From 3c645e8520794b8ba7644897a07c2db4e238bf24 Mon Sep 17 00:00:00 2001 From: Jonathan Rose Date: Thu, 7 Nov 2013 23:42:31 +0000 Subject: PJSIP: Improve error handling in digest authenticator Previously, regardless of whether failure to authenticate was due to lacking any authentication or actually failing authentication, the Digest Authenticator would simply return that a challenge was still needed. It will continue to do that when no authentication information is in the received SIP digest, but when authentication information is present and does not pass authentication, that will be treated as an authentication error. This is to ensure that PJSIP will issue security events indicated failed auths. ........ Merged revisions 402537 from http://svn.asterisk.org/svn/asterisk/branches/12 git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@402538 65c4cc65-6c06-0410-ace0-fbb531ad65f3 --- res/res_pjsip_authenticator_digest.c | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/res/res_pjsip_authenticator_digest.c b/res/res_pjsip_authenticator_digest.c index cc312b1e0..30da26cfd 100644 --- a/res/res_pjsip_authenticator_digest.c +++ b/res/res_pjsip_authenticator_digest.c @@ -290,6 +290,8 @@ enum digest_verify_result { AUTH_SUCCESS, /*! Authentication credentials correct but nonce mismatch */ AUTH_STALE, + /*! Authentication credentials were not provided */ + AUTH_NOAUTH, }; /*! @@ -330,6 +332,11 @@ static int verify(struct ast_sip_auth *auth, pjsip_rx_data *rdata, pj_pool_t *po return AUTH_SUCCESS; } } + + if (authed == PJSIP_EAUTHNOAUTH) { + return AUTH_NOAUTH; + } + return AUTH_FAIL; } @@ -376,6 +383,7 @@ static enum ast_sip_check_auth_result digest_check_auth(struct ast_sip_endpoint enum digest_verify_result *verify_res; enum ast_sip_check_auth_result res; int i; + int failures = 0; RAII_VAR(struct ast_sip_endpoint *, artificial_endpoint, ast_sip_get_artificial_endpoint(), ao2_cleanup); @@ -403,13 +411,20 @@ static enum ast_sip_check_auth_result digest_check_auth(struct ast_sip_endpoint res = AST_SIP_AUTHENTICATION_SUCCESS; goto cleanup; } + if (verify_res[i] == AUTH_FAIL) { + failures++; + } } for (i = 0; i < endpoint->inbound_auths.num; ++i) { challenge(auths[i]->realm, tdata, rdata, verify_res[i] == AUTH_STALE); } - res = AST_SIP_AUTHENTICATION_CHALLENGE; + if (failures == endpoint->inbound_auths.num) { + res = AST_SIP_AUTHENTICATION_FAILED; + } else { + res = AST_SIP_AUTHENTICATION_CHALLENGE; + } cleanup: ast_sip_cleanup_auths(auths, endpoint->inbound_auths.num); -- cgit v1.2.3