1 /*
2  * Asterisk -- An open source telephony toolkit.
3  *
4  * Copyright (C) 2013, Digium, Inc.
5  *
6  * Mark Michelson <mmichelson@digium.com>
7  *
8  * See http://www.asterisk.org for more information about
9  * the Asterisk project. Please do not directly contact
10  * any of the maintainers of this project for assistance;
11  * the project provides a web site, mailing lists and IRC
12  * channels for your use.
13  *
14  * This program is free software, distributed under the terms of
15  * the GNU General Public License Version 2. See the LICENSE file
16  * at the top of the source tree.
17  */
18
19 /*** MODULEINFO
20         <depend>pjproject</depend>
21         <depend>res_pjsip</depend>
22         <support_level>core</support_level>
23  ***/
24
25 #include "asterisk.h"
26
27 #include <pjsip.h>
28
29 #include "asterisk/res_pjsip.h"
30 #include "asterisk/logger.h"
31 #include "asterisk/module.h"
32 #include "asterisk/strings.h"
33
/*!
 * \internal
 * \brief Find the authenticate header that corresponds to the challenge's status code.
 *
 * A 401 response carries WWW-Authenticate, a 407 carries Proxy-Authenticate.
 * Any other status code is logged as an error and rejected.
 *
 * \param challenge The received challenge response.
 * \param start Header to resume the search after, or NULL to search from the top
 *        of the message (passed straight through to pjsip_msg_find_hdr).
 *
 * \return The matching header, or NULL if the status code is not 401/407 or
 *         no further header of that type exists.
 */
static pjsip_www_authenticate_hdr *get_auth_header(pjsip_rx_data *challenge,
	const void *start)
{
	pjsip_msg *msg = challenge->msg_info.msg;
	pjsip_hdr_e wanted;

	switch (msg->line.status.code) {
	case PJSIP_SC_UNAUTHORIZED:
		wanted = PJSIP_H_WWW_AUTHENTICATE;
		break;
	case PJSIP_SC_PROXY_AUTHENTICATION_REQUIRED:
		wanted = PJSIP_H_PROXY_AUTHENTICATE;
		break;
	default:
		ast_log(LOG_ERROR,
			"Status code %d was received when it should have been 401 or 407.\n",
			msg->line.status.code);
		return NULL;
	}

	return pjsip_msg_find_hdr(msg, wanted, start);
}
53
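/*!
 * \internal
 * \brief Load the configured auth objects into the client authentication session.
 *
 * Each auth named in \a auth_vector becomes one pjsip_cred_info. An auth with
 * no realm configured takes the realm from the challenge header, so a single
 * credential can answer whichever realm the far end asks for. pjsip copies the
 * credentials into the session, so the stack arrays built here need not outlive
 * this call.
 *
 * \param auth_sess Client auth session that receives the credentials.
 * \param auth_vector Names of the auth objects to retrieve.
 * \param challenge The received challenge (not used here; kept for the call signature).
 * \param auth_hdr The authenticate header chosen from the challenge.
 *
 * \retval 0 on success
 * \retval -1 if the auth objects could not be retrieved
 */
static int set_outbound_authentication_credentials(pjsip_auth_clt_sess *auth_sess,
		const struct ast_sip_auth_vector *auth_vector, pjsip_rx_data *challenge,
		pjsip_www_authenticate_hdr *auth_hdr)
{
	size_t auth_size = AST_VECTOR_SIZE(auth_vector);
	struct ast_sip_auth **auths = ast_alloca(auth_size * sizeof(*auths));
	pjsip_cred_info *auth_creds = ast_alloca(auth_size * sizeof(*auth_creds));
	int res = 0;
	size_t i;

	/* Every field of a cred_info is handed to pjsip. Fields that a given auth
	 * type does not fill in (e.g. data/data_type for OAuth) must not be left
	 * as stack garbage. */
	pj_bzero(auth_creds, auth_size * sizeof(*auth_creds));

	if (ast_sip_retrieve_auths(auth_vector, auths)) {
		res = -1;
		goto cleanup;
	}

	for (i = 0; i < auth_size; ++i) {
		if (ast_strlen_zero(auths[i]->realm)) {
			/* No realm configured: accept whatever realm the challenge names. */
			auth_creds[i].realm = auth_hdr->challenge.common.realm;
		} else {
			pj_cstr(&auth_creds[i].realm, auths[i]->realm);
		}
		pj_cstr(&auth_creds[i].username, auths[i]->auth_user);
		pj_cstr(&auth_creds[i].scheme, "digest");
		switch (auths[i]->type) {
		case AST_SIP_AUTH_TYPE_USER_PASS:
			pj_cstr(&auth_creds[i].data, auths[i]->auth_pass);
			auth_creds[i].data_type = PJSIP_CRED_DATA_PLAIN_PASSWD;
			break;
		case AST_SIP_AUTH_TYPE_MD5:
			/* Pre-hashed credential (md5 of user:realm:password). */
			pj_cstr(&auth_creds[i].data, auths[i]->md5_creds);
			auth_creds[i].data_type = PJSIP_CRED_DATA_DIGEST;
			break;
		case AST_SIP_AUTH_TYPE_GOOGLE_OAUTH:
			/* nothing to do. handled separately in res_pjsip_outbound_registration */
			break;
		case AST_SIP_AUTH_TYPE_ARTIFICIAL:
			ast_log(LOG_ERROR, "Trying to set artificial outbound auth credentials shouldn't happen.\n");
			break;
		default:
			/* The slot stays zeroed; log so a new auth type is not silently ignored. */
			ast_log(LOG_ERROR, "Unhandled outbound auth type %d; no credentials set.\n",
				(int) auths[i]->type);
			break;
		}
	}

	pjsip_auth_clt_set_credentials(auth_sess, auth_size, auth_creds);

cleanup:
	ast_sip_cleanup_auths(auths, auth_size);
	return res;
}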
101
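/*!
 * \internal
 * \brief Log which realm(s) the challenge asked for when no credential matched.
 *
 * Builds a comma separated list of every realm present in the challenge so the
 * administrator can see which realm is missing from the configured auths.
 *
 * \param id_type Label for \a id ("Endpoint" or "Host").
 * \param id Identifier of the party that challenged us.
 * \param challenge The received challenge.
 * \param auth_hdr The first authenticate header found in \a challenge.
 */
static void log_missing_credentials(const char *id_type, const char *id,
	pjsip_rx_data *challenge, pjsip_www_authenticate_hdr *auth_hdr)
{
	struct ast_str *realms = ast_str_create(32);

	if (realms) {
		const char *sep = "";

		do {
			ast_str_append(&realms, 0, "%s%.*s", sep,
				(int) auth_hdr->challenge.common.realm.slen,
				auth_hdr->challenge.common.realm.ptr);
			sep = ",";
		} while ((auth_hdr = get_auth_header(challenge, auth_hdr->next)));
	}

	ast_log(LOG_WARNING,
		"%s: '%s': Unable to create request with auth. "
		"No auth credentials for realm(s) '%s' in challenge.\n", id_type, id,
		realms ? ast_str_buffer(realms) : "<unknown>");
	ast_free(realms);
}

/*!
 * \internal
 * \brief Build a new request that answers a 401/407 digest challenge.
 *
 * \param auths Auth objects available for the outbound request.
 * \param challenge The 401/407 response that was received.
 * \param old_request The request that was challenged.
 * \param new_request Receives the re-authenticated request on success.
 *
 * \retval 0 on success, with \a new_request populated
 * \retval -1 on any failure (no authenticate header, session init failure,
 *         no credentials for the realm, stale retries exceeded, or rejected
 *         credentials); the reason is logged
 */
static int digest_create_request_with_auth(const struct ast_sip_auth_vector *auths,
	pjsip_rx_data *challenge, pjsip_tx_data *old_request, pjsip_tx_data **new_request)
{
	pjsip_auth_clt_sess auth_sess;
	pjsip_cseq_hdr *cseq;
	pj_status_t status;
	struct ast_sip_endpoint *endpoint;
	char *id = NULL;
	const char *id_type = NULL;
	pjsip_www_authenticate_hdr *auth_hdr;
	pjsip_dialog *dlg;

	/* Work out who to name in log messages: the endpoint when the challenge
	 * belongs to a dialog, otherwise the source address of the challenge. */
	dlg = pjsip_rdata_get_dlg(challenge);
	if (dlg) {
		endpoint = ast_sip_dialog_get_endpoint(dlg);
		id = endpoint ? ast_strdupa(ast_sorcery_object_get_id(endpoint)) : NULL;
		ao2_cleanup(endpoint);
		id_type = "Endpoint";
	}
	/* If there was no dialog (or no endpoint on it), then this is probably a REGISTER */
	if (!id) {
		id = ast_alloca(AST_SOCKADDR_BUFLEN);
		pj_sockaddr_print(&challenge->pkt_info.src_addr, id, AST_SOCKADDR_BUFLEN, 3);
		id_type = "Host";
	}

	auth_hdr = get_auth_header(challenge, NULL);
	if (auth_hdr == NULL) {
		ast_log(LOG_ERROR, "%s: '%s': Unable to find authenticate header in challenge.\n",
			id_type, id);
		return -1;
	}

	if (pjsip_auth_clt_init(&auth_sess, ast_sip_get_pjsip_endpoint(),
				old_request->pool, 0) != PJ_SUCCESS) {
		ast_log(LOG_ERROR, "%s: '%s': Failed to initialize client authentication session\n",
			id_type, id);
		return -1;
	}

	if (set_outbound_authentication_credentials(&auth_sess, auths, challenge, auth_hdr)) {
		ast_log(LOG_WARNING, "%s: '%s': Failed to set authentication credentials\n",
			id_type, id);
#if defined(HAVE_PJSIP_AUTH_CLT_DEINIT)
		/* In case it is not a noop here in the future. */
		pjsip_auth_clt_deinit(&auth_sess);
#endif
		return -1;
	}

	status = pjsip_auth_clt_reinit_req(&auth_sess, challenge, old_request, new_request);
#if defined(HAVE_PJSIP_AUTH_CLT_DEINIT)
	/* Release any cached auths */
	pjsip_auth_clt_deinit(&auth_sess);
#endif

	switch (status) {
	case PJ_SUCCESS:
		/* PJSIP creates a new transaction for new_request (meaning it creates a new
		 * branch). However, it recycles the Call-ID, from-tag, and CSeq from the
		 * original request. Some SIP implementations will not process the new request
		 * since the CSeq is the same as the original request. Incrementing it here
		 * fixes the interop issue
		 */
		cseq = pjsip_msg_find_hdr((*new_request)->msg, PJSIP_H_CSEQ, NULL);
		ast_assert(cseq != NULL);
		/* Guard as well as assert: ast_assert may be compiled out, and sending the
		 * request unincremented is better than dereferencing NULL. */
		if (cseq) {
			++cseq->cseq;
		}
		return 0;
	case PJSIP_ENOCREDENTIAL:
		log_missing_credentials(id_type, id, challenge, auth_hdr);
		break;
	case PJSIP_EAUTHSTALECOUNT:
		ast_log(LOG_WARNING,
			"%s: '%s': Unable to create request with auth.  Number of stale retries exceeded.\n",
			id_type, id);
		break;
	case PJSIP_EFAILEDCREDENTIAL:
		ast_log(LOG_WARNING, "%s: '%s': Authentication credentials not accepted by server.\n",
			id_type, id);
		break;
	default:
		ast_log(LOG_WARNING, "%s: '%s': Unable to create request with auth. Unknown failure.\n",
			id_type, id);
		break;
	}

	return -1;
}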
204
/*! \brief Outbound authenticator registered with res_pjsip; answers 401/407 challenges with digest credentials. */
static struct ast_sip_outbound_authenticator digest_authenticator = {
	.create_request_with_auth = digest_create_request_with_auth,
};
208
/*!
 * \internal
 * \brief Module load: register the digest authenticator with res_pjsip.
 *
 * \return AST_MODULE_LOAD_SUCCESS, or AST_MODULE_LOAD_DECLINE if registration fails.
 */
static int load_module(void)
{
	int registered = ast_sip_register_outbound_authenticator(&digest_authenticator) == 0;

	return registered ? AST_MODULE_LOAD_SUCCESS : AST_MODULE_LOAD_DECLINE;
}
216
/*!
 * \internal
 * \brief Module unload: remove the digest authenticator from res_pjsip.
 *
 * \return Always 0.
 */
static int unload_module(void)
{
	ast_sip_unregister_outbound_authenticator(&digest_authenticator);
	return 0;
}
222
/* Module descriptor; loads after res_pjsip, which it requires for authenticator registration. */
AST_MODULE_INFO(ASTERISK_GPL_KEY, AST_MODFLAG_LOAD_ORDER, "PJSIP authentication resource",
	.support_level = AST_MODULE_SUPPORT_CORE,
	.load = load_module,
	.unload = unload_module,
	.load_pri = AST_MODPRI_CHANNEL_DEPEND,
	.requires = "res_pjsip",
);