Ticket #287: selectively disable authentication for several STUN error responses
git-svn-id: https://svn.pjsip.org/repos/pjproject/trunk@1290 74dad513-b988-da41-8d7b-12977e46ad98
parent
eb92128714
commit
edd4ffa870
@ -294,6 +294,19 @@ PJ_DECL(pj_status_t) pj_stun_authenticate_request(const pj_uint8_t *pkt,
|
||||||
pj_stun_msg **p_response);
|
pj_stun_msg **p_response);
|
||||||
|
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Determine if STUN message can be authenticated. Some STUN error
|
||||||
|
* responses cannot be authenticated since they cannot contain STUN
|
||||||
|
* MESSAGE-INTEGRITY attribute. STUN Indication messages also cannot
|
||||||
|
* be authenticated.
|
||||||
|
*
|
||||||
|
* @param msg The STUN message.
|
||||||
|
*
|
||||||
|
* @return Non-zero if the STUN message can be authenticated.
|
||||||
|
*/
|
||||||
|
PJ_DECL(pj_bool_t) pj_stun_auth_valid_for_msg(const pj_stun_msg *msg);
|
||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Verify credential in the STUN response. Note that before calling this
|
* Verify credential in the STUN response. Note that before calling this
|
||||||
* function, application must have checked that the message contains
|
* function, application must have checked that the message contains
|
||||||
|
|
|
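Review bot: The header comment on `pj_stun_auth_valid_for_msg` does not say that the verdict for an error response is taken from the message's own ERROR-CODE attribute, which for an incoming packet is unauthenticated data, nor what a zero result means to the caller. I would extend the @return text with `Non-zero if the message can carry MESSAGE-INTEGRITY and must be authenticated; zero means the message cannot be verified at all, so callers must treat it as unauthenticated (at most a hint to retry with credentials), never as a verified result.` A sentence noting that an error response with no ERROR-CODE attribute is reported as authenticatable (so it fails closed) would also help, since that choice is made in the .c file and is not visible from the header.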
@ -21,8 +21,10 @@
|
||||||
#include <pjlib-util/hmac_sha1.h>
|
#include <pjlib-util/hmac_sha1.h>
|
||||||
#include <pjlib-util/sha1.h>
|
#include <pjlib-util/sha1.h>
|
||||||
#include <pj/assert.h>
|
#include <pj/assert.h>
|
||||||
|
#include <pj/log.h>
|
||||||
#include <pj/string.h>
|
#include <pj/string.h>
|
||||||
|
|
||||||
|
#define THIS_FILE "stun_auth.c"
|
||||||
|
|
||||||
/* Duplicate credential */
|
/* Duplicate credential */
|
||||||
PJ_DEF(void) pj_stun_auth_cred_dup( pj_pool_t *pool,
|
PJ_DEF(void) pj_stun_auth_cred_dup( pj_pool_t *pool,
|
||||||
|
@ -348,6 +350,47 @@ PJ_DEF(pj_status_t) pj_stun_authenticate_request(const pj_uint8_t *pkt,
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
/* Determine if STUN message can be authenticated */
|
||||||
|
PJ_DEF(pj_bool_t) pj_stun_auth_valid_for_msg(const pj_stun_msg *msg)
|
||||||
|
{
|
||||||
|
unsigned msg_type = msg->hdr.type;
|
||||||
|
const pj_stun_errcode_attr *err_attr;
|
||||||
|
|
||||||
|
/* STUN requests and success response can be authenticated */
|
||||||
|
if (!PJ_STUN_IS_ERROR_RESPONSE(msg_type) &&
|
||||||
|
!PJ_STUN_IS_INDICATION(msg_type))
|
||||||
|
{
|
||||||
|
return PJ_TRUE;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* STUN Indication cannot be authenticated */
|
||||||
|
if (PJ_STUN_IS_INDICATION(msg_type))
|
||||||
|
return PJ_FALSE;
|
||||||
|
|
||||||
|
/* Authentication for STUN error responses depend on the error
|
||||||
|
* code.
|
||||||
|
*/
|
||||||
|
err_attr = (const pj_stun_errcode_attr*)
|
||||||
|
pj_stun_msg_find_attr(msg, PJ_STUN_ATTR_ERROR_CODE, 0);
|
||||||
|
if (err_attr == NULL) {
|
||||||
|
PJ_LOG(4,(THIS_FILE, "STUN error code attribute not present in "
|
||||||
|
"error response"));
|
||||||
|
return PJ_TRUE;
|
||||||
|
}
|
||||||
|
|
||||||
|
switch (err_attr->err_code) {
|
||||||
|
case PJ_STUN_SC_UNAUTHORIZED:
|
||||||
|
case PJ_STUN_SC_MISSING_USERNAME:
|
||||||
|
case PJ_STUN_SC_MISSING_REALM:
|
||||||
|
case PJ_STUN_SC_UNKNOWN_USERNAME:
|
||||||
|
case PJ_STUN_SC_INTEGRITY_CHECK_FAILURE:
|
||||||
|
return PJ_FALSE;
|
||||||
|
default:
|
||||||
|
return PJ_TRUE;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
/* Authenticate MESSAGE-INTEGRITY in the response */
|
/* Authenticate MESSAGE-INTEGRITY in the response */
|
||||||
PJ_DEF(pj_status_t) pj_stun_authenticate_response(const pj_uint8_t *pkt,
|
PJ_DEF(pj_status_t) pj_stun_authenticate_response(const pj_uint8_t *pkt,
|
||||||
unsigned pkt_len,
|
unsigned pkt_len,
|
||||||
|
|
|
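Review bot: The switch at the end of `pj_stun_auth_valid_for_msg` does not list PJ_STUN_SC_BAD_REQUEST, although the 3489bis text this code tracks has a server answer a request with missing credentials with a 400 that carries no MESSAGE-INTEGRITY, so a legitimate 400 would now be routed into `pj_stun_authenticate_response` and fail; the same probably applies to stale-nonce and missing-nonce responses if PJ_STUN_SC_* codes for them exist at this revision. I would add `case PJ_STUN_SC_BAD_REQUEST:` (and the nonce-related codes once confirmed against the spec draft in use) to the PJ_FALSE group. The two leading `if` statements can be simplified to `if (PJ_STUN_IS_INDICATION(msg_type)) return PJ_FALSE;` followed by `if (!PJ_STUN_IS_ERROR_RESPONSE(msg_type)) return PJ_TRUE;`, which makes the rest of the function visibly error-response-only. If the other public entry points in this file guard their arguments with PJ_ASSERT_RETURN, a `PJ_ASSERT_RETURN(msg != NULL, PJ_FALSE);` before the `msg->hdr.type` read would be consistent with them.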
@ -267,8 +267,7 @@ static pj_status_t apply_msg_options(pj_stun_session *sess,
|
||||||
&sess->srv_name);
|
&sess->srv_name);
|
||||||
}
|
}
|
||||||
|
|
||||||
need_auth = PJ_STUN_IS_REQUEST(msg->hdr.type) ||
|
need_auth = pj_stun_auth_valid_for_msg(msg);
|
||||||
PJ_STUN_IS_SUCCESS_RESPONSE(msg->hdr.type);
|
|
||||||
|
|
||||||
if (sess->cred && sess->cred->type == PJ_STUN_AUTH_CRED_STATIC &&
|
if (sess->cred && sess->cred->type == PJ_STUN_AUTH_CRED_STATIC &&
|
||||||
need_auth)
|
need_auth)
|
||||||
|
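Review bot: `need_auth` now also becomes true for every outgoing error response whose code is not in the PJ_FALSE list (for example a 400 or a 500), so with a static credential those responses will be signed, whereas the removed condition signed only requests and success responses. If that widening is intended it deserves a comment on this line, e.g. `/* Sign everything that can carry MESSAGE-INTEGRITY; error responses that cannot be authenticated are excluded by pj_stun_auth_valid_for_msg() */`, because the same predicate now decides signing here and verification in on_incoming_response(), and a later edit to one use silently changes the other. apply_msg_options() starts and ends outside this hunk.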
@ -843,7 +842,8 @@ static pj_status_t on_incoming_response(pj_stun_session *sess,
|
||||||
/* Authenticate the message, unless PJ_STUN_NO_AUTHENTICATE
|
/* Authenticate the message, unless PJ_STUN_NO_AUTHENTICATE
|
||||||
* is specified in the option.
|
* is specified in the option.
|
||||||
*/
|
*/
|
||||||
if ((options & PJ_STUN_NO_AUTHENTICATE) == 0 && tdata->auth_key.slen != 0)
|
if ((options & PJ_STUN_NO_AUTHENTICATE) == 0 && tdata->auth_key.slen != 0
|
||||||
|
&& pj_stun_auth_valid_for_msg(msg))
|
||||||
{
|
{
|
||||||
status = pj_stun_authenticate_response(pkt, pkt_len, msg,
|
status = pj_stun_authenticate_response(pkt, pkt_len, msg,
|
||||||
&tdata->auth_key);
|
&tdata->auth_key);
|
||||||
|
|
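Review bot: The added `&& pj_stun_auth_valid_for_msg(msg)` condition skips MESSAGE-INTEGRITY verification based on the ERROR-CODE value carried inside the very response being exempted, so a response that matches the transaction ID and bears one of the listed codes (PJ_STUN_SC_UNAUTHORIZED, PJ_STUN_SC_MISSING_USERNAME, PJ_STUN_SC_MISSING_REALM, PJ_STUN_SC_UNKNOWN_USERNAME, PJ_STUN_SC_INTEGRITY_CHECK_FAILURE) is accepted with no cryptographic check and the transaction ID is the only binding left. That is what the 3489bis design allows for these codes, but the session must then treat such a response as unauthenticated — at most a prompt to retry with credentials — and must not report it as a verified failure; whether the code that follows does so is outside this hunk (on_incoming_response continues past it). I would add a comment above the `if`, `/* Error responses that cannot carry MESSAGE-INTEGRITY are accepted on transaction ID alone; treat them as hints, not verified results. */`, and emit a PJ_LOG line at debug level when verification is skipped for an error response, so that an unexpected volume of such responses is visible in the logs.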