asterisk

Commit Graph

Author	SHA1	Message	Date
George Joseph	8b8a8c1475	res_stir_shaken.so: Handle X5U certificate chains. The verification process will now load a full certificate chain retrieved via the X5U URL instead of loading only the end user cert. * Renamed crypto_load_cert_from_file() and crypto_load_cert_from_memory() to crypto_load_cert_chain_from_file() and crypto_load_cert_chain_from_memory() respectively. * The two load functions now continue to load certs from the file or memory PEMs and store them in a separate stack of untrusted certs specific to the current verification context. * crypto_is_cert_trusted() now uses the stack of untrusted certs that were extracted from the PEM in addition to any untrusted certs that were passed in from the configuration (and any CA certs passed in from the config of course). Resolves: #1272 UserNote: The STIR/SHAKEN verification process will now load a full certificate chain retrieved via the X5U URL instead of loading only the end user cert.	4 months ago
George Joseph	fe341c2b0f	res_stir_shaken: Add "ignore_sip_date_header" config option. UserNote: A new STIR/SHAKEN verification option "ignore_sip_date_header" has been added that when set to true, will cause the verification process to not consider a missing or invalid SIP "Date" header to be a failure. This will make the IAT the sole "truth" for Date in the verification process. The option can be set in the "verification" and "profile" sections of stir_shaken.conf. Also fixed a bug in the port match logic. Resolves: #1251 Resolves: #1271	4 months ago
George Joseph	d558818ec1	res_stir_shaken: Allow missing or anonymous CID to continue to the dialplan. The verification check for missing or anonymous callerid was happening before the endpoint's profile was retrieved which meant that the failure_action parameter wasn't available. Therefore, if verification was enabled and there was no callerid or it was "anonymous", the call was immediately terminated instead of giving the dialplan the ability to decide what to do with the call. * The callerid check now happens after the verification context is created and the endpoint's stir_shaken_profile is available. * The check now processes the callerid failure just as it does for other verification failures and respects the failure_action parameter. If set to "continue" or "continue_return_reason", `STIR_SHAKEN(0,verify_result)` in the dialplan will return "invalid_or_no_callerid". * If the endpoint's failure_action is "reject_request", the call will be rejected with `433 "Anonymity Disallowed"`. * If the endpoint's failure_action is "continue_return_reason", the call will continue but a `Reason: STIR; cause=433; text="Anonymity Disallowed"` header will be added to the next provisional or final response. Resolves: #1112	9 months ago
Sean Bright	82bef2ed90	docs: Indent <since> tags. Also updates the 'since' of applications/functions that existed before XML documentation was introduced (1.6.2.0).	9 months ago
George Joseph	198b01c536	docs: Add version information to application and function XML elements * Do a git blame on the embedded XML application or function element. * From the commit hash, grab the summary line. * Do a git log --grep <summary> to find the cherry-pick commits in all branches that match. * Do a git patch-id to ensure the commits are all related and didn't get a false match on the summary. * Do a git tag --contains <commit> to find the tags that contain each commit. * Weed out all tags not ..0. * Sort and discard any .0.0 and following tags where the commit appeared in an earlier branch. * The result is a single tag for each branch where the application or function was defined. The applications and functions defined in the following files were done by hand because the XML was extracted from the C source file relatively recently. * channels/pjsip/dialplan_functions_doc.xml * main/logger_doc.xml * main/manager_doc.xml * res/res_geolocation/geoloc_doc.xml * res/res_stir_shaken/stir_shaken_doc.xml	9 months ago
George Joseph	316693ded9	docs: Add version information to configObject and configOption XML elements Most of the configObjects and configOptions that are implemented with ACO or Sorcery now have `<since>/<version>` elements added. There are probably some that the script I used didn't catch. The version tags were determined by the following... * Do a git blame on the API call that created the object or option. * From the commit hash, grab the summary line. * Do a `git log --grep <summary>` to find the cherry-pick commits in all branches that match. * Do a `git patch-id` to ensure the commits are all related and didn't get a false match on the summary. * Do a `git tag --contains <commit>` to find the tags that contain each commit. * Weed out all tags not <major>.<minor>.0. * Sort and discard any <major>.0.0 and following tags where the commit appeared in an earlier branch. * The result is a single tag for each branch where the API was last touched. configObjects and configOptions elements implemented with the base ast_config APIs were just not possible to find due to the non-deterministic way they are accessed. Also note that if the API call was on modified after it was added, the version will be the one it was last modified in. Final note: The configObject and configOption elements were introduced in 12.0.0 so options created before then may not have any XML documentation.	9 months ago
George Joseph	1646b78986	res_stir_shaken: Allow sending Identity headers for unknown TNs Added a new option "unknown_tn_attest_level" to allow Identity headers to be sent when a callerid TN isn't explicitly configured in stir_shaken.conf. Since there's no TN object, a private_key_file and public_cert_url must be configured in the attestation or profile objects. Since "unknown_tn_attest_level" uses the same enum as attest_level, some of the sorcery macros had to be refactored to allow sharing the enum and to/from string conversion functions. Also fixed a memory leak in crypto_utils:pem_file_cb(). Resolves: #921 UserNote: You can now set the "unknown_tn_attest_level" option in the attestation and/or profile objects in stir_shaken.conf to enable sending Identity headers for callerid TNs not explicitly configured.	11 months ago
George Joseph	4b998482bc	stir_shaken: Fix propagation of attest_level and a few other values attest_level, send_mky and check_tn_cert_public_url weren't propagating correctly from the attestation object to the profile and tn. * In the case of attest_level, the enum needed to be changed so the "0" value (the default) was "NOT_SET" instead of "A". This now allows the merging of the attestation object, profile and tn to detect when a value isn't set and use the higher level value. * For send_mky and check_tn_cert_public_url, the tn default was forced to "NO" which always overrode the profile and attestation objects. Their defaults are now "NOT_SET" so the propagation happens correctly. * Just to remove some redundant code in tn_config.c, a bunch of calls to generate_sorcery_enum_from_str() and generate_sorcery_enum_to_str() were replaced with a single call to generate_acfg_common_sorcery_handlers(). Resolves: #904	1 year ago
George Joseph	454ee03a0c	res_stir_shaken: Remove stale include for jansson.h in verification.c verification.c had an include for jansson.h left over from previous versions of the module. Since res_stir_shaken no longer has a dependency on jansson, the bundled version wasn't added to GCC's include path so if you didn't also have a jansson development package installed, the compile would fail. Removing the stale include was the only thing needed. Resolves: #889	1 year ago
George Joseph	dd348e55aa	res_stir_shaken: Check for disabled before param validation For both attestation and verification, we now check whether they've been disabled either globally or by the profile before validating things like callerid, orig_tn, dest_tn, etc. This prevents useless error messages. Resolves: #879	1 year ago
George Joseph	a02fc685a8	stir_shaken: CRL fixes and a new CLI command * Fixed a bug in crypto_show_cli_store that was causing asterisk to crash if there were certificate revocation lists in the verification certificate store. We're also now prefixing certificates with "Cert:" and CRLs with "CRL:" to distinguish them in the list. * Added 'untrusted_cert_file' and 'untrusted_cert_path' options to both verification and profile objects. If you have CRLs that are signed by a different CA than the incoming X5U certificate (indirect CRL), you'll need to provide the certificate of the CRL signer here. Thse will show up as 'Untrusted" when showing the verification or profile objects. * Fixed loading of crl_path. The OpenSSL API we were using to load CRLs won't actually load them from a directory, only a file. We now scan the directory ourselves and load the files one-by-one. * Fixed the verification flags being set on the certificate store. - Removed the CRL_CHECK_ALL flag as this was causing all certificates to be checked for CRL extensions and failing to verify the cert if there was none. This basically caused all certs to fail when a CRL was provided via crl_file or crl_path. - Added the EXTENDED_CRL_SUPPORT flag as it is required to handle indirect CRLs. * Added a new CLI command... `stir_shaken verify certificate_file <certificate_file> [ <profile> ]` which will assist troubleshooting certificate problems by allowing the user to manually verify a certificate file against either the global verification certificate store or the store for a specific profile. * Updated the XML documentation and the sample config file. Resolves: #809	1 year ago
George Joseph	758ed2b9fd	stir_shaken: Fix memory leak, typo in config, tn canonicalization * Fixed possible memory leak in tn_config:tn_get_etn() where we weren't releasing etn if tn or eprofile were null. * We now canonicalize TNs before using them for lookups or adding them to Identity headers. * Fixed a typo in stir_shaken.conf.sample. Resolves: #716	2 years ago
George Joseph	b23f089472	res_stir_shaken: Fix compilation for CentOS7 (openssl 1.0.2) * OpenSSL 1.0.2 doesn't support X509_get0_pubkey so we now use X509_get_pubkey. The difference is that X509_get_pubkey requires the caller to free the EVP_PKEY themselves so we now let RAII_VAR do that. * OpenSSL 1.0.2 doesn't support upreffing an X509_STORE so we now wrap it in an ao2 object. * OpenSSL 1.0.2 doesn't support X509_STORE_get0_objects to get all the certs from an X509_STORE and there's no easy way to polyfill it so the CLI commands that list profiles will show a "not supported" message instead of listing the certs in a store. Resolves: #676	2 years ago
George Joseph	d478002ad5	attestation_config.c: Use ast_free instead of ast_std_free In as_check_common_config, we were calling ast_std_free on raw_key but raw_key was allocated with ast_malloc so it should be freed with ast_free. Resolves: #636	2 years ago
George Joseph	628f8d7a43	Stir/Shaken Refactor Why do we need a refactor? The original stir/shaken implementation was started over 3 years ago when little was understood about practical implementation. The result was an implementation that wouldn't actually interoperate with any other stir-shaken implementations. There were also a number of stir-shaken features and RFC requirements that were never implemented such as TNAuthList certificate validation, sending Reason headers in SIP responses when verification failed but we wished to continue the call, and the ability to send Media Key(mky) grants in the Identity header when the call involved DTLS. Finally, there were some performance concerns around outgoing calls and selection of the correct certificate and private key. The configuration was keyed by an arbitrary name which meant that for every outgoing call, we had to scan the entire list of configured TNs to find the correct cert to use. With only a few TNs configured, this wasn't an issue but if you have a thousand, it could be. What's changed? * Configuration objects have been refactored to be clearer about their uses and to fix issues. * The "general" object was renamed to "verification" since it contains parameters specific to the incoming verification process. It also never handled ca_path and crl_path correctly. * A new "attestation" object was added that controls the outgoing attestation process. It sets default certificates, keys, etc. * The "certificate" object was renamed to "tn" and had it's key change to telephone number since outgoing call attestation needs to look up certificates by telephone number. * The "profile" object had more parameters added to it that can override default parameters specified in the "attestation" and "verification" objects. * The "store" object was removed altogther as it was never implemented. * We now use libjwt to create outgoing Identity headers and to parse and validate signatures on incoming Identiy headers. Our previous custom implementation was much of the source of the interoperability issues. * General code cleanup and refactor. * Moved things to better places. * Separated some of the complex functions to smaller ones. * Using context objects rather than passing tons of parameters in function calls. * Removed some complexity and unneeded encapsuation from the config objects. Resolves: #351 Resolves: #46 UserNote: Asterisk's stir-shaken feature has been refactored to correct interoperability, RFC compliance, and performance issues. See https://docs.asterisk.org/Deployment/STIR-SHAKEN for more information. UpgradeNote: The stir-shaken refactor is a breaking change but since it's not working now we don't think it matters. The stir_shaken.conf file has changed significantly which means that existing ones WILL need to be changed. The stir_shaken.conf.sample file in configs/samples/ has quite a bit more information. This is also an ABI breaking change since some of the existing objects needed to be changed or removed, and new ones added. Additionally, if res_stir_shaken is enabled in menuselect, you'll need to either have the development package for libjwt v1.15.3 installed or use the --with-libjwt-bundled option with ./configure.	2 years ago
Ben Ford	0724b767a3	AST-2022-002 - res_stir_shaken/curl: Add ACL checks for Identity header. Adds a new configuration option, stir_shaken_profile, in pjsip.conf that can be specified on a per endpoint basis. This option will reference a stir_shaken_profile that can be configured in stir_shaken.conf. The type of this option must be 'profile'. The stir_shaken option can be specified on this object with the same values as before (attest, verify, on), but it cannot be off since having the profile itself implies wanting STIR/SHAKEN support. You can also specify an ACL from acl.conf (along with permit and deny lines in the object itself) that will be used to limit what interfaces Asterisk will attempt to retrieve information from when reading the Identity header. ASTERISK-29476 Change-Id: I87fa61f78a9ea0cd42530691a30da3c781842406	4 years ago
Ben Ford	8f3dd86b8d	AST-2022-001 - res_stir_shaken/curl: Limit file size and check start. Put checks in place to limit how much we will actually download, as well as a check for the data we receive at the start to ensure it begins with what we would expect a certificate to begin with. ASTERISK-29872 Change-Id: Ifd3c6b8bd52b8b6192a04166ccce4fc8a8000b46	4 years ago
Naveen Albert	e26b57984f	asterisk: Add macro for curl user agent. Currently, each module that uses libcurl duplicates the standard Asterisk curl user agent. This adds a global macro for the Asterisk user agent used for curl requests to eliminate this duplication. ASTERISK-29861 #close Change-Id: I9fc37935980384b4daf96ae54fa3c9adb962ed2d	4 years ago
Naveen Albert	1633410161	res_stir_shaken: refactor utility function Refactors temp file utility function into file.c. ASTERISK-29809 #close Change-Id: Ife478708c8f2b127239cb73c1755ef18c0bf431b	4 years ago
Alexander Traud	a85f2bf34d	res: Fix for Doxygen. These are the remaining issues found in /res. ASTERISK-29761 Change-Id: I572e6019c422780dde5ce8448b6c85c77af6046d	4 years ago
Josh Soref	9ae9893c63	res: Spelling fixes Correct typos of the following word families: identifying structures actcount initializer attributes statement enough locking declaration userevent provides unregister session execute searches verification suppressed prepared passwords recipients event because brief unidentified redundancy character the module reload operation backslashes accurate incorrect collision initializing instance interpreted buddies omitted manually requires queries generator scheduler configuration has owner resource performed masquerade apparently routable ASTERISK-29714 Change-Id: I88485116d2c59b776aa2e1f8b4ce8239a21decda	4 years ago
Ben Ford	0564d12280	STIR/SHAKEN: Switch to base64 URL encoding. STIR/SHAKEN encodes using base64 URL format. Currently, we just use base64. New functions have been added that convert to and from base64 encoding. The origid field should also be an UUID. This means there's no reason to have it as an option in stir_shaken.conf, as we can simply generate one when creating the Identity header. https://wiki.asterisk.org/wiki/display/AST/OpenSIPit+2021 Change-Id: Icf094a2a54e87db91d6b12244c9f5ba4fc2e0b8c	5 years ago
Ben Ford	05f7bc9c66	STIR/SHAKEN: OPENSSL_free serial hex from openssl. We're getting the serial number of the certificate from openssl and freeing it with ast_free(), but it needs to be freed with OPENSSL_free() instead. Now we duplicate the string and free the one from openssl with OPENSSL_free(), which means we can still use ast_free() on the returned string. https://wiki.asterisk.org/wiki/display/AST/OpenSIPit+2021 Change-Id: Ia6e1a4028c1933a0e1d204b769ebb9f5a11f00ab	5 years ago
Ben Ford	259ecfa289	STIR/SHAKEN: Fix certificate type and storage. During OpenSIPit, we found out that the public certificates must be of type X.509. When reading in public keys, we use the corresponding X.509 functions now. We also discovered that we needed a better naming scheme for the certificates since certificates with the same name would cause issues (overwriting certs, etc.). Now when we download a public certificate, we get the serial number from it and use that as the name of the cached certificate. The configuration option public_key_url in stir_shaken.conf has also been renamed to public_cert_url, which better describes what the option is for. https://wiki.asterisk.org/wiki/display/AST/OpenSIPit+2021 Change-Id: Ia00b20835f5f976e3603797f2f2fb19672d8114d	5 years ago
Alexander Traud	64d2de19ee	res_stir_shaken: Include OpenSSL headers where used actually. This avoids the inclusion of the OpenSSL headers in the public header, which avoids one external library dependency in res_pjsip_stir_shaken. Change-Id: I6a07e2d81d2b5442e24e99b8cc733a99f881dcf4	5 years ago
Ben Ford	deaa3742dc	res_stir_shaken: Fix memory allocation error in curl.c Fixed a memory allocation that was not passing in the correct size for the struct in curl.c. Change-Id: I5fb92fbbe84b075fa6aefa2423786df80e114c3a	5 years ago
Ben Ford	1274117102	res_stir_shaken: Add outbound INVITE support. Integrated STIR/SHAKEN support with outgoing INVITEs. When an INVITE is sent, the caller ID will be checked to see if there is a certificate that corresponds to it. If so, that information will be retrieved and an Identity header will be added to the SIP message. The format is: header.payload.signature;info=<public_key_url>alg=ES256;ppt=shaken Header, payload, and signature are all BASE64 encoded. The public key URL is retrieved from the certificate. Currently the algorithm and ppt are ES256 and shaken, respectively. This message is signed and can be used for verification on the receiving end. Two new configuration options have been added to the certificate object: attestation and origid. The attestation is required and must be A, B, or C. origid is the origination identifier. A new utility function has been added as well that takes a string, allocates space, BASE64 encodes it, then returns it, eliminating the need to calculate the size yourself. Change-Id: I1f84d6a5839cb2ed152ef4255b380cfc2de662b4	5 years ago
Ben Ford	3927f79cb5	res_stir_shaken: Add inbound INVITE support. Integrated STIR/SHAKEN support with incoming INVITES. Upon receiving an INVITE, the Identity header is retrieved, parsing the message to verify the signature. If any of the parsing fails, AST_STIR_SHAKEN_VERIFY_NOT_PRESENT will be added to the channel for this caller ID. If verification itself fails, AST_STIR_SHAKEN_VERIFY_SIGNATURE_FAILED will be added. If anything in the payload does not line up with the SIP signaling, AST_STIR_SHAKEN_VERIFY_MISMATCH will be added. If all of the above steps pass, then AST_STIR_SHAKEN_VERIFY_PASSED will be added, completing the verification process. A new config option has been added to the general section for stir_shaken.conf. "signature_timeout" is the amount of time a signature will be considered valid. If an INVITE is received and the amount of time between when it was received and when it was signed is greater than signature_timeout, verification will fail. Some changes were also made to signing and verification. There was an error where the whole JSON string was being signed rather than the header combined with the payload. This has been changed to sign the correct thing. Verification has been changed to do this as well, and the unit tests have been updated to reflect these changes. A couple of utility functions have also been added. One decodes a BASE64 string and returns the decoded string, doing all the length calculations for you. The other retrieves a string value from a header in a rdata object. Change-Id: I855f857be3d1c63b64812ac35d9ce0534085b913	5 years ago
Ben Ford	f506cc4896	res_stir_shaken: Add unit tests for signing and verification. Added two unit tests, one for signing and another for verifying. stir_shaken_sign checks to make sure that all the required parameters are passed in and then signs the actual payload. If a signature is produced and a payload returned as a result, the test passes. stir_shaken_verify takes the signature from a signed payload to verify. This unit test also verifies that all the required information is passed in, and then attempts to verify the signature. If verification is successful and a payload is returned, the test passes. Change-Id: I9fa43380f861ccf710cd0f6b6c102a517c86ea13	6 years ago
Ben Ford	9acf840f7c	res_stir_shaken: Implemented signature verification. There are a lot of moving parts in this patch, but the focus of it is on the verification of the signature using a public key located at the public key URL provided in the JSON payload. First, we check the database to see if we have already downloaded the key. If so, check to see if it has expired. If it has, redownload from the URL. If we don't have an entry in the database, just go ahead and download the public key. The expiration is tested each time we download the file. After that, read the public key from the file and use it to verify the signature. All sanity checking is done when the payload is first received, so the verification is complete once this point is reached. The XML has also been added since a new config option was added to general (curl_timeout). The maximum amount of time to wait for a download can be configured through this option, with a low value by default. Change-Id: I3ba4c63880493bf8c7d17a9cfca1af0e934d1a1c	6 years ago
Ben Ford	57a457c26c	res_stir_shaken: Implemented signing of JSON payload. This change provides functions that take in a JSON payload, verify that the contents contain all the mandatory fields and required values (if any), and signs the payload with the private key. Four fields are added to the payload: x5u, attest, iat, and origid. As of now, these are just placeholder values that will be set to actual values once the logic is implemented for what to do when an actual payload is received, but the functions to add these values have all been implemented and are ready to use. Upon successful signing and the addition of those four values, a ast_stir_shaken_payload is returned, containing other useful information such as the algorithm and signature. Change-Id: I74fa41c0640ab2a64a1a80110155bd7062f13393	6 years ago
Ben Ford	211bb8a79c	res_stir_shaken: Initial commit and reading private key. This commit sets up some of the initial framework for the module and adds a way to read the private key from the specified file, which will then be appended to the certificate object. This works fine for now, but eventually some other structure will likely need to be used to store all this information. Similarly, the caller_id_number is specified on the certificate config object, but in the end we will want that information to be tied to the certificate itself and read it from there. A method has been added that will retrieve the private key associated with the caller_id_number passed in. Tab completion for certificates and stores has also been added. Change-Id: Ic4bc1416fab5d6afe15a8e2d32f7ddd4e023295f	6 years ago

32 Commits (8149554e9004c2a37e2fa8ca26dbe19d99241229)