123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500 |
- /*
- * Asterisk -- An open source telephony toolkit.
- *
- * Copyright (C) 2020, Sangoma Technologies Corporation
- *
- * Ben Ford <bford@sangoma.com>
- *
- * See http://www.asterisk.org for more information about
- * the Asterisk project. Please do not directly contact
- * any of the maintainers of this project for assistance;
- * the project provides a web site, mailing lists and IRC
- * channels for your use.
- *
- * This program is free software, distributed under the terms of
- * the GNU General Public License Version 2. See the LICENSE file
- * at the top of the source tree.
- */
- /*** MODULEINFO
- <depend>pjproject</depend>
- <depend>res_pjsip</depend>
- <depend>res_pjsip_session</depend>
- <depend>res_stir_shaken</depend>
- <support_level>core</support_level>
- ***/
- #include "asterisk.h"
- #define _TRACE_PREFIX_ "pjss",__LINE__, ""
- #include "asterisk/callerid.h"
- #include "asterisk/res_pjsip.h"
- #include "asterisk/res_pjsip_session.h"
- #include "asterisk/module.h"
- #include "asterisk/rtp_engine.h"
- #include "asterisk/res_stir_shaken.h"
- static const pj_str_t identity_hdr_str = { "Identity", 8 };
- static const pj_str_t date_hdr_str = { "Date", 4 };
- /* Response codes from RFC8224 */
- enum sip_response_code {
- SIP_RESPONSE_CODE_OK = 200,
- SIP_RESPONSE_CODE_STALE_DATE = 403,
- SIP_RESPONSE_CODE_USE_IDENTITY_HEADER = 428,
- SIP_RESPONSE_CODE_BAD_IDENTITY_INFO = 436,
- SIP_RESPONSE_CODE_UNSUPPORTED_CREDENTIAL = 437,
- SIP_RESPONSE_CODE_INVALID_IDENTITY_HEADER = 438,
- SIP_RESPONSE_CODE_USE_SUPPORTED_PASSPORT_FORMAT = 428,
- SIP_RESPONSE_CODE_INTERNAL_ERROR = 500,
- };
- #define SIP_RESPONSE_CODE_OK_STR "OK"
- /* Response strings from RFC8224 */
- #define SIP_RESPONSE_CODE_STALE_DATE_STR "Stale Date"
- #define SIP_RESPONSE_CODE_USE_IDENTITY_HEADER_STR "Use Identity Header"
- #define SIP_RESPONSE_CODE_USE_SUPPORTED_PASSPORT_FORMAT_STR "Use Supported PASSporT Format"
- #define SIP_RESPONSE_CODE_BAD_IDENTITY_INFO_STR "Bad Identity Info"
- #define SIP_RESPONSE_CODE_UNSUPPORTED_CREDENTIAL_STR "Unsupported Credential"
- #define SIP_RESPONSE_CODE_INVALID_IDENTITY_HEADER_STR "Invalid Identity Header"
- #define SIP_RESPONSE_CODE_INTERNAL_ERROR_STR "Internal Error"
- #define response_to_str(_code) \
- case _code: \
- return _code ## _STR;
- static const char *sip_response_code_to_str(enum sip_response_code code)
- {
- switch (code) {
- response_to_str(SIP_RESPONSE_CODE_OK)
- response_to_str(SIP_RESPONSE_CODE_STALE_DATE)
- response_to_str(SIP_RESPONSE_CODE_USE_IDENTITY_HEADER)
- response_to_str(SIP_RESPONSE_CODE_BAD_IDENTITY_INFO)
- response_to_str(SIP_RESPONSE_CODE_UNSUPPORTED_CREDENTIAL)
- response_to_str(SIP_RESPONSE_CODE_INVALID_IDENTITY_HEADER)
- default:
- break;
- }
- return "";
- }
- #define translate_code(_vs_rc, _sip_rc) \
- case AST_STIR_SHAKEN_VS_ ## _vs_rc: \
- return SIP_RESPONSE_CODE_ ## _sip_rc;
- static enum sip_response_code vs_code_to_sip_code(
- enum ast_stir_shaken_vs_response_code vs_rc)
- {
- /*
- * We want to use a switch/case statement here because
- * it'll spit out an error if VS codes are added to the
- * enum but aren't present here.
- */
- switch (vs_rc) {
- translate_code(SUCCESS, OK)
- translate_code(DISABLED, OK)
- translate_code(INVALID_ARGUMENTS, INTERNAL_ERROR)
- translate_code(INTERNAL_ERROR, INTERNAL_ERROR)
- translate_code(NO_IDENTITY_HDR, USE_IDENTITY_HEADER)
- translate_code(NO_DATE_HDR, STALE_DATE)
- translate_code(DATE_HDR_PARSE_FAILURE, STALE_DATE)
- translate_code(DATE_HDR_EXPIRED, STALE_DATE)
- translate_code(NO_JWT_HDR, INVALID_IDENTITY_HEADER)
- translate_code(INVALID_OR_NO_X5U, INVALID_IDENTITY_HEADER)
- translate_code(CERT_CACHE_MISS, INVALID_IDENTITY_HEADER)
- translate_code(CERT_CACHE_INVALID, INVALID_IDENTITY_HEADER)
- translate_code(CERT_CACHE_EXPIRED, INVALID_IDENTITY_HEADER)
- translate_code(CERT_RETRIEVAL_FAILURE, BAD_IDENTITY_INFO)
- translate_code(CERT_CONTENTS_INVALID, UNSUPPORTED_CREDENTIAL)
- translate_code(CERT_NOT_TRUSTED, UNSUPPORTED_CREDENTIAL)
- translate_code(CERT_DATE_INVALID, UNSUPPORTED_CREDENTIAL)
- translate_code(CERT_NO_TN_AUTH_EXT, UNSUPPORTED_CREDENTIAL)
- translate_code(CERT_NO_SPC_IN_TN_AUTH_EXT, UNSUPPORTED_CREDENTIAL)
- translate_code(NO_RAW_KEY, UNSUPPORTED_CREDENTIAL)
- translate_code(SIGNATURE_VALIDATION, INVALID_IDENTITY_HEADER)
- translate_code(NO_IAT, INVALID_IDENTITY_HEADER)
- translate_code(IAT_EXPIRED, STALE_DATE)
- translate_code(INVALID_OR_NO_PPT, INVALID_IDENTITY_HEADER)
- translate_code(INVALID_OR_NO_ALG, INVALID_IDENTITY_HEADER)
- translate_code(INVALID_OR_NO_TYP, INVALID_IDENTITY_HEADER)
- translate_code(INVALID_OR_NO_ATTEST, INVALID_IDENTITY_HEADER)
- translate_code(NO_ORIGID, INVALID_IDENTITY_HEADER)
- translate_code(NO_ORIG_TN, INVALID_IDENTITY_HEADER)
- translate_code(NO_DEST_TN, INVALID_IDENTITY_HEADER)
- translate_code(INVALID_HEADER, INVALID_IDENTITY_HEADER)
- translate_code(INVALID_GRANT, INVALID_IDENTITY_HEADER)
- translate_code(INVALID_OR_NO_GRANTS, INVALID_IDENTITY_HEADER)
- translate_code(CID_ORIG_TN_MISMATCH, INVALID_IDENTITY_HEADER)
- translate_code(RESPONSE_CODE_MAX, INVALID_IDENTITY_HEADER)
- }
- return 500;
- }
- enum process_failure_rc {
- PROCESS_FAILURE_CONTINUE = 0,
- PROCESS_FAILURE_REJECT,
- PROCESS_FAILURE_SYSTEM_FAILURE,
- };
- static void reject_incoming_call(struct ast_sip_session *session,
- enum sip_response_code response_code)
- {
- ast_sip_session_terminate(session, response_code);
- ast_hangup(session->channel);
- }
- static enum process_failure_rc process_failure(struct ast_stir_shaken_vs_ctx *ctx,
- const char *caller_id, struct ast_sip_session *session,
- pjsip_rx_data *rdata, enum ast_stir_shaken_vs_response_code vs_rc)
- {
- enum sip_response_code response_code = vs_code_to_sip_code(vs_rc);
- pj_str_t response_str;
- const char *response_string =
- sip_response_code_to_str(response_code);
- enum stir_shaken_failure_action_enum failure_action =
- ast_stir_shaken_vs_get_failure_action(ctx);
- const char *tag = ast_sip_session_get_name(session);
- SCOPE_ENTER(1, "%s: FA: %d RC: %d\n", tag,
- failure_action, response_code);
- pj_cstr(&response_str, response_string);
- if (failure_action == stir_shaken_failure_action_REJECT_REQUEST) {
- reject_incoming_call(session, response_code);
- SCOPE_EXIT_RTN_VALUE(PROCESS_FAILURE_REJECT,
- "%s: Rejecting request and terminating session\n",
- tag);
- }
- ast_stir_shaken_vs_ctx_set_response_code(ctx, vs_rc);
- ast_stir_shaken_add_result_to_channel(ctx);
- if (failure_action == stir_shaken_failure_action_CONTINUE_RETURN_REASON) {
- int rc = ast_sip_session_add_reason_header(session,
- ast_stir_shaken_vs_get_use_rfc9410_responses(ctx) ? "STIR" : "SIP",
- response_code, response_str.ptr);
- if (rc != 0) {
- SCOPE_EXIT_RTN_VALUE(PROCESS_FAILURE_SYSTEM_FAILURE,
- "%s: Failed to add Reason header\n", tag);
- }
- SCOPE_EXIT_RTN_VALUE(PROCESS_FAILURE_CONTINUE,
- "%s: Attaching reason code to session\n", tag);
- }
- SCOPE_EXIT_RTN_VALUE(PROCESS_FAILURE_CONTINUE,
- "%s: Continuing\n", tag);
- }
- /*!
- * \internal
- * \brief Session supplement callback on an incoming INVITE request
- *
- * When we receive an INVITE, check it for STIR/SHAKEN information and
- * decide what to do from there
- *
- * \param session The session that has received an INVITE
- * \param rdata The incoming INVITE
- */
- static int stir_shaken_incoming_request(struct ast_sip_session *session, pjsip_rx_data *rdata)
- {
- RAII_VAR(struct ast_stir_shaken_vs_ctx *, ctx, NULL, ao2_cleanup);
- RAII_VAR(char *, header, NULL, ast_free);
- RAII_VAR(char *, payload, NULL, ast_free);
- char *identity_hdr_val;
- char *date_hdr_val;
- char *caller_id = session->id.number.str;
- const char *session_name = ast_sip_session_get_name(session);
- struct ast_channel *chan = session->channel;
- enum ast_stir_shaken_vs_response_code vs_rc;
- enum process_failure_rc p_rc;
- SCOPE_ENTER(1, "%s: Enter\n", session_name);
- if (!session) {
- SCOPE_EXIT_LOG_RTN_VALUE(1, LOG_ERROR, "No session\n");
- }
- if (!session->channel) {
- SCOPE_EXIT_LOG_RTN_VALUE(1, LOG_ERROR, "%s: No channel\n", session_name);
- }
- if (!rdata) {
- SCOPE_EXIT_LOG_RTN_VALUE(1, LOG_ERROR, "%s: No rdata\n", session_name);
- }
- /* Check if this is a reinvite. If it is, we don't need to do anything */
- if (rdata->msg_info.to->tag.slen) {
- SCOPE_EXIT_RTN_VALUE(0, "%s: Reinvite. No action needed\n", session_name);
- }
- /*
- * Shortcut: If there's no callerid or profile name,
- * just bail now.
- */
- if (ast_strlen_zero(caller_id)
- || ast_strlen_zero(session->endpoint->stir_shaken_profile)) {
- SCOPE_EXIT_RTN_VALUE(0, "%s: No callerid or profile name. No action needed\n", session_name);
- }
- vs_rc = ast_stir_shaken_vs_ctx_create(caller_id, chan,
- session->endpoint->stir_shaken_profile,
- session_name, &ctx);
- if (vs_rc == AST_STIR_SHAKEN_VS_DISABLED) {
- SCOPE_EXIT_RTN_VALUE(0, "%s: VS Disabled\n", session_name);
- } else if (vs_rc != AST_STIR_SHAKEN_VS_SUCCESS) {
- reject_incoming_call(session, 500);
- SCOPE_EXIT_RTN_VALUE(1, "%s: Unable to create context. Call terminated\n",
- session_name);
- }
- identity_hdr_val = ast_sip_rdata_get_header_value(rdata, identity_hdr_str);
- if (ast_strlen_zero(identity_hdr_val)) {
- p_rc = process_failure(ctx, caller_id, session, rdata,
- AST_STIR_SHAKEN_VS_NO_IDENTITY_HDR);
- if (p_rc == PROCESS_FAILURE_CONTINUE) {
- SCOPE_EXIT_RTN_VALUE(0, "%s: No Identity header found. Call continuing\n",
- session_name);
- }
- SCOPE_EXIT_LOG_RTN_VALUE(1, LOG_ERROR, "%s: No Identity header found. Call terminated\n",
- session_name);
- }
- vs_rc = ast_stir_shaken_vs_ctx_add_identity_hdr(ctx, identity_hdr_val);
- if (vs_rc != AST_STIR_SHAKEN_VS_SUCCESS) {
- reject_incoming_call(session, 500);
- SCOPE_EXIT_LOG_RTN_VALUE(1, LOG_ERROR, "%s: Unable to add Identity header. Call terminated.\n",
- session_name);
- }
- date_hdr_val = ast_sip_rdata_get_header_value(rdata, date_hdr_str);
- if (ast_strlen_zero(date_hdr_val)) {
- p_rc = process_failure(ctx, caller_id, session, rdata,
- AST_STIR_SHAKEN_VS_NO_DATE_HDR);
- if (p_rc == PROCESS_FAILURE_CONTINUE) {
- SCOPE_EXIT_RTN_VALUE(0, "%s: No Date header found. Call continuing\n",
- session_name);
- }
- SCOPE_EXIT_LOG_RTN_VALUE(1, LOG_ERROR, "%s: No Date header found. Call terminated\n",
- session_name);
- }
- ast_stir_shaken_vs_ctx_add_date_hdr(ctx, date_hdr_val);
- if (vs_rc != AST_STIR_SHAKEN_VS_SUCCESS) {
- reject_incoming_call(session, 500);
- SCOPE_EXIT_LOG_RTN_VALUE(1, LOG_ERROR, "%s: Unable to add Date header. Call terminated.\n",
- session_name);
- }
- vs_rc = ast_stir_shaken_vs_verify(ctx);
- if (vs_rc != AST_STIR_SHAKEN_VS_SUCCESS) {
- p_rc = process_failure(ctx, caller_id, session, rdata, vs_rc);
- if (p_rc == PROCESS_FAILURE_CONTINUE) {
- SCOPE_EXIT_RTN_VALUE(0, "%s: Verification failed. Call continuing\n",
- session_name);
- }
- SCOPE_EXIT_LOG_RTN_VALUE(1, LOG_ERROR, "%s: Verification failed. Call terminated\n",
- session_name);
- }
- ast_stir_shaken_add_result_to_channel(ctx);
- SCOPE_EXIT_RTN_VALUE(0, "Passed\n");
- }
- static void add_fingerprints_if_present(struct ast_sip_session *session,
- struct ast_stir_shaken_as_ctx *ctx)
- {
- struct ast_sip_session_media_state *ms = session->pending_media_state;
- struct ast_sip_session_media *m = NULL;
- struct ast_rtp_engine_dtls *d = NULL;
- enum ast_rtp_dtls_hash h;
- int i;
- const char *tag = ast_sip_session_get_name(session);
- size_t count = AST_VECTOR_SIZE(&ms->sessions);
- SCOPE_ENTER(4, "%s: Check %zu media sessions for fingerprints\n",
- tag, count);
- if (!ast_stir_shaken_as_ctx_wants_fingerprints(ctx)) {
- SCOPE_EXIT_RTN("%s: Fingerprints not needed\n", tag);
- }
- for (i = 0; i < count; i++) {
- const char *f;
- m = AST_VECTOR_GET(&ms->sessions, i);
- if (!m|| !m->rtp) {
- ast_trace(1, "Session: %d: No session or rtp instance\n", i);
- continue;
- }
- d = ast_rtp_instance_get_dtls(m->rtp);
- h = d->get_fingerprint_hash(m->rtp);
- f = d->get_fingerprint(m->rtp);
- ast_stir_shaken_as_ctx_add_fingerprint(ctx,
- h == AST_RTP_DTLS_HASH_SHA256 ? "sha-256" : "sha-1", f);
- }
- SCOPE_EXIT_RTN("%s: Done\n", tag);
- }
- static char *get_dest_tn(pjsip_tx_data *tdata, const char *tag)
- {
- pjsip_fromto_hdr *to;
- pjsip_sip_uri *uri;
- char *dest_tn = NULL;
- SCOPE_ENTER(4, "%s: Enter\n", tag);
- to = pjsip_msg_find_hdr(tdata->msg, PJSIP_H_TO, NULL);
- if (!to) {
- SCOPE_EXIT_RTN_VALUE(NULL, "%s: Failed to find To header\n", tag);
- }
- uri = pjsip_uri_get_uri(to->uri);
- if (!uri) {
- SCOPE_EXIT_RTN_VALUE(NULL,
- "%s: Failed to retrieve URI from To header\n", tag);
- }
- dest_tn = ast_malloc(uri->user.slen + 1);
- if (!dest_tn) {
- SCOPE_EXIT_RTN_VALUE(NULL,
- "%s: Failed to allocate memory for dest_tn\n", tag);
- }
- ast_copy_pj_str(dest_tn, &uri->user, uri->user.slen + 1);
- SCOPE_EXIT_RTN_VALUE(dest_tn, "%s: Done\n", tag);
- }
- static void add_date_header(const struct ast_sip_session *session, pjsip_tx_data *tdata)
- {
- pjsip_fromto_hdr *old_date;
- const char *session_name = ast_sip_session_get_name(session);
- SCOPE_ENTER(1, "%s: Enter\n", session_name);
- old_date = pjsip_msg_find_hdr_by_name(tdata->msg, &date_hdr_str, NULL);
- if (old_date) {
- SCOPE_EXIT_RTN("Found existing Date header, no need to add one\n");
- }
- ast_sip_add_date_header(tdata);
- SCOPE_EXIT_RTN("Done\n");
- }
- static void stir_shaken_outgoing_request(struct ast_sip_session *session,
- pjsip_tx_data *tdata)
- {
- struct ast_party_id effective_id;
- struct ast_party_id connected_id;
- pjsip_generic_string_hdr *old_identity;
- pjsip_generic_string_hdr *identity_hdr;
- pj_str_t identity_val;
- char *dest_tn;
- char *identity_str;
- struct ast_stir_shaken_as_ctx *ctx = NULL;
- enum ast_stir_shaken_as_response_code as_rc;
- const char *session_name = ast_sip_session_get_name(session);
- SCOPE_ENTER(1, "%s: Enter\n", session_name);
- if (!session) {
- SCOPE_EXIT_LOG_RTN(LOG_ERROR, "No session\n");
- }
- if (!session->channel) {
- SCOPE_EXIT_LOG_RTN(LOG_ERROR, "%s: No channel\n", session_name);
- }
- if (!tdata) {
- SCOPE_EXIT_LOG_RTN(LOG_ERROR, "%s: No tdata\n", session_name);
- }
- old_identity = pjsip_msg_find_hdr_by_name(tdata->msg, &identity_hdr_str, NULL);
- if (old_identity) {
- SCOPE_EXIT_RTN("Found an existing Identity header\n");
- }
- dest_tn = get_dest_tn(tdata, session_name);
- if (!dest_tn) {
- SCOPE_EXIT_LOG_RTN(LOG_ERROR, "%s: Unable to find destination tn\n",
- session_name);
- }
- ast_party_id_init(&connected_id);
- ast_channel_lock(session->channel);
- effective_id = ast_channel_connected_effective_id(session->channel);
- ast_party_id_copy(&connected_id, &effective_id);
- ast_channel_unlock(session->channel);
- if (!ast_sip_can_present_connected_id(session, &connected_id)) {
- ast_free(dest_tn);
- ast_party_id_free(&connected_id);
- SCOPE_EXIT_RTN("Unable to get caller id\n");
- }
- as_rc = ast_stir_shaken_as_ctx_create(connected_id.number.str,
- dest_tn, session->channel,
- session->endpoint->stir_shaken_profile,
- session_name, &ctx);
- ast_free(dest_tn);
- ast_party_id_free(&connected_id);
- if (as_rc == AST_STIR_SHAKEN_AS_DISABLED) {
- SCOPE_EXIT_RTN("%s: AS Disabled\n", session_name);
- } else if (as_rc != AST_STIR_SHAKEN_AS_SUCCESS) {
- SCOPE_EXIT_RTN("%s: Unable to create context\n",
- session_name);
- }
- add_date_header(session, tdata);
- add_fingerprints_if_present(session, ctx);
- as_rc = ast_stir_shaken_attest(ctx, &identity_str);
- if (as_rc != AST_STIR_SHAKEN_AS_SUCCESS) {
- ao2_cleanup(ctx);
- SCOPE_EXIT_LOG(LOG_ERROR,
- "%s: Failed to create attestation\n", session_name);
- }
- ast_trace(1, "%s: Identity header: %s\n", session_name, identity_str);
- identity_val = pj_str(identity_str);
- identity_hdr = pjsip_generic_string_hdr_create(tdata->pool, &identity_hdr_str, &identity_val);
- ast_free(identity_str);
- if (!identity_hdr) {
- ao2_cleanup(ctx);
- SCOPE_EXIT_LOG_RTN(LOG_ERROR,
- "%s: Unable to create Identity header\n", session_name);
- }
- pjsip_msg_add_hdr(tdata->msg, (pjsip_hdr *)identity_hdr);
- ao2_cleanup(ctx);
- SCOPE_EXIT_RTN("Done\n");
- }
- static struct ast_sip_session_supplement stir_shaken_supplement = {
- .method = "INVITE",
- .priority = AST_SIP_SUPPLEMENT_PRIORITY_CHANNEL + 1, /* Run AFTER channel creation */
- .incoming_request = stir_shaken_incoming_request,
- .outgoing_request = stir_shaken_outgoing_request,
- };
- static int unload_module(void)
- {
- ast_sip_session_unregister_supplement(&stir_shaken_supplement);
- return 0;
- }
- static int load_module(void)
- {
- ast_sip_session_register_supplement(&stir_shaken_supplement);
- return AST_MODULE_LOAD_SUCCESS;
- }
- #undef AST_BUILDOPT_SUM
- #define AST_BUILDOPT_SUM ""
- AST_MODULE_INFO(ASTERISK_GPL_KEY, AST_MODFLAG_GLOBAL_SYMBOLS | AST_MODFLAG_LOAD_ORDER, "PJSIP STIR/SHAKEN Module for Asterisk",
- .support_level = AST_MODULE_SUPPORT_CORE,
- .load = load_module,
- .unload = unload_module,
- .load_pri = AST_MODPRI_DEFAULT,
- .requires = "res_pjsip,res_pjsip_session,res_stir_shaken",
- );
|