[asterisk/asterisk.git] / res / res_pjsip_outbound_authenticator_digest.c
1 /*
2  * Asterisk -- An open source telephony toolkit.
3  *
4  * Copyright (C) 2013, Digium, Inc.
5  *
6  * Mark Michelson <mmichelson@digium.com>
7  *
8  * See http://www.asterisk.org for more information about
9  * the Asterisk project. Please do not directly contact
10  * any of the maintainers of this project for assistance;
11  * the project provides a web site, mailing lists and IRC
12  * channels for your use.
13  *
14  * This program is free software, distributed under the terms of
15  * the GNU General Public License Version 2. See the LICENSE file
16  * at the top of the source tree.
17  */
18
19 /*** MODULEINFO
20         <depend>pjproject</depend>
21         <depend>res_pjsip</depend>
22         <support_level>core</support_level>
23  ***/
24
25 #include "asterisk.h"
26
27 #include <pjsip.h>
28
29 #include "asterisk/res_pjsip.h"
30 #include "asterisk/logger.h"
31 #include "asterisk/module.h"
32 #include "asterisk/strings.h"
33
/*!
 * \brief Locate the authenticate header carried by a challenge response.
 *
 * A 401 response is searched for WWW-Authenticate and a 407 response for
 * Proxy-Authenticate. Any other status code is logged as an error.
 *
 * \param challenge The received response being treated as a challenge. It
 *        comes from the remote party, so nothing in it is trusted.
 *
 * \return Whatever pjsip_msg_find_hdr() yields for the selected header type,
 *         or NULL when the status code is neither 401 nor 407.
 */
static pjsip_www_authenticate_hdr *get_auth_header(pjsip_rx_data *challenge)
{
	pjsip_msg *msg = challenge->msg_info.msg;
	int code = msg->line.status.code;

	switch (code) {
	case PJSIP_SC_UNAUTHORIZED:
		return pjsip_msg_find_hdr(msg, PJSIP_H_WWW_AUTHENTICATE, NULL);
	case PJSIP_SC_PROXY_AUTHENTICATION_REQUIRED:
		return pjsip_msg_find_hdr(msg, PJSIP_H_PROXY_AUTHENTICATE, NULL);
	default:
		break;
	}

	/* Only the numeric status is logged; no remote-supplied text is echoed. */
	ast_log(LOG_ERROR,
			"Status code %d was received when it should have been 401 or 407.\n",
			code);
	return NULL;
}
51
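/*!
 * \brief Load the configured outbound credentials into a PJSIP client auth session.
 *
 * Each auth object named in \a auth_vector is retrieved and translated into a
 * pjsip_cred_info entry, and the resulting array is handed to
 * pjsip_auth_clt_set_credentials().
 *
 * Security notes for maintainers:
 *  - An auth object with an empty realm takes its realm from the received
 *    challenge. That challenge is remote input, so such a credential will be
 *    offered for whatever realm the challenging party names. Configure an
 *    explicit realm on the auth object to bind a credential to one realm.
 *  - pj_cstr() only points at the auth object's strings (password or MD5
 *    digest); nothing is copied here. The auth objects are therefore released
 *    only after pjsip_auth_clt_set_credentials() has run.
 *    NOTE(review): this presumes that call copies the credentials into the
 *    session - confirm against the pjproject version in use.
 *  - Both scratch arrays come from ast_alloca() and start out uninitialised.
 *    They are cleared before use so that neither the cleanup path nor PJSIP
 *    ever reads stack garbage as a pointer, length, or credential type.
 *
 * \param auth_sess   The client auth session to populate.
 * \param auth_vector Names of the auth objects configured for this request.
 * \param challenge   The 401/407 response received from the remote party.
 *
 * \retval 0  Credentials were passed to the auth session.
 * \retval -1 The auth objects could not be retrieved, or the challenge had no
 *            usable authenticate header.
 */
static int set_outbound_authentication_credentials(pjsip_auth_clt_sess *auth_sess,
		const struct ast_sip_auth_vector *auth_vector, pjsip_rx_data *challenge)
{
	size_t auth_size = AST_VECTOR_SIZE(auth_vector);
	struct ast_sip_auth **auths = ast_alloca(auth_size * sizeof(*auths));
	pjsip_cred_info *auth_creds = ast_alloca(auth_size * sizeof(*auth_creds));
	pjsip_www_authenticate_hdr *auth_hdr = NULL;
	size_t cred_count = 0;
	int res = 0;
	size_t i;

	/*
	 * Clear every slot first: if retrieval stops part-way, the cleanup call
	 * below still walks all auth_size entries.
	 * NOTE(review): relies on ast_sip_cleanup_auths() tolerating NULL
	 * entries - confirm.
	 */
	for (i = 0; i < auth_size; ++i) {
		auths[i] = NULL;
	}

	if (ast_sip_retrieve_auths(auth_vector, auths)) {
		res = -1;
		goto cleanup;
	}

	auth_hdr = get_auth_header(challenge);
	if (auth_hdr == NULL) {
		res = -1;
		ast_log(LOG_ERROR, "Unable to find authenticate header in challenge.\n");
		goto cleanup;
	}

	for (i = 0; i < auth_size; ++i) {
		pjsip_cred_info *cred = &auth_creds[cred_count];

		/* Start from an all-zero entry so no field is left as stack garbage. */
		*cred = (pjsip_cred_info) { .data_type = 0 };

		if (ast_strlen_zero(auths[i]->realm)) {
			/* Wildcard credential: adopt the realm named by the challenge. */
			cred->realm = auth_hdr->challenge.common.realm;
		} else {
			pj_cstr(&cred->realm, auths[i]->realm);
		}
		pj_cstr(&cred->username, auths[i]->auth_user);
		pj_cstr(&cred->scheme, "digest");

		switch (auths[i]->type) {
		case AST_SIP_AUTH_TYPE_USER_PASS:
			pj_cstr(&cred->data, auths[i]->auth_pass);
			cred->data_type = PJSIP_CRED_DATA_PLAIN_PASSWD;
			break;
		case AST_SIP_AUTH_TYPE_MD5:
			pj_cstr(&cred->data, auths[i]->md5_creds);
			cred->data_type = PJSIP_CRED_DATA_DIGEST;
			break;
		case AST_SIP_AUTH_TYPE_ARTIFICIAL:
			ast_log(LOG_ERROR, "Trying to set artificial outbound auth credentials shouldn't happen.\n");
			/* Skip it rather than hand PJSIP an entry with no secret set. */
			continue;
		default:
			ast_log(LOG_ERROR, "Unsupported outbound auth type %d; credential skipped.\n",
				(int) auths[i]->type);
			continue;
		}

		++cred_count;
	}

	/* Only the fully populated entries are passed on. */
	pjsip_auth_clt_set_credentials(auth_sess, cred_count, auth_creds);

cleanup:
	ast_sip_cleanup_auths(auths, auth_size);
	return res;
}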
103
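/*!
 * \brief Build an authenticated copy of a request in answer to a digest challenge.
 *
 * A temporary PJSIP client auth session is initialised on the old request's
 * pool and loaded with the configured credentials. PJSIP is then asked to
 * re-create the request with authentication attached.
 *
 * \param auths       Names of the auth objects configured for this request.
 * \param challenge   The 401/407 response received from the remote party
 *                    (untrusted input).
 * \param old_request The request that was challenged.
 * \param new_request Receives the re-created request on success.
 *
 * \retval 0  \a new_request was created (and its CSeq incremented when a CSeq
 *            header was found).
 * \retval -1 The auth session could not be initialised, the credentials could
 *            not be set, or PJSIP refused to build the request.
 */
static int digest_create_request_with_auth(const struct ast_sip_auth_vector *auths, pjsip_rx_data *challenge,
		pjsip_tx_data *old_request, pjsip_tx_data **new_request)
{
	pjsip_auth_clt_sess auth_sess;
	pjsip_cseq_hdr *cseq;
	pj_status_t status;

	if (pjsip_auth_clt_init(&auth_sess, ast_sip_get_pjsip_endpoint(),
				old_request->pool, 0) != PJ_SUCCESS) {
		ast_log(LOG_WARNING, "Failed to initialize client authentication session\n");
		return -1;
	}

	if (set_outbound_authentication_credentials(&auth_sess, auths, challenge)) {
		ast_log(LOG_WARNING, "Failed to set authentication credentials\n");
#if defined(HAVE_PJSIP_AUTH_CLT_DEINIT)
		/* In case it is not a noop here in the future. */
		pjsip_auth_clt_deinit(&auth_sess);
#endif
		return -1;
	}

	status = pjsip_auth_clt_reinit_req(&auth_sess, challenge, old_request, new_request);
#if defined(HAVE_PJSIP_AUTH_CLT_DEINIT)
	/* Release any cached auths */
	pjsip_auth_clt_deinit(&auth_sess);
#endif
	switch (status) {
	case PJ_SUCCESS:
		/* PJSIP creates a new transaction for new_request (meaning it creates a new
		 * branch). However, it recycles the Call-ID, from-tag, and CSeq from the
		 * original request. Some SIP implementations will not process the new request
		 * since the CSeq is the same as the original request. Incrementing it here
		 * fixes the interop issue
		 */
		cseq = pjsip_msg_find_hdr((*new_request)->msg, PJSIP_H_CSEQ, NULL);
		ast_assert(cseq != NULL);
		/*
		 * ast_assert() is not guaranteed to halt execution in every build
		 * configuration, so the pointer is also checked at run time to keep
		 * a missing header from becoming a NULL dereference.
		 */
		if (cseq != NULL) {
			++cseq->cseq;
		} else {
			ast_log(LOG_WARNING, "Authenticated request has no CSeq header; CSeq not incremented.\n");
		}
		return 0;
	case PJSIP_ENOCREDENTIAL:
		ast_log(LOG_WARNING,
			"Unable to create request with auth.  No auth credentials for any realms in challenge.\n");
		break;
	case PJSIP_EAUTHSTALECOUNT:
		ast_log(LOG_WARNING,
			"Unable to create request with auth.  Number of stale retries exceeded.\n");
		break;
	case PJSIP_EFAILEDCREDENTIAL:
		ast_log(LOG_WARNING, "Authentication credentials not accepted by server.\n");
		break;
	default:
		ast_log(LOG_WARNING, "Unable to create request with auth. Unknown failure.\n");
		break;
	}

	return -1;
}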
161
/*!
 * \brief Outbound authenticator registered by this module.
 *
 * Its only callback answers a challenge by building a digest-authenticated
 * copy of the challenged request.
 */
static struct ast_sip_outbound_authenticator digest_authenticator = { .create_request_with_auth = digest_create_request_with_auth };
165
/*!
 * \brief Module load hook: register the digest outbound authenticator.
 *
 * \return AST_MODULE_LOAD_SUCCESS when registration succeeds, or
 *         AST_MODULE_LOAD_DECLINE when it fails.
 */
static int load_module(void)
{
	/* NOTE(review): presumably returns early when res_pjsip is unavailable - confirm. */
	CHECK_PJSIP_MODULE_LOADED();

	return ast_sip_register_outbound_authenticator(&digest_authenticator)
		? AST_MODULE_LOAD_DECLINE
		: AST_MODULE_LOAD_SUCCESS;
}
175
/*!
 * \brief Module unload hook: withdraw the digest outbound authenticator.
 *
 * \return Always 0.
 */
static int unload_module(void)
{
	struct ast_sip_outbound_authenticator *registered = &digest_authenticator;

	ast_sip_unregister_outbound_authenticator(registered);

	return 0;
}
181
/* Module registration: load/unload hooks, load priority and support level. */
AST_MODULE_INFO(ASTERISK_GPL_KEY, AST_MODFLAG_LOAD_ORDER, "PJSIP authentication resource",
	.load = load_module,
	.unload = unload_module,
	.load_pri = AST_MODPRI_CHANNEL_DEPEND,
	.support_level = AST_MODULE_SUPPORT_CORE,
);