[Asterisk-code-review] Add mediasec capabilities (asterisk[16])
Maximilian Fridrich
asteriskteam at digium.com
Tue Jul 26 07:03:25 CDT 2022
Maximilian Fridrich has uploaded this change for review. ( https://gerrit.asterisk.org/c/asterisk/+/18837 )
Change subject: Add mediasec capabilities
......................................................................
Add mediasec capabilities
This patch adds support for mediasec SIP headers and SDP attributes.
These are defined in RFC 3329, 3GPP TS 24.229 and
draft-dawes-sipcore-mediasec-parameter. The new features are
implemented so that a backbone for RFC 3329 is present to streamline
future work on RFC 3329.
With this patch, Asterisk can communicate with Deutsche Telekom trunks
which require these fields.
ASTERISK-30032
Change-Id: Ia7f5b5ba42db18074fdd5428c4e1838728586be2
---
M include/asterisk/res_pjsip.h
M include/asterisk/res_pjsip_session.h
M res/res_pjsip/pjsip_config.xml
M res/res_pjsip/pjsip_configuration.c
A res/res_pjsip/security_agreements.c
M res/res_pjsip_outbound_registration.c
A res/res_pjsip_rfc3329.c
M res/res_pjsip_sdp_rtp.c
M res/res_pjsip_session.c
9 files changed, 713 insertions(+), 3 deletions(-)
git pull ssh://gerrit.asterisk.org:29418/asterisk refs/changes/37/18837/1
diff --git a/include/asterisk/res_pjsip.h b/include/asterisk/res_pjsip.h
index 1714cff..c458fe2 100644
--- a/include/asterisk/res_pjsip.h
+++ b/include/asterisk/res_pjsip.h
@@ -283,6 +283,47 @@
};
/*!
+ * \brief The kind of security negotiation
+ */
+enum ast_sip_security_negotiation {
+ /*! No security mechanism negotiation */
+ AST_SIP_SECURITY_NEG_NONE = 0,
+ /*! Use mediasec security mechanism negotiation */
+ AST_SIP_SECURITY_NEG_MEDIASEC,
+ /* Add RFC 3329 (sec-agree) mechanism negotiation in the future */
+};
+
+/*!
+ * \brief The security mechanism type
+ */
+enum ast_sip_security_mechanism_type {
+ AST_SIP_SECURITY_MECH_NONE,
+ /* Use msrp-tls as security mechanism */
+ AST_SIP_SECURITY_MECH_MSRP_TLS,
+ /* Use sdes-srtp as security mechanism */
+ AST_SIP_SECURITY_MECH_SDES_SRTP,
+ /* Use dtls-srtp as security mechanism */
+ AST_SIP_SECURITY_MECH_DTLS_SRTP,
+ /* Add RFC 3329 (sec-agree) mechanisms like tle, digest, ipsec-ike in the future */
+};
+
+/*!
+ * \brief Structure representing a security mechanism as defined in RFC 3329
+ */
+struct ast_sip_security_mechanism {
+ /*! Sorcery object */
+ SORCERY_OBJECT(details);
+ /* Used to determine which security mechanism to use. */
+ enum ast_sip_security_mechanism_type type;
+ /* The preference of this security mechanism. The higher the value, the more preferred. */
+ float qvalue;
+ /* Optional mechanism parameters. May be NULL. */
+ struct ast_vector_string *mechanism_parameters;
+};
+
+AST_VECTOR(ast_sip_security_mechanism_vector, struct ast_sip_security_mechanism *);
+
+/*!
* \brief Contact associated with an address of record
*/
struct ast_sip_contact {
@@ -353,6 +394,8 @@
);
/*! The round trip time in microseconds */
int64_t rtt;
+ /*! The security mechanism list of the contact (RFC 3329). */
+ struct ast_sip_security_mechanism_vector security_mechanisms;
/*! Current status for a contact (default - unavailable) */
enum ast_sip_contact_status_type status;
/*! Last status for a contact (default - unavailable) */
@@ -880,6 +923,10 @@
unsigned int send_connected_line;
/*! Ignore 183 if no SDP is present */
unsigned int ignore_183_without_sdp;
+ /*! Type of security negotiation to use (RFC 3329). */
+ enum ast_sip_security_negotiation security_negotiation;
+ /*! Client security mechanisms (RFC 3329). */
+ struct ast_sip_security_mechanism_vector security_mechanisms;
/*! Set which STIR/SHAKEN behaviors we want on this endpoint */
unsigned int stir_shaken;
/*! Should we authenticate OPTIONS requests per RFC 3261? */
@@ -929,6 +976,87 @@
int ast_sip_is_media_type_in(pjsip_media_type *a, ...) attribute_sentinel;
/*!
+ * \brief Add security headers to transmission data
+ *
+ * \param security_mechanisms Vector of security mechanisms.
+ * \param header_name The header name under which to add the security mechanisms.
+ * \param ... One of Security-Client, Security-Server, Security-Verify.
+ * \param add_qval If zero, don't add the q-value to the header.
+ * \param tdata The transmission data.
+ * \retval 0 Success
+ * \retval non-zero Failure
+ */
+int ast_sip_add_security_headers(struct ast_sip_security_mechanism_vector *security_mechanisms,
+ const char *header_name, int add_qval, pjsip_tx_data *tdata);
+
+/*!
+ * \brief Append to security mechanism vector from SIP header
+ *
+ * \param security_mechanisms Vector of security mechanisms to append to.
+ * \param hdr The header of the security mechanisms.
+ * \param ... Header name must be one of Security-Client, Security-Server, Security-Verify.
+ */
+void ast_sip_header_to_security_mechanism(struct ast_sip_security_mechanism_vector *security_mechanisms,
+ const pjsip_generic_string_hdr *hdr);
+
+/*!
+ * \brief Initialize security mechanism vector from string of security mechanisms.
+ *
+ * \param security_mechanisms Pointer to vector of security mechanisms to initialize.
+ * \param value String of security mechanisms as defined in RFC 3329.
+ * \retval 0 Success
+ * \retval non-zero Failure
+ */
+int ast_sip_security_mechanism_vector_init(struct ast_sip_security_mechanism_vector *security_mechanism, const char *value);
+
+/*!
+ * \brief Removes all headers of a specific name and value from a pjsip_msg.
+ *
+ * \param msg PJSIP message from which to remove headers.
+ * \param hdr_name Name of the header to remove.
+ * \param value Optional string value of the header to remove.
+ * \param ... If NULL, remove all headers of given hdr_name.
+ */
+void ast_sip_remove_headers_by_name_and_value(pjsip_msg *msg, const pj_str_t *hdr_name, const char* value);
+
+/*!
+ * \brief Free contents of a security mechanism vector.
+ *
+ * \param security_mechanisms Vector whose contents are to be freed
+ */
+void ast_sip_security_mechanisms_vector_destroy(struct ast_sip_security_mechanism_vector *security_mechanisms);
+
+/*!
+ * \brief Allocate a security mechanism from a string.
+ *
+ * \param security_mechanism Pointer-pointer to the security mechanism to allocate.
+ * \param value The security mechanism string as defined in RFC 3329 (section 2.2)
+ * \param ... in the form <mechanism_name>;q=<q_value>;<mechanism_parameters>
+ * \retval 0 Success
+ * \retval non-zero Failure
+ */
+int ast_sip_str_to_security_mechanism(struct ast_sip_security_mechanism **security_mechanism, const char *value);
+
+/*!
+ * \brief Duplicate a security mechanism.
+ *
+ * \param security_mechanisms Security mechanism to duplicate.
+ * \retval Pointer to duplicated security mechanism. May be NULL.
+ */
+struct ast_sip_security_mechanism *ast_sip_security_mechanism_dup(const struct ast_sip_security_mechanism *security_mechanism);
+
+
+/*!
+ * \brief Set the security negotiation based on a given string.
+ *
+ * \param security_negotiation Security negotiation enum to set.
+ * \param val String that represents a security_negotiation value.
+ * \retval 0 Success
+ * \retval non-zero Failure
+ */
+int ast_sip_set_security_negotiation(enum ast_sip_security_negotiation *security_negotiation, const char *val);
+
+/*!
* \brief Initialize an auth vector with the configured values.
*
* \param vector Vector to initialize
diff --git a/include/asterisk/res_pjsip_session.h b/include/asterisk/res_pjsip_session.h
index e7a9457..b530ceb 100644
--- a/include/asterisk/res_pjsip_session.h
+++ b/include/asterisk/res_pjsip_session.h
@@ -30,6 +30,8 @@
#include "asterisk/sdp_srtp.h"
/* Needed for ast_media_type */
#include "asterisk/codec.h"
+/* Needed for ast_sip_security_mechanism_vector */
+#include "asterisk/res_pjsip.h"
/* Forward declarations */
struct ast_sip_endpoint;
@@ -225,6 +227,8 @@
pjsip_uri *request_uri;
/*! Media statistics for negotiated RTP streams */
AST_VECTOR(, struct ast_rtp_instance_stats *) media_stats;
+ /*! The security mechanism list of the peer (RFC 3329). */
+ struct ast_sip_security_mechanism_vector server_security_mechanisms;
/*! Number of challenges received during outgoing requests to determine if we are in a loop */
unsigned int authentication_challenge_count:4;
/*! Originating Line Info (ANI II digits) */
diff --git a/res/res_pjsip/pjsip_config.xml b/res/res_pjsip/pjsip_config.xml
index e9abc86..2fddaa8 100644
--- a/res/res_pjsip/pjsip_config.xml
+++ b/res/res_pjsip/pjsip_config.xml
@@ -56,6 +56,22 @@
List of comma separated AoRs that the endpoint should be associated with.
</para></description>
</configOption>
+ <configOption name="security_negotiation" default="no">
+ <synopsis>The kind of security agreement negotiation to use. Currently, only mediasec is supported.</synopsis>
+ <description>
+ <enumlist>
+ <enum name="no" />
+ <enum name="mediasec" />
+ </enumlist>
+ </description>
+ </configOption>
+ <configOption name="security_mechanisms">
+ <synopsis>List of security mechanisms supported.</synopsis>
+ <description><para>
+ This is a comma-delimited list of security mechanisms to use. Each security mechanism
+ must be in the form defined by RFC 3329 section 2.2.
+ </para></description>
+ </configOption>
<configOption name="auth">
<synopsis>Authentication Object(s) associated with the endpoint</synopsis>
<description><para>
diff --git a/res/res_pjsip/pjsip_configuration.c b/res/res_pjsip/pjsip_configuration.c
index b514cea..5c213a0 100644
--- a/res/res_pjsip/pjsip_configuration.c
+++ b/res/res_pjsip/pjsip_configuration.c
@@ -247,6 +247,31 @@
return 0;
}
+static int security_mechanism_handler(const struct aco_option *opt, struct ast_variable *var, void *obj)
+{
+ struct ast_sip_endpoint *endpoint = obj;
+
+ return ast_sip_security_mechanism_vector_init(&endpoint->security_mechanisms, var->value);
+}
+
+int ast_sip_set_security_negotiation(enum ast_sip_security_negotiation *security_negotiation, const char *val) {
+ if (!strcasecmp("no", val)) {
+ *security_negotiation = AST_SIP_SECURITY_NEG_NONE;
+ } else if (!strcasecmp("mediasec", val)) {
+ *security_negotiation = AST_SIP_SECURITY_NEG_MEDIASEC;
+ } else {
+ return -1;
+ }
+ return 0;
+}
+
+static int security_negotiation_handler(const struct aco_option *opt, struct ast_variable *var, void *obj)
+{
+ struct ast_sip_endpoint *endpoint = obj;
+
+ return ast_sip_set_security_negotiation(&endpoint->security_negotiation, var->value);
+}
+
void ast_sip_auth_vector_destroy(struct ast_sip_auth_vector *auths)
{
int i;
@@ -2042,6 +2067,8 @@
ast_sorcery_object_field_register(sip_sorcery, "endpoint", "allow_unauthenticated_options", "no", OPT_BOOL_T, 1, FLDSET(struct ast_sip_endpoint, allow_unauthenticated_options));
ast_sorcery_object_field_register(sip_sorcery, "endpoint", "geoloc_incoming_call_profile", "", OPT_STRINGFIELD_T, 0, STRFLDSET(struct ast_sip_endpoint, geoloc_incoming_call_profile));
ast_sorcery_object_field_register(sip_sorcery, "endpoint", "geoloc_outgoing_call_profile", "", OPT_STRINGFIELD_T, 0, STRFLDSET(struct ast_sip_endpoint, geoloc_outgoing_call_profile));
+ ast_sorcery_object_field_register_custom(sip_sorcery, "endpoint", "security_mechanisms", "", security_mechanism_handler, NULL, NULL, 0, 0);
+ ast_sorcery_object_field_register_custom(sip_sorcery, "endpoint", "security_negotiation", "no", security_negotiation_handler, NULL, NULL, 0, 0);
if (ast_sip_initialize_sorcery_transport()) {
ast_log(LOG_ERROR, "Failed to register SIP transport support with sorcery\n");
diff --git a/res/res_pjsip/security_agreements.c b/res/res_pjsip/security_agreements.c
new file mode 100644
index 0000000..f9e10ed
--- /dev/null
+++ b/res/res_pjsip/security_agreements.c
@@ -0,0 +1,291 @@
+/*
+ * Asterisk -- An open source telephony toolkit.
+ *
+ * Copyright (C) 2022, Commend International
+ *
+ * Maximilian Fridrich <m.fridrich at commend.com>
+ *
+ * See http://www.asterisk.org for more information about
+ * the Asterisk project. Please do not directly contact
+ * any of the maintainers of this project for assistance;
+ * the project provides a web site, mailing lists and IRC
+ * channels for your use.
+ *
+ * This program is free software, distributed under the terms of
+ * the GNU General Public License Version 2. See the LICENSE file
+ * at the top of the source tree.
+ */
+
+/*!
+ * \file
+ *
+ * \brief Interact with security agreement negotiations and mechanisms
+ *
+ * \author Maximilian Fridrich <m.fridrich at commend.com>
+ */
+
+#include "asterisk.h"
+
+#include <pjsip.h>
+
+#include "asterisk/res_pjsip.h"
+
+
+static int ast_sip_str_to_security_mechanism_type(const char *security_mechanism) {
+ int result = -1;
+
+ if (!strcasecmp(security_mechanism, "msrp-tls")) {
+ result = AST_SIP_SECURITY_MECH_MSRP_TLS;
+ } else if (!strcasecmp(security_mechanism, "sdes-srtp")) {
+ result = AST_SIP_SECURITY_MECH_SDES_SRTP;
+ } else if (!strcasecmp(security_mechanism, "dtls-srtp")) {
+ result = AST_SIP_SECURITY_MECH_DTLS_SRTP;
+ }
+
+ return result;
+}
+
+static char *ast_sip_security_mechanism_type_to_str(enum ast_sip_security_mechanism_type mech_type) {
+ if (mech_type == AST_SIP_SECURITY_MECH_MSRP_TLS) {
+ return "msrp-tls";
+ } else if (mech_type == AST_SIP_SECURITY_MECH_SDES_SRTP) {
+ return "sdes-srtp";
+ } else if (mech_type == AST_SIP_SECURITY_MECH_DTLS_SRTP) {
+ return "dtls-srtp";
+ } else {
+ return NULL;
+ }
+}
+
+static int ast_sip_security_mechanism_to_str(const struct ast_sip_security_mechanism *security_mechanism, int add_qvalue, char **buf) {
+ char tmp[64];
+ size_t size;
+ size_t buf_size = 128;
+ int i;
+ char *ret = ast_calloc(buf_size, sizeof(char));
+
+ if (!ret || !security_mechanism) {
+ return EINVAL;
+ }
+
+ strncat(ret, ast_sip_security_mechanism_type_to_str(security_mechanism->type), buf_size - strlen(ret) - 1);
+ if (add_qvalue) {
+ snprintf(tmp, sizeof(tmp), ";q=%f.4", security_mechanism->qvalue);
+ strncat(ret, tmp, buf_size - strlen(ret) - 1);
+ }
+
+ size = AST_VECTOR_SIZE(security_mechanism->mechanism_parameters);
+ for (i = 0; i < size; ++i) {
+ snprintf(tmp, sizeof(tmp), ";%s", AST_VECTOR_GET(security_mechanism->mechanism_parameters, i));
+ strncat(ret, tmp, buf_size - strlen(ret) - 1);
+ }
+
+ *buf = ret;
+ return 0;
+}
+
+struct ast_sip_security_mechanism *ast_sip_security_mechanism_dup(const struct ast_sip_security_mechanism *security_mechanism) {
+ size_t i;
+ struct ast_sip_security_mechanism *ret;
+
+ if (!security_mechanism) {
+ return NULL;
+ }
+ ret = ast_calloc(1, sizeof(*ret));
+ if (!ret) {
+ return NULL;
+ }
+
+ ret->type = security_mechanism->type;
+ ret->qvalue = security_mechanism->qvalue;
+ ret->mechanism_parameters = ast_malloc(sizeof(*ret->mechanism_parameters));
+ if (!ret->mechanism_parameters) {
+ ast_free(ret);
+ return NULL;
+ }
+ AST_VECTOR_INIT(ret->mechanism_parameters, AST_VECTOR_SIZE(security_mechanism->mechanism_parameters));
+
+ for (i = 0; i < AST_VECTOR_SIZE(security_mechanism->mechanism_parameters); ++i) {
+ char *param = ast_strdup(AST_VECTOR_GET(security_mechanism->mechanism_parameters, i));
+ if (param && AST_VECTOR_APPEND(ret->mechanism_parameters, param)) {
+ ast_free(param);
+ }
+ }
+ return ret;
+}
+
+void ast_sip_remove_headers_by_name_and_value(pjsip_msg *msg, const pj_str_t *hdr_name, const char* value)
+{
+ struct pjsip_generic_string_hdr *hdr = pjsip_msg_find_hdr_by_name(msg, hdr_name, NULL);
+ for (; hdr; hdr = pjsip_msg_find_hdr_by_name(msg, hdr_name, hdr->next)) {
+ if (value == NULL || !pj_strcmp2(&hdr->hvalue, value)) {
+ pj_list_erase(hdr);
+ }
+ if (hdr->next == hdr) {
+ break;
+ }
+ }
+}
+
+void ast_sip_security_mechanisms_vector_destroy(struct ast_sip_security_mechanism_vector *security_mechanisms)
+{
+ int i;
+ size_t size;
+ struct ast_sip_security_mechanism *mech;
+
+ if (!security_mechanisms) {
+ return;
+ }
+
+ size = AST_VECTOR_SIZE(security_mechanisms);
+
+ for (i = 0; i < size; ++i) {
+ mech = AST_VECTOR_GET(security_mechanisms, 0);
+ AST_VECTOR_FREE(mech->mechanism_parameters);
+ ast_free(mech);
+ }
+ AST_VECTOR_FREE(security_mechanisms);
+}
+
+int ast_sip_str_to_security_mechanism(struct ast_sip_security_mechanism **security_mechanism, const char *value) {
+ struct ast_sip_security_mechanism *mech;
+ char *param;
+ char *tmp1;
+ char *tmp2;
+ char *mechanism = ast_strdupa(value);
+ int err = 0;
+ int type = -1;
+
+ mech = ast_calloc(1, sizeof(*mech));
+ if (!mech) {
+ err = ENOMEM;
+ goto out;
+ }
+ mech->mechanism_parameters = ast_calloc(1, sizeof(*mech->mechanism_parameters));
+ if (!mech->mechanism_parameters) {
+ AST_VECTOR_FREE(mech->mechanism_parameters);
+ err = ENOMEM;
+ goto out;
+ }
+
+ tmp1 = ast_strsep(&mechanism, ';', AST_STRSEP_ALL);
+ type = ast_sip_str_to_security_mechanism_type(tmp1);
+ if (type == -1) {
+ /* Invalid mechanism */
+ AST_VECTOR_FREE(mech->mechanism_parameters);
+ err = EINVAL;
+ goto out;
+ }
+ mech->type = type;
+ while ((param = ast_strsep(&mechanism, ';', AST_STRSEP_ALL))) {
+ if (!param) {
+ AST_VECTOR_FREE(mech->mechanism_parameters);
+ err = EINVAL;
+ goto out;
+ }
+ if (strlen(param) > 3 && !strncmp(param, "q=0.", 4)) {
+ tmp1 = ast_strdupa(param);
+ tmp2 = strtok(tmp1, "=");
+ tmp2 = strtok(NULL, "");
+ mech->qvalue = strtof(tmp2, NULL);
+ continue;
+ }
+ param = ast_strdup(param);
+ AST_VECTOR_APPEND(mech->mechanism_parameters, param);
+ }
+
+ *security_mechanism = mech;
+
+out:
+ if (err) {
+ ast_free(mech);
+ }
+ return err;
+}
+
+int ast_sip_add_security_headers(struct ast_sip_security_mechanism_vector *security_mechanisms,
+ const char *header_name, int add_qval, pjsip_tx_data *tdata) {
+ struct ast_sip_security_mechanism *mech;
+ char *buf;
+ int mech_cnt;
+ int i;
+ int add_qvalue = 1;
+
+ if (!security_mechanisms || !tdata) {
+ return EINVAL;
+ }
+
+ if (!strcmp(header_name, "Security-Client")) {
+ add_qvalue = 0;
+ } else if (strcmp(header_name, "Security-Server") &&
+ strcmp(header_name, "Security-Verify")) {
+ return EINVAL;
+ }
+ /* If we're adding Security-Client headers, don't add q-value
+ * even if the function caller requested it. */
+ add_qvalue = add_qvalue && add_qval;
+
+ mech_cnt = AST_VECTOR_SIZE(security_mechanisms);
+ for (i = 0; i < mech_cnt; ++i) {
+ mech = AST_VECTOR_GET(security_mechanisms, i);
+ if (ast_sip_security_mechanism_to_str(mech, add_qvalue, &buf)) {
+ continue;
+ }
+ ast_sip_add_header(tdata, header_name, buf);
+ }
+ return 0;
+}
+
+void ast_sip_header_to_security_mechanism(struct ast_sip_security_mechanism_vector *security_mechanisms,
+ const pjsip_generic_string_hdr *hdr) {
+
+ struct ast_sip_security_mechanism *mech;
+ char buf[512];
+ char *hdr_val;
+ char *mechanism;
+
+ if (!security_mechanisms || !hdr) {
+ return;
+ }
+
+ if (pj_strcmp2(&hdr->name, "Security-Client") && pj_strcmp2(&hdr->name, "Security-Server") &&
+ pj_strcmp2(&hdr->name, "Security-Verify")) {
+ return;
+ }
+
+ ast_copy_pj_str(buf, &hdr->hvalue, sizeof(buf));
+ hdr_val = ast_skip_blanks(buf);
+
+ while ((mechanism = ast_strsep(&hdr_val, ',', AST_STRSEP_ALL))) {
+ if (!ast_sip_str_to_security_mechanism(&mech, mechanism)) {
+ AST_VECTOR_APPEND(security_mechanisms, mech);
+ }
+ }
+}
+
+int ast_sip_security_mechanism_vector_init(struct ast_sip_security_mechanism_vector *security_mechanisms, const char *value)
+{
+ char *val = value ? ast_strdupa(value) : NULL;
+ struct ast_sip_security_mechanism *mech;
+ char *mechanism;
+
+ if (AST_VECTOR_SIZE(security_mechanisms)) {
+ ast_sip_security_mechanisms_vector_destroy(security_mechanisms);
+ }
+
+ if (AST_VECTOR_INIT(security_mechanisms, 1)) {
+ return -1;
+ }
+
+ if (!val) {
+ return 0;
+ }
+
+ while ((mechanism = ast_strsep(&val, ',', AST_STRSEP_ALL))) {
+ if (!ast_sip_str_to_security_mechanism(&mech, mechanism)) {
+ AST_VECTOR_APPEND(security_mechanisms, mech);
+ }
+ }
+
+ return 0;
+}
\ No newline at end of file
diff --git a/res/res_pjsip_outbound_registration.c b/res/res_pjsip_outbound_registration.c
index b00221a..c102f18 100644
--- a/res/res_pjsip_outbound_registration.c
+++ b/res/res_pjsip_outbound_registration.c
@@ -87,6 +87,22 @@
are made.
</para></description>
</configOption>
+ <configOption name="security_negotiation" default="no">
+ <synopsis>The kind of security agreement negotiation to use. Currently, only mediasec is supported.</synopsis>
+ <description>
+ <enumlist>
+ <enum name="no" />
+ <enum name="mediasec" />
+ </enumlist>
+ </description>
+ </configOption>
+ <configOption name="security_mechanisms">
+ <synopsis>List of security mechanisms supported.</synopsis>
+ <description><para>
+ This is a comma-delimited list of security mechanisms to use. Each security mechanism
+ must be in the form defined by RFC 3329 section 2.2.
+ </para></description>
+ </configOption>
<configOption name="outbound_auth" default="">
<synopsis>Authentication object(s) to be used for outbound registrations.</synopsis>
<description><para>
@@ -328,6 +344,10 @@
unsigned int max_retries;
/*! \brief Whether to add a line parameter to the outbound Contact or not */
unsigned int line;
+ /*! \brief Type of security negotiation to use (RFC 3329). */
+ enum ast_sip_security_negotiation security_negotiation;
+ /*! \brief Client security mechanisms (RFC 3329). */
+ struct ast_sip_security_mechanism_vector security_mechanisms;
/*! \brief Configured authentication credentials */
struct ast_sip_auth_vector outbound_auths;
/*! \brief Whether Path support is enabled */
@@ -371,6 +391,12 @@
unsigned int auth_rejection_permanent;
/*! \brief Determines whether SIP Path support should be advertised */
unsigned int support_path;
+ /*! \brief Type of security negotiation to use (RFC 3329). */
+ enum ast_sip_security_negotiation security_negotiation;
+ /*! \brief Client security mechanisms (RFC 3329). */
+ struct ast_sip_security_mechanism_vector security_mechanisms;
+ /*! \brief Security mechanisms of the peer (RFC 3329). */
+ struct ast_sip_security_mechanism_vector server_security_mechanisms;
/*! CSeq number of last sent auth request. */
unsigned int auth_cseq;
/*! \brief Serializer for stuff and things */
@@ -655,6 +681,18 @@
pj_strassign(&hdr->values[hdr->count++], &PATH_NAME);
}
+ if (client_state->security_negotiation == AST_SIP_SECURITY_NEG_MEDIASEC) {
+ if (client_state->status == SIP_REGISTRATION_REGISTERED) {
+ ast_sip_add_security_headers(&client_state->server_security_mechanisms,
+ "Security-Verify", 0, tdata);
+ } else {
+ ast_sip_add_security_headers(&client_state->security_mechanisms,
+ "Security-Client", 0, tdata);
+ ast_sip_add_header(tdata, "Require", "mediasec");
+ ast_sip_add_header(tdata, "Proxy-Require", "mediasec");
+ }
+ }
+
registration_client_send(client_state, tdata);
return 0;
@@ -946,9 +984,20 @@
static int handle_registration_response(void *data)
{
struct registration_response *response = data;
+ struct sip_outbound_registration *reg = NULL;
+ struct ast_sip_endpoint *endpt = NULL;
+ struct ast_sip_contact *contact = NULL;
+ struct ast_sip_aor *aor = NULL;
+ struct ast_sip_contact_status *contact_status = NULL;
pjsip_regc_info info;
char server_uri[PJSIP_MAX_URL_SIZE];
char client_uri[PJSIP_MAX_URL_SIZE];
+ static const pj_str_t security_server = { "Security-Server", 15 };
+ static const pj_str_t security_verify = { "Security-Verify", 15 };
+ static const pj_str_t security_client = { "Security-Client", 15 };
+ static const pj_str_t proxy_require = { "Proxy-Require", 13 };
+ static const pj_str_t require = { "Require", 7 };
+
if (response->client_state->status == SIP_REGISTRATION_STOPPED) {
ao2_ref(response, -1);
@@ -972,7 +1021,7 @@
return 0;
}
}
- } else if ((response->code == 401 || response->code == 407)
+ } else if ((response->code == 401 || response->code == 407 || response->code == 494)
&& (!response->client_state->auth_attempted
|| response->rdata->msg_info.cseq->cseq != response->client_state->auth_cseq)) {
int res;
@@ -985,6 +1034,45 @@
ast_debug(1, "Sending authenticated REGISTER to server '%s' from client '%s'\n",
server_uri, client_uri);
pjsip_tx_data_add_ref(tdata);
+
+ if ((reg = ast_sorcery_retrieve_by_id(ast_sip_get_sorcery(), "registration", response->client_state->registration_name)) &&
+ (endpt = ast_sorcery_retrieve_by_id(ast_sip_get_sorcery(), "endpoint", reg->endpoint)) &&
+ (aor = ast_sip_location_retrieve_aor(endpt->aors)) &&
+ (contact = ast_sip_location_retrieve_first_aor_contact(aor))) {
+ /* Get contact status through registration -> endpoint name -> aor -> contact */
+ contact_status = ast_sip_get_contact_status(contact);
+ }
+ if (!AST_VECTOR_SIZE(&response->client_state->server_security_mechanisms)) {
+ /* Add server list of security mechanism to client_state and contact status */
+ pjsip_generic_string_hdr *header;
+ header = pjsip_msg_find_hdr_by_name(response->rdata->msg_info.msg, &security_server, NULL);
+
+ for (; header;
+ header = pjsip_msg_find_hdr_by_name(response->rdata->msg_info.msg, &security_server, header->next)) {
+
+ ast_sip_header_to_security_mechanism(&response->client_state->server_security_mechanisms, header);
+ if (contact_status) {
+ /* Add server security mechanisms to contact status to be able to send correct
+ * Security-Verify headers on subsequent non-REGISTER requests
+ * through this outbound registration.
+ */
+ ast_sip_header_to_security_mechanism(&contact_status->security_mechanisms, header);
+ }
+ }
+ }
+ if (response->client_state->security_negotiation == AST_SIP_SECURITY_NEG_MEDIASEC) {
+ /* Add Security-Verify headers (no q-value when using mediasec)
+ * and remove Security-Client, Proxy-Require, and Require header.
+ */
+ if (pjsip_msg_find_hdr_by_name(tdata->msg, &security_verify, NULL) == NULL) {
+ ast_sip_add_security_headers(&response->client_state->server_security_mechanisms,
+ "Security-Verify", 0, tdata);
+ }
+ ast_sip_remove_headers_by_name_and_value(tdata->msg, &security_client, NULL);
+ ast_sip_remove_headers_by_name_and_value(tdata->msg, &proxy_require, "mediasec");
+ ast_sip_remove_headers_by_name_and_value(tdata->msg, &require, "mediasec");
+ }
+
res = registration_client_send(response->client_state, tdata);
/* Save the cseq that actually got sent. */
@@ -1488,12 +1576,22 @@
ast_free(name);
}
}
+ AST_VECTOR_INIT(&state->client_state->security_mechanisms, AST_VECTOR_SIZE(®istration->security_mechanisms));
+ for (i = 0; i < AST_VECTOR_SIZE(®istration->security_mechanisms); ++i) {
+ struct ast_sip_security_mechanism *mech = ast_sip_security_mechanism_dup(AST_VECTOR_GET(®istration->security_mechanisms, i));
+
+ if (mech && AST_VECTOR_APPEND(&state->client_state->security_mechanisms, mech)) {
+ AST_VECTOR_FREE(mech->mechanism_parameters);
+ ast_free(mech);
+ }
+ }
state->client_state->retry_interval = registration->retry_interval;
state->client_state->forbidden_retry_interval = registration->forbidden_retry_interval;
state->client_state->fatal_retry_interval = registration->fatal_retry_interval;
state->client_state->max_retries = registration->max_retries;
state->client_state->retries = 0;
state->client_state->support_path = registration->support_path;
+ state->client_state->security_negotiation = registration->security_negotiation;
state->client_state->auth_rejection_permanent = registration->auth_rejection_permanent;
max_delay = registration->max_random_initial_delay;
@@ -1592,6 +1690,20 @@
return 0;
}
+static int security_mechanisms_handler(const struct aco_option *opt, struct ast_variable *var, void *obj)
+{
+ struct sip_outbound_registration *registration = obj;
+
+ return ast_sip_security_mechanism_vector_init(®istration->security_mechanisms, var->value);
+}
+
+static int security_negotiation_handler(const struct aco_option *opt, struct ast_variable *var, void *obj)
+{
+ struct sip_outbound_registration *registration = obj;
+
+ return ast_sip_set_security_negotiation(®istration->security_negotiation, var->value);
+}
+
static int outbound_auth_handler(const struct aco_option *opt, struct ast_variable *var, void *obj)
{
struct sip_outbound_registration *registration = obj;
@@ -2318,6 +2430,8 @@
ast_sorcery_object_field_register(ast_sip_get_sorcery(), "registration", "auth_rejection_permanent", "yes", OPT_BOOL_T, 1, FLDSET(struct sip_outbound_registration, auth_rejection_permanent));
ast_sorcery_object_field_register_custom(ast_sip_get_sorcery(), "registration", "outbound_auth", "", outbound_auth_handler, outbound_auths_to_str, outbound_auths_to_var_list, 0, 0);
ast_sorcery_object_field_register(ast_sip_get_sorcery(), "registration", "support_path", "no", OPT_BOOL_T, 1, FLDSET(struct sip_outbound_registration, support_path));
+ ast_sorcery_object_field_register_custom(ast_sip_get_sorcery(), "registration", "security_negotiation", "no", security_negotiation_handler, NULL, NULL, 0, 0);
+ ast_sorcery_object_field_register_custom(ast_sip_get_sorcery(), "registration", "security_mechanisms", "", security_mechanisms_handler, NULL, NULL, 0, 0);
ast_sorcery_object_field_register(ast_sip_get_sorcery(), "registration", "line", "no", OPT_BOOL_T, 1, FLDSET(struct sip_outbound_registration, line));
ast_sorcery_object_field_register(ast_sip_get_sorcery(), "registration", "endpoint", "", OPT_STRINGFIELD_T, 0, STRFLDSET(struct sip_outbound_registration, endpoint));
diff --git a/res/res_pjsip_rfc3329.c b/res/res_pjsip_rfc3329.c
new file mode 100644
index 0000000..308b687
--- /dev/null
+++ b/res/res_pjsip_rfc3329.c
@@ -0,0 +1,124 @@
+/*
+ * Asterisk -- An open source telephony toolkit.
+ *
+ * Copyright (C) 2022, Commend International
+ *
+ * Maximilian Fridrich <m.fridrich at commend.com>
+ *
+ * See http://www.asterisk.org for more information about
+ * the Asterisk project. Please do not directly contact
+ * any of the maintainers of this project for assistance;
+ * the project provides a web site, mailing lists and IRC
+ * channels for your use.
+ *
+ * This program is free software, distributed under the terms of
+ * the GNU General Public License Version 2. See the LICENSE file
+ * at the top of the source tree.
+ */
+
+/*** MODULEINFO
+ <depend>pjproject</depend>
+ <depend>res_pjsip</depend>
+ <depend>res_pjsip_session</depend>
+ <support_level>core</support_level>
+ ***/
+
+#include "asterisk.h"
+
+#include <pjsip.h>
+#include <pjsip_ua.h>
+
+#include "asterisk/res_pjsip.h"
+#include "asterisk/res_pjsip_session.h"
+#include "asterisk/module.h"
+#include "asterisk/causes.h"
+#include "asterisk/threadpool.h"
+
+static void rfc3329_incoming_response(struct ast_sip_session *session, struct pjsip_rx_data *rdata)
+{
+ static const pj_str_t str_security_server = { "Security-Server", 15 };
+ struct ast_sip_contact_status *contact_status = NULL;
+ int contact_has_mechanisms = 0;
+ struct ast_sip_security_mechanism *mech;
+ pjsip_generic_string_hdr *header;
+ char buf[128];
+ char *hdr_val;
+ char *mechanism;
+
+ if (session && session->contact) {
+ contact_status = ast_sip_get_contact_status(session->contact);
+ contact_has_mechanisms = contact_status && AST_VECTOR_SIZE(&contact_status->security_mechanisms);
+ }
+
+ if (AST_VECTOR_SIZE(&session->server_security_mechanisms) && contact_has_mechanisms) {
+ return;
+ }
+
+ header = pjsip_msg_find_hdr_by_name(rdata->msg_info.msg, &str_security_server, NULL);
+ for (; header;
+ header = pjsip_msg_find_hdr_by_name(rdata->msg_info.msg, &str_security_server, header->next)) {
+ /* Parse Security-Server headers and add to session and contact status
+ * to use for future requests. */
+ ast_copy_pj_str(buf, &header->hvalue, sizeof(buf));
+ hdr_val = ast_skip_blanks(buf);
+
+ while ((mechanism = ast_strsep(&hdr_val, ',', AST_STRSEP_ALL))) {
+ if (!ast_sip_str_to_security_mechanism(&mech, mechanism)) {
+ AST_VECTOR_APPEND(&session->server_security_mechanisms, mech);
+ if (contact_status && !contact_has_mechanisms) {
+ AST_VECTOR_APPEND(&contact_status->security_mechanisms, mech);
+ }
+ }
+ }
+ }
+}
+
+static void rfc3329_outgoing_request(struct ast_sip_session *session, struct pjsip_tx_data *tdata)
+{
+ static const pj_str_t security_verify = { "Security-Verify", 15 };
+ struct pjsip_generic_string_hdr *hdr = NULL;
+ struct ast_sip_contact_status *contact_status = NULL;
+
+ if (session->endpoint->security_negotiation != AST_SIP_SECURITY_NEG_MEDIASEC) {
+ return;
+ }
+
+ contact_status = ast_sip_get_contact_status(session->contact);
+ hdr = pjsip_msg_find_hdr_by_name(tdata->msg, &security_verify, NULL);
+
+ if (AST_VECTOR_SIZE(&contact_status->security_mechanisms) && hdr == NULL) {
+ /* Add Security-Verify headers (with q-value) */
+ ast_sip_add_security_headers(&contact_status->security_mechanisms, "Security-Verify", 0, tdata);
+
+ } else if (!hdr && AST_VECTOR_SIZE(&session->endpoint->security_mechanisms)) {
+ /* Add Security-Client headers (no q-value) and Require, Proxy-Require */
+ ast_sip_add_security_headers(&session->endpoint->security_mechanisms, "Security-Client", 0, tdata);
+ ast_sip_add_header(tdata, "Require", "mediasec");
+ ast_sip_add_header(tdata, "Proxy-Require", "mediasec");
+ }
+}
+
+static struct ast_sip_session_supplement rfc3329_supplement = {
+ .incoming_response = rfc3329_incoming_response,
+ .outgoing_request = rfc3329_outgoing_request,
+};
+
+static int load_module(void)
+{
+ ast_sip_session_register_supplement(&rfc3329_supplement);
+ return AST_MODULE_LOAD_SUCCESS;
+}
+
+static int unload_module(void)
+{
+ ast_sip_session_unregister_supplement(&rfc3329_supplement);
+ return 0;
+}
+
+AST_MODULE_INFO(ASTERISK_GPL_KEY, AST_MODFLAG_LOAD_ORDER, "PJSIP RFC 3329 Support (partial)",
+ .support_level = AST_MODULE_SUPPORT_CORE,
+ .load = load_module,
+ .unload = unload_module,
+ .load_pri = AST_MODPRI_APP_DEPEND,
+ .requires = "res_pjsip,res_pjsip_session",
+);
diff --git a/res/res_pjsip_sdp_rtp.c b/res/res_pjsip_sdp_rtp.c
index 3b2e299..4614b96 100644
--- a/res/res_pjsip_sdp_rtp.c
+++ b/res/res_pjsip_sdp_rtp.c
@@ -1526,6 +1526,7 @@
static const pj_str_t STR_PASSIVE = { "passive", 7 };
static const pj_str_t STR_ACTPASS = { "actpass", 7 };
static const pj_str_t STR_HOLDCONN = { "holdconn", 8 };
+ static const pj_str_t STR_MEDSECREQ = { "requested", 9 };
enum ast_rtp_dtls_setup setup;
switch (session_media->encryption) {
@@ -1556,6 +1557,11 @@
media->attr[media->attr_count++] = attr;
} while ((tmp = AST_LIST_NEXT(tmp, sdp_srtp_list)));
+ if (session->endpoint->security_negotiation == AST_SIP_SECURITY_NEG_MEDIASEC) {
+ attr = pjmedia_sdp_attr_create(pool, "3ge2ae", &STR_MEDSECREQ);
+ media->attr[media->attr_count++] = attr;
+ }
+
break;
case AST_SIP_MEDIA_ENCRYPT_DTLS:
if (setup_dtls_srtp(session, session_media)) {
diff --git a/res/res_pjsip_session.c b/res/res_pjsip_session.c
index 3c55af7..c2f1dd1 100644
--- a/res/res_pjsip_session.c
+++ b/res/res_pjsip_session.c
@@ -4746,7 +4746,7 @@
ast_debug(1, "%s: reINVITE received final response code %d\n",
ast_sip_session_get_name(session),
tsx->status_code);
- if ((tsx->status_code == 401 || tsx->status_code == 407)
+ if ((tsx->status_code == 401 || tsx->status_code == 407 || tsx->status_code == 494)
&& ++session->authentication_challenge_count < MAX_RX_CHALLENGES
&& !ast_sip_create_request_with_auth(
&session->endpoint->outbound_auths,
@@ -4840,7 +4840,7 @@
ast_sip_session_get_name(session),
(int) pj_strlen(&tsx->method.name), pj_strbuf(&tsx->method.name),
tsx->status_code);
- if ((tsx->status_code == 401 || tsx->status_code == 407)
+ if ((tsx->status_code == 401 || tsx->status_code == 407 || tsx->status_code == 494)
&& ++session->authentication_challenge_count < MAX_RX_CHALLENGES
&& !ast_sip_create_request_with_auth(
&session->endpoint->outbound_auths,
--
To view, visit https://gerrit.asterisk.org/c/asterisk/+/18837
To unsubscribe, or for help writing mail filters, visit https://gerrit.asterisk.org/settings
Gerrit-Project: asterisk
Gerrit-Branch: 16
Gerrit-Change-Id: Ia7f5b5ba42db18074fdd5428c4e1838728586be2
Gerrit-Change-Number: 18837
Gerrit-PatchSet: 1
Gerrit-Owner: Maximilian Fridrich <m.fridrich at commend.com>
Gerrit-MessageType: newchange
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.digium.com/pipermail/asterisk-code-review/attachments/20220726/78111cb0/attachment-0001.html>
More information about the asterisk-code-review
mailing list