Asterisk
/
asterisk
mirror of https://github.com/asterisk/asterisk
1
0
Fork 0
Code Issues Releases Wiki Activity

res_stir_shaken: Allow missing or anonymous CID to continue to the dialplan.

Browse Source 
The verification check for missing or anonymous callerid was happening before
the endpoint's profile was retrieved which meant that the failure_action
parameter wasn't available.  Therefore, if verification was enabled and there
was no callerid or it was "anonymous", the call was immediately terminated
instead of giving the dialplan the ability to decide what to do with the call.

* The callerid check now happens after the verification context is created and
  the endpoint's stir_shaken_profile is available.

* The check now processes the callerid failure just as it does for other
  verification failures and respects the failure_action parameter.  If set
  to "continue" or "continue_return_reason", `STIR_SHAKEN(0,verify_result)`
  in the dialplan will return "invalid_or_no_callerid".

* If the endpoint's failure_action is "reject_request", the call will be
  rejected with `433 "Anonymity Disallowed"`.

* If the endpoint's failure_action is "continue_return_reason", the call will
  continue but a `Reason: STIR; cause=433; text="Anonymity Disallowed"`
  header will be added to the next provisional or final response.

Resolves: #1112
pull/1145/head
George Joseph 8 months ago
parent 873c247f75
commit 0b6a3df331
3 changed files with 36 additions and 12 deletions
Show Stats Download Patch File Download Diff File

11
include/asterisk/res_stir_shaken.h
Unescape View File

@ -55,6 +55,7 @@ enum ast_stir_shaken_vs_response_code {
AST_STIR_SHAKEN_VS_NO_DEST_TN, AST_STIR_SHAKEN_VS_NO_DEST_TN,
AST_STIR_SHAKEN_VS_INVALID_HEADER, AST_STIR_SHAKEN_VS_INVALID_HEADER,
AST_STIR_SHAKEN_VS_INVALID_GRANT, AST_STIR_SHAKEN_VS_INVALID_GRANT,
AST_STIR_SHAKEN_VS_INVALID_OR_NO_CID,
AST_STIR_SHAKEN_VS_RESPONSE_CODE_MAX AST_STIR_SHAKEN_VS_RESPONSE_CODE_MAX
}; };
@ -233,6 +234,16 @@ enum stir_shaken_failure_action_enum
int ast_stir_shaken_vs_get_use_rfc9410_responses( int ast_stir_shaken_vs_get_use_rfc9410_responses(
struct ast_stir_shaken_vs_ctx *ctx); struct ast_stir_shaken_vs_ctx *ctx);
/*!
* \brief Get caller_id from context
*
* \param ctx VS context
*
* \retval Caller ID or NULL
*/
const char *ast_stir_shaken_vs_get_caller_id(
struct ast_stir_shaken_vs_ctx *ctx);
/*! /*!
* \brief Add a STIR/SHAKEN verification result to a channel * \brief Add a STIR/SHAKEN verification result to a channel
* *

25
res/res_pjsip_stir_shaken.c
Unescape View File

@ -44,10 +44,10 @@ enum sip_response_code {
SIP_RESPONSE_CODE_OK = 200, SIP_RESPONSE_CODE_OK = 200,
SIP_RESPONSE_CODE_STALE_DATE = 403, SIP_RESPONSE_CODE_STALE_DATE = 403,
SIP_RESPONSE_CODE_USE_IDENTITY_HEADER = 428, SIP_RESPONSE_CODE_USE_IDENTITY_HEADER = 428,
SIP_RESPONSE_CODE_ANONYMITY_DISALLOWED = 433,
SIP_RESPONSE_CODE_BAD_IDENTITY_INFO = 436, SIP_RESPONSE_CODE_BAD_IDENTITY_INFO = 436,
SIP_RESPONSE_CODE_UNSUPPORTED_CREDENTIAL = 437, SIP_RESPONSE_CODE_UNSUPPORTED_CREDENTIAL = 437,
SIP_RESPONSE_CODE_INVALID_IDENTITY_HEADER = 438, SIP_RESPONSE_CODE_INVALID_IDENTITY_HEADER = 438,
SIP_RESPONSE_CODE_USE_SUPPORTED_PASSPORT_FORMAT = 428,
SIP_RESPONSE_CODE_INTERNAL_ERROR = 500, SIP_RESPONSE_CODE_INTERNAL_ERROR = 500,
}; };
@ -55,7 +55,7 @@ enum sip_response_code {
/* Response strings from RFC8224 */ /* Response strings from RFC8224 */
#define SIP_RESPONSE_CODE_STALE_DATE_STR "Stale Date" #define SIP_RESPONSE_CODE_STALE_DATE_STR "Stale Date"
#define SIP_RESPONSE_CODE_USE_IDENTITY_HEADER_STR "Use Identity Header" #define SIP_RESPONSE_CODE_USE_IDENTITY_HEADER_STR "Use Identity Header"
#define SIP_RESPONSE_CODE_USE_SUPPORTED_PASSPORT_FORMAT_STR "Use Supported PASSporT Format" #define SIP_RESPONSE_CODE_ANONYMITY_DISALLOWED_STR "Anonymity Disallowed"
#define SIP_RESPONSE_CODE_BAD_IDENTITY_INFO_STR "Bad Identity Info" #define SIP_RESPONSE_CODE_BAD_IDENTITY_INFO_STR "Bad Identity Info"
#define SIP_RESPONSE_CODE_UNSUPPORTED_CREDENTIAL_STR "Unsupported Credential" #define SIP_RESPONSE_CODE_UNSUPPORTED_CREDENTIAL_STR "Unsupported Credential"
#define SIP_RESPONSE_CODE_INVALID_IDENTITY_HEADER_STR "Invalid Identity Header" #define SIP_RESPONSE_CODE_INVALID_IDENTITY_HEADER_STR "Invalid Identity Header"
@ -71,6 +71,7 @@ static const char *sip_response_code_to_str(enum sip_response_code code)
response_to_str(SIP_RESPONSE_CODE_OK) response_to_str(SIP_RESPONSE_CODE_OK)
response_to_str(SIP_RESPONSE_CODE_STALE_DATE) response_to_str(SIP_RESPONSE_CODE_STALE_DATE)
response_to_str(SIP_RESPONSE_CODE_USE_IDENTITY_HEADER) response_to_str(SIP_RESPONSE_CODE_USE_IDENTITY_HEADER)
response_to_str(SIP_RESPONSE_CODE_ANONYMITY_DISALLOWED)
response_to_str(SIP_RESPONSE_CODE_BAD_IDENTITY_INFO) response_to_str(SIP_RESPONSE_CODE_BAD_IDENTITY_INFO)
response_to_str(SIP_RESPONSE_CODE_UNSUPPORTED_CREDENTIAL) response_to_str(SIP_RESPONSE_CODE_UNSUPPORTED_CREDENTIAL)
response_to_str(SIP_RESPONSE_CODE_INVALID_IDENTITY_HEADER) response_to_str(SIP_RESPONSE_CODE_INVALID_IDENTITY_HEADER)
@ -127,6 +128,7 @@ static enum sip_response_code vs_code_to_sip_code(
translate_code(INVALID_GRANT, INVALID_IDENTITY_HEADER) translate_code(INVALID_GRANT, INVALID_IDENTITY_HEADER)
translate_code(INVALID_OR_NO_GRANTS, INVALID_IDENTITY_HEADER) translate_code(INVALID_OR_NO_GRANTS, INVALID_IDENTITY_HEADER)
translate_code(CID_ORIG_TN_MISMATCH, INVALID_IDENTITY_HEADER) translate_code(CID_ORIG_TN_MISMATCH, INVALID_IDENTITY_HEADER)
translate_code(INVALID_OR_NO_CID, ANONYMITY_DISALLOWED)
translate_code(RESPONSE_CODE_MAX, INVALID_IDENTITY_HEADER) translate_code(RESPONSE_CODE_MAX, INVALID_IDENTITY_HEADER)
} }
@ -227,12 +229,10 @@ static int stir_shaken_incoming_request(struct ast_sip_session *session, pjsip_r
} }
/* /*
* Shortcut: If there's no callerid or profile name, * Shortcut: If there's no profile name just bail now.
* just bail now.
*/ */
if (ast_strlen_zero(caller_id) if (ast_strlen_zero(session->endpoint->stir_shaken_profile)) {
|| ast_strlen_zero(session->endpoint->stir_shaken_profile)) { SCOPE_EXIT_RTN_VALUE(0, "%s: No profile name on endpoint. No action needed\n", session_name);
SCOPE_EXIT_RTN_VALUE(0, "%s: No callerid or profile name. No action needed\n", session_name);
} }
vs_rc = ast_stir_shaken_vs_ctx_create(caller_id, chan, vs_rc = ast_stir_shaken_vs_ctx_create(caller_id, chan,
@ -246,6 +246,17 @@ static int stir_shaken_incoming_request(struct ast_sip_session *session, pjsip_r
session_name); session_name);
} }
if (ast_strlen_zero(ast_stir_shaken_vs_get_caller_id(ctx))) {
p_rc = process_failure(ctx, caller_id, session, rdata,
AST_STIR_SHAKEN_VS_INVALID_OR_NO_CID);
if (p_rc == PROCESS_FAILURE_CONTINUE) {
SCOPE_EXIT_RTN_VALUE(0, "%s: Invalid or no callerid found. Call continuing\n",
session_name);
}
SCOPE_EXIT_LOG_RTN_VALUE(1, LOG_ERROR, "%s: Invalid or no callerid found. Call terminated\n",
session_name);
}
identity_hdr_val = ast_sip_rdata_get_header_value(rdata, identity_hdr_str); identity_hdr_val = ast_sip_rdata_get_header_value(rdata, identity_hdr_str);
if (ast_strlen_zero(identity_hdr_val)) { if (ast_strlen_zero(identity_hdr_val)) {
p_rc = process_failure(ctx, caller_id, session, rdata, p_rc = process_failure(ctx, caller_id, session, rdata,

12
res/res_stir_shaken/verification.c
Unescape View File

@ -84,6 +84,7 @@ static const char *vs_rc_map[] = {
[AST_STIR_SHAKEN_VS_NO_DEST_TN] = "missing_dest_tn", [AST_STIR_SHAKEN_VS_NO_DEST_TN] = "missing_dest_tn",
[AST_STIR_SHAKEN_VS_INVALID_HEADER] = "invalid_header", [AST_STIR_SHAKEN_VS_INVALID_HEADER] = "invalid_header",
[AST_STIR_SHAKEN_VS_INVALID_GRANT] = "invalid_grant", [AST_STIR_SHAKEN_VS_INVALID_GRANT] = "invalid_grant",
[AST_STIR_SHAKEN_VS_INVALID_OR_NO_CID] = "invalid_or_no_callerid",
}; };
const char *vs_response_code_to_str( const char *vs_response_code_to_str(
@ -629,6 +630,12 @@ int ast_stir_shaken_vs_get_use_rfc9410_responses(
return ctx->eprofile->vcfg_common.use_rfc9410_responses; return ctx->eprofile->vcfg_common.use_rfc9410_responses;
} }
const char *ast_stir_shaken_vs_get_caller_id(
struct ast_stir_shaken_vs_ctx *ctx)
{
return ctx->caller_id;
}
void ast_stir_shaken_vs_ctx_set_response_code( void ast_stir_shaken_vs_ctx_set_response_code(
struct ast_stir_shaken_vs_ctx *ctx, struct ast_stir_shaken_vs_ctx *ctx,
enum ast_stir_shaken_vs_response_code vs_rc) enum ast_stir_shaken_vs_response_code vs_rc)
@ -687,11 +694,6 @@ enum ast_stir_shaken_vs_response_code
LOG_ERROR, "%s: Must provide tag\n", t); LOG_ERROR, "%s: Must provide tag\n", t);
} }
if (ast_strlen_zero(canon_caller_id)) {
SCOPE_EXIT_LOG_RTN_VALUE(AST_STIR_SHAKEN_VS_INVALID_ARGUMENTS,
LOG_ERROR, "%s: Must provide caller_id\n", t);
}
ctx = ao2_alloc_options(sizeof(*ctx), ctx_destructor, ctx = ao2_alloc_options(sizeof(*ctx), ctx_destructor,
AO2_ALLOC_OPT_LOCK_NOLOCK); AO2_ALLOC_OPT_LOCK_NOLOCK);
if (!ctx) { if (!ctx) {

Write Preview
Loading…
Cancel
Save