Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
home:abergmann:voip:asterisk18
asterisk
1-mediasec-18.12.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File 1-mediasec-18.12.patch of Package asterisk
diff -Nurp asterisk-18.12.1/res/res_pjsip/pjsip_options.c asterisk-18.12.1-patched/res/res_pjsip/pjsip_options.c --- asterisk-18.12.1/res/res_pjsip/pjsip_options.c 2022-05-19 17:51:28.000000000 +0200 +++ asterisk-18.12.1-patched/res/res_pjsip/pjsip_options.c 2022-06-10 16:42:50.113418424 +0200 @@ -212,6 +212,8 @@ static struct ao2_container *sip_options */ static struct ast_taskprocessor *management_serializer; +static int sip_options_qualify_contact(void *obj, void *arg, int flags); + static pj_status_t send_options_response(pjsip_rx_data *rdata, int code) { pjsip_endpoint *endpt = ast_sip_get_pjsip_endpoint(); @@ -801,6 +803,15 @@ static void qualify_contact_cb(void *tok break; } + /* check for 494 */ + if (status == AVAILABLE && e->body.tsx_state.src.rdata->msg_info.msg->line.status.code == 494) { + /* need to resend the options request with mediasec headers */ + ast_debug(3,"detected 494 - call sip_options_qualify_contact again with mediasec header\n"); + sip_options_qualify_contact(contact_callback_data->contact, contact_callback_data->aor_options, 494); + ao2_ref(contact_callback_data, -1); + return; + } + /* Update the callback data with the new status, this will get handled in the AOR serializer */ contact_callback_data->status = status; @@ -905,6 +916,14 @@ static int sip_options_qualify_contact(v return 0; } + if (flags && flags == 494) { + /* add mediasec header */ + ast_debug(3,"OPTIONS: adding MEDIASEC headers\n"); + ast_sip_add_header(tdata,"Security-Verify","msrp-tls;mediasec"); + ast_sip_add_header(tdata,"Security-Verify","sdes-srtp;mediasec"); + ast_sip_add_header(tdata,"Security-Verify","dtls-srtp;mediasec"); + } + if (ast_sip_send_out_of_dialog_request(tdata, endpoint, (int)(aor_options->qualify_timeout * 1000), contact_callback_data, qualify_contact_cb)) { diff -Nurp asterisk-18.12.1/res/res_pjsip_outbound_registration.c asterisk-18.12.1-patched/res/res_pjsip_outbound_registration.c --- asterisk-18.12.1/res/res_pjsip_outbound_registration.c 2022-05-19 17:51:28.000000000 +0200 +++ asterisk-18.12.1-patched/res/res_pjsip_outbound_registration.c 2022-06-10 16:42:50.113418424 +0200 @@ -392,6 +392,8 @@ struct sip_outbound_registration_client_ char *transport_name; /*! \brief The name of the registration sorcery object */ char *registration_name; + /*! \brief Indicator, if there was a 494 response before */ + unsigned int is494; }; /*! \brief Outbound registration state information (persists for lifetime that registration should exist) */ @@ -694,6 +696,19 @@ static int handle_client_registration(vo return -1; } + /* Add some header for mediasec */ + if (client_state->is494) { + /* answer for 494 */ + ast_sip_add_header(tdata,"Security-Verify","msrp-tls;mediasec"); + ast_sip_add_header(tdata,"Security-Verify","sdes-srtp;mediasec"); + ast_sip_add_header(tdata,"Security-Verify","dtls-srtp;mediasec"); + } + else { + ast_sip_add_header(tdata,"Security-Client","sdes-srtp;mediasec"); + ast_sip_add_header(tdata,"Proxy-Require","mediasec"); + ast_sip_add_header(tdata,"Require","mediasec"); + } + registration_client_send(client_state, tdata); return 0; @@ -1092,6 +1107,27 @@ static int handle_registration_response( response->client_state->auth_attempted = 1; ast_debug(1, "Sending authenticated REGISTER to server '%s' from client '%s'\n", server_uri, client_uri); + + /* Add MEDIASEC headers */ + static const pj_str_t headerName = { "Security-Server", 15 }; + pjsip_generic_string_hdr *secSrv; + secSrv = pjsip_msg_find_hdr_by_name(response->rdata->msg_info.msg, &headerName, NULL); + if (secSrv) { + response->client_state->is494=0; + + static const pj_str_t headerNameVrfy = { "Security-Verify", 15 }; + pjsip_generic_string_hdr *secVrfy; + secVrfy = pjsip_msg_find_hdr_by_name(tdata->msg, &headerNameVrfy, NULL); + + /* initial register doesn't contain it */ + if (! secVrfy) { + ast_debug(3, "Adding MEDIASEC headers\n"); + ast_sip_add_header(tdata,"Security-Verify","msrp-tls;mediasec"); + ast_sip_add_header(tdata,"Security-Verify","sdes-srtp;mediasec"); + ast_sip_add_header(tdata,"Security-Verify","dtls-srtp;mediasec"); + } + } + pjsip_tx_data_add_ref(tdata); res = registration_client_send(response->client_state, tdata); @@ -1118,6 +1154,8 @@ static int handle_registration_response( if (response->expiration) { int next_registration_round; + response->client_state->is494=0; + /* If the registration went fine simply reschedule registration for the future */ ast_debug(1, "Outbound registration to '%s' with client '%s' successful\n", server_uri, client_uri); update_client_state_status(response->client_state, SIP_REGISTRATION_REGISTERED); @@ -1134,6 +1172,8 @@ static int handle_registration_response( response->client_state->registration_name); } else { ast_debug(1, "Outbound unregistration to '%s' with client '%s' successful\n", server_uri, client_uri); + response->client_state->is494=0; + update_client_state_status(response->client_state, SIP_REGISTRATION_UNREGISTERED); ast_sip_transport_monitor_unregister(response->rdata->tp_info.transport, registration_transport_shutdown_cb, response->client_state->registration_name, @@ -1143,6 +1183,22 @@ static int handle_registration_response( save_response_fields_to_transport(response); } else if (response->client_state->destroy) { /* We need to deal with the pending destruction instead. */ + } else if (response->code == 494) { + if (response->client_state->is494) { + ast_log(LOG_WARNING, "MEDIASEC registration to '%s' with client '%s' failed (494-loop detected), stopping registration attempt\n", + server_uri, client_uri); + /* 494 loop detected! This is fatal! */ + update_client_state_status(response->client_state, SIP_REGISTRATION_REJECTED_PERMANENT); + /* reset is494 */ + response->client_state->is494=0; + } else { + /* Try (initial) registration again - but now with additional headers */ + response->client_state->is494=1; + ao2_ref(response->client_state, +1); + handle_client_registration(response->client_state); + ao2_ref(response, -1); + return 0; + } } else if (response->retry_after) { /* If we have been instructed to retry after a period of time, schedule it as such */ schedule_retry(response, response->retry_after, server_uri, client_uri); @@ -1870,6 +1926,9 @@ static int unregister_task(void *obj) if (pjsip_regc_unregister(client, &tdata) == PJ_SUCCESS && add_configured_supported_headers(state->client_state, tdata)) { + ast_sip_add_header(tdata,"Security-Client","sdes-srtp;mediasec"); + ast_sip_add_header(tdata,"Proxy-Require","mediasec"); + ast_sip_add_header(tdata,"Require","mediasec"); registration_client_send(state->client_state, tdata); } diff -Nurp asterisk-18.12.1/res/res_pjsip_sdp_rtp.c asterisk-18.12.1-patched/res/res_pjsip_sdp_rtp.c --- asterisk-18.12.1/res/res_pjsip_sdp_rtp.c 2022-05-19 17:51:28.000000000 +0200 +++ asterisk-18.12.1-patched/res/res_pjsip_sdp_rtp.c 2022-06-10 16:42:50.117418424 +0200 @@ -1607,6 +1607,7 @@ static int add_crypto_to_stream(struct a static const pj_str_t STR_PASSIVE = { "passive", 7 }; static const pj_str_t STR_ACTPASS = { "actpass", 7 }; static const pj_str_t STR_HOLDCONN = { "holdconn", 8 }; + static const pj_str_t STR_MEDSECREQ = { "requested", 9 }; enum ast_rtp_dtls_setup setup; switch (session_media->encryption) { @@ -1622,6 +1623,8 @@ static int add_crypto_to_stream(struct a } tmp = session_media->srtp; + attr = pjmedia_sdp_attr_create(pool, "3ge2ae", &STR_MEDSECREQ); + media->attr[media->attr_count++] = attr; do { crypto_attribute = ast_sdp_srtp_get_attrib(tmp, diff -Nurp asterisk-18.12.1/res/res_pjsip_session.c asterisk-18.12.1-patched/res/res_pjsip_session.c --- asterisk-18.12.1/res/res_pjsip_session.c 2022-05-19 17:51:28.000000000 +0200 +++ asterisk-18.12.1-patched/res/res_pjsip_session.c 2022-06-10 16:42:50.121418424 +0200 @@ -2514,6 +2514,13 @@ static int sip_session_refresh(struct as SCOPE_EXIT_LOG_RTN_VALUE(-1, LOG_WARNING, "%s: on_request_creation failed.\n", ast_sip_session_get_name(session)); } } + if (session->endpoint->media.rtp.encryption == AST_SIP_MEDIA_ENCRYPT_SDES) { + ast_debug(3, "INVITE: Adding MEDIASEC headers\n"); + ast_sip_add_header(tdata,"Security-Verify","msrp-tls;mediasec"); + ast_sip_add_header(tdata,"Security-Verify","sdes-srtp;mediasec"); + ast_sip_add_header(tdata,"Security-Verify","dtls-srtp;mediasec"); + } + ast_sip_session_send_request_with_cb(session, tdata, on_response); ast_sip_session_media_state_free(active_media_state); @@ -2873,6 +2880,13 @@ int ast_sip_session_create_invite(struct SCOPE_EXIT_RTN_VALUE(-1, "pjsip_inv_invite failed\n"); } + if (session->endpoint->media.rtp.encryption == AST_SIP_MEDIA_ENCRYPT_SDES) { + ast_debug(3, "INVITE: Adding MEDIASEC headers\n"); + ast_sip_add_header(*tdata,"Security-Verify","msrp-tls;mediasec"); + ast_sip_add_header(*tdata,"Security-Verify","sdes-srtp;mediasec"); + ast_sip_add_header(*tdata,"Security-Verify","dtls-srtp;mediasec"); + } + SCOPE_EXIT_RTN_VALUE(0); }
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor