229 lines
6.9 KiB
C
229 lines
6.9 KiB
C
/*
|
|
* Asterisk -- An open source telephony toolkit.
|
|
*
|
|
* Copyright (C) 2013, Digium, Inc.
|
|
*
|
|
* Mark Michelson <mmichelson@digium.com>
|
|
*
|
|
* See http://www.asterisk.org for more information about
|
|
* the Asterisk project. Please do not directly contact
|
|
* any of the maintainers of this project for assistance;
|
|
* the project provides a web site, mailing lists and IRC
|
|
* channels for your use.
|
|
*
|
|
* This program is free software, distributed under the terms of
|
|
* the GNU General Public License Version 2. See the LICENSE file
|
|
* at the top of the source tree.
|
|
*/
|
|
|
|
/*** MODULEINFO
|
|
<depend>pjproject</depend>
|
|
<depend>res_pjsip</depend>
|
|
<support_level>core</support_level>
|
|
***/
|
|
|
|
#include "asterisk.h"
|
|
|
|
#include <pjsip.h>
|
|
|
|
#include "asterisk/res_pjsip.h"
|
|
#include "asterisk/logger.h"
|
|
#include "asterisk/module.h"
|
|
#include "asterisk/strings.h"
|
|
|
|
static pjsip_www_authenticate_hdr *get_auth_header(pjsip_rx_data *challenge,
|
|
const void *start)
|
|
{
|
|
pjsip_hdr_e search_type;
|
|
|
|
if (challenge->msg_info.msg->line.status.code == PJSIP_SC_UNAUTHORIZED) {
|
|
search_type = PJSIP_H_WWW_AUTHENTICATE;
|
|
} else if (challenge->msg_info.msg->line.status.code == PJSIP_SC_PROXY_AUTHENTICATION_REQUIRED) {
|
|
search_type = PJSIP_H_PROXY_AUTHENTICATE;
|
|
} else {
|
|
ast_log(LOG_ERROR,
|
|
"Status code %d was received when it should have been 401 or 407.\n",
|
|
challenge->msg_info.msg->line.status.code);
|
|
return NULL ;
|
|
}
|
|
|
|
return pjsip_msg_find_hdr(challenge->msg_info.msg, search_type, start);
|
|
|
|
}
|
|
|
|
static int set_outbound_authentication_credentials(pjsip_auth_clt_sess *auth_sess,
|
|
const struct ast_sip_auth_vector *auth_vector, pjsip_rx_data *challenge,
|
|
pjsip_www_authenticate_hdr *auth_hdr)
|
|
{
|
|
size_t auth_size = AST_VECTOR_SIZE(auth_vector);
|
|
struct ast_sip_auth **auths = ast_alloca(auth_size * sizeof(*auths));
|
|
pjsip_cred_info *auth_creds = ast_alloca(auth_size * sizeof(*auth_creds));
|
|
int res = 0;
|
|
int i;
|
|
|
|
if (ast_sip_retrieve_auths(auth_vector, auths)) {
|
|
res = -1;
|
|
goto cleanup;
|
|
}
|
|
|
|
for (i = 0; i < auth_size; ++i) {
|
|
if (ast_strlen_zero(auths[i]->realm)) {
|
|
auth_creds[i].realm = auth_hdr->challenge.common.realm;
|
|
} else {
|
|
pj_cstr(&auth_creds[i].realm, auths[i]->realm);
|
|
}
|
|
pj_cstr(&auth_creds[i].username, auths[i]->auth_user);
|
|
pj_cstr(&auth_creds[i].scheme, "digest");
|
|
switch (auths[i]->type) {
|
|
case AST_SIP_AUTH_TYPE_USER_PASS:
|
|
pj_cstr(&auth_creds[i].data, auths[i]->auth_pass);
|
|
auth_creds[i].data_type = PJSIP_CRED_DATA_PLAIN_PASSWD;
|
|
break;
|
|
case AST_SIP_AUTH_TYPE_MD5:
|
|
pj_cstr(&auth_creds[i].data, auths[i]->md5_creds);
|
|
auth_creds[i].data_type = PJSIP_CRED_DATA_DIGEST;
|
|
break;
|
|
case AST_SIP_AUTH_TYPE_ARTIFICIAL:
|
|
ast_log(LOG_ERROR, "Trying to set artificial outbound auth credentials shouldn't happen.\n");
|
|
break;
|
|
}
|
|
}
|
|
|
|
pjsip_auth_clt_set_credentials(auth_sess, auth_size, auth_creds);
|
|
|
|
cleanup:
|
|
ast_sip_cleanup_auths(auths, auth_size);
|
|
return res;
|
|
}
|
|
|
|
static int digest_create_request_with_auth(const struct ast_sip_auth_vector *auths,
|
|
pjsip_rx_data *challenge, pjsip_tx_data *old_request, pjsip_tx_data **new_request)
|
|
{
|
|
pjsip_auth_clt_sess auth_sess;
|
|
pjsip_cseq_hdr *cseq;
|
|
pj_status_t status;
|
|
struct ast_sip_endpoint *endpoint;
|
|
char *id = NULL;
|
|
const char *id_type;
|
|
pjsip_www_authenticate_hdr *auth_hdr;
|
|
struct ast_str *realms;
|
|
pjsip_dialog *dlg;
|
|
|
|
dlg = pjsip_rdata_get_dlg(challenge);
|
|
if (dlg) {
|
|
endpoint = ast_sip_dialog_get_endpoint(dlg);
|
|
id = endpoint ? ast_strdupa(ast_sorcery_object_get_id(endpoint)) : NULL;
|
|
ao2_cleanup(endpoint);
|
|
id_type = "Endpoint";
|
|
}
|
|
/* If there was no dialog, then this is probably a REGISTER so no endpoint */
|
|
if (!id) {
|
|
id = ast_alloca(strlen(challenge->pkt_info.src_name) + 7 /* ':' + port + NULL */);
|
|
sprintf(id, "%s:%d", challenge->pkt_info.src_name, challenge->pkt_info.src_port);
|
|
id_type = "Host";
|
|
}
|
|
|
|
auth_hdr = get_auth_header(challenge, NULL);
|
|
if (auth_hdr == NULL) {
|
|
ast_log(LOG_ERROR, "%s: '%s': Unable to find authenticate header in challenge.\n",
|
|
id_type, id);
|
|
return -1;
|
|
}
|
|
|
|
if (pjsip_auth_clt_init(&auth_sess, ast_sip_get_pjsip_endpoint(),
|
|
old_request->pool, 0) != PJ_SUCCESS) {
|
|
ast_log(LOG_ERROR, "%s: '%s': Failed to initialize client authentication session\n",
|
|
id_type, id);
|
|
return -1;
|
|
}
|
|
|
|
if (set_outbound_authentication_credentials(&auth_sess, auths, challenge, auth_hdr)) {
|
|
ast_log(LOG_WARNING, "%s: '%s': Failed to set authentication credentials\n",
|
|
id_type, id);
|
|
#if defined(HAVE_PJSIP_AUTH_CLT_DEINIT)
|
|
/* In case it is not a noop here in the future. */
|
|
pjsip_auth_clt_deinit(&auth_sess);
|
|
#endif
|
|
return -1;
|
|
}
|
|
|
|
status = pjsip_auth_clt_reinit_req(&auth_sess, challenge, old_request, new_request);
|
|
#if defined(HAVE_PJSIP_AUTH_CLT_DEINIT)
|
|
/* Release any cached auths */
|
|
pjsip_auth_clt_deinit(&auth_sess);
|
|
#endif
|
|
|
|
switch (status) {
|
|
case PJ_SUCCESS:
|
|
/* PJSIP creates a new transaction for new_request (meaning it creates a new
|
|
* branch). However, it recycles the Call-ID, from-tag, and CSeq from the
|
|
* original request. Some SIP implementations will not process the new request
|
|
* since the CSeq is the same as the original request. Incrementing it here
|
|
* fixes the interop issue
|
|
*/
|
|
cseq = pjsip_msg_find_hdr((*new_request)->msg, PJSIP_H_CSEQ, NULL);
|
|
ast_assert(cseq != NULL);
|
|
++cseq->cseq;
|
|
return 0;
|
|
case PJSIP_ENOCREDENTIAL:
|
|
realms = ast_str_create(32);
|
|
if (realms) {
|
|
ast_str_append(&realms, 0, "%.*s", (int)auth_hdr->challenge.common.realm.slen,
|
|
auth_hdr->challenge.common.realm.ptr);
|
|
while((auth_hdr = get_auth_header(challenge, auth_hdr->next))) {
|
|
ast_str_append(&realms, 0, ",%.*s", (int)auth_hdr->challenge.common.realm.slen,
|
|
auth_hdr->challenge.common.realm.ptr);
|
|
}
|
|
}
|
|
ast_log(LOG_WARNING,
|
|
"%s: '%s': Unable to create request with auth. "
|
|
"No auth credentials for realm(s) '%s' in challenge.\n", id_type, id,
|
|
realms ? ast_str_buffer(realms) : "<unknown>");
|
|
ast_free(realms);
|
|
break;
|
|
case PJSIP_EAUTHSTALECOUNT:
|
|
ast_log(LOG_WARNING,
|
|
"%s: '%s': Unable to create request with auth. Number of stale retries exceeded.\n",
|
|
id_type, id);
|
|
break;
|
|
case PJSIP_EFAILEDCREDENTIAL:
|
|
ast_log(LOG_WARNING, "%s: '%s': Authentication credentials not accepted by server.\n",
|
|
id_type, id);
|
|
break;
|
|
default:
|
|
ast_log(LOG_WARNING, "%s: '%s': Unable to create request with auth. Unknown failure.\n",
|
|
id_type, id);
|
|
break;
|
|
}
|
|
|
|
return -1;
|
|
}
|
|
|
|
static struct ast_sip_outbound_authenticator digest_authenticator = {
|
|
.create_request_with_auth = digest_create_request_with_auth,
|
|
};
|
|
|
|
static int load_module(void)
|
|
{
|
|
CHECK_PJSIP_MODULE_LOADED();
|
|
|
|
if (ast_sip_register_outbound_authenticator(&digest_authenticator)) {
|
|
return AST_MODULE_LOAD_DECLINE;
|
|
}
|
|
return AST_MODULE_LOAD_SUCCESS;
|
|
}
|
|
|
|
static int unload_module(void)
|
|
{
|
|
ast_sip_unregister_outbound_authenticator(&digest_authenticator);
|
|
return 0;
|
|
}
|
|
|
|
AST_MODULE_INFO(ASTERISK_GPL_KEY, AST_MODFLAG_LOAD_ORDER, "PJSIP authentication resource",
|
|
.support_level = AST_MODULE_SUPPORT_CORE,
|
|
.load = load_module,
|
|
.unload = unload_module,
|
|
.load_pri = AST_MODPRI_CHANNEL_DEPEND,
|
|
.requires = "res_pjsip",
|
|
);
|