res_pjsip: Add mediasec capabilities.
This patch adds support for mediasec SIP headers and SDP attributes. These are defined in RFC 3329, 3GPP TS 24.229 and draft-dawes-sipcore-mediasec-parameter. The new features are implemented so that a backbone for RFC 3329 is present to streamline future work on RFC 3329. With this patch, Asterisk can communicate with Deutsche Telekom trunks which require these fields. ASTERISK-30032 Change-Id: Ia7f5b5ba42db18074fdd5428c4e1838728586be2
This commit is contained in:
parent
7f80830ced
commit
0d2e140123
|
@ -0,0 +1,49 @@
|
|||
"""add security_negotiation and security_mechanisms to endpoint
|
||||
|
||||
Revision ID: 417c0247fd7e
|
||||
Revises: 539f68bede2c
|
||||
Create Date: 2022-08-08 15:35:31.416964
|
||||
|
||||
"""
|
||||
|
||||
# revision identifiers, used by Alembic.
|
||||
revision = '417c0247fd7e'
|
||||
down_revision = '539f68bede2c'
|
||||
|
||||
from alembic import op
|
||||
import sqlalchemy as sa
|
||||
from sqlalchemy.dialects.postgresql import ENUM
|
||||
|
||||
SECURITY_NEGOTIATION_NAME = 'security_negotiation_values'
|
||||
SECURITY_NEGOTIATION_VALUES = ['no', 'mediasec']
|
||||
|
||||
def upgrade():
|
||||
context = op.get_context()
|
||||
|
||||
if context.bind.dialect.name == 'postgresql':
|
||||
security_negotiation_values = ENUM(*SECURITY_NEGOTIATION_VALUES, name=SECURITY_NEGOTIATION_NAME)
|
||||
security_negotiation_values.create(op.get_bind(), checkfirst=False)
|
||||
|
||||
op.add_column('ps_endpoints', sa.Column('security_negotiation',
|
||||
ENUM(*SECURITY_NEGOTIATION_VALUES, name=SECURITY_NEGOTIATION_NAME, create_type=False)))
|
||||
op.add_column('ps_endpoints', sa.Column('security_mechanisms', sa.String(512)))
|
||||
|
||||
op.add_column('ps_registrations', sa.Column('security_negotiation',
|
||||
ENUM(*SECURITY_NEGOTIATION_VALUES, name=SECURITY_NEGOTIATION_NAME, create_type=False)))
|
||||
op.add_column('ps_registrations', sa.Column('security_mechanisms', sa.String(512)))
|
||||
|
||||
def downgrade():
|
||||
context = op.get_context()
|
||||
|
||||
if context.bind.dialect.name == 'mssql':
|
||||
op.drop_constraint('ck_ps_endpoints_security_negotiation_security_negotiation_values', 'ps_endpoints')
|
||||
op.drop_constraint('ck_ps_registrations_security_negotiation_security_negotiation_values', 'ps_registrations')
|
||||
|
||||
op.drop_column('ps_endpoints', 'security_negotiation')
|
||||
op.drop_column('ps_endpoints', 'security_mechanisms')
|
||||
op.drop_column('ps_registrations', 'security_negotiation')
|
||||
op.drop_column('ps_registrations', 'security_mechanisms')
|
||||
|
||||
if context.bind.dialect.name == 'postgresql':
|
||||
enum = ENUM(*SECURITY_NEGOTIATION_VALUES, name=SECURITY_NEGOTIATION_NAME)
|
||||
enum.drop(op.get_bind(), checkfirst=False)
|
|
@ -0,0 +1,6 @@
|
|||
Subject: res_pjsip
|
||||
|
||||
Added options "security_negotiation" and "security_mechanisms" to pjsip
|
||||
endpoints and registrations. "security_negotiation" can be set to "no" (default)
|
||||
or "mediasec", and "security_mechanisms" can be a list of comma-separated
|
||||
security_mechanisms in the form defined by RFC 3329 section 2.2.
|
|
@ -319,6 +319,45 @@ struct ast_sip_nat_hook {
|
|||
void (*outgoing_external_message)(struct pjsip_tx_data *tdata, struct ast_sip_transport *transport);
|
||||
};
|
||||
|
||||
/*!
|
||||
* \brief The kind of security negotiation
|
||||
*/
|
||||
enum ast_sip_security_negotiation {
|
||||
/*! No security mechanism negotiation */
|
||||
AST_SIP_SECURITY_NEG_NONE = 0,
|
||||
/*! Use mediasec security mechanism negotiation */
|
||||
AST_SIP_SECURITY_NEG_MEDIASEC,
|
||||
/* Add RFC 3329 (sec-agree) mechanism negotiation in the future */
|
||||
};
|
||||
|
||||
/*!
|
||||
* \brief The security mechanism type
|
||||
*/
|
||||
enum ast_sip_security_mechanism_type {
|
||||
AST_SIP_SECURITY_MECH_NONE = 0,
|
||||
/* Use msrp-tls as security mechanism */
|
||||
AST_SIP_SECURITY_MECH_MSRP_TLS,
|
||||
/* Use sdes-srtp as security mechanism */
|
||||
AST_SIP_SECURITY_MECH_SDES_SRTP,
|
||||
/* Use dtls-srtp as security mechanism */
|
||||
AST_SIP_SECURITY_MECH_DTLS_SRTP,
|
||||
/* Add RFC 3329 (sec-agree) mechanisms like tle, digest, ipsec-ike in the future */
|
||||
};
|
||||
|
||||
/*!
|
||||
* \brief Structure representing a security mechanism as defined in RFC 3329
|
||||
*/
|
||||
struct ast_sip_security_mechanism {
|
||||
/* Used to determine which security mechanism to use. */
|
||||
enum ast_sip_security_mechanism_type type;
|
||||
/* The preference of this security mechanism. The higher the value, the more preferred. */
|
||||
float qvalue;
|
||||
/* Optional mechanism parameters. */
|
||||
struct ast_vector_string mechanism_parameters;
|
||||
};
|
||||
|
||||
AST_VECTOR(ast_sip_security_mechanism_vector, struct ast_sip_security_mechanism *);
|
||||
|
||||
/*!
|
||||
* \brief Contact associated with an address of record
|
||||
*/
|
||||
|
@ -390,6 +429,13 @@ struct ast_sip_contact_status {
|
|||
);
|
||||
/*! The round trip time in microseconds */
|
||||
int64_t rtt;
|
||||
/*!
|
||||
* The security mechanism list of the contact (RFC 3329).
|
||||
* Stores the values of Security-Server headers in 401/421/494 responses to an
|
||||
* in-dialog request or successful outbound registration which will be used to
|
||||
* set the Security-Verify headers of all subsequent requests to the contact.
|
||||
*/
|
||||
struct ast_sip_security_mechanism_vector security_mechanisms;
|
||||
/*! Current status for a contact (default - unavailable) */
|
||||
enum ast_sip_contact_status_type status;
|
||||
/*! Last status for a contact (default - unavailable) */
|
||||
|
@ -987,6 +1033,10 @@ struct ast_sip_endpoint {
|
|||
unsigned int suppress_q850_reason_headers;
|
||||
/*! Ignore 183 if no SDP is present */
|
||||
unsigned int ignore_183_without_sdp;
|
||||
/*! Type of security negotiation to use (RFC 3329). */
|
||||
enum ast_sip_security_negotiation security_negotiation;
|
||||
/*! Client security mechanisms (RFC 3329). */
|
||||
struct ast_sip_security_mechanism_vector security_mechanisms;
|
||||
/*! Set which STIR/SHAKEN behaviors we want on this endpoint */
|
||||
unsigned int stir_shaken;
|
||||
/*! Should we authenticate OPTIONS requests per RFC 3261? */
|
||||
|
@ -1037,6 +1087,87 @@ int ast_sip_are_media_types_equal(pjsip_media_type *a, pjsip_media_type *b);
|
|||
*/
|
||||
int ast_sip_is_media_type_in(pjsip_media_type *a, ...) attribute_sentinel;
|
||||
|
||||
/*!
|
||||
* \brief Add security headers to transmission data
|
||||
*
|
||||
* \param security_mechanisms Vector of security mechanisms.
|
||||
* \param header_name The header name under which to add the security mechanisms.
|
||||
* One of Security-Client, Security-Server, Security-Verify.
|
||||
* \param add_qval If zero, don't add the q-value to the header.
|
||||
* \param tdata The transmission data.
|
||||
* \retval 0 Success
|
||||
* \retval non-zero Failure
|
||||
*/
|
||||
int ast_sip_add_security_headers(struct ast_sip_security_mechanism_vector *security_mechanisms,
|
||||
const char *header_name, int add_qval, pjsip_tx_data *tdata);
|
||||
|
||||
/*!
|
||||
* \brief Append to security mechanism vector from SIP header
|
||||
*
|
||||
* \param hdr The header of the security mechanisms.
|
||||
* \param security_mechanisms Vector of security mechanisms to append to.
|
||||
* Header name must be one of Security-Client, Security-Server, Security-Verify.
|
||||
*/
|
||||
void ast_sip_header_to_security_mechanism(const pjsip_generic_string_hdr *hdr,
|
||||
struct ast_sip_security_mechanism_vector *security_mechanisms);
|
||||
|
||||
/*!
|
||||
* \brief Initialize security mechanism vector from string of security mechanisms.
|
||||
*
|
||||
* \param security_mechanisms Pointer to vector of security mechanisms to initialize.
|
||||
* \param value String of security mechanisms as defined in RFC 3329.
|
||||
* \retval 0 Success
|
||||
* \retval non-zero Failure
|
||||
*/
|
||||
int ast_sip_security_mechanism_vector_init(struct ast_sip_security_mechanism_vector *security_mechanism, const char *value);
|
||||
|
||||
/*!
|
||||
* \brief Removes all headers of a specific name and value from a pjsip_msg.
|
||||
*
|
||||
* \param msg PJSIP message from which to remove headers.
|
||||
* \param hdr_name Name of the header to remove.
|
||||
* \param value Optional string value of the header to remove.
|
||||
* If NULL, remove all headers of given hdr_name.
|
||||
*/
|
||||
void ast_sip_remove_headers_by_name_and_value(pjsip_msg *msg, const pj_str_t *hdr_name, const char* value);
|
||||
|
||||
/*!
|
||||
* \brief Duplicate a security mechanism.
|
||||
*
|
||||
* \param dst Security mechanism to duplicate to.
|
||||
* \param src Security mechanism to duplicate.
|
||||
*/
|
||||
void ast_sip_security_mechanisms_vector_copy(struct ast_sip_security_mechanism_vector *dst,
|
||||
const struct ast_sip_security_mechanism_vector *src);
|
||||
|
||||
/*!
|
||||
* \brief Free contents of a security mechanism vector.
|
||||
*
|
||||
* \param security_mechanisms Vector whose contents are to be freed
|
||||
*/
|
||||
void ast_sip_security_mechanisms_vector_destroy(struct ast_sip_security_mechanism_vector *security_mechanisms);
|
||||
|
||||
/*!
|
||||
* \brief Allocate a security mechanism from a string.
|
||||
*
|
||||
* \param security_mechanism Pointer-pointer to the security mechanism to allocate.
|
||||
* \param value The security mechanism string as defined in RFC 3329 (section 2.2)
|
||||
* \param ... in the form <mechanism_name>;q=<q_value>;<mechanism_parameters>
|
||||
* \retval 0 Success
|
||||
* \retval non-zero Failure
|
||||
*/
|
||||
int ast_sip_str_to_security_mechanism(struct ast_sip_security_mechanism **security_mechanism, const char *value);
|
||||
|
||||
/*!
|
||||
* \brief Set the security negotiation based on a given string.
|
||||
*
|
||||
* \param security_negotiation Security negotiation enum to set.
|
||||
* \param val String that represents a security_negotiation value.
|
||||
* \retval 0 Success
|
||||
* \retval non-zero Failure
|
||||
*/
|
||||
int ast_sip_set_security_negotiation(enum ast_sip_security_negotiation *security_negotiation, const char *val);
|
||||
|
||||
/*!
|
||||
* \brief Initialize an auth vector with the configured values.
|
||||
*
|
||||
|
|
|
@ -33,6 +33,8 @@
|
|||
/* Needed for pjmedia_sdp_session and pjsip_inv_session */
|
||||
#include <pjsip_ua.h>
|
||||
|
||||
/* Needed for ast_sip_security_mechanism_vector */
|
||||
#include "asterisk/res_pjsip.h"
|
||||
|
||||
/* Forward declarations */
|
||||
struct ast_sip_endpoint;
|
||||
|
|
|
@ -1472,6 +1472,22 @@
|
|||
responses.</para>
|
||||
</description>
|
||||
</configOption>
|
||||
<configOption name="security_negotiation" default="no">
|
||||
<synopsis>The kind of security agreement negotiation to use. Currently, only mediasec is supported.</synopsis>
|
||||
<description>
|
||||
<enumlist>
|
||||
<enum name="no" />
|
||||
<enum name="mediasec" />
|
||||
</enumlist>
|
||||
</description>
|
||||
</configOption>
|
||||
<configOption name="security_mechanisms">
|
||||
<synopsis>List of security mechanisms supported.</synopsis>
|
||||
<description><para>
|
||||
This is a comma-delimited list of security mechanisms to use. Each security mechanism
|
||||
must be in the form defined by RFC 3329 section 2.2.
|
||||
</para></description>
|
||||
</configOption>
|
||||
<configOption name="geoloc_incoming_call_profile" default="">
|
||||
<synopsis>Geolocation profile to apply to incoming calls</synopsis>
|
||||
<description><para>
|
||||
|
|
|
@ -256,6 +256,31 @@ static int timers_to_str(const void *obj, const intptr_t *args, char **buf)
|
|||
return 0;
|
||||
}
|
||||
|
||||
static int security_mechanism_handler(const struct aco_option *opt, struct ast_variable *var, void *obj)
|
||||
{
|
||||
struct ast_sip_endpoint *endpoint = obj;
|
||||
|
||||
return ast_sip_security_mechanism_vector_init(&endpoint->security_mechanisms, var->value);
|
||||
}
|
||||
|
||||
int ast_sip_set_security_negotiation(enum ast_sip_security_negotiation *security_negotiation, const char *val) {
|
||||
if (!strcasecmp("no", val)) {
|
||||
*security_negotiation = AST_SIP_SECURITY_NEG_NONE;
|
||||
} else if (!strcasecmp("mediasec", val)) {
|
||||
*security_negotiation = AST_SIP_SECURITY_NEG_MEDIASEC;
|
||||
} else {
|
||||
return -1;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
static int security_negotiation_handler(const struct aco_option *opt, struct ast_variable *var, void *obj)
|
||||
{
|
||||
struct ast_sip_endpoint *endpoint = obj;
|
||||
|
||||
return ast_sip_set_security_negotiation(&endpoint->security_negotiation, var->value);
|
||||
}
|
||||
|
||||
void ast_sip_auth_vector_destroy(struct ast_sip_auth_vector *auths)
|
||||
{
|
||||
int i;
|
||||
|
@ -2236,6 +2261,8 @@ int ast_res_pjsip_initialize_configuration(void)
|
|||
ast_sorcery_object_field_register(sip_sorcery, "endpoint", "allow_unauthenticated_options", "no", OPT_BOOL_T, 1, FLDSET(struct ast_sip_endpoint, allow_unauthenticated_options));
|
||||
ast_sorcery_object_field_register(sip_sorcery, "endpoint", "geoloc_incoming_call_profile", "", OPT_STRINGFIELD_T, 0, STRFLDSET(struct ast_sip_endpoint, geoloc_incoming_call_profile));
|
||||
ast_sorcery_object_field_register(sip_sorcery, "endpoint", "geoloc_outgoing_call_profile", "", OPT_STRINGFIELD_T, 0, STRFLDSET(struct ast_sip_endpoint, geoloc_outgoing_call_profile));
|
||||
ast_sorcery_object_field_register_custom(sip_sorcery, "endpoint", "security_mechanisms", "", security_mechanism_handler, NULL, NULL, 0, 0);
|
||||
ast_sorcery_object_field_register_custom(sip_sorcery, "endpoint", "security_negotiation", "no", security_negotiation_handler, NULL, NULL, 0, 0);
|
||||
|
||||
if (ast_sip_initialize_sorcery_transport()) {
|
||||
ast_log(LOG_ERROR, "Failed to register SIP transport support with sorcery\n");
|
||||
|
|
|
@ -348,6 +348,8 @@ static void sip_contact_status_dtor(void *obj)
|
|||
{
|
||||
struct ast_sip_contact_status *contact_status = obj;
|
||||
|
||||
ast_sip_security_mechanisms_vector_destroy(&contact_status->security_mechanisms);
|
||||
|
||||
ast_string_field_free_memory(contact_status);
|
||||
}
|
||||
|
||||
|
@ -365,6 +367,7 @@ static struct ast_sip_contact_status *sip_contact_status_alloc(const char *name)
|
|||
ao2_ref(contact_status, -1);
|
||||
return NULL;
|
||||
}
|
||||
AST_VECTOR_INIT(&contact_status->security_mechanisms, 0);
|
||||
strcpy(contact_status->name, name); /* SAFE */
|
||||
return contact_status;
|
||||
}
|
||||
|
@ -385,6 +388,8 @@ static struct ast_sip_contact_status *sip_contact_status_copy(const struct ast_s
|
|||
dst->rtt = src->rtt;
|
||||
dst->status = src->status;
|
||||
dst->last_status = src->last_status;
|
||||
|
||||
ast_sip_security_mechanisms_vector_copy(&dst->security_mechanisms, &src->security_mechanisms);
|
||||
return dst;
|
||||
}
|
||||
|
||||
|
|
|
@ -0,0 +1,340 @@
|
|||
/*
|
||||
* Asterisk -- An open source telephony toolkit.
|
||||
*
|
||||
* Copyright (C) 2022, Commend International
|
||||
*
|
||||
* Maximilian Fridrich <m.fridrich@commend.com>
|
||||
*
|
||||
* See http://www.asterisk.org for more information about
|
||||
* the Asterisk project. Please do not directly contact
|
||||
* any of the maintainers of this project for assistance;
|
||||
* the project provides a web site, mailing lists and IRC
|
||||
* channels for your use.
|
||||
*
|
||||
* This program is free software, distributed under the terms of
|
||||
* the GNU General Public License Version 2. See the LICENSE file
|
||||
* at the top of the source tree.
|
||||
*/
|
||||
|
||||
/*!
|
||||
* \file
|
||||
*
|
||||
* \brief Interact with security agreement negotiations and mechanisms
|
||||
*
|
||||
* \author Maximilian Fridrich <m.fridrich@commend.com>
|
||||
*/
|
||||
|
||||
#include "asterisk.h"
|
||||
|
||||
#include <pjsip.h>
|
||||
|
||||
#include "asterisk/res_pjsip.h"
|
||||
|
||||
static struct ast_sip_security_mechanism *ast_sip_security_mechanisms_alloc(size_t n_params)
|
||||
{
|
||||
struct ast_sip_security_mechanism *mech;
|
||||
|
||||
mech = ast_calloc(1, sizeof(struct ast_sip_security_mechanism));
|
||||
if (mech == NULL) {
|
||||
return NULL;
|
||||
}
|
||||
mech->qvalue = 0.0;
|
||||
if (AST_VECTOR_INIT(&mech->mechanism_parameters, n_params) != 0) {
|
||||
ast_free(mech);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
return mech;
|
||||
}
|
||||
|
||||
static struct ast_sip_security_mechanism *ast_sip_security_mechanisms_copy(
|
||||
const struct ast_sip_security_mechanism *src)
|
||||
{
|
||||
struct ast_sip_security_mechanism *dst = NULL;
|
||||
int i, n_params;
|
||||
char *param;
|
||||
|
||||
n_params = AST_VECTOR_SIZE(&src->mechanism_parameters);
|
||||
|
||||
dst = ast_sip_security_mechanisms_alloc(n_params);
|
||||
if (dst == NULL) {
|
||||
return NULL;
|
||||
}
|
||||
dst->type = src->type;
|
||||
dst->qvalue = src->qvalue;
|
||||
|
||||
for (i = 0; i < n_params; i++) {
|
||||
param = ast_strdup(AST_VECTOR_GET(&src->mechanism_parameters, i));
|
||||
AST_VECTOR_APPEND(&dst->mechanism_parameters, param);
|
||||
}
|
||||
|
||||
return dst;
|
||||
}
|
||||
|
||||
static void ast_sip_security_mechanisms_destroy(struct ast_sip_security_mechanism *mech)
|
||||
{
|
||||
int i;
|
||||
|
||||
for (i = 0; i < AST_VECTOR_SIZE(&mech->mechanism_parameters); i++) {
|
||||
ast_free(AST_VECTOR_GET(&mech->mechanism_parameters, i));
|
||||
}
|
||||
AST_VECTOR_FREE(&mech->mechanism_parameters);
|
||||
ast_free(mech);
|
||||
}
|
||||
|
||||
void ast_sip_security_mechanisms_vector_copy(struct ast_sip_security_mechanism_vector *dst,
|
||||
const struct ast_sip_security_mechanism_vector *src)
|
||||
{
|
||||
struct ast_sip_security_mechanism *mech;
|
||||
int i;
|
||||
|
||||
ast_sip_security_mechanisms_vector_destroy(dst);
|
||||
for (i = 0; i < AST_VECTOR_SIZE(src); i++) {
|
||||
mech = AST_VECTOR_GET(src, i);
|
||||
AST_VECTOR_APPEND(dst, ast_sip_security_mechanisms_copy(mech));
|
||||
}
|
||||
};
|
||||
|
||||
void ast_sip_security_mechanisms_vector_destroy(struct ast_sip_security_mechanism_vector *security_mechanisms)
|
||||
{
|
||||
struct ast_sip_security_mechanism *mech;
|
||||
int i;
|
||||
|
||||
if (!security_mechanisms) {
|
||||
return;
|
||||
}
|
||||
|
||||
for (i = 0; i < AST_VECTOR_SIZE(security_mechanisms); i++) {
|
||||
mech = AST_VECTOR_GET(security_mechanisms, i);
|
||||
ast_sip_security_mechanisms_destroy(mech);
|
||||
}
|
||||
AST_VECTOR_FREE(security_mechanisms);
|
||||
}
|
||||
|
||||
static int ast_sip_str_to_security_mechanism_type(const char *security_mechanism) {
|
||||
int result = -1;
|
||||
|
||||
if (!strcasecmp(security_mechanism, "msrp-tls")) {
|
||||
result = AST_SIP_SECURITY_MECH_MSRP_TLS;
|
||||
} else if (!strcasecmp(security_mechanism, "sdes-srtp")) {
|
||||
result = AST_SIP_SECURITY_MECH_SDES_SRTP;
|
||||
} else if (!strcasecmp(security_mechanism, "dtls-srtp")) {
|
||||
result = AST_SIP_SECURITY_MECH_DTLS_SRTP;
|
||||
}
|
||||
|
||||
return result;
|
||||
}
|
||||
|
||||
static char *ast_sip_security_mechanism_type_to_str(enum ast_sip_security_mechanism_type mech_type) {
|
||||
if (mech_type == AST_SIP_SECURITY_MECH_MSRP_TLS) {
|
||||
return "msrp-tls";
|
||||
} else if (mech_type == AST_SIP_SECURITY_MECH_SDES_SRTP) {
|
||||
return "sdes-srtp";
|
||||
} else if (mech_type == AST_SIP_SECURITY_MECH_DTLS_SRTP) {
|
||||
return "dtls-srtp";
|
||||
} else {
|
||||
return NULL;
|
||||
}
|
||||
}
|
||||
|
||||
static int ast_sip_security_mechanism_to_str(const struct ast_sip_security_mechanism *security_mechanism, int add_qvalue, char **buf) {
|
||||
char tmp[64];
|
||||
size_t size;
|
||||
size_t buf_size = 128;
|
||||
int i;
|
||||
char *ret = ast_calloc(buf_size, sizeof(char));
|
||||
|
||||
if (ret == NULL) {
|
||||
return ENOMEM;
|
||||
}
|
||||
if (security_mechanism == NULL) {
|
||||
ast_free(ret);
|
||||
return EINVAL;
|
||||
}
|
||||
|
||||
strncat(ret, ast_sip_security_mechanism_type_to_str(security_mechanism->type), buf_size - strlen(ret) - 1);
|
||||
if (add_qvalue) {
|
||||
snprintf(tmp, sizeof(tmp), ";q=%f.4", security_mechanism->qvalue);
|
||||
strncat(ret, tmp, buf_size - strlen(ret) - 1);
|
||||
}
|
||||
|
||||
size = AST_VECTOR_SIZE(&security_mechanism->mechanism_parameters);
|
||||
for (i = 0; i < size; ++i) {
|
||||
snprintf(tmp, sizeof(tmp), ";%s", AST_VECTOR_GET(&security_mechanism->mechanism_parameters, i));
|
||||
strncat(ret, tmp, buf_size - strlen(ret) - 1);
|
||||
}
|
||||
|
||||
*buf = ret;
|
||||
return 0;
|
||||
}
|
||||
|
||||
void ast_sip_remove_headers_by_name_and_value(pjsip_msg *msg, const pj_str_t *hdr_name, const char* value)
|
||||
{
|
||||
struct pjsip_generic_string_hdr *hdr = pjsip_msg_find_hdr_by_name(msg, hdr_name, NULL);
|
||||
for (; hdr; hdr = pjsip_msg_find_hdr_by_name(msg, hdr_name, hdr->next)) {
|
||||
if (value == NULL || !pj_strcmp2(&hdr->hvalue, value)) {
|
||||
pj_list_erase(hdr);
|
||||
}
|
||||
if (hdr->next == hdr) {
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/*!
|
||||
* \internal
|
||||
* \brief Parses a string representing a q_value to a float.
|
||||
*
|
||||
* Valid q values must be in the range from 0.0 to 1.0 inclusively.
|
||||
*
|
||||
* \param q_value
|
||||
* \retval The parsed qvalue or -1.0 on failure.
|
||||
*/
|
||||
static float parse_qvalue(const char *q_value) {
|
||||
char *end;
|
||||
float ret = strtof(q_value, &end);
|
||||
|
||||
if (end == q_value) {
|
||||
/* Not a number. */
|
||||
return -1.0;
|
||||
} else if ('\0' != *end) {
|
||||
/* Extra character at end of input. */
|
||||
return -1.0;
|
||||
} else if (ret > 1.0 || ret < 0.0) {
|
||||
/* Out of valid range. */
|
||||
return -1.0;
|
||||
}
|
||||
return ret;
|
||||
}
|
||||
|
||||
int ast_sip_str_to_security_mechanism(struct ast_sip_security_mechanism **security_mechanism, const char *value) {
|
||||
struct ast_sip_security_mechanism *mech;
|
||||
char *param;
|
||||
char *tmp;
|
||||
char *mechanism = ast_strdupa(value);
|
||||
int err = 0;
|
||||
int type = -1;
|
||||
|
||||
mech = ast_sip_security_mechanisms_alloc(1);
|
||||
if (!mech) {
|
||||
err = ENOMEM;
|
||||
goto out;
|
||||
}
|
||||
|
||||
tmp = ast_strsep(&mechanism, ';', AST_STRSEP_ALL);
|
||||
type = ast_sip_str_to_security_mechanism_type(tmp);
|
||||
if (type == -1) {
|
||||
err = EINVAL;
|
||||
goto out;
|
||||
}
|
||||
|
||||
mech->type = type;
|
||||
while ((param = ast_strsep(&mechanism, ';', AST_STRSEP_ALL))) {
|
||||
if (!param) {
|
||||
err = EINVAL;
|
||||
goto out;
|
||||
}
|
||||
if (!strncmp(param, "q=0", 4) || !strncmp(param, "q=1", 4)) {
|
||||
mech->qvalue = parse_qvalue(¶m[2]);
|
||||
if (mech->qvalue < 0.0) {
|
||||
goto out;
|
||||
}
|
||||
continue;
|
||||
}
|
||||
param = ast_strdup(param);
|
||||
AST_VECTOR_APPEND(&mech->mechanism_parameters, param);
|
||||
}
|
||||
|
||||
*security_mechanism = mech;
|
||||
|
||||
out:
|
||||
if (err && (mech != NULL)) {
|
||||
ast_sip_security_mechanisms_destroy(mech);
|
||||
}
|
||||
return err;
|
||||
}
|
||||
|
||||
int ast_sip_add_security_headers(struct ast_sip_security_mechanism_vector *security_mechanisms,
|
||||
const char *header_name, int add_qval, pjsip_tx_data *tdata) {
|
||||
struct ast_sip_security_mechanism *mech;
|
||||
char *buf;
|
||||
int mech_cnt;
|
||||
int i;
|
||||
int add_qvalue = 1;
|
||||
|
||||
if (!security_mechanisms || !tdata) {
|
||||
return EINVAL;
|
||||
}
|
||||
|
||||
if (!strcmp(header_name, "Security-Client")) {
|
||||
add_qvalue = 0;
|
||||
} else if (strcmp(header_name, "Security-Server") &&
|
||||
strcmp(header_name, "Security-Verify")) {
|
||||
return EINVAL;
|
||||
}
|
||||
/* If we're adding Security-Client headers, don't add q-value
|
||||
* even if the function caller requested it. */
|
||||
add_qvalue = add_qvalue && add_qval;
|
||||
|
||||
mech_cnt = AST_VECTOR_SIZE(security_mechanisms);
|
||||
for (i = 0; i < mech_cnt; ++i) {
|
||||
mech = AST_VECTOR_GET(security_mechanisms, i);
|
||||
if (ast_sip_security_mechanism_to_str(mech, add_qvalue, &buf)) {
|
||||
continue;
|
||||
}
|
||||
ast_sip_add_header(tdata, header_name, buf);
|
||||
ast_free(buf);
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
void ast_sip_header_to_security_mechanism(const pjsip_generic_string_hdr *hdr,
|
||||
struct ast_sip_security_mechanism_vector *security_mechanisms) {
|
||||
|
||||
struct ast_sip_security_mechanism *mech;
|
||||
char buf[512];
|
||||
char *hdr_val;
|
||||
char *mechanism;
|
||||
|
||||
if (!security_mechanisms || !hdr) {
|
||||
return;
|
||||
}
|
||||
|
||||
if (pj_stricmp2(&hdr->name, "Security-Client") && pj_stricmp2(&hdr->name, "Security-Server") &&
|
||||
pj_stricmp2(&hdr->name, "Security-Verify")) {
|
||||
return;
|
||||
}
|
||||
|
||||
ast_copy_pj_str(buf, &hdr->hvalue, sizeof(buf));
|
||||
hdr_val = ast_skip_blanks(buf);
|
||||
|
||||
while ((mechanism = ast_strsep(&hdr_val, ',', AST_STRSEP_ALL))) {
|
||||
if (!ast_sip_str_to_security_mechanism(&mech, mechanism)) {
|
||||
AST_VECTOR_APPEND(security_mechanisms, mech);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
int ast_sip_security_mechanism_vector_init(struct ast_sip_security_mechanism_vector *security_mechanisms, const char *value)
|
||||
{
|
||||
char *val = value ? ast_strdupa(value) : NULL;
|
||||
struct ast_sip_security_mechanism *mech;
|
||||
char *mechanism;
|
||||
|
||||
ast_sip_security_mechanisms_vector_destroy(security_mechanisms);
|
||||
if (AST_VECTOR_INIT(security_mechanisms, 1)) {
|
||||
return -1;
|
||||
}
|
||||
|
||||
if (!val) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
while ((mechanism = ast_strsep(&val, ',', AST_STRSEP_ALL))) {
|
||||
if (!ast_sip_str_to_security_mechanism(&mech, mechanism)) {
|
||||
AST_VECTOR_APPEND(security_mechanisms, mech);
|
||||
}
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
|
@ -92,6 +92,22 @@
|
|||
are made.
|
||||
</para></description>
|
||||
</configOption>
|
||||
<configOption name="security_negotiation" default="no">
|
||||
<synopsis>The kind of security agreement negotiation to use. Currently, only mediasec is supported.</synopsis>
|
||||
<description>
|
||||
<enumlist>
|
||||
<enum name="no" />
|
||||
<enum name="mediasec" />
|
||||
</enumlist>
|
||||
</description>
|
||||
</configOption>
|
||||
<configOption name="security_mechanisms">
|
||||
<synopsis>List of security mechanisms supported.</synopsis>
|
||||
<description><para>
|
||||
This is a comma-delimited list of security mechanisms to use. Each security mechanism
|
||||
must be in the form defined by RFC 3329 section 2.2.
|
||||
</para></description>
|
||||
</configOption>
|
||||
<configOption name="outbound_auth" default="">
|
||||
<synopsis>Authentication object(s) to be used for outbound registrations.</synopsis>
|
||||
<description><para>
|
||||
|
@ -342,6 +358,10 @@ struct sip_outbound_registration {
|
|||
unsigned int max_retries;
|
||||
/*! \brief Whether to add a line parameter to the outbound Contact or not */
|
||||
unsigned int line;
|
||||
/*! \brief Type of security negotiation to use (RFC 3329). */
|
||||
enum ast_sip_security_negotiation security_negotiation;
|
||||
/*! \brief Client security mechanisms (RFC 3329). */
|
||||
struct ast_sip_security_mechanism_vector security_mechanisms;
|
||||
/*! \brief Configured authentication credentials */
|
||||
struct ast_sip_auth_vector outbound_auths;
|
||||
/*! \brief Whether Path support is enabled */
|
||||
|
@ -389,6 +409,12 @@ struct sip_outbound_registration_client_state {
|
|||
unsigned int support_path;
|
||||
/*! \brief Determines whether SIP Outbound support should be advertised */
|
||||
unsigned int support_outbound;
|
||||
/*! \brief Type of security negotiation to use (RFC 3329). */
|
||||
enum ast_sip_security_negotiation security_negotiation;
|
||||
/*! \brief Client security mechanisms (RFC 3329). */
|
||||
struct ast_sip_security_mechanism_vector security_mechanisms;
|
||||
/*! \brief Security mechanisms of the peer (RFC 3329). */
|
||||
struct ast_sip_security_mechanism_vector server_security_mechanisms;
|
||||
/*! CSeq number of last sent auth request. */
|
||||
unsigned int auth_cseq;
|
||||
/*! \brief Serializer for stuff and things */
|
||||
|
@ -561,6 +587,117 @@ static void cancel_registration(struct sip_outbound_registration_client_state *c
|
|||
static pj_str_t PATH_NAME = { "path", 4 };
|
||||
static pj_str_t OUTBOUND_NAME = { "outbound", 8 };
|
||||
|
||||
AST_VECTOR(pjsip_generic_string_hdr_vector, pjsip_generic_string_hdr *);
|
||||
|
||||
/*!
|
||||
* \internal
|
||||
* \brief Callback function which finds a contact whose contact_status has security mechanisms.
|
||||
*
|
||||
* \param obj Pointer to the ast_sip_contact.
|
||||
* \param arg Pointer-pointer to a contact_status that will be set to the contact_status found by this function.
|
||||
* \param flags Flags used by the ao2_callback function.
|
||||
*
|
||||
* \note The refcount of the found contact_status must be decremented by the caller.
|
||||
*/
|
||||
static int contact_has_security_mechanisms(void *obj, void *arg, int flags)
|
||||
{
|
||||
struct ast_sip_contact *contact = obj;
|
||||
struct ast_sip_contact_status **ret = arg;
|
||||
struct ast_sip_contact_status *contact_status = ast_sip_get_contact_status(contact);
|
||||
|
||||
if (!contact_status) {
|
||||
return -1;
|
||||
}
|
||||
if (!AST_VECTOR_SIZE(&contact_status->security_mechanisms)) {
|
||||
ao2_cleanup(contact_status);
|
||||
return -1;
|
||||
}
|
||||
*ret = contact_status;
|
||||
return 0;
|
||||
}
|
||||
|
||||
static int contact_add_security_headers_to_status(void *obj, void *arg, int flags)
|
||||
{
|
||||
struct ast_sip_contact *contact = obj;
|
||||
struct pjsip_generic_string_hdr_vector *header_vector = arg;
|
||||
struct ast_sip_contact_status *contact_status = ast_sip_get_contact_status(contact);
|
||||
|
||||
if (!contact_status) {
|
||||
return -1;
|
||||
}
|
||||
if (AST_VECTOR_SIZE(&contact_status->security_mechanisms)) {
|
||||
goto out;
|
||||
}
|
||||
|
||||
ao2_lock(contact_status);
|
||||
AST_VECTOR_CALLBACK_VOID(header_vector, ast_sip_header_to_security_mechanism, &contact_status->security_mechanisms);
|
||||
ao2_unlock(contact_status);
|
||||
|
||||
out:
|
||||
ao2_cleanup(contact_status);
|
||||
return 0;
|
||||
}
|
||||
|
||||
/*! \brief Adds security negotiation mechanisms of outbound registration client state as Security headers to tdata. */
|
||||
static void add_security_headers(struct sip_outbound_registration_client_state *client_state,
|
||||
pjsip_tx_data *tdata)
|
||||
{
|
||||
struct sip_outbound_registration *reg = NULL;
|
||||
struct ast_sip_endpoint *endpt = NULL;
|
||||
struct ao2_container *contact_container;
|
||||
struct ast_sip_contact_status *contact_status = NULL;
|
||||
struct ast_sip_security_mechanism_vector *sec_mechs = NULL;
|
||||
static const pj_str_t security_verify = { "Security-Verify", 15 };
|
||||
static const pj_str_t security_client = { "Security-Client", 15 };
|
||||
static const pj_str_t proxy_require = { "Proxy-Require", 13 };
|
||||
static const pj_str_t require = { "Require", 7 };
|
||||
|
||||
if (client_state->security_negotiation != AST_SIP_SECURITY_NEG_MEDIASEC) {
|
||||
return;
|
||||
}
|
||||
|
||||
/* Get contact status through registration -> endpoint name -> aor -> contact (if set) */
|
||||
if ((reg = ast_sorcery_retrieve_by_id(ast_sip_get_sorcery(), "registration", client_state->registration_name))
|
||||
&& !ast_strlen_zero(reg->endpoint) && (endpt = ast_sorcery_retrieve_by_id(ast_sip_get_sorcery(), "endpoint", reg->endpoint))
|
||||
&& (contact_container = ast_sip_location_retrieve_contacts_from_aor_list(endpt->aors))) {
|
||||
/* Retrieve all contacts associated with aors from this endpoint
|
||||
* and find the first one that has security mechanisms.
|
||||
*/
|
||||
ao2_callback(contact_container, 0, contact_has_security_mechanisms, &contact_status);
|
||||
if (contact_status) {
|
||||
ao2_lock(contact_status);
|
||||
sec_mechs = &contact_status->security_mechanisms;
|
||||
}
|
||||
ao2_cleanup(contact_container);
|
||||
}
|
||||
/* Use client_state->server_security_mechanisms if contact_status does not exist. */
|
||||
if (!contact_status && AST_VECTOR_SIZE(&client_state->server_security_mechanisms)) {
|
||||
sec_mechs = &client_state->server_security_mechanisms;
|
||||
}
|
||||
if (client_state->status == SIP_REGISTRATION_REGISTERED || client_state->status == SIP_REGISTRATION_REJECTED_TEMPORARY
|
||||
|| client_state->auth_attempted) {
|
||||
if (sec_mechs != NULL && pjsip_msg_find_hdr_by_name(tdata->msg, &security_verify, NULL) == NULL) {
|
||||
ast_sip_add_security_headers(sec_mechs, "Security-Verify", 0, tdata);
|
||||
}
|
||||
ast_sip_remove_headers_by_name_and_value(tdata->msg, &security_client, NULL);
|
||||
ast_sip_remove_headers_by_name_and_value(tdata->msg, &proxy_require, "mediasec");
|
||||
ast_sip_remove_headers_by_name_and_value(tdata->msg, &require, "mediasec");
|
||||
} else {
|
||||
ast_sip_add_security_headers(&client_state->security_mechanisms, "Security-Client", 0, tdata);
|
||||
}
|
||||
|
||||
ast_sip_add_header(tdata, "Require", "mediasec");
|
||||
ast_sip_add_header(tdata, "Proxy-Require", "mediasec");
|
||||
|
||||
/* Cleanup */
|
||||
if (contact_status) {
|
||||
ao2_unlock(contact_status);
|
||||
ao2_cleanup(contact_status);
|
||||
}
|
||||
ao2_cleanup(endpt);
|
||||
ao2_cleanup(reg);
|
||||
}
|
||||
|
||||
/*! \brief Helper function which sends a message and cleans up, if needed, on failure */
|
||||
static pj_status_t registration_client_send(struct sip_outbound_registration_client_state *client_state,
|
||||
pjsip_tx_data *tdata)
|
||||
|
@ -585,6 +722,9 @@ static pj_status_t registration_client_send(struct sip_outbound_registration_cli
|
|||
*/
|
||||
pjsip_tx_data_add_ref(tdata);
|
||||
|
||||
/* Add Security-Verify or Security-Client headers */
|
||||
add_security_headers(client_state, tdata);
|
||||
|
||||
/*
|
||||
* Set the transport in case transports were reloaded.
|
||||
* When pjproject removes the extraneous error messages produced,
|
||||
|
@ -832,6 +972,8 @@ static int handle_client_state_destruction(void *data)
|
|||
|
||||
update_client_state_status(client_state, SIP_REGISTRATION_STOPPED);
|
||||
ast_sip_auth_vector_destroy(&client_state->outbound_auths);
|
||||
ast_sip_security_mechanisms_vector_destroy(&client_state->security_mechanisms);
|
||||
ast_sip_security_mechanisms_vector_destroy(&client_state->server_security_mechanisms);
|
||||
ao2_ref(client_state, -1);
|
||||
|
||||
return 0;
|
||||
|
@ -1089,19 +1231,60 @@ static int handle_registration_response(void *data)
|
|||
return 0;
|
||||
}
|
||||
}
|
||||
} else if ((response->code == 401 || response->code == 407)
|
||||
} else if ((response->code == 401 || response->code == 407 || response->code == 494)
|
||||
&& (!response->client_state->auth_attempted
|
||||
|| response->rdata->msg_info.cseq->cseq != response->client_state->auth_cseq)) {
|
||||
int res;
|
||||
pjsip_cseq_hdr *cseq_hdr;
|
||||
pjsip_tx_data *tdata;
|
||||
|
||||
if (!ast_sip_create_request_with_auth(&response->client_state->outbound_auths,
|
||||
if (response->client_state->security_negotiation == AST_SIP_SECURITY_NEG_MEDIASEC) {
|
||||
struct sip_outbound_registration *reg = NULL;
|
||||
struct ast_sip_endpoint *endpt = NULL;
|
||||
struct ao2_container *contact_container = NULL;
|
||||
pjsip_generic_string_hdr *header;
|
||||
struct pjsip_generic_string_hdr_vector header_vector;
|
||||
static const pj_str_t security_server = { "Security-Server", 15 };
|
||||
|
||||
if ((reg = ast_sorcery_retrieve_by_id(ast_sip_get_sorcery(), "registration",
|
||||
response->client_state->registration_name)) && reg->endpoint &&
|
||||
(endpt = ast_sorcery_retrieve_by_id(ast_sip_get_sorcery(), "endpoint", reg->endpoint))) {
|
||||
/* Retrieve all contacts associated with aors from this endpoint (if set). */
|
||||
contact_container = ast_sip_location_retrieve_contacts_from_aor_list(endpt->aors);
|
||||
}
|
||||
/* Add server list of security mechanism to client_state and contact status if exists. */
|
||||
AST_VECTOR_INIT(&header_vector, 1);
|
||||
header = pjsip_msg_find_hdr_by_name(response->rdata->msg_info.msg, &security_server, NULL);
|
||||
for (; header;
|
||||
header = pjsip_msg_find_hdr_by_name(response->rdata->msg_info.msg, &security_server, header->next)) {
|
||||
AST_VECTOR_APPEND(&header_vector, header);
|
||||
ast_sip_header_to_security_mechanism(header, &response->client_state->server_security_mechanisms);
|
||||
}
|
||||
if (contact_container) {
|
||||
/* Add server security mechanisms to contact status of all associated contacts to be able to send correct
|
||||
* Security-Verify headers on subsequent non-REGISTER requests through this outbound registration.
|
||||
*/
|
||||
ao2_callback(contact_container, OBJ_NODATA, contact_add_security_headers_to_status, &header_vector);
|
||||
ao2_cleanup(contact_container);
|
||||
}
|
||||
AST_VECTOR_FREE(&header_vector);
|
||||
ao2_cleanup(endpt);
|
||||
ao2_cleanup(reg);
|
||||
}
|
||||
|
||||
if (response->code == 494) {
|
||||
update_client_state_status(response->client_state, SIP_REGISTRATION_REJECTED_TEMPORARY);
|
||||
response->client_state->retries++;
|
||||
schedule_registration(response->client_state, 0);
|
||||
ao2_ref(response, -1);
|
||||
return 0;
|
||||
} else if (!ast_sip_create_request_with_auth(&response->client_state->outbound_auths,
|
||||
response->rdata, response->old_request, &tdata)) {
|
||||
response->client_state->auth_attempted = 1;
|
||||
ast_debug(1, "Sending authenticated REGISTER to server '%s' from client '%s'\n",
|
||||
server_uri, client_uri);
|
||||
pjsip_tx_data_add_ref(tdata);
|
||||
|
||||
res = registration_client_send(response->client_state, tdata);
|
||||
|
||||
/* Save the cseq that actually got sent. */
|
||||
|
@ -1372,6 +1555,7 @@ static void sip_outbound_registration_destroy(void *obj)
|
|||
struct sip_outbound_registration *registration = obj;
|
||||
|
||||
ast_sip_auth_vector_destroy(®istration->outbound_auths);
|
||||
ast_sip_security_mechanisms_vector_destroy(®istration->security_mechanisms);
|
||||
|
||||
ast_string_field_free_memory(registration);
|
||||
}
|
||||
|
@ -1721,6 +1905,8 @@ static int sip_outbound_registration_perform(void *data)
|
|||
|
||||
/* Just in case the client state is being reused for this registration, free the auth information */
|
||||
ast_sip_auth_vector_destroy(&state->client_state->outbound_auths);
|
||||
ast_sip_security_mechanisms_vector_destroy(&state->client_state->security_mechanisms);
|
||||
ast_sip_security_mechanisms_vector_destroy(&state->client_state->server_security_mechanisms);
|
||||
|
||||
AST_VECTOR_INIT(&state->client_state->outbound_auths, AST_VECTOR_SIZE(®istration->outbound_auths));
|
||||
for (i = 0; i < AST_VECTOR_SIZE(®istration->outbound_auths); ++i) {
|
||||
|
@ -1730,6 +1916,8 @@ static int sip_outbound_registration_perform(void *data)
|
|||
ast_free(name);
|
||||
}
|
||||
}
|
||||
ast_sip_security_mechanisms_vector_copy(&state->client_state->security_mechanisms,
|
||||
®istration->security_mechanisms);
|
||||
state->client_state->retry_interval = registration->retry_interval;
|
||||
state->client_state->forbidden_retry_interval = registration->forbidden_retry_interval;
|
||||
state->client_state->fatal_retry_interval = registration->fatal_retry_interval;
|
||||
|
@ -1737,6 +1925,7 @@ static int sip_outbound_registration_perform(void *data)
|
|||
state->client_state->retries = 0;
|
||||
state->client_state->support_path = registration->support_path;
|
||||
state->client_state->support_outbound = registration->support_outbound;
|
||||
state->client_state->security_negotiation = registration->security_negotiation;
|
||||
state->client_state->auth_rejection_permanent = registration->auth_rejection_permanent;
|
||||
max_delay = registration->max_random_initial_delay;
|
||||
|
||||
|
@ -1835,6 +2024,20 @@ static int sip_outbound_registration_apply(const struct ast_sorcery *sorcery, vo
|
|||
return 0;
|
||||
}
|
||||
|
||||
static int security_mechanisms_handler(const struct aco_option *opt, struct ast_variable *var, void *obj)
|
||||
{
|
||||
struct sip_outbound_registration *registration = obj;
|
||||
|
||||
return ast_sip_security_mechanism_vector_init(®istration->security_mechanisms, var->value);
|
||||
}
|
||||
|
||||
static int security_negotiation_handler(const struct aco_option *opt, struct ast_variable *var, void *obj)
|
||||
{
|
||||
struct sip_outbound_registration *registration = obj;
|
||||
|
||||
return ast_sip_set_security_negotiation(®istration->security_negotiation, var->value);
|
||||
}
|
||||
|
||||
static int outbound_auth_handler(const struct aco_option *opt, struct ast_variable *var, void *obj)
|
||||
{
|
||||
struct sip_outbound_registration *registration = obj;
|
||||
|
@ -2564,6 +2767,8 @@ static int load_module(void)
|
|||
ast_sorcery_object_field_register_custom(ast_sip_get_sorcery(), "registration", "outbound_auth", "", outbound_auth_handler, outbound_auths_to_str, outbound_auths_to_var_list, 0, 0);
|
||||
ast_sorcery_object_field_register(ast_sip_get_sorcery(), "registration", "support_path", "no", OPT_BOOL_T, 1, FLDSET(struct sip_outbound_registration, support_path));
|
||||
ast_sorcery_object_field_register(ast_sip_get_sorcery(), "registration", "support_outbound", "no", OPT_YESNO_T, 1, FLDSET(struct sip_outbound_registration, support_outbound));
|
||||
ast_sorcery_object_field_register_custom(ast_sip_get_sorcery(), "registration", "security_negotiation", "no", security_negotiation_handler, NULL, NULL, 0, 0);
|
||||
ast_sorcery_object_field_register_custom(ast_sip_get_sorcery(), "registration", "security_mechanisms", "", security_mechanisms_handler, NULL, NULL, 0, 0);
|
||||
ast_sorcery_object_field_register(ast_sip_get_sorcery(), "registration", "line", "no", OPT_BOOL_T, 1, FLDSET(struct sip_outbound_registration, line));
|
||||
ast_sorcery_object_field_register(ast_sip_get_sorcery(), "registration", "endpoint", "", OPT_STRINGFIELD_T, 0, STRFLDSET(struct sip_outbound_registration, endpoint));
|
||||
|
||||
|
|
|
@ -0,0 +1,150 @@
|
|||
/*
|
||||
* Asterisk -- An open source telephony toolkit.
|
||||
*
|
||||
* Copyright (C) 2022, Commend International
|
||||
*
|
||||
* Maximilian Fridrich <m.fridrich@commend.com>
|
||||
*
|
||||
* See http://www.asterisk.org for more information about
|
||||
* the Asterisk project. Please do not directly contact
|
||||
* any of the maintainers of this project for assistance;
|
||||
* the project provides a web site, mailing lists and IRC
|
||||
* channels for your use.
|
||||
*
|
||||
* This program is free software, distributed under the terms of
|
||||
* the GNU General Public License Version 2. See the LICENSE file
|
||||
* at the top of the source tree.
|
||||
*/
|
||||
|
||||
/*** MODULEINFO
|
||||
<depend>pjproject</depend>
|
||||
<depend>res_pjsip</depend>
|
||||
<depend>res_pjsip_session</depend>
|
||||
<support_level>core</support_level>
|
||||
***/
|
||||
|
||||
#include "asterisk.h"
|
||||
|
||||
#include <pjsip.h>
|
||||
#include <pjsip_ua.h>
|
||||
|
||||
#include "asterisk/res_pjsip.h"
|
||||
#include "asterisk/res_pjsip_session.h"
|
||||
#include "asterisk/module.h"
|
||||
#include "asterisk/causes.h"
|
||||
#include "asterisk/threadpool.h"
|
||||
|
||||
static void rfc3329_incoming_response(struct ast_sip_session *session, struct pjsip_rx_data *rdata)
|
||||
{
|
||||
static const pj_str_t str_security_server = { "Security-Server", 15 };
|
||||
struct ast_sip_contact_status *contact_status = NULL;
|
||||
struct ast_sip_security_mechanism *mech;
|
||||
pjsip_generic_string_hdr *header;
|
||||
char buf[128];
|
||||
char *hdr_val;
|
||||
char *mechanism;
|
||||
|
||||
if (!session || !session->endpoint || !session->endpoint->security_negotiation
|
||||
|| !session->contact || !(contact_status = ast_sip_get_contact_status(session->contact))) {
|
||||
return;
|
||||
}
|
||||
|
||||
ao2_lock(contact_status);
|
||||
if (AST_VECTOR_SIZE(&contact_status->security_mechanisms)) {
|
||||
goto out;
|
||||
}
|
||||
|
||||
header = pjsip_msg_find_hdr_by_name(rdata->msg_info.msg, &str_security_server, NULL);
|
||||
for (; header;
|
||||
header = pjsip_msg_find_hdr_by_name(rdata->msg_info.msg, &str_security_server, header->next)) {
|
||||
/* Parse Security-Server headers and add to contact status to use for future requests. */
|
||||
ast_copy_pj_str(buf, &header->hvalue, sizeof(buf));
|
||||
hdr_val = ast_skip_blanks(buf);
|
||||
|
||||
while ((mechanism = ast_strsep(&hdr_val, ',', AST_STRSEP_ALL))) {
|
||||
if (!ast_sip_str_to_security_mechanism(&mech, mechanism)) {
|
||||
AST_VECTOR_APPEND(&contact_status->security_mechanisms, mech);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
out:
|
||||
ao2_unlock(contact_status);
|
||||
ao2_cleanup(contact_status);
|
||||
}
|
||||
|
||||
static void add_outgoing_request_headers(struct ast_sip_endpoint *endpoint, struct ast_sip_contact *contact, struct pjsip_tx_data *tdata)
|
||||
{
|
||||
static const pj_str_t security_verify = { "Security-Verify", 15 };
|
||||
struct pjsip_generic_string_hdr *hdr = NULL;
|
||||
struct ast_sip_contact_status *contact_status = NULL;
|
||||
|
||||
if (endpoint->security_negotiation != AST_SIP_SECURITY_NEG_MEDIASEC) {
|
||||
return;
|
||||
}
|
||||
|
||||
contact_status = ast_sip_get_contact_status(contact);
|
||||
hdr = pjsip_msg_find_hdr_by_name(tdata->msg, &security_verify, NULL);
|
||||
|
||||
if (contact_status == NULL) {
|
||||
return;
|
||||
}
|
||||
|
||||
ao2_lock(contact_status);
|
||||
if (AST_VECTOR_SIZE(&contact_status->security_mechanisms) && hdr == NULL) {
|
||||
/* Add Security-Verify headers (with q-value) */
|
||||
ast_sip_add_security_headers(&contact_status->security_mechanisms, "Security-Verify", 0, tdata);
|
||||
} else if (!hdr && AST_VECTOR_SIZE(&endpoint->security_mechanisms)) {
|
||||
/* Add Security-Client headers (no q-value) */
|
||||
ast_sip_add_security_headers(&endpoint->security_mechanisms, "Security-Client", 0, tdata);
|
||||
}
|
||||
ao2_unlock(contact_status);
|
||||
ast_sip_add_header(tdata, "Require", "mediasec");
|
||||
ast_sip_add_header(tdata, "Proxy-Require", "mediasec");
|
||||
|
||||
ao2_cleanup(contact_status);
|
||||
}
|
||||
|
||||
static void rfc3329_outgoing_request(struct ast_sip_session *session, struct pjsip_tx_data *tdata)
|
||||
{
|
||||
if (session->contact == NULL) {
|
||||
return;
|
||||
}
|
||||
add_outgoing_request_headers(session->endpoint, session->contact, tdata);
|
||||
}
|
||||
|
||||
static struct ast_sip_session_supplement rfc3329_supplement = {
|
||||
.incoming_response = rfc3329_incoming_response,
|
||||
.outgoing_request = rfc3329_outgoing_request,
|
||||
};
|
||||
|
||||
static void rfc3329_options_request(struct ast_sip_endpoint *endpoint, struct ast_sip_contact *contact, struct pjsip_tx_data *tdata)
|
||||
{
|
||||
add_outgoing_request_headers(endpoint, contact, tdata);
|
||||
}
|
||||
|
||||
static struct ast_sip_supplement rfc3329_options_supplement = {
|
||||
.method = "OPTIONS",
|
||||
.outgoing_request = rfc3329_options_request,
|
||||
};
|
||||
|
||||
static int load_module(void)
|
||||
{
|
||||
ast_sip_session_register_supplement(&rfc3329_supplement);
|
||||
ast_sip_register_supplement(&rfc3329_options_supplement);
|
||||
return AST_MODULE_LOAD_SUCCESS;
|
||||
}
|
||||
|
||||
static int unload_module(void)
|
||||
{
|
||||
ast_sip_session_unregister_supplement(&rfc3329_supplement);
|
||||
return 0;
|
||||
}
|
||||
|
||||
AST_MODULE_INFO(ASTERISK_GPL_KEY, AST_MODFLAG_LOAD_ORDER, "PJSIP RFC 3329 Support (partial)",
|
||||
.support_level = AST_MODULE_SUPPORT_CORE,
|
||||
.load = load_module,
|
||||
.unload = unload_module,
|
||||
.load_pri = AST_MODPRI_APP_DEPEND,
|
||||
.requires = "res_pjsip,res_pjsip_session",
|
||||
);
|
|
@ -1607,6 +1607,7 @@ static int add_crypto_to_stream(struct ast_sip_session *session,
|
|||
static const pj_str_t STR_PASSIVE = { "passive", 7 };
|
||||
static const pj_str_t STR_ACTPASS = { "actpass", 7 };
|
||||
static const pj_str_t STR_HOLDCONN = { "holdconn", 8 };
|
||||
static const pj_str_t STR_MEDSECREQ = { "requested", 9 };
|
||||
enum ast_rtp_dtls_setup setup;
|
||||
|
||||
switch (session_media->encryption) {
|
||||
|
@ -1637,6 +1638,11 @@ static int add_crypto_to_stream(struct ast_sip_session *session,
|
|||
media->attr[media->attr_count++] = attr;
|
||||
} while ((tmp = AST_LIST_NEXT(tmp, sdp_srtp_list)));
|
||||
|
||||
if (session->endpoint->security_negotiation == AST_SIP_SECURITY_NEG_MEDIASEC) {
|
||||
attr = pjmedia_sdp_attr_create(pool, "3ge2ae", &STR_MEDSECREQ);
|
||||
media->attr[media->attr_count++] = attr;
|
||||
}
|
||||
|
||||
break;
|
||||
case AST_SIP_MEDIA_ENCRYPT_DTLS:
|
||||
if (setup_dtls_srtp(session, session_media)) {
|
||||
|
|
|
@ -4816,7 +4816,8 @@ static void session_inv_on_tsx_state_changed(pjsip_inv_session *inv, pjsip_trans
|
|||
ast_debug(1, "%s: reINVITE received final response code %d\n",
|
||||
ast_sip_session_get_name(session),
|
||||
tsx->status_code);
|
||||
if ((tsx->status_code == 401 || tsx->status_code == 407)
|
||||
if ((tsx->status_code == 401 || tsx->status_code == 407
|
||||
|| (session->endpoint->security_negotiation && tsx->status_code == 494))
|
||||
&& ++session->authentication_challenge_count < MAX_RX_CHALLENGES
|
||||
&& !ast_sip_create_request_with_auth(
|
||||
&session->endpoint->outbound_auths,
|
||||
|
@ -4910,7 +4911,7 @@ static void session_inv_on_tsx_state_changed(pjsip_inv_session *inv, pjsip_trans
|
|||
ast_sip_session_get_name(session),
|
||||
(int) pj_strlen(&tsx->method.name), pj_strbuf(&tsx->method.name),
|
||||
tsx->status_code);
|
||||
if ((tsx->status_code == 401 || tsx->status_code == 407)
|
||||
if ((tsx->status_code == 401 || tsx->status_code == 407 || tsx->status_code == 494)
|
||||
&& ++session->authentication_challenge_count < MAX_RX_CHALLENGES
|
||||
&& !ast_sip_create_request_with_auth(
|
||||
&session->endpoint->outbound_auths,
|
||||
|
|
Loading…
Reference in New Issue