<p>Benjamin Keith Ford has uploaded this change for <strong>review</strong>.</p><p><a href="https://gerrit.asterisk.org/c/asterisk/+/16526">View Change</a></p><pre style="font-family: monospace,monospace; white-space: pre-wrap;">STIR/SHAKEN: Option split and response codes.<br><br>The stir_shaken configuration option now has 4 different choices to pick<br>from: off, attest, verify, and on. Off and on behave the same way they<br>do now. Attest will only perform attestation on the endpoint, and verify<br>will only perform verification on the endpoint.<br><br>Certain responses are required to be sent based on certain conditions<br>for STIR/SHAKEN. For example, if we get a Date header that is outside of<br>the time range that is considered valid, a 403 Stale Date response<br>should be sent. This and several other responses have been added.<br><br>Change-Id: I4ac1ecf652cd0e336006b0ca638dc826b5b1ebf7<br>---<br>A doc/UPGRADE-staging/stir_shaken_option_split.txt<br>M include/asterisk/res_pjsip.h<br>M include/asterisk/res_stir_shaken.h<br>M res/res_pjsip/pjsip_configuration.c<br>M res/res_pjsip_session.c<br>M res/res_pjsip_stir_shaken.c<br>M res/res_stir_shaken.c<br>7 files changed, 249 insertions(+), 69 deletions(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;">git pull ssh://gerrit.asterisk.org:29418/asterisk refs/changes/26/16526/1</pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;"><span>diff --git a/doc/UPGRADE-staging/stir_shaken_option_split.txt b/doc/UPGRADE-staging/stir_shaken_option_split.txt</span><br><span>new file mode 100644</span><br><span>index 0000000..79df214</span><br><span>--- /dev/null</span><br><span>+++ b/doc/UPGRADE-staging/stir_shaken_option_split.txt</span><br><span>@@ -0,0 +1,7 @@</span><br><span style="color: hsl(120, 100%, 40%);">+Subject: STIR/SHAKEN</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+The STIR/SHAKEN configuration option has been split into</span><br><span style="color: hsl(120, 100%, 40%);">+4 different choices: off, attest, verify, and on. Off and</span><br><span style="color: hsl(120, 100%, 40%);">+on behave the same way as before. Attest will only perform</span><br><span style="color: hsl(120, 100%, 40%);">+attestation on the endpoint, and verify will only perform</span><br><span style="color: hsl(120, 100%, 40%);">+verification on the endpoint.</span><br><span>diff --git a/include/asterisk/res_pjsip.h b/include/asterisk/res_pjsip.h</span><br><span>index 351ce09..8094a32 100644</span><br><span>--- a/include/asterisk/res_pjsip.h</span><br><span>+++ b/include/asterisk/res_pjsip.h</span><br><span>@@ -525,6 +525,17 @@</span><br><span> AST_SIP_REDIRECT_URI_PJSIP,</span><br><span> };</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+enum ast_sip_stir_shaken_behavior {</span><br><span style="color: hsl(120, 100%, 40%);">+ /*! Don't do any STIR/SHAKEN operations */</span><br><span style="color: hsl(120, 100%, 40%);">+ AST_SIP_STIR_SHAKEN_OFF = 0,</span><br><span style="color: hsl(120, 100%, 40%);">+ /*! Only do STIR/SHAKEN attestation */</span><br><span style="color: hsl(120, 100%, 40%);">+ AST_SIP_STIR_SHAKEN_ATTEST,</span><br><span style="color: hsl(120, 100%, 40%);">+ /*! Only do STIR/SHAKEN verification */</span><br><span style="color: hsl(120, 100%, 40%);">+ AST_SIP_STIR_SHAKEN_VERIFY,</span><br><span style="color: hsl(120, 100%, 40%);">+ /*! Do STIR/SHAKEN attestation and verification */</span><br><span style="color: hsl(120, 100%, 40%);">+ AST_SIP_STIR_SHAKEN_ON,</span><br><span style="color: hsl(120, 100%, 40%);">+};</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span> /*!</span><br><span> * \brief Incoming/Outgoing call offer/answer joint codec preference.</span><br><span> *</span><br><span>@@ -913,7 +924,7 @@</span><br><span> unsigned int suppress_q850_reason_headers;</span><br><span> /*! Ignore 183 if no SDP is present */</span><br><span> unsigned int ignore_183_without_sdp;</span><br><span style="color: hsl(0, 100%, 40%);">- /*! Enable STIR/SHAKEN support on this endpoint */</span><br><span style="color: hsl(120, 100%, 40%);">+ /*! Set which STIR/SHAKEN behaviors we want on this endpoint */</span><br><span> unsigned int stir_shaken;</span><br><span> /*! Should we authenticate OPTIONS requests per RFC 3261? */</span><br><span> unsigned int allow_unauthenticated_options;</span><br><span>diff --git a/include/asterisk/res_stir_shaken.h b/include/asterisk/res_stir_shaken.h</span><br><span>index 5175907..103eb17 100644</span><br><span>--- a/include/asterisk/res_stir_shaken.h</span><br><span>+++ b/include/asterisk/res_stir_shaken.h</span><br><span>@@ -22,6 +22,12 @@</span><br><span> #define STIR_SHAKEN_PPT "shaken"</span><br><span> #define STIR_SHAKEN_TYPE "passport"</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+/* Response codes from RFC8224 */</span><br><span style="color: hsl(120, 100%, 40%);">+#define STIR_SHAKEN_RESPONSE_CODE_STALE_DATE 403</span><br><span style="color: hsl(120, 100%, 40%);">+#define STIR_SHAKEN_RESPONSE_CODE_USE_SUPPORTED_PASSPORT_FORMAT 428</span><br><span style="color: hsl(120, 100%, 40%);">+#define STIR_SHAKEN_RESPONSE_CODE_BAD_IDENTITY_INFO 436</span><br><span style="color: hsl(120, 100%, 40%);">+#define STIR_SHAKEN_RESPONSE_CODE_UNSUPPORTED_CREDENTIAL 437</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span> enum ast_stir_shaken_verification_result {</span><br><span> AST_STIR_SHAKEN_VERIFY_NOT_PRESENT, /*! No STIR/SHAKEN information was available */</span><br><span> AST_STIR_SHAKEN_VERIFY_SIGNATURE_FAILED, /*! Signature verification failed */</span><br><span>@@ -80,12 +86,13 @@</span><br><span> * \param signature The payload signature</span><br><span> * \param algorithm The signature algorithm</span><br><span> * \param public_cert_url The public key URL</span><br><span style="color: hsl(120, 100%, 40%);">+ * \param ss_payload A pointer to a ast_stir_shaken_payload that will get populated on success</span><br><span> *</span><br><span style="color: hsl(0, 100%, 40%);">- * \retval ast_stir_shaken_payload on success</span><br><span style="color: hsl(0, 100%, 40%);">- * \retval NULL on failure</span><br><span style="color: hsl(120, 100%, 40%);">+ * \retval 0 on success</span><br><span style="color: hsl(120, 100%, 40%);">+ * \retval response code on failure (or -1 if no code to return)</span><br><span> */</span><br><span style="color: hsl(0, 100%, 40%);">-struct ast_stir_shaken_payload *ast_stir_shaken_verify(const char *header, const char *payload, const char *signature,</span><br><span style="color: hsl(0, 100%, 40%);">- const char *algorithm, const char *public_cert_url);</span><br><span style="color: hsl(120, 100%, 40%);">+int ast_stir_shaken_verify(const char *header, const char *payload, const char *signature, const char *algorithm,</span><br><span style="color: hsl(120, 100%, 40%);">+ const char *public_cert_url, struct ast_stir_shaken_payload **ss_payload);</span><br><span> </span><br><span> /*!</span><br><span> * \brief Retrieve the stir/shaken sorcery context</span><br><span>diff --git a/res/res_pjsip/pjsip_configuration.c b/res/res_pjsip/pjsip_configuration.c</span><br><span>index 6defa7c..2c9e85d 100644</span><br><span>--- a/res/res_pjsip/pjsip_configuration.c</span><br><span>+++ b/res/res_pjsip/pjsip_configuration.c</span><br><span>@@ -717,6 +717,44 @@</span><br><span> return 0;</span><br><span> }</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+static int stir_shaken_handler(const struct aco_option *opt, struct ast_variable *var, void *obj)</span><br><span style="color: hsl(120, 100%, 40%);">+{</span><br><span style="color: hsl(120, 100%, 40%);">+ struct ast_sip_endpoint *endpoint = obj;</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ if (!strcasecmp("off", var->value)) {</span><br><span style="color: hsl(120, 100%, 40%);">+ endpoint->stir_shaken = AST_SIP_STIR_SHAKEN_OFF;</span><br><span style="color: hsl(120, 100%, 40%);">+ } else if (!strcasecmp("attest", var->value)) {</span><br><span style="color: hsl(120, 100%, 40%);">+ endpoint->stir_shaken = AST_SIP_STIR_SHAKEN_ATTEST;</span><br><span style="color: hsl(120, 100%, 40%);">+ } else if (!strcasecmp("verify", var->value)) {</span><br><span style="color: hsl(120, 100%, 40%);">+ endpoint->stir_shaken = AST_SIP_STIR_SHAKEN_VERIFY;</span><br><span style="color: hsl(120, 100%, 40%);">+ } else if (!strcasecmp("on", var->value)) {</span><br><span style="color: hsl(120, 100%, 40%);">+ endpoint->stir_shaken = AST_SIP_STIR_SHAKEN_ON;</span><br><span style="color: hsl(120, 100%, 40%);">+ } else {</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_log(LOG_WARNING, "'%s' is not a valid value for option "</span><br><span style="color: hsl(120, 100%, 40%);">+ "'stir_shaken' - defaulting to 'off' for endpoint %s\n",</span><br><span style="color: hsl(120, 100%, 40%);">+ var->value, ast_sorcery_object_get_id(endpoint));</span><br><span style="color: hsl(120, 100%, 40%);">+ endpoint->stir_shaken = AST_SIP_STIR_SHAKEN_OFF;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ return 0;</span><br><span style="color: hsl(120, 100%, 40%);">+}</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+static const char *stir_shaken_map[] = {</span><br><span style="color: hsl(120, 100%, 40%);">+ [AST_SIP_STIR_SHAKEN_OFF] "off",</span><br><span style="color: hsl(120, 100%, 40%);">+ [AST_SIP_STIR_SHAKEN_ATTEST] = "attest",</span><br><span style="color: hsl(120, 100%, 40%);">+ [AST_SIP_STIR_SHAKEN_VERIFY] = "verify",</span><br><span style="color: hsl(120, 100%, 40%);">+ [AST_SIP_STIR_SHAKEN_ON] = "on",</span><br><span style="color: hsl(120, 100%, 40%);">+};</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+static int stir_shaken_to_str(const void *obj, const intptr_t *args, char **buf)</span><br><span style="color: hsl(120, 100%, 40%);">+{</span><br><span style="color: hsl(120, 100%, 40%);">+ const struct ast_sip_endpoint *endpoint = obj;</span><br><span style="color: hsl(120, 100%, 40%);">+ if (ARRAY_IN_BOUNDS(endpoint->stir_shaken, stir_shaken_map)) {</span><br><span style="color: hsl(120, 100%, 40%);">+ *buf = ast_strdup(stir_shaken_map[endpoint->stir_shaken]);</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ return 0;</span><br><span style="color: hsl(120, 100%, 40%);">+}</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span> static int group_handler(const struct aco_option *opt,</span><br><span> struct ast_variable *var, void *obj)</span><br><span> {</span><br><span>@@ -2152,7 +2190,7 @@</span><br><span> ast_sorcery_object_field_register_custom(sip_sorcery, "endpoint", "codec_prefs_outgoing_answer",</span><br><span> "prefer: pending, operation: intersect, keep: all",</span><br><span> codec_prefs_handler, outgoing_answer_codec_prefs_to_str, NULL, 0, 0);</span><br><span style="color: hsl(0, 100%, 40%);">- ast_sorcery_object_field_register(sip_sorcery, "endpoint", "stir_shaken", "no", OPT_BOOL_T, 1, FLDSET(struct ast_sip_endpoint, stir_shaken));</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_sorcery_object_field_register_custom(sip_sorcery, "endpoint", "stir_shaken", "off", stir_shaken_handler, stir_shaken_to_str, NULL, 0, 0);</span><br><span> ast_sorcery_object_field_register(sip_sorcery, "endpoint", "allow_unauthenticated_options", "no", OPT_BOOL_T, 1, FLDSET(struct ast_sip_endpoint, allow_unauthenticated_options));</span><br><span> </span><br><span> if (ast_sip_initialize_sorcery_transport()) {</span><br><span>diff --git a/res/res_pjsip_session.c b/res/res_pjsip_session.c</span><br><span>index b1288b5..c72fa74 100644</span><br><span>--- a/res/res_pjsip_session.c</span><br><span>+++ b/res/res_pjsip_session.c</span><br><span>@@ -4051,6 +4051,8 @@</span><br><span> {</span><br><span> RAII_VAR(struct ast_sip_endpoint *, endpoint,</span><br><span> ast_pjsip_rdata_get_endpoint(rdata), ao2_cleanup);</span><br><span style="color: hsl(120, 100%, 40%);">+ static const pj_str_t identity_str = { "Identity", 8 };</span><br><span style="color: hsl(120, 100%, 40%);">+ const pj_str_t use_identity_header_str = { "Use Identity Header", 19 };</span><br><span> pjsip_inv_session *inv_session = NULL;</span><br><span> struct ast_sip_session *session;</span><br><span> struct new_invite invite;</span><br><span>@@ -4060,6 +4062,13 @@</span><br><span> </span><br><span> ast_assert(endpoint != NULL);</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+ if ((endpoint->stir_shaken == AST_SIP_STIR_SHAKEN_VERIFY ||</span><br><span style="color: hsl(120, 100%, 40%);">+ endpoint->stir_shaken == AST_SIP_STIR_SHAKEN_ON) &&</span><br><span style="color: hsl(120, 100%, 40%);">+ !ast_sip_rdata_get_header_value(rdata, identity_str)) {</span><br><span style="color: hsl(120, 100%, 40%);">+ pjsip_endpt_respond_stateless(ast_sip_get_pjsip_endpoint(), rdata, 428, &use_identity_header_str, NULL, NULL);</span><br><span style="color: hsl(120, 100%, 40%);">+ SCOPE_EXIT_RTN("No Identity header when we require one\n");</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span> inv_session = pre_session_setup(rdata, endpoint);</span><br><span> if (!inv_session) {</span><br><span> /* pre_session_setup() returns a response on failure */</span><br><span>diff --git a/res/res_pjsip_stir_shaken.c b/res/res_pjsip_stir_shaken.c</span><br><span>index b2b2084..f1b3962 100644</span><br><span>--- a/res/res_pjsip_stir_shaken.c</span><br><span>+++ b/res/res_pjsip_stir_shaken.c</span><br><span>@@ -32,6 +32,9 @@</span><br><span> </span><br><span> #include "asterisk/res_stir_shaken.h"</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+/*! The Date header will not be valid after this many milliseconds (60 seconds recommended) */</span><br><span style="color: hsl(120, 100%, 40%);">+#define STIR_SHAKEN_DATE_HEADER_TIMEOUT 60000</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span> /*!</span><br><span> * \brief Get the attestation from the payload</span><br><span> *</span><br><span>@@ -109,6 +112,56 @@</span><br><span> return 0;</span><br><span> }</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+static int check_date_header(pjsip_rx_data *rdata)</span><br><span style="color: hsl(120, 100%, 40%);">+{</span><br><span style="color: hsl(120, 100%, 40%);">+ static const pj_str_t date_hdr_str = { "Date", 4 };</span><br><span style="color: hsl(120, 100%, 40%);">+ char *date_hdr_val;</span><br><span style="color: hsl(120, 100%, 40%);">+ struct ast_tm date_hdr_tm;</span><br><span style="color: hsl(120, 100%, 40%);">+ struct timeval date_hdr_timeval;</span><br><span style="color: hsl(120, 100%, 40%);">+ struct timeval current_timeval;</span><br><span style="color: hsl(120, 100%, 40%);">+ char *remainder;</span><br><span style="color: hsl(120, 100%, 40%);">+ char timezone[80];</span><br><span style="color: hsl(120, 100%, 40%);">+ int64_t time_diff;</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ date_hdr_val = ast_sip_rdata_get_header_value(rdata, date_hdr_str);</span><br><span style="color: hsl(120, 100%, 40%);">+ if (ast_strlen_zero(date_hdr_val)) {</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_log(LOG_ERROR, "Failed to get Date header from incoming INVITE for STIR/SHAKEN\n");</span><br><span style="color: hsl(120, 100%, 40%);">+ return -1;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ if (!(remainder = ast_strptime(date_hdr_val, "%a, %d %b %Y %T", &date_hdr_tm))) {</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_log(LOG_ERROR, "Failed to parse Date header\n");</span><br><span style="color: hsl(120, 100%, 40%);">+ return -1;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ sscanf(remainder, "%79s", timezone);</span><br><span style="color: hsl(120, 100%, 40%);">+ date_hdr_timeval = ast_mktime(&date_hdr_tm, S_OR(timezone, NULL));</span><br><span style="color: hsl(120, 100%, 40%);">+ current_timeval = ast_tvnow();</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ time_diff = ast_tvdiff_ms(current_timeval, date_hdr_timeval);</span><br><span style="color: hsl(120, 100%, 40%);">+ if (time_diff < 0) {</span><br><span style="color: hsl(120, 100%, 40%);">+ /* An INVITE from the future! */</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_log(LOG_ERROR, "STIR/SHAKEN Date header has a future date\n");</span><br><span style="color: hsl(120, 100%, 40%);">+ return -1;</span><br><span style="color: hsl(120, 100%, 40%);">+ } else if (time_diff > STIR_SHAKEN_DATE_HEADER_TIMEOUT) {</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_log(LOG_ERROR, "STIR/SHAKEN Date header was outside of the allowable range (60 seconds)\n");</span><br><span style="color: hsl(120, 100%, 40%);">+ return -1;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ return 0;</span><br><span style="color: hsl(120, 100%, 40%);">+}</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+/* Send a response back and end the session */</span><br><span style="color: hsl(120, 100%, 40%);">+static void stir_shaken_inv_end_session(struct ast_sip_session *session, pjsip_rx_data *rdata, int response_code, const pj_str_t response_str)</span><br><span style="color: hsl(120, 100%, 40%);">+{</span><br><span style="color: hsl(120, 100%, 40%);">+ pjsip_tx_data *tdata;</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ if (pjsip_inv_end_session(session->inv_session, response_code, &response_str, &tdata) == PJ_SUCCESS) {</span><br><span style="color: hsl(120, 100%, 40%);">+ pjsip_endpt_send_response2(ast_sip_get_pjsip_endpoint(), rdata, tdata, NULL, NULL);</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_hangup(session->channel);</span><br><span style="color: hsl(120, 100%, 40%);">+}</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span> /*!</span><br><span> * \internal</span><br><span> * \brief Session supplement callback on an incoming INVITE request</span><br><span>@@ -122,6 +175,10 @@</span><br><span> static int stir_shaken_incoming_request(struct ast_sip_session *session, pjsip_rx_data *rdata)</span><br><span> {</span><br><span> static const pj_str_t identity_str = { "Identity", 8 };</span><br><span style="color: hsl(120, 100%, 40%);">+ const pj_str_t bad_identity_info_str = { "Bad Identity Info", 17 };</span><br><span style="color: hsl(120, 100%, 40%);">+ const pj_str_t unsupported_credential_str = { "Unsupported Credential", 22 };</span><br><span style="color: hsl(120, 100%, 40%);">+ const pj_str_t stale_date_str = { "Stale Date", 10 };</span><br><span style="color: hsl(120, 100%, 40%);">+ const pj_str_t use_supported_passport_format_str = { "Use Supported PASSporT Format", 29 };</span><br><span> char *identity_hdr_val;</span><br><span> char *encoded_val;</span><br><span> struct ast_channel *chan = session->channel;</span><br><span>@@ -132,10 +189,21 @@</span><br><span> char *algorithm;</span><br><span> char *public_cert_url;</span><br><span> char *attestation;</span><br><span style="color: hsl(120, 100%, 40%);">+ char *ppt;</span><br><span> int mismatch = 0;</span><br><span> struct ast_stir_shaken_payload *ss_payload;</span><br><span style="color: hsl(120, 100%, 40%);">+ int code;</span><br><span style="color: hsl(120, 100%, 40%);">+ pjsip_tx_data *tdata;</span><br><span style="color: hsl(120, 100%, 40%);">+ RAII_VAR(struct ast_json *, json, NULL, ast_json_unref);</span><br><span style="color: hsl(120, 100%, 40%);">+ RAII_VAR(char *, combined_str, NULL, ast_free);</span><br><span> </span><br><span style="color: hsl(0, 100%, 40%);">- if (!session->endpoint->stir_shaken) {</span><br><span style="color: hsl(120, 100%, 40%);">+ /* Check if this is a reinvite. If it is, we don't need to do anything */</span><br><span style="color: hsl(120, 100%, 40%);">+ if (rdata->msg_info.to->tag.slen) {</span><br><span style="color: hsl(120, 100%, 40%);">+ return 0;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ if (session->endpoint->stir_shaken != AST_SIP_STIR_SHAKEN_VERIFY</span><br><span style="color: hsl(120, 100%, 40%);">+ && session->endpoint->stir_shaken != AST_SIP_STIR_SHAKEN_ON) {</span><br><span> return 0;</span><br><span> }</span><br><span> </span><br><span>@@ -148,48 +216,88 @@</span><br><span> encoded_val = strtok_r(identity_hdr_val, ".", &identity_hdr_val);</span><br><span> header = ast_base64url_decode_string(encoded_val);</span><br><span> if (ast_strlen_zero(header)) {</span><br><span style="color: hsl(0, 100%, 40%);">- ast_stir_shaken_add_verification(chan, caller_id, "", AST_STIR_SHAKEN_VERIFY_SIGNATURE_FAILED);</span><br><span style="color: hsl(0, 100%, 40%);">- return 0;</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_debug(3, "STIR/SHAKEN INVITE for %s is missing header\n",</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_sorcery_object_get_id(session->endpoint));</span><br><span style="color: hsl(120, 100%, 40%);">+ stir_shaken_inv_end_session(session, rdata, STIR_SHAKEN_RESPONSE_CODE_BAD_IDENTITY_INFO, bad_identity_info_str);</span><br><span style="color: hsl(120, 100%, 40%);">+ return 1;</span><br><span> }</span><br><span> </span><br><span> encoded_val = strtok_r(identity_hdr_val, ".", &identity_hdr_val);</span><br><span> payload = ast_base64url_decode_string(encoded_val);</span><br><span> if (ast_strlen_zero(payload)) {</span><br><span style="color: hsl(0, 100%, 40%);">- ast_stir_shaken_add_verification(chan, caller_id, "", AST_STIR_SHAKEN_VERIFY_SIGNATURE_FAILED);</span><br><span style="color: hsl(0, 100%, 40%);">- return 0;</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_debug(3, "STIR/SHAKEN INVITE for %s is missing payload\n",</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_sorcery_object_get_id(session->endpoint));</span><br><span style="color: hsl(120, 100%, 40%);">+ stir_shaken_inv_end_session(session, rdata, STIR_SHAKEN_RESPONSE_CODE_BAD_IDENTITY_INFO, bad_identity_info_str);</span><br><span style="color: hsl(120, 100%, 40%);">+ return 1;</span><br><span> }</span><br><span> </span><br><span> /* It's fine to leave the signature encoded */</span><br><span> signature = strtok_r(identity_hdr_val, ";", &identity_hdr_val);</span><br><span> if (ast_strlen_zero(signature)) {</span><br><span style="color: hsl(0, 100%, 40%);">- ast_stir_shaken_add_verification(chan, caller_id, "", AST_STIR_SHAKEN_VERIFY_SIGNATURE_FAILED);</span><br><span style="color: hsl(0, 100%, 40%);">- return 0;</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_debug(3, "STIR/SHAKEN INVITE for %s is missing signature\n",</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_sorcery_object_get_id(session->endpoint));</span><br><span style="color: hsl(120, 100%, 40%);">+ stir_shaken_inv_end_session(session, rdata, STIR_SHAKEN_RESPONSE_CODE_BAD_IDENTITY_INFO, bad_identity_info_str);</span><br><span style="color: hsl(120, 100%, 40%);">+ return 1;</span><br><span> }</span><br><span> </span><br><span> /* Trim "info=<" to get public cert URL */</span><br><span> strtok_r(identity_hdr_val, "<", &identity_hdr_val);</span><br><span> public_cert_url = strtok_r(identity_hdr_val, ">", &identity_hdr_val);</span><br><span style="color: hsl(0, 100%, 40%);">- if (ast_strlen_zero(public_cert_url)) {</span><br><span style="color: hsl(0, 100%, 40%);">- ast_stir_shaken_add_verification(chan, caller_id, "", AST_STIR_SHAKEN_VERIFY_SIGNATURE_FAILED);</span><br><span style="color: hsl(0, 100%, 40%);">- return 0;</span><br><span style="color: hsl(0, 100%, 40%);">- }</span><br><span> </span><br><span> /* Make sure the public URL is actually a URL */</span><br><span style="color: hsl(0, 100%, 40%);">- if (!ast_begins_with(public_cert_url, "http")) {</span><br><span style="color: hsl(0, 100%, 40%);">- ast_stir_shaken_add_verification(chan, caller_id, "", AST_STIR_SHAKEN_VERIFY_SIGNATURE_FAILED);</span><br><span style="color: hsl(0, 100%, 40%);">- return 0;</span><br><span style="color: hsl(120, 100%, 40%);">+ if (ast_strlen_zero(public_cert_url) || !ast_begins_with(public_cert_url, "http")) {</span><br><span style="color: hsl(120, 100%, 40%);">+ /* RFC8224 states that if we can't acquire the credentials needed</span><br><span style="color: hsl(120, 100%, 40%);">+ * by the verification service, we should send a 436 */</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_debug(3, "STIR/SHAKEN INVITE for %s did not have valid URL (%s)\n",</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_sorcery_object_get_id(session->endpoint), public_cert_url);</span><br><span style="color: hsl(120, 100%, 40%);">+ stir_shaken_inv_end_session(session, rdata, STIR_SHAKEN_RESPONSE_CODE_BAD_IDENTITY_INFO, bad_identity_info_str);</span><br><span style="color: hsl(120, 100%, 40%);">+ return 1;</span><br><span> }</span><br><span> </span><br><span> algorithm = strtok_r(identity_hdr_val, ";", &identity_hdr_val);</span><br><span> if (ast_strlen_zero(algorithm)) {</span><br><span style="color: hsl(0, 100%, 40%);">- ast_stir_shaken_add_verification(chan, caller_id, "", AST_STIR_SHAKEN_VERIFY_SIGNATURE_FAILED);</span><br><span style="color: hsl(0, 100%, 40%);">- return 0;</span><br><span style="color: hsl(120, 100%, 40%);">+ /* RFC8224 states that if the algorithm is not specified, use ES256 */</span><br><span style="color: hsl(120, 100%, 40%);">+ algorithm = STIR_SHAKEN_ENCRYPTION_ALGORITHM;</span><br><span style="color: hsl(120, 100%, 40%);">+ } else {</span><br><span style="color: hsl(120, 100%, 40%);">+ strtok_r(algorithm, "=", &algorithm);</span><br><span style="color: hsl(120, 100%, 40%);">+ if (strcmp(algorithm, STIR_SHAKEN_ENCRYPTION_ALGORITHM)) {</span><br><span style="color: hsl(120, 100%, 40%);">+ /* RFC8224 states that if we don't support the algorithm, send a 437 */</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_debug(3, "STIR/SHAKEN INVITE for %s uses an unsupported algorithm (%s)\n",</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_sorcery_object_get_id(session->endpoint), algorithm);</span><br><span style="color: hsl(120, 100%, 40%);">+ stir_shaken_inv_end_session(session, rdata, STIR_SHAKEN_RESPONSE_CODE_UNSUPPORTED_CREDENTIAL, unsupported_credential_str);</span><br><span style="color: hsl(120, 100%, 40%);">+ return 1;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ /* The only thing left should be ppt=shaken (which could have more values later),</span><br><span style="color: hsl(120, 100%, 40%);">+ * unless using the compact PASSport form */</span><br><span style="color: hsl(120, 100%, 40%);">+ strtok_r(identity_hdr_val, "=", &identity_hdr_val);</span><br><span style="color: hsl(120, 100%, 40%);">+ ppt = ast_strip(identity_hdr_val);</span><br><span style="color: hsl(120, 100%, 40%);">+ if (!ast_strlen_zero(ppt) && strcmp(ppt, STIR_SHAKEN_PPT)) {</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_log(LOG_ERROR, "STIR/SHAKEN INVITE for %s has unsupported ppt (%s)\n",</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_sorcery_object_get_id(session->endpoint), ppt);</span><br><span style="color: hsl(120, 100%, 40%);">+ stir_shaken_inv_end_session(session, rdata, STIR_SHAKEN_RESPONSE_CODE_USE_SUPPORTED_PASSPORT_FORMAT, use_supported_passport_format_str);</span><br><span style="color: hsl(120, 100%, 40%);">+ return 1;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ if (check_date_header(rdata)) {</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_debug(3, "STIR/SHAKEN INVITE for %s has old Date header\n",</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_sorcery_object_get_id(session->endpoint));</span><br><span style="color: hsl(120, 100%, 40%);">+ stir_shaken_inv_end_session(session, rdata, STIR_SHAKEN_RESPONSE_CODE_STALE_DATE, stale_date_str);</span><br><span style="color: hsl(120, 100%, 40%);">+ return 1;</span><br><span> }</span><br><span> </span><br><span> attestation = get_attestation_from_payload(payload);</span><br><span> </span><br><span style="color: hsl(0, 100%, 40%);">- ss_payload = ast_stir_shaken_verify(header, payload, signature, algorithm, public_cert_url);</span><br><span style="color: hsl(0, 100%, 40%);">- if (!ss_payload) {</span><br><span style="color: hsl(120, 100%, 40%);">+ code = ast_stir_shaken_verify(header, payload, signature, algorithm, public_cert_url, &ss_payload);</span><br><span style="color: hsl(120, 100%, 40%);">+ if (code != 0) {</span><br><span style="color: hsl(120, 100%, 40%);">+ if (code > 0) {</span><br><span style="color: hsl(120, 100%, 40%);">+ /* RFC8224 states that if we can't get the credentials we need, send a 437 */</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_debug(3, "STIR/SHAKEN INVITE for %s failed during verification process\n",</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_sorcery_object_get_id(session->endpoint));</span><br><span style="color: hsl(120, 100%, 40%);">+ stir_shaken_inv_end_session(session, rdata, STIR_SHAKEN_RESPONSE_CODE_UNSUPPORTED_CREDENTIAL, unsupported_credential_str);</span><br><span style="color: hsl(120, 100%, 40%);">+ return 1;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span> ast_stir_shaken_add_verification(chan, caller_id, attestation, AST_STIR_SHAKEN_VERIFY_SIGNATURE_FAILED);</span><br><span> return 0;</span><br><span> }</span><br><span>@@ -333,7 +441,8 @@</span><br><span> </span><br><span> static void stir_shaken_outgoing_request(struct ast_sip_session *session, pjsip_tx_data *tdata)</span><br><span> {</span><br><span style="color: hsl(0, 100%, 40%);">- if (!session->endpoint->stir_shaken) {</span><br><span style="color: hsl(120, 100%, 40%);">+ if (session->endpoint->stir_shaken != AST_SIP_STIR_SHAKEN_ATTEST</span><br><span style="color: hsl(120, 100%, 40%);">+ && session->endpoint->stir_shaken != AST_SIP_STIR_SHAKEN_ON) {</span><br><span> return;</span><br><span> }</span><br><span> </span><br><span>diff --git a/res/res_stir_shaken.c b/res/res_stir_shaken.c</span><br><span>index 1d8c785..053b61c 100644</span><br><span>--- a/res/res_stir_shaken.c</span><br><span>+++ b/res/res_stir_shaken.c</span><br><span>@@ -617,8 +617,8 @@</span><br><span> return filename;</span><br><span> }</span><br><span> </span><br><span style="color: hsl(0, 100%, 40%);">-struct ast_stir_shaken_payload *ast_stir_shaken_verify(const char *header, const char *payload, const char *signature,</span><br><span style="color: hsl(0, 100%, 40%);">- const char *algorithm, const char *public_cert_url)</span><br><span style="color: hsl(120, 100%, 40%);">+int ast_stir_shaken_verify(const char *header, const char *payload, const char *signature, const char *algorithm,</span><br><span style="color: hsl(120, 100%, 40%);">+ const char *public_cert_url, struct ast_stir_shaken_payload **ss_payload)</span><br><span> {</span><br><span> struct ast_stir_shaken_payload *ret_payload;</span><br><span> EVP_PKEY *public_key;</span><br><span>@@ -630,27 +630,27 @@</span><br><span> </span><br><span> if (ast_strlen_zero(header)) {</span><br><span> ast_log(LOG_ERROR, "'header' is required for STIR/SHAKEN verification\n");</span><br><span style="color: hsl(0, 100%, 40%);">- return NULL;</span><br><span style="color: hsl(120, 100%, 40%);">+ return -1;</span><br><span> }</span><br><span> </span><br><span> if (ast_strlen_zero(payload)) {</span><br><span> ast_log(LOG_ERROR, "'payload' is required for STIR/SHAKEN verification\n");</span><br><span style="color: hsl(0, 100%, 40%);">- return NULL;</span><br><span style="color: hsl(120, 100%, 40%);">+ return -1;</span><br><span> }</span><br><span> </span><br><span> if (ast_strlen_zero(signature)) {</span><br><span> ast_log(LOG_ERROR, "'signature' is required for STIR/SHAKEN verification\n");</span><br><span style="color: hsl(0, 100%, 40%);">- return NULL;</span><br><span style="color: hsl(120, 100%, 40%);">+ return -1;</span><br><span> }</span><br><span> </span><br><span> if (ast_strlen_zero(algorithm)) {</span><br><span> ast_log(LOG_ERROR, "'algorithm' is required for STIR/SHAKEN verification\n");</span><br><span style="color: hsl(0, 100%, 40%);">- return NULL;</span><br><span style="color: hsl(120, 100%, 40%);">+ return -1;</span><br><span> }</span><br><span> </span><br><span> if (ast_strlen_zero(public_cert_url)) {</span><br><span> ast_log(LOG_ERROR, "'public_cert_url' is required for STIR/SHAKEN verification\n");</span><br><span style="color: hsl(0, 100%, 40%);">- return NULL;</span><br><span style="color: hsl(120, 100%, 40%);">+ return -1;</span><br><span> }</span><br><span> </span><br><span> /* Check to see if we have already downloaded this public cert. The reason we</span><br><span>@@ -665,7 +665,7 @@</span><br><span> */</span><br><span> file_path = get_path_to_public_key(public_cert_url);</span><br><span> if (ast_asprintf(&dir_path, "%s/keys/%s", ast_config_AST_DATA_DIR, STIR_SHAKEN_DIR_NAME) < 0) {</span><br><span style="color: hsl(0, 100%, 40%);">- return NULL;</span><br><span style="color: hsl(120, 100%, 40%);">+ return -1;</span><br><span> }</span><br><span> </span><br><span> /* If we don't have an entry in AstDB, CURL from the provided URL */</span><br><span>@@ -681,7 +681,7 @@</span><br><span> /* Download to the default path */</span><br><span> file_path = run_curl(public_cert_url, dir_path);</span><br><span> if (!file_path) {</span><br><span style="color: hsl(0, 100%, 40%);">- return NULL;</span><br><span style="color: hsl(120, 100%, 40%);">+ return -1;</span><br><span> }</span><br><span> </span><br><span> /* Signal that we have already downloaded a new file, no reason to do it again */</span><br><span>@@ -704,7 +704,7 @@</span><br><span> ast_free(file_path);</span><br><span> file_path = curl_and_check_expiration(public_cert_url, dir_path, &curl);</span><br><span> if (!file_path) {</span><br><span style="color: hsl(0, 100%, 40%);">- return NULL;</span><br><span style="color: hsl(120, 100%, 40%);">+ return STIR_SHAKEN_RESPONSE_CODE_UNSUPPORTED_CREDENTIAL;</span><br><span> }</span><br><span> }</span><br><span> </span><br><span>@@ -720,14 +720,14 @@</span><br><span> ast_free(file_path);</span><br><span> file_path = curl_and_check_expiration(public_cert_url, dir_path, &curl);</span><br><span> if (!file_path) {</span><br><span style="color: hsl(0, 100%, 40%);">- return NULL;</span><br><span style="color: hsl(120, 100%, 40%);">+ return STIR_SHAKEN_RESPONSE_CODE_UNSUPPORTED_CREDENTIAL;</span><br><span> }</span><br><span> </span><br><span> public_key = stir_shaken_read_key(file_path, 0);</span><br><span> if (!public_key) {</span><br><span> ast_log(LOG_ERROR, "Failed to read public key from '%s'\n", file_path);</span><br><span> remove_public_key_from_astdb(public_cert_url);</span><br><span style="color: hsl(0, 100%, 40%);">- return NULL;</span><br><span style="color: hsl(120, 100%, 40%);">+ return STIR_SHAKEN_RESPONSE_CODE_UNSUPPORTED_CREDENTIAL;</span><br><span> }</span><br><span> }</span><br><span> </span><br><span>@@ -737,13 +737,13 @@</span><br><span> if (!combined_str) {</span><br><span> ast_log(LOG_ERROR, "Failed to allocate space for message to verify\n");</span><br><span> EVP_PKEY_free(public_key);</span><br><span style="color: hsl(0, 100%, 40%);">- return NULL;</span><br><span style="color: hsl(120, 100%, 40%);">+ return -1;</span><br><span> }</span><br><span> snprintf(combined_str, combined_size, "%s.%s", header, payload);</span><br><span> if (stir_shaken_verify_signature(combined_str, signature, public_key)) {</span><br><span> ast_log(LOG_ERROR, "Failed to verify signature\n");</span><br><span> EVP_PKEY_free(public_key);</span><br><span style="color: hsl(0, 100%, 40%);">- return NULL;</span><br><span style="color: hsl(120, 100%, 40%);">+ return STIR_SHAKEN_RESPONSE_CODE_UNSUPPORTED_CREDENTIAL;</span><br><span> }</span><br><span> </span><br><span> /* We don't need the public key anymore */</span><br><span>@@ -752,28 +752,30 @@</span><br><span> ret_payload = ast_calloc(1, sizeof(*ret_payload));</span><br><span> if (!ret_payload) {</span><br><span> ast_log(LOG_ERROR, "Failed to allocate STIR/SHAKEN payload\n");</span><br><span style="color: hsl(0, 100%, 40%);">- return NULL;</span><br><span style="color: hsl(120, 100%, 40%);">+ return -1;</span><br><span> }</span><br><span> </span><br><span> ret_payload->header = ast_json_load_string(header, NULL);</span><br><span> if (!ret_payload->header) {</span><br><span> ast_log(LOG_ERROR, "Failed to create JSON from header\n");</span><br><span> ast_stir_shaken_payload_free(ret_payload);</span><br><span style="color: hsl(0, 100%, 40%);">- return NULL;</span><br><span style="color: hsl(120, 100%, 40%);">+ return -1;</span><br><span> }</span><br><span> </span><br><span> ret_payload->payload = ast_json_load_string(payload, NULL);</span><br><span> if (!ret_payload->payload) {</span><br><span> ast_log(LOG_ERROR, "Failed to create JSON from payload\n");</span><br><span> ast_stir_shaken_payload_free(ret_payload);</span><br><span style="color: hsl(0, 100%, 40%);">- return NULL;</span><br><span style="color: hsl(120, 100%, 40%);">+ return -1;</span><br><span> }</span><br><span> </span><br><span> ret_payload->signature = (unsigned char *)ast_strdup(signature);</span><br><span> ret_payload->algorithm = ast_strdup(algorithm);</span><br><span> ret_payload->public_cert_url = ast_strdup(public_cert_url);</span><br><span> </span><br><span style="color: hsl(0, 100%, 40%);">- return ret_payload;</span><br><span style="color: hsl(120, 100%, 40%);">+ *ss_payload = ret_payload;</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ return 0;</span><br><span> }</span><br><span> </span><br><span> /*!</span><br><span>@@ -834,15 +836,11 @@</span><br><span> goto cleanup;</span><br><span> }</span><br><span> </span><br><span style="color: hsl(0, 100%, 40%);">- /* Check the alg value for "ES256" */</span><br><span style="color: hsl(120, 100%, 40%);">+ /* Check to see if there is a value for alg */</span><br><span> val = ast_json_string_get(ast_json_object_get(obj, "alg"));</span><br><span style="color: hsl(0, 100%, 40%);">- if (ast_strlen_zero(val)) {</span><br><span style="color: hsl(0, 100%, 40%);">- ast_log(LOG_ERROR, "STIR/SHAKEN JWT did not have required field 'alg'\n");</span><br><span style="color: hsl(0, 100%, 40%);">- goto cleanup;</span><br><span style="color: hsl(0, 100%, 40%);">- }</span><br><span style="color: hsl(0, 100%, 40%);">- if (strcmp(val, STIR_SHAKEN_ENCRYPTION_ALGORITHM)) {</span><br><span style="color: hsl(0, 100%, 40%);">- ast_log(LOG_ERROR, "STIR/SHAKEN JWT field 'alg' did not have "</span><br><span style="color: hsl(0, 100%, 40%);">- "required value '%s' (was '%s')\n", STIR_SHAKEN_ENCRYPTION_ALGORITHM, val);</span><br><span style="color: hsl(120, 100%, 40%);">+ if (!ast_strlen_zero(val) && !strcmp(val, STIR_SHAKEN_ENCRYPTION_ALGORITHM)) {</span><br><span style="color: hsl(120, 100%, 40%);">+ /* If alg is not present that's fine; if it is and is not ES256, cleanup */</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_log(LOG_ERROR, "STIR/SHAKEN JWT did not have supported type for field 'alg' (was %s)\n", val);</span><br><span> goto cleanup;</span><br><span> }</span><br><span> </span><br><span>@@ -1494,6 +1492,7 @@</span><br><span> char *public_cert_url = "http://testing123";</span><br><span> char *header;</span><br><span> char *payload;</span><br><span style="color: hsl(120, 100%, 40%);">+ int ret;</span><br><span> struct ast_json *tmp_json;</span><br><span> char public_path[] = "/tmp/stir_shaken_public.XXXXXX";</span><br><span> char private_path[] = "/tmp/stir_shaken_public.XXXXXX";</span><br><span>@@ -1539,45 +1538,45 @@</span><br><span> payload = ast_json_dump_string(tmp_json);</span><br><span> </span><br><span> /* Test empty header parameter */</span><br><span style="color: hsl(0, 100%, 40%);">- returned_payload = ast_stir_shaken_verify("", payload, (const char *)signed_payload->signature,</span><br><span style="color: hsl(0, 100%, 40%);">- STIR_SHAKEN_ENCRYPTION_ALGORITHM, public_cert_url);</span><br><span style="color: hsl(0, 100%, 40%);">- if (returned_payload) {</span><br><span style="color: hsl(120, 100%, 40%);">+ ret = ast_stir_shaken_verify("", payload, (const char *)signed_payload->signature,</span><br><span style="color: hsl(120, 100%, 40%);">+ STIR_SHAKEN_ENCRYPTION_ALGORITHM, public_cert_url, &returned_payload);</span><br><span style="color: hsl(120, 100%, 40%);">+ if (ret == 0) {</span><br><span> ast_test_status_update(test, "Verified a signature with missing 'header'\n");</span><br><span> test_stir_shaken_cleanup_cert(caller_id_number);</span><br><span> return AST_TEST_FAIL;</span><br><span> }</span><br><span> </span><br><span> /* Test empty payload parameter */</span><br><span style="color: hsl(0, 100%, 40%);">- returned_payload = ast_stir_shaken_verify(header, "", (const char *)signed_payload->signature,</span><br><span style="color: hsl(0, 100%, 40%);">- STIR_SHAKEN_ENCRYPTION_ALGORITHM, public_cert_url);</span><br><span style="color: hsl(0, 100%, 40%);">- if (returned_payload) {</span><br><span style="color: hsl(120, 100%, 40%);">+ ret = ast_stir_shaken_verify(header, "", (const char *)signed_payload->signature,</span><br><span style="color: hsl(120, 100%, 40%);">+ STIR_SHAKEN_ENCRYPTION_ALGORITHM, public_cert_url, &returned_payload);</span><br><span style="color: hsl(120, 100%, 40%);">+ if (ret == 0) {</span><br><span> ast_test_status_update(test, "Verified a signature with missing 'payload'\n");</span><br><span> test_stir_shaken_cleanup_cert(caller_id_number);</span><br><span> return AST_TEST_FAIL;</span><br><span> }</span><br><span> </span><br><span> /* Test empty signature parameter */</span><br><span style="color: hsl(0, 100%, 40%);">- returned_payload = ast_stir_shaken_verify(header, payload, "",</span><br><span style="color: hsl(0, 100%, 40%);">- STIR_SHAKEN_ENCRYPTION_ALGORITHM, public_cert_url);</span><br><span style="color: hsl(0, 100%, 40%);">- if (returned_payload) {</span><br><span style="color: hsl(120, 100%, 40%);">+ ret = ast_stir_shaken_verify(header, payload, "",</span><br><span style="color: hsl(120, 100%, 40%);">+ STIR_SHAKEN_ENCRYPTION_ALGORITHM, public_cert_url, &returned_payload);</span><br><span style="color: hsl(120, 100%, 40%);">+ if (ret == 0) {</span><br><span> ast_test_status_update(test, "Verified a signature with missing 'signature'\n");</span><br><span> test_stir_shaken_cleanup_cert(caller_id_number);</span><br><span> return AST_TEST_FAIL;</span><br><span> }</span><br><span> </span><br><span> /* Test empty algorithm parameter */</span><br><span style="color: hsl(0, 100%, 40%);">- returned_payload = ast_stir_shaken_verify(header, payload, (const char *)signed_payload->signature,</span><br><span style="color: hsl(0, 100%, 40%);">- "", public_cert_url);</span><br><span style="color: hsl(0, 100%, 40%);">- if (returned_payload) {</span><br><span style="color: hsl(120, 100%, 40%);">+ ret = ast_stir_shaken_verify(header, payload, (const char *)signed_payload->signature,</span><br><span style="color: hsl(120, 100%, 40%);">+ "", public_cert_url, &returned_payload);</span><br><span style="color: hsl(120, 100%, 40%);">+ if (ret == 0) {</span><br><span> ast_test_status_update(test, "Verified a signature with missing 'algorithm'\n");</span><br><span> test_stir_shaken_cleanup_cert(caller_id_number);</span><br><span> return AST_TEST_FAIL;</span><br><span> }</span><br><span> </span><br><span> /* Test empty public key URL */</span><br><span style="color: hsl(0, 100%, 40%);">- returned_payload = ast_stir_shaken_verify(header, payload, (const char *)signed_payload->signature,</span><br><span style="color: hsl(0, 100%, 40%);">- STIR_SHAKEN_ENCRYPTION_ALGORITHM, "");</span><br><span style="color: hsl(0, 100%, 40%);">- if (returned_payload) {</span><br><span style="color: hsl(120, 100%, 40%);">+ ret = ast_stir_shaken_verify(header, payload, (const char *)signed_payload->signature,</span><br><span style="color: hsl(120, 100%, 40%);">+ STIR_SHAKEN_ENCRYPTION_ALGORITHM, "", &returned_payload);</span><br><span style="color: hsl(120, 100%, 40%);">+ if (ret == 0) {</span><br><span> ast_test_status_update(test, "Verified a signature with missing 'public key URL'\n");</span><br><span> test_stir_shaken_cleanup_cert(caller_id_number);</span><br><span> return AST_TEST_FAIL;</span><br><span>@@ -1587,9 +1586,9 @@</span><br><span> test_stir_shaken_add_fake_astdb_entry(public_cert_url, public_path);</span><br><span> </span><br><span> /* Verify a valid signature */</span><br><span style="color: hsl(0, 100%, 40%);">- returned_payload = ast_stir_shaken_verify(header, payload, (const char *)signed_payload->signature,</span><br><span style="color: hsl(0, 100%, 40%);">- STIR_SHAKEN_ENCRYPTION_ALGORITHM, public_cert_url);</span><br><span style="color: hsl(0, 100%, 40%);">- if (!returned_payload) {</span><br><span style="color: hsl(120, 100%, 40%);">+ ret = ast_stir_shaken_verify(header, payload, (const char *)signed_payload->signature,</span><br><span style="color: hsl(120, 100%, 40%);">+ STIR_SHAKEN_ENCRYPTION_ALGORITHM, public_cert_url, &returned_payload);</span><br><span style="color: hsl(120, 100%, 40%);">+ if (ret != 0) {</span><br><span> ast_test_status_update(test, "Failed to verify a valid signature\n");</span><br><span> remove_public_key_from_astdb(public_cert_url);</span><br><span> test_stir_shaken_cleanup_cert(caller_id_number);</span><br><span></span><br></pre><p>To view, visit <a href="https://gerrit.asterisk.org/c/asterisk/+/16526">change 16526</a>. To unsubscribe, or for help writing mail filters, visit <a href="https://gerrit.asterisk.org/settings">settings</a>.</p><div itemscope itemtype="http://schema.org/EmailMessage"><div itemscope itemprop="action" itemtype="http://schema.org/ViewAction"><link itemprop="url" href="https://gerrit.asterisk.org/c/asterisk/+/16526"/><meta itemprop="name" content="View Change"/></div></div>
<div style="display:none"> Gerrit-Project: asterisk </div>
<div style="display:none"> Gerrit-Branch: 18 </div>
<div style="display:none"> Gerrit-Change-Id: I4ac1ecf652cd0e336006b0ca638dc826b5b1ebf7 </div>
<div style="display:none"> Gerrit-Change-Number: 16526 </div>
<div style="display:none"> Gerrit-PatchSet: 1 </div>
<div style="display:none"> Gerrit-Owner: Benjamin Keith Ford <bford@digium.com> </div>
<div style="display:none"> Gerrit-MessageType: newchange </div>