common_config.h:370
verification_cfg_common::max_date_header_age
unsigned int max_date_header_age
Definition common_config.h:359
ast_tvdiff_ms
int64_t ast_tvdiff_ms(struct timeval end, struct timeval start)
Computes the difference (in milliseconds) between two struct timeval instances.
Definition time.h:107
ast_tvnow
struct timeval ast_tvnow(void)
Returns current timeval. Meant to replace calls to gettimeofday().
Definition time.h:159

References ast_mktime(), AST_STIR_SHAKEN_VS_DATE_HDR_EXPIRED, AST_STIR_SHAKEN_VS_DATE_HDR_PARSE_FAILURE, AST_STIR_SHAKEN_VS_NO_DATE_HDR, AST_STIR_SHAKEN_VS_SUCCESS, ast_strlen_zero(), ast_strptime(), ast_trace, ast_tvdiff_ms(), ast_tvnow(), ast_stir_shaken_vs_ctx::date_hdr, ast_stir_shaken_vs_ctx::date_hdr_time, ast_stir_shaken_vs_ctx::eprofile, verification_cfg_common::ignore_sip_date_header, LOG_ERROR, verification_cfg_common::max_date_header_age, SCOPE_ENTER, SCOPE_EXIT_LOG_RTN_VALUE, SCOPE_EXIT_RTN_VALUE, ast_stir_shaken_vs_ctx::tag, and profile_cfg::vcfg_common.

Referenced by ast_stir_shaken_vs_verify().

◆ check_tn_auth_list()

static enum ast_stir_shaken_vs_response_code check_tn_auth_list ( struct ast_stir_shaken_vs_ctx ctx)
static

Definition at line 254 of file verification.c.

255{
256 ASN1_OCTET_STRING *tn_exten;
257 const unsigned char* octet_str_data = NULL;
258 long xlen;
259 int tag, xclass;
260 int ret;
261 SCOPE_ENTER(3, "%s: Checking TNAuthList in cert '%s'\n", ctx->tag, ctx->public_url);
262
263 tn_exten = crypto_get_cert_extension_data(ctx->xcert, get_tn_auth_nid(), NULL);
264 if (!tn_exten) {
265 SCOPE_EXIT_LOG_RTN_VALUE(AST_STIR_SHAKEN_VS_CERT_NO_TN_AUTH_EXT,
266 LOG_ERROR, "%s: Cert '%s' doesn't have a TNAuthList extension\n",
267 ctx->tag, ctx->public_url);
268 }
269 octet_str_data = tn_exten->data;
270
271 /* The first call to ASN1_get_object should return a SEQUENCE */
272 ret = ASN1_get_object(&octet_str_data, &xlen, &tag, &xclass, tn_exten->length);
273 if (IS_GET_OBJ_ERR(ret)) {
274 crypto_log_openssl(LOG_ERROR, "%s: Cert '%s' has malformed TNAuthList extension\n",
275 ctx->tag, ctx->public_url);
276 SCOPE_EXIT_RTN_VALUE(AST_STIR_SHAKEN_VS_CERT_NO_TN_AUTH_EXT);
277 }
278
279 if (ret != V_ASN1_CONSTRUCTED || tag != V_ASN1_SEQUENCE) {
280 SCOPE_EXIT_LOG_RTN_VALUE(AST_STIR_SHAKEN_VS_CERT_NO_TN_AUTH_EXT,
281 LOG_ERROR, "%s: Cert '%s' has malformed TNAuthList extension (tag %d != V_ASN1_SEQUENCE)\n",
282 ctx->tag, ctx->public_url, tag);
283 }
284
285 /*
286 * The second call to ASN1_get_object should return one of
287 * the following tags defined in RFC8226 section 9:
288 *
289 * ASN1_TAG_TNAUTH_SPC 0
290 * ASN1_TAG_TNAUTH_TN_RANGE 1
291 * ASN1_TAG_TNAUTH_TN 2
292 *
293 * ATIS-1000080 however limits this to only ASN1_TAG_TNAUTH_SPC
294 *
295 */
296 ret = ASN1_get_object(&octet_str_data, &xlen, &tag, &xclass, tn_exten->length);
297 if (IS_GET_OBJ_ERR(ret)) {
298 crypto_log_openssl(LOG_ERROR, "%s: Cert '%s' has malformed TNAuthList extension\n",
299 ctx->tag, ctx->public_url);
300 SCOPE_EXIT_RTN_VALUE(AST_STIR_SHAKEN_VS_CERT_NO_TN_AUTH_EXT);
301 }
302
303 if (ret != V_ASN1_CONSTRUCTED || tag != ASN1_TAG_TNAUTH_SPC) {
304 SCOPE_EXIT_LOG_RTN_VALUE(AST_STIR_SHAKEN_VS_CERT_NO_SPC_IN_TN_AUTH_EXT,
305 LOG_ERROR, "%s: Cert '%s' has malformed TNAuthList extension (tag %d != ASN1_TAG_TNAUTH_SPC(0))\n",
306 ctx->tag, ctx->public_url, tag);
307 }
308
309 /* The third call to ASN1_get_object should contain the SPC */
310 ret = ASN1_get_object(&octet_str_data, &xlen, &tag, &xclass, tn_exten->length);
311 if (ret != 0) {
312 SCOPE_EXIT_LOG_RTN_VALUE(AST_STIR_SHAKEN_VS_CERT_NO_SPC_IN_TN_AUTH_EXT,
313 LOG_ERROR, "%s: Cert '%s' has malformed TNAuthList extension (no SPC)\n",
314 ctx->tag, ctx->public_url);
315 }
316
317 if (ast_string_field_set(ctx, cert_spc, (char *)octet_str_data) != 0) {
318 SCOPE_EXIT_RTN_VALUE(AST_STIR_SHAKEN_VS_INTERNAL_ERROR);
319 }
320
321 SCOPE_EXIT_RTN_VALUE(AST_STIR_SHAKEN_VS_SUCCESS, "%s: Cert '%s' with SPC: %s CN: %s has valid TNAuthList\n",
322 ctx->tag, ctx->public_url, ctx->cert_spc, ctx->cert_cn);
323}
crypto_log_openssl
void crypto_log_openssl(int level, char *file, int line, const char *function, const char *fmt,...)
Print a log message with any OpenSSL errors appended.
Definition crypto_utils.c:45
crypto_get_cert_extension_data
ASN1_OCTET_STRING * crypto_get_cert_extension_data(X509 *cert, int nid, const char *short_name)
Return the data from a specific extension in a cert.
Definition crypto_utils.c:107
get_tn_auth_nid
int get_tn_auth_nid(void)
Retrieves the OpenSSL NID for the TN Auth list extension.
Definition res_stir_shaken.c:44
AST_STIR_SHAKEN_VS_CERT_NO_SPC_IN_TN_AUTH_EXT
@ AST_STIR_SHAKEN_VS_CERT_NO_SPC_IN_TN_AUTH_EXT
Definition res_stir_shaken.h:42
AST_STIR_SHAKEN_VS_CERT_NO_TN_AUTH_EXT
@ AST_STIR_SHAKEN_VS_CERT_NO_TN_AUTH_EXT
Definition res_stir_shaken.h:41
IS_GET_OBJ_ERR
#define IS_GET_OBJ_ERR(ret)
Definition verification.c:251
ASN1_TAG_TNAUTH_SPC
#define ASN1_TAG_TNAUTH_SPC
Definition verification.c:247

References ASN1_TAG_TNAUTH_SPC, AST_STIR_SHAKEN_VS_CERT_NO_SPC_IN_TN_AUTH_EXT, AST_STIR_SHAKEN_VS_CERT_NO_TN_AUTH_EXT, AST_STIR_SHAKEN_VS_INTERNAL_ERROR, AST_STIR_SHAKEN_VS_SUCCESS, ast_string_field_set, ast_stir_shaken_vs_ctx::cert_cn, ast_stir_shaken_vs_ctx::cert_spc, crypto_get_cert_extension_data(), crypto_log_openssl(), get_tn_auth_nid(), IS_GET_OBJ_ERR, LOG_ERROR, NULL, ast_stir_shaken_vs_ctx::public_url, SCOPE_ENTER, SCOPE_EXIT_LOG_RTN_VALUE, SCOPE_EXIT_RTN_VALUE, ast_stir_shaken_vs_ctx::tag, and ast_stir_shaken_vs_ctx::xcert.

Referenced by check_cert().

◆ check_x5u_url()

static int check_x5u_url ( struct ast_stir_shaken_vs_ctx ctx,
const char *  x5u 
)
static

Definition at line 837 of file verification.c.

839{
840 int max_groups = url_match_regex.re_nsub + 1;
841 regmatch_t pmatch[max_groups];
842 int rc;
843 SCOPE_ENTER(3, "%s: Checking x5u '%s'\n", ctx->tag, x5u);
844
845 rc = regexec(&url_match_regex, x5u, max_groups, pmatch, 0);
846 if (rc) {
847 char regex_error[512];
848 regerror(rc, &url_match_regex, regex_error, sizeof(regex_error));
849 SCOPE_EXIT_LOG_RTN_VALUE(AST_STIR_SHAKEN_VS_INVALID_OR_NO_X5U, LOG_ERROR,
850 "%s: x5u '%s' in Identity header failed basic URL validation: %s\n",
851 ctx->tag, x5u, regex_error);
852 }
853
854 if (ctx->eprofile->vcfg_common.relax_x5u_port_scheme_restrictions
855 != relax_x5u_port_scheme_restrictions_YES) {
856 const char *scheme = get_match_string(x5u, pmatch, URL_MATCH_SCHEME);
857 const char *port = get_match_string(x5u, pmatch, URL_MATCH_PORT);
858
859 if (!ast_strings_equal(scheme, "https")) {
860 DUMP_X5U_MATCH();
861 SCOPE_EXIT_LOG_RTN_VALUE(AST_STIR_SHAKEN_VS_INVALID_OR_NO_X5U, LOG_ERROR,
862 "%s: x5u '%s': scheme '%s' not https\n",
863 ctx->tag, x5u, scheme);
864 }
865 if (!ast_strlen_zero(port)) {
866 if (!ast_strings_equal(port, "443")
867 && !ast_strings_equal(port, "8443")) {
868 DUMP_X5U_MATCH();
869 SCOPE_EXIT_LOG_RTN_VALUE(AST_STIR_SHAKEN_VS_INVALID_OR_NO_X5U, LOG_ERROR,
870 "%s: x5u '%s': port '%s' not port 443 or 8443\n",
871 ctx->tag, x5u, port);
872 }
873 }
874 }
875
876 if (ctx->eprofile->vcfg_common.relax_x5u_path_restrictions
877 != relax_x5u_path_restrictions_YES) {
878 const char *userpass = get_match_string(x5u, pmatch, URL_MATCH_USERPASS);
879 const char *qs = get_match_string(x5u, pmatch, URL_MATCH_QUERY);
880 const char *frag = get_match_string(x5u, pmatch, URL_MATCH_FRAGMENT);
881
882 if (!ast_strlen_zero(userpass) || !ast_strlen_zero(qs)
883 || !ast_strlen_zero(frag)) {
884 DUMP_X5U_MATCH();
885 SCOPE_EXIT_LOG_RTN_VALUE(AST_STIR_SHAKEN_VS_INVALID_OR_NO_X5U, LOG_ERROR,
886 "%s: x5u '%s' contains user:password, query parameters or fragment\n",
887 ctx->tag, x5u);
888 }
889 }
890
891 return 0;
892}
ast_strings_equal
int ast_strings_equal(const char *str1, const char *str2)
Compare strings for equality checking for NULL.
Definition strings.c:238
verification_cfg_common::relax_x5u_path_restrictions
enum relax_x5u_path_restrictions_enum relax_x5u_path_restrictions
Definition common_config.h:367
verification_cfg_common::relax_x5u_port_scheme_restrictions
enum relax_x5u_port_scheme_restrictions_enum relax_x5u_port_scheme_restrictions
Definition common_config.h:365
url_match_regex
static regex_t url_match_regex
Definition verification.c:48
URL_MATCH_USERPASS
#define URL_MATCH_USERPASS
Definition verification.c:804
URL_MATCH_SCHEME
#define URL_MATCH_SCHEME
Definition verification.c:803
URL_MATCH_PORT
#define URL_MATCH_PORT
Definition verification.c:806
URL_MATCH_FRAGMENT
#define URL_MATCH_FRAGMENT
Definition verification.c:809
DUMP_X5U_MATCH
#define DUMP_X5U_MATCH()
Definition verification.c:823
URL_MATCH_QUERY
#define URL_MATCH_QUERY
Definition verification.c:808

References AST_STIR_SHAKEN_VS_INVALID_OR_NO_X5U, ast_strings_equal(), ast_strlen_zero(), DUMP_X5U_MATCH, ast_stir_shaken_vs_ctx::eprofile, get_match_string, LOG_ERROR, verification_cfg_common::relax_x5u_path_restrictions, verification_cfg_common::relax_x5u_port_scheme_restrictions, SCOPE_ENTER, SCOPE_EXIT_LOG_RTN_VALUE, ast_stir_shaken_vs_ctx::tag, URL_MATCH_FRAGMENT, URL_MATCH_PORT, URL_MATCH_QUERY, url_match_regex, URL_MATCH_SCHEME, URL_MATCH_USERPASS, and profile_cfg::vcfg_common.

Referenced by ast_stir_shaken_vs_verify().

◆ cleanup_cert_from_astdb_and_fs()

static void cleanup_cert_from_astdb_and_fs ( struct ast_stir_shaken_vs_ctx ctx)
static

Definition at line 97 of file verification.c.

99{
100 if (ast_db_exists(ctx->hash_family, "path") || ast_db_exists(ctx->hash_family, "expiration")) {
101 ast_db_deltree(ctx->hash_family, NULL);
102 }
103
104 if (ast_db_exists(ctx->url_family, ctx->public_url)) {
105 ast_db_del(ctx->url_family, ctx->public_url);
106 }
107
108 /* Remove the actual file from the system */
109 remove(ctx->filename);
110}
ast_db_deltree
int ast_db_deltree(const char *family, const char *keytree)
Delete one or more entries in astdb.
Definition db.c:559
ast_db_exists
int ast_db_exists(const char *family, const char *key)
Check if family/key exitsts.
Definition db.c:438
remove
#define remove
Definition main/stdtime/private.h:218

References ast_db_del(), ast_db_deltree(), ast_db_exists(), ast_stir_shaken_vs_ctx::filename, ast_stir_shaken_vs_ctx::hash_family, NULL, ast_stir_shaken_vs_ctx::public_url, remove, and ast_stir_shaken_vs_ctx::url_family.

Referenced by retrieve_cert_from_cache().

◆ ctx_destructor()

static void ctx_destructor ( void *  obj)
static

Definition at line 647 of file verification.c.

648{
649 struct ast_stir_shaken_vs_ctx *ctx = obj;
650
651 ao2_cleanup(ctx->eprofile);
652 ast_free(ctx->raw_key);
653 ast_string_field_free_memory(ctx);
654 X509_free(ctx->xcert);
655 sk_X509_free(ctx->cert_chain);
656}
ast_string_field_free_memory
#define ast_string_field_free_memory(x)
free all memory - to be called before destroying the object
Definition stringfields.h:374

References ao2_cleanup, ast_free, ast_string_field_free_memory, ast_stir_shaken_vs_ctx::eprofile, ast_stir_shaken_vs_ctx::raw_key, and ast_stir_shaken_vs_ctx::xcert.

Referenced by ast_stir_shaken_vs_ctx_create().

◆ ctx_populate()

static enum ast_stir_shaken_vs_response_code ctx_populate ( struct ast_stir_shaken_vs_ctx ctx)
static

Definition at line 549 of file verification.c.

551{
552 char hash[41];
553
554 ast_sha1_hash(hash, ctx->public_url);
555 if (ast_string_field_set(ctx, hash, hash) != 0) {
556 return AST_STIR_SHAKEN_VS_INTERNAL_ERROR;
557 }
558
559 if (ast_string_field_build(ctx, filename, "%s/%s.pem",
560 ctx->eprofile->vcfg_common.cert_cache_dir, hash) != 0) {
561 return AST_STIR_SHAKEN_VS_INTERNAL_ERROR;
562 }
563
564 if (ast_string_field_build(ctx, hash_family, "%s/hash/%s",
565 AST_DB_FAMILY, hash) != 0) {
566 return AST_STIR_SHAKEN_VS_INTERNAL_ERROR;
567 }
568
569 if (ast_string_field_build(ctx, url_family, "%s/url", AST_DB_FAMILY) != 0) {
570 return AST_STIR_SHAKEN_VS_INTERNAL_ERROR;
571 }
572
573 return AST_STIR_SHAKEN_VS_SUCCESS;
574}
ast_string_field_build
#define ast_string_field_build(x, field, fmt, args...)
Set a field to a complex (built) value.
Definition stringfields.h:555
verification_cfg_common::cert_cache_dir
const ast_string_field cert_cache_dir
Definition common_config.h:356
ast_sha1_hash
void ast_sha1_hash(char *output, const char *input)
Produces SHA1 hash based on input string.
Definition utils.c:266
AST_DB_FAMILY
#define AST_DB_FAMILY
Definition verification.c:46

References AST_DB_FAMILY, ast_sha1_hash(), AST_STIR_SHAKEN_VS_INTERNAL_ERROR, AST_STIR_SHAKEN_VS_SUCCESS, ast_string_field_build, ast_string_field_set, verification_cfg_common::cert_cache_dir, ast_stir_shaken_vs_ctx::eprofile, ast_stir_shaken_vs_ctx::public_url, and profile_cfg::vcfg_common.

Referenced by ast_stir_shaken_vs_verify().

◆ is_cert_cache_entry_expired()

static int is_cert_cache_entry_expired ( char *  expiration)
static

Definition at line 225 of file verification.c.

226{
227 struct timeval current_time = ast_tvnow();
228 struct timeval expires = { .tv_sec = 0, .tv_usec = 0 };
229 int res = 0;
230 SCOPE_ENTER(3, "Checking for cache expiration: %s\n", expiration);
231
232 if (ast_strlen_zero(expiration)) {
233 SCOPE_EXIT_RTN_VALUE(1, "No expiration date provided\n");
234 }
235
236 if (ast_str_to_ulong(expiration, (unsigned long *)&expires.tv_sec)) {
237 SCOPE_EXIT_RTN_VALUE(1, "Couldn't convert expiration string '%s' to ulong",
238 expiration);
239 }
240 ast_trace(2, "Expiration comparison: exp: %" PRIu64 " curr: %" PRIu64 " Diff: %" PRIu64 ".\n",
241 expires.tv_sec, current_time.tv_sec, expires.tv_sec - current_time.tv_sec);
242
243 res = (ast_tvcmp(current_time, expires) == -1 ? 0 : 1);
244 SCOPE_EXIT_RTN_VALUE(res , "entry was %sexpired\n", res ? "" : "not ");
245}
ast_str_to_ulong
int ast_str_to_ulong(const char *str, unsigned long *res)
Convert the given string to an unsigned long.
Definition conversions.c:80
ast_tvcmp
int ast_tvcmp(struct timeval _a, struct timeval _b)
Compress two struct timeval instances returning -1, 0, 1 if the first arg is smaller,...
Definition time.h:137

References ast_str_to_ulong(), ast_strlen_zero(), ast_trace, ast_tvcmp(), ast_tvnow(), SCOPE_ENTER, and SCOPE_EXIT_RTN_VALUE.

Referenced by retrieve_cert_from_cache().

◆ retrieve_cert_from_cache()

static enum ast_stir_shaken_vs_response_code retrieve_cert_from_cache ( struct ast_stir_shaken_vs_ctx ctx)
static

Definition at line 491 of file verification.c.

492{
493 int rc = 0;
494 enum ast_stir_shaken_vs_response_code vs_rc;
495
496 SCOPE_ENTER(2, "%s: Attempting to retrieve cert '%s' from cache\n",
497 ctx->tag, ctx->public_url);
498
499 if (!ast_db_exists(ctx->hash_family, "path")) {
500 cleanup_cert_from_astdb_and_fs(ctx);
501 SCOPE_EXIT_RTN_VALUE(AST_STIR_SHAKEN_VS_CERT_CACHE_MISS,
502 "%s: No cert found in astdb for '%s'\n",
503 ctx->tag, ctx->public_url);
504 }
505
506 rc = ast_db_get(ctx->hash_family, "expiration", ctx->expiration, sizeof(ctx->expiration));
507 if (rc) {
508 cleanup_cert_from_astdb_and_fs(ctx);
509 SCOPE_EXIT_RTN_VALUE(AST_STIR_SHAKEN_VS_CERT_CACHE_MISS,
510 "%s: No cert found in astdb for '%s'\n",
511 ctx->tag, ctx->public_url);
512 }
513
514 if (!ast_file_is_readable(ctx->filename)) {
515 cleanup_cert_from_astdb_and_fs(ctx);
516 SCOPE_EXIT_RTN_VALUE(AST_STIR_SHAKEN_VS_CERT_CACHE_MISS,
517 "%s: Cert file '%s' was not found or was not readable for '%s'\n",
518 ctx->tag, ctx->filename, ctx->public_url);
519 }
520
521 if (is_cert_cache_entry_expired(ctx->expiration)) {
522 cleanup_cert_from_astdb_and_fs(ctx);
523 SCOPE_EXIT_RTN_VALUE(AST_STIR_SHAKEN_VS_CERT_CACHE_EXPIRED,
524 "%s: Cert file '%s' cache entry was expired for '%s'\n",
525 ctx->tag, ctx->filename, ctx->public_url);
526 }
527
528 ctx->xcert = crypto_load_cert_chain_from_file(ctx->filename, &ctx->cert_chain);
529 if (!ctx->xcert) {
530 cleanup_cert_from_astdb_and_fs(ctx);
531 SCOPE_EXIT_RTN_VALUE(AST_STIR_SHAKEN_VS_CERT_CONTENTS_INVALID,
532 "%s: Cert file '%s' was not parseable as an X509 certificate for '%s'\n",
533 ctx->tag, ctx->filename, ctx->public_url);
534 }
535
536 vs_rc = check_cert(ctx);
537 if (vs_rc != AST_STIR_SHAKEN_VS_SUCCESS) {
538 X509_free(ctx->xcert);
539 ctx->xcert = NULL;
540 SCOPE_EXIT_RTN_VALUE(vs_rc, "%s: Cert '%s' failed validity checks\n",
541 ctx->tag, ctx->public_url);
542 }
543
544 SCOPE_EXIT_RTN_VALUE(AST_STIR_SHAKEN_VS_SUCCESS,
545 "%s: Cert '%s' successfully retrieved from cache\n",
546 ctx->tag, ctx->public_url);
547}
ast_db_get
int ast_db_get(const char *family, const char *key, char *value, int valuelen)
Get key value specified by family/key.
Definition db.c:421
crypto_load_cert_chain_from_file
X509 * crypto_load_cert_chain_from_file(const char *filename, STACK_OF(X509) **cert_chain)
Load an X509 Cert and any chained certs from a file.
Definition crypto_utils.c:203
AST_STIR_SHAKEN_VS_CERT_CACHE_MISS
@ AST_STIR_SHAKEN_VS_CERT_CACHE_MISS
Definition res_stir_shaken.h:34
AST_STIR_SHAKEN_VS_CERT_CACHE_EXPIRED
@ AST_STIR_SHAKEN_VS_CERT_CACHE_EXPIRED
Definition res_stir_shaken.h:36
ast_file_is_readable
int ast_file_is_readable(const char *filename)
Test that a file exists and is readable by the effective user.
Definition utils.c:3143
is_cert_cache_entry_expired
static int is_cert_cache_entry_expired(char *expiration)
Definition verification.c:225
check_cert
static enum ast_stir_shaken_vs_response_code check_cert(struct ast_stir_shaken_vs_ctx *ctx)
Definition verification.c:326
cleanup_cert_from_astdb_and_fs
static void cleanup_cert_from_astdb_and_fs(struct ast_stir_shaken_vs_ctx *ctx)
Definition verification.c:97

References ast_db_exists(), ast_db_get(), ast_file_is_readable(), AST_STIR_SHAKEN_VS_CERT_CACHE_EXPIRED, AST_STIR_SHAKEN_VS_CERT_CACHE_MISS, AST_STIR_SHAKEN_VS_CERT_CONTENTS_INVALID, AST_STIR_SHAKEN_VS_SUCCESS, check_cert(), cleanup_cert_from_astdb_and_fs(), crypto_load_cert_chain_from_file(), ast_stir_shaken_vs_ctx::expiration, ast_stir_shaken_vs_ctx::filename, ast_stir_shaken_vs_ctx::hash_family, is_cert_cache_entry_expired(), NULL, ast_stir_shaken_vs_ctx::public_url, SCOPE_ENTER, SCOPE_EXIT_RTN_VALUE, ast_stir_shaken_vs_ctx::tag, and ast_stir_shaken_vs_ctx::xcert.

Referenced by retrieve_verification_cert().

◆ retrieve_cert_from_url()

static enum ast_stir_shaken_vs_response_code retrieve_cert_from_url ( struct ast_stir_shaken_vs_ctx ctx)
static

Definition at line 378 of file verification.c.

380{
381 FILE *cert_file;
382 long http_code;
383 int rc = 0;
384 enum ast_stir_shaken_vs_response_code vs_rc;
385 RAII_VAR(struct curl_header_data *, header_data,
386 ast_calloc(1, sizeof(*header_data)), curl_header_data_free);
387 RAII_VAR(struct curl_write_data *, write_data,
388 ast_calloc(1, sizeof(*write_data)), curl_write_data_free);
389 RAII_VAR(struct curl_open_socket_data *, open_socket_data,
390 ast_calloc(1, sizeof(*open_socket_data)), curl_open_socket_data_free);
391
392 const char *cache_control;
393 const char *expires;
394 SCOPE_ENTER(2, "%s: Attempting to retrieve '%s' from net\n",
395 ctx->tag, ctx->public_url);
396
397 if (!header_data || !write_data || !open_socket_data) {
398 SCOPE_EXIT_LOG_RTN_VALUE(AST_STIR_SHAKEN_VS_INTERNAL_ERROR,
399 LOG_ERROR, "%s: Unable to allocate memory for curl '%s' transaction\n",
400 ctx->tag, ctx->public_url);
401 }
402
403 header_data->debug_info = ast_strdup(ctx->public_url);
404 write_data->debug_info = ast_strdup(ctx->public_url);
405 write_data->max_download_bytes = 8192;
406 write_data->stream_buffer = NULL;
407 open_socket_data->debug_info = ast_strdup(ctx->public_url);
408 open_socket_data->acl = ctx->eprofile->vcfg_common.acl;
409
410 if (!header_data->debug_info || !write_data->debug_info ||
411 !open_socket_data->debug_info) {
412 SCOPE_EXIT_LOG_RTN_VALUE(AST_STIR_SHAKEN_VS_INTERNAL_ERROR,
413 LOG_ERROR, "%s: Unable to allocate memory for curl '%s' transaction\n",
414 ctx->tag, ctx->public_url);
415 }
416
417 http_code = curler(ctx->public_url,
418 ctx->eprofile->vcfg_common.curl_timeout,
419 write_data, header_data, open_socket_data);
420
421 if (http_code / 100 != 2) {
422 SCOPE_EXIT_LOG_RTN_VALUE(AST_STIR_SHAKEN_VS_CERT_RETRIEVAL_FAILURE,
423 LOG_ERROR, "%s: Failed to retrieve cert %s: code %ld\n",
424 ctx->tag, ctx->public_url, http_code);
425 }
426
427 if (!ast_begins_with(write_data->stream_buffer, BEGIN_CERTIFICATE_STR)) {
428 SCOPE_EXIT_LOG_RTN_VALUE(AST_STIR_SHAKEN_VS_CERT_CONTENTS_INVALID,
429 LOG_ERROR, "%s: Cert '%s' contains invalid data\n",
430 ctx->tag, ctx->public_url);
431 }
432
433 ctx->xcert = crypto_load_cert_chain_from_memory(write_data->stream_buffer,
434 write_data->stream_bytes_downloaded, &ctx->cert_chain);
435 if (!ctx->xcert) {
436 SCOPE_EXIT_LOG_RTN_VALUE(AST_STIR_SHAKEN_VS_CERT_CONTENTS_INVALID,
437 LOG_ERROR, "%s: Cert '%s' was not parseable as an X509 certificate\n",
438 ctx->tag, ctx->public_url);
439 }
440
441 vs_rc = check_cert(ctx);
442 if (vs_rc != AST_STIR_SHAKEN_VS_SUCCESS) {
443 X509_free(ctx->xcert);
444 ctx->xcert = NULL;
445 SCOPE_EXIT_RTN_VALUE(vs_rc, "%s: Cert '%s' failed validity checks\n",
446 ctx->tag, ctx->public_url);
447 }
448
449 cert_file = fopen(ctx->filename, "w");
450 if (!cert_file) {
451 X509_free(ctx->xcert);
452 ctx->xcert = NULL;
453 SCOPE_EXIT_LOG_RTN_VALUE(AST_STIR_SHAKEN_VS_INTERNAL_ERROR,
454 LOG_ERROR, "%s: Failed to write cert %s: file '%s' %s (%d)\n",
455 ctx->tag, ctx->public_url, ctx->filename, strerror(errno), errno);
456 }
457
458 rc = fputs(write_data->stream_buffer, cert_file);
459 fclose(cert_file);
460 if (rc == EOF) {
461 X509_free(ctx->xcert);
462 ctx->xcert = NULL;
463 SCOPE_EXIT_LOG_RTN_VALUE(AST_STIR_SHAKEN_VS_INTERNAL_ERROR,
464 LOG_ERROR, "%s: Failed to write cert %s: file '%s' %s (%d)\n",
465 ctx->tag, ctx->public_url, ctx->filename, strerror(errno), errno);
466 }
467
468 ast_trace(2, "%s: Cert '%s' written to file '%s'\n",
469 ctx->tag, ctx->public_url, ctx->filename);
470
471 ast_trace(2, "%s: Adding cert '%s' to astdb",
472 ctx->tag, ctx->public_url);
473 cache_control = ast_variable_find_in_list(header_data->headers, "cache-control");
474 expires = ast_variable_find_in_list(header_data->headers, "expires");
475
476 rc = add_cert_key_to_astdb(ctx, cache_control, expires);
477 if (rc) {
478 X509_free(ctx->xcert);
479 ctx->xcert = NULL;
480 SCOPE_EXIT_LOG_RTN_VALUE(AST_STIR_SHAKEN_VS_INTERNAL_ERROR,
481 LOG_ERROR, "%s: Unable to add cert '%s' to ASTDB\n",
482 ctx->tag, ctx->public_url);
483 }
484
485 SCOPE_EXIT_RTN_VALUE(AST_STIR_SHAKEN_VS_SUCCESS,
486 "%s: Cert '%s' successfully retrieved from internet and cached\n",
487 ctx->tag, ctx->public_url);
488}
ast_strdup
#define ast_strdup(str)
A wrapper for strdup()
Definition astmm.h:241
ast_calloc
#define ast_calloc(num, len)
A wrapper for calloc()
Definition astmm.h:202
crypto_load_cert_chain_from_memory
X509 * crypto_load_cert_chain_from_memory(const char *buffer, size_t size, STACK_OF(X509) **cert_chain)
Load an X509 Cert and any chained certs from a NULL terminated buffer.
Definition crypto_utils.c:266
curl_write_data_free
void curl_write_data_free(void *obj)
Definition curl_utils.c:134
curl_header_data_free
void curl_header_data_free(void *obj)
Definition curl_utils.c:26
curl_open_socket_data_free
void curl_open_socket_data_free(void *obj)
Definition curl_utils.c:193
curler
long curler(const char *url, int request_timeout, struct curl_write_data *write_data, struct curl_header_data *header_data, struct curl_open_socket_data *open_socket_data)
Perform a curl request.
Definition curl_utils.c:232
ast_variable_find_in_list
const char * ast_variable_find_in_list(const struct ast_variable *list, const char *variable)
Gets the value of a variable from a variable list by name.
Definition main/config.c:1014
errno
int errno
AST_STIR_SHAKEN_VS_CERT_RETRIEVAL_FAILURE
@ AST_STIR_SHAKEN_VS_CERT_RETRIEVAL_FAILURE
Definition res_stir_shaken.h:37
ast_begins_with
static int force_inline attribute_pure ast_begins_with(const char *str, const char *prefix)
Checks whether a string begins with another.
Definition strings.h:97
curl_header_data
Context structure passed to ast_curl_header_default_cb.
Definition curl_utils.h:163
curl_open_socket_data
Context structure passed to ast_curl_open_socket_default_cb.
Definition curl_utils.h:341
curl_write_data
Context structure passed to ast_curl_write_default_cb.
Definition curl_utils.h:245
header_data
Data structure used for ast_sip_push_task_wait_serializer
Definition res_pjsip_header_funcs.c:336
verification_cfg_common::curl_timeout
unsigned int curl_timeout
Definition common_config.h:357
verification_cfg_common::acl
struct ast_acl_list * acl
Definition common_config.h:371
add_cert_key_to_astdb
static int add_cert_key_to_astdb(struct ast_stir_shaken_vs_ctx *cert, const char *cache_control_hdr, const char *expires_hdr)
Definition verification.c:201
BEGIN_CERTIFICATE_STR
#define BEGIN_CERTIFICATE_STR
Definition verification.c:51

References verification_cfg_common::acl, add_cert_key_to_astdb(), ast_begins_with(), ast_calloc, AST_STIR_SHAKEN_VS_CERT_CONTENTS_INVALID, AST_STIR_SHAKEN_VS_CERT_RETRIEVAL_FAILURE, AST_STIR_SHAKEN_VS_INTERNAL_ERROR, AST_STIR_SHAKEN_VS_SUCCESS, ast_strdup, ast_trace, ast_variable_find_in_list(), BEGIN_CERTIFICATE_STR, check_cert(), crypto_load_cert_chain_from_memory(), curl_header_data_free(), curl_open_socket_data_free(), verification_cfg_common::curl_timeout, curl_write_data_free(), curler(), ast_stir_shaken_vs_ctx::eprofile, errno, ast_stir_shaken_vs_ctx::filename, LOG_ERROR, NULL, ast_stir_shaken_vs_ctx::public_url, RAII_VAR, SCOPE_ENTER, SCOPE_EXIT_LOG_RTN_VALUE, SCOPE_EXIT_RTN_VALUE, ast_stir_shaken_vs_ctx::tag, profile_cfg::vcfg_common, and ast_stir_shaken_vs_ctx::xcert.

Referenced by retrieve_verification_cert().

◆ retrieve_verification_cert()

static enum ast_stir_shaken_vs_response_code retrieve_verification_cert ( struct ast_stir_shaken_vs_ctx ctx)
static

Definition at line 577 of file verification.c.

578{
579 enum ast_stir_shaken_vs_response_code rc = AST_STIR_SHAKEN_VS_SUCCESS;
580 SCOPE_ENTER(3, "%s: Retrieving cert '%s'\n", ctx->tag, ctx->public_url);
581
582 ast_trace(1, "%s: Checking cache for cert '%s'\n", ctx->tag, ctx->public_url);
583 rc = retrieve_cert_from_cache(ctx);
584 if (rc == AST_STIR_SHAKEN_VS_SUCCESS) {
585 SCOPE_EXIT_RTN_VALUE(rc, "%s: Using cert '%s' from cache\n",
586 ctx->tag, ctx->public_url);;
587 }
588
589 ast_trace(1, "%s: No valid cert for '%s' available in cache\n",
590 ctx->tag, ctx->public_url);
591 ast_trace(1, "%s: Retrieving cert directly from url '%s'\n",
592 ctx->tag, ctx->public_url);
593
594 rc = retrieve_cert_from_url(ctx);
595 if (rc == AST_STIR_SHAKEN_VS_SUCCESS) {
596 SCOPE_EXIT_RTN_VALUE(rc, "%s: Using cert '%s' from internet\n",
597 ctx->tag, ctx->public_url);
598 }
599
600 SCOPE_EXIT_LOG_RTN_VALUE(rc, LOG_ERROR,
601 "%s: Unable to retrieve cert '%s' from cache or internet\n",
602 ctx->tag, ctx->public_url);
603}
retrieve_cert_from_url
static enum ast_stir_shaken_vs_response_code retrieve_cert_from_url(struct ast_stir_shaken_vs_ctx *ctx)
Definition verification.c:378
retrieve_cert_from_cache
static enum ast_stir_shaken_vs_response_code retrieve_cert_from_cache(struct ast_stir_shaken_vs_ctx *ctx)
Definition verification.c:491

References AST_STIR_SHAKEN_VS_SUCCESS, ast_trace, LOG_ERROR, ast_stir_shaken_vs_ctx::public_url, retrieve_cert_from_cache(), retrieve_cert_from_url(), SCOPE_ENTER, SCOPE_EXIT_LOG_RTN_VALUE, SCOPE_EXIT_RTN_VALUE, and ast_stir_shaken_vs_ctx::tag.

Referenced by ast_stir_shaken_vs_verify().

◆ vs_load()

int vs_load ( void  )

Load the stir/shaken verification service.

Return values
0on success
-1on error

Definition at line 1122 of file verification.c.

1123{
1124 int rc = 0;
1125
1126 if (vs_config_load()) {
1127 return AST_MODULE_LOAD_DECLINE;
1128 }
1129
1130 rc = regcomp(&url_match_regex, FULL_URL_REGEX, REG_EXTENDED);
1131 if (rc) {
1132 char regex_error[512];
1133 regerror(rc, &url_match_regex, regex_error, sizeof(regex_error));
1134 ast_log(LOG_ERROR, "Verification service URL regex failed to compile: %s\n", regex_error);
1135 vs_unload();
1136 return AST_MODULE_LOAD_DECLINE;
1137 }
1138 if (url_match_regex.re_nsub != FULL_URL_REGEX_GROUPS) {
1139 ast_log(LOG_ERROR, "The verification service URL regex was updated without updating FULL_URL_REGEX_GROUPS\n");
1140 vs_unload();
1141 return AST_MODULE_LOAD_DECLINE;
1142 }
1143
1144 return AST_MODULE_LOAD_SUCCESS;
1145}
ast_log
#define ast_log
Definition astobj2.c:42
vs_config_load
int vs_config_load(void)
Definition verification_config.c:446
AST_MODULE_LOAD_SUCCESS
@ AST_MODULE_LOAD_SUCCESS
Definition module.h:70
AST_MODULE_LOAD_DECLINE
@ AST_MODULE_LOAD_DECLINE
Module has failed to load, may be in an inconsistent state.
Definition module.h:78
FULL_URL_REGEX
#define FULL_URL_REGEX
Definition verification.c:784
vs_unload
int vs_unload()
Unload the stir/shaken verification service.
Definition verification.c:1112

References ast_log, AST_MODULE_LOAD_DECLINE, AST_MODULE_LOAD_SUCCESS, FULL_URL_REGEX, FULL_URL_REGEX_GROUPS, LOG_ERROR, url_match_regex, vs_config_load(), and vs_unload().

Referenced by common_config_load().

◆ vs_reload()

int vs_reload ( void  )

Reload the stir/shaken verification service.

Return values
0on success
-1on error

Definition at line 1105 of file verification.c.

1106{
1107 vs_config_reload();
1108
1109 return 0;
1110}
vs_config_reload
int vs_config_reload(void)
Definition verification_config.c:418

References vs_config_reload().

Referenced by common_config_reload().

◆ vs_response_code_to_str()

const char * vs_response_code_to_str ( enum ast_stir_shaken_vs_response_code  vs_rc)

Return string version of VS response code.

Parameters
vs_rc
Returns
Response string

Definition at line 90 of file verification.c.

92{
93 return ARRAY_IN_BOUNDS(vs_rc, vs_rc_map) ?
94 vs_rc_map[vs_rc] : NULL;
95}
ARRAY_IN_BOUNDS
#define ARRAY_IN_BOUNDS(v, a)
Checks to see if value is within the bounds of the given array.
Definition utils.h:727
vs_rc_map
static const char * vs_rc_map[]
Definition verification.c:53

References ARRAY_IN_BOUNDS, NULL, and vs_rc_map.

Referenced by ast_stir_shaken_vs_verify(), and func_read_verification().

◆ vs_unload()

int vs_unload ( void  )

Unload the stir/shaken verification service.

Return values
0on success
-1on error

Definition at line 1112 of file verification.c.

1113{
1114 vs_config_unload();
1115 if (url_match_regex.re_nsub > 0) {
1116 regfree(&url_match_regex);
1117 }
1118
1119 return 0;
1120}
vs_config_unload
int vs_config_unload(void)
Definition verification_config.c:437

References url_match_regex, and vs_config_unload().

Referenced by common_config_unload(), and vs_load().

Variable Documentation

◆ url_match_regex

regex_t url_match_regex
static

Definition at line 48 of file verification.c.

Referenced by check_x5u_url(), vs_load(), and vs_unload().

◆ vs_rc_map

const char* vs_rc_map[]
static

Definition at line 53 of file verification.c.

53 {
54 [AST_STIR_SHAKEN_VS_SUCCESS] = "success",
55 [AST_STIR_SHAKEN_VS_DISABLED] = "disabled",
56 [AST_STIR_SHAKEN_VS_INVALID_ARGUMENTS] = "invalid_arguments",
57 [AST_STIR_SHAKEN_VS_INTERNAL_ERROR] = "internal_error",
58 [AST_STIR_SHAKEN_VS_NO_IDENTITY_HDR] = "missing_identity_hdr",
59 [AST_STIR_SHAKEN_VS_NO_DATE_HDR] = "missing_date_hdr",
60 [AST_STIR_SHAKEN_VS_DATE_HDR_PARSE_FAILURE] = "date_hdr_parse_failure",
61 [AST_STIR_SHAKEN_VS_DATE_HDR_EXPIRED] = "date_hdr_range_error",
62 [AST_STIR_SHAKEN_VS_NO_JWT_HDR] = "missing_jwt_hdr",
63 [AST_STIR_SHAKEN_VS_CERT_CACHE_MISS] = "cert_cache_miss",
64 [AST_STIR_SHAKEN_VS_CERT_CACHE_INVALID] = "cert_cache_invalid",
65 [AST_STIR_SHAKEN_VS_CERT_CACHE_EXPIRED] = "cert_cache_expired",
66 [AST_STIR_SHAKEN_VS_CERT_RETRIEVAL_FAILURE] = "cert_retrieval_failure",
67 [AST_STIR_SHAKEN_VS_CERT_CONTENTS_INVALID] = "cert_contents_invalid",
68 [AST_STIR_SHAKEN_VS_CERT_NOT_TRUSTED] = "cert_not_trusted",
69 [AST_STIR_SHAKEN_VS_CERT_DATE_INVALID] = "cert_date_failure",
70 [AST_STIR_SHAKEN_VS_CERT_NO_TN_AUTH_EXT] = "cert_no_tn_auth_ext",
71 [AST_STIR_SHAKEN_VS_CERT_NO_SPC_IN_TN_AUTH_EXT] = "cert_no_spc_in_auth_ext",
72 [AST_STIR_SHAKEN_VS_NO_RAW_KEY] = "no_raw_key",
73 [AST_STIR_SHAKEN_VS_SIGNATURE_VALIDATION] = "signature_validation",
74 [AST_STIR_SHAKEN_VS_NO_IAT] = "missing_iat",
75 [AST_STIR_SHAKEN_VS_IAT_EXPIRED] = "iat_range_error",
76 [AST_STIR_SHAKEN_VS_INVALID_OR_NO_PPT] = "invalid_or_no_ppt",
77 [AST_STIR_SHAKEN_VS_INVALID_OR_NO_ALG] = "invalid_or_no_alg",
78 [AST_STIR_SHAKEN_VS_INVALID_OR_NO_TYP] = "invalid_or_no_typ",
79 [AST_STIR_SHAKEN_VS_INVALID_OR_NO_GRANTS] = "invalid_or_no_grants",
80 [AST_STIR_SHAKEN_VS_INVALID_OR_NO_ATTEST] = "invalid_or_no_attest",
81 [AST_STIR_SHAKEN_VS_NO_ORIGID] = "missing_origid",
82 [AST_STIR_SHAKEN_VS_NO_ORIG_TN] = "missing_orig_tn",
83 [AST_STIR_SHAKEN_VS_CID_ORIG_TN_MISMATCH] = "cid_orig_tn_mismatch",
84 [AST_STIR_SHAKEN_VS_NO_DEST_TN] = "missing_dest_tn",
85 [AST_STIR_SHAKEN_VS_INVALID_HEADER] = "invalid_header",
86 [AST_STIR_SHAKEN_VS_INVALID_GRANT] = "invalid_grant",
87 [AST_STIR_SHAKEN_VS_INVALID_OR_NO_CID] = "invalid_or_no_callerid",
88};
AST_STIR_SHAKEN_VS_NO_JWT_HDR
@ AST_STIR_SHAKEN_VS_NO_JWT_HDR
Definition res_stir_shaken.h:32
AST_STIR_SHAKEN_VS_NO_IDENTITY_HDR
@ AST_STIR_SHAKEN_VS_NO_IDENTITY_HDR
Definition res_stir_shaken.h:28
AST_STIR_SHAKEN_VS_CERT_CACHE_INVALID
@ AST_STIR_SHAKEN_VS_CERT_CACHE_INVALID
Definition res_stir_shaken.h:35
AST_STIR_SHAKEN_VS_INVALID_GRANT
@ AST_STIR_SHAKEN_VS_INVALID_GRANT
Definition res_stir_shaken.h:57
AST_STIR_SHAKEN_VS_INVALID_OR_NO_CID
@ AST_STIR_SHAKEN_VS_INVALID_OR_NO_CID
Definition res_stir_shaken.h:58

Referenced by vs_response_code_to_str().

Generated on Wed Oct 29 2025 20:04:41 for Asterisk - The Open Source Telephony Project by doxygen 1.9.8