[asterisk-bugs] [JIRA] (ASTERISK-27284) Status of RFC 3323 and PJSIP
Richard Mudgett (JIRA)
noreply at issues.asterisk.org
Thu Sep 21 10:00:07 CDT 2017
[ https://issues.asterisk.org/jira/browse/ASTERISK-27284?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=238807#comment-238807 ]
Richard Mudgett edited comment on ASTERISK-27284 at 9/21/17 9:59 AM:
---------------------------------------------------------------------
The cause of the problem is in res/res_pjsip_caller_id.c:152
{code}
if (privacy && !pj_stricmp2(&privacy->hvalue, "id")) {
id->number.presentation = AST_PRES_PROHIB_USER_NUMBER_NOT_SCREENED;
id->name.presentation = AST_PRES_PROHIB_USER_NUMBER_NOT_SCREENED;
} else {
id->number.presentation = AST_PRES_ALLOWED_USER_NUMBER_NOT_SCREENED;
id->name.presentation = AST_PRES_ALLOWED_USER_NUMBER_NOT_SCREENED;
}
{code}
If the Privacy header isn't exactly "id", any call will be de-anonymized. Might this have to be changed to a pj_stristr construction? Or splitting the value of Privacy on ; and check the parts of it?
was (Author: dtryba):
The cause of the problem is in res/res_pjsip_caller_id.c:152
{quote}
if (privacy && !pj_stricmp2(&privacy->hvalue, "id")) {
id->number.presentation = AST_PRES_PROHIB_USER_NUMBER_NOT_SCREENED;
id->name.presentation = AST_PRES_PROHIB_USER_NUMBER_NOT_SCREENED;
} else {
id->number.presentation = AST_PRES_ALLOWED_USER_NUMBER_NOT_SCREENED;
id->name.presentation = AST_PRES_ALLOWED_USER_NUMBER_NOT_SCREENED;
}
{quote}
If the Privacy header isn't exactly "id", any call will be de-anonymized. Might this have to be changed to a pj_stristr construction? Or splitting the value of Privacy on ; and check the parts of it?
> Status of RFC 3323 and PJSIP
> ----------------------------
>
> Key: ASTERISK-27284
> URL: https://issues.asterisk.org/jira/browse/ASTERISK-27284
> Project: Asterisk
> Issue Type: Bug
> Security Level: None
> Components: Resources/res_pjsip_caller_id
> Affects Versions: 13.14.1
> Reporter: dtryba
> Assignee: Unassigned
> Severity: Trivial
>
> My upstream provider complained that Anonymous calls to our endusers got de-anonymized during transit in our platform. These incoming calls have the headers:
> {quote}
> From: "Anonymous" <sip:anonymous at anonymous.invalid>
> {quote}
> and
> {quote}
> Privacy: id;user;critical
> P-Asserted-Identity: "Example" <sip:0123456789 at example.org;user=phone>
> {quote}
> After passing through Asterisk 13.14.x, the Privacy header is removed, PAI is unaffected and From is changed to:
> {quote}
> From: "Example" <sip:0123456789 at example.org;user=phone>
> {quote}
> All involved pjsip endpoints have send_pai, trust_id_inbound and trust_id_outbound set to yes.
> This violates RFC 3233:
> {quote}
> Privacy-hdr = "Privacy" HCOLON priv-value *(";" priv-value)
> priv-value = "header" / "session" / "user" / "none" / "critical" / token
> {quote}
> Where:
> {quote}
> critical: The user asserts that the privacy services requested for
> this message are critical, and that therefore, if these privacy
> services cannot be provided by the network, this request should be
> rejected. Criticality cannot be managed appropriately for
> responses.
> {quote}
> But is RFC still applicable to SIP?
--
This message was sent by Atlassian JIRA
(v6.2#6252)
More information about the asterisk-bugs
mailing list