File 1-mediasec-18.12.patch of Package asterisk

Overview Repositories Revisions Requests Users Attributes Meta

File 1-mediasec-18.12.patch of Package asterisk

diff -Nurp asterisk-18.12.1/res/res_pjsip/pjsip_options.c asterisk-18.12.1-patched/res/res_pjsip/pjsip_options.c
--- asterisk-18.12.1/res/res_pjsip/pjsip_options.c	2022-05-19 17:51:28.000000000 +0200
+++ asterisk-18.12.1-patched/res/res_pjsip/pjsip_options.c	2022-06-10 16:42:50.113418424 +0200
@@ -212,6 +212,8 @@ static struct ao2_container *sip_options
  */
 static struct ast_taskprocessor *management_serializer;
 
+static int sip_options_qualify_contact(void *obj, void *arg, int flags);
+
 static pj_status_t send_options_response(pjsip_rx_data *rdata, int code)
 {
 	pjsip_endpoint *endpt = ast_sip_get_pjsip_endpoint();
@@ -801,6 +803,15 @@ static void qualify_contact_cb(void *tok
 		break;
 	}
 
+	/* check for 494 */
+	if (status == AVAILABLE && e->body.tsx_state.src.rdata->msg_info.msg->line.status.code == 494) {
+		/* need to resend the options request with mediasec headers */
+		ast_debug(3,"detected 494 - call sip_options_qualify_contact again with mediasec header\n");
+		sip_options_qualify_contact(contact_callback_data->contact, contact_callback_data->aor_options, 494);
+		ao2_ref(contact_callback_data, -1);
+		return;
+	}
+
 	/* Update the callback data with the new status, this will get handled in the AOR serializer */
 	contact_callback_data->status = status;
 
@@ -905,6 +916,14 @@ static int sip_options_qualify_contact(v
 		return 0;
 	}
 
+	if (flags && flags == 494) {
+		/* add mediasec header */
+		ast_debug(3,"OPTIONS: adding MEDIASEC headers\n");
+		ast_sip_add_header(tdata,"Security-Verify","msrp-tls;mediasec");
+		ast_sip_add_header(tdata,"Security-Verify","sdes-srtp;mediasec");
+		ast_sip_add_header(tdata,"Security-Verify","dtls-srtp;mediasec");
+	}
+
 	if (ast_sip_send_out_of_dialog_request(tdata, endpoint,
 		(int)(aor_options->qualify_timeout * 1000), contact_callback_data,
 		qualify_contact_cb)) {
diff -Nurp asterisk-18.12.1/res/res_pjsip_outbound_registration.c asterisk-18.12.1-patched/res/res_pjsip_outbound_registration.c
--- asterisk-18.12.1/res/res_pjsip_outbound_registration.c	2022-05-19 17:51:28.000000000 +0200
+++ asterisk-18.12.1-patched/res/res_pjsip_outbound_registration.c	2022-06-10 16:42:50.113418424 +0200
@@ -392,6 +392,8 @@ struct sip_outbound_registration_client_
 	char *transport_name;
 	/*! \brief The name of the registration sorcery object */
 	char *registration_name;
+	/*! \brief Indicator, if there was a 494 response before */
+	unsigned int is494;
 };
 
 /*! \brief Outbound registration state information (persists for lifetime that registration should exist) */
@@ -694,6 +696,19 @@ static int handle_client_registration(vo
 		return -1;
 	}
 
+	/* Add some header for mediasec */
+	if (client_state->is494) {
+		/* answer for 494 */
+		ast_sip_add_header(tdata,"Security-Verify","msrp-tls;mediasec");
+		ast_sip_add_header(tdata,"Security-Verify","sdes-srtp;mediasec");
+		ast_sip_add_header(tdata,"Security-Verify","dtls-srtp;mediasec");
+	}
+	else {
+		ast_sip_add_header(tdata,"Security-Client","sdes-srtp;mediasec");
+		ast_sip_add_header(tdata,"Proxy-Require","mediasec");
+		ast_sip_add_header(tdata,"Require","mediasec");
+	}
+
 	registration_client_send(client_state, tdata);
 
 	return 0;
@@ -1092,6 +1107,27 @@ static int handle_registration_response(
 			response->client_state->auth_attempted = 1;
 			ast_debug(1, "Sending authenticated REGISTER to server '%s' from client '%s'\n",
 					server_uri, client_uri);
+
+			/* Add MEDIASEC headers */
+			static const pj_str_t headerName = { "Security-Server", 15 };
+			pjsip_generic_string_hdr *secSrv;
+			secSrv = pjsip_msg_find_hdr_by_name(response->rdata->msg_info.msg, &headerName, NULL);
+			if (secSrv) {
+				response->client_state->is494=0;
+
+				static const pj_str_t headerNameVrfy = { "Security-Verify", 15 };
+				pjsip_generic_string_hdr *secVrfy;
+				secVrfy = pjsip_msg_find_hdr_by_name(tdata->msg, &headerNameVrfy, NULL);
+
+				/* initial register doesn't contain it */
+				if (! secVrfy) {
+					ast_debug(3, "Adding MEDIASEC headers\n");
+					ast_sip_add_header(tdata,"Security-Verify","msrp-tls;mediasec");
+					ast_sip_add_header(tdata,"Security-Verify","sdes-srtp;mediasec");
+					ast_sip_add_header(tdata,"Security-Verify","dtls-srtp;mediasec");
+				}
+			}
+
 			pjsip_tx_data_add_ref(tdata);
 			res = registration_client_send(response->client_state, tdata);
 
@@ -1118,6 +1154,8 @@ static int handle_registration_response(
 		if (response->expiration) {
 			int next_registration_round;
 
+			response->client_state->is494=0;
+
 			/* If the registration went fine simply reschedule registration for the future */
 			ast_debug(1, "Outbound registration to '%s' with client '%s' successful\n", server_uri, client_uri);
 			update_client_state_status(response->client_state, SIP_REGISTRATION_REGISTERED);
@@ -1134,6 +1172,8 @@ static int handle_registration_response(
 				response->client_state->registration_name);
 		} else {
 			ast_debug(1, "Outbound unregistration to '%s' with client '%s' successful\n", server_uri, client_uri);
+			response->client_state->is494=0;
+
 			update_client_state_status(response->client_state, SIP_REGISTRATION_UNREGISTERED);
 			ast_sip_transport_monitor_unregister(response->rdata->tp_info.transport,
 				registration_transport_shutdown_cb, response->client_state->registration_name,
@@ -1143,6 +1183,22 @@ static int handle_registration_response(
 		save_response_fields_to_transport(response);
 	} else if (response->client_state->destroy) {
 		/* We need to deal with the pending destruction instead. */
+	} else if (response->code == 494) {
+		if (response->client_state->is494) {
+			ast_log(LOG_WARNING, "MEDIASEC registration to '%s' with client '%s' failed (494-loop detected), stopping registration attempt\n",
+				server_uri, client_uri);
+			/* 494 loop detected! This is fatal! */
+			update_client_state_status(response->client_state, SIP_REGISTRATION_REJECTED_PERMANENT);
+			/* reset is494 */
+			response->client_state->is494=0;
+		} else {
+			/* Try (initial) registration again - but now with additional headers */
+			response->client_state->is494=1;
+			ao2_ref(response->client_state, +1);
+			handle_client_registration(response->client_state);
+			ao2_ref(response, -1);
+			return 0;
+		}
 	} else if (response->retry_after) {
 		/* If we have been instructed to retry after a period of time, schedule it as such */
 		schedule_retry(response, response->retry_after, server_uri, client_uri);
@@ -1870,6 +1926,9 @@ static int unregister_task(void *obj)
 
 	if (pjsip_regc_unregister(client, &tdata) == PJ_SUCCESS
 		&& add_configured_supported_headers(state->client_state, tdata)) {
+		ast_sip_add_header(tdata,"Security-Client","sdes-srtp;mediasec");
+		ast_sip_add_header(tdata,"Proxy-Require","mediasec");
+		ast_sip_add_header(tdata,"Require","mediasec");
 		registration_client_send(state->client_state, tdata);
 	}
 
diff -Nurp asterisk-18.12.1/res/res_pjsip_sdp_rtp.c asterisk-18.12.1-patched/res/res_pjsip_sdp_rtp.c
--- asterisk-18.12.1/res/res_pjsip_sdp_rtp.c	2022-05-19 17:51:28.000000000 +0200
+++ asterisk-18.12.1-patched/res/res_pjsip_sdp_rtp.c	2022-06-10 16:42:50.117418424 +0200
@@ -1607,6 +1607,7 @@ static int add_crypto_to_stream(struct a
 	static const pj_str_t STR_PASSIVE = { "passive", 7 };
 	static const pj_str_t STR_ACTPASS = { "actpass", 7 };
 	static const pj_str_t STR_HOLDCONN = { "holdconn", 8 };
+	static const pj_str_t STR_MEDSECREQ = { "requested", 9 };
 	enum ast_rtp_dtls_setup setup;
 
 	switch (session_media->encryption) {
@@ -1622,6 +1623,8 @@ static int add_crypto_to_stream(struct a
 		}
 
 		tmp = session_media->srtp;
+		attr = pjmedia_sdp_attr_create(pool, "3ge2ae", &STR_MEDSECREQ);
+		media->attr[media->attr_count++] = attr;
 
 		do {
 			crypto_attribute = ast_sdp_srtp_get_attrib(tmp,
diff -Nurp asterisk-18.12.1/res/res_pjsip_session.c asterisk-18.12.1-patched/res/res_pjsip_session.c
--- asterisk-18.12.1/res/res_pjsip_session.c	2022-05-19 17:51:28.000000000 +0200
+++ asterisk-18.12.1-patched/res/res_pjsip_session.c	2022-06-10 16:42:50.121418424 +0200
@@ -2514,6 +2514,13 @@ static int sip_session_refresh(struct as
 			SCOPE_EXIT_LOG_RTN_VALUE(-1, LOG_WARNING, "%s: on_request_creation failed.\n", ast_sip_session_get_name(session));
 		}
 	}
+	if (session->endpoint->media.rtp.encryption == AST_SIP_MEDIA_ENCRYPT_SDES) {
+		ast_debug(3, "INVITE: Adding MEDIASEC headers\n");
+		ast_sip_add_header(tdata,"Security-Verify","msrp-tls;mediasec");
+		ast_sip_add_header(tdata,"Security-Verify","sdes-srtp;mediasec");
+		ast_sip_add_header(tdata,"Security-Verify","dtls-srtp;mediasec");
+	}
+
 	ast_sip_session_send_request_with_cb(session, tdata, on_response);
 	ast_sip_session_media_state_free(active_media_state);
 
@@ -2873,6 +2880,13 @@ int ast_sip_session_create_invite(struct
 		SCOPE_EXIT_RTN_VALUE(-1, "pjsip_inv_invite failed\n");
 	}
 
+	if (session->endpoint->media.rtp.encryption == AST_SIP_MEDIA_ENCRYPT_SDES) {
+		ast_debug(3, "INVITE: Adding MEDIASEC headers\n");
+		ast_sip_add_header(*tdata,"Security-Verify","msrp-tls;mediasec");
+		ast_sip_add_header(*tdata,"Security-Verify","sdes-srtp;mediasec");
+		ast_sip_add_header(*tdata,"Security-Verify","dtls-srtp;mediasec");
+	}
+
 	SCOPE_EXIT_RTN_VALUE(0);
 }

Places

File 1-mediasec-18.12.patch of Package asterisk

Places