sysmocom/asterisk
11
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
asterisk/res/res_pjsip_outbound_authenticator_digest.c
Nick French 37b2e68628 res_pjsip: Implement additional SIP RFCs for Google Voice trunk compatability 
This change implements a few different generic things which were brought
on by Google Voice SIP.

1.  The concept of flow transports have been introduced.  These are
configurable transports in pjsip.conf which can be used to reference a
flow of signaling to a target.  These have runtime configuration that can
be changed by the signaling itself (such as Service-Routes and
P-Preferred-Identity).  When used these guarantee an individual connection
(in the case of TCP or TLS) even if multiple flow transports exist to the
same target.

2.  Service-Routes (RFC 3608) support has been added to the outbound
registration module which when received will be stored on the flow
transport and used for requests referencing it.

3.  P-Associated-URI / P-Preferred-Identity (RFC 3325) support has been
added to the outbound registration module.  If a P-Associated-URI header
is received it will be used on requests as the P-Preferred-Identity.

4.  Configurable outbound extension support has been added to the outbound
registration module.  When set the extension will be placed in the
Supported header.

5.  Header parameters can now be configured on an outbound registration
which will be placed in the Contact header.

6.  Google specific OAuth / Bearer token authentication
(draft-ietf-sipcore-sip-authn-02) has been added to the outbound
registration module.

All functionality changes are controlled by pjsip.conf configuration
options and do not affect non-configured pjsip endpoints otherwise.

ASTERISK-27971 #close

Change-Id: Id214c2d1c550a41fcf564b7df8f3da7be565bd58
2018-10-24 07:51:25 -05:00

230 lines
7 KiB
C
Raw Blame History

/*
* Asterisk -- An open source telephony toolkit.
*
* Copyright (C) 2013, Digium, Inc.
*
* Mark Michelson <mmichelson@digium.com>
*
* See http://www.asterisk.org for more information about
* the Asterisk project. Please do not directly contact
* any of the maintainers of this project for assistance;
* the project provides a web site, mailing lists and IRC
* channels for your use.
*
* This program is free software, distributed under the terms of
* the GNU General Public License Version 2. See the LICENSE file
* at the top of the source tree.
*/
/*** MODULEINFO
<depend>pjproject</depend>
<depend>res_pjsip</depend>
<support_level>core</support_level>
***/
#include "asterisk.h"
#include <pjsip.h>
#include "asterisk/res_pjsip.h"
#include "asterisk/logger.h"
#include "asterisk/module.h"
#include "asterisk/strings.h"
static pjsip_www_authenticate_hdr *get_auth_header(pjsip_rx_data *challenge,
const void *start)
{
pjsip_hdr_e search_type;
if (challenge->msg_info.msg->line.status.code == PJSIP_SC_UNAUTHORIZED) {
search_type = PJSIP_H_WWW_AUTHENTICATE;
} else if (challenge->msg_info.msg->line.status.code == PJSIP_SC_PROXY_AUTHENTICATION_REQUIRED) {
search_type = PJSIP_H_PROXY_AUTHENTICATE;
} else {
ast_log(LOG_ERROR,
"Status code %d was received when it should have been 401 or 407.\n",
challenge->msg_info.msg->line.status.code);
return NULL ;
}
return pjsip_msg_find_hdr(challenge->msg_info.msg, search_type, start);
}
static int set_outbound_authentication_credentials(pjsip_auth_clt_sess *auth_sess,
const struct ast_sip_auth_vector *auth_vector, pjsip_rx_data *challenge,
pjsip_www_authenticate_hdr *auth_hdr)
{
size_t auth_size = AST_VECTOR_SIZE(auth_vector);
struct ast_sip_auth **auths = ast_alloca(auth_size * sizeof(*auths));
pjsip_cred_info *auth_creds = ast_alloca(auth_size * sizeof(*auth_creds));
int res = 0;
int i;
if (ast_sip_retrieve_auths(auth_vector, auths)) {
res = -1;
goto cleanup;
}
for (i = 0; i < auth_size; ++i) {
if (ast_strlen_zero(auths[i]->realm)) {
auth_creds[i].realm = auth_hdr->challenge.common.realm;
} else {
pj_cstr(&auth_creds[i].realm, auths[i]->realm);
}
pj_cstr(&auth_creds[i].username, auths[i]->auth_user);
pj_cstr(&auth_creds[i].scheme, "digest");
switch (auths[i]->type) {
case AST_SIP_AUTH_TYPE_USER_PASS:
pj_cstr(&auth_creds[i].data, auths[i]->auth_pass);
auth_creds[i].data_type = PJSIP_CRED_DATA_PLAIN_PASSWD;
break;
case AST_SIP_AUTH_TYPE_MD5:
pj_cstr(&auth_creds[i].data, auths[i]->md5_creds);
auth_creds[i].data_type = PJSIP_CRED_DATA_DIGEST;
break;
case AST_SIP_AUTH_TYPE_GOOGLE_OAUTH:
/* nothing to do. handled seperately in res_pjsip_outbound_registration */
break;
case AST_SIP_AUTH_TYPE_ARTIFICIAL:
ast_log(LOG_ERROR, "Trying to set artificial outbound auth credentials shouldn't happen.\n");
break;
}
}
pjsip_auth_clt_set_credentials(auth_sess, auth_size, auth_creds);
cleanup:
ast_sip_cleanup_auths(auths, auth_size);
return res;
}
static int digest_create_request_with_auth(const struct ast_sip_auth_vector *auths,
pjsip_rx_data *challenge, pjsip_tx_data *old_request, pjsip_tx_data **new_request)
{
pjsip_auth_clt_sess auth_sess;
pjsip_cseq_hdr *cseq;
pj_status_t status;
struct ast_sip_endpoint *endpoint;
char *id = NULL;
const char *id_type;
pjsip_www_authenticate_hdr *auth_hdr;
struct ast_str *realms;
pjsip_dialog *dlg;
dlg = pjsip_rdata_get_dlg(challenge);
if (dlg) {
endpoint = ast_sip_dialog_get_endpoint(dlg);
id = endpoint ? ast_strdupa(ast_sorcery_object_get_id(endpoint)) : NULL;
ao2_cleanup(endpoint);
id_type = "Endpoint";
}
/* If there was no dialog, then this is probably a REGISTER so no endpoint */
if (!id) {
id = ast_alloca(AST_SOCKADDR_BUFLEN);
pj_sockaddr_print(&challenge->pkt_info.src_addr, id, AST_SOCKADDR_BUFLEN, 3);
id_type = "Host";
}
auth_hdr = get_auth_header(challenge, NULL);
if (auth_hdr == NULL) {
ast_log(LOG_ERROR, "%s: '%s': Unable to find authenticate header in challenge.\n",
id_type, id);
return -1;
}
if (pjsip_auth_clt_init(&auth_sess, ast_sip_get_pjsip_endpoint(),
old_request->pool, 0) != PJ_SUCCESS) {
ast_log(LOG_ERROR, "%s: '%s': Failed to initialize client authentication session\n",
id_type, id);
return -1;
}
if (set_outbound_authentication_credentials(&auth_sess, auths, challenge, auth_hdr)) {
ast_log(LOG_WARNING, "%s: '%s': Failed to set authentication credentials\n",
id_type, id);
#if defined(HAVE_PJSIP_AUTH_CLT_DEINIT)
/* In case it is not a noop here in the future. */
pjsip_auth_clt_deinit(&auth_sess);
#endif
return -1;
}
status = pjsip_auth_clt_reinit_req(&auth_sess, challenge, old_request, new_request);
#if defined(HAVE_PJSIP_AUTH_CLT_DEINIT)
/* Release any cached auths */
pjsip_auth_clt_deinit(&auth_sess);
#endif
switch (status) {
case PJ_SUCCESS:
/* PJSIP creates a new transaction for new_request (meaning it creates a new
* branch). However, it recycles the Call-ID, from-tag, and CSeq from the
* original request. Some SIP implementations will not process the new request
* since the CSeq is the same as the original request. Incrementing it here
* fixes the interop issue
*/
cseq = pjsip_msg_find_hdr((*new_request)->msg, PJSIP_H_CSEQ, NULL);
ast_assert(cseq != NULL);
++cseq->cseq;
return 0;
case PJSIP_ENOCREDENTIAL:
realms = ast_str_create(32);
if (realms) {
ast_str_append(&realms, 0, "%.*s", (int)auth_hdr->challenge.common.realm.slen,
auth_hdr->challenge.common.realm.ptr);
while((auth_hdr = get_auth_header(challenge, auth_hdr->next))) {
ast_str_append(&realms, 0, ",%.*s", (int)auth_hdr->challenge.common.realm.slen,
auth_hdr->challenge.common.realm.ptr);
}
}
ast_log(LOG_WARNING,
"%s: '%s': Unable to create request with auth. "
"No auth credentials for realm(s) '%s' in challenge.\n", id_type, id,
realms ? ast_str_buffer(realms) : "<unknown>");
ast_free(realms);
break;
case PJSIP_EAUTHSTALECOUNT:
ast_log(LOG_WARNING,
"%s: '%s': Unable to create request with auth. Number of stale retries exceeded.\n",
id_type, id);
break;
case PJSIP_EFAILEDCREDENTIAL:
ast_log(LOG_WARNING, "%s: '%s': Authentication credentials not accepted by server.\n",
id_type, id);
break;
default:
ast_log(LOG_WARNING, "%s: '%s': Unable to create request with auth. Unknown failure.\n",
id_type, id);
break;
}
return -1;
}
static struct ast_sip_outbound_authenticator digest_authenticator = {
.create_request_with_auth = digest_create_request_with_auth,
};
static int load_module(void)
{
if (ast_sip_register_outbound_authenticator(&digest_authenticator)) {
return AST_MODULE_LOAD_DECLINE;
}
return AST_MODULE_LOAD_SUCCESS;
}
static int unload_module(void)
{
ast_sip_unregister_outbound_authenticator(&digest_authenticator);
return 0;
}
AST_MODULE_INFO(ASTERISK_GPL_KEY, AST_MODFLAG_LOAD_ORDER, "PJSIP authentication resource",
.support_level = AST_MODULE_SUPPORT_CORE,
.load = load_module,
.unload = unload_module,
.load_pri = AST_MODPRI_CHANNEL_DEPEND,
.requires = "res_pjsip",
);
Reference in a new issue View git blame Copy permalink