sysmocom
/
asterisk
11
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

WIP VoLTE support for Asterisk

This commit is contained in:
Andreas Eversberg 2024-04-10 17:08:04 +02:00
parent 85a439080c
commit b84efadfa1
1 changed files with 113 additions and 50 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

163
res/res_pjsip_volte.c
View File

@ -3,6 +3,7 @@
<depend>pjproject</depend>
<depend>res_pjsip</depend>
<depend>res_pjsip_session</depend>
<depend>res_pjsip_outbound_authenticator_digest</depend>
<support_level>core</support_level>
***/
@ -21,6 +22,7 @@
#include "asterisk/threadpool.h"
#include "res_pjsip_volte/netlink_xfrm.h"
#include "res_pjsip_volte/milenage.h"
#define PJ_CONSUME PJ_TRUE
@ -29,6 +31,7 @@ const pj_str_t STR_REQUIRE = { "Require", 7 };
const pj_str_t STR_PROXY_REQUIRE = { "Proxy-Require", 13 };
const pj_str_t STR_PATH = { "path", 4 };
const pj_str_t STR_SEC_AGREE = { "sec-agree", 9 };
const pj_str_t STR_AUTHORIZATION = { "Authorization", 13 };
const pj_str_t STR_SECURITY_CLIENT = { "Security-Client", 15 };
const pj_str_t STR_SECURITY_SERVER = { "Security-Server", 15 };
@ -45,10 +48,12 @@ const struct ipsec_alg ipsec_alg[] = {
};
const struct ipsec_alg ipsec_ealg[] = {
{ "null", "cipher_null" },
{ "null", "ecb(cipher_null)" },
{ NULL, NULL }
};
static unsigned char aka_res[8];
static struct mnl_socket *g_mnl_socket = NULL;
struct sockaddr_storage g_src_addr, g_dst_addr;
static uint32_t g_spi_c, g_spi_s;
@ -88,6 +93,7 @@ static char *sockaddr_storage_to_string(const struct sockaddr_storage *addr, cha
return ip_string;
}
/* Delete old SA and SP entries upon new registration or module exit. */
static void cleanup_xfrm(void)
{
if (g_spi_c_valid) {
@ -99,6 +105,7 @@ static void cleanup_xfrm(void)
g_spi_s_valid = PJ_FALSE;
}
}
static pj_status_t on_load(pjsip_endpoint *endpt)
{
printf("endpoint!\n");
@ -111,23 +118,29 @@ static pj_bool_t is_ims(const pjsip_msg *msg)
{
pjsip_fromto_hdr *hdr;
pjsip_sip_uri *uri;
size_t uri_len;
size_t host_len;
/* Get URI. */
hdr = pjsip_msg_find_hdr(msg, PJSIP_H_TO, NULL);
if (!hdr)
return PJ_FALSE;
uri = pjsip_uri_get_uri(hdr->uri);
uri_len = strlen(uri->host.ptr);
host_len = uri->host.slen;
if (uri_len < 20)
if (host_len < 20) {
ast_log(LOG_DEBUG, "SIP message is not IMS message, ignoring.");
return PJ_FALSE;
}
if (!!strncmp(uri->host.ptr, "ims.", 4))
if (!!strncmp(uri->host.ptr, "ims.", 4)) {
ast_log(LOG_DEBUG, "SIP message is not IMS message, ignoring.");
return PJ_FALSE;
}
if (!!strncmp(uri->host.ptr + uri_len - 16, ".3gppnetwork.org", 16))
if (!!strncmp(uri->host.ptr + host_len - 16, ".3gppnetwork.org", 16)) {
ast_log(LOG_DEBUG, "SIP message is not IMS message, ignoring.");
return PJ_FALSE;
}
return PJ_TRUE;
}
@ -205,54 +218,63 @@ static void add_value_array_hdr(pjsip_tx_data *tdata, const pj_str_t *name, cons
static pj_status_t on_tx_register_request(pjsip_tx_data *tdata)
{
char src_str[64], dst_str[64];
pjsip_generic_array_hdr *hdr;
int rc;
ast_log(LOG_ERROR, "Unsetting RES paassword.\n");
volte_auth = NULL;
if (!is_ims(tdata->msg))
return PJ_SUCCESS;
/* Get local and remote peer address. */
copy_pj_sockaddr_to_sockaddr_storage(&tdata->tp_info.transport->local_addr, &g_src_addr);
copy_pj_sockaddr_to_sockaddr_storage(&tdata->tp_info.dst_addr, &g_dst_addr);
ast_log(LOG_DEBUG, "peers %s->%s\n", sockaddr_storage_to_string(&g_src_addr, src_str, sizeof(src_str)), sockaddr_storage_to_string(&g_dst_addr, dst_str, sizeof(dst_str)));
/* Allocate SPI-C and SPI-S towards remote peer. */
rc = xfrm_spi_alloc(g_mnl_socket, 2342, &g_spi_c, (const struct sockaddr *)&g_src_addr, (const struct sockaddr *)&g_dst_addr);
if (rc < 0) {
spi_alloc_failed:
ast_log(LOG_ERROR, "Failed to request SPI.\n");
return PJ_CONSUME;
}
g_spi_s_valid = PJ_TRUE;
rc = xfrm_spi_alloc(g_mnl_socket, 2342, &g_spi_s, (const struct sockaddr *)&g_src_addr, (const struct sockaddr *)&g_dst_addr);
if (rc < 0)
goto spi_alloc_failed;
g_spi_c_valid = PJ_TRUE;
ast_log(LOG_DEBUG, "SPI-C=0x%08x SPI-S=0x%08x\n", g_spi_s, g_spi_c);
/* "Require: sec-agree" */
add_value_array_hdr(tdata, &STR_REQUIRE, &STR_SEC_AGREE);
/* "Proxy-Require: sec-agree" */
add_value_string_hdr(tdata, &STR_PROXY_REQUIRE, &STR_SEC_AGREE);
/* "Supported: path,sec-agree" */
add_value_array_hdr(tdata, &STR_SUPPORTED, &STR_PATH);
/* "Security-Client: ..." */
add_value_array_hdr(tdata, &STR_SUPPORTED, &STR_SEC_AGREE);
add_securety_client_hdr(tdata, ipsec_alg, ipsec_ealg, g_spi_c, g_spi_s, 43419, 42318);
pj_bool_t created = PJ_FALSE;
/* Create header, if not yet created. */
hdr = pjsip_msg_find_hdr_by_name(tdata->msg, &STR_SECURITY_CLIENT, NULL);
if (!hdr) {
puts("first register\n");
cleanup_xfrm();
/* Get local and remote peer address. */
copy_pj_sockaddr_to_sockaddr_storage(&tdata->tp_info.transport->local_addr, &g_src_addr);
copy_pj_sockaddr_to_sockaddr_storage(&tdata->tp_info.dst_addr, &g_dst_addr);
ast_log(LOG_DEBUG, "peers %s->%s\n", sockaddr_storage_to_string(&g_src_addr, src_str, sizeof(src_str)), sockaddr_storage_to_string(&g_dst_addr, dst_str, sizeof(dst_str)));
/* Allocate SPI-C and SPI-S towards remote peer. */
rc = xfrm_spi_alloc(g_mnl_socket, 2342, &g_spi_c, (const struct sockaddr *)&g_src_addr, (const struct sockaddr *)&g_dst_addr);
if (rc < 0) {
spi_alloc_failed:
ast_log(LOG_ERROR, "Failed to request SPI.\n");
return PJ_CONSUME;
}
g_spi_s_valid = PJ_TRUE;
rc = xfrm_spi_alloc(g_mnl_socket, 2342, &g_spi_s, (const struct sockaddr *)&g_src_addr, (const struct sockaddr *)&g_dst_addr);
if (rc < 0)
goto spi_alloc_failed;
g_spi_c_valid = PJ_TRUE;
ast_log(LOG_DEBUG, "SPI-C=0x%08x SPI-S=0x%08x\n", g_spi_s, g_spi_c);
/* "Require: sec-agree" */
add_value_array_hdr(tdata, &STR_REQUIRE, &STR_SEC_AGREE);
/* "Proxy-Require: sec-agree" */
add_value_string_hdr(tdata, &STR_PROXY_REQUIRE, &STR_SEC_AGREE);
/* "Supported: path,sec-agree" */
add_value_array_hdr(tdata, &STR_SUPPORTED, &STR_PATH);
/* "Security-Client: ..." */
add_value_array_hdr(tdata, &STR_SUPPORTED, &STR_SEC_AGREE);
add_securety_client_hdr(tdata, ipsec_alg, ipsec_ealg, g_spi_c, g_spi_s, 43419, 42318);
#warning HACKING: Asterisk must do this on first register! Or we must do it!
const pj_str_t STR_AUTHORIZATION = { "Authorization", 13 };
char xxx[] = "Digest uri=\"sip:ims.mnc001.mcc238.3gppnetwork.org\",username=\"238010000090828@ims.mnc001.mcc238.3gppnetwork.org\",response=\"\",realm=\"ims.mnc001.mcc238.3gppnetwork.org\",nonce=\"\"";
const pj_str_t STR_XXX = { xxx, strlen(xxx)};
add_value_string_hdr(tdata, &STR_AUTHORIZATION, &STR_XXX);
char xxx[] = "Digest uri=\"sip:ims.mnc001.mcc238.3gppnetwork.org\",username=\"238010000090828@ims.mnc001.mcc238.3gppnetwork.org\",response=\"\",realm=\"ims.mnc001.mcc238.3gppnetwork.org\",nonce=\"\"";
const pj_str_t STR_XXX = { xxx, strlen(xxx)};
add_value_string_hdr(tdata, &STR_AUTHORIZATION, &STR_XXX);
} else {
puts("second register\n");
hdr = pjsip_msg_find_hdr_by_name(tdata->msg, &STR_AUTHORIZATION, NULL);
if (hdr)
pj_list_erase(hdr);
}
return PJ_SUCCESS;
}
@ -288,11 +310,14 @@ static pj_bool_t on_rx_401_response(pjsip_rx_data *rdata)
{
pjsip_generic_string_hdr *hdr;
if (!is_ims(rdata->msg_info.msg))
return PJ_FALSE;
/* Get Security-Server from header. */
hdr = pjsip_msg_find_hdr_by_name(rdata->msg_info.msg, &STR_SECURITY_SERVER, NULL);
if (!hdr) {
ast_log(LOG_ERROR, "Missing 'Security-Server' in REGISTER reply.");
return PJ_CONSUME;
return PJ_FALSE;
}
#if 0
if (!hdr->count) {
@ -303,6 +328,48 @@ static pj_bool_t on_rx_401_response(pjsip_rx_data *rdata)
puts("1");
printf("hurra: %s\n", hdr->hvalue.ptr);
pjsip_www_authenticate_hdr *auth_hdr = pjsip_msg_find_hdr(rdata->msg_info.msg, PJSIP_H_WWW_AUTHENTICATE, NULL);
if (!auth_hdr || !auth_hdr->challenge.digest.nonce.ptr || !auth_hdr->challenge.digest.algorithm.ptr) {
ast_log(LOG_ERROR, "Authentication header missing or incomplete.\n");
return PJ_FALSE;
}
printf("NONCE: %s\n", auth_hdr->challenge.digest.nonce.ptr);
printf("algo: %s\n", auth_hdr->challenge.digest.algorithm.ptr);
if (!strncmp(auth_hdr->challenge.digest.algorithm.ptr, "AKAv2-MD5", 9)) {
ast_log(LOG_ERROR, "Authentication algorithm not supported. See third-party/pjproject/source/pjsip/src/pjsip/sip_auth_aka.c for implementation.\n");
return PJ_FALSE;
}
if (!!strncmp(auth_hdr->challenge.digest.algorithm.ptr, "AKAv1-MD5", 9)) {
ast_log(LOG_ERROR, "Authentication algorithm not supported.\n");
return PJ_FALSE;
}
#if 1
#warning hacking
const uint8_t opc[16] = { 0x77, 0x5A, 0x1F, 0x88, 0x7D, 0x2A, 0xD6, 0x6F, 0x97, 0x19, 0xC2, 0xC7, 0x9F, 0x84, 0x7B, 0x50 };
const uint8_t ki[16] = { 0xD5, 0x34, 0xE0, 0x78, 0x54, 0xB7, 0x5E, 0x47, 0x5C, 0x66, 0x7A, 0x85, 0x6A, 0xA3, 0x1F, 0x9C };
const uint8_t amf[2] = { 0x80, 0x00 };
const uint8_t sqn[6] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
uint8_t rand_auth[32], *rand = rand_auth, *auth = rand_auth + 16;
uint8_t out_autn[16], out_ik[16], out_ck[16];
size_t out_res_len = 8;
ast_base64decode(rand_auth, auth_hdr->challenge.digest.nonce.ptr, sizeof(rand_auth));
hexdump(LOG_DEBUG, "nonce", rand_auth, 32);
milenage_generate(opc, amf, ki, sqn, rand, out_autn, out_ik, out_ck, aka_res, &out_res_len);
if (out_res_len != 8) {
ast_log(LOG_ERROR, "Milenage computation failed.\n");
}
hexdump(LOG_DEBUG, "IK", out_ik, 16);
hexdump(LOG_DEBUG, "CK", out_ck, 16);
ast_log(LOG_ERROR, "Setting RES as paassword.\n");
volte_auth = aka_res;
#endif
return PJ_FALSE;
}
@ -408,18 +475,14 @@ static int load_module(void)
return AST_MODULE_LOAD_SUCCESS;
}
static int unload_module(void)
{
ast_sip_unregister_service(&volte_module);
xfrm_exit_mnl_socket(g_mnl_socket);
cleanup_xfrm();
xfrm_exit_mnl_socket(g_mnl_socket);
return 0;
}