kenmirrors/asterisk
1
0
Fork 0
mirror of https://github.com/asterisk/asterisk.git synced 2025-09-06 04:30:28 +00:00
Code Issues Packages Projects Releases Wiki Activity

security_agreement.c: Always add the Require and Proxy-Require headers

Browse Source 
The `Require: mediasec` and `Proxy-Require: mediasec` headers need
to be sent whenever we send `Security-Client` or `Security-Verify`
headers but the logic to do that was only in add_security_headers()
in res_pjsip_outbound_register.  So while we were sending them on
REGISTER requests, we weren't sending them on INVITE requests.

This commit moves the logic to send the two headers out of
res_pjsip_outbound_register:add_security_headers() and into
security_agreement:ast_sip_add_security_headers().  This way
they're always sent when we send `Security-Client` or
`Security-Verify`.

Resolves: #789
This commit is contained in:
George Joseph
2024-07-03 14:50:47 -06:00
parent 51edc5062d
commit 35528195b2
2 changed files with 9 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
res/res_pjsip/security_agreements.c
View File

@@ -290,6 +290,8 @@ int ast_sip_add_security_headers(struct ast_sip_security_mechanism_vector *secur
int mech_cnt; int mech_cnt;
int i; int i;
int add_qvalue = 1; int add_qvalue = 1;
static const pj_str_t proxy_require = { "Proxy-Require", 13 };
static const pj_str_t require = { "Require", 7 };
if (!security_mechanisms || !tdata) { if (!security_mechanisms || !tdata) {
return EINVAL; return EINVAL;
@@ -314,6 +316,13 @@ int ast_sip_add_security_headers(struct ast_sip_security_mechanism_vector *secur
ast_sip_add_header(tdata, header_name, buf); ast_sip_add_header(tdata, header_name, buf);
ast_free(buf); ast_free(buf);
} }
if (pjsip_msg_find_hdr_by_name(tdata->msg, &require, NULL) == NULL) {
ast_sip_add_header(tdata, "Require", "mediasec");
}
if (pjsip_msg_find_hdr_by_name(tdata->msg, &proxy_require, NULL) == NULL) {
ast_sip_add_header(tdata, "Proxy-Require", "mediasec");
}
return 0; return 0;
} }

14
res/res_pjsip_outbound_registration.c
View File

@@ -644,8 +644,6 @@ out:
static void add_security_headers(struct sip_outbound_registration_client_state *client_state, static void add_security_headers(struct sip_outbound_registration_client_state *client_state,
pjsip_tx_data *tdata) pjsip_tx_data *tdata)
{ {
int add_require_header = 1;
int add_proxy_require_header = 1;
int add_sec_client_header = 0; int add_sec_client_header = 0;
struct sip_outbound_registration *reg = NULL; struct sip_outbound_registration *reg = NULL;
struct ast_sip_endpoint *endpt = NULL; struct ast_sip_endpoint *endpt = NULL;
@@ -654,8 +652,6 @@ static void add_security_headers(struct sip_outbound_registration_client_state *
struct ast_sip_security_mechanism_vector *sec_mechs = NULL; struct ast_sip_security_mechanism_vector *sec_mechs = NULL;
static const pj_str_t security_verify = { "Security-Verify", 15 }; static const pj_str_t security_verify = { "Security-Verify", 15 };
static const pj_str_t security_client = { "Security-Client", 15 }; static const pj_str_t security_client = { "Security-Client", 15 };
static const pj_str_t proxy_require = { "Proxy-Require", 13 };
static const pj_str_t require = { "Require", 7 };
if (client_state->security_negotiation != AST_SIP_SECURITY_NEG_MEDIASEC) { if (client_state->security_negotiation != AST_SIP_SECURITY_NEG_MEDIASEC) {
return; return;
@@ -689,20 +685,10 @@ static void add_security_headers(struct sip_outbound_registration_client_state *
/* necessary if a retry occures */ /* necessary if a retry occures */
add_sec_client_header = (pjsip_msg_find_hdr_by_name(tdata->msg, &security_client, NULL) == NULL) ? 1 : 0; add_sec_client_header = (pjsip_msg_find_hdr_by_name(tdata->msg, &security_client, NULL) == NULL) ? 1 : 0;
} }
add_require_header =
(pjsip_msg_find_hdr_by_name(tdata->msg, &require, NULL) == NULL) ? 1 : 0;
add_proxy_require_header =
(pjsip_msg_find_hdr_by_name(tdata->msg, &proxy_require, NULL) == NULL) ? 1 : 0;
} else { } else {
ast_sip_add_security_headers(&client_state->security_mechanisms, "Security-Client", 0, tdata); ast_sip_add_security_headers(&client_state->security_mechanisms, "Security-Client", 0, tdata);
} }
if (add_require_header) {
ast_sip_add_header(tdata, "Require", "mediasec");
}
if (add_proxy_require_header) {
ast_sip_add_header(tdata, "Proxy-Require", "mediasec");
}
if (add_sec_client_header) { if (add_sec_client_header) {
ast_sip_add_security_headers(&client_state->security_mechanisms, "Security-Client", 0, tdata); ast_sip_add_security_headers(&client_state->security_mechanisms, "Security-Client", 0, tdata);
} }