asterisk

Commit Graph

Author	SHA1	Message	Date
George Joseph	edb8eebeff	res_stir_shaken.c: Fix crash when stir_shaken.conf is invalid * If the call to ast_config_load() returns CONFIG_STATUS_FILEINVALID, check_for_old_config() now returns LOAD_DECLINE instead of continuing on with a bad pointer. * If CONFIG_STATUS_FILEMISSING is returned, check_for_old_config() assumes the config is being loaded from realtime and now returns LOAD_SUCCESS. If it's actually not being loaded from realtime, sorcery will catch that later on. * Also refactored the error handling in load_module() a bit. Resolves: #884	7 months ago
George Joseph	628f8d7a43	Stir/Shaken Refactor Why do we need a refactor? The original stir/shaken implementation was started over 3 years ago when little was understood about practical implementation. The result was an implementation that wouldn't actually interoperate with any other stir-shaken implementations. There were also a number of stir-shaken features and RFC requirements that were never implemented such as TNAuthList certificate validation, sending Reason headers in SIP responses when verification failed but we wished to continue the call, and the ability to send Media Key(mky) grants in the Identity header when the call involved DTLS. Finally, there were some performance concerns around outgoing calls and selection of the correct certificate and private key. The configuration was keyed by an arbitrary name which meant that for every outgoing call, we had to scan the entire list of configured TNs to find the correct cert to use. With only a few TNs configured, this wasn't an issue but if you have a thousand, it could be. What's changed? * Configuration objects have been refactored to be clearer about their uses and to fix issues. * The "general" object was renamed to "verification" since it contains parameters specific to the incoming verification process. It also never handled ca_path and crl_path correctly. * A new "attestation" object was added that controls the outgoing attestation process. It sets default certificates, keys, etc. * The "certificate" object was renamed to "tn" and had it's key change to telephone number since outgoing call attestation needs to look up certificates by telephone number. * The "profile" object had more parameters added to it that can override default parameters specified in the "attestation" and "verification" objects. * The "store" object was removed altogther as it was never implemented. * We now use libjwt to create outgoing Identity headers and to parse and validate signatures on incoming Identiy headers. Our previous custom implementation was much of the source of the interoperability issues. * General code cleanup and refactor. * Moved things to better places. * Separated some of the complex functions to smaller ones. * Using context objects rather than passing tons of parameters in function calls. * Removed some complexity and unneeded encapsuation from the config objects. Resolves: #351 Resolves: #46 UserNote: Asterisk's stir-shaken feature has been refactored to correct interoperability, RFC compliance, and performance issues. See https://docs.asterisk.org/Deployment/STIR-SHAKEN for more information. UpgradeNote: The stir-shaken refactor is a breaking change but since it's not working now we don't think it matters. The stir_shaken.conf file has changed significantly which means that existing ones WILL need to be changed. The stir_shaken.conf.sample file in configs/samples/ has quite a bit more information. This is also an ABI breaking change since some of the existing objects needed to be changed or removed, and new ones added. Additionally, if res_stir_shaken is enabled in menuselect, you'll need to either have the development package for libjwt v1.15.3 installed or use the --with-libjwt-bundled option with ./configure.	1 year ago
Naveen Albert	0119f3ad48	res_pjsip_stir_shaken: Fix JSON field ordering and disallowed TN characters. The current STIR/SHAKEN signing process is inconsistent with the RFCs in a couple ways that can cause interoperability issues. RFC8225 specifies that the keys must be ordered lexicographically, but currently the fields are simply ordered according to the order in which they were added to the JSON object, which is not compliant with the RFC and can cause issues with some carriers. To fix this, we now leverage libjansson's ability to dump a JSON object sorted by key value, yielding the correct field ordering. Additionally, telephone numbers must have any leading + prefix removed and must not contain characters outside of 0-9, *, and # in order to comply with the RFCs. Numbers are now properly formatted as such. ASTERISK-30407 #close Change-Id: Iab76d39447c4b8cf133de85657dba02fda07f9a2	2 years ago
Sean Bright	c85fc1278f	doxygen: Fix doxygen errors. Change-Id: Ic50e95b4fc10f74ab15416d908e8a87ee8ec2f85	2 years ago
Ben Ford	0724b767a3	AST-2022-002 - res_stir_shaken/curl: Add ACL checks for Identity header. Adds a new configuration option, stir_shaken_profile, in pjsip.conf that can be specified on a per endpoint basis. This option will reference a stir_shaken_profile that can be configured in stir_shaken.conf. The type of this option must be 'profile'. The stir_shaken option can be specified on this object with the same values as before (attest, verify, on), but it cannot be off since having the profile itself implies wanting STIR/SHAKEN support. You can also specify an ACL from acl.conf (along with permit and deny lines in the object itself) that will be used to limit what interfaces Asterisk will attempt to retrieve information from when reading the Identity header. ASTERISK-29476 Change-Id: I87fa61f78a9ea0cd42530691a30da3c781842406	3 years ago
Philip Prindeville	287a1a9126	time: add support for time64 libcs Treat time_t's as entirely unique and use the POSIX API's for converting to/from strings. Lastly, a 64-bit integer formats as 20 digits at most in base10. Don't need to have any 100 byte buffers to hold that. ASTERISK-29674 #close Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com> Change-Id: Id7b25bdca8f92e34229f6454f6c3e500f2cd6f56	3 years ago
Ben Ford	1031a1805b	STIR/SHAKEN: Option split and response codes. The stir_shaken configuration option now has 4 different choices to pick from: off, attest, verify, and on. Off and on behave the same way they do now. Attest will only perform attestation on the endpoint, and verify will only perform verification on the endpoint. Certain responses are required to be sent based on certain conditions for STIR/SHAKEN. For example, if we get a Date header that is outside of the time range that is considered valid, a 403 Stale Date response should be sent. This and several other responses have been added. Change-Id: I4ac1ecf652cd0e336006b0ca638dc826b5b1ebf7	4 years ago
Sean Bright	c0fc8adbb6	menuselect: Fix description of several modules. The text description needs to be the last thing on the AST_MODULE_INFO line to be pulled in properly by menuselect. Change-Id: I0c913e36fea8b661f42e56920b6c5513ae8fd832	4 years ago
Ben Ford	0564d12280	STIR/SHAKEN: Switch to base64 URL encoding. STIR/SHAKEN encodes using base64 URL format. Currently, we just use base64. New functions have been added that convert to and from base64 encoding. The origid field should also be an UUID. This means there's no reason to have it as an option in stir_shaken.conf, as we can simply generate one when creating the Identity header. https://wiki.asterisk.org/wiki/display/AST/OpenSIPit+2021 Change-Id: Icf094a2a54e87db91d6b12244c9f5ba4fc2e0b8c	4 years ago
Ben Ford	259ecfa289	STIR/SHAKEN: Fix certificate type and storage. During OpenSIPit, we found out that the public certificates must be of type X.509. When reading in public keys, we use the corresponding X.509 functions now. We also discovered that we needed a better naming scheme for the certificates since certificates with the same name would cause issues (overwriting certs, etc.). Now when we download a public certificate, we get the serial number from it and use that as the name of the cached certificate. The configuration option public_key_url in stir_shaken.conf has also been renamed to public_cert_url, which better describes what the option is for. https://wiki.asterisk.org/wiki/display/AST/OpenSIPit+2021 Change-Id: Ia00b20835f5f976e3603797f2f2fb19672d8114d	4 years ago
Alexander Traud	64d2de19ee	res_stir_shaken: Include OpenSSL headers where used actually. This avoids the inclusion of the OpenSSL headers in the public header, which avoids one external library dependency in res_pjsip_stir_shaken. Change-Id: I6a07e2d81d2b5442e24e99b8cc733a99f881dcf4	5 years ago
Alexander Traud	28faafd1c4	Compiler fixes for GCC when printf %s is NULL ASTERISK-29146 Change-Id: Ib04bdad87d729f805f5fc620ef9952f58ea96d41	5 years ago
Ben Ford	5fbed5af24	res_stir_shaken: Add stir_shaken option and general improvements. Added a new configuration option for PJSIP endpoints - stir_shaken. If set to yes, then STIR/SHAKEN support will be added to inbound and outbound INVITEs. The default is no. Alembic has been updated to include this option. Previously the dialplan function was not trimming the whitespace from the parameters it recieved. Now it does. Also added a conditional that, when TEST_FRAMEWORK is enabled, the timestamp in the identity header will be overlooked. This is just for testing, since the testsuite will rely on a SIPp scenario with a preset identity header to trigger the MISMATCH result. Change-Id: I43d67f1489b8c1c5729ed3ca8d71e35ddf438df1	5 years ago
Ben Ford	1274117102	res_stir_shaken: Add outbound INVITE support. Integrated STIR/SHAKEN support with outgoing INVITEs. When an INVITE is sent, the caller ID will be checked to see if there is a certificate that corresponds to it. If so, that information will be retrieved and an Identity header will be added to the SIP message. The format is: header.payload.signature;info=<public_key_url>alg=ES256;ppt=shaken Header, payload, and signature are all BASE64 encoded. The public key URL is retrieved from the certificate. Currently the algorithm and ppt are ES256 and shaken, respectively. This message is signed and can be used for verification on the receiving end. Two new configuration options have been added to the certificate object: attestation and origid. The attestation is required and must be A, B, or C. origid is the origination identifier. A new utility function has been added as well that takes a string, allocates space, BASE64 encodes it, then returns it, eliminating the need to calculate the size yourself. Change-Id: I1f84d6a5839cb2ed152ef4255b380cfc2de662b4	5 years ago
Ben Ford	3927f79cb5	res_stir_shaken: Add inbound INVITE support. Integrated STIR/SHAKEN support with incoming INVITES. Upon receiving an INVITE, the Identity header is retrieved, parsing the message to verify the signature. If any of the parsing fails, AST_STIR_SHAKEN_VERIFY_NOT_PRESENT will be added to the channel for this caller ID. If verification itself fails, AST_STIR_SHAKEN_VERIFY_SIGNATURE_FAILED will be added. If anything in the payload does not line up with the SIP signaling, AST_STIR_SHAKEN_VERIFY_MISMATCH will be added. If all of the above steps pass, then AST_STIR_SHAKEN_VERIFY_PASSED will be added, completing the verification process. A new config option has been added to the general section for stir_shaken.conf. "signature_timeout" is the amount of time a signature will be considered valid. If an INVITE is received and the amount of time between when it was received and when it was signed is greater than signature_timeout, verification will fail. Some changes were also made to signing and verification. There was an error where the whole JSON string was being signed rather than the header combined with the payload. This has been changed to sign the correct thing. Verification has been changed to do this as well, and the unit tests have been updated to reflect these changes. A couple of utility functions have also been added. One decodes a BASE64 string and returns the decoded string, doing all the length calculations for you. The other retrieves a string value from a header in a rdata object. Change-Id: I855f857be3d1c63b64812ac35d9ce0534085b913	5 years ago
Ben Ford	f506cc4896	res_stir_shaken: Add unit tests for signing and verification. Added two unit tests, one for signing and another for verifying. stir_shaken_sign checks to make sure that all the required parameters are passed in and then signs the actual payload. If a signature is produced and a payload returned as a result, the test passes. stir_shaken_verify takes the signature from a signed payload to verify. This unit test also verifies that all the required information is passed in, and then attempts to verify the signature. If verification is successful and a payload is returned, the test passes. Change-Id: I9fa43380f861ccf710cd0f6b6c102a517c86ea13	5 years ago
Ben Ford	e29df34de0	res_stir_shaken: Added dialplan function and API call. Adds the "STIR_SHAKEN" dialplan function and an API call to add a STIR_SHAKEN verification result to a channel. This information will be held in a datastore on the channel that can later be queried through the "STIR_SHAKEN" dialplan funtion to get information on STIR_SHAKEN results including identity, attestation, and verify_result. Here are some examples: STIR_SHAKEN(count) STIR_SHAKEN(0, identity) STIR_SHAKEN(1, attestation) STIR_SHAKEN(2, verify_result) Getting the count can be used to iterate through the results and pull information by specifying the index and the field you want to retrieve. Change-Id: Ice6d52a3a7d6e4607c9c35b28a1f7c25f5284a82	5 years ago
Joshua C. Colp	1cfd30bd8a	res_stir_shaken: Use ast_asprintf for creating file path. Change-Id: Ice5d92ecea2f1101c80487484f48ef98be2f1824	5 years ago
Ben Ford	9acf840f7c	res_stir_shaken: Implemented signature verification. There are a lot of moving parts in this patch, but the focus of it is on the verification of the signature using a public key located at the public key URL provided in the JSON payload. First, we check the database to see if we have already downloaded the key. If so, check to see if it has expired. If it has, redownload from the URL. If we don't have an entry in the database, just go ahead and download the public key. The expiration is tested each time we download the file. After that, read the public key from the file and use it to verify the signature. All sanity checking is done when the payload is first received, so the verification is complete once this point is reached. The XML has also been added since a new config option was added to general (curl_timeout). The maximum amount of time to wait for a download can be configured through this option, with a low value by default. Change-Id: I3ba4c63880493bf8c7d17a9cfca1af0e934d1a1c	5 years ago
Alexander Traud	611529fa52	res_stir_shaken: Do not build without OpenSSL. Change-Id: Idba5151a3079f9dcc0076d635422c5df5845114f	5 years ago
Ben Ford	57a457c26c	res_stir_shaken: Implemented signing of JSON payload. This change provides functions that take in a JSON payload, verify that the contents contain all the mandatory fields and required values (if any), and signs the payload with the private key. Four fields are added to the payload: x5u, attest, iat, and origid. As of now, these are just placeholder values that will be set to actual values once the logic is implemented for what to do when an actual payload is received, but the functions to add these values have all been implemented and are ready to use. Upon successful signing and the addition of those four values, a ast_stir_shaken_payload is returned, containing other useful information such as the algorithm and signature. Change-Id: I74fa41c0640ab2a64a1a80110155bd7062f13393	5 years ago
Ben Ford	211bb8a79c	res_stir_shaken: Initial commit and reading private key. This commit sets up some of the initial framework for the module and adds a way to read the private key from the specified file, which will then be appended to the certificate object. This works fine for now, but eventually some other structure will likely need to be used to store all this information. Similarly, the caller_id_number is specified on the certificate config object, but in the end we will want that information to be tied to the certificate itself and read it from there. A method has been added that will retrieve the private key associated with the caller_id_number passed in. Tab completion for certificates and stores has also been added. Change-Id: Ic4bc1416fab5d6afe15a8e2d32f7ddd4e023295f	5 years ago

22 Commits (master)