[Asterisk-code-review] res_pjsip: Add tests for security agreements (testsuite[master])
Maximilian Fridrich
asteriskteam at digium.com
Thu Sep 29 04:16:11 CDT 2022
Maximilian Fridrich has uploaded this change for review. ( https://gerrit.asterisk.org/c/testsuite/+/19393 )
Change subject: res_pjsip: Add tests for security agreements
......................................................................
res_pjsip: Add tests for security agreements
Adds tests that check the basic functionality of security agreement
mechanisms of outbound registrations. Passes if registrations succeed
after initial temporary rejection.
ASTERISK-30032
Change-Id: Iad40d0f1987d1de19b1fe1c5c53394853179ce61
---
A tests/channels/pjsip/registration/outbound/sec_agreement_required/configs/ast1/pjsip.conf
A tests/channels/pjsip/registration/outbound/sec_agreement_required/sipp/uas-reg-401-scenario.xml
A tests/channels/pjsip/registration/outbound/sec_agreement_required/sipp/uas-reg-494-scenario.xml
A tests/channels/pjsip/registration/outbound/sec_agreement_required/test-config.yaml
M tests/channels/pjsip/registration/outbound/tests.yaml
5 files changed, 328 insertions(+), 0 deletions(-)
git pull ssh://gerrit.asterisk.org:29418/testsuite refs/changes/93/19393/1
diff --git a/tests/channels/pjsip/registration/outbound/sec_agreement_required/configs/ast1/pjsip.conf b/tests/channels/pjsip/registration/outbound/sec_agreement_required/configs/ast1/pjsip.conf
new file mode 100644
index 0000000..131baf8
--- /dev/null
+++ b/tests/channels/pjsip/registration/outbound/sec_agreement_required/configs/ast1/pjsip.conf
@@ -0,0 +1,32 @@
+[global]
+type = global
+debug = yes
+
+[trans]
+type = transport
+protocol = udp
+bind = 127.0.0.1:5060
+
+[outreg-1]
+type = registration
+security_negotiation = mediasec
+security_mechanisms = sdes-srtp\;mediasec
+server_uri = sip:them at 127.0.0.1:5061
+client_uri = sip:us at 127.0.0.1
+outbound_auth = regauth
+expiration=12
+
+[outreg-2]
+type = registration
+security_negotiation = mediasec
+security_mechanisms = sdes-srtp\;mediasec
+server_uri = sip:them at 127.0.0.1:5062
+client_uri = sip:us at 127.0.0.1
+outbound_auth = regauth
+expiration=12
+
+[regauth]
+type = auth
+auth_type = userpass
+username = myself
+password = me-me
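Review bot: The `\;` in `security_mechanisms = sdes-srtp\;mediasec` is not explained, and nothing in the file says which registration pairs with which SIPp scenario. An unescaped `;` begins a comment in Asterisk configuration files, so an edit that drops the backslash would quietly shorten the offered mechanism to `sdes-srtp` and the failure would only surface in the SIPp header check. I would add `; "\;" escapes the semicolon, which otherwise starts a comment` above the first `security_mechanisms` line and `; port 5061 = 494 scenario, port 5062 = 401 scenario` above `[outreg-1]`.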
diff --git a/tests/channels/pjsip/registration/outbound/sec_agreement_required/sipp/uas-reg-401-scenario.xml b/tests/channels/pjsip/registration/outbound/sec_agreement_required/sipp/uas-reg-401-scenario.xml
new file mode 100644
index 0000000..96b0295
--- /dev/null
+++ b/tests/channels/pjsip/registration/outbound/sec_agreement_required/sipp/uas-reg-401-scenario.xml
@@ -0,0 +1,109 @@
+<?xml version="1.0" encoding="ISO-8859-1" ?>
+<!DOCTYPE scenario SYSTEM "sipp.dtd">
+
+<scenario name="Security agreement scenario 2: 401 response received">
+ <recv request="REGISTER" crlf="true">
+ <action>
+ <ereg regexp="sdes-srtp;mediasec"
+ search_in="hdr"
+ check_it="true"
+ header="Security-Client: "
+ assign_to="1" />
+ <ereg regexp="mediasec"
+ search_in="hdr"
+ check_it="true"
+ header="Require: "
+ assign_to="4" />
+ <ereg regexp="mediasec"
+ search_in="hdr"
+ check_it="true"
+ header="Proxy-Require: "
+ assign_to="4" />
+ </action>
+ </recv>
+
+ <send>
+ <![CDATA[
+ SIP/2.0 401 Unauthorized
+ [last_Via:]
+ [last_From:]
+ [last_To:];tag=[pid]SIPpTag01[call_number]
+ [last_Call-ID:]
+ [last_CSeq:]
+ Contact: <sip:[local_ip]:[local_port];transport=[transport]>
+ Security-Server: msrp-tls;mediasec
+ Security-Server: sdes-srtp;mediasec
+ Security-Server: dtls-srtp;mediasec
+ WWW-Authenticate: Digest realm="asterisk", nonce="47ebe028cda119c35d4877b383027d28da013815"
+ Content-Length: 0
+ ]]>
+ </send>
+
+ <recv request="REGISTER">
+ <action>
+ <ereg regexp="msrp-tls;mediasec"
+ search_in="hdr"
+ check_it="true"
+ occurrence="1"
+ header="Security-Verify: "
+ assign_to="2" />
+ <ereg regexp="sdes-srtp;mediasec"
+ search_in="hdr"
+ check_it="true"
+ occurrence="2"
+ header="Security-Verify: "
+ assign_to="3" />
+ <ereg regexp="dtls-srtp;mediasec"
+ search_in="hdr"
+ check_it="true"
+ occurrence="3"
+ header="Security-Verify: "
+ assign_to="4" />
+ <ereg regexp="mediasec"
+ search_in="hdr"
+ check_it="true"
+ header="Require: "
+ assign_to="4" />
+ <ereg regexp="mediasec"
+ search_in="hdr"
+ check_it="true"
+ header="Proxy-Require: "
+ assign_to="4" />
+ </action>
+ </recv>
+
+ <send>
+ <![CDATA[
+ SIP/2.0 200 OK
+ [last_Via:]
+ [last_From:]
+ [last_To:];tag=[pid]SIPpTag01[call_number]
+ [last_Call-ID:]
+ [last_CSeq:]
+ Contact: <sip:[local_ip]:[local_port];transport=[transport]>
+ Expires: 12
+ Content-Length: 0
+ ]]>
+ </send>
+
+ <!-- This could be a re- or un- register -->
+ <recv request="REGISTER" crlf="true">
+ </recv>
+
+ <send>
+ <![CDATA[
+ SIP/2.0 200 OK
+ [last_Via:]
+ [last_From:]
+ [last_To:];tag=[pid]SIPpTag01[call_number]
+ [last_Call-ID:]
+ [last_CSeq:]
+ Contact: <sip:[local_ip]:[local_port];transport=[transport]>
+ Expires: 0
+ Content-Length: 0
+ ]]>
+ </send>
+
+ <Reference variables="1,2,3,4" />
+
+</scenario>
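Review bot: The second `<recv request="REGISTER">` checks `Security-Verify`, `Require` and `Proxy-Require` but never checks that the retry answers the digest challenge sent in `WWW-Authenticate`, and the `200 OK` is sent unconditionally. If the retry is expected to carry credentials (the config sets `outbound_auth = regauth`), a regression that drops them on the security-agreement path would still pass. Consider adding `<ereg regexp="Digest .*response=" search_in="hdr" check_it="true" header="Authorization: " assign_to="5" />` and listing `5` in `<Reference variables=... />`. The same gap is in uas-reg-494-scenario.xml. Separately, `assign_to="4"` is reused by four different checks in this file; distinct variable numbers would read more clearly.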
diff --git a/tests/channels/pjsip/registration/outbound/sec_agreement_required/sipp/uas-reg-494-scenario.xml b/tests/channels/pjsip/registration/outbound/sec_agreement_required/sipp/uas-reg-494-scenario.xml
new file mode 100644
index 0000000..bac4e0c
--- /dev/null
+++ b/tests/channels/pjsip/registration/outbound/sec_agreement_required/sipp/uas-reg-494-scenario.xml
@@ -0,0 +1,109 @@
+<?xml version="1.0" encoding="ISO-8859-1" ?>
+<!DOCTYPE scenario SYSTEM "sipp.dtd">
+
+<scenario name="Security agreement scenario 1: 494 response received">
+ <recv request="REGISTER" crlf="true">
+ <action>
+ <ereg regexp="sdes-srtp;mediasec"
+ search_in="hdr"
+ check_it="true"
+ header="Security-Client: "
+ assign_to="1" />
+ <ereg regexp="mediasec"
+ search_in="hdr"
+ check_it="true"
+ header="Require: "
+ assign_to="4" />
+ <ereg regexp="mediasec"
+ search_in="hdr"
+ check_it="true"
+ header="Proxy-Require: "
+ assign_to="4" />
+ </action>
+ </recv>
+
+ <send>
+ <![CDATA[
+ SIP/2.0 494 Security Agreement Required
+ [last_Via:]
+ [last_From:]
+ [last_To:];tag=[pid]SIPpTag01[call_number]
+ [last_Call-ID:]
+ [last_CSeq:]
+ Contact: <sip:[local_ip]:[local_port];transport=[transport]>
+ Security-Server: msrp-tls;mediasec
+ Security-Server: sdes-srtp;mediasec
+ Security-Server: dtls-srtp;mediasec
+ WWW-Authenticate: Digest realm="asterisk", nonce="47ebe028cda119c35d4877b383027d28da013815"
+ Content-Length: 0
+ ]]>
+ </send>
+
+ <recv request="REGISTER">
+ <action>
+ <ereg regexp="msrp-tls;mediasec"
+ search_in="hdr"
+ check_it="true"
+ occurrence="1"
+ header="Security-Verify: "
+ assign_to="2" />
+ <ereg regexp="sdes-srtp;mediasec"
+ search_in="hdr"
+ check_it="true"
+ occurrence="2"
+ header="Security-Verify: "
+ assign_to="3" />
+ <ereg regexp="dtls-srtp;mediasec"
+ search_in="hdr"
+ check_it="true"
+ occurrence="3"
+ header="Security-Verify: "
+ assign_to="4" />
+ <ereg regexp="mediasec"
+ search_in="hdr"
+ check_it="true"
+ header="Require: "
+ assign_to="4" />
+ <ereg regexp="mediasec"
+ search_in="hdr"
+ check_it="true"
+ header="Proxy-Require: "
+ assign_to="4" />
+ </action>
+ </recv>
+
+ <send>
+ <![CDATA[
+ SIP/2.0 200 OK
+ [last_Via:]
+ [last_From:]
+ [last_To:];tag=[pid]SIPpTag01[call_number]
+ [last_Call-ID:]
+ [last_CSeq:]
+ Contact: <sip:[local_ip]:[local_port];transport=[transport]>
+ Expires: 12
+ Content-Length: 0
+ ]]>
+ </send>
+
+ <!-- This could be a re- or un- register -->
+ <recv request="REGISTER" crlf="true">
+ </recv>
+
+ <send>
+ <![CDATA[
+ SIP/2.0 200 OK
+ [last_Via:]
+ [last_From:]
+ [last_To:];tag=[pid]SIPpTag01[call_number]
+ [last_Call-ID:]
+ [last_CSeq:]
+ Contact: <sip:[local_ip]:[local_port];transport=[transport]>
+ Expires: 0
+ Content-Length: 0
+ ]]>
+ </send>
+
+ <Reference variables="1,2,3,4" />
+
+</scenario>
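Review bot: The `494 Security Agreement Required` response here also carries a `WWW-Authenticate` challenge, so apart from the status line this scenario is identical to the 401 one. A 494 that carries only `Security-Server` headers, followed by a separate 401 challenge on the retry, is not exercised. Whether Asterisk handles that sequence cannot be told from this change. If that flow is in scope, a third scenario without the `WWW-Authenticate` line in the 494 would cover it. If it is not, a short XML comment above the `<send>` saying the challenge is bundled deliberately would help the next reader.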
diff --git a/tests/channels/pjsip/registration/outbound/sec_agreement_required/test-config.yaml b/tests/channels/pjsip/registration/outbound/sec_agreement_required/test-config.yaml
new file mode 100644
index 0000000..4486b78
--- /dev/null
+++ b/tests/channels/pjsip/registration/outbound/sec_agreement_required/test-config.yaml
@@ -0,0 +1,62 @@
+testinfo:
+ summary: 'Check handling of security agreement mechanisms'
+ description: |
+ 'Asterisk attempts to use the security agreement mechanisms as defined
+ in RFC 3329. The server rejects the initial registration with a 494
+ Security Agreement Required or some non-RFC compliant servers with 401
+ Unauthorized. Asterisk should then attempt to register with the correct
+ Security-Verify headers which have been obtained from the server's
+ response.
+
+ There are two scenarios:
+ 1) The server responds with status code 494.
+ 2) The server responds with status code 401.'
+
+test-modules:
+ test-object:
+ config-section: sipp-config
+ typename: 'sipp.SIPpTestCase'
+ modules:
+ -
+ typename: 'ami.AMIEventModule'
+ config-section: ami-config
+
+sipp-config:
+ test-iterations:
+ -
+ scenarios:
+ - { 'key-args': { 'scenario': 'uas-reg-494-scenario.xml', '-p': '5061'} }
+ - { 'key-args': { 'scenario': 'uas-reg-401-scenario.xml', '-p': '5062'} }
+
+ami-config:
+ -
+ type: 'headermatch'
+ conditions:
+ match:
+ Event: 'Registry'
+ ChannelType: 'PJSIP'
+ Username: 'sip:us at 127.0.0.1'
+ Domain: 'sip:them at 127.0.0.1:5061'
+ Status: 'Registered'
+ count: '1'
+ -
+ type: 'headermatch'
+ conditions:
+ match:
+ Event: 'Registry'
+ ChannelType: 'PJSIP'
+ Username: 'sip:us at 127.0.0.1'
+ Domain: 'sip:them at 127.0.0.1:5062'
+ Status: 'Registered'
+ count: '1'
+
+properties:
+ dependencies:
+ - python: 'starpy'
+ - sipp:
+ version: 'v3.1'
+ - asterisk: 'res_pjsip'
+ - asterisk: 'res_pjsip_outbound_authenticator_digest'
+ - asterisk: 'res_pjsip_outbound_registration'
+ tags:
+ - pjsip
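Review bot: The `description: |` block scalar wraps its text in single quotes (`'Asterisk attempts ...` through `... 401.'`), and inside a literal block those quotes become part of the string rather than delimiting it. Dropping them leaves the text unchanged for readers and avoids stray quote characters wherever the description is printed. The sentence "or some non-RFC compliant servers with 401 Unauthorized" would also read better as "or, for some non-RFC-compliant servers, with a 401 Unauthorized".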
diff --git a/tests/channels/pjsip/registration/outbound/tests.yaml b/tests/channels/pjsip/registration/outbound/tests.yaml
index c0e9dd3..9128691 100644
--- a/tests/channels/pjsip/registration/outbound/tests.yaml
+++ b/tests/channels/pjsip/registration/outbound/tests.yaml
@@ -7,3 +7,4 @@
- test: 'forbidden_retry'
- test: 'interval_too_brief'
- test: 'line_parameter'
+ - test: 'sec_agreement_required'
--
To view, visit https://gerrit.asterisk.org/c/testsuite/+/19393
Gerrit-Project: testsuite
Gerrit-Branch: master
Gerrit-Change-Id: Iad40d0f1987d1de19b1fe1c5c53394853179ce61
Gerrit-Change-Number: 19393
Gerrit-PatchSet: 1
Gerrit-Owner: Maximilian Fridrich <m.fridrich at commend.com>
Gerrit-MessageType: newchange