[asterisk-dev] pjsip asterisk 13.24: sips / srtp and Deutsche Telekom doesn't work because of missing mediasec parameters

Michael Maier m1278468 at mailbox.org
Thu May 30 03:24:53 CDT 2019


Hello!

I wrote some code which adds basic media encryption support to be used with Deutsche Telekom. The attached patch is based on Asterisk 16.3
and works for me :-) - not fully tested yet. If you want to use it, you have to enable media_encryption=sdes for the extension (and
transport tls and tls1.2). Use at your own risk!


The current patch lacks a basic mediasec option, which prevents adding the mediasec headers to each *initial* REGISTER or to each INVITE (if
sdes is activated). As of today, I don't know how to solve this problem without too many changes.
Anyway: it looks like the additional headers do not disrupt other ISPs (tested with one other ISP). This option should be accessible in the
rtp, session and register environment. Maybe there is a possibility to exchange data between the register, session and rtp environment. This way, it
would be possible to dynamically set mediasec in session and rtp based on the result of the initial register. It would be necessary at the
same time to dynamically disable sdes encryption if activation of mediasec didn't succeed.

One more open point is the check for the 3 headers using the same name (Security-Server and Security-Verify). How can they be checked
regarding order? Is there a function to get each value of the same header? Maybe based on an array index? This way it would be possible to
create the Security-Verify headers dynamically based on the 494 or 401 response.


Another still missing point is the qualify OPTIONS package. I'm not sure where exactly to add the mediasec headers (which function?). At the
moment, the response after an OPTIONS request is (if already registered):

SIP/2.0 494 Security Agreement Required
CSeq: 21671 OPTIONS
Security-Server: msrp-tls;mediasec
Security-Server: sdes-srtp;mediasec
Security-Server: dtls-srtp;mediasec

If you are not already registered, you get a 403 Forbidden.


The UPDATE package (used as a watchdog circuit during a call every 15 minutes) seems not to be affected - I couldn't find any problem at this
point.
ReINVITEs seem to work fine, too.



What exactly does this patch do? Below are the enhancements compared to a "normal" REGISTER or INVITE and the involved functions in Asterisk.

------------------------------------------
*Initial* REGISTER
==================

Request
REGISTER
Security-Client: sdes-srtp;mediasec
Proxy-Require: mediasec
Require: mediasec
asterisk: handle_client_registration()

Response
401 Unauthorized
Security-Server: msrp-tls;mediasec
Security-Server: sdes-srtp;mediasec
Security-Server: dtls-srtp;mediasec
WWW-Authenticate: ...

Request
REGISTER
Security-Client: sdes-srtp;mediasec
Proxy-Require: mediasec
Require: mediasec
Authorization: ...
Security-Verify: msrp-tls;mediasec
Security-Verify: sdes-srtp;mediasec
Security-Verify: dtls-srtp;mediasec
(the last 3 headers must have this order)
asterisk: handle_registration_response() -> handle_client_registration()


Response
200 OK
------------------------------------------

------------------------------------------
ReREGISTER (variant 1)
======================

Request
REGISTER
(no additions)
asterisk: handle_client_registration()

Response
200 OK
------------------------------------------

------------------------------------------
ReREGISTER (variant 2)
======================

Request
REGISTER
(no additions)
asterisk: handle_registration_response()

Response
494 Security Agreement Required
Security-Server: msrp-tls;mediasec
Security-Server: sdes-srtp;mediasec
Security-Server: dtls-srtp;mediasec

Request
REGISTER
Security-Verify: msrp-tls;mediasec
Security-Verify: sdes-srtp;mediasec
Security-Verify: dtls-srtp;mediasec
(the 3 headers must have this order)
asterisk: handle_registration_response() -> handle_client_registration()

Response
401 Unauthorized
Security-Server: msrp-tls;mediasec
Security-Server: sdes-srtp;mediasec
Security-Server: dtls-srtp;mediasec
WWW-Authenticate: ...

Request
REGISTER
Security-Verify: msrp-tls;mediasec
Security-Verify: sdes-srtp;mediasec
Security-Verify: dtls-srtp;mediasec
(the 3 headers must have this order)
Authorization: ...
asterisk: handle_registration_response()

Response
200 OK
-------------------------------------------



An outbound call (INVITE) is done like this:

-------------------------------------------
INVITE
Security-Verify: msrp-tls;mediasec
Security-Verify: sdes-srtp;mediasec
Security-Verify: dtls-srtp;mediasec
(the 3 headers must have this order)
asterisk: ast_sip_session_create_invite()

SDP
a=3ge2ae:requested
asterisk: add_crypto_to_stream()
-------------------------------------------


Thanks
Michael
-------------- next part --------------
A non-text attachment was scrubbed...
Name: mediasec18.patch
Type: text/x-patch
Size: 6903 bytes
Desc: not available
URL: <http://lists.digium.com/pipermail/asterisk-dev/attachments/20190530/cf74c073/attachment.bin>
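Added example (not part of the attached patch or of Asterisk): a small parser that keeps the repeated Security-Server headers of a 401/494 response in wire order, derives the Security-Verify headers for the follow-up request in that same order, and checks whether the mechanism Asterisk intends to use (sdes-srtp) was actually offered. The 494 response is constructed after the one quoted in the post.

```python
# Added example, not from the patch: handle the 401/494 response described
# in the post and build the mediasec headers for the next REGISTER/INVITE.

# Constructed 494 response, modelled on the one quoted in the post.
RESPONSE_494 = (
    "SIP/2.0 494 Security Agreement Required\r\n"
    "CSeq: 21671 OPTIONS\r\n"
    "Security-Server: msrp-tls;mediasec\r\n"
    "Security-Server: sdes-srtp;mediasec\r\n"
    "Security-Server: dtls-srtp;mediasec\r\n"
    "Content-Length: 0\r\n\r\n"
)


def parse_response(raw):
    """Return (status_code, headers); headers is a list of (name, value)
    pairs in wire order, so each repeated header is kept as its own entry."""
    head = raw.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def header_values(headers, name):
    """All values of one header name, in the order the server sent them
    (the indexed access to repeated headers the post asks about)."""
    return [v for n, v in headers if n == name.lower()]


def security_verify_headers(raw):
    """Security-Verify headers for the follow-up request: one per
    Security-Server value, in the same order. Empty unless the server
    answered 401 or 494."""
    status, headers = parse_response(raw)
    if status not in (401, 494):
        return []
    return [("Security-Verify", v) for v in header_values(headers, "Security-Server")]


def mediasec_agreed(raw, mechanism="sdes-srtp"):
    """True if the server offered the mechanism we intend to use; when
    False the caller should leave SDES media encryption disabled."""
    _, headers = parse_response(raw)
    offered = [v.split(";")[0] for v in header_values(headers, "Security-Server")]
    return mechanism in offered
```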
