kenmirrors/asterisk
1
0
Fork 0
mirror of https://github.com/asterisk/asterisk.git synced 2025-09-03 11:25:35 +00:00
Code Issues Packages Projects Releases Wiki Activity

AST-2022-002 - res_stir_shaken/curl: Add ACL checks for Identity header.

Browse Source 
Adds a new configuration option, stir_shaken_profile, in pjsip.conf that
can be specified on a per endpoint basis. This option will reference a
stir_shaken_profile that can be configured in stir_shaken.conf. The type
of this option must be 'profile'. The stir_shaken option can be
specified on this object with the same values as before (attest, verify,
on), but it cannot be off since having the profile itself implies wanting
STIR/SHAKEN support. You can also specify an ACL from acl.conf (along
with permit and deny lines in the object itself) that will be used to
limit what interfaces Asterisk will attempt to retrieve information from
when reading the Identity header.

ASTERISK-29476

Change-Id: I87fa61f78a9ea0cd42530691a30da3c781842406
This commit is contained in:
Ben Ford
2022-02-28 11:19:54 -06:00
committed by Gerrit
parent 8f3dd86b8d
commit 0724b767a3
13 changed files with 558 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
configs/samples/pjsip.conf.sample
View File

@@ -349,6 +349,7 @@
; STIR/SHAKEN support.
;
;stir_shaken=no
;stir_shaken_profile=my_profile
;[6001]
;type=auth
@@ -930,6 +931,9 @@
; happens to the call if verification fails; it's up to
; you to determine what to do with the results.
; (default: no)
;stir_shaken_profile =
; If a profile is specified (defined in stir_shaken.conf),
; this endpoint will follow the rules defined there.
;allow_unauthenticated_options =
; By default, chan_pjsip will challenge an incoming
; OPTIONS request for authentication credentials just

18
configs/samples/stir_shaken.conf.sample
View File

@@ -83,3 +83,21 @@
;
; Must have an attestation of A, B, or C
;attestation=C
;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;
; Profiles can be defined here which can be referenced by channel drivers.
;[my_profile]
;
; type must be "profile"
;type=profile
;
; Set stir_shaken to 'attest', 'verify', or 'on', which is the default
;stir_shaken=on
;
; You can specify an ACL that will be used strictly for the Identity header when downloading public certificates
;acllist=myacllist
;
; You can also do permit / deny lines if you want (also supports IPv6)
;permit=0.0.0.0/0.0.0.0
;deny=127.0.0.1