From 204845843e66820f3d1bc9ba038869eec876d27a Mon Sep 17 00:00:00 2001 From: Olle Johansson Date: Mon, 3 Nov 2008 15:16:33 +0000 Subject: Adding a separation of remote authentication and our authentication. remotesecret => our password for a remote service secret => our authentication when someone calls us Secret => still has both functions if remotesecret is not used. git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@153904 65c4cc65-6c06-0410-ace0-fbb531ad65f3 --- CHANGES | 4 ++++ channels/chan_sip.c | 21 +++++++++++++++------ configs/sip.conf.sample | 6 ++++-- 3 files changed, 23 insertions(+), 8 deletions(-) diff --git a/CHANGES b/CHANGES index d508c3f69..623bd9eb3 100644 --- a/CHANGES +++ b/CHANGES @@ -11,6 +11,10 @@ SIP Changes making the new/old message count available to local devices. * Added support for setting the domain in the URI for caller of an outbound call by using the SIPFROMDOMAIN channel variable. + * Added a new configuration option "remotesecret" for authentication to + remote services. For backwards compatibility, "secret" still has the + same function as before, but now you can configure both a remote secret and a + local secret for mutual authentication. Skinny Changes -------------- diff --git a/channels/chan_sip.c b/channels/chan_sip.c index 0177fbbca..1b21a419b 100644 --- a/channels/chan_sip.c +++ b/channels/chan_sip.c 
@@ -1751,14 +1751,17 @@ struct sip_mailbox { AST_LIST_ENTRY(sip_mailbox) entry; }; -/*! \brief Structure for SIP peer data, we place calls to peers if registered or fixed IP address (host) */ +/*! \brief Structure for SIP peer data, we place calls to peers if registered or fixed IP address (host) + \note This structure needs stringfields! Please! +*/ /* XXX field 'name' must be first otherwise sip_addrcmp() will fail */ struct sip_peer { char name[80]; /*!< peer->name is the unique name of this object */ struct sip_socket socket; /*!< Socket used for this peer */ unsigned int transports:3; /*!< Transports (enum sip_transport) that are acceptable for this peer */ - char secret[80]; /*!< Password */ + char secret[80]; /*!< Password for inbound auth */ char md5secret[80]; /*!< Password in MD5 */ + char remotesecret[80]; /*!< Remote secret (trunks, remote devices) */ struct sip_auth *auth; /*!< Realm authentication list */ char context[AST_MAX_CONTEXT]; /*!< Default context for incoming calls */ char subscribecontext[AST_MAX_CONTEXT]; /*!< Default context for subscriptions */ @@ -10420,8 +10423,9 @@ static int transmit_register(struct sip_registry *r, int sipmethod, const char * ast_set_flag(&p->flags[0], SIP_OUTGOING); /* Registration is outgoing call */ r->call = dialog_ref(p, "copying dialog into registry r->call"); /* Save pointer to SIP dialog */ p->registry = registry_addref(r, "transmit_register: addref to p->registry in transmit_register"); /* Add pointer to registry in packet */ - if (!ast_strlen_zero(r->secret)) /* Secret (password) */ + if (!ast_strlen_zero(r->secret)) { /* Secret (password) */ ast_string_field_set(p, peersecret, r->secret); + } if (!ast_strlen_zero(r->md5secret)) ast_string_field_set(p, peermd5secret, r->md5secret); /* User name in this realm 
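Review bot: The new doc comment on `secret` in the struct sip_peer hunk, `Password for inbound auth`, understates the field's role, because the commit message keeps `secret` as the outbound password whenever `remotesecret` is not configured; suggest `/*!< Password for inbound auth (also used outbound when remotesecret is unset) */`. The `remotesecret` comment should likewise name the direction it applies to, e.g. `/*!< Password we present when authenticating to a remote service (trunks, remote devices) */`, so a reader does not assume it replaces `secret` in both directions. `struct sip_peer` continues past the end of this hunk.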
@@ -13899,6 +13903,7 @@ static char *_sip_show_peer(int type, int fd, struct mansession *s, const struct } ast_cli(fd, " Secret : %s\n", ast_strlen_zero(peer->secret)?"":""); ast_cli(fd, " MD5Secret : %s\n", ast_strlen_zero(peer->md5secret)?"":""); + ast_cli(fd, " Remote Secret: %s\n", ast_strlen_zero(peer->remotesecret)?"":""); for (auth = peer->auth; auth; auth = auth->next) { ast_cli(fd, " Realm-auth : Realm %-15.15s User %-10.20s ", auth->realm, auth->username); ast_cli(fd, "%s\n", !ast_strlen_zero(auth->secret)?"":(!ast_strlen_zero(auth->md5secret)?"" : "")); @@ -14011,6 +14016,7 @@ static char *_sip_show_peer(int type, int fd, struct mansession *s, const struct astman_append(s, "ObjectName: %s\r\n", peer->name); astman_append(s, "ChanObjectType: peer\r\n"); astman_append(s, "SecretExist: %s\r\n", ast_strlen_zero(peer->secret)?"N":"Y"); + astman_append(s, "RemoteSecretExist: %s\r\n", ast_strlen_zero(peer->remotesecret)?"N":"Y"); astman_append(s, "MD5SecretExist: %s\r\n", ast_strlen_zero(peer->md5secret)?"N":"Y"); astman_append(s, "Context: %s\r\n", peer->context); astman_append(s, "Language: %s\r\n", peer->language); @@ -21695,6 +21701,7 @@ static void set_peer_defaults(struct sip_peer *peer) peer->call_limit=999; strcpy(peer->vmexten, default_vmexten); peer->secret[0] = '\0'; + peer->remotesecret[0] = '\0'; peer->md5secret[0] = '\0'; peer->cid_num[0] = '\0'; peer->cid_name[0] = '\0'; 
@@ -21866,9 +21873,11 @@ static struct sip_peer *build_peer(const char *name, struct ast_variable *v, str } else if (!strcasecmp(v->name, "type")) { if (!strcasecmp(v->value, "peer")) peer->onlymatchonip = TRUE; /* For realtime support, add type=peer in the table */ - } else if (!strcasecmp(v->name, "secret")) + } else if (!strcasecmp(v->name, "remotesecret")) { + ast_copy_string(peer->remotesecret, v->value, sizeof(peer->remotesecret)); + } else if (!strcasecmp(v->name, "secret")) { ast_copy_string(peer->secret, v->value, sizeof(peer->secret)); - else if (!strcasecmp(v->name, "md5secret")) + } else if (!strcasecmp(v->name, "md5secret")) ast_copy_string(peer->md5secret, v->value, sizeof(peer->md5secret)); else if (!strcasecmp(v->name, "auth")) peer->auth = add_realm_authentication(peer->auth, v->value, v->lineno); @@ -22205,7 +22214,7 @@ static struct sip_peer *build_peer(const char *name, struct ast_variable *v, str if (!ast_strlen_zero(callback)) { /* build string from peer info */ char *reg_string; - if (asprintf(®_string, "%s:%s@%s/%s", peer->username, peer->secret, peer->tohost, callback) < 0) { + if (asprintf(®_string, "%s:%s@%s/%s", peer->username, peer->remotesecret ? peer->remotesecret : peer->secret, peer->tohost, callback) < 0) { ast_log(LOG_WARNING, "asprintf() failed: %s\n", strerror(errno)); } else if (reg_string) { sip_register(reg_string, 0); /* XXX TODO: count in registry_count */ diff --git a/configs/sip.conf.sample b/configs/sip.conf.sample index e10fa0fe5..8050b9d25 100644 --- a/configs/sip.conf.sample +++ b/configs/sip.conf.sample @@ -712,6 +712,7 @@ srvlookup=yes ; Enable DNS SRV lookups on outbound calls ; callingpres callingpres ; permit permit ; deny deny +; remotesecret ; secret secret ; md5secret md5secret ; transport transport 
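Review bot: In the `@@ -22205` hunk of build_peer the fallback `peer->remotesecret ? peer->remotesecret : peer->secret` never falls back, because `remotesecret` is a `char [80]` array (see the struct hunk) and so is never NULL; a peer configured with only `secret` and `callbackextension` now registers with an empty password, which breaks the backwards compatibility the commit message promises. The test should be on content, not address: `peer->username, !ast_strlen_zero(peer->remotesecret) ? peer->remotesecret : peer->secret, peer->tohost, callback`. In the `@@ -21866` hunk the `secret` and `remotesecret` branches gained braces but the `md5secret` branch directly below them still has none; bracing it too would keep the chain consistent. This registration string is the only place in the commit where `remotesecret` is consumed; whether the outbound INVITE authentication path also prefers it over `secret` is decided outside these hunks and should be checked. build_peer begins and ends outside both hunks.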
@@ -782,7 +783,7 @@ srvlookup=yes ; Enable DNS SRV lookups on outbound calls ;[sip_proxy-out] ;type=peer ; we only want to call out, not be called -;secret=guessit +;remotesecret=guessit ; Our password to their service ;defaultuser=yourusername ; Authentication user for outbound proxies ;fromuser=yourusername ; Many SIP providers require this! ;fromdomain=provider.sip.domain @@ -802,7 +803,8 @@ srvlookup=yes ; Enable DNS SRV lookups on outbound calls ;type=peer ;host=sip.provider1.com ;fromuser=4015552299 ; how your provider knows you -;secret=youwillneverguessit +;remotesecret=youwillneverguessit ; The password we use to authenticate to them +;secret=gissadetdu ; The password they use to contact us ;callbackextension=123 ; Register with this server and require calls coming back to this extension ;transport=udp,tcp ; This sets the transport type to udp for outgoing, and will ; ; accept both tcp and udp. Default is udp. The first transport -- cgit v1.2.3