[Asterisk-code-review] res_pjsip: Add tests for security agreements (testsuite[19])

Maximilian Fridrich asteriskteam at digium.com
Thu Sep 29 04:15:32 CDT 2022


Maximilian Fridrich has uploaded this change for review. ( https://gerrit.asterisk.org/c/testsuite/+/19391 )


Change subject: res_pjsip: Add tests for security agreements
......................................................................

res_pjsip: Add tests for security agreements

Add tests that check the basic functionality of the security agreement
mechanisms for outbound registrations. The tests pass if the registrations
succeed after the initial temporary rejection.

ASTERISK-30032

Change-Id: Iad40d0f1987d1de19b1fe1c5c53394853179ce61
---
A tests/channels/pjsip/registration/outbound/sec_agreement_required/configs/ast1/pjsip.conf
A tests/channels/pjsip/registration/outbound/sec_agreement_required/sipp/uas-reg-401-scenario.xml
A tests/channels/pjsip/registration/outbound/sec_agreement_required/sipp/uas-reg-494-scenario.xml
A tests/channels/pjsip/registration/outbound/sec_agreement_required/test-config.yaml
M tests/channels/pjsip/registration/outbound/tests.yaml
5 files changed, 328 insertions(+), 0 deletions(-)



  git pull ssh://gerrit.asterisk.org:29418/testsuite refs/changes/91/19391/1

diff --git a/tests/channels/pjsip/registration/outbound/sec_agreement_required/configs/ast1/pjsip.conf b/tests/channels/pjsip/registration/outbound/sec_agreement_required/configs/ast1/pjsip.conf
new file mode 100644
index 0000000..131baf8
--- /dev/null
+++ b/tests/channels/pjsip/registration/outbound/sec_agreement_required/configs/ast1/pjsip.conf
@@ -0,0 +1,32 @@
+[global]
+type = global
+debug = yes
+
+[trans]
+type = transport
+protocol = udp
+bind = 127.0.0.1:5060
+
+[outreg-1]
+type = registration
+security_negotiation = mediasec
+security_mechanisms = sdes-srtp\;mediasec
+server_uri = sip:them at 127.0.0.1:5061
+client_uri = sip:us at 127.0.0.1
+outbound_auth = regauth
+expiration=12
+
+[outreg-2]
+type = registration
+security_negotiation = mediasec
+security_mechanisms = sdes-srtp\;mediasec
+server_uri = sip:them at 127.0.0.1:5062
+client_uri = sip:us at 127.0.0.1
+outbound_auth = regauth
+expiration=12
+
+[regauth]
+type = auth
+auth_type = userpass
+username = myself
+password = me-me
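Review bot: The `\;` in `security_mechanisms = sdes-srtp\;mediasec` (in both `[outreg-1]` and `[outreg-2]`) is unexplained. Because `;` starts a comment in Asterisk configuration files, a later edit that drops the backslash would silently truncate the value to `sdes-srtp`, and the test would no longer offer the `mediasec` parameter. A comment above the option would make this visible, for example `; ';' starts a comment in Asterisk config, so it is escaped to keep the ';mediasec' parameter`.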
diff --git a/tests/channels/pjsip/registration/outbound/sec_agreement_required/sipp/uas-reg-401-scenario.xml b/tests/channels/pjsip/registration/outbound/sec_agreement_required/sipp/uas-reg-401-scenario.xml
new file mode 100644
index 0000000..96b0295
--- /dev/null
+++ b/tests/channels/pjsip/registration/outbound/sec_agreement_required/sipp/uas-reg-401-scenario.xml
@@ -0,0 +1,109 @@
+<?xml version="1.0" encoding="ISO-8859-1" ?>
+<!DOCTYPE scenario SYSTEM "sipp.dtd">
+
+<scenario name="Security agreement scenario 2: 401 response received">
+    <recv request="REGISTER" crlf="true">
+        <action>
+            <ereg regexp="sdes-srtp;mediasec"
+                search_in="hdr"
+                check_it="true"
+                header="Security-Client: "
+                assign_to="1" />
+            <ereg regexp="mediasec"
+                search_in="hdr"
+                check_it="true"
+                header="Require: "
+                assign_to="4" />
+            <ereg regexp="mediasec"
+                search_in="hdr"
+                check_it="true"
+                header="Proxy-Require: "
+                assign_to="4" />
+        </action>
+    </recv>
+
+    <send>
+        <![CDATA[
+            SIP/2.0 401 Unauthorized
+            [last_Via:]
+            [last_From:]
+            [last_To:];tag=[pid]SIPpTag01[call_number]
+            [last_Call-ID:]
+            [last_CSeq:]
+            Contact: <sip:[local_ip]:[local_port];transport=[transport]>
+            Security-Server: msrp-tls;mediasec
+            Security-Server: sdes-srtp;mediasec
+            Security-Server: dtls-srtp;mediasec
+            WWW-Authenticate: Digest realm="asterisk", nonce="47ebe028cda119c35d4877b383027d28da013815"
+            Content-Length: 0
+        ]]>
+    </send>
+
+    <recv request="REGISTER">
+        <action>
+            <ereg regexp="msrp-tls;mediasec"
+                search_in="hdr"
+                check_it="true"
+                occurrence="1"
+                header="Security-Verify: "
+                assign_to="2" />
+            <ereg regexp="sdes-srtp;mediasec"
+                search_in="hdr"
+                check_it="true"
+                occurrence="2"
+                header="Security-Verify: "
+                assign_to="3" />
+            <ereg regexp="dtls-srtp;mediasec"
+                search_in="hdr"
+                check_it="true"
+                occurrence="3"
+                header="Security-Verify: "
+                assign_to="4" />
+            <ereg regexp="mediasec"
+                search_in="hdr"
+                check_it="true"
+                header="Require: "
+                assign_to="4" />
+            <ereg regexp="mediasec"
+                search_in="hdr"
+                check_it="true"
+                header="Proxy-Require: "
+                assign_to="4" />
+        </action>
+    </recv>
+
+    <send>
+        <![CDATA[
+            SIP/2.0 200 OK
+            [last_Via:]
+            [last_From:]
+            [last_To:];tag=[pid]SIPpTag01[call_number]
+            [last_Call-ID:]
+            [last_CSeq:]
+            Contact: <sip:[local_ip]:[local_port];transport=[transport]>
+            Expires: 12
+            Content-Length: 0
+        ]]>
+    </send>
+
+    <!--  This could be a re- or un- register -->
+    <recv request="REGISTER" crlf="true">
+    </recv>
+
+    <send>
+       <![CDATA[
+            SIP/2.0 200 OK
+            [last_Via:]
+            [last_From:]
+            [last_To:];tag=[pid]SIPpTag01[call_number]
+            [last_Call-ID:]
+            [last_CSeq:]
+            Contact: <sip:[local_ip]:[local_port];transport=[transport]>
+            Expires: 0
+            Content-Length: 0
+        ]]>
+    </send>
+
+    <Reference variables="1,2,3,4" />
+
+</scenario>
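Review bot: The second `<recv request="REGISTER">` checks `Security-Verify`, `Require` and `Proxy-Require` but never `Authorization`, although the preceding 401 carries a `WWW-Authenticate: Digest` challenge and the registration is configured with `outbound_auth = regauth`. As written, the scenario answers 200 OK to a retry that carries no credentials, so a regression that adds the security-agreement headers but drops digest authentication would still pass. Adding `<ereg regexp="Digest" search_in="hdr" check_it="true" header="Authorization: " assign_to="5" />` to that action block and extending the last line to `<Reference variables="1,2,3,4,5" />` would close the gap. uas-reg-494-scenario.xml sends the same challenge and has the same missing check, assuming Asterisk is expected to answer the challenge after a 494 as well.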
diff --git a/tests/channels/pjsip/registration/outbound/sec_agreement_required/sipp/uas-reg-494-scenario.xml b/tests/channels/pjsip/registration/outbound/sec_agreement_required/sipp/uas-reg-494-scenario.xml
new file mode 100644
index 0000000..bac4e0c
--- /dev/null
+++ b/tests/channels/pjsip/registration/outbound/sec_agreement_required/sipp/uas-reg-494-scenario.xml
@@ -0,0 +1,109 @@
+<?xml version="1.0" encoding="ISO-8859-1" ?>
+<!DOCTYPE scenario SYSTEM "sipp.dtd">
+
+<scenario name="Security agreement scenario 1: 494 response received">
+    <recv request="REGISTER" crlf="true">
+        <action>
+            <ereg regexp="sdes-srtp;mediasec"
+                search_in="hdr"
+                check_it="true"
+                header="Security-Client: "
+                assign_to="1" />
+            <ereg regexp="mediasec"
+                search_in="hdr"
+                check_it="true"
+                header="Require: "
+                assign_to="4" />
+            <ereg regexp="mediasec"
+                search_in="hdr"
+                check_it="true"
+                header="Proxy-Require: "
+                assign_to="4" />
+        </action>
+    </recv>
+
+    <send>
+        <![CDATA[
+            SIP/2.0 494 Security Agreement Required
+            [last_Via:]
+            [last_From:]
+            [last_To:];tag=[pid]SIPpTag01[call_number]
+            [last_Call-ID:]
+            [last_CSeq:]
+            Contact: <sip:[local_ip]:[local_port];transport=[transport]>
+            Security-Server: msrp-tls;mediasec
+            Security-Server: sdes-srtp;mediasec
+            Security-Server: dtls-srtp;mediasec
+            WWW-Authenticate: Digest realm="asterisk", nonce="47ebe028cda119c35d4877b383027d28da013815"
+            Content-Length: 0
+        ]]>
+    </send>
+
+    <recv request="REGISTER">
+        <action>
+            <ereg regexp="msrp-tls;mediasec"
+                search_in="hdr"
+                check_it="true"
+                occurrence="1"
+                header="Security-Verify: "
+                assign_to="2" />
+            <ereg regexp="sdes-srtp;mediasec"
+                search_in="hdr"
+                check_it="true"
+                occurrence="2"
+                header="Security-Verify: "
+                assign_to="3" />
+            <ereg regexp="dtls-srtp;mediasec"
+                search_in="hdr"
+                check_it="true"
+                occurrence="3"
+                header="Security-Verify: "
+                assign_to="4" />
+            <ereg regexp="mediasec"
+                search_in="hdr"
+                check_it="true"
+                header="Require: "
+                assign_to="4" />
+            <ereg regexp="mediasec"
+                search_in="hdr"
+                check_it="true"
+                header="Proxy-Require: "
+                assign_to="4" />
+        </action>
+    </recv>
+
+    <send>
+        <![CDATA[
+            SIP/2.0 200 OK
+            [last_Via:]
+            [last_From:]
+            [last_To:];tag=[pid]SIPpTag01[call_number]
+            [last_Call-ID:]
+            [last_CSeq:]
+            Contact: <sip:[local_ip]:[local_port];transport=[transport]>
+            Expires: 12
+            Content-Length: 0
+        ]]>
+    </send>
+
+    <!--  This could be a re- or un- register -->
+    <recv request="REGISTER" crlf="true">
+    </recv>
+
+    <send>
+       <![CDATA[
+            SIP/2.0 200 OK
+            [last_Via:]
+            [last_From:]
+            [last_To:];tag=[pid]SIPpTag01[call_number]
+            [last_Call-ID:]
+            [last_CSeq:]
+            Contact: <sip:[local_ip]:[local_port];transport=[transport]>
+            Expires: 0
+            Content-Length: 0
+        ]]>
+    </send>
+
+    <Reference variables="1,2,3,4" />
+
+</scenario>
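Review bot: The final `<recv request="REGISTER" crlf="true">` has an empty body, so the re- or un-register is accepted with no header checks at all. RFC 3329 expects later requests to the same server to keep mirroring the server's mechanism list in `Security-Verify`, since that mirroring is what lets the server detect a bidding-down attack. If Asterisk is meant to do this on refresh, the check belongs here, for example `<ereg regexp="sdes-srtp;mediasec" search_in="hdr" check_it="true" header="Security-Verify: " assign_to="3" />` alongside the other two mechanisms. The same empty `recv` appears in uas-reg-401-scenario.xml.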
diff --git a/tests/channels/pjsip/registration/outbound/sec_agreement_required/test-config.yaml b/tests/channels/pjsip/registration/outbound/sec_agreement_required/test-config.yaml
new file mode 100644
index 0000000..4486b78
--- /dev/null
+++ b/tests/channels/pjsip/registration/outbound/sec_agreement_required/test-config.yaml
@@ -0,0 +1,62 @@
+testinfo:
+    summary: 'Check handling of security agreement mechanisms'
+    description: |
+        'Asterisk attempts to use the security agreement mechanisms as defined
+        in RFC 3329. The server rejects the initial registration with a 494
+        Security Agreement Required or some non-RFC compliant servers with 401
+        Unauthorized. Asterisk should then attempt to register with the correct
+        Security-Verify headers which have been obtained from the server's
+        response.
+
+        There are two scenarios:
+        1) The server responds with status code 494.
+        2) The server responds with status code 401.'
+
+test-modules:
+    test-object:
+        config-section: sipp-config
+        typename: 'sipp.SIPpTestCase'
+    modules:
+        -
+            typename: 'ami.AMIEventModule'
+            config-section: ami-config
+
+sipp-config:
+    test-iterations:
+        -
+            scenarios:
+                - { 'key-args': { 'scenario': 'uas-reg-494-scenario.xml', '-p': '5061'} }
+                - { 'key-args': { 'scenario': 'uas-reg-401-scenario.xml', '-p': '5062'} }
+
+ami-config:
+    -
+        type: 'headermatch'
+        conditions:
+            match:
+                Event: 'Registry'
+                ChannelType: 'PJSIP'
+                Username: 'sip:us at 127.0.0.1'
+                Domain: 'sip:them at 127.0.0.1:5061'
+                Status: 'Registered'
+        count: '1'
+    -
+        type: 'headermatch'
+        conditions:
+            match:
+                Event: 'Registry'
+                ChannelType: 'PJSIP'
+                Username: 'sip:us at 127.0.0.1'
+                Domain: 'sip:them at 127.0.0.1:5062'
+                Status: 'Registered'
+        count: '1'
+
+properties:
+    dependencies:
+        - python: 'starpy'
+        - sipp:
+            version: 'v3.1'
+        - asterisk: 'res_pjsip'
+        - asterisk: 'res_pjsip_outbound_authenticator_digest'
+        - asterisk: 'res_pjsip_outbound_registration'
+    tags:
+        - pjsip
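Review bot: The `description: |` literal block opens with `'Asterisk attempts` and closes with `401.'`, and inside a block scalar those single quotes are part of the text, not YAML quoting. The description therefore shows stray quote characters wherever the testsuite prints it. Dropping both quotes fixes it, so the first line becomes `Asterisk attempts to use the security agreement mechanisms as defined` and the last `2) The server responds with status code 401.`.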
diff --git a/tests/channels/pjsip/registration/outbound/tests.yaml b/tests/channels/pjsip/registration/outbound/tests.yaml
index c0e9dd3..9128691 100644
--- a/tests/channels/pjsip/registration/outbound/tests.yaml
+++ b/tests/channels/pjsip/registration/outbound/tests.yaml
@@ -7,3 +7,4 @@
     - test: 'forbidden_retry'
     - test: 'interval_too_brief'
     - test: 'line_parameter'
+    - test: 'sec_agreement_required'

-- 
To view, visit https://gerrit.asterisk.org/c/testsuite/+/19391

Gerrit-Project: testsuite
Gerrit-Branch: 19
Gerrit-Change-Id: Iad40d0f1987d1de19b1fe1c5c53394853179ce61
Gerrit-Change-Number: 19391
Gerrit-PatchSet: 1
Gerrit-Owner: Maximilian Fridrich <m.fridrich at commend.com>
Gerrit-MessageType: newchange