Asterisk - The Open Source Telephony Project  21.4.1
security_agreements.c
Go to the documentation of this file.
1 /*
2  * Asterisk -- An open source telephony toolkit.
3  *
4  * Copyright (C) 2022, Commend International
5  *
6  * Maximilian Fridrich <m.fridrich@commend.com>
7  *
8  * See http://www.asterisk.org for more information about
9  * the Asterisk project. Please do not directly contact
10  * any of the maintainers of this project for assistance;
11  * the project provides a web site, mailing lists and IRC
12  * channels for your use.
13  *
14  * This program is free software, distributed under the terms of
15  * the GNU General Public License Version 2. See the LICENSE file
16  * at the top of the source tree.
17  */
18 
19 /*!
20  * \file
21  *
22  * \brief Interact with security agreement negotiations and mechanisms
23  *
24  * \author Maximilian Fridrich <m.fridrich@commend.com>
25  */
26 
27 #include "asterisk.h"
28 
29 #include <pjsip.h>
30 
31 #include "asterisk/res_pjsip.h"
32 
33 static struct ast_sip_security_mechanism *ast_sip_security_mechanisms_alloc(size_t n_params)
34 {
35  struct ast_sip_security_mechanism *mech;
36 
37  mech = ast_calloc(1, sizeof(struct ast_sip_security_mechanism));
38  if (mech == NULL) {
39  return NULL;
40  }
41  mech->qvalue = 0.0;
42  if (AST_VECTOR_INIT(&mech->mechanism_parameters, n_params) != 0) {
43  ast_free(mech);
44  return NULL;
45  }
46 
47  return mech;
48 }
49 
50 static struct ast_sip_security_mechanism *ast_sip_security_mechanisms_copy(
51  const struct ast_sip_security_mechanism *src)
52 {
53  struct ast_sip_security_mechanism *dst = NULL;
54  int i, n_params;
55  char *param;
56 
57  n_params = AST_VECTOR_SIZE(&src->mechanism_parameters);
58 
59  dst = ast_sip_security_mechanisms_alloc(n_params);
60  if (dst == NULL) {
61  return NULL;
62  }
63  dst->type = src->type;
64  dst->qvalue = src->qvalue;
65 
66  for (i = 0; i < n_params; i++) {
67  param = ast_strdup(AST_VECTOR_GET(&src->mechanism_parameters, i));
68  AST_VECTOR_APPEND(&dst->mechanism_parameters, param);
69  }
70 
71  return dst;
72 }
73 
74 static void ast_sip_security_mechanisms_destroy(struct ast_sip_security_mechanism *mech)
75 {
76  int i;
77 
78  for (i = 0; i < AST_VECTOR_SIZE(&mech->mechanism_parameters); i++) {
79  ast_free(AST_VECTOR_GET(&mech->mechanism_parameters, i));
80  }
81  AST_VECTOR_FREE(&mech->mechanism_parameters);
82  ast_free(mech);
83 }
84 
86  const struct ast_sip_security_mechanism_vector *src)
87 {
88  struct ast_sip_security_mechanism *mech;
89  int i;
90 
92  for (i = 0; i < AST_VECTOR_SIZE(src); i++) {
93  mech = AST_VECTOR_GET(src, i);
94  AST_VECTOR_APPEND(dst, ast_sip_security_mechanisms_copy(mech));
95  }
96 };
97 
99 {
100  struct ast_sip_security_mechanism *mech;
101  int i;
102 
103  if (!security_mechanisms) {
104  return;
105  }
106 
107  for (i = 0; i < AST_VECTOR_SIZE(security_mechanisms); i++) {
108  mech = AST_VECTOR_GET(security_mechanisms, i);
109  ast_sip_security_mechanisms_destroy(mech);
110  }
111  AST_VECTOR_FREE(security_mechanisms);
112 }
113 
114 static int ast_sip_str_to_security_mechanism_type(const char *security_mechanism) {
115  int result = -1;
116 
117  if (!strcasecmp(security_mechanism, "msrp-tls")) {
118  result = AST_SIP_SECURITY_MECH_MSRP_TLS;
119  } else if (!strcasecmp(security_mechanism, "sdes-srtp")) {
120  result = AST_SIP_SECURITY_MECH_SDES_SRTP;
121  } else if (!strcasecmp(security_mechanism, "dtls-srtp")) {
122  result = AST_SIP_SECURITY_MECH_DTLS_SRTP;
123  }
124 
125  return result;
126 }
127 
128 static char *ast_sip_security_mechanism_type_to_str(enum ast_sip_security_mechanism_type mech_type) {
129  if (mech_type == AST_SIP_SECURITY_MECH_MSRP_TLS) {
130  return "msrp-tls";
131  } else if (mech_type == AST_SIP_SECURITY_MECH_SDES_SRTP) {
132  return "sdes-srtp";
133  } else if (mech_type == AST_SIP_SECURITY_MECH_DTLS_SRTP) {
134  return "dtls-srtp";
135  } else {
136  return NULL;
137  }
138 }
139 
140 static int security_mechanism_to_str(const struct ast_sip_security_mechanism *security_mechanism, int add_qvalue, char **buf)
141 {
142  size_t size;
143  size_t buf_size = 128;
144  int i;
145  char *ret = ast_calloc(buf_size, sizeof(char));
146 
147  if (ret == NULL) {
148  return ENOMEM;
149  }
150  if (security_mechanism == NULL) {
151  ast_free(ret);
152  return EINVAL;
153  }
154 
155  snprintf(ret, buf_size - 1, "%s", ast_sip_security_mechanism_type_to_str(security_mechanism->type));
156  if (add_qvalue) {
157  snprintf(ret + strlen(ret), buf_size - 1, ";q=%f.4", security_mechanism->qvalue);
158  }
159 
160  size = AST_VECTOR_SIZE(&security_mechanism->mechanism_parameters);
161  for (i = 0; i < size; ++i) {
162  snprintf(ret + strlen(ret), buf_size - 1, ";%s", AST_VECTOR_GET(&security_mechanism->mechanism_parameters, i));
163  }
164 
165  *buf = ret;
166  return 0;
167 }
168 
169 int ast_sip_security_mechanisms_to_str(const struct ast_sip_security_mechanism_vector *security_mechanisms, int add_qvalue, char **buf)
170 {
171  size_t vec_size;
172  struct ast_sip_security_mechanism *mech;
173  char *tmp_buf;
174  char ret[512];
175  size_t i;
176 
177  if (!security_mechanisms) {
178  return -1;
179  }
180 
181  vec_size = AST_VECTOR_SIZE(security_mechanisms);
182  ret[0] = '\0';
183 
184  for (i = 0; i < vec_size; ++i) {
185  mech = AST_VECTOR_GET(security_mechanisms, i);
186  if (security_mechanism_to_str(mech, add_qvalue, &tmp_buf)) {
187  continue;
188  }
189  snprintf(ret + strlen(ret), sizeof(ret) - 1, "%s%s",
190  tmp_buf, i == vec_size - 1 ? "" : ", ");
191  ast_free(tmp_buf);
192  }
193 
194  *buf = ast_strdup(ret);
195 
196  return 0;
197 }
198 
199 void ast_sip_remove_headers_by_name_and_value(pjsip_msg *msg, const pj_str_t *hdr_name, const char* value)
200 {
201  struct pjsip_generic_string_hdr *hdr = pjsip_msg_find_hdr_by_name(msg, hdr_name, NULL);
202  for (; hdr; hdr = pjsip_msg_find_hdr_by_name(msg, hdr_name, hdr->next)) {
203  if (value == NULL || !pj_strcmp2(&hdr->hvalue, value)) {
204  pj_list_erase(hdr);
205  }
206  if (hdr->next == hdr) {
207  break;
208  }
209  }
210 }
211 
212 /*!
213  * \internal
214  * \brief Parses a string representing a q_value to a float.
215  *
216  * Valid q values must be in the range from 0.0 to 1.0 inclusively.
217  *
218  * \param q_value
219  * \retval The parsed qvalue or -1.0 on failure.
220  */
221 static float parse_qvalue(const char *q_value) {
222  char *end;
223  float ret = strtof(q_value, &end);
224 
225  if (end == q_value) {
226  /* Not a number. */
227  return -1.0;
228  } else if ('\0' != *end) {
229  /* Extra character at end of input. */
230  return -1.0;
231  } else if (ret > 1.0 || ret < 0.0) {
232  /* Out of valid range. */
233  return -1.0;
234  }
235  return ret;
236 }
237 
238 int ast_sip_str_to_security_mechanism(struct ast_sip_security_mechanism **security_mechanism, const char *value) {
239  struct ast_sip_security_mechanism *mech;
240  char *param;
241  char *tmp;
242  char *mechanism = ast_strdupa(value);
243  int err = 0;
244  int type = -1;
245 
246  mech = ast_sip_security_mechanisms_alloc(1);
247  if (!mech) {
248  err = ENOMEM;
249  goto out;
250  }
251 
252  tmp = ast_strsep(&mechanism, ';', AST_STRSEP_ALL);
253  type = ast_sip_str_to_security_mechanism_type(tmp);
254  if (type == -1) {
255  err = EINVAL;
256  goto out;
257  }
258 
259  mech->type = type;
260  while ((param = ast_strsep(&mechanism, ';', AST_STRSEP_ALL))) {
261  if (!param) {
262  err = EINVAL;
263  goto out;
264  }
265  if (!strncmp(param, "q=", 2)) {
266  mech->qvalue = parse_qvalue(&param[2]);
267  if (mech->qvalue < 0.0) {
268  err = EINVAL;
269  goto out;
270  }
271  continue;
272  }
273  param = ast_strdup(param);
274  AST_VECTOR_APPEND(&mech->mechanism_parameters, param);
275  }
276 
277  *security_mechanism = mech;
278 
279 out:
280  if (err && (mech != NULL)) {
281  ast_sip_security_mechanisms_destroy(mech);
282  }
283  return err;
284 }
285 
287  const char *header_name, int add_qval, pjsip_tx_data *tdata) {
288  struct ast_sip_security_mechanism *mech;
289  char *buf;
290  int mech_cnt;
291  int i;
292  int add_qvalue = 1;
293  static const pj_str_t proxy_require = { "Proxy-Require", 13 };
294  static const pj_str_t require = { "Require", 7 };
295 
296  if (!security_mechanisms || !tdata) {
297  return EINVAL;
298  }
299 
300  if (!strcmp(header_name, "Security-Client")) {
301  add_qvalue = 0;
302  } else if (strcmp(header_name, "Security-Server") &&
303  strcmp(header_name, "Security-Verify")) {
304  return EINVAL;
305  }
306  /* If we're adding Security-Client headers, don't add q-value
307  * even if the function caller requested it. */
308  add_qvalue = add_qvalue && add_qval;
309 
310  mech_cnt = AST_VECTOR_SIZE(security_mechanisms);
311  for (i = 0; i < mech_cnt; ++i) {
312  mech = AST_VECTOR_GET(security_mechanisms, i);
313  if (security_mechanism_to_str(mech, add_qvalue, &buf)) {
314  continue;
315  }
316  ast_sip_add_header(tdata, header_name, buf);
317  ast_free(buf);
318  }
319 
320  if (pjsip_msg_find_hdr_by_name(tdata->msg, &require, NULL) == NULL) {
321  ast_sip_add_header(tdata, "Require", "mediasec");
322  }
323  if (pjsip_msg_find_hdr_by_name(tdata->msg, &proxy_require, NULL) == NULL) {
324  ast_sip_add_header(tdata, "Proxy-Require", "mediasec");
325  }
326  return 0;
327 }
328 
329 void ast_sip_header_to_security_mechanism(const pjsip_generic_string_hdr *hdr,
330  struct ast_sip_security_mechanism_vector *security_mechanisms) {
331 
332  struct ast_sip_security_mechanism *mech;
333  char buf[512];
334  char *hdr_val;
335  char *mechanism;
336 
337  if (!security_mechanisms || !hdr) {
338  return;
339  }
340 
341  if (pj_stricmp2(&hdr->name, "Security-Client") && pj_stricmp2(&hdr->name, "Security-Server") &&
342  pj_stricmp2(&hdr->name, "Security-Verify")) {
343  return;
344  }
345 
346  ast_copy_pj_str(buf, &hdr->hvalue, sizeof(buf));
347  hdr_val = ast_skip_blanks(buf);
348 
349  while ((mechanism = ast_strsep(&hdr_val, ',', AST_STRSEP_ALL))) {
350  if (!ast_sip_str_to_security_mechanism(&mech, mechanism)) {
351  AST_VECTOR_APPEND(security_mechanisms, mech);
352  }
353  }
354 }
355 
356 int ast_sip_security_mechanism_vector_init(struct ast_sip_security_mechanism_vector *security_mechanisms, const char *value)
357 {
358  char *val = value ? ast_strdupa(value) : NULL;
359  struct ast_sip_security_mechanism *mech;
360  char *mechanism;
361 
362  ast_sip_security_mechanisms_vector_destroy(security_mechanisms);
363  if (AST_VECTOR_INIT(security_mechanisms, 1)) {
364  return -1;
365  }
366 
367  if (!val) {
368  return 0;
369  }
370 
371  while ((mechanism = ast_strsep(&val, ',', AST_STRSEP_ALL))) {
372  if (!ast_sip_str_to_security_mechanism(&mech, mechanism)) {
373  AST_VECTOR_APPEND(security_mechanisms, mech);
374  }
375  }
376 
377  return 0;
378 }
#define AST_VECTOR_FREE(vec)
Deallocates this vector.
Definition: vector.h:174
Asterisk main include file. File version handling, generic pbx functions.
int ast_sip_security_mechanism_vector_init(struct ast_sip_security_mechanism_vector *security_mechanisms, const char *value)
Initialize security mechanism vector from string of security mechanisms.
#define AST_VECTOR_APPEND(vec, elem)
Append an element to a vector, growing the vector if needed.
Definition: vector.h:256
#define ast_strdup(str)
A wrapper for strdup()
Definition: astmm.h:241
int ast_sip_security_mechanisms_to_str(const struct ast_sip_security_mechanism_vector *security_mechanisms, int add_qvalue, char **buf)
Writes the security mechanisms of an endpoint into a buffer as a string and returns the buffer...
void ast_sip_security_mechanisms_vector_copy(struct ast_sip_security_mechanism_vector *dst, const struct ast_sip_security_mechanism_vector *src)
Duplicate a security mechanism.
int ast_sip_add_security_headers(struct ast_sip_security_mechanism_vector *security_mechanisms, const char *header_name, int add_qval, pjsip_tx_data *tdata)
Add security headers to transmission data.
Structure representing a security mechanism as defined in RFC 3329.
Definition: res_pjsip.h:378
#define AST_VECTOR_INIT(vec, size)
Initialize a vector.
Definition: vector.h:113
void ast_sip_remove_headers_by_name_and_value(pjsip_msg *msg, const pj_str_t *hdr_name, const char *value)
Removes all headers of a specific name and value from a pjsip_msg.
#define ast_strdupa(s)
duplicate a string in memory from the stack
Definition: astmm.h:298
char * ast_strsep(char **s, const char sep, uint32_t flags)
Act like strsep but ignore separators inside quotes.
Definition: utils.c:1835
char * ast_skip_blanks(const char *str)
Gets a pointer to the first non-whitespace character in a string.
Definition: strings.h:161
#define ast_calloc(num, len)
A wrapper for calloc()
Definition: astmm.h:202
#define AST_VECTOR_GET(vec, idx)
Get an element from a vector.
Definition: vector.h:680
int ast_sip_str_to_security_mechanism(struct ast_sip_security_mechanism **security_mechanism, const char *value)
Allocate a security mechanism from a string.
void ast_sip_header_to_security_mechanism(const pjsip_generic_string_hdr *hdr, struct ast_sip_security_mechanism_vector *security_mechanisms)
Append to security mechanism vector from SIP header.
void ast_sip_security_mechanisms_vector_destroy(struct ast_sip_security_mechanism_vector *security_mechanisms)
Free contents of a security mechanism vector.
#define AST_VECTOR_SIZE(vec)
Get the number of elements in a vector.
Definition: vector.h:609