mirror of
				https://github.com/asterisk/asterisk.git
				synced 2025-10-25 22:18:07 +00:00 
			
		
		
		
	* A static array of security mechanism type names was created. * ast_sip_str_to_security_mechanism_type() was refactored to do a lookup in the new array instead of using fixed "if/else if" statments. * security_mechanism_to_str() and ast_sip_security_mechanisms_to_str() were refactored to use ast_str instead of a fixed length buffer to store the result. * ast_sip_security_mechanism_type_to_str was removed in favor of just referencing the new type name array. Despite starting with "ast_sip_", it was a static function so removing it doesn't affect ABI. * Speaking of "ast_sip_", several other static functions that started with "ast_sip_" were renamed to avoid confusion about their public availability. * A few VECTOR free loops were replaced with AST_VECTOR_RESET(). * Fixed a meomry leak in pjsip_configuration.c endpoint_destructor caused by not calling ast_sip_security_mechanisms_vector_destroy(). * Fixed a memory leak in res_pjsip_outbound_registration.c add_security_headers() caused by not specifying OBJ_NODATA in an ao2_callback. * Fixed a few ao2_callback return code misuses. Resolves: #845
		
			
				
	
	
		
			383 lines
		
	
	
		
			9.3 KiB
		
	
	
	
		
			C
		
	
	
	
	
	
			
		
		
	
	
			383 lines
		
	
	
		
			9.3 KiB
		
	
	
	
		
			C
		
	
	
	
	
	
| /*
 | |
|  * Asterisk -- An open source telephony toolkit.
 | |
|  *
 | |
|  * Copyright (C) 2022, Commend International
 | |
|  *
 | |
|  * Maximilian Fridrich <m.fridrich@commend.com>
 | |
|  *
 | |
|  * See http://www.asterisk.org for more information about
 | |
|  * the Asterisk project. Please do not directly contact
 | |
|  * any of the maintainers of this project for assistance;
 | |
|  * the project provides a web site, mailing lists and IRC
 | |
|  * channels for your use.
 | |
|  *
 | |
|  * This program is free software, distributed under the terms of
 | |
|  * the GNU General Public License Version 2. See the LICENSE file
 | |
|  * at the top of the source tree.
 | |
|  */
 | |
| 
 | |
| /*!
 | |
|  * \file
 | |
|  *
 | |
|  * \brief Interact with security agreement negotiations and mechanisms
 | |
|  *
 | |
|  * \author Maximilian Fridrich <m.fridrich@commend.com>
 | |
|  */
 | |
| 
 | |
| #include "asterisk.h"
 | |
| 
 | |
| #include <pjsip.h>
 | |
| 
 | |
| #include "asterisk/res_pjsip.h"
 | |
| 
 | |
| static struct ast_sip_security_mechanism *security_mechanisms_alloc(size_t n_params)
 | |
| {
 | |
| 	struct ast_sip_security_mechanism *mech;
 | |
| 
 | |
| 	mech = ast_calloc(1, sizeof(struct ast_sip_security_mechanism));
 | |
| 	if (mech == NULL) {
 | |
| 		return NULL;
 | |
| 	}
 | |
| 	mech->qvalue = 0.0;
 | |
| 	if (AST_VECTOR_INIT(&mech->mechanism_parameters, n_params) != 0) {
 | |
| 		ast_free(mech);
 | |
| 		return NULL;
 | |
| 	}
 | |
| 
 | |
| 	return mech;
 | |
| }
 | |
| 
 | |
| static struct ast_sip_security_mechanism *security_mechanisms_copy(
 | |
| 	const struct ast_sip_security_mechanism *src)
 | |
| {
 | |
| 	struct ast_sip_security_mechanism *dst = NULL;
 | |
| 	int i, n_params;
 | |
| 	char *param;
 | |
| 
 | |
| 	n_params = AST_VECTOR_SIZE(&src->mechanism_parameters);
 | |
| 
 | |
| 	dst = security_mechanisms_alloc(n_params);
 | |
| 	if (dst == NULL) {
 | |
| 		return NULL;
 | |
| 	}
 | |
| 	dst->type = src->type;
 | |
| 	dst->qvalue = src->qvalue;
 | |
| 
 | |
| 	for (i = 0; i < n_params; i++) {
 | |
| 		param = ast_strdup(AST_VECTOR_GET(&src->mechanism_parameters, i));
 | |
| 		AST_VECTOR_APPEND(&dst->mechanism_parameters, param);
 | |
| 	}
 | |
| 
 | |
| 	return dst;
 | |
| }
 | |
| 
 | |
| static void security_mechanism_destroy(struct ast_sip_security_mechanism *mech)
 | |
| {
 | |
| 	AST_VECTOR_RESET(&mech->mechanism_parameters, ast_free);
 | |
| 	AST_VECTOR_FREE(&mech->mechanism_parameters);
 | |
| 	ast_free(mech);
 | |
| }
 | |
| 
 | |
| void ast_sip_security_mechanisms_vector_copy(struct ast_sip_security_mechanism_vector *dst,
 | |
| 	const struct ast_sip_security_mechanism_vector *src)
 | |
| {
 | |
| 	struct ast_sip_security_mechanism *mech;
 | |
| 	int i;
 | |
| 
 | |
| 	ast_sip_security_mechanisms_vector_destroy(dst);
 | |
| 	for (i = 0; i < AST_VECTOR_SIZE(src); i++) {
 | |
| 		mech = AST_VECTOR_GET(src, i);
 | |
| 		AST_VECTOR_APPEND(dst, security_mechanisms_copy(mech));
 | |
| 	}
 | |
| };
 | |
| 
 | |
| void ast_sip_security_mechanisms_vector_destroy(struct ast_sip_security_mechanism_vector *security_mechanisms)
 | |
| {
 | |
| 	if (!security_mechanisms) {
 | |
| 		return;
 | |
| 	}
 | |
| 
 | |
| 	AST_VECTOR_RESET(security_mechanisms, security_mechanism_destroy);
 | |
| 	AST_VECTOR_FREE(security_mechanisms);
 | |
| }
 | |
| 
 | |
| static char *mechanism_str[] = {
 | |
| 	[AST_SIP_SECURITY_MECH_NONE] = "none",
 | |
| 	[AST_SIP_SECURITY_MECH_MSRP_TLS] = "msrp-tls",
 | |
| 	[AST_SIP_SECURITY_MECH_SDES_SRTP] = "sdes-srtp",
 | |
| 	[AST_SIP_SECURITY_MECH_DTLS_SRTP] = "dtls-srtp",
 | |
| };
 | |
| 
 | |
| 
 | |
| static int str_to_security_mechanism_type(const char *security_mechanism) {
 | |
| 	int i = 0;
 | |
| 
 | |
| 	for (i = 0; i < ARRAY_LEN(mechanism_str); i++) {
 | |
| 		if (!strcasecmp(security_mechanism, mechanism_str[i])) {
 | |
| 			return i;
 | |
| 		}
 | |
| 	}
 | |
| 
 | |
| 	return -1;
 | |
| }
 | |
| 
 | |
| static int security_mechanism_to_str(const struct ast_sip_security_mechanism *security_mechanism, int add_qvalue, char **buf)
 | |
| {
 | |
| 	size_t size;
 | |
| 	int i;
 | |
| 	int rc = 0;
 | |
| 	RAII_VAR(struct ast_str *, str, ast_str_create(MAX_OBJECT_FIELD), ast_free);
 | |
| 
 | |
| 	if (str == NULL) {
 | |
| 		return ENOMEM;
 | |
| 	}
 | |
| 
 | |
| 	if (security_mechanism == NULL) {
 | |
| 		return EINVAL;
 | |
| 	}
 | |
| 
 | |
| 	rc = ast_str_set(&str, 0, "%s", mechanism_str[security_mechanism->type]);
 | |
| 	if (rc <= 0) {
 | |
| 		return ENOMEM;
 | |
| 	}
 | |
| 	if (add_qvalue) {
 | |
| 		rc = ast_str_append(&str, 0, ";q=%f.4", security_mechanism->qvalue);
 | |
| 		if (rc <= 0) {
 | |
| 			return ENOMEM;
 | |
| 		}
 | |
| 	}
 | |
| 
 | |
| 	size = AST_VECTOR_SIZE(&security_mechanism->mechanism_parameters);
 | |
| 	for (i = 0; i < size; ++i) {
 | |
| 		rc = ast_str_append(&str, 0, ";%s", AST_VECTOR_GET(&security_mechanism->mechanism_parameters, i));
 | |
| 		if (rc <= 0) {
 | |
| 			return ENOMEM;
 | |
| 		}
 | |
| 	}
 | |
| 
 | |
| 	*buf = ast_strdup(ast_str_buffer(str));
 | |
| 	return 0;
 | |
| }
 | |
| 
 | |
| int ast_sip_security_mechanisms_to_str(const struct ast_sip_security_mechanism_vector *security_mechanisms, int add_qvalue, char **buf)
 | |
| {
 | |
| 	size_t vec_size;
 | |
| 	struct ast_sip_security_mechanism *mech;
 | |
| 	char *tmp_buf;
 | |
| 	RAII_VAR(struct ast_str *, str, ast_str_create(MAX_OBJECT_FIELD), ast_free);
 | |
| 	size_t i;
 | |
| 	int rc = 0;
 | |
| 
 | |
| 	if (str == NULL) {
 | |
| 		return ENOMEM;
 | |
| 	}
 | |
| 
 | |
| 	if (!security_mechanisms) {
 | |
| 		return -1;
 | |
| 	}
 | |
| 
 | |
| 	vec_size = AST_VECTOR_SIZE(security_mechanisms);
 | |
| 	if (vec_size == 0) {
 | |
| 		return -1;
 | |
| 	}
 | |
| 
 | |
| 	for (i = 0; i < vec_size; ++i) {
 | |
| 		mech = AST_VECTOR_GET(security_mechanisms, i);
 | |
| 		rc = security_mechanism_to_str(mech, add_qvalue, &tmp_buf);
 | |
| 		if (rc) {
 | |
| 			return rc;
 | |
| 		}
 | |
| 		rc = ast_str_append(&str, 0, "%s, ", tmp_buf);
 | |
| 		ast_free(tmp_buf);
 | |
| 		if (rc <= 0) {
 | |
| 			return ENOMEM;
 | |
| 		}
 | |
| 	}
 | |
| 
 | |
| 	/* ast_str_truncate removes the trailing ", " on the last mechanism */
 | |
| 	*buf = ast_strdup(ast_str_truncate(str, -2));
 | |
| 
 | |
| 	return 0;
 | |
| }
 | |
| 
 | |
| void ast_sip_remove_headers_by_name_and_value(pjsip_msg *msg, const pj_str_t *hdr_name, const char* value)
 | |
| {
 | |
| 	struct pjsip_generic_string_hdr *hdr = pjsip_msg_find_hdr_by_name(msg, hdr_name, NULL);
 | |
| 	for (; hdr; hdr = pjsip_msg_find_hdr_by_name(msg, hdr_name, hdr->next)) {
 | |
| 		if (value == NULL || !pj_strcmp2(&hdr->hvalue, value)) {
 | |
| 			pj_list_erase(hdr);
 | |
| 		}
 | |
| 		if (hdr->next == hdr) {
 | |
| 			break;
 | |
| 		}
 | |
| 	}
 | |
| }
 | |
| 
 | |
| /*!
 | |
|  * \internal
 | |
|  * \brief Parses a string representing a q_value to a float.
 | |
|  *
 | |
|  * Valid q values must be in the range from 0.0 to 1.0 inclusively.
 | |
|  *
 | |
|  * \param q_value
 | |
|  * \retval The parsed qvalue or -1.0 on failure.
 | |
|  */
 | |
| static float parse_qvalue(const char *q_value) {
 | |
| 	char *end;
 | |
| 	float ret = strtof(q_value, &end);
 | |
| 
 | |
| 	if (end == q_value) {
 | |
| 		/* Not a number. */
 | |
| 		return -1.0;
 | |
| 	} else if ('\0' != *end) {
 | |
| 		/* Extra character at end of input. */
 | |
| 		return -1.0;
 | |
| 	} else if (ret > 1.0 || ret < 0.0) {
 | |
| 		/* Out of valid range. */
 | |
| 		return -1.0;
 | |
| 	}
 | |
| 	return ret;
 | |
| }
 | |
| 
 | |
| int ast_sip_str_to_security_mechanism(struct ast_sip_security_mechanism **security_mechanism, const char *value) {
 | |
| 	struct ast_sip_security_mechanism *mech;
 | |
| 	char *param;
 | |
| 	char *tmp;
 | |
| 	char *mechanism = ast_strdupa(value);
 | |
| 	int err = 0;
 | |
| 	int type = -1;
 | |
| 
 | |
| 	mech = security_mechanisms_alloc(1);
 | |
| 	if (!mech) {
 | |
| 		err = ENOMEM;
 | |
| 		goto out;
 | |
| 	}
 | |
| 
 | |
| 	tmp = ast_strsep(&mechanism, ';', AST_STRSEP_ALL);
 | |
| 	type = str_to_security_mechanism_type(tmp);
 | |
| 	if (type == -1) {
 | |
| 		err = EINVAL;
 | |
| 		goto out;
 | |
| 	}
 | |
| 
 | |
| 	mech->type = type;
 | |
| 	while ((param = ast_strsep(&mechanism, ';', AST_STRSEP_ALL))) {
 | |
| 		if (!param) {
 | |
| 			err = EINVAL;
 | |
| 			goto out;
 | |
| 		}
 | |
| 		if (!strncmp(param, "q=", 2)) {
 | |
| 			mech->qvalue = parse_qvalue(¶m[2]);
 | |
| 			if (mech->qvalue < 0.0) {
 | |
| 				err = EINVAL;
 | |
| 				goto out;
 | |
| 			}
 | |
| 			continue;
 | |
| 		}
 | |
| 		param = ast_strdup(param);
 | |
| 		AST_VECTOR_APPEND(&mech->mechanism_parameters, param);
 | |
| 	}
 | |
| 
 | |
| 	*security_mechanism = mech;
 | |
| 
 | |
| out:
 | |
| 	if (err && (mech != NULL)) {
 | |
| 		security_mechanism_destroy(mech);
 | |
| 	}
 | |
| 	return err;
 | |
| }
 | |
| 
 | |
| int ast_sip_add_security_headers(struct ast_sip_security_mechanism_vector *security_mechanisms,
 | |
| 		const char *header_name, int add_qval, pjsip_tx_data *tdata) {
 | |
| 	struct ast_sip_security_mechanism *mech;
 | |
| 	char *buf;
 | |
| 	int mech_cnt;
 | |
| 	int i;
 | |
| 	int add_qvalue = 1;
 | |
| 	static const pj_str_t proxy_require = { "Proxy-Require", 13 };
 | |
| 	static const pj_str_t require = { "Require", 7 };
 | |
| 
 | |
| 	if (!security_mechanisms || !tdata) {
 | |
| 		return EINVAL;
 | |
| 	}
 | |
| 
 | |
| 	if (!strcmp(header_name, "Security-Client")) {
 | |
| 		add_qvalue = 0;
 | |
| 	} else if (strcmp(header_name, "Security-Server") &&
 | |
| 			strcmp(header_name, "Security-Verify")) {
 | |
| 		return EINVAL;
 | |
| 	}
 | |
| 	/* If we're adding Security-Client headers, don't add q-value
 | |
| 	 * even if the function caller requested it. */
 | |
| 	add_qvalue = add_qvalue && add_qval;
 | |
| 
 | |
| 	mech_cnt = AST_VECTOR_SIZE(security_mechanisms);
 | |
| 	for (i = 0; i < mech_cnt; ++i) {
 | |
| 		mech = AST_VECTOR_GET(security_mechanisms, i);
 | |
| 		if (security_mechanism_to_str(mech, add_qvalue, &buf)) {
 | |
| 			continue;
 | |
| 		}
 | |
| 		ast_sip_add_header(tdata, header_name, buf);
 | |
| 		ast_free(buf);
 | |
| 	}
 | |
| 
 | |
| 	if (pjsip_msg_find_hdr_by_name(tdata->msg, &require, NULL) == NULL) {
 | |
| 		ast_sip_add_header(tdata, "Require", "mediasec");
 | |
| 	}
 | |
| 	if (pjsip_msg_find_hdr_by_name(tdata->msg, &proxy_require, NULL) == NULL) {
 | |
| 		ast_sip_add_header(tdata, "Proxy-Require", "mediasec");
 | |
| 	}
 | |
| 	return 0;
 | |
| }
 | |
| 
 | |
| void ast_sip_header_to_security_mechanism(const pjsip_generic_string_hdr *hdr,
 | |
| 		struct ast_sip_security_mechanism_vector *security_mechanisms) {
 | |
| 
 | |
| 	struct ast_sip_security_mechanism *mech;
 | |
| 	char buf[512];
 | |
| 	char *hdr_val;
 | |
| 	char *mechanism;
 | |
| 
 | |
| 	if (!security_mechanisms || !hdr) {
 | |
| 		return;
 | |
| 	}
 | |
| 
 | |
| 	if (pj_stricmp2(&hdr->name, "Security-Client") && pj_stricmp2(&hdr->name, "Security-Server") &&
 | |
| 			pj_stricmp2(&hdr->name, "Security-Verify")) {
 | |
| 		return;
 | |
| 	}
 | |
| 
 | |
| 	ast_copy_pj_str(buf, &hdr->hvalue, sizeof(buf));
 | |
| 	hdr_val = ast_skip_blanks(buf);
 | |
| 
 | |
| 	while ((mechanism = ast_strsep(&hdr_val, ',', AST_STRSEP_ALL))) {
 | |
| 		if (!ast_sip_str_to_security_mechanism(&mech, mechanism)) {
 | |
| 			AST_VECTOR_APPEND(security_mechanisms, mech);
 | |
| 		}
 | |
| 	}
 | |
| }
 | |
| 
 | |
| int ast_sip_security_mechanism_vector_init(struct ast_sip_security_mechanism_vector *security_mechanisms, const char *value)
 | |
| {
 | |
| 	char *val = value ? ast_strdupa(value) : NULL;
 | |
| 	struct ast_sip_security_mechanism *mech;
 | |
| 	char *mechanism;
 | |
| 
 | |
| 	ast_sip_security_mechanisms_vector_destroy(security_mechanisms);
 | |
| 	if (AST_VECTOR_INIT(security_mechanisms, 1)) {
 | |
| 		return -1;
 | |
| 	}
 | |
| 
 | |
| 	if (!val) {
 | |
| 		return 0;
 | |
| 	}
 | |
| 
 | |
| 	while ((mechanism = ast_strsep(&val, ',', AST_STRSEP_ALL))) {
 | |
| 		if (!ast_sip_str_to_security_mechanism(&mech, mechanism)) {
 | |
| 			AST_VECTOR_APPEND(security_mechanisms, mech);
 | |
| 		}
 | |
| 	}
 | |
| 
 | |
| 	return 0;
 | |
| }
 |