File 2-mediasec-18.12.patch of Package asterisk

Overview Repositories Revisions Requests Users Attributes Meta

File 2-mediasec-18.12.patch of Package asterisk

diff -Nurp asterisk-18.12.1/include/asterisk/res_pjsip.h asterisk-18.12.1-patched/include/asterisk/res_pjsip.h
--- asterisk-18.12.1/include/asterisk/res_pjsip.h	2022-05-19 17:51:28.000000000 +0200
+++ asterisk-18.12.1-patched/include/asterisk/res_pjsip.h	2022-06-10 16:59:52.773376863 +0200
@@ -945,6 +945,8 @@ struct ast_sip_endpoint {
 	unsigned int suppress_q850_reason_headers;
 	/*! Ignore 183 if no SDP is present */
 	unsigned int ignore_183_without_sdp;
+	/*! Support mediasec on endpoint */
+	unsigned int support_mediasec;
 	/*! Set which STIR/SHAKEN behaviors we want on this endpoint */
 	unsigned int stir_shaken;
 	/*! Should we authenticate OPTIONS requests per RFC 3261? */
diff -Nurp asterisk-18.12.1/res/res_pjsip/pjsip_configuration.c asterisk-18.12.1-patched/res/res_pjsip/pjsip_configuration.c
--- asterisk-18.12.1/res/res_pjsip/pjsip_configuration.c	2022-05-19 17:51:28.000000000 +0200
+++ asterisk-18.12.1-patched/res/res_pjsip/pjsip_configuration.c	2022-06-10 16:59:52.769376863 +0200
@@ -2174,6 +2174,7 @@ int ast_res_pjsip_initialize_configurati
 	ast_sorcery_object_field_register(sip_sorcery, "endpoint", "follow_early_media_fork", "yes", OPT_BOOL_T, 1, FLDSET(struct ast_sip_endpoint, media.rtp.follow_early_media_fork));
 	ast_sorcery_object_field_register(sip_sorcery, "endpoint", "accept_multiple_sdp_answers", "no", OPT_BOOL_T, 1, FLDSET(struct ast_sip_endpoint, media.rtp.accept_multiple_sdp_answers));
 	ast_sorcery_object_field_register(sip_sorcery, "endpoint", "suppress_q850_reason_headers", "no", OPT_BOOL_T, 1, FLDSET(struct ast_sip_endpoint, suppress_q850_reason_headers));
+	ast_sorcery_object_field_register(sip_sorcery, "endpoint", "support_mediasec", "no", OPT_BOOL_T, 1, FLDSET(struct ast_sip_endpoint, support_mediasec));
 	ast_sorcery_object_field_register(sip_sorcery, "endpoint", "ignore_183_without_sdp", "no", OPT_BOOL_T, 1, FLDSET(struct ast_sip_endpoint, ignore_183_without_sdp));
 	ast_sorcery_object_field_register_custom(sip_sorcery, "endpoint", "incoming_call_offer_pref", "local",
 		call_offer_pref_handler, incoming_call_offer_pref_to_str, NULL, 0, 0);
diff -Nurp asterisk-18.12.1/res/res_pjsip/pjsip_config.xml asterisk-18.12.1-patched/res/res_pjsip/pjsip_config.xml
--- asterisk-18.12.1/res/res_pjsip/pjsip_config.xml	2022-05-19 17:51:28.000000000 +0200
+++ asterisk-18.12.1-patched/res/res_pjsip/pjsip_config.xml	2022-06-10 16:59:52.773376863 +0200
@@ -1431,6 +1431,12 @@
 						several options and rules used for STIR/SHAKEN.</para>
 					</description>
 				</configOption>
+				<configOption name="support_mediasec">
+					<synopsis>Enables Medisec support for INVITE and SDP.</synopsis>
+					<description><para>
+						When this option is enabled, the Mediasec Headers are added and enforced.</para>
+					</description>
+				</configOption>
 				<configOption name="allow_unauthenticated_options" default="no">
 					<synopsis>Skip authentication when receiving OPTIONS requests</synopsis>
 					<description><para>
diff -Nurp asterisk-18.12.1/res/res_pjsip_outbound_registration.c asterisk-18.12.1-patched/res/res_pjsip_outbound_registration.c
--- asterisk-18.12.1/res/res_pjsip_outbound_registration.c	2022-06-10 17:02:51.365384143 +0200
+++ asterisk-18.12.1-patched/res/res_pjsip_outbound_registration.c	2022-06-10 16:59:52.769376863 +0200
@@ -181,6 +181,13 @@
 						header as necessary.
 					</para></description>
 				</configOption>
+				<configOption name="support_mediasec">
+					<synopsis>Enables Mediasec support for outbound REGISTER requests.</synopsis>
+					<description><para>
+						When this option is enabled, outbound REGISTER requests will advertise
+						support for Mediasec.
+					</para></description>
+				</configOption>
 				<configOption name="support_outbound">
 					<synopsis>Enables advertising SIP Outbound support (RFC5626) for outbound REGISTER requests.</synopsis>
 				</configOption>
@@ -335,6 +342,8 @@ struct sip_outbound_registration {
 	struct ast_sip_auth_vector outbound_auths;
 	/*! \brief Whether Path support is enabled */
 	unsigned int support_path;
+	/*! \brief Wether mediasec support is enabled */
+	unsigned int support_mediasec;
 	/*! \brief Whether Outbound support is enabled */
 	unsigned int support_outbound;
 };
@@ -376,6 +385,8 @@ struct sip_outbound_registration_client_
 	unsigned int auth_rejection_permanent;
 	/*! \brief Determines whether SIP Path support should be advertised */
 	unsigned int support_path;
+	/*! \brief Wether mediasec support is enabled */
+	unsigned int support_mediasec;
 	/*! \brief Determines whether SIP Outbound support should be advertised */
 	unsigned int support_outbound;
 	/*! CSeq number of last sent auth request. */
@@ -697,18 +708,19 @@ static int handle_client_registration(vo
 	}
 
 	/* Add some header for mediasec */
-	if (client_state->is494) {
-		/* answer for 494 */
-		ast_sip_add_header(tdata,"Security-Verify","msrp-tls;mediasec");
-		ast_sip_add_header(tdata,"Security-Verify","sdes-srtp;mediasec");
-		ast_sip_add_header(tdata,"Security-Verify","dtls-srtp;mediasec");
-	}
-	else {
-		ast_sip_add_header(tdata,"Security-Client","sdes-srtp;mediasec");
-		ast_sip_add_header(tdata,"Proxy-Require","mediasec");
-		ast_sip_add_header(tdata,"Require","mediasec");
+	if (client_state->support_mediasec) {
+		if (client_state->is494) {
+			/* answer for 494 */
+			ast_sip_add_header(tdata,"Security-Verify","msrp-tls;mediasec");
+			ast_sip_add_header(tdata,"Security-Verify","sdes-srtp;mediasec");
+			ast_sip_add_header(tdata,"Security-Verify","dtls-srtp;mediasec");
+		}
+		else {
+			ast_sip_add_header(tdata,"Security-Client","sdes-srtp;mediasec");
+			ast_sip_add_header(tdata,"Proxy-Require","mediasec");
+			ast_sip_add_header(tdata,"Require","mediasec");
+		}
 	}
-
 	registration_client_send(client_state, tdata);
 
 	return 0;
@@ -1109,22 +1121,24 @@ static int handle_registration_response(
 					server_uri, client_uri);
 
 			/* Add MEDIASEC headers */
-			static const pj_str_t headerName = { "Security-Server", 15 };
-			pjsip_generic_string_hdr *secSrv;
-			secSrv = pjsip_msg_find_hdr_by_name(response->rdata->msg_info.msg, &headerName, NULL);
-			if (secSrv) {
-				response->client_state->is494=0;
-
-				static const pj_str_t headerNameVrfy = { "Security-Verify", 15 };
-				pjsip_generic_string_hdr *secVrfy;
-				secVrfy = pjsip_msg_find_hdr_by_name(tdata->msg, &headerNameVrfy, NULL);
-
-				/* initial register doesn't contain it */
-				if (! secVrfy) {
-					ast_debug(3, "Adding MEDIASEC headers\n");
-					ast_sip_add_header(tdata,"Security-Verify","msrp-tls;mediasec");
-					ast_sip_add_header(tdata,"Security-Verify","sdes-srtp;mediasec");
-					ast_sip_add_header(tdata,"Security-Verify","dtls-srtp;mediasec");
+			if (response->client_state->support_mediasec) {
+				static const pj_str_t headerName = { "Security-Server", 15 };
+				pjsip_generic_string_hdr *secSrv;
+				secSrv = pjsip_msg_find_hdr_by_name(response->rdata->msg_info.msg, &headerName, NULL);
+				if (secSrv) {
+					response->client_state->is494=0;
+
+					static const pj_str_t headerNameVrfy = { "Security-Verify", 15 };
+					pjsip_generic_string_hdr *secVrfy;
+					secVrfy = pjsip_msg_find_hdr_by_name(tdata->msg, &headerNameVrfy, NULL);
+
+					/* initial register doesn't contain it */
+					if (! secVrfy) {
+						ast_debug(3, "Adding MEDIASEC headers\n");
+						ast_sip_add_header(tdata,"Security-Verify","msrp-tls;mediasec");
+						ast_sip_add_header(tdata,"Security-Verify","sdes-srtp;mediasec");
+						ast_sip_add_header(tdata,"Security-Verify","dtls-srtp;mediasec");
+					}
 				}
 			}
 
@@ -1782,6 +1796,7 @@ static int sip_outbound_registration_per
 	state->client_state->max_retries = registration->max_retries;
 	state->client_state->retries = 0;
 	state->client_state->support_path = registration->support_path;
+	state->client_state->support_mediasec = registration->support_mediasec;
 	state->client_state->support_outbound = registration->support_outbound;
 	state->client_state->auth_rejection_permanent = registration->auth_rejection_permanent;
 
@@ -1926,9 +1941,11 @@ static int unregister_task(void *obj)
 
 	if (pjsip_regc_unregister(client, &tdata) == PJ_SUCCESS
 		&& add_configured_supported_headers(state->client_state, tdata)) {
-		ast_sip_add_header(tdata,"Security-Client","sdes-srtp;mediasec");
-		ast_sip_add_header(tdata,"Proxy-Require","mediasec");
-		ast_sip_add_header(tdata,"Require","mediasec");
+		if (state->client_state->support_mediasec) {
+			ast_sip_add_header(tdata,"Security-Client","sdes-srtp;mediasec");
+			ast_sip_add_header(tdata,"Proxy-Require","mediasec");
+			ast_sip_add_header(tdata,"Require","mediasec");
+		}
 		registration_client_send(state->client_state, tdata);
 	}
 
@@ -2609,6 +2626,7 @@ static int load_module(void)
 	ast_sorcery_object_field_register(ast_sip_get_sorcery(), "registration", "support_outbound", "no", OPT_YESNO_T, 1, FLDSET(struct sip_outbound_registration, support_outbound));
 	ast_sorcery_object_field_register(ast_sip_get_sorcery(), "registration", "line", "no", OPT_BOOL_T, 1, FLDSET(struct sip_outbound_registration, line));
 	ast_sorcery_object_field_register(ast_sip_get_sorcery(), "registration", "endpoint", "", OPT_STRINGFIELD_T, 0, STRFLDSET(struct sip_outbound_registration, endpoint));
+	ast_sorcery_object_field_register(ast_sip_get_sorcery(), "registration", "support_mediasec", "no", OPT_BOOL_T, 1, FLDSET(struct sip_outbound_registration, support_mediasec));
 
 	/*
 	 * Register sorcery observers.
diff -Nurp asterisk-18.12.1/res/res_pjsip_sdp_rtp.c asterisk-18.12.1-patched/res/res_pjsip_sdp_rtp.c
--- asterisk-18.12.1/res/res_pjsip_sdp_rtp.c	2022-06-10 17:02:51.369384143 +0200
+++ asterisk-18.12.1-patched/res/res_pjsip_sdp_rtp.c	2022-06-10 16:59:52.765376863 +0200
@@ -1623,8 +1623,10 @@ static int add_crypto_to_stream(struct a
 		}
 
 		tmp = session_media->srtp;
-		attr = pjmedia_sdp_attr_create(pool, "3ge2ae", &STR_MEDSECREQ);
-		media->attr[media->attr_count++] = attr;
+		if (session->endpoint->support_mediasec && ! session->inv_session->neg) {
+			attr = pjmedia_sdp_attr_create(pool, "3ge2ae", &STR_MEDSECREQ);
+			media->attr[media->attr_count++] = attr;
+		}
 
 		do {
 			crypto_attribute = ast_sdp_srtp_get_attrib(tmp,
diff -Nurp asterisk-18.12.1/res/res_pjsip_session.c asterisk-18.12.1-patched/res/res_pjsip_session.c
--- asterisk-18.12.1/res/res_pjsip_session.c	2022-06-10 17:02:51.369384143 +0200
+++ asterisk-18.12.1-patched/res/res_pjsip_session.c	2022-06-10 16:59:52.769376863 +0200
@@ -2514,7 +2514,7 @@ static int sip_session_refresh(struct as
 			SCOPE_EXIT_LOG_RTN_VALUE(-1, LOG_WARNING, "%s: on_request_creation failed.\n", ast_sip_session_get_name(session));
 		}
 	}
-	if (session->endpoint->media.rtp.encryption == AST_SIP_MEDIA_ENCRYPT_SDES) {
+	if (session->endpoint->support_mediasec && session->endpoint->media.rtp.encryption == AST_SIP_MEDIA_ENCRYPT_SDES) {
 		ast_debug(3, "INVITE: Adding MEDIASEC headers\n");
 		ast_sip_add_header(tdata,"Security-Verify","msrp-tls;mediasec");
 		ast_sip_add_header(tdata,"Security-Verify","sdes-srtp;mediasec");
@@ -2880,7 +2880,7 @@ int ast_sip_session_create_invite(struct
 		SCOPE_EXIT_RTN_VALUE(-1, "pjsip_inv_invite failed\n");
 	}
 
-	if (session->endpoint->media.rtp.encryption == AST_SIP_MEDIA_ENCRYPT_SDES) {
+	if (session->endpoint->support_mediasec && session->endpoint->media.rtp.encryption == AST_SIP_MEDIA_ENCRYPT_SDES) {
 		ast_debug(3, "INVITE: Adding MEDIASEC headers\n");
 		ast_sip_add_header(*tdata,"Security-Verify","msrp-tls;mediasec");
 		ast_sip_add_header(*tdata,"Security-Verify","sdes-srtp;mediasec");

Places

File 2-mediasec-18.12.patch of Package asterisk

Places