loader: Add dependency fields to module structures.
[asterisk/asterisk.git] / res / res_pjsip_outbound_authenticator_digest.c
1 /*
2  * Asterisk -- An open source telephony toolkit.
3  *
4  * Copyright (C) 2013, Digium, Inc.
5  *
6  * Mark Michelson <mmichelson@digium.com>
7  *
8  * See http://www.asterisk.org for more information about
9  * the Asterisk project. Please do not directly contact
10  * any of the maintainers of this project for assistance;
11  * the project provides a web site, mailing lists and IRC
12  * channels for your use.
13  *
14  * This program is free software, distributed under the terms of
15  * the GNU General Public License Version 2. See the LICENSE file
16  * at the top of the source tree.
17  */
18
19 /*** MODULEINFO
20         <depend>pjproject</depend>
21         <depend>res_pjsip</depend>
22         <support_level>core</support_level>
23  ***/
24
25 #include "asterisk.h"
26
27 #include <pjsip.h>
28
29 #include "asterisk/res_pjsip.h"
30 #include "asterisk/logger.h"
31 #include "asterisk/module.h"
32 #include "asterisk/strings.h"
33
/*!
 * \brief Locate an authenticate header in a challenge response.
 *
 * The header type searched for depends on the response status code:
 * WWW-Authenticate for a 401 and Proxy-Authenticate for a 407.
 *
 * \param challenge The received response to search
 * \param start Passed through to pjsip_msg_find_hdr() as the search start;
 *        callers in this file pass NULL for the first lookup and the previous
 *        header's next pointer to continue
 *
 * \return The header returned by pjsip_msg_find_hdr(), or NULL when the
 *         status code is neither 401 nor 407
 */
static pjsip_www_authenticate_hdr *get_auth_header(pjsip_rx_data *challenge,
	const void *start)
{
	pjsip_msg *msg = challenge->msg_info.msg;
	pjsip_hdr_e hdr_type;

	switch (msg->line.status.code) {
	case PJSIP_SC_UNAUTHORIZED:
		hdr_type = PJSIP_H_WWW_AUTHENTICATE;
		break;
	case PJSIP_SC_PROXY_AUTHENTICATION_REQUIRED:
		hdr_type = PJSIP_H_PROXY_AUTHENTICATE;
		break;
	default:
		/* Only 401/407 responses carry a challenge this module can answer. */
		ast_log(LOG_ERROR,
				"Status code %d was received when it should have been 401 or 407.\n",
				msg->line.status.code);
		return NULL;
	}

	return pjsip_msg_find_hdr(msg, hdr_type, start);
}
53
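/*!
 * \brief Load the configured outbound auth objects into a PJSIP client auth session.
 *
 * \param auth_sess PJSIP client authentication session that receives the credentials
 * \param auth_vector Vector of auth references resolved through ast_sip_retrieve_auths()
 * \param challenge The challenge response being answered (not read by this function)
 * \param auth_hdr Authenticate header from the challenge; its realm is used for
 *        any auth object whose own realm is empty
 *
 * \retval 0 the credentials were passed to pjsip_auth_clt_set_credentials()
 * \retval -1 the auth objects could not be retrieved, or one of them has a type
 *         that cannot be used for outbound authentication
 */
static int set_outbound_authentication_credentials(pjsip_auth_clt_sess *auth_sess,
		const struct ast_sip_auth_vector *auth_vector, pjsip_rx_data *challenge,
		pjsip_www_authenticate_hdr *auth_hdr)
{
	size_t auth_size = AST_VECTOR_SIZE(auth_vector);
	struct ast_sip_auth **auths = ast_alloca(auth_size * sizeof(*auths));
	pjsip_cred_info *auth_creds = ast_alloca(auth_size * sizeof(*auth_creds));
	int res = 0;
	size_t i;

	/*
	 * Stack memory from ast_alloca() is not initialized. Zero both arrays so
	 * that (a) the cleanup call below never sees indeterminate pointers if
	 * retrieval stops part way through -- presumably ast_sip_retrieve_auths()
	 * can leave later slots unwritten on failure; confirm against its
	 * implementation -- and (b) every pjsip_cred_info member this function
	 * does not set explicitly has a defined value before PJSIP reads it.
	 */
	memset(auths, 0, auth_size * sizeof(*auths));
	memset(auth_creds, 0, auth_size * sizeof(*auth_creds));

	if (ast_sip_retrieve_auths(auth_vector, auths)) {
		res = -1;
		goto cleanup;
	}

	for (i = 0; i < auth_size; ++i) {
		/* An auth object without a realm answers whatever realm was challenged. */
		if (ast_strlen_zero(auths[i]->realm)) {
			auth_creds[i].realm = auth_hdr->challenge.common.realm;
		} else {
			pj_cstr(&auth_creds[i].realm, auths[i]->realm);
		}
		pj_cstr(&auth_creds[i].username, auths[i]->auth_user);
		pj_cstr(&auth_creds[i].scheme, "digest");
		switch (auths[i]->type) {
		case AST_SIP_AUTH_TYPE_USER_PASS:
			pj_cstr(&auth_creds[i].data, auths[i]->auth_pass);
			auth_creds[i].data_type = PJSIP_CRED_DATA_PLAIN_PASSWD;
			break;
		case AST_SIP_AUTH_TYPE_MD5:
			pj_cstr(&auth_creds[i].data, auths[i]->md5_creds);
			auth_creds[i].data_type = PJSIP_CRED_DATA_DIGEST;
			break;
		case AST_SIP_AUTH_TYPE_ARTIFICIAL:
			/*
			 * No usable secret exists for this entry. Fail instead of handing
			 * PJSIP a credential whose data and data_type were never filled in.
			 */
			ast_log(LOG_ERROR, "Trying to set artificial outbound auth credentials shouldn't happen.\n");
			res = -1;
			goto cleanup;
		}
	}

	pjsip_auth_clt_set_credentials(auth_sess, auth_size, auth_creds);

cleanup:
	ast_sip_cleanup_auths(auths, auth_size);
	return res;
}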
98
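/*!
 * \brief Build a new request carrying digest credentials in answer to a challenge.
 *
 * Installed as the create_request_with_auth callback of digest_authenticator.
 *
 * \param auths Auth references to offer as credentials
 * \param challenge The received 401/407 response
 * \param old_request The request that was challenged; its pool backs the
 *        temporary client auth session
 * \param[out] new_request Filled in by pjsip_auth_clt_reinit_req()
 *
 * \retval 0 *new_request was created and its CSeq incremented
 * \retval -1 no authenticate header was found, the auth session or credentials
 *         could not be set up, or PJSIP could not build the request
 */
static int digest_create_request_with_auth(const struct ast_sip_auth_vector *auths,
	pjsip_rx_data *challenge, pjsip_tx_data *old_request, pjsip_tx_data **new_request)
{
	pjsip_auth_clt_sess auth_sess;
	pjsip_cseq_hdr *cseq;
	pj_status_t status;
	struct ast_sip_endpoint *endpoint;
	char *id = NULL;
	const char *id_type = "Host";
	pjsip_www_authenticate_hdr *auth_hdr;
	struct ast_str *realms;
	pjsip_dialog *dlg;

	/* id/id_type only label the log messages below. */
	dlg = pjsip_rdata_get_dlg(challenge);
	if (dlg) {
		endpoint = ast_sip_dialog_get_endpoint(dlg);
		id = endpoint ? ast_strdupa(ast_sorcery_object_get_id(endpoint)) : NULL;
		ao2_cleanup(endpoint);
		id_type = "Endpoint";
	}
	/* If there was no dialog, then this is probably a REGISTER so no endpoint */
	if (!id) {
		/* ':' + up to 5 port digits + NUL */
		size_t id_size = strlen(challenge->pkt_info.src_name) + 7;

		id = ast_alloca(id_size);
		/*
		 * Bounded write: the size estimate assumes a port of at most five
		 * digits, so let snprintf() truncate instead of writing past the
		 * stack buffer if src_port ever holds an out-of-range value.
		 */
		snprintf(id, id_size, "%s:%d", challenge->pkt_info.src_name, challenge->pkt_info.src_port);
		id_type = "Host";
	}

	auth_hdr = get_auth_header(challenge, NULL);
	if (auth_hdr == NULL) {
		ast_log(LOG_ERROR, "%s: '%s': Unable to find authenticate header in challenge.\n",
			id_type, id);
		return -1;
	}

	if (pjsip_auth_clt_init(&auth_sess, ast_sip_get_pjsip_endpoint(),
				old_request->pool, 0) != PJ_SUCCESS) {
		ast_log(LOG_ERROR, "%s: '%s': Failed to initialize client authentication session\n",
			id_type, id);
		return -1;
	}

	if (set_outbound_authentication_credentials(&auth_sess, auths, challenge, auth_hdr)) {
		ast_log(LOG_WARNING, "%s: '%s': Failed to set authentication credentials\n",
			id_type, id);
#if defined(HAVE_PJSIP_AUTH_CLT_DEINIT)
		/* In case it is not a noop here in the future. */
		pjsip_auth_clt_deinit(&auth_sess);
#endif
		return -1;
	}

	status = pjsip_auth_clt_reinit_req(&auth_sess, challenge, old_request, new_request);
#if defined(HAVE_PJSIP_AUTH_CLT_DEINIT)
	/* Release any cached auths */
	pjsip_auth_clt_deinit(&auth_sess);
#endif

	switch (status) {
	case PJ_SUCCESS:
		/* PJSIP creates a new transaction for new_request (meaning it creates a new
		 * branch). However, it recycles the Call-ID, from-tag, and CSeq from the
		 * original request. Some SIP implementations will not process the new request
		 * since the CSeq is the same as the original request. Incrementing it here
		 * fixes the interop issue
		 */
		cseq = pjsip_msg_find_hdr((*new_request)->msg, PJSIP_H_CSEQ, NULL);
		/*
		 * NOTE(review): if ast_assert() is compiled out in non-developer
		 * builds, a missing CSeq header would be dereferenced on the next
		 * line -- confirm.
		 */
		ast_assert(cseq != NULL);
		++cseq->cseq;
		return 0;
	case PJSIP_ENOCREDENTIAL:
		/*
		 * Collect the realm of every authenticate header in the challenge so
		 * the warning names what was asked for. The realm text comes from the
		 * remote peer and is written to the log as received.
		 */
		realms = ast_str_create(32);
		if (realms) {
			ast_str_append(&realms, 0, "%.*s", (int)auth_hdr->challenge.common.realm.slen,
				auth_hdr->challenge.common.realm.ptr);
			while((auth_hdr = get_auth_header(challenge, auth_hdr->next))) {
				ast_str_append(&realms, 0, ",%.*s", (int)auth_hdr->challenge.common.realm.slen,
					auth_hdr->challenge.common.realm.ptr);
			}
		}
		ast_log(LOG_WARNING,
			"%s: '%s': Unable to create request with auth. "
			"No auth credentials for realm(s) '%s' in challenge.\n", id_type, id,
			realms ? ast_str_buffer(realms) : "<unknown>");
		ast_free(realms);
		break;
	case PJSIP_EAUTHSTALECOUNT:
		ast_log(LOG_WARNING,
			"%s: '%s': Unable to create request with auth.  Number of stale retries exceeded.\n",
			id_type, id);
		break;
	case PJSIP_EFAILEDCREDENTIAL:
		ast_log(LOG_WARNING, "%s: '%s': Authentication credentials not accepted by server.\n",
			id_type, id);
		break;
	default:
		ast_log(LOG_WARNING, "%s: '%s': Unable to create request with auth. Unknown failure.\n",
			id_type, id);
		break;
	}

	return -1;
}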
201
/*!
 * \brief Outbound authenticator registered by load_module().
 *
 * Its only callback builds a digest-authenticated copy of a challenged request.
 */
static struct ast_sip_outbound_authenticator digest_authenticator = {
	.create_request_with_auth = digest_create_request_with_auth,
};
205
/*!
 * \brief Register the digest outbound authenticator with res_pjsip.
 *
 * \retval AST_MODULE_LOAD_SUCCESS registration succeeded
 * \retval AST_MODULE_LOAD_DECLINE registration was refused
 */
static int load_module(void)
{
	/* Macro defined outside this file; presumably bails out early when res_pjsip is unavailable. */
	CHECK_PJSIP_MODULE_LOADED();

	return ast_sip_register_outbound_authenticator(&digest_authenticator)
		? AST_MODULE_LOAD_DECLINE
		: AST_MODULE_LOAD_SUCCESS;
}
215
/*!
 * \brief Unregister the digest outbound authenticator.
 *
 * \return Always 0.
 */
static int unload_module(void)
{
	ast_sip_unregister_outbound_authenticator(&digest_authenticator);
	return 0;
}
221
/*
 * Module registration. The .requires field names res_pjsip, the same module
 * listed as a <depend> in the MODULEINFO block at the top of this file.
 */
AST_MODULE_INFO(ASTERISK_GPL_KEY, AST_MODFLAG_LOAD_ORDER, "PJSIP authentication resource",
	.support_level = AST_MODULE_SUPPORT_CORE,
	.load = load_module,
	.unload = unload_module,
	.load_pri = AST_MODPRI_CHANNEL_DEPEND,
	.requires = "res_pjsip",
);