From: Maximilian Fridrich Date: Tue, 26 Jul 2022 12:01:04 +0000 (+0200) Subject: res_pjsip: Add mediasec capabilities. X-Git-Tag: 16.30.0-rc1~18 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fc6f91eebbdad88923568fc72fe79bdee24944bf;p=thirdparty%2Fasterisk.git res_pjsip: Add mediasec capabilities. This patch adds support for mediasec SIP headers and SDP attributes. These are defined in RFC 3329, 3GPP TS 24.229 and draft-dawes-sipcore-mediasec-parameter. The new features are implemented so that a backbone for RFC 3329 is present to streamline future work on RFC 3329. With this patch, Asterisk can communicate with Deutsche Telekom trunks which require these fields. ASTERISK-30032 Change-Id: Ia7f5b5ba42db18074fdd5428c4e1838728586be2 --- diff --git a/contrib/ast-db-manage/config/versions/417c0247fd7e_add_security_negotiation_and_security_.py b/contrib/ast-db-manage/config/versions/417c0247fd7e_add_security_negotiation_and_security_.py new file mode 100644 index 0000000000..34847fcb56 --- /dev/null +++ b/contrib/ast-db-manage/config/versions/417c0247fd7e_add_security_negotiation_and_security_.py @@ -0,0 +1,49 @@ +"""add security_negotiation and security_mechanisms to endpoint + +Revision ID: 417c0247fd7e +Revises: 539f68bede2c +Create Date: 2022-08-08 15:35:31.416964 + +""" + +# revision identifiers, used by Alembic. +revision = '417c0247fd7e' +down_revision = '539f68bede2c' + +from alembic import op +import sqlalchemy as sa +from sqlalchemy.dialects.postgresql import ENUM + +SECURITY_NEGOTIATION_NAME = 'security_negotiation_values' +SECURITY_NEGOTIATION_VALUES = ['no', 'mediasec'] + +def upgrade(): + context = op.get_context() + + if context.bind.dialect.name == 'postgresql': + security_negotiation_values = ENUM(*SECURITY_NEGOTIATION_VALUES, name=SECURITY_NEGOTIATION_NAME) + security_negotiation_values.create(op.get_bind(), checkfirst=False) + + op.add_column('ps_endpoints', sa.Column('security_negotiation', + ENUM(*SECURITY_NEGOTIATION_VALUES, name=SECURITY_NEGOTIATION_NAME, create_type=False))) + op.add_column('ps_endpoints', sa.Column('security_mechanisms', sa.String(512))) + + op.add_column('ps_registrations', sa.Column('security_negotiation', + ENUM(*SECURITY_NEGOTIATION_VALUES, name=SECURITY_NEGOTIATION_NAME, create_type=False))) + op.add_column('ps_registrations', sa.Column('security_mechanisms', sa.String(512))) + +def downgrade(): + context = op.get_context() + + if context.bind.dialect.name == 'mssql': + op.drop_constraint('ck_ps_endpoints_security_negotiation_security_negotiation_values', 'ps_endpoints') + op.drop_constraint('ck_ps_registrations_security_negotiation_security_negotiation_values', 'ps_registrations') + + op.drop_column('ps_endpoints', 'security_negotiation') + op.drop_column('ps_endpoints', 'security_mechanisms') + op.drop_column('ps_registrations', 'security_negotiation') + op.drop_column('ps_registrations', 'security_mechanisms') + + if context.bind.dialect.name == 'postgresql': + enum = ENUM(*SECURITY_NEGOTIATION_VALUES, name=SECURITY_NEGOTIATION_NAME) + enum.drop(op.get_bind(), checkfirst=False) \ No newline at end of file diff --git a/doc/CHANGES-staging/res_pjsip_rfc3329.txt b/doc/CHANGES-staging/res_pjsip_rfc3329.txt new file mode 100644 index 0000000000..06510b5661 --- /dev/null +++ b/doc/CHANGES-staging/res_pjsip_rfc3329.txt @@ -0,0 +1,6 @@ +Subject: res_pjsip + +Added options "security_negotiation" and "security_mechanisms" to pjsip +endpoints and registrations. "security_negotiation" can be set to "no" (default) +or "mediasec", and "security_mechanisms" can be a list of comma-separated +security_mechanisms in the form defined by RFC 3329 section 2.2. diff --git a/include/asterisk/res_pjsip.h b/include/asterisk/res_pjsip.h index cc526afe49..087bbbc294 100644 --- a/include/asterisk/res_pjsip.h +++ b/include/asterisk/res_pjsip.h @@ -299,6 +299,45 @@ struct ast_sip_nat_hook { void (*outgoing_external_message)(struct pjsip_tx_data *tdata, struct ast_sip_transport *transport); }; +/*! + * \brief The kind of security negotiation + */ +enum ast_sip_security_negotiation { + /*! No security mechanism negotiation */ + AST_SIP_SECURITY_NEG_NONE = 0, + /*! Use mediasec security mechanism negotiation */ + AST_SIP_SECURITY_NEG_MEDIASEC, + /* Add RFC 3329 (sec-agree) mechanism negotiation in the future */ +}; + +/*! + * \brief The security mechanism type + */ +enum ast_sip_security_mechanism_type { + AST_SIP_SECURITY_MECH_NONE = 0, + /* Use msrp-tls as security mechanism */ + AST_SIP_SECURITY_MECH_MSRP_TLS, + /* Use sdes-srtp as security mechanism */ + AST_SIP_SECURITY_MECH_SDES_SRTP, + /* Use dtls-srtp as security mechanism */ + AST_SIP_SECURITY_MECH_DTLS_SRTP, + /* Add RFC 3329 (sec-agree) mechanisms like tle, digest, ipsec-ike in the future */ +}; + +/*! + * \brief Structure representing a security mechanism as defined in RFC 3329 + */ +struct ast_sip_security_mechanism { + /* Used to determine which security mechanism to use. */ + enum ast_sip_security_mechanism_type type; + /* The preference of this security mechanism. The higher the value, the more preferred. */ + float qvalue; + /* Optional mechanism parameters. */ + struct ast_vector_string mechanism_parameters; +}; + +AST_VECTOR(ast_sip_security_mechanism_vector, struct ast_sip_security_mechanism *); + /*! * \brief Contact associated with an address of record */ @@ -370,6 +409,13 @@ struct ast_sip_contact_status { ); /*! The round trip time in microseconds */ int64_t rtt; + /*! + * The security mechanism list of the contact (RFC 3329). + * Stores the values of Security-Server headers in 401/421/494 responses to an + * in-dialog request or successful outbound registration which will be used to + * set the Security-Verify headers of all subsequent requests to the contact. + */ + struct ast_sip_security_mechanism_vector security_mechanisms; /*! Current status for a contact (default - unavailable) */ enum ast_sip_contact_status_type status; /*! Last status for a contact (default - unavailable) */ @@ -911,6 +957,10 @@ struct ast_sip_endpoint { unsigned int send_connected_line; /*! Ignore 183 if no SDP is present */ unsigned int ignore_183_without_sdp; + /*! Type of security negotiation to use (RFC 3329). */ + enum ast_sip_security_negotiation security_negotiation; + /*! Client security mechanisms (RFC 3329). */ + struct ast_sip_security_mechanism_vector security_mechanisms; /*! Set which STIR/SHAKEN behaviors we want on this endpoint */ unsigned int stir_shaken; /*! Should we authenticate OPTIONS requests per RFC 3261? */ @@ -961,6 +1011,87 @@ int ast_sip_are_media_types_equal(pjsip_media_type *a, pjsip_media_type *b); */ int ast_sip_is_media_type_in(pjsip_media_type *a, ...) attribute_sentinel; +/*! + * \brief Add security headers to transmission data + * + * \param security_mechanisms Vector of security mechanisms. + * \param header_name The header name under which to add the security mechanisms. + * One of Security-Client, Security-Server, Security-Verify. + * \param add_qval If zero, don't add the q-value to the header. + * \param tdata The transmission data. + * \retval 0 Success + * \retval non-zero Failure + */ +int ast_sip_add_security_headers(struct ast_sip_security_mechanism_vector *security_mechanisms, + const char *header_name, int add_qval, pjsip_tx_data *tdata); + +/*! + * \brief Append to security mechanism vector from SIP header + * + * \param hdr The header of the security mechanisms. + * \param security_mechanisms Vector of security mechanisms to append to. + * Header name must be one of Security-Client, Security-Server, Security-Verify. + */ +void ast_sip_header_to_security_mechanism(const pjsip_generic_string_hdr *hdr, + struct ast_sip_security_mechanism_vector *security_mechanisms); + +/*! + * \brief Initialize security mechanism vector from string of security mechanisms. + * + * \param security_mechanisms Pointer to vector of security mechanisms to initialize. + * \param value String of security mechanisms as defined in RFC 3329. + * \retval 0 Success + * \retval non-zero Failure + */ +int ast_sip_security_mechanism_vector_init(struct ast_sip_security_mechanism_vector *security_mechanism, const char *value); + +/*! + * \brief Removes all headers of a specific name and value from a pjsip_msg. + * + * \param msg PJSIP message from which to remove headers. + * \param hdr_name Name of the header to remove. + * \param value Optional string value of the header to remove. + * If NULL, remove all headers of given hdr_name. + */ +void ast_sip_remove_headers_by_name_and_value(pjsip_msg *msg, const pj_str_t *hdr_name, const char* value); + +/*! + * \brief Duplicate a security mechanism. + * + * \param dst Security mechanism to duplicate to. + * \param src Security mechanism to duplicate. + */ +void ast_sip_security_mechanisms_vector_copy(struct ast_sip_security_mechanism_vector *dst, + const struct ast_sip_security_mechanism_vector *src); + +/*! + * \brief Free contents of a security mechanism vector. + * + * \param security_mechanisms Vector whose contents are to be freed + */ +void ast_sip_security_mechanisms_vector_destroy(struct ast_sip_security_mechanism_vector *security_mechanisms); + +/*! + * \brief Allocate a security mechanism from a string. + * + * \param security_mechanism Pointer-pointer to the security mechanism to allocate. + * \param value The security mechanism string as defined in RFC 3329 (section 2.2) + * \param ... in the form ;q=; + * \retval 0 Success + * \retval non-zero Failure + */ +int ast_sip_str_to_security_mechanism(struct ast_sip_security_mechanism **security_mechanism, const char *value); + +/*! + * \brief Set the security negotiation based on a given string. + * + * \param security_negotiation Security negotiation enum to set. + * \param val String that represents a security_negotiation value. + * \retval 0 Success + * \retval non-zero Failure + */ +int ast_sip_set_security_negotiation(enum ast_sip_security_negotiation *security_negotiation, const char *val); + /*! * \brief Initialize an auth vector with the configured values. * diff --git a/include/asterisk/res_pjsip_session.h b/include/asterisk/res_pjsip_session.h index e7a94575d2..30fd8baa3d 100644 --- a/include/asterisk/res_pjsip_session.h +++ b/include/asterisk/res_pjsip_session.h @@ -30,6 +30,8 @@ #include "asterisk/sdp_srtp.h" /* Needed for ast_media_type */ #include "asterisk/codec.h" +/* Needed for ast_sip_security_mechanism_vector */ +#include "asterisk/res_pjsip.h" /* Forward declarations */ struct ast_sip_endpoint; diff --git a/res/res_pjsip/pjsip_config.xml b/res/res_pjsip/pjsip_config.xml index c10b1c4534..8d5cf1d022 100644 --- a/res/res_pjsip/pjsip_config.xml +++ b/res/res_pjsip/pjsip_config.xml @@ -1166,6 +1166,22 @@ responses. + + The kind of security agreement negotiation to use. Currently, only mediasec is supported. + + + + + + + + + List of security mechanisms supported. + + This is a comma-delimited list of security mechanisms to use. Each security mechanism + must be in the form defined by RFC 3329 section 2.2. + + Geolocation profile to apply to incoming calls diff --git a/res/res_pjsip/pjsip_configuration.c b/res/res_pjsip/pjsip_configuration.c index 30d1c4f711..197b4312fe 100644 --- a/res/res_pjsip/pjsip_configuration.c +++ b/res/res_pjsip/pjsip_configuration.c @@ -256,6 +256,31 @@ static int timers_to_str(const void *obj, const intptr_t *args, char **buf) return 0; } +static int security_mechanism_handler(const struct aco_option *opt, struct ast_variable *var, void *obj) +{ + struct ast_sip_endpoint *endpoint = obj; + + return ast_sip_security_mechanism_vector_init(&endpoint->security_mechanisms, var->value); +} + +int ast_sip_set_security_negotiation(enum ast_sip_security_negotiation *security_negotiation, const char *val) { + if (!strcasecmp("no", val)) { + *security_negotiation = AST_SIP_SECURITY_NEG_NONE; + } else if (!strcasecmp("mediasec", val)) { + *security_negotiation = AST_SIP_SECURITY_NEG_MEDIASEC; + } else { + return -1; + } + return 0; +} + +static int security_negotiation_handler(const struct aco_option *opt, struct ast_variable *var, void *obj) +{ + struct ast_sip_endpoint *endpoint = obj; + + return ast_sip_set_security_negotiation(&endpoint->security_negotiation, var->value); +} + void ast_sip_auth_vector_destroy(struct ast_sip_auth_vector *auths) { int i; @@ -2051,6 +2076,8 @@ int ast_res_pjsip_initialize_configuration(void) ast_sorcery_object_field_register(sip_sorcery, "endpoint", "allow_unauthenticated_options", "no", OPT_BOOL_T, 1, FLDSET(struct ast_sip_endpoint, allow_unauthenticated_options)); ast_sorcery_object_field_register(sip_sorcery, "endpoint", "geoloc_incoming_call_profile", "", OPT_STRINGFIELD_T, 0, STRFLDSET(struct ast_sip_endpoint, geoloc_incoming_call_profile)); ast_sorcery_object_field_register(sip_sorcery, "endpoint", "geoloc_outgoing_call_profile", "", OPT_STRINGFIELD_T, 0, STRFLDSET(struct ast_sip_endpoint, geoloc_outgoing_call_profile)); + ast_sorcery_object_field_register_custom(sip_sorcery, "endpoint", "security_mechanisms", "", security_mechanism_handler, NULL, NULL, 0, 0); + ast_sorcery_object_field_register_custom(sip_sorcery, "endpoint", "security_negotiation", "no", security_negotiation_handler, NULL, NULL, 0, 0); if (ast_sip_initialize_sorcery_transport()) { ast_log(LOG_ERROR, "Failed to register SIP transport support with sorcery\n"); diff --git a/res/res_pjsip/pjsip_options.c b/res/res_pjsip/pjsip_options.c index 7632deadd7..220a947762 100644 --- a/res/res_pjsip/pjsip_options.c +++ b/res/res_pjsip/pjsip_options.c @@ -348,6 +348,8 @@ static void sip_contact_status_dtor(void *obj) { struct ast_sip_contact_status *contact_status = obj; + ast_sip_security_mechanisms_vector_destroy(&contact_status->security_mechanisms); + ast_string_field_free_memory(contact_status); } @@ -365,6 +367,7 @@ static struct ast_sip_contact_status *sip_contact_status_alloc(const char *name) ao2_ref(contact_status, -1); return NULL; } + AST_VECTOR_INIT(&contact_status->security_mechanisms, 0); strcpy(contact_status->name, name); /* SAFE */ return contact_status; } @@ -385,6 +388,8 @@ static struct ast_sip_contact_status *sip_contact_status_copy(const struct ast_s dst->rtt = src->rtt; dst->status = src->status; dst->last_status = src->last_status; + + ast_sip_security_mechanisms_vector_copy(&dst->security_mechanisms, &src->security_mechanisms); return dst; } diff --git a/res/res_pjsip/security_agreements.c b/res/res_pjsip/security_agreements.c new file mode 100644 index 0000000000..e542e7c352 --- /dev/null +++ b/res/res_pjsip/security_agreements.c @@ -0,0 +1,340 @@ +/* + * Asterisk -- An open source telephony toolkit. + * + * Copyright (C) 2022, Commend International + * + * Maximilian Fridrich + * + * See http://www.asterisk.org for more information about + * the Asterisk project. Please do not directly contact + * any of the maintainers of this project for assistance; + * the project provides a web site, mailing lists and IRC + * channels for your use. + * + * This program is free software, distributed under the terms of + * the GNU General Public License Version 2. See the LICENSE file + * at the top of the source tree. + */ + +/*! + * \file + * + * \brief Interact with security agreement negotiations and mechanisms + * + * \author Maximilian Fridrich + */ + +#include "asterisk.h" + +#include + +#include "asterisk/res_pjsip.h" + +static struct ast_sip_security_mechanism *ast_sip_security_mechanisms_alloc(size_t n_params) +{ + struct ast_sip_security_mechanism *mech; + + mech = ast_calloc(1, sizeof(struct ast_sip_security_mechanism)); + if (mech == NULL) { + return NULL; + } + mech->qvalue = 0.0; + if (AST_VECTOR_INIT(&mech->mechanism_parameters, n_params) != 0) { + ast_free(mech); + return NULL; + } + + return mech; +} + +static struct ast_sip_security_mechanism *ast_sip_security_mechanisms_copy( + const struct ast_sip_security_mechanism *src) +{ + struct ast_sip_security_mechanism *dst = NULL; + int i, n_params; + char *param; + + n_params = AST_VECTOR_SIZE(&src->mechanism_parameters); + + dst = ast_sip_security_mechanisms_alloc(n_params); + if (dst == NULL) { + return NULL; + } + dst->type = src->type; + dst->qvalue = src->qvalue; + + for (i = 0; i < n_params; i++) { + param = ast_strdup(AST_VECTOR_GET(&src->mechanism_parameters, i)); + AST_VECTOR_APPEND(&dst->mechanism_parameters, param); + } + + return dst; +} + +static void ast_sip_security_mechanisms_destroy(struct ast_sip_security_mechanism *mech) +{ + int i; + + for (i = 0; i < AST_VECTOR_SIZE(&mech->mechanism_parameters); i++) { + ast_free(AST_VECTOR_GET(&mech->mechanism_parameters, i)); + } + AST_VECTOR_FREE(&mech->mechanism_parameters); + ast_free(mech); +} + +void ast_sip_security_mechanisms_vector_copy(struct ast_sip_security_mechanism_vector *dst, + const struct ast_sip_security_mechanism_vector *src) +{ + struct ast_sip_security_mechanism *mech; + int i; + + ast_sip_security_mechanisms_vector_destroy(dst); + for (i = 0; i < AST_VECTOR_SIZE(src); i++) { + mech = AST_VECTOR_GET(src, i); + AST_VECTOR_APPEND(dst, ast_sip_security_mechanisms_copy(mech)); + } +}; + +void ast_sip_security_mechanisms_vector_destroy(struct ast_sip_security_mechanism_vector *security_mechanisms) +{ + struct ast_sip_security_mechanism *mech; + int i; + + if (!security_mechanisms) { + return; + } + + for (i = 0; i < AST_VECTOR_SIZE(security_mechanisms); i++) { + mech = AST_VECTOR_GET(security_mechanisms, i); + ast_sip_security_mechanisms_destroy(mech); + } + AST_VECTOR_FREE(security_mechanisms); +} + +static int ast_sip_str_to_security_mechanism_type(const char *security_mechanism) { + int result = -1; + + if (!strcasecmp(security_mechanism, "msrp-tls")) { + result = AST_SIP_SECURITY_MECH_MSRP_TLS; + } else if (!strcasecmp(security_mechanism, "sdes-srtp")) { + result = AST_SIP_SECURITY_MECH_SDES_SRTP; + } else if (!strcasecmp(security_mechanism, "dtls-srtp")) { + result = AST_SIP_SECURITY_MECH_DTLS_SRTP; + } + + return result; +} + +static char *ast_sip_security_mechanism_type_to_str(enum ast_sip_security_mechanism_type mech_type) { + if (mech_type == AST_SIP_SECURITY_MECH_MSRP_TLS) { + return "msrp-tls"; + } else if (mech_type == AST_SIP_SECURITY_MECH_SDES_SRTP) { + return "sdes-srtp"; + } else if (mech_type == AST_SIP_SECURITY_MECH_DTLS_SRTP) { + return "dtls-srtp"; + } else { + return NULL; + } +} + +static int ast_sip_security_mechanism_to_str(const struct ast_sip_security_mechanism *security_mechanism, int add_qvalue, char **buf) { + char tmp[64]; + size_t size; + size_t buf_size = 128; + int i; + char *ret = ast_calloc(buf_size, sizeof(char)); + + if (ret == NULL) { + return ENOMEM; + } + if (security_mechanism == NULL) { + ast_free(ret); + return EINVAL; + } + + strncat(ret, ast_sip_security_mechanism_type_to_str(security_mechanism->type), buf_size - strlen(ret) - 1); + if (add_qvalue) { + snprintf(tmp, sizeof(tmp), ";q=%f.4", security_mechanism->qvalue); + strncat(ret, tmp, buf_size - strlen(ret) - 1); + } + + size = AST_VECTOR_SIZE(&security_mechanism->mechanism_parameters); + for (i = 0; i < size; ++i) { + snprintf(tmp, sizeof(tmp), ";%s", AST_VECTOR_GET(&security_mechanism->mechanism_parameters, i)); + strncat(ret, tmp, buf_size - strlen(ret) - 1); + } + + *buf = ret; + return 0; +} + +void ast_sip_remove_headers_by_name_and_value(pjsip_msg *msg, const pj_str_t *hdr_name, const char* value) +{ + struct pjsip_generic_string_hdr *hdr = pjsip_msg_find_hdr_by_name(msg, hdr_name, NULL); + for (; hdr; hdr = pjsip_msg_find_hdr_by_name(msg, hdr_name, hdr->next)) { + if (value == NULL || !pj_strcmp2(&hdr->hvalue, value)) { + pj_list_erase(hdr); + } + if (hdr->next == hdr) { + break; + } + } +} + +/*! + * \internal + * \brief Parses a string representing a q_value to a float. + * + * Valid q values must be in the range from 0.0 to 1.0 inclusively. + * + * \param q_value + * \retval The parsed qvalue or -1.0 on failure. + */ +static float parse_qvalue(const char *q_value) { + char *end; + float ret = strtof(q_value, &end); + + if (end == q_value) { + /* Not a number. */ + return -1.0; + } else if ('\0' != *end) { + /* Extra character at end of input. */ + return -1.0; + } else if (ret > 1.0 || ret < 0.0) { + /* Out of valid range. */ + return -1.0; + } + return ret; +} + +int ast_sip_str_to_security_mechanism(struct ast_sip_security_mechanism **security_mechanism, const char *value) { + struct ast_sip_security_mechanism *mech; + char *param; + char *tmp; + char *mechanism = ast_strdupa(value); + int err = 0; + int type = -1; + + mech = ast_sip_security_mechanisms_alloc(1); + if (!mech) { + err = ENOMEM; + goto out; + } + + tmp = ast_strsep(&mechanism, ';', AST_STRSEP_ALL); + type = ast_sip_str_to_security_mechanism_type(tmp); + if (type == -1) { + err = EINVAL; + goto out; + } + + mech->type = type; + while ((param = ast_strsep(&mechanism, ';', AST_STRSEP_ALL))) { + if (!param) { + err = EINVAL; + goto out; + } + if (!strncmp(param, "q=0", 4) || !strncmp(param, "q=1", 4)) { + mech->qvalue = parse_qvalue(¶m[2]); + if (mech->qvalue < 0.0) { + goto out; + } + continue; + } + param = ast_strdup(param); + AST_VECTOR_APPEND(&mech->mechanism_parameters, param); + } + + *security_mechanism = mech; + +out: + if (err && (mech != NULL)) { + ast_sip_security_mechanisms_destroy(mech); + } + return err; +} + +int ast_sip_add_security_headers(struct ast_sip_security_mechanism_vector *security_mechanisms, + const char *header_name, int add_qval, pjsip_tx_data *tdata) { + struct ast_sip_security_mechanism *mech; + char *buf; + int mech_cnt; + int i; + int add_qvalue = 1; + + if (!security_mechanisms || !tdata) { + return EINVAL; + } + + if (!strcmp(header_name, "Security-Client")) { + add_qvalue = 0; + } else if (strcmp(header_name, "Security-Server") && + strcmp(header_name, "Security-Verify")) { + return EINVAL; + } + /* If we're adding Security-Client headers, don't add q-value + * even if the function caller requested it. */ + add_qvalue = add_qvalue && add_qval; + + mech_cnt = AST_VECTOR_SIZE(security_mechanisms); + for (i = 0; i < mech_cnt; ++i) { + mech = AST_VECTOR_GET(security_mechanisms, i); + if (ast_sip_security_mechanism_to_str(mech, add_qvalue, &buf)) { + continue; + } + ast_sip_add_header(tdata, header_name, buf); + ast_free(buf); + } + return 0; +} + +void ast_sip_header_to_security_mechanism(const pjsip_generic_string_hdr *hdr, + struct ast_sip_security_mechanism_vector *security_mechanisms) { + + struct ast_sip_security_mechanism *mech; + char buf[512]; + char *hdr_val; + char *mechanism; + + if (!security_mechanisms || !hdr) { + return; + } + + if (pj_stricmp2(&hdr->name, "Security-Client") && pj_stricmp2(&hdr->name, "Security-Server") && + pj_stricmp2(&hdr->name, "Security-Verify")) { + return; + } + + ast_copy_pj_str(buf, &hdr->hvalue, sizeof(buf)); + hdr_val = ast_skip_blanks(buf); + + while ((mechanism = ast_strsep(&hdr_val, ',', AST_STRSEP_ALL))) { + if (!ast_sip_str_to_security_mechanism(&mech, mechanism)) { + AST_VECTOR_APPEND(security_mechanisms, mech); + } + } +} + +int ast_sip_security_mechanism_vector_init(struct ast_sip_security_mechanism_vector *security_mechanisms, const char *value) +{ + char *val = value ? ast_strdupa(value) : NULL; + struct ast_sip_security_mechanism *mech; + char *mechanism; + + ast_sip_security_mechanisms_vector_destroy(security_mechanisms); + if (AST_VECTOR_INIT(security_mechanisms, 1)) { + return -1; + } + + if (!val) { + return 0; + } + + while ((mechanism = ast_strsep(&val, ',', AST_STRSEP_ALL))) { + if (!ast_sip_str_to_security_mechanism(&mech, mechanism)) { + AST_VECTOR_APPEND(security_mechanisms, mech); + } + } + + return 0; +} diff --git a/res/res_pjsip_outbound_registration.c b/res/res_pjsip_outbound_registration.c index da4fff2e69..565425290b 100644 --- a/res/res_pjsip_outbound_registration.c +++ b/res/res_pjsip_outbound_registration.c @@ -87,6 +87,22 @@ are made. + + The kind of security agreement negotiation to use. Currently, only mediasec is supported. + + + + + + + + + List of security mechanisms supported. + + This is a comma-delimited list of security mechanisms to use. Each security mechanism + must be in the form defined by RFC 3329 section 2.2. + + Authentication object(s) to be used for outbound registrations. @@ -328,6 +344,10 @@ struct sip_outbound_registration { unsigned int max_retries; /*! \brief Whether to add a line parameter to the outbound Contact or not */ unsigned int line; + /*! \brief Type of security negotiation to use (RFC 3329). */ + enum ast_sip_security_negotiation security_negotiation; + /*! \brief Client security mechanisms (RFC 3329). */ + struct ast_sip_security_mechanism_vector security_mechanisms; /*! \brief Configured authentication credentials */ struct ast_sip_auth_vector outbound_auths; /*! \brief Whether Path support is enabled */ @@ -371,6 +391,12 @@ struct sip_outbound_registration_client_state { unsigned int auth_rejection_permanent; /*! \brief Determines whether SIP Path support should be advertised */ unsigned int support_path; + /*! \brief Type of security negotiation to use (RFC 3329). */ + enum ast_sip_security_negotiation security_negotiation; + /*! \brief Client security mechanisms (RFC 3329). */ + struct ast_sip_security_mechanism_vector security_mechanisms; + /*! \brief Security mechanisms of the peer (RFC 3329). */ + struct ast_sip_security_mechanism_vector server_security_mechanisms; /*! CSeq number of last sent auth request. */ unsigned int auth_cseq; /*! \brief Serializer for stuff and things */ @@ -542,6 +568,117 @@ static void cancel_registration(struct sip_outbound_registration_client_state *c static pj_str_t PATH_NAME = { "path", 4 }; +AST_VECTOR(pjsip_generic_string_hdr_vector, pjsip_generic_string_hdr *); + +/*! + * \internal + * \brief Callback function which finds a contact whose contact_status has security mechanisms. + * + * \param obj Pointer to the ast_sip_contact. + * \param arg Pointer-pointer to a contact_status that will be set to the contact_status found by this function. + * \param flags Flags used by the ao2_callback function. + * + * \note The refcount of the found contact_status must be decremented by the caller. + */ +static int contact_has_security_mechanisms(void *obj, void *arg, int flags) +{ + struct ast_sip_contact *contact = obj; + struct ast_sip_contact_status **ret = arg; + struct ast_sip_contact_status *contact_status = ast_sip_get_contact_status(contact); + + if (!contact_status) { + return -1; + } + if (!AST_VECTOR_SIZE(&contact_status->security_mechanisms)) { + ao2_cleanup(contact_status); + return -1; + } + *ret = contact_status; + return 0; +} + +static int contact_add_security_headers_to_status(void *obj, void *arg, int flags) +{ + struct ast_sip_contact *contact = obj; + struct pjsip_generic_string_hdr_vector *header_vector = arg; + struct ast_sip_contact_status *contact_status = ast_sip_get_contact_status(contact); + + if (!contact_status) { + return -1; + } + if (AST_VECTOR_SIZE(&contact_status->security_mechanisms)) { + goto out; + } + + ao2_lock(contact_status); + AST_VECTOR_CALLBACK_VOID(header_vector, ast_sip_header_to_security_mechanism, &contact_status->security_mechanisms); + ao2_unlock(contact_status); + +out: + ao2_cleanup(contact_status); + return 0; +} + +/*! \brief Adds security negotiation mechanisms of outbound registration client state as Security headers to tdata. */ +static void add_security_headers(struct sip_outbound_registration_client_state *client_state, + pjsip_tx_data *tdata) +{ + struct sip_outbound_registration *reg = NULL; + struct ast_sip_endpoint *endpt = NULL; + struct ao2_container *contact_container; + struct ast_sip_contact_status *contact_status = NULL; + struct ast_sip_security_mechanism_vector *sec_mechs = NULL; + static const pj_str_t security_verify = { "Security-Verify", 15 }; + static const pj_str_t security_client = { "Security-Client", 15 }; + static const pj_str_t proxy_require = { "Proxy-Require", 13 }; + static const pj_str_t require = { "Require", 7 }; + + if (client_state->security_negotiation != AST_SIP_SECURITY_NEG_MEDIASEC) { + return; + } + + /* Get contact status through registration -> endpoint name -> aor -> contact (if set) */ + if ((reg = ast_sorcery_retrieve_by_id(ast_sip_get_sorcery(), "registration", client_state->registration_name)) + && !ast_strlen_zero(reg->endpoint) && (endpt = ast_sorcery_retrieve_by_id(ast_sip_get_sorcery(), "endpoint", reg->endpoint)) + && (contact_container = ast_sip_location_retrieve_contacts_from_aor_list(endpt->aors))) { + /* Retrieve all contacts associated with aors from this endpoint + * and find the first one that has security mechanisms. + */ + ao2_callback(contact_container, 0, contact_has_security_mechanisms, &contact_status); + if (contact_status) { + ao2_lock(contact_status); + sec_mechs = &contact_status->security_mechanisms; + } + ao2_cleanup(contact_container); + } + /* Use client_state->server_security_mechanisms if contact_status does not exist. */ + if (!contact_status && AST_VECTOR_SIZE(&client_state->server_security_mechanisms)) { + sec_mechs = &client_state->server_security_mechanisms; + } + if (client_state->status == SIP_REGISTRATION_REGISTERED || client_state->status == SIP_REGISTRATION_REJECTED_TEMPORARY + || client_state->auth_attempted) { + if (sec_mechs != NULL && pjsip_msg_find_hdr_by_name(tdata->msg, &security_verify, NULL) == NULL) { + ast_sip_add_security_headers(sec_mechs, "Security-Verify", 0, tdata); + } + ast_sip_remove_headers_by_name_and_value(tdata->msg, &security_client, NULL); + ast_sip_remove_headers_by_name_and_value(tdata->msg, &proxy_require, "mediasec"); + ast_sip_remove_headers_by_name_and_value(tdata->msg, &require, "mediasec"); + } else { + ast_sip_add_security_headers(&client_state->security_mechanisms, "Security-Client", 0, tdata); + } + + ast_sip_add_header(tdata, "Require", "mediasec"); + ast_sip_add_header(tdata, "Proxy-Require", "mediasec"); + + /* Cleanup */ + if (contact_status) { + ao2_unlock(contact_status); + ao2_cleanup(contact_status); + } + ao2_cleanup(endpt); + ao2_cleanup(reg); +} + /*! \brief Helper function which sends a message and cleans up, if needed, on failure */ static pj_status_t registration_client_send(struct sip_outbound_registration_client_state *client_state, pjsip_tx_data *tdata) @@ -566,6 +703,9 @@ static pj_status_t registration_client_send(struct sip_outbound_registration_cli */ pjsip_tx_data_add_ref(tdata); + /* Add Security-Verify or Security-Client headers */ + add_security_headers(client_state, tdata); + /* * Set the transport in case transports were reloaded. * When pjproject removes the extraneous error messages produced, @@ -779,6 +919,8 @@ static int handle_client_state_destruction(void *data) update_client_state_status(client_state, SIP_REGISTRATION_STOPPED); ast_sip_auth_vector_destroy(&client_state->outbound_auths); + ast_sip_security_mechanisms_vector_destroy(&client_state->security_mechanisms); + ast_sip_security_mechanisms_vector_destroy(&client_state->server_security_mechanisms); ao2_ref(client_state, -1); return 0; @@ -967,19 +1109,60 @@ static int handle_registration_response(void *data) return 0; } } - } else if ((response->code == 401 || response->code == 407) + } else if ((response->code == 401 || response->code == 407 || response->code == 494) && (!response->client_state->auth_attempted || response->rdata->msg_info.cseq->cseq != response->client_state->auth_cseq)) { int res; pjsip_cseq_hdr *cseq_hdr; pjsip_tx_data *tdata; - if (!ast_sip_create_request_with_auth(&response->client_state->outbound_auths, + if (response->client_state->security_negotiation == AST_SIP_SECURITY_NEG_MEDIASEC) { + struct sip_outbound_registration *reg = NULL; + struct ast_sip_endpoint *endpt = NULL; + struct ao2_container *contact_container = NULL; + pjsip_generic_string_hdr *header; + struct pjsip_generic_string_hdr_vector header_vector; + static const pj_str_t security_server = { "Security-Server", 15 }; + + if ((reg = ast_sorcery_retrieve_by_id(ast_sip_get_sorcery(), "registration", + response->client_state->registration_name)) && reg->endpoint && + (endpt = ast_sorcery_retrieve_by_id(ast_sip_get_sorcery(), "endpoint", reg->endpoint))) { + /* Retrieve all contacts associated with aors from this endpoint (if set). */ + contact_container = ast_sip_location_retrieve_contacts_from_aor_list(endpt->aors); + } + /* Add server list of security mechanism to client_state and contact status if exists. */ + AST_VECTOR_INIT(&header_vector, 1); + header = pjsip_msg_find_hdr_by_name(response->rdata->msg_info.msg, &security_server, NULL); + for (; header; + header = pjsip_msg_find_hdr_by_name(response->rdata->msg_info.msg, &security_server, header->next)) { + AST_VECTOR_APPEND(&header_vector, header); + ast_sip_header_to_security_mechanism(header, &response->client_state->server_security_mechanisms); + } + if (contact_container) { + /* Add server security mechanisms to contact status of all associated contacts to be able to send correct + * Security-Verify headers on subsequent non-REGISTER requests through this outbound registration. + */ + ao2_callback(contact_container, OBJ_NODATA, contact_add_security_headers_to_status, &header_vector); + ao2_cleanup(contact_container); + } + AST_VECTOR_FREE(&header_vector); + ao2_cleanup(endpt); + ao2_cleanup(reg); + } + + if (response->code == 494) { + update_client_state_status(response->client_state, SIP_REGISTRATION_REJECTED_TEMPORARY); + response->client_state->retries++; + schedule_registration(response->client_state, 0); + ao2_ref(response, -1); + return 0; + } else if (!ast_sip_create_request_with_auth(&response->client_state->outbound_auths, response->rdata, response->old_request, &tdata)) { response->client_state->auth_attempted = 1; ast_debug(1, "Sending authenticated REGISTER to server '%s' from client '%s'\n", server_uri, client_uri); pjsip_tx_data_add_ref(tdata); + res = registration_client_send(response->client_state, tdata); /* Save the cseq that actually got sent. */ @@ -1248,6 +1431,7 @@ static void sip_outbound_registration_destroy(void *obj) struct sip_outbound_registration *registration = obj; ast_sip_auth_vector_destroy(®istration->outbound_auths); + ast_sip_security_mechanisms_vector_destroy(®istration->security_mechanisms); ast_string_field_free_memory(registration); } @@ -1474,6 +1658,8 @@ static int sip_outbound_registration_perform(void *data) /* Just in case the client state is being reused for this registration, free the auth information */ ast_sip_auth_vector_destroy(&state->client_state->outbound_auths); + ast_sip_security_mechanisms_vector_destroy(&state->client_state->security_mechanisms); + ast_sip_security_mechanisms_vector_destroy(&state->client_state->server_security_mechanisms); AST_VECTOR_INIT(&state->client_state->outbound_auths, AST_VECTOR_SIZE(®istration->outbound_auths)); for (i = 0; i < AST_VECTOR_SIZE(®istration->outbound_auths); ++i) { @@ -1483,12 +1669,15 @@ static int sip_outbound_registration_perform(void *data) ast_free(name); } } + ast_sip_security_mechanisms_vector_copy(&state->client_state->security_mechanisms, + ®istration->security_mechanisms); state->client_state->retry_interval = registration->retry_interval; state->client_state->forbidden_retry_interval = registration->forbidden_retry_interval; state->client_state->fatal_retry_interval = registration->fatal_retry_interval; state->client_state->max_retries = registration->max_retries; state->client_state->retries = 0; state->client_state->support_path = registration->support_path; + state->client_state->security_negotiation = registration->security_negotiation; state->client_state->auth_rejection_permanent = registration->auth_rejection_permanent; max_delay = registration->max_random_initial_delay; @@ -1587,6 +1776,20 @@ static int sip_outbound_registration_apply(const struct ast_sorcery *sorcery, vo return 0; } +static int security_mechanisms_handler(const struct aco_option *opt, struct ast_variable *var, void *obj) +{ + struct sip_outbound_registration *registration = obj; + + return ast_sip_security_mechanism_vector_init(®istration->security_mechanisms, var->value); +} + +static int security_negotiation_handler(const struct aco_option *opt, struct ast_variable *var, void *obj) +{ + struct sip_outbound_registration *registration = obj; + + return ast_sip_set_security_negotiation(®istration->security_negotiation, var->value); +} + static int outbound_auth_handler(const struct aco_option *opt, struct ast_variable *var, void *obj) { struct sip_outbound_registration *registration = obj; @@ -2313,6 +2516,8 @@ static int load_module(void) ast_sorcery_object_field_register(ast_sip_get_sorcery(), "registration", "auth_rejection_permanent", "yes", OPT_BOOL_T, 1, FLDSET(struct sip_outbound_registration, auth_rejection_permanent)); ast_sorcery_object_field_register_custom(ast_sip_get_sorcery(), "registration", "outbound_auth", "", outbound_auth_handler, outbound_auths_to_str, outbound_auths_to_var_list, 0, 0); ast_sorcery_object_field_register(ast_sip_get_sorcery(), "registration", "support_path", "no", OPT_BOOL_T, 1, FLDSET(struct sip_outbound_registration, support_path)); + ast_sorcery_object_field_register_custom(ast_sip_get_sorcery(), "registration", "security_negotiation", "no", security_negotiation_handler, NULL, NULL, 0, 0); + ast_sorcery_object_field_register_custom(ast_sip_get_sorcery(), "registration", "security_mechanisms", "", security_mechanisms_handler, NULL, NULL, 0, 0); ast_sorcery_object_field_register(ast_sip_get_sorcery(), "registration", "line", "no", OPT_BOOL_T, 1, FLDSET(struct sip_outbound_registration, line)); ast_sorcery_object_field_register(ast_sip_get_sorcery(), "registration", "endpoint", "", OPT_STRINGFIELD_T, 0, STRFLDSET(struct sip_outbound_registration, endpoint)); diff --git a/res/res_pjsip_rfc3329.c b/res/res_pjsip_rfc3329.c new file mode 100644 index 0000000000..167dfa016d --- /dev/null +++ b/res/res_pjsip_rfc3329.c @@ -0,0 +1,150 @@ +/* + * Asterisk -- An open source telephony toolkit. + * + * Copyright (C) 2022, Commend International + * + * Maximilian Fridrich + * + * See http://www.asterisk.org for more information about + * the Asterisk project. Please do not directly contact + * any of the maintainers of this project for assistance; + * the project provides a web site, mailing lists and IRC + * channels for your use. + * + * This program is free software, distributed under the terms of + * the GNU General Public License Version 2. See the LICENSE file + * at the top of the source tree. + */ + +/*** MODULEINFO + pjproject + res_pjsip + res_pjsip_session + core + ***/ + +#include "asterisk.h" + +#include +#include + +#include "asterisk/res_pjsip.h" +#include "asterisk/res_pjsip_session.h" +#include "asterisk/module.h" +#include "asterisk/causes.h" +#include "asterisk/threadpool.h" + +static void rfc3329_incoming_response(struct ast_sip_session *session, struct pjsip_rx_data *rdata) +{ + static const pj_str_t str_security_server = { "Security-Server", 15 }; + struct ast_sip_contact_status *contact_status = NULL; + struct ast_sip_security_mechanism *mech; + pjsip_generic_string_hdr *header; + char buf[128]; + char *hdr_val; + char *mechanism; + + if (!session || !session->endpoint || !session->endpoint->security_negotiation + || !session->contact || !(contact_status = ast_sip_get_contact_status(session->contact))) { + return; + } + + ao2_lock(contact_status); + if (AST_VECTOR_SIZE(&contact_status->security_mechanisms)) { + goto out; + } + + header = pjsip_msg_find_hdr_by_name(rdata->msg_info.msg, &str_security_server, NULL); + for (; header; + header = pjsip_msg_find_hdr_by_name(rdata->msg_info.msg, &str_security_server, header->next)) { + /* Parse Security-Server headers and add to contact status to use for future requests. */ + ast_copy_pj_str(buf, &header->hvalue, sizeof(buf)); + hdr_val = ast_skip_blanks(buf); + + while ((mechanism = ast_strsep(&hdr_val, ',', AST_STRSEP_ALL))) { + if (!ast_sip_str_to_security_mechanism(&mech, mechanism)) { + AST_VECTOR_APPEND(&contact_status->security_mechanisms, mech); + } + } + } + +out: + ao2_unlock(contact_status); + ao2_cleanup(contact_status); +} + +static void add_outgoing_request_headers(struct ast_sip_endpoint *endpoint, struct ast_sip_contact *contact, struct pjsip_tx_data *tdata) +{ + static const pj_str_t security_verify = { "Security-Verify", 15 }; + struct pjsip_generic_string_hdr *hdr = NULL; + struct ast_sip_contact_status *contact_status = NULL; + + if (endpoint->security_negotiation != AST_SIP_SECURITY_NEG_MEDIASEC) { + return; + } + + contact_status = ast_sip_get_contact_status(contact); + hdr = pjsip_msg_find_hdr_by_name(tdata->msg, &security_verify, NULL); + + if (contact_status == NULL) { + return; + } + + ao2_lock(contact_status); + if (AST_VECTOR_SIZE(&contact_status->security_mechanisms) && hdr == NULL) { + /* Add Security-Verify headers (with q-value) */ + ast_sip_add_security_headers(&contact_status->security_mechanisms, "Security-Verify", 0, tdata); + } else if (!hdr && AST_VECTOR_SIZE(&endpoint->security_mechanisms)) { + /* Add Security-Client headers (no q-value) */ + ast_sip_add_security_headers(&endpoint->security_mechanisms, "Security-Client", 0, tdata); + } + ao2_unlock(contact_status); + ast_sip_add_header(tdata, "Require", "mediasec"); + ast_sip_add_header(tdata, "Proxy-Require", "mediasec"); + + ao2_cleanup(contact_status); +} + +static void rfc3329_outgoing_request(struct ast_sip_session *session, struct pjsip_tx_data *tdata) +{ + if (session->contact == NULL) { + return; + } + add_outgoing_request_headers(session->endpoint, session->contact, tdata); +} + +static struct ast_sip_session_supplement rfc3329_supplement = { + .incoming_response = rfc3329_incoming_response, + .outgoing_request = rfc3329_outgoing_request, +}; + +static void rfc3329_options_request(struct ast_sip_endpoint *endpoint, struct ast_sip_contact *contact, struct pjsip_tx_data *tdata) +{ + add_outgoing_request_headers(endpoint, contact, tdata); +} + +static struct ast_sip_supplement rfc3329_options_supplement = { + .method = "OPTIONS", + .outgoing_request = rfc3329_options_request, +}; + +static int load_module(void) +{ + ast_sip_session_register_supplement(&rfc3329_supplement); + ast_sip_register_supplement(&rfc3329_options_supplement); + return AST_MODULE_LOAD_SUCCESS; +} + +static int unload_module(void) +{ + ast_sip_session_unregister_supplement(&rfc3329_supplement); + return 0; +} + +AST_MODULE_INFO(ASTERISK_GPL_KEY, AST_MODFLAG_LOAD_ORDER, "PJSIP RFC 3329 Support (partial)", + .support_level = AST_MODULE_SUPPORT_CORE, + .load = load_module, + .unload = unload_module, + .load_pri = AST_MODPRI_APP_DEPEND, + .requires = "res_pjsip,res_pjsip_session", +); diff --git a/res/res_pjsip_sdp_rtp.c b/res/res_pjsip_sdp_rtp.c index 35b2932b15..20ffcabd79 100644 --- a/res/res_pjsip_sdp_rtp.c +++ b/res/res_pjsip_sdp_rtp.c @@ -1526,6 +1526,7 @@ static int add_crypto_to_stream(struct ast_sip_session *session, static const pj_str_t STR_PASSIVE = { "passive", 7 }; static const pj_str_t STR_ACTPASS = { "actpass", 7 }; static const pj_str_t STR_HOLDCONN = { "holdconn", 8 }; + static const pj_str_t STR_MEDSECREQ = { "requested", 9 }; enum ast_rtp_dtls_setup setup; switch (session_media->encryption) { @@ -1556,6 +1557,11 @@ static int add_crypto_to_stream(struct ast_sip_session *session, media->attr[media->attr_count++] = attr; } while ((tmp = AST_LIST_NEXT(tmp, sdp_srtp_list))); + if (session->endpoint->security_negotiation == AST_SIP_SECURITY_NEG_MEDIASEC) { + attr = pjmedia_sdp_attr_create(pool, "3ge2ae", &STR_MEDSECREQ); + media->attr[media->attr_count++] = attr; + } + break; case AST_SIP_MEDIA_ENCRYPT_DTLS: if (setup_dtls_srtp(session, session_media)) { diff --git a/res/res_pjsip_session.c b/res/res_pjsip_session.c index f42dd2f970..bbb2b39bf5 100644 --- a/res/res_pjsip_session.c +++ b/res/res_pjsip_session.c @@ -4759,7 +4759,8 @@ static void session_inv_on_tsx_state_changed(pjsip_inv_session *inv, pjsip_trans ast_debug(1, "%s: reINVITE received final response code %d\n", ast_sip_session_get_name(session), tsx->status_code); - if ((tsx->status_code == 401 || tsx->status_code == 407) + if ((tsx->status_code == 401 || tsx->status_code == 407 + || (session->endpoint->security_negotiation && tsx->status_code == 494)) && ++session->authentication_challenge_count < MAX_RX_CHALLENGES && !ast_sip_create_request_with_auth( &session->endpoint->outbound_auths, @@ -4853,7 +4854,7 @@ static void session_inv_on_tsx_state_changed(pjsip_inv_session *inv, pjsip_trans ast_sip_session_get_name(session), (int) pj_strlen(&tsx->method.name), pj_strbuf(&tsx->method.name), tsx->status_code); - if ((tsx->status_code == 401 || tsx->status_code == 407) + if ((tsx->status_code == 401 || tsx->status_code == 407 || tsx->status_code == 494) && ++session->authentication_challenge_count < MAX_RX_CHALLENGES && !ast_sip_create_request_with_auth( &session->endpoint->outbound_auths,