1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
|
/*
* Asterisk -- An open source telephony toolkit.
*
* Copyright (C) 2013, Digium, Inc.
*
* Mark Michelson <mmichelson@digium.com>
*
* See http://www.asterisk.org for more information about
* the Asterisk project. Please do not directly contact
* any of the maintainers of this project for assistance;
* the project provides a web site, mailing lists and IRC
* channels for your use.
*
* This program is free software, distributed under the terms of
* the GNU General Public License Version 2. See the LICENSE file
* at the top of the source tree.
*/
/*** MODULEINFO
<depend>pjproject</depend>
<depend>res_pjsip</depend>
<support_level>core</support_level>
***/
#include "asterisk.h"
#include <pjsip.h>
#include "asterisk/res_pjsip.h"
#include "asterisk/logger.h"
#include "asterisk/module.h"
#include "asterisk/strings.h"
static pjsip_www_authenticate_hdr *get_auth_header(pjsip_rx_data *challenge,
const void *start)
{
pjsip_hdr_e search_type;
if (challenge->msg_info.msg->line.status.code == PJSIP_SC_UNAUTHORIZED) {
search_type = PJSIP_H_WWW_AUTHENTICATE;
} else if (challenge->msg_info.msg->line.status.code == PJSIP_SC_PROXY_AUTHENTICATION_REQUIRED) {
search_type = PJSIP_H_PROXY_AUTHENTICATE;
} else {
ast_log(LOG_ERROR,
"Status code %d was received when it should have been 401 or 407.\n",
challenge->msg_info.msg->line.status.code);
return NULL ;
}
return pjsip_msg_find_hdr(challenge->msg_info.msg, search_type, start);
}
static int set_outbound_authentication_credentials(pjsip_auth_clt_sess *auth_sess,
const struct ast_sip_auth_vector *auth_vector, pjsip_rx_data *challenge,
pjsip_www_authenticate_hdr *auth_hdr)
{
size_t auth_size = AST_VECTOR_SIZE(auth_vector);
struct ast_sip_auth **auths = ast_alloca(auth_size * sizeof(*auths));
pjsip_cred_info *auth_creds = ast_alloca(auth_size * sizeof(*auth_creds));
int res = 0;
int i;
if (ast_sip_retrieve_auths(auth_vector, auths)) {
res = -1;
goto cleanup;
}
for (i = 0; i < auth_size; ++i) {
if (ast_strlen_zero(auths[i]->realm)) {
auth_creds[i].realm = auth_hdr->challenge.common.realm;
} else {
pj_cstr(&auth_creds[i].realm, auths[i]->realm);
}
pj_cstr(&auth_creds[i].username, auths[i]->auth_user);
pj_cstr(&auth_creds[i].scheme, "digest");
switch (auths[i]->type) {
case AST_SIP_AUTH_TYPE_USER_PASS:
pj_cstr(&auth_creds[i].data, auths[i]->auth_pass);
auth_creds[i].data_type = PJSIP_CRED_DATA_PLAIN_PASSWD;
break;
case AST_SIP_AUTH_TYPE_MD5:
pj_cstr(&auth_creds[i].data, auths[i]->md5_creds);
auth_creds[i].data_type = PJSIP_CRED_DATA_DIGEST;
break;
case AST_SIP_AUTH_TYPE_ARTIFICIAL:
ast_log(LOG_ERROR, "Trying to set artificial outbound auth credentials shouldn't happen.\n");
break;
}
}
pjsip_auth_clt_set_credentials(auth_sess, auth_size, auth_creds);
cleanup:
ast_sip_cleanup_auths(auths, auth_size);
return res;
}
static int digest_create_request_with_auth(const struct ast_sip_auth_vector *auths,
pjsip_rx_data *challenge, pjsip_tx_data *old_request, pjsip_tx_data **new_request)
{
pjsip_auth_clt_sess auth_sess;
pjsip_cseq_hdr *cseq;
pj_status_t status;
struct ast_sip_endpoint *endpoint;
char *id = NULL;
const char *id_type;
pjsip_www_authenticate_hdr *auth_hdr;
struct ast_str *realms;
pjsip_dialog *dlg;
dlg = pjsip_rdata_get_dlg(challenge);
if (dlg) {
endpoint = ast_sip_dialog_get_endpoint(dlg);
id = endpoint ? ast_strdupa(ast_sorcery_object_get_id(endpoint)) : NULL;
ao2_cleanup(endpoint);
id_type = "Endpoint";
}
/* If there was no dialog, then this is probably a REGISTER so no endpoint */
if (!id) {
id = ast_alloca(strlen(challenge->pkt_info.src_name) + 7 /* ':' + port + NULL */);
sprintf(id, "%s:%d", challenge->pkt_info.src_name, challenge->pkt_info.src_port);
id_type = "Host";
}
auth_hdr = get_auth_header(challenge, NULL);
if (auth_hdr == NULL) {
ast_log(LOG_ERROR, "%s: '%s': Unable to find authenticate header in challenge.\n",
id_type, id);
return -1;
}
if (pjsip_auth_clt_init(&auth_sess, ast_sip_get_pjsip_endpoint(),
old_request->pool, 0) != PJ_SUCCESS) {
ast_log(LOG_ERROR, "%s: '%s': Failed to initialize client authentication session\n",
id_type, id);
return -1;
}
if (set_outbound_authentication_credentials(&auth_sess, auths, challenge, auth_hdr)) {
ast_log(LOG_WARNING, "%s: '%s': Failed to set authentication credentials\n",
id_type, id);
#if defined(HAVE_PJSIP_AUTH_CLT_DEINIT)
/* In case it is not a noop here in the future. */
pjsip_auth_clt_deinit(&auth_sess);
#endif
return -1;
}
status = pjsip_auth_clt_reinit_req(&auth_sess, challenge, old_request, new_request);
#if defined(HAVE_PJSIP_AUTH_CLT_DEINIT)
/* Release any cached auths */
pjsip_auth_clt_deinit(&auth_sess);
#endif
switch (status) {
case PJ_SUCCESS:
/* PJSIP creates a new transaction for new_request (meaning it creates a new
* branch). However, it recycles the Call-ID, from-tag, and CSeq from the
* original request. Some SIP implementations will not process the new request
* since the CSeq is the same as the original request. Incrementing it here
* fixes the interop issue
*/
cseq = pjsip_msg_find_hdr((*new_request)->msg, PJSIP_H_CSEQ, NULL);
ast_assert(cseq != NULL);
++cseq->cseq;
return 0;
case PJSIP_ENOCREDENTIAL:
realms = ast_str_create(32);
if (realms) {
ast_str_append(&realms, 0, "%.*s", (int)auth_hdr->challenge.common.realm.slen,
auth_hdr->challenge.common.realm.ptr);
while((auth_hdr = get_auth_header(challenge, auth_hdr->next))) {
ast_str_append(&realms, 0, ",%.*s", (int)auth_hdr->challenge.common.realm.slen,
auth_hdr->challenge.common.realm.ptr);
}
}
ast_log(LOG_WARNING,
"%s: '%s': Unable to create request with auth. "
"No auth credentials for realm(s) '%s' in challenge.\n", id_type, id,
realms ? ast_str_buffer(realms) : "<unknown>");
ast_free(realms);
break;
case PJSIP_EAUTHSTALECOUNT:
ast_log(LOG_WARNING,
"%s: '%s': Unable to create request with auth. Number of stale retries exceeded.\n",
id_type, id);
break;
case PJSIP_EFAILEDCREDENTIAL:
ast_log(LOG_WARNING, "%s: '%s': Authentication credentials not accepted by server.\n",
id_type, id);
break;
default:
ast_log(LOG_WARNING, "%s: '%s': Unable to create request with auth. Unknown failure.\n",
id_type, id);
break;
}
return -1;
}
static struct ast_sip_outbound_authenticator digest_authenticator = {
.create_request_with_auth = digest_create_request_with_auth,
};
static int load_module(void)
{
if (ast_sip_register_outbound_authenticator(&digest_authenticator)) {
return AST_MODULE_LOAD_DECLINE;
}
return AST_MODULE_LOAD_SUCCESS;
}
static int unload_module(void)
{
ast_sip_unregister_outbound_authenticator(&digest_authenticator);
return 0;
}
AST_MODULE_INFO(ASTERISK_GPL_KEY, AST_MODFLAG_LOAD_ORDER, "PJSIP authentication resource",
.support_level = AST_MODULE_SUPPORT_CORE,
.load = load_module,
.unload = unload_module,
.load_pri = AST_MODPRI_CHANNEL_DEPEND,
.requires = "res_pjsip",
);
|
