2020-03-23 15:00:09 -05:00
|
|
|
/*
|
|
|
|
|
* Asterisk -- An open source telephony toolkit.
|
|
|
|
|
*
|
|
|
|
|
* Copyright (C) 2020, Sangoma Technologies Corporation
|
|
|
|
|
*
|
|
|
|
|
* Kevin Harwell <kharwell@sangoma.com>
|
|
|
|
|
*
|
|
|
|
|
* See http://www.asterisk.org for more information about
|
|
|
|
|
* the Asterisk project. Please do not directly contact
|
|
|
|
|
* any of the maintainers of this project for assistance;
|
|
|
|
|
* the project provides a web site, mailing lists and IRC
|
|
|
|
|
* channels for your use.
|
|
|
|
|
*
|
|
|
|
|
* This program is free software, distributed under the terms of
|
|
|
|
|
* the GNU General Public License Version 2. See the LICENSE file
|
|
|
|
|
* at the top of the source tree.
|
|
|
|
|
*/
|
|
|
|
|
#ifndef _RES_STIR_SHAKEN_H
|
|
|
|
|
#define _RES_STIR_SHAKEN_H
|
|
|
|
|
|
|
|
|
|
#include <openssl/evp.h>
|
|
|
|
|
#include <openssl/pem.h>
|
|
|
|
|
|
2020-05-04 16:11:00 -05:00
|
|
|
enum ast_stir_shaken_verification_result {
|
|
|
|
|
AST_STIR_SHAKEN_VERIFY_NOT_PRESENT, /*! No STIR/SHAKEN information was available */
|
|
|
|
|
AST_STIR_SHAKEN_VERIFY_SIGNATURE_FAILED, /*! Signature verification failed */
|
|
|
|
|
AST_STIR_SHAKEN_VERIFY_MISMATCH, /*! Contents of the signaling and the STIR/SHAKEN payload did not match */
|
|
|
|
|
AST_STIR_SHAKEN_VERIFY_PASSED, /*! Signature verified and contents match signaling */
|
|
|
|
|
};
|
|
|
|
|
|
2020-03-26 13:34:47 -05:00
|
|
|
struct ast_stir_shaken_payload;
|
|
|
|
|
|
|
|
|
|
struct ast_json;
|
|
|
|
|
|
res_stir_shaken: Add inbound INVITE support.
Integrated STIR/SHAKEN support with incoming INVITES. Upon receiving an
INVITE, the Identity header is retrieved, parsing the message to verify
the signature. If any of the parsing fails,
AST_STIR_SHAKEN_VERIFY_NOT_PRESENT will be added to the channel for this
caller ID. If verification itself fails,
AST_STIR_SHAKEN_VERIFY_SIGNATURE_FAILED will be added. If anything in
the payload does not line up with the SIP signaling,
AST_STIR_SHAKEN_VERIFY_MISMATCH will be added. If all of the above steps
pass, then AST_STIR_SHAKEN_VERIFY_PASSED will be added, completing the
verification process.
A new config option has been added to the general section for
stir_shaken.conf. "signature_timeout" is the amount of time a signature
will be considered valid. If an INVITE is received and the amount of
time between when it was received and when it was signed is greater than
signature_timeout, verification will fail.
Some changes were also made to signing and verification. There was an
error where the whole JSON string was being signed rather than the
header combined with the payload. This has been changed to sign the
correct thing. Verification has been changed to do this as well, and the
unit tests have been updated to reflect these changes.
A couple of utility functions have also been added. One decodes a BASE64
string and returns the decoded string, doing all the length calculations
for you. The other retrieves a string value from a header in a rdata
object.
Change-Id: I855f857be3d1c63b64812ac35d9ce0534085b913
2020-05-19 14:46:45 -05:00
|
|
|
/*!
|
|
|
|
|
* \brief Retrieve the value for 'signature_timeout' from 'general' config object
|
|
|
|
|
*
|
|
|
|
|
* \retval The signature timeout
|
|
|
|
|
*/
|
|
|
|
|
unsigned int ast_stir_shaken_get_signature_timeout(void);
|
|
|
|
|
|
2020-05-04 16:11:00 -05:00
|
|
|
/*!
|
|
|
|
|
* \brief Add a STIR/SHAKEN verification result to a channel
|
|
|
|
|
*
|
|
|
|
|
* \param chan The channel
|
|
|
|
|
* \param identity The identity
|
|
|
|
|
* \param attestation The attestation
|
|
|
|
|
* \param result The verification result
|
|
|
|
|
*
|
|
|
|
|
* \retval -1 on failure
|
|
|
|
|
* \retval 0 on success
|
|
|
|
|
*/
|
|
|
|
|
int ast_stir_shaken_add_verification(struct ast_channel *chan, const char *identity, const char *attestation,
|
|
|
|
|
enum ast_stir_shaken_verification_result result);
|
|
|
|
|
|
2020-04-15 13:15:21 -05:00
|
|
|
/*!
|
|
|
|
|
* \brief Verify a JSON STIR/SHAKEN payload
|
|
|
|
|
*
|
|
|
|
|
* \param header The payload header
|
|
|
|
|
* \param payload The payload section
|
|
|
|
|
* \param signature The payload signature
|
|
|
|
|
* \param algorithm The signature algorithm
|
|
|
|
|
* \param public_key_url The public key URL
|
|
|
|
|
*
|
|
|
|
|
* \retval ast_stir_shaken_payload on success
|
|
|
|
|
* \retval NULL on failure
|
|
|
|
|
*/
|
|
|
|
|
struct ast_stir_shaken_payload *ast_stir_shaken_verify(const char *header, const char *payload, const char *signature,
|
|
|
|
|
const char *algorithm, const char *public_key_url);
|
|
|
|
|
|
2020-03-23 15:00:09 -05:00
|
|
|
/*!
|
|
|
|
|
* \brief Retrieve the stir/shaken sorcery context
|
|
|
|
|
*
|
|
|
|
|
* \retval The stir/shaken sorcery context
|
|
|
|
|
*/
|
|
|
|
|
struct ast_sorcery *ast_stir_shaken_sorcery(void);
|
|
|
|
|
|
|
|
|
|
/*!
|
2020-03-26 13:34:47 -05:00
|
|
|
* \brief Free a STIR/SHAKEN payload
|
|
|
|
|
*/
|
|
|
|
|
void ast_stir_shaken_payload_free(struct ast_stir_shaken_payload *payload);
|
|
|
|
|
|
|
|
|
|
/*!
|
|
|
|
|
* \brief Sign a JSON STIR/SHAKEN payload
|
2020-03-23 15:00:09 -05:00
|
|
|
*
|
2020-03-26 13:34:47 -05:00
|
|
|
* \note This function will automatically add the "attest", "iat", and "origid" fields.
|
2020-04-15 13:15:21 -05:00
|
|
|
*
|
|
|
|
|
* \param json The JWT to sign
|
|
|
|
|
*
|
|
|
|
|
* \retval ast_stir_shaken_payload on success
|
|
|
|
|
* \retval NULL on failure
|
2020-03-23 15:00:09 -05:00
|
|
|
*/
|
2020-03-26 13:34:47 -05:00
|
|
|
struct ast_stir_shaken_payload *ast_stir_shaken_sign(struct ast_json *json);
|
2020-03-23 15:00:09 -05:00
|
|
|
|
|
|
|
|
#endif /* _RES_STIR_SHAKEN_H */
|