Stir/Shaken Refactor #524
Merged
Stir/Shaken Refactor #524
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
cherry-pick-to: 18 |
github-actions
bot
added
pr-submit-tests-failed
and removed
pr-submit-testing-in-progress
labels
seanbright
reviewed
Jan 10, 2024
|
I'm moving this back to draft because setting any of the profile config fields will wither result in a segfault or the wrong structure member being set. I'm refactoring how the profiles work to prevent the duplication of fields and to more easily prevent disagreements. |
gtjoseph
force-pushed
the
master-stir-shaken-refactor
branch
from
987b643
to
88b8bcd
Compare
github-actions
bot
added
pr-submit-testing-in-progress
and removed
pr-submit-tests-failed
labels
|
Still trying to decide what can be unit tested vs testsuite tested. |
github-actions
bot
added
pr-submit-tests-passed
and removed
pr-submit-testing-in-progress
labels
gtjoseph
force-pushed
the
master-stir-shaken-refactor
branch
from
88b8bcd
to
cc3eded
Compare
github-actions
bot
added
pr-submit-testing-in-progress
pr-submit-tests-passed
and removed
pr-submit-tests-passed
pr-submit-testing-in-progress
labels
|
Super excited for this!!!!!! You guys rock!! |
Thanks @lukeescude! Would it be possible for you to test at all? |
gtjoseph
force-pushed
the
master-stir-shaken-refactor
branch
from
cc3eded
to
32be8f0
Compare
github-actions
bot
added
pr-submit-testing-in-progress
pr-submit-tests-passed
and removed
pr-submit-tests-passed
pr-submit-testing-in-progress
labels
Absolutely, do you happen to know where I can find the docs for configuring the module? (Not sure if it's still following the same syntax as the original stir_shaken.conf) - I don't mind looking at the code to extrapolate docs, just need to know where. |
github-actions
bot
added
cherry-pick-testing-in-progress
mbradeen
previously approved these changes
Feb 27, 2024
bkford
reviewed
Feb 27, 2024
Why do we need a refactor?
The original stir/shaken implementation was started over 3 years ago
when little was understood about practical implementation. The
result was an implementation that wouldn't actually interoperate
with any other stir-shaken implementations.
There were also a number of stir-shaken features and RFC
requirements that were never implemented such as TNAuthList
certificate validation, sending Reason headers in SIP responses
when verification failed but we wished to continue the call, and
the ability to send Media Key(mky) grants in the Identity header
when the call involved DTLS.
Finally, there were some performance concerns around outgoing
calls and selection of the correct certificate and private key.
The configuration was keyed by an arbitrary name which meant that
for every outgoing call, we had to scan the entire list of
configured TNs to find the correct cert to use. With only a few
TNs configured, this wasn't an issue but if you have a thousand,
it could be.
What's changed?
* Configuration objects have been refactored to be clearer about
their uses and to fix issues.
* The "general" object was renamed to "verification" since it
contains parameters specific to the incoming verification
process. It also never handled ca_path and crl_path
correctly.
* A new "attestation" object was added that controls the
outgoing attestation process. It sets default certificates,
keys, etc.
* The "certificate" object was renamed to "tn" and had it's key
change to telephone number since outgoing call attestation
needs to look up certificates by telephone number.
* The "profile" object had more parameters added to it that can
override default parameters specified in the "attestation"
and "verification" objects.
* The "store" object was removed altogther as it was never
implemented.
* We now use libjwt to create outgoing Identity headers and to
parse and validate signatures on incoming Identiy headers. Our
previous custom implementation was much of the source of the
interoperability issues.
* General code cleanup and refactor.
* Moved things to better places.
* Separated some of the complex functions to smaller ones.
* Using context objects rather than passing tons of parameters
in function calls.
* Removed some complexity and unneeded encapsuation from the
config objects.
Resolves: asterisk#351
Resolves: asterisk#46
UserNote: Asterisk's stir-shaken feature has been refactored to
correct interoperability, RFC compliance, and performance issues.
See https://docs.asterisk.org/Deployment/STIR-SHAKEN for more
information.
UpgradeNote: The stir-shaken refactor is a breaking change but since
it's not working now we don't think it matters. The
stir_shaken.conf file has changed significantly which means that
existing ones WILL need to be changed. The stir_shaken.conf.sample
file in configs/samples/ has quite a bit more information. This is
also an ABI breaking change since some of the existing objects
needed to be changed or removed, and new ones added. Additionally,
if res_stir_shaken is enabled in menuselect, you'll need to either
have the development package for libjwt v1.15.3 installed or use
the --with-libjwt-bundled option with ./configure.
gtjoseph
force-pushed
the
master-stir-shaken-refactor
branch
from
be6d1ba
to
f38dee0
Compare
github-actions
bot
added
pr-submit-testing-in-progress
pr-submit-tests-passed
and removed
cherry-pick-checks-failed
github-actions
bot
added
cherry-pick-testing-in-progress
github-actions
bot
added
pre-merge-testing-in-progress
pre-merge-checks-passed
merge-in-progress
and removed
merge-approved
pre-merge-testing-in-progress
labels
asterisk-org-access-app
bot
merged commit 628f8d7
into
asterisk:master
62 checks passed
|
Successfully merged to branch master and cherry-picked to ["18","20","21"] |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Why do we need a refactor?
The original stir/shaken implementation was started over 3 years ago
when little was understood about practical implementation. The
result was an implementation that wouldn't actually interoperate
with any other stir-shaken implementations.
There were also a number of stir-shaken features and RFC
requirements that were never implemented such as TNAuthList
certificate validation, sending Reason headers in SIP responses
when verification failed but we wished to continue the call, and
the ability to send Media Key(mky) grants in the Identity header
when the call involved DTLS.
Finally, there were some performance concerns around outgoing
calls and selection of the correct certificate and private key.
The configuration was keyed by an arbitrary name which meant that
for every outgoing call, we had to scan the entire list of
configured TNs to find the correct cert to use. With only a few
TNs configured, this wasn't an issue but if you have a thousand,
it could be.
What's changed?
Configuration objects have been refactored to be clearer about
their uses and to fix issues.
contains parameters specific to the incoming verification
process. It also never handled ca_path and crl_path
correctly.
outgoing attestation process. It sets default certificates,
keys, etc.
change to telephone number since outgoing call attestation
needs to look up certificates by telephone number.
override default parameters specified in the "attestation"
and "verification" objects.
implemented.
We now use libjwt to create outgoing Identity headers and to
parse and validate signatures on incoming Identiy headers. Our
previous custom implementation was much of the source of the
interoperability issues.
General code cleanup and refactor.
in function calls.
config objects.
Resolves: #351
Resolves: #46
UserNote: Asterisk's stir-shaken feature has been refactored to
correct interoperability, RFC compliance, and performance issues.
See https://docs.asterisk.org/Deployment/STIR-SHAKEN for more
information.
UpgradeNote: The stir-shaken refactor is a breaking change but since
it's not working now we don't think it matters. The
stir_shaken.conf file has changed significantly which means that
existing ones WILL need to be changed. The stir_shaken.conf.sample
file in configs/samples/ has quite a bit more information. This is
also an ABI breaking change since some of the existing objects
needed to be changed or removed, and new ones added. Additionally,
if res_stir_shaken is enabled in menuselect, you'll need to either
have the development package for libjwt v1.15.3 installed or use
the --with-libjwt-bundled option with ./configure.