res_stir_shaken: Add inbound INVITE support.

Integrated STIR/SHAKEN support with incoming INVITES. Upon receiving an INVITE, the Identity header is retrieved, parsing the message to verify the signature. If any of the parsing fails, AST_STIR_SHAKEN_VERIFY_NOT_PRESENT will be added to the channel for this caller ID. If verification itself fails, AST_STIR_SHAKEN_VERIFY_SIGNATURE_FAILED will be added. If anything in the payload does not line up with the SIP signaling, AST_STIR_SHAKEN_VERIFY_MISMATCH will be added. If all of the above steps pass, then AST_STIR_SHAKEN_VERIFY_PASSED will be added, completing the verification process. A new config option has been added to the general section for stir_shaken.conf. "signature_timeout" is the amount of time a signature will be considered valid. If an INVITE is received and the amount of time between when it was received and when it was signed is greater than signature_timeout, verification will fail. Some changes were also made to signing and verification. There was an error where the whole JSON string was being signed rather than the header combined with the payload. This has been changed to sign the correct thing. Verification has been changed to do this as well, and the unit tests have been updated to reflect these changes. A couple of utility functions have also been added. One decodes a BASE64 string and returns the decoded string, doing all the length calculations for you. The other retrieves a string value from a header in a rdata object. Change-Id: I855f857be3d1c63b64812ac35d9ce0534085b913
2025-11-20 08:40:16 +00:00 · 2020-05-19 14:46:45 -05:00
parent 1fcb6b1b21
commit 3927f79cb5
10 changed files with 344 additions and 34 deletions
--- a/include/asterisk/res_pjsip.h
+++ b/include/asterisk/res_pjsip.h
@@ -2218,6 +2218,19 @@ int ast_sip_create_request_with_auth(const struct ast_sip_auth_vector *auths, pj
 */
 struct ast_sip_endpoint *ast_sip_identify_endpoint(pjsip_rx_data *rdata);

+/*!
+ * \brief Get a specific header value from rdata
+ *
+ * \note The returned value does not need to be freed since it's from the rdata pool
+ *
+ * \param rdata The rdata
+ * \param str The header to find
+ *
+ * \retval NULL on failure
+ * \retval The header value on success
+ */
+char *ast_sip_rdata_get_header_value(pjsip_rx_data *rdata, const pj_str_t str);
+
 /*!
 * \brief Set the outbound proxy for an outbound SIP message
 *
--- a/include/asterisk/res_stir_shaken.h
+++ b/include/asterisk/res_stir_shaken.h
@@ -32,6 +32,13 @@ struct ast_stir_shaken_payload;

 struct ast_json;

+/*!
+ * \brief Retrieve the value for 'signature_timeout' from 'general' config object
+ *
+ * \retval The signature timeout
+ */
+unsigned int ast_stir_shaken_get_signature_timeout(void);
+
 /*!
 * \brief Add a STIR/SHAKEN verification result to a channel
 *
--- a/include/asterisk/utils.h
+++ b/include/asterisk/utils.h
@@ -250,6 +250,19 @@ int ast_base64encode(char *dst, const unsigned char *src, int srclen, int max);
 */
 int ast_base64decode(unsigned char *dst, const char *src, int max);

+/*!
+ * \brief Same as ast_base64decode, but does the math for you and returns
+ * a decoded string
+ *
+ * \note The returned string will need to be freed later
+ *
+ * \param src The source buffer
+ *
+ * \retval NULL on failure
+ * \retval Decoded string on success
+ */
+char *ast_base64decode_string(const char *src);
+
 #define AST_URI_ALPHANUM     (1 << 0)
 #define AST_URI_MARK         (1 << 1)
 #define AST_URI_UNRESERVED   (AST_URI_ALPHANUM | AST_URI_MARK)