<p>Maximilian Fridrich has uploaded this change for <strong>review</strong>.</p><p><a href="https://gerrit.asterisk.org/c/asterisk/+/19740">View Change</a></p><pre style="font-family: monospace,monospace; white-space: pre-wrap;">res_pjsip: mediasec: Add Security-Client headers after 401<br><br>When using mediasec, requests sent after a 401 must still contain the<br>Security-Client header according to<br>draft-dawes-sipcore-mediasec-parameter.<br><br>ASTERISK-30276<br><br>Change-Id: Ief7857365f221b1ef28672a27cc3fb27384c8d0f<br>---<br>M res/res_pjsip_outbound_registration.c<br>M res/res_pjsip_rfc3329.c<br>2 files changed, 58 insertions(+), 10 deletions(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;">git pull ssh://gerrit.asterisk.org:29418/asterisk refs/changes/40/19740/1</pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;"><span>diff --git a/res/res_pjsip_outbound_registration.c b/res/res_pjsip_outbound_registration.c</span><br><span>index 538f65f..9aefefe 100644</span><br><span>--- a/res/res_pjsip_outbound_registration.c</span><br><span>+++ b/res/res_pjsip_outbound_registration.c</span><br><span>@@ -425,6 +425,8 @@</span><br><span> unsigned int destroy:1;</span><br><span> /*! \brief Non-zero if we have attempted sending a REGISTER with authentication */</span><br><span> unsigned int auth_attempted:1;</span><br><span style="color: hsl(120, 100%, 40%);">+ /*! \brief Status code of last response if we have tried to register before */</span><br><span style="color: hsl(120, 100%, 40%);">+ int last_status_code;</span><br><span> /*! \brief The name of the transport to be used for the registration */</span><br><span> char *transport_name;</span><br><span> /*! \brief The name of the registration sorcery object */</span><br><span>@@ -642,6 +644,8 @@</span><br><span> static void add_security_headers(struct sip_outbound_registration_client_state *client_state,</span><br><span> pjsip_tx_data *tdata)</span><br><span> {</span><br><span style="color: hsl(120, 100%, 40%);">+ int add_require_header = 1;</span><br><span style="color: hsl(120, 100%, 40%);">+ int add_proxy_require_header = 1;</span><br><span> struct sip_outbound_registration *reg = NULL;</span><br><span> struct ast_sip_endpoint *endpt = NULL;</span><br><span> struct ao2_container *contact_container;</span><br><span>@@ -674,20 +678,27 @@</span><br><span> if (!contact_status && AST_VECTOR_SIZE(&client_state->server_security_mechanisms)) {</span><br><span> sec_mechs = &client_state->server_security_mechanisms;</span><br><span> }</span><br><span style="color: hsl(0, 100%, 40%);">- if (client_state->status == SIP_REGISTRATION_REGISTERED || client_state->status == SIP_REGISTRATION_REJECTED_TEMPORARY</span><br><span style="color: hsl(0, 100%, 40%);">- || client_state->auth_attempted) {</span><br><span style="color: hsl(120, 100%, 40%);">+ if (client_state->status == SIP_REGISTRATION_REJECTED_TEMPORARY || client_state->auth_attempted) {</span><br><span> if (sec_mechs != NULL && pjsip_msg_find_hdr_by_name(tdata->msg, &security_verify, NULL) == NULL) {</span><br><span> ast_sip_add_security_headers(sec_mechs, "Security-Verify", 0, tdata);</span><br><span> }</span><br><span style="color: hsl(0, 100%, 40%);">- ast_sip_remove_headers_by_name_and_value(tdata->msg, &security_client, NULL);</span><br><span style="color: hsl(0, 100%, 40%);">- ast_sip_remove_headers_by_name_and_value(tdata->msg, &proxy_require, "mediasec");</span><br><span style="color: hsl(0, 100%, 40%);">- ast_sip_remove_headers_by_name_and_value(tdata->msg, &require, "mediasec");</span><br><span style="color: hsl(120, 100%, 40%);">+ if (client_state->last_status_code == 494) {</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_sip_remove_headers_by_name_and_value(tdata->msg, &security_client, NULL);</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ add_require_header =</span><br><span style="color: hsl(120, 100%, 40%);">+ (pjsip_msg_find_hdr_by_name(tdata->msg, &require, NULL) == NULL) ? 1 : 0;</span><br><span style="color: hsl(120, 100%, 40%);">+ add_proxy_require_header =</span><br><span style="color: hsl(120, 100%, 40%);">+ (pjsip_msg_find_hdr_by_name(tdata->msg, &proxy_require, NULL) == NULL) ? 1 : 0;</span><br><span> } else {</span><br><span> ast_sip_add_security_headers(&client_state->security_mechanisms, "Security-Client", 0, tdata);</span><br><span> }</span><br><span> </span><br><span style="color: hsl(0, 100%, 40%);">- ast_sip_add_header(tdata, "Require", "mediasec");</span><br><span style="color: hsl(0, 100%, 40%);">- ast_sip_add_header(tdata, "Proxy-Require", "mediasec");</span><br><span style="color: hsl(120, 100%, 40%);">+ if (add_require_header) {</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_sip_add_header(tdata, "Require", "mediasec");</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ if (add_proxy_require_header) {</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_sip_add_header(tdata, "Proxy-Require", "mediasec");</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span> </span><br><span> /* Cleanup */</span><br><span> if (contact_status) {</span><br><span>@@ -1216,6 +1227,7 @@</span><br><span> pjsip_regc_get_info(response->client_state->client, &info);</span><br><span> ast_copy_pj_str(server_uri, &info.server_uri, sizeof(server_uri));</span><br><span> ast_copy_pj_str(client_uri, &info.client_uri, sizeof(client_uri));</span><br><span style="color: hsl(120, 100%, 40%);">+ response->client_state->last_status_code = response->code;</span><br><span> </span><br><span> ast_debug(1, "Processing REGISTER response %d from server '%s' for client '%s'\n",</span><br><span> response->code, server_uri, client_uri);</span><br><span>diff --git a/res/res_pjsip_rfc3329.c b/res/res_pjsip_rfc3329.c</span><br><span>index 167dfa0..ae0cded 100644</span><br><span>--- a/res/res_pjsip_rfc3329.c</span><br><span>+++ b/res/res_pjsip_rfc3329.c</span><br><span>@@ -34,6 +34,11 @@</span><br><span> #include "asterisk/causes.h"</span><br><span> #include "asterisk/threadpool.h"</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+static pjsip_module rfc3329_module = {</span><br><span style="color: hsl(120, 100%, 40%);">+ .name = { "RFC 3329 Module", 15 },</span><br><span style="color: hsl(120, 100%, 40%);">+ .id = -1,</span><br><span style="color: hsl(120, 100%, 40%);">+};</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span> static void rfc3329_incoming_response(struct ast_sip_session *session, struct pjsip_rx_data *rdata)</span><br><span> {</span><br><span> static const pj_str_t str_security_server = { "Security-Server", 15 };</span><br><span>@@ -45,7 +50,8 @@</span><br><span> char *mechanism;</span><br><span> </span><br><span> if (!session || !session->endpoint || !session->endpoint->security_negotiation</span><br><span style="color: hsl(0, 100%, 40%);">- || !session->contact || !(contact_status = ast_sip_get_contact_status(session->contact))) {</span><br><span style="color: hsl(120, 100%, 40%);">+ || !session->contact || !(contact_status = ast_sip_get_contact_status(session->contact))</span><br><span style="color: hsl(120, 100%, 40%);">+ || !session->inv_session->dlg) {</span><br><span> return;</span><br><span> }</span><br><span> </span><br><span>@@ -54,6 +60,10 @@</span><br><span> goto out;</span><br><span> }</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+ if (pjsip_dlg_has_usage(session->inv_session->dlg, &rfc3329_module) != PJ_TRUE) {</span><br><span style="color: hsl(120, 100%, 40%);">+ pjsip_dlg_add_usage(session->inv_session->dlg, &rfc3329_module, rdata);</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span> header = pjsip_msg_find_hdr_by_name(rdata->msg_info.msg, &str_security_server, NULL);</span><br><span> for (; header;</span><br><span> header = pjsip_msg_find_hdr_by_name(rdata->msg_info.msg, &str_security_server, header->next)) {</span><br><span>@@ -78,7 +88,9 @@</span><br><span> static const pj_str_t security_verify = { "Security-Verify", 15 };</span><br><span> struct pjsip_generic_string_hdr *hdr = NULL;</span><br><span> struct ast_sip_contact_status *contact_status = NULL;</span><br><span style="color: hsl(0, 100%, 40%);">-</span><br><span style="color: hsl(120, 100%, 40%);">+ pjsip_dialog *dlg = pjsip_tdata_get_dlg(tdata);</span><br><span style="color: hsl(120, 100%, 40%);">+ pjsip_rx_data *last_rdata = NULL;</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span> if (endpoint->security_negotiation != AST_SIP_SECURITY_NEG_MEDIASEC) {</span><br><span> return;</span><br><span> }</span><br><span>@@ -90,11 +102,17 @@</span><br><span> return;</span><br><span> }</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+ if (dlg && pjsip_dlg_has_usage(dlg, &rfc3329_module)) {</span><br><span style="color: hsl(120, 100%, 40%);">+ last_rdata = pjsip_dlg_get_mod_data(dlg, rfc3329_module.id);</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span> ao2_lock(contact_status);</span><br><span> if (AST_VECTOR_SIZE(&contact_status->security_mechanisms) && hdr == NULL) {</span><br><span> /* Add Security-Verify headers (with q-value) */</span><br><span> ast_sip_add_security_headers(&contact_status->security_mechanisms, "Security-Verify", 0, tdata);</span><br><span style="color: hsl(0, 100%, 40%);">- } else if (!hdr && AST_VECTOR_SIZE(&endpoint->security_mechanisms)) {</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ if ((last_rdata && last_rdata->msg_info.msg->line.status.code == 401) ||</span><br><span style="color: hsl(120, 100%, 40%);">+ (!hdr && AST_VECTOR_SIZE(&endpoint->security_mechanisms))) {</span><br><span> /* Add Security-Client headers (no q-value) */</span><br><span> ast_sip_add_security_headers(&endpoint->security_mechanisms, "Security-Client", 0, tdata);</span><br><span> }</span><br><span>@@ -132,12 +150,15 @@</span><br><span> {</span><br><span> ast_sip_session_register_supplement(&rfc3329_supplement);</span><br><span> ast_sip_register_supplement(&rfc3329_options_supplement);</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_sip_register_service(&rfc3329_module);</span><br><span> return AST_MODULE_LOAD_SUCCESS;</span><br><span> }</span><br><span> </span><br><span> static int unload_module(void)</span><br><span> {</span><br><span> ast_sip_session_unregister_supplement(&rfc3329_supplement);</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_sip_unregister_supplement(&rfc3329_options_supplement);</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_sip_unregister_service(&rfc3329_module);</span><br><span> return 0;</span><br><span> }</span><br><span> </span><br><span></span><br></pre><p>To view, visit <a href="https://gerrit.asterisk.org/c/asterisk/+/19740">change 19740</a>. To unsubscribe, or for help writing mail filters, visit <a href="https://gerrit.asterisk.org/settings">settings</a>.</p><div itemscope itemtype="http://schema.org/EmailMessage"><div itemscope itemprop="action" itemtype="http://schema.org/ViewAction"><link itemprop="url" href="https://gerrit.asterisk.org/c/asterisk/+/19740"/><meta itemprop="name" content="View Change"/></div></div>
<div style="display:none"> Gerrit-Project: asterisk </div>
<div style="display:none"> Gerrit-Branch: 18 </div>
<div style="display:none"> Gerrit-Change-Id: Ief7857365f221b1ef28672a27cc3fb27384c8d0f </div>
<div style="display:none"> Gerrit-Change-Number: 19740 </div>
<div style="display:none"> Gerrit-PatchSet: 1 </div>
<div style="display:none"> Gerrit-Owner: Maximilian Fridrich <m.fridrich@commend.com> </div>
<div style="display:none"> Gerrit-MessageType: newchange </div>