#include "asterisk/sorcery.h"

Include dependency graph for res_stir_shaken.h:

This graph shows which files directly or indirectly include this file:

Enumerations
enum	ast_stir_shaken_as_response_code { AST_STIR_SHAKEN_AS_SUCCESS = 0 , AST_STIR_SHAKEN_AS_DISABLED , AST_STIR_SHAKEN_AS_INVALID_ARGUMENTS , AST_STIR_SHAKEN_AS_MISSING_PARAMETERS , AST_STIR_SHAKEN_AS_INTERNAL_ERROR , AST_STIR_SHAKEN_AS_NO_TN_FOR_CALLERID , AST_STIR_SHAKEN_AS_NO_PRIVATE_KEY_AVAIL , AST_STIR_SHAKEN_AS_NO_PUBLIC_CERT_URL_AVAIL , AST_STIR_SHAKEN_AS_NO_ATTEST_LEVEL , AST_STIR_SHAKEN_AS_IDENTITY_HDR_EXISTS , AST_STIR_SHAKEN_AS_NO_TO_HDR , AST_STIR_SHAKEN_AS_TO_HDR_BAD_URI , AST_STIR_SHAKEN_AS_SIGN_ENCODE_FAILURE , AST_STIR_SHAKEN_AS_RESPONSE_CODE_MAX }

enum	ast_stir_shaken_vs_response_code { AST_STIR_SHAKEN_VS_SUCCESS = 0 , AST_STIR_SHAKEN_VS_DISABLED , AST_STIR_SHAKEN_VS_INVALID_ARGUMENTS , AST_STIR_SHAKEN_VS_INTERNAL_ERROR , AST_STIR_SHAKEN_VS_NO_IDENTITY_HDR , AST_STIR_SHAKEN_VS_NO_DATE_HDR , AST_STIR_SHAKEN_VS_DATE_HDR_PARSE_FAILURE , AST_STIR_SHAKEN_VS_DATE_HDR_EXPIRED , AST_STIR_SHAKEN_VS_NO_JWT_HDR , AST_STIR_SHAKEN_VS_INVALID_OR_NO_X5U , AST_STIR_SHAKEN_VS_CERT_CACHE_MISS , AST_STIR_SHAKEN_VS_CERT_CACHE_INVALID , AST_STIR_SHAKEN_VS_CERT_CACHE_EXPIRED , AST_STIR_SHAKEN_VS_CERT_RETRIEVAL_FAILURE , AST_STIR_SHAKEN_VS_CERT_CONTENTS_INVALID , AST_STIR_SHAKEN_VS_CERT_NOT_TRUSTED , AST_STIR_SHAKEN_VS_CERT_DATE_INVALID , AST_STIR_SHAKEN_VS_CERT_NO_TN_AUTH_EXT , AST_STIR_SHAKEN_VS_CERT_NO_SPC_IN_TN_AUTH_EXT , AST_STIR_SHAKEN_VS_NO_RAW_KEY , AST_STIR_SHAKEN_VS_SIGNATURE_VALIDATION , AST_STIR_SHAKEN_VS_NO_IAT , AST_STIR_SHAKEN_VS_IAT_EXPIRED , AST_STIR_SHAKEN_VS_INVALID_OR_NO_PPT , AST_STIR_SHAKEN_VS_INVALID_OR_NO_ALG , AST_STIR_SHAKEN_VS_INVALID_OR_NO_TYP , AST_STIR_SHAKEN_VS_INVALID_OR_NO_GRANTS , AST_STIR_SHAKEN_VS_INVALID_OR_NO_ATTEST , AST_STIR_SHAKEN_VS_NO_ORIGID , AST_STIR_SHAKEN_VS_NO_ORIG_TN , AST_STIR_SHAKEN_VS_CID_ORIG_TN_MISMATCH , AST_STIR_SHAKEN_VS_NO_DEST_TN , AST_STIR_SHAKEN_VS_INVALID_HEADER , AST_STIR_SHAKEN_VS_INVALID_GRANT , AST_STIR_SHAKEN_VS_INVALID_OR_NO_CID , AST_STIR_SHAKEN_VS_RESPONSE_CODE_MAX }

enum	stir_shaken_failure_action_enum { stir_shaken_failure_action_UNKNOWN = -1 , stir_shaken_failure_action_CONTINUE = 0 , stir_shaken_failure_action_REJECT_REQUEST , stir_shaken_failure_action_CONTINUE_RETURN_REASON , stir_shaken_failure_action_NOT_SET }

Functions
int	ast_stir_shaken_add_result_to_channel (struct ast_stir_shaken_vs_ctx *ctx)
	Add a STIR/SHAKEN verification result to a channel. More...

enum ast_stir_shaken_as_response_code	ast_stir_shaken_as_ctx_add_fingerprint (struct ast_stir_shaken_as_ctx ctx, const char alg, const char *fingerprint)
	Add DTLS fingerprints to AS context. More...

enum ast_stir_shaken_as_response_code	ast_stir_shaken_as_ctx_create (const char caller_id, const char dest_tn, struct ast_channel chan, const char profile_name, const char tag, struct ast_stir_shaken_as_ctx *ctxout)
	Create Attestation Service Context. More...

int	ast_stir_shaken_as_ctx_wants_fingerprints (struct ast_stir_shaken_as_ctx *ctx)
	Indicates if the AS context needs DTLS fingerprints. More...

enum ast_stir_shaken_as_response_code	ast_stir_shaken_attest (struct ast_stir_shaken_as_ctx ctx, char *header)
	Attest and return Identity header value. More...

enum ast_stir_shaken_vs_response_code	ast_stir_shaken_vs_ctx_add_date_hdr (struct ast_stir_shaken_vs_ctx ctx, const char date_hdr)
	Add the received Date header value to the VS context. More...

enum ast_stir_shaken_vs_response_code	ast_stir_shaken_vs_ctx_add_identity_hdr (struct ast_stir_shaken_vs_ctx ctx, const char identity_hdr)
	Add the received Identity header value to the VS context. More...

enum ast_stir_shaken_vs_response_code	ast_stir_shaken_vs_ctx_create (const char caller_id, struct ast_channel chan, const char profile_name, const char tag, struct ast_stir_shaken_vs_ctx **ctxout)
	Create Verification Service context. More...

void	ast_stir_shaken_vs_ctx_set_response_code (struct ast_stir_shaken_vs_ctx *ctx, enum ast_stir_shaken_vs_response_code vs_rc)
	Sets response code on VS context. More...

const char *	ast_stir_shaken_vs_get_caller_id (struct ast_stir_shaken_vs_ctx *ctx)
	Get caller_id from context. More...

enum stir_shaken_failure_action_enum	ast_stir_shaken_vs_get_failure_action (struct ast_stir_shaken_vs_ctx *ctx)
	Get failure_action from context. More...

int	ast_stir_shaken_vs_get_use_rfc9410_responses (struct ast_stir_shaken_vs_ctx *ctx)
	Get use_rfc9410_responses from context. More...

enum ast_stir_shaken_vs_response_code	ast_stir_shaken_vs_verify (struct ast_stir_shaken_vs_ctx *ctx)
	Perform incoming call verification. More...

Enumeration Type Documentation

◆ ast_stir_shaken_as_response_code

enum ast_stir_shaken_as_response_code

Enumerator
AST_STIR_SHAKEN_AS_SUCCESS
AST_STIR_SHAKEN_AS_DISABLED
AST_STIR_SHAKEN_AS_INVALID_ARGUMENTS
AST_STIR_SHAKEN_AS_MISSING_PARAMETERS
AST_STIR_SHAKEN_AS_INTERNAL_ERROR
AST_STIR_SHAKEN_AS_NO_TN_FOR_CALLERID
AST_STIR_SHAKEN_AS_NO_PRIVATE_KEY_AVAIL
AST_STIR_SHAKEN_AS_NO_PUBLIC_CERT_URL_AVAIL
AST_STIR_SHAKEN_AS_NO_ATTEST_LEVEL
AST_STIR_SHAKEN_AS_IDENTITY_HDR_EXISTS
AST_STIR_SHAKEN_AS_NO_TO_HDR
AST_STIR_SHAKEN_AS_TO_HDR_BAD_URI
AST_STIR_SHAKEN_AS_SIGN_ENCODE_FAILURE
AST_STIR_SHAKEN_AS_RESPONSE_CODE_MAX

Definition at line 62 of file res_stir_shaken.h.

                                      {
    AST_STIR_SHAKEN_AS_SUCCESS = 0,
    AST_STIR_SHAKEN_AS_DISABLED,
    AST_STIR_SHAKEN_AS_INVALID_ARGUMENTS,
    AST_STIR_SHAKEN_AS_MISSING_PARAMETERS,
    AST_STIR_SHAKEN_AS_INTERNAL_ERROR,
    AST_STIR_SHAKEN_AS_NO_TN_FOR_CALLERID,
    AST_STIR_SHAKEN_AS_NO_PRIVATE_KEY_AVAIL,
    AST_STIR_SHAKEN_AS_NO_PUBLIC_CERT_URL_AVAIL,
    AST_STIR_SHAKEN_AS_NO_ATTEST_LEVEL,
    AST_STIR_SHAKEN_AS_IDENTITY_HDR_EXISTS,
    AST_STIR_SHAKEN_AS_NO_TO_HDR,
    AST_STIR_SHAKEN_AS_TO_HDR_BAD_URI,
    AST_STIR_SHAKEN_AS_SIGN_ENCODE_FAILURE,
    AST_STIR_SHAKEN_AS_RESPONSE_CODE_MAX
};

◆ ast_stir_shaken_vs_response_code

enum ast_stir_shaken_vs_response_code

Enumerator
AST_STIR_SHAKEN_VS_SUCCESS
AST_STIR_SHAKEN_VS_DISABLED
AST_STIR_SHAKEN_VS_INVALID_ARGUMENTS
AST_STIR_SHAKEN_VS_INTERNAL_ERROR
AST_STIR_SHAKEN_VS_NO_IDENTITY_HDR
AST_STIR_SHAKEN_VS_NO_DATE_HDR
AST_STIR_SHAKEN_VS_DATE_HDR_PARSE_FAILURE
AST_STIR_SHAKEN_VS_DATE_HDR_EXPIRED
AST_STIR_SHAKEN_VS_NO_JWT_HDR
AST_STIR_SHAKEN_VS_INVALID_OR_NO_X5U
AST_STIR_SHAKEN_VS_CERT_CACHE_MISS
AST_STIR_SHAKEN_VS_CERT_CACHE_INVALID
AST_STIR_SHAKEN_VS_CERT_CACHE_EXPIRED
AST_STIR_SHAKEN_VS_CERT_RETRIEVAL_FAILURE
AST_STIR_SHAKEN_VS_CERT_CONTENTS_INVALID
AST_STIR_SHAKEN_VS_CERT_NOT_TRUSTED
AST_STIR_SHAKEN_VS_CERT_DATE_INVALID
AST_STIR_SHAKEN_VS_CERT_NO_TN_AUTH_EXT
AST_STIR_SHAKEN_VS_CERT_NO_SPC_IN_TN_AUTH_EXT
AST_STIR_SHAKEN_VS_NO_RAW_KEY
AST_STIR_SHAKEN_VS_SIGNATURE_VALIDATION
AST_STIR_SHAKEN_VS_NO_IAT
AST_STIR_SHAKEN_VS_IAT_EXPIRED
AST_STIR_SHAKEN_VS_INVALID_OR_NO_PPT
AST_STIR_SHAKEN_VS_INVALID_OR_NO_ALG
AST_STIR_SHAKEN_VS_INVALID_OR_NO_TYP
AST_STIR_SHAKEN_VS_INVALID_OR_NO_GRANTS
AST_STIR_SHAKEN_VS_INVALID_OR_NO_ATTEST
AST_STIR_SHAKEN_VS_NO_ORIGID
AST_STIR_SHAKEN_VS_NO_ORIG_TN
AST_STIR_SHAKEN_VS_CID_ORIG_TN_MISMATCH
AST_STIR_SHAKEN_VS_NO_DEST_TN
AST_STIR_SHAKEN_VS_INVALID_HEADER
AST_STIR_SHAKEN_VS_INVALID_GRANT
AST_STIR_SHAKEN_VS_INVALID_OR_NO_CID
AST_STIR_SHAKEN_VS_RESPONSE_CODE_MAX

Definition at line 23 of file res_stir_shaken.h.

                                      {
    AST_STIR_SHAKEN_VS_SUCCESS = 0,
    AST_STIR_SHAKEN_VS_DISABLED,
    AST_STIR_SHAKEN_VS_INVALID_ARGUMENTS,
    AST_STIR_SHAKEN_VS_INTERNAL_ERROR,
    AST_STIR_SHAKEN_VS_NO_IDENTITY_HDR,
    AST_STIR_SHAKEN_VS_NO_DATE_HDR,
    AST_STIR_SHAKEN_VS_DATE_HDR_PARSE_FAILURE,
    AST_STIR_SHAKEN_VS_DATE_HDR_EXPIRED,
    AST_STIR_SHAKEN_VS_NO_JWT_HDR,
    AST_STIR_SHAKEN_VS_INVALID_OR_NO_X5U,
    AST_STIR_SHAKEN_VS_CERT_CACHE_MISS,
    AST_STIR_SHAKEN_VS_CERT_CACHE_INVALID,
    AST_STIR_SHAKEN_VS_CERT_CACHE_EXPIRED,
    AST_STIR_SHAKEN_VS_CERT_RETRIEVAL_FAILURE,
    AST_STIR_SHAKEN_VS_CERT_CONTENTS_INVALID,
    AST_STIR_SHAKEN_VS_CERT_NOT_TRUSTED,
    AST_STIR_SHAKEN_VS_CERT_DATE_INVALID,
    AST_STIR_SHAKEN_VS_CERT_NO_TN_AUTH_EXT,
    AST_STIR_SHAKEN_VS_CERT_NO_SPC_IN_TN_AUTH_EXT,
    AST_STIR_SHAKEN_VS_NO_RAW_KEY,
    AST_STIR_SHAKEN_VS_SIGNATURE_VALIDATION,
    AST_STIR_SHAKEN_VS_NO_IAT,
    AST_STIR_SHAKEN_VS_IAT_EXPIRED,
    AST_STIR_SHAKEN_VS_INVALID_OR_NO_PPT,
    AST_STIR_SHAKEN_VS_INVALID_OR_NO_ALG,
    AST_STIR_SHAKEN_VS_INVALID_OR_NO_TYP,
    AST_STIR_SHAKEN_VS_INVALID_OR_NO_GRANTS,
    AST_STIR_SHAKEN_VS_INVALID_OR_NO_ATTEST,
    AST_STIR_SHAKEN_VS_NO_ORIGID,
    AST_STIR_SHAKEN_VS_NO_ORIG_TN,
    AST_STIR_SHAKEN_VS_CID_ORIG_TN_MISMATCH,
    AST_STIR_SHAKEN_VS_NO_DEST_TN,
    AST_STIR_SHAKEN_VS_INVALID_HEADER,
    AST_STIR_SHAKEN_VS_INVALID_GRANT,
    AST_STIR_SHAKEN_VS_INVALID_OR_NO_CID,
    AST_STIR_SHAKEN_VS_RESPONSE_CODE_MAX
};

◆ stir_shaken_failure_action_enum

enum stir_shaken_failure_action_enum

Enumerator
stir_shaken_failure_action_UNKNOWN	Unknown value
stir_shaken_failure_action_CONTINUE	Continue and let dialplan decide action
stir_shaken_failure_action_REJECT_REQUEST	Reject request with respone codes defined in RFC8224
stir_shaken_failure_action_CONTINUE_RETURN_REASON	Continue but return a Reason header in next provisional response
stir_shaken_failure_action_NOT_SET	Not set in config

Definition at line 79 of file res_stir_shaken.h.

                                     {
    /*! Unknown value */
    stir_shaken_failure_action_UNKNOWN = -1,
    /*! Continue and let dialplan decide action */
    stir_shaken_failure_action_CONTINUE = 0,
    /*! Reject request with respone codes defined in RFC8224 */
    stir_shaken_failure_action_REJECT_REQUEST,
    /*! Continue but return a Reason header in next provisional response  */
    stir_shaken_failure_action_CONTINUE_RETURN_REASON,
    /*! Not set in config */
    stir_shaken_failure_action_NOT_SET,
};

Function Documentation

◆ ast_stir_shaken_add_result_to_channel()

int ast_stir_shaken_add_result_to_channel ( struct ast_stir_shaken_vs_ctx * ctx )

Add a STIR/SHAKEN verification result to a channel.

Parameters

ctx	VS context

Return values

-1	on failure
0	on success

Definition at line 89 of file res_stir_shaken.c.

{
    struct stir_datastore *stir_datastore;
    struct ast_datastore *chan_datastore;
    const char *chan_name;
 
    if (!ctx->chan) {
        ast_log(LOG_ERROR, "Channel is required to add STIR/SHAKEN verification\n");
        return -1;
    }
 
    chan_name = ast_channel_name(ctx->chan);
 
    if (!ctx->identity_hdr) {
        ast_log(LOG_ERROR, "No identity to add STIR/SHAKEN verification to channel "
            "%s\n", chan_name);
        return -1;
    }
 
    if (!ctx->attestation) {
        ast_log(LOG_ERROR, "Attestation cannot be NULL to add STIR/SHAKEN verification to "
            "channel %s\n", chan_name);
        return -1;
    }
 
    stir_datastore = ast_calloc(1, sizeof(*stir_datastore));
    if (!stir_datastore) {
        ast_log(LOG_ERROR, "Failed to allocate space for STIR/SHAKEN datastore for "
            "channel %s\n", chan_name);
        return -1;
    }
 
    stir_datastore->identity = ast_strdup(ctx->identity_hdr);
    if (!stir_datastore->identity) {
        ast_log(LOG_ERROR, "Failed to allocate space for STIR/SHAKEN datastore "
            "identity for channel %s\n", chan_name);
        stir_datastore_free(stir_datastore);
        return -1;
    }
 
    stir_datastore->attestation = ast_strdup(ctx->attestation);
    if (!stir_datastore->attestation) {
        ast_log(LOG_ERROR, "Failed to allocate space for STIR/SHAKEN datastore "
            "attestation for channel %s\n", chan_name);
        stir_datastore_free(stir_datastore);
        return -1;
    }
 
    stir_datastore->verify_result = ctx->failure_reason;
 
    chan_datastore = ast_datastore_alloc(&stir_shaken_datastore_info, NULL);
    if (!chan_datastore) {
        ast_log(LOG_ERROR, "Failed to allocate space for datastore for channel "
            "%s\n", chan_name);
        stir_datastore_free(stir_datastore);
        return -1;
    }
 
    chan_datastore->data = stir_datastore;
 
    ast_channel_lock(ctx->chan);
    ast_channel_datastore_add(ctx->chan, chan_datastore);
    ast_channel_unlock(ctx->chan);
 
    return 0;
}

References ast_calloc, ast_channel_datastore_add(), ast_channel_lock, ast_channel_name(), ast_channel_unlock, ast_datastore_alloc, ast_log, ast_strdup, stir_datastore::attestation, ast_stir_shaken_vs_ctx::attestation, ast_stir_shaken_vs_ctx::chan, ast_datastore::data, ast_stir_shaken_vs_ctx::failure_reason, stir_datastore::identity, ast_stir_shaken_vs_ctx::identity_hdr, LOG_ERROR, NULL, stir_datastore_free(), stir_shaken_datastore_info, and stir_datastore::verify_result.

Referenced by process_failure(), and stir_shaken_incoming_request().

◆ ast_stir_shaken_as_ctx_add_fingerprint()

enum ast_stir_shaken_as_response_code ast_stir_shaken_as_ctx_add_fingerprint	(	struct ast_stir_shaken_as_ctx *	ctx,
		const char *	alg,
		const char *	fingerprint
	)

Add DTLS fingerprints to AS context.

Parameters

ctx	AS context
alg	Fingerprint algorithm ("sha-1" or "sha-256")
fingerprint	Fingerprint

Return values

AST_STIR_SHAKEN_AS_SUCCESS	if successful
Other	AST_STIR_SHAKEN_AS errors.

Definition at line 206 of file attestation.c.

{
    char *compacted_fp = ast_alloca(strlen(fingerprint) + 1);
    const char *f = fingerprint;
    char *fp = compacted_fp;
    char *combined;
    int rc;
    SCOPE_ENTER(4, "%s: Add fingerprint %s:%s\n", ctx ? ctx->tag : "",
        alg, fingerprint);
 
    if (!ctx || ast_strlen_zero(alg) || ast_strlen_zero(fingerprint)) {
        SCOPE_EXIT_RTN_VALUE(AST_STIR_SHAKEN_AS_INVALID_ARGUMENTS,
            "%s: Missing arguments\n", ctx->tag);
    }
 
    if (!ENUM_BOOL(ctx->etn->acfg_common.send_mky, send_mky)) {
        SCOPE_EXIT_RTN_VALUE(AST_STIR_SHAKEN_AS_DISABLED,
            "%s: Not needed\n", ctx->tag);
    }
 
    /* De-colonize */
    while (*f != '\0') {
        if (*f != ':') {
            *fp++ = *f;
        }
        f++;
    }
    *fp = '\0';
    rc = ast_asprintf(&combined, "%s:%s", alg, compacted_fp);
    if (rc < 0) {
        SCOPE_EXIT_RTN_VALUE(AST_STIR_SHAKEN_AS_INTERNAL_ERROR,
            "%s: Can't allocate memory for comobined string\n", ctx->tag);
    }
 
    rc = AST_VECTOR_ADD_SORTED(&ctx->fingerprints, combined, strcasecmp);
    if (rc < 0) {
        SCOPE_EXIT_RTN_VALUE(AST_STIR_SHAKEN_AS_INTERNAL_ERROR,
            "%s: Can't add entry to vector\n", ctx->tag);
    }
 
    SCOPE_EXIT_RTN_VALUE(AST_STIR_SHAKEN_AS_SUCCESS,
        "%s: Done\n", ctx->tag);
}

References tn_cfg::acfg_common, ast_alloca, ast_asprintf, AST_STIR_SHAKEN_AS_DISABLED, AST_STIR_SHAKEN_AS_INTERNAL_ERROR, AST_STIR_SHAKEN_AS_INVALID_ARGUMENTS, AST_STIR_SHAKEN_AS_SUCCESS, ast_strlen_zero(), AST_VECTOR_ADD_SORTED, ENUM_BOOL, ast_stir_shaken_as_ctx::etn, ast_stir_shaken_as_ctx::fingerprints, SCOPE_ENTER, SCOPE_EXIT_RTN_VALUE, attestation_cfg_common::send_mky, and ast_stir_shaken_as_ctx::tag.

Referenced by add_fingerprints_if_present().

◆ ast_stir_shaken_as_ctx_create()

enum ast_stir_shaken_as_response_code ast_stir_shaken_as_ctx_create	(	const char *	caller_id,
		const char *	dest_tn,
		struct ast_channel *	chan,
		const char *	profile_name,
		const char *	tag,
		struct ast_stir_shaken_as_ctx **	ctxout
	)

Create Attestation Service Context.

Parameters

caller_id	The caller_id for the outgoing call
dest_tn	Canonicalized destination tn
chan	The outgoing channel
profile_name	The profile name on the endpoint May be NULL.
tag	Identifying string to output in log and trace messages.
ctxout	Receives a pointer to the newly created context The caller must release with ao2_ref or ao2_cleanup.

Return values

AST_STIR_SHAKEN_AS_SUCCESS	if successful.
AST_STIR_SHAKEN_AS_DISABLED	if attestation is disabled by the endpoint itself, the profile or globally.
Other	AST_STIR_SHAKEN_AS errors.

Definition at line 66 of file attestation.c.

{
    RAII_VAR(struct ast_stir_shaken_as_ctx *, ctx, NULL, ao2_cleanup);
    RAII_VAR(struct profile_cfg *, eprofile, NULL, ao2_cleanup);
    RAII_VAR(struct attestation_cfg *, as_cfg, NULL, ao2_cleanup);
    RAII_VAR(struct tn_cfg *, etn, NULL, ao2_cleanup);
    RAII_VAR(char *, canon_dest_tn , canonicalize_tn_alloc(dest_tn), ast_free);
    RAII_VAR(char *, canon_orig_tn , canonicalize_tn_alloc(orig_tn), ast_free);
 
    const char *t = S_OR(tag, S_COR(chan, ast_channel_name(chan), ""));
    SCOPE_ENTER(3, "%s: Enter\n", t);
 
    as_cfg = as_get_cfg();
    if (as_cfg->global_disable) {
        SCOPE_EXIT_RTN_VALUE(AST_STIR_SHAKEN_AS_DISABLED,
            "%s: Globally disabled\n", t);
    }
 
    if (ast_strlen_zero(profile_name)) {
        SCOPE_EXIT_RTN_VALUE(AST_STIR_SHAKEN_AS_DISABLED,
            "%s: Disabled due to missing profile name\n", t);
    }
 
    eprofile = eprofile_get_cfg(profile_name);
    if (!eprofile) {
        SCOPE_EXIT_LOG_RTN_VALUE(AST_STIR_SHAKEN_AS_DISABLED,
        LOG_ERROR, "%s: No profile for profile name '%s'.  Call will continue\n", tag,
            profile_name);
    }
 
    if (!PROFILE_ALLOW_ATTEST(eprofile)) {
        SCOPE_EXIT_RTN_VALUE(AST_STIR_SHAKEN_AS_DISABLED,
            "%s: Disabled by profile '%s'\n", t, profile_name);
    }
 
    if (ast_strlen_zero(tag)) {
        SCOPE_EXIT_LOG_RTN_VALUE(AST_STIR_SHAKEN_AS_INVALID_ARGUMENTS,
            LOG_ERROR, "%s: Must provide tag\n", t);
    }
 
    if (!canon_orig_tn) {
        SCOPE_EXIT_LOG_RTN_VALUE(AST_STIR_SHAKEN_AS_INVALID_ARGUMENTS,
            LOG_ERROR, "%s: Must provide caller_id/orig_tn\n", tag);
    }
 
    if (!canon_dest_tn) {
        SCOPE_EXIT_LOG_RTN_VALUE(AST_STIR_SHAKEN_AS_INVALID_ARGUMENTS,
            LOG_ERROR, "%s: Must provide dest_tn\n", tag);
    }
 
    if (!ctxout) {
        SCOPE_EXIT_LOG_RTN_VALUE(AST_STIR_SHAKEN_AS_INVALID_ARGUMENTS,
            LOG_ERROR, "%s: Must provide ctxout\n", tag);
    }
 
    etn = tn_get_etn(canon_orig_tn, eprofile);
    if (!etn) {
        SCOPE_EXIT_RTN_VALUE(AST_STIR_SHAKEN_AS_DISABLED,
            "%s: No tn for orig_tn '%s'\n", tag, canon_orig_tn);
    }
 
    /* We don't need eprofile or as_cfg anymore so let's clean em up */
    ao2_cleanup(as_cfg);
    as_cfg = NULL;
    ao2_cleanup(eprofile);
    eprofile = NULL;
 
 
    if (etn->acfg_common.attest_level == attest_level_NOT_SET) {
        SCOPE_EXIT_LOG_RTN_VALUE(AST_STIR_SHAKEN_AS_MISSING_PARAMETERS,
            LOG_ERROR,
            "'%s': No attest_level specified in tn, profile or attestation objects\n",
            tag);
    }
 
    if (ast_strlen_zero(etn->acfg_common.public_cert_url)) {
        SCOPE_EXIT_LOG_RTN_VALUE(AST_STIR_SHAKEN_AS_NO_PUBLIC_CERT_URL_AVAIL,
            LOG_ERROR, "%s: No public cert url in tn %s, profile or attestation objects\n",
            tag, canon_orig_tn);
    }
 
    if (etn->acfg_common.raw_key_length == 0) {
        SCOPE_EXIT_LOG_RTN_VALUE(AST_STIR_SHAKEN_AS_NO_PRIVATE_KEY_AVAIL,
            LOG_ERROR, "%s: No private key in tn %s, profile or attestation objects\n",
            canon_orig_tn, tag);
    }
 
    ctx = ao2_alloc_options(sizeof(*ctx), ctx_destructor,
        AO2_ALLOC_OPT_LOCK_NOLOCK);
    if (!ctx) {
        SCOPE_EXIT_LOG_RTN_VALUE(AST_STIR_SHAKEN_AS_INTERNAL_ERROR,
            LOG_ERROR, "%s: Unable to allocate memory for ctx\n", tag);
    }
 
    if (ast_string_field_init(ctx, 1024) != 0) {
        SCOPE_EXIT_LOG_RTN_VALUE(AST_STIR_SHAKEN_AS_INTERNAL_ERROR,
            LOG_ERROR, "%s: Unable to allocate memory for ctx\n", tag);
    }
 
    if (ast_string_field_set(ctx, tag, tag) != 0) {
        SCOPE_EXIT_LOG_RTN_VALUE(AST_STIR_SHAKEN_AS_INTERNAL_ERROR,
            LOG_ERROR, "%s: Unable to allocate memory for ctx\n", tag);
    }
 
    if (ast_string_field_set(ctx, orig_tn, canon_orig_tn) != 0) {
        SCOPE_EXIT_LOG_RTN_VALUE(AST_STIR_SHAKEN_AS_INTERNAL_ERROR,
            LOG_ERROR, "%s: Unable to allocate memory for ctx\n", tag);
    }
 
    if (ast_string_field_set(ctx, dest_tn, canon_dest_tn)) {
        SCOPE_EXIT_LOG_RTN_VALUE(AST_STIR_SHAKEN_AS_INTERNAL_ERROR,
            LOG_ERROR, "%s: Unable to allocate memory for ctx\n", tag);
    }
 
    ctx->chan = chan;
    ast_channel_ref(ctx->chan);
 
    if (AST_VECTOR_INIT(&ctx->fingerprints, 1) != 0) {
        SCOPE_EXIT_LOG_RTN_VALUE(AST_STIR_SHAKEN_AS_INTERNAL_ERROR,
            LOG_ERROR, "%s: Unable to allocate memory for ctx\n", tag);
    }
 
    /* Transfer the references */
    ctx->etn = etn;
    etn = NULL;
    *ctxout = ctx;
    ctx = NULL;
 
    SCOPE_EXIT_RTN_VALUE(AST_STIR_SHAKEN_AS_SUCCESS, "%s: Done\n", tag);
}

References tn_cfg::acfg_common, AO2_ALLOC_OPT_LOCK_NOLOCK, ao2_alloc_options, ao2_cleanup, as_get_cfg(), ast_channel_name(), ast_channel_ref, ast_free, AST_STIR_SHAKEN_AS_DISABLED, AST_STIR_SHAKEN_AS_INTERNAL_ERROR, AST_STIR_SHAKEN_AS_INVALID_ARGUMENTS, AST_STIR_SHAKEN_AS_MISSING_PARAMETERS, AST_STIR_SHAKEN_AS_NO_PRIVATE_KEY_AVAIL, AST_STIR_SHAKEN_AS_NO_PUBLIC_CERT_URL_AVAIL, AST_STIR_SHAKEN_AS_SUCCESS, ast_string_field_init, ast_string_field_set, ast_strlen_zero(), AST_VECTOR_INIT, attestation_cfg_common::attest_level, canonicalize_tn_alloc(), ast_stir_shaken_as_ctx::chan, ctx_destructor(), ast_stir_shaken_as_ctx::dest_tn, eprofile_get_cfg(), ast_stir_shaken_as_ctx::etn, LOG_ERROR, NULL, ast_stir_shaken_as_ctx::orig_tn, PROFILE_ALLOW_ATTEST, attestation_cfg_common::public_cert_url, RAII_VAR, attestation_cfg_common::raw_key_length, S_COR, S_OR, SCOPE_ENTER, SCOPE_EXIT_LOG_RTN_VALUE, SCOPE_EXIT_RTN_VALUE, ast_stir_shaken_as_ctx::tag, and tn_get_etn().

Referenced by stir_shaken_outgoing_request().

◆ ast_stir_shaken_as_ctx_wants_fingerprints()

int ast_stir_shaken_as_ctx_wants_fingerprints ( struct ast_stir_shaken_as_ctx * ctx )

Indicates if the AS context needs DTLS fingerprints.

Parameters

ctx	AS Context

Return values

0	Not needed
1	Needed

Definition at line 200 of file attestation.c.

{
    return ENUM_BOOL(ctx->etn->acfg_common.send_mky, send_mky);
}

References tn_cfg::acfg_common, ENUM_BOOL, ast_stir_shaken_as_ctx::etn, and attestation_cfg_common::send_mky.

Referenced by add_fingerprints_if_present().

◆ ast_stir_shaken_attest()

enum ast_stir_shaken_as_response_code ast_stir_shaken_attest	(	struct ast_stir_shaken_as_ctx *	ctx,
		char **	header
	)

Attest and return Identity header value.

Parameters

ctx	AS Context
header	Pointer to buffer to receive the header value Must be freed with ast_free when done

Return values

AST_STIR_SHAKEN_AS_SUCCESS	if successful
Other	AST_STIR_SHAKEN_AS errors.

Definition at line 364 of file attestation.c.

{
    RAII_VAR(jwt_t *, jwt, NULL, jwt_free);
    jwt_alg_t alg;
    char *encoded = NULL;
    enum ast_stir_shaken_as_response_code as_rc;
    int rc = 0;
    SCOPE_ENTER(3, "%s: Attestation: orig: %s dest: %s\n",
        ctx ? ctx->tag : "NULL", ctx ? ctx->orig_tn : "NULL",
        ctx ? ctx->dest_tn : "NULL");
 
    if (!ctx) {
        SCOPE_EXIT_LOG_RTN_VALUE(AST_STIR_SHAKEN_VS_INTERNAL_ERROR, LOG_ERROR,
            "%s: No context object!\n", "NULL");
    }
 
    if (header == NULL) {
        SCOPE_EXIT_LOG_RTN_VALUE(AST_STIR_SHAKEN_AS_INVALID_ARGUMENTS,
            LOG_ERROR, "%s: Header buffer was NULL\n", ctx->tag);
    }
 
    rc = jwt_new(&jwt);
    if (rc != 0) {
        SCOPE_EXIT_LOG_RTN_VALUE(AST_STIR_SHAKEN_AS_INTERNAL_ERROR,
            LOG_ERROR, "%s: Cannot create JWT\n", ctx->tag);
    }
 
    /*
     * All headers added need to be in alphabetical order!
     */
    alg = jwt_str_alg(STIR_SHAKEN_ENCRYPTION_ALGORITHM);
    jwt_set_alg(jwt, alg, (const unsigned char *)ctx->etn->acfg_common.raw_key,
        ctx->etn->acfg_common.raw_key_length);
    jwt_add_header(jwt, "ppt", STIR_SHAKEN_PPT);
    jwt_add_header(jwt, "typ", STIR_SHAKEN_TYPE);
    jwt_add_header(jwt, "x5u", ctx->etn->acfg_common.public_cert_url);
 
    as_rc = pack_payload(ctx, jwt);
    if (as_rc != AST_STIR_SHAKEN_AS_SUCCESS) {
        SCOPE_EXIT_LOG_RTN_VALUE(as_rc,
            LOG_ERROR, "%s: Cannot pack payload\n", ctx->tag);
    }
 
    encoded = jwt_encode_str(jwt);
    if (!encoded) {
        SCOPE_EXIT_LOG_RTN_VALUE(AST_STIR_SHAKEN_AS_SIGN_ENCODE_FAILURE,
            LOG_ERROR, "%s: Unable to sign/encode JWT\n", ctx->tag);
    }
 
    rc = ast_asprintf(header, "%s;info=<%s>;alg=%s;ppt=%s",
        encoded, ctx->etn->acfg_common.public_cert_url, jwt_alg_str(alg),
        STIR_SHAKEN_PPT);
    ast_std_free(encoded);
    if (rc < 0) {
        SCOPE_EXIT_LOG_RTN_VALUE(AST_STIR_SHAKEN_AS_INTERNAL_ERROR,
            LOG_ERROR, "%s: Unable to allocate memory for identity header\n",
            ctx->tag);
    }
 
    SCOPE_EXIT_RTN_VALUE(AST_STIR_SHAKEN_AS_SUCCESS, "%s: Done\n", ctx->tag);
}

References tn_cfg::acfg_common, ast_asprintf, ast_std_free(), AST_STIR_SHAKEN_AS_INTERNAL_ERROR, AST_STIR_SHAKEN_AS_INVALID_ARGUMENTS, AST_STIR_SHAKEN_AS_SIGN_ENCODE_FAILURE, AST_STIR_SHAKEN_AS_SUCCESS, AST_STIR_SHAKEN_VS_INTERNAL_ERROR, ast_stir_shaken_as_ctx::dest_tn, ast_stir_shaken_as_ctx::etn, LOG_ERROR, NULL, ast_stir_shaken_as_ctx::orig_tn, pack_payload(), attestation_cfg_common::public_cert_url, RAII_VAR, attestation_cfg_common::raw_key, attestation_cfg_common::raw_key_length, SCOPE_ENTER, SCOPE_EXIT_LOG_RTN_VALUE, SCOPE_EXIT_RTN_VALUE, STIR_SHAKEN_ENCRYPTION_ALGORITHM, STIR_SHAKEN_PPT, STIR_SHAKEN_TYPE, and ast_stir_shaken_as_ctx::tag.

Referenced by stir_shaken_outgoing_request().

◆ ast_stir_shaken_vs_ctx_add_date_hdr()

enum ast_stir_shaken_vs_response_code ast_stir_shaken_vs_ctx_add_date_hdr	(	struct ast_stir_shaken_vs_ctx *	ctx,
		const char *	date_hdr
	)

Add the received Date header value to the VS context.

Parameters

ctx	VS context
date_hdr	Date header value

Return values

AST_STIR_SHAKEN_VS_SUCCESS	if successful
Other	AST_STIR_SHAKEN_VS errors.

Definition at line 613 of file verification.c.

{
    return ast_string_field_set(ctx, date_hdr, date_hdr) == 0 ?
        AST_STIR_SHAKEN_VS_SUCCESS : AST_STIR_SHAKEN_VS_INTERNAL_ERROR;
}

References AST_STIR_SHAKEN_VS_INTERNAL_ERROR, AST_STIR_SHAKEN_VS_SUCCESS, and ast_string_field_set.

Referenced by stir_shaken_incoming_request().

◆ ast_stir_shaken_vs_ctx_add_identity_hdr()

enum ast_stir_shaken_vs_response_code ast_stir_shaken_vs_ctx_add_identity_hdr	(	struct ast_stir_shaken_vs_ctx *	ctx,
		const char *	identity_hdr
	)

Add the received Identity header value to the VS context.

Parameters

ctx	VS context
identity_hdr	Identity header value

Return values

AST_STIR_SHAKEN_VS_SUCCESS	if successful
Other	AST_STIR_SHAKEN_VS errors.

Definition at line 605 of file verification.c.

{
    return ast_string_field_set(ctx, identity_hdr, identity_hdr) == 0 ?
        AST_STIR_SHAKEN_VS_SUCCESS : AST_STIR_SHAKEN_VS_INTERNAL_ERROR;
}

References AST_STIR_SHAKEN_VS_INTERNAL_ERROR, AST_STIR_SHAKEN_VS_SUCCESS, and ast_string_field_set.

Referenced by stir_shaken_incoming_request().

◆ ast_stir_shaken_vs_ctx_create()

enum ast_stir_shaken_vs_response_code ast_stir_shaken_vs_ctx_create	(	const char *	caller_id,
		struct ast_channel *	chan,
		const char *	profile_name,
		const char *	tag,
		struct ast_stir_shaken_vs_ctx **	ctxout
	)

Create Verification Service context.

Parameters

caller_id	Incoming caller id
chan	Incoming channel
profile_name	The profile name on the endpoint May be NULL.
endpoint_behavior	Behavior associated to the specific endpoint
tag	Identifying string to output in log and trace messages.
ctxout	Receives a pointer to the newly created context The caller must release with ao2_ref or ao2_cleanup.

Return values

AST_STIR_SHAKEN_VS_SUCCESS	if successful.
AST_STIR_SHAKEN_VS_DISABLED	if verification is disabled by the endpoint itself, the profile or globally.
Other	AST_STIR_SHAKEN_VS errors.

Definition at line 657 of file verification.c.

{
    RAII_VAR(struct ast_stir_shaken_vs_ctx *, ctx, NULL, ao2_cleanup);
    RAII_VAR(struct profile_cfg *, profile, NULL, ao2_cleanup);
    RAII_VAR(struct verification_cfg *, vs, NULL, ao2_cleanup);
    RAII_VAR(char *, canon_caller_id , canonicalize_tn_alloc(caller_id), ast_free);
 
    const char *t = S_OR(tag, S_COR(chan, ast_channel_name(chan), ""));
    SCOPE_ENTER(3, "%s: Enter\n", t);
 
    vs = vs_get_cfg();
    if (vs->global_disable) {
        SCOPE_EXIT_RTN_VALUE(AST_STIR_SHAKEN_VS_DISABLED,
            "%s: Globally disabled\n", t);
    }
 
    if (ast_strlen_zero(profile_name)) {
        SCOPE_EXIT_RTN_VALUE(AST_STIR_SHAKEN_VS_DISABLED,
            "%s: Disabled due to missing profile name\n", t);
    }
 
    profile = eprofile_get_cfg(profile_name);
    if (!profile) {
        SCOPE_EXIT_LOG_RTN_VALUE(AST_STIR_SHAKEN_VS_DISABLED,
        LOG_ERROR, "%s: No profile for profile name '%s'.  Call will continue\n", tag,
            profile_name);
    }
 
    if (!PROFILE_ALLOW_VERIFY(profile)) {
        SCOPE_EXIT_RTN_VALUE(AST_STIR_SHAKEN_VS_DISABLED,
            "%s: Disabled by profile '%s'\n", t, profile_name);
    }
 
    if (ast_strlen_zero(tag)) {
        SCOPE_EXIT_LOG_RTN_VALUE(AST_STIR_SHAKEN_VS_INVALID_ARGUMENTS,
            LOG_ERROR, "%s: Must provide tag\n", t);
    }
 
    ctx = ao2_alloc_options(sizeof(*ctx), ctx_destructor,
        AO2_ALLOC_OPT_LOCK_NOLOCK);
    if (!ctx) {
        SCOPE_EXIT_RTN_VALUE(AST_STIR_SHAKEN_VS_INTERNAL_ERROR);
    }
    if (ast_string_field_init(ctx, 1024) != 0) {
        SCOPE_EXIT_RTN_VALUE(AST_STIR_SHAKEN_VS_INTERNAL_ERROR);
    }
 
    if (ast_string_field_set(ctx, tag, tag) != 0) {
        SCOPE_EXIT_RTN_VALUE(AST_STIR_SHAKEN_VS_INTERNAL_ERROR);
    }
 
    ctx->chan = chan;
    if (ast_string_field_set(ctx, caller_id, canon_caller_id) != 0) {
        SCOPE_EXIT_RTN_VALUE(AST_STIR_SHAKEN_VS_INTERNAL_ERROR);
    }
 
    /* Transfer references to ctx */
    ctx->eprofile = profile;
    profile = NULL;
 
    ao2_ref(ctx, +1);
    *ctxout = ctx;
    SCOPE_EXIT_RTN_VALUE(AST_STIR_SHAKEN_VS_SUCCESS, "%s: Done\n", t);
}

References AO2_ALLOC_OPT_LOCK_NOLOCK, ao2_alloc_options, ao2_cleanup, ao2_ref, ast_channel_name(), ast_free, AST_STIR_SHAKEN_VS_DISABLED, AST_STIR_SHAKEN_VS_INTERNAL_ERROR, AST_STIR_SHAKEN_VS_INVALID_ARGUMENTS, AST_STIR_SHAKEN_VS_SUCCESS, ast_string_field_init, ast_string_field_set, ast_strlen_zero(), ast_stir_shaken_vs_ctx::caller_id, canonicalize_tn_alloc(), ast_stir_shaken_vs_ctx::chan, ctx_destructor(), eprofile_get_cfg(), LOG_ERROR, NULL, PROFILE_ALLOW_VERIFY, RAII_VAR, S_COR, S_OR, SCOPE_ENTER, SCOPE_EXIT_LOG_RTN_VALUE, SCOPE_EXIT_RTN_VALUE, ast_stir_shaken_vs_ctx::tag, and vs_get_cfg().

Referenced by stir_shaken_incoming_request().

◆ ast_stir_shaken_vs_ctx_set_response_code()

void ast_stir_shaken_vs_ctx_set_response_code	(	struct ast_stir_shaken_vs_ctx *	ctx,
		enum ast_stir_shaken_vs_response_code	vs_rc
	)

Sets response code on VS context.

Parameters

ctx	VS context
vs_rc	ast_stir_shaken_vs_response_code to set

Definition at line 639 of file verification.c.

{
    ctx->failure_reason = vs_rc;
}

References ast_stir_shaken_vs_ctx::failure_reason.

Referenced by process_failure().

◆ ast_stir_shaken_vs_get_caller_id()

const char * ast_stir_shaken_vs_get_caller_id ( struct ast_stir_shaken_vs_ctx * ctx )

Get caller_id from context.

Parameters

ctx	VS context

Return values

Caller ID or NULL

Definition at line 633 of file verification.c.

{
    return ctx->caller_id;
}

References ast_stir_shaken_vs_ctx::caller_id.

Referenced by stir_shaken_incoming_request().

◆ ast_stir_shaken_vs_get_failure_action()

enum stir_shaken_failure_action_enum ast_stir_shaken_vs_get_failure_action ( struct ast_stir_shaken_vs_ctx * ctx )

Get failure_action from context.

Parameters

ctx	VS context

Return values

ast_stir_shaken_failure_action

Definition at line 621 of file verification.c.

{
    return ctx->eprofile->vcfg_common.stir_shaken_failure_action;
}

References ast_stir_shaken_vs_ctx::eprofile, verification_cfg_common::stir_shaken_failure_action, and profile_cfg::vcfg_common.

Referenced by process_failure().

◆ ast_stir_shaken_vs_get_use_rfc9410_responses()

int ast_stir_shaken_vs_get_use_rfc9410_responses ( struct ast_stir_shaken_vs_ctx * ctx )

Get use_rfc9410_responses from context.

Parameters

ctx	VS context

Return values

1	if true
0	if false

Definition at line 627 of file verification.c.

{
    return ctx->eprofile->vcfg_common.use_rfc9410_responses;
}

References ast_stir_shaken_vs_ctx::eprofile, verification_cfg_common::use_rfc9410_responses, and profile_cfg::vcfg_common.

Referenced by process_failure().

◆ ast_stir_shaken_vs_verify()

enum ast_stir_shaken_vs_response_code ast_stir_shaken_vs_verify ( struct ast_stir_shaken_vs_ctx * ctx )

Perform incoming call verification.

Parameters

ctx	VS context

Return values

AST_STIR_SHAKEN_AS_SUCCESS	if successful
Other	AST_STIR_SHAKEN_AS errors.

Definition at line 884 of file verification.c.

{
    RAII_VAR(char *, jwt_encoded, NULL, ast_free);
    RAII_VAR(jwt_t *, jwt, NULL, jwt_free);
    RAII_VAR(struct ast_json *, grants, NULL, ast_json_unref);
    char *p = NULL;
    char *grants_str = NULL;
    const char *x5u;
    const char *ppt_header = NULL;
    const char *grant = NULL;
    time_t now_s = time(NULL);
    time_t iat;
    struct ast_json *grant_obj = NULL;
    int len;
    int rc;
    enum ast_stir_shaken_vs_response_code vs_rc;
    SCOPE_ENTER(3, "%s: Verifying\n", ctx ? ctx->tag : "NULL");
 
    if (!ctx) {
        SCOPE_EXIT_LOG_RTN_VALUE(AST_STIR_SHAKEN_VS_INTERNAL_ERROR, LOG_ERROR,
            "%s: No context object!\n", "NULL");
    }
 
    if (ast_strlen_zero(ctx->identity_hdr)) {
        SCOPE_EXIT_LOG_RTN_VALUE(AST_STIR_SHAKEN_VS_INTERNAL_ERROR, LOG_ERROR,
            "%s: No identity header in ctx\n", ctx->tag);
    }
 
    p = strchr(ctx->identity_hdr, ';');
    len = p - ctx->identity_hdr + 1;
    jwt_encoded = ast_malloc(len);
    if (!jwt_encoded) {
        SCOPE_EXIT_LOG_RTN_VALUE(AST_STIR_SHAKEN_VS_INTERNAL_ERROR, LOG_ERROR,
            "%s: Failed to allocate memory for encoded jwt\n", ctx->tag);
    }
 
    memcpy(jwt_encoded, ctx->identity_hdr, len);
    jwt_encoded[len - 1] = '\0';
 
    jwt_decode(&jwt, jwt_encoded, NULL, 0);
 
    ppt_header = jwt_get_header(jwt, "ppt");
    if (!ppt_header || strcmp(ppt_header, STIR_SHAKEN_PPT)) {
        SCOPE_EXIT_RTN_VALUE(AST_STIR_SHAKEN_VS_INVALID_OR_NO_PPT, "%s: %s\n",
            ctx->tag, vs_response_code_to_str(AST_STIR_SHAKEN_VS_INVALID_OR_NO_PPT));
    }
 
    vs_rc = check_date_header(ctx);
    if (vs_rc != AST_STIR_SHAKEN_VS_SUCCESS) {
        SCOPE_EXIT_LOG_RTN_VALUE(vs_rc, LOG_ERROR,
            "%s: Date header verification failed\n", ctx->tag);
    }
 
    x5u = jwt_get_header(jwt, "x5u");
    if (ast_strlen_zero(x5u)) {
        SCOPE_EXIT_LOG_RTN_VALUE(AST_STIR_SHAKEN_VS_INVALID_OR_NO_X5U, LOG_ERROR,
            "%s: No x5u in Identity header\n", ctx->tag);
    }
 
    rc = check_x5u_url(ctx, x5u);
    if (rc != AST_STIR_SHAKEN_VS_SUCCESS) {
        SCOPE_EXIT_RTN_VALUE(vs_rc,
            "%s: x5u URL verification failed\n", ctx->tag);
    }
 
    ast_trace(3, "%s: Decoded enough to get x5u: '%s'\n", ctx->tag, x5u);
    if (ast_string_field_set(ctx, public_url, x5u) != 0) {
        SCOPE_EXIT_LOG_RTN_VALUE(AST_STIR_SHAKEN_VS_INTERNAL_ERROR, LOG_ERROR,
            "%s: Failed to set public_url '%s'\n", ctx->tag, x5u);
    }
 
    iat = jwt_get_grant_int(jwt, "iat");
    if (iat == 0) {
        SCOPE_EXIT_LOG_RTN_VALUE(AST_STIR_SHAKEN_VS_NO_IAT, LOG_ERROR,
            "%s: No 'iat' in Identity header\n", ctx->tag);
    }
    ast_trace(1, "date_hdr: %zu  iat: %zu  diff: %zu\n",
        ctx->date_hdr_time, iat, ctx->date_hdr_time - iat);
    if (iat + ctx->eprofile->vcfg_common.max_iat_age < now_s) {
        SCOPE_EXIT_RTN_VALUE(AST_STIR_SHAKEN_VS_IAT_EXPIRED,
            "%s: iat %ld older than %u seconds\n", ctx->tag,
            iat, ctx->eprofile->vcfg_common.max_iat_age);
    }
    ctx->validity_check_time = iat;
 
    vs_rc = ctx_populate(ctx);
    if (vs_rc != AST_STIR_SHAKEN_VS_SUCCESS) {
        SCOPE_EXIT_LOG_RTN_VALUE(vs_rc, LOG_ERROR,
            "%s: Unable to populate ctx\n", ctx->tag);
    }
 
    vs_rc = retrieve_verification_cert(ctx);
    if (vs_rc != AST_STIR_SHAKEN_VS_SUCCESS) {
        SCOPE_EXIT_LOG_RTN_VALUE(vs_rc, LOG_ERROR,
            "%s: Could not get valid cert from '%s'\n", ctx->tag, ctx->public_url);
    }
 
    jwt_free(jwt);
    jwt = NULL;
 
    rc = jwt_decode(&jwt, jwt_encoded, ctx->raw_key, ctx->raw_key_len);
    if (rc != 0) {
        SCOPE_EXIT_LOG_RTN_VALUE(AST_STIR_SHAKEN_VS_SIGNATURE_VALIDATION,
            LOG_ERROR, "%s: Signature validation failed for '%s'\n",
            ctx->tag, ctx->public_url);
    }
 
    ast_trace(1, "%s: Decoding succeeded\n", ctx->tag);
 
    ppt_header = jwt_get_header(jwt, "alg");
    if (!ppt_header || strcmp(ppt_header, STIR_SHAKEN_ENCRYPTION_ALGORITHM)) {
        SCOPE_EXIT_RTN_VALUE(AST_STIR_SHAKEN_VS_INVALID_OR_NO_ALG,
            "%s: %s\n", ctx->tag,
            vs_response_code_to_str(AST_STIR_SHAKEN_VS_INVALID_OR_NO_ALG));
    }
 
    ppt_header = jwt_get_header(jwt, "ppt");
    if (!ppt_header || strcmp(ppt_header, STIR_SHAKEN_PPT)) {
        SCOPE_EXIT_RTN_VALUE(AST_STIR_SHAKEN_VS_INVALID_OR_NO_PPT,
            "%s: %s\n", ctx->tag,
            vs_response_code_to_str(AST_STIR_SHAKEN_VS_INVALID_OR_NO_PPT));
    }
 
    ppt_header = jwt_get_header(jwt, "typ");
    if (!ppt_header || strcmp(ppt_header, STIR_SHAKEN_TYPE)) {
        SCOPE_EXIT_RTN_VALUE(AST_STIR_SHAKEN_VS_INVALID_OR_NO_TYP,
            "%s: %s\n", ctx->tag,
            vs_response_code_to_str(AST_STIR_SHAKEN_VS_INVALID_OR_NO_TYP));
    }
 
    grants_str = jwt_get_grants_json(jwt, NULL);
    if (ast_strlen_zero(grants_str)) {
        SCOPE_EXIT_RTN_VALUE(AST_STIR_SHAKEN_VS_INVALID_OR_NO_GRANTS,
            "%s: %s\n", ctx->tag,
            vs_response_code_to_str(AST_STIR_SHAKEN_VS_INVALID_OR_NO_GRANTS));
    }
    ast_trace(1, "grants: %s\n", grants_str);
    grants = ast_json_load_string(grants_str, NULL);
    ast_std_free(grants_str);
    if (!grants) {
        SCOPE_EXIT_RTN_VALUE(AST_STIR_SHAKEN_VS_INVALID_OR_NO_GRANTS,
            "%s: %s\n", ctx->tag,
            vs_response_code_to_str(AST_STIR_SHAKEN_VS_INVALID_OR_NO_GRANTS));
    }
 
    grant = ast_json_object_string_get(grants, "attest");
    if (ast_strlen_zero(grant)) {
        SCOPE_EXIT_RTN_VALUE(AST_STIR_SHAKEN_VS_INVALID_OR_NO_ATTEST,
            "%s: No 'attest' in Identity header\n", ctx->tag);
    }
    if (grant[0] < 'A' || grant[0] > 'C') {
        SCOPE_EXIT_RTN_VALUE(AST_STIR_SHAKEN_VS_INVALID_OR_NO_ATTEST,
            "%s: Invalid attest value '%s'\n", ctx->tag, grant);
    }
    ast_string_field_set(ctx, attestation, grant);
    ast_trace(1, "got attest: %s\n", grant);
 
    grant_obj = ast_json_object_get(grants, "dest");
    if (!grant_obj) {
        SCOPE_EXIT_RTN_VALUE(AST_STIR_SHAKEN_VS_NO_DEST_TN,
            "%s: No 'dest' in Identity header\n", ctx->tag);
    }
    if (TRACE_ATLEAST(3)) {
        char *otn = ast_json_dump_string(grant_obj);
        ast_trace(1, "got dest: %s\n", otn);
        ast_json_free(otn);
    }
 
    grant_obj = ast_json_object_get(grants, "orig");
    if (!grant_obj) {
        SCOPE_EXIT_RTN_VALUE(AST_STIR_SHAKEN_VS_NO_ORIG_TN,
            "%s: No 'orig' in Identity header\n", ctx->tag);
    }
    if (TRACE_ATLEAST(3)) {
        char *otn = ast_json_dump_string(grant_obj);
        ast_trace(1, "got orig: %s\n", otn);
        ast_json_free(otn);
    }
    grant = ast_json_object_string_get(grant_obj, "tn");
    if (!grant) {
        SCOPE_EXIT_RTN_VALUE(AST_STIR_SHAKEN_VS_NO_ORIG_TN,
            "%s: No 'orig.tn' in Indentity header\n", ctx->tag);
    }
    ast_string_field_set(ctx, orig_tn, grant);
    if (strcmp(ctx->caller_id, ctx->orig_tn) != 0) {
        SCOPE_EXIT_RTN_VALUE(AST_STIR_SHAKEN_VS_CID_ORIG_TN_MISMATCH,
            "%s: Mismatched cid '%s' and orig_tn '%s'\n", ctx->tag,
            ctx->caller_id, grant);
    }
 
    grant = ast_json_object_string_get(grants, "origid");
    if (ast_strlen_zero(grant)) {
        SCOPE_EXIT_RTN_VALUE(AST_STIR_SHAKEN_VS_NO_ORIGID,
            "%s: No 'origid' in Identity header\n", ctx->tag);
    }
 
    SCOPE_EXIT_RTN_VALUE(AST_STIR_SHAKEN_VS_SUCCESS,
        "%s: verification succeeded\n", ctx->tag);
}

Referenced by stir_shaken_incoming_request().

Enumerations

Functions

Enumeration Type Documentation

◆ ast_stir_shaken_as_response_code

◆ ast_stir_shaken_vs_response_code

◆ stir_shaken_failure_action_enum

Function Documentation

◆ ast_stir_shaken_add_result_to_channel()

◆ ast_stir_shaken_as_ctx_add_fingerprint()

◆ ast_stir_shaken_as_ctx_create()

◆ ast_stir_shaken_as_ctx_wants_fingerprints()

◆ ast_stir_shaken_attest()

◆ ast_stir_shaken_vs_ctx_add_date_hdr()

◆ ast_stir_shaken_vs_ctx_add_identity_hdr()

◆ ast_stir_shaken_vs_ctx_create()

◆ ast_stir_shaken_vs_ctx_set_response_code()

◆ ast_stir_shaken_vs_get_caller_id()

◆ ast_stir_shaken_vs_get_failure_action()

◆ ast_stir_shaken_vs_get_use_rfc9410_responses()

◆ ast_stir_shaken_vs_verify()