res/res_pjsip_outbound_authenticator_digest.c

   1 /*
   2  * Asterisk -- An open source telephony toolkit.
   3  *
   4  * Copyright (C) 2013, Digium, Inc.
   5  *
   6  * Mark Michelson <mmichelson@digium.com>
   7  *
   8  * See http://www.asterisk.org for more information about
   9  * the Asterisk project. Please do not directly contact
  10  * any of the maintainers of this project for assistance;
  11  * the project provides a web site, mailing lists and IRC
  12  * channels for your use.
  13  *
  14  * This program is free software, distributed under the terms of
  15  * the GNU General Public License Version 2. See the LICENSE file
  16  * at the top of the source tree.
  17  */
  18
  19 /*** MODULEINFO
  20         <depend>pjproject</depend>
  21         <depend>res_pjsip</depend>
  22         <support_level>core</support_level>
  23  ***/
  24
  25 #include "asterisk.h"
  26
  27 #include <pjsip.h>
  28
  29 #include "asterisk/res_pjsip.h"
  30 #include "asterisk/logger.h"
  31 #include "asterisk/module.h"
  32 #include "asterisk/strings.h"
  33
  34 static pjsip_www_authenticate_hdr *get_auth_header(pjsip_rx_data *challenge) {
  35         pjsip_hdr_e search_type;
  36
  37         if (challenge->msg_info.msg->line.status.code == PJSIP_SC_UNAUTHORIZED) {
  38                 search_type = PJSIP_H_WWW_AUTHENTICATE;
  39         } else if (challenge->msg_info.msg->line.status.code == PJSIP_SC_PROXY_AUTHENTICATION_REQUIRED) {
  40                 search_type = PJSIP_H_PROXY_AUTHENTICATE;
  41         } else {
  42                 ast_log(LOG_ERROR,
  43                                 "Status code %d was received when it should have been 401 or 407.\n",
  44                                 challenge->msg_info.msg->line.status.code);
  45                 return NULL ;
  46         }
  47
  48         return pjsip_msg_find_hdr(challenge->msg_info.msg, search_type, NULL);
  49
  50 }
  51
  52 static int set_outbound_authentication_credentials(pjsip_auth_clt_sess *auth_sess,
  53                 const struct ast_sip_auth_vector *auth_vector, pjsip_rx_data *challenge)
  54 {
  55         size_t auth_size = AST_VECTOR_SIZE(auth_vector);
  56         struct ast_sip_auth **auths = ast_alloca(auth_size * sizeof(*auths));
  57         pjsip_cred_info *auth_creds = ast_alloca(auth_size * sizeof(*auth_creds));
  58         pjsip_www_authenticate_hdr *auth_hdr = NULL;
  59         int res = 0;
  60         int i;
  61
  62         if (ast_sip_retrieve_auths(auth_vector, auths)) {
  63                 res = -1;
  64                 goto cleanup;
  65         }
  66
  67         auth_hdr = get_auth_header(challenge);
  68         if (auth_hdr == NULL) {
  69                 res = -1;
  70                 ast_log(LOG_ERROR, "Unable to find authenticate header in challenge.\n");
  71                 goto cleanup;
  72         }
  73
  74         for (i = 0; i < auth_size; ++i) {
  75                 if (ast_strlen_zero(auths[i]->realm)) {
  76                         auth_creds[i].realm = auth_hdr->challenge.common.realm;
  77                 } else {
  78                         pj_cstr(&auth_creds[i].realm, auths[i]->realm);
  79                 }
  80                 pj_cstr(&auth_creds[i].username, auths[i]->auth_user);
  81                 pj_cstr(&auth_creds[i].scheme, "digest");
  82                 switch (auths[i]->type) {
  83                 case AST_SIP_AUTH_TYPE_USER_PASS:
  84                         pj_cstr(&auth_creds[i].data, auths[i]->auth_pass);
  85                         auth_creds[i].data_type = PJSIP_CRED_DATA_PLAIN_PASSWD;
  86                         break;
  87                 case AST_SIP_AUTH_TYPE_MD5:
  88                         pj_cstr(&auth_creds[i].data, auths[i]->md5_creds);
  89                         auth_creds[i].data_type = PJSIP_CRED_DATA_DIGEST;
  90                         break;
  91                 case AST_SIP_AUTH_TYPE_ARTIFICIAL:
  92                         ast_log(LOG_ERROR, "Trying to set artificial outbound auth credentials shouldn't happen.\n");
  93                         break;
  94                 }
  95         }
  96
  97         pjsip_auth_clt_set_credentials(auth_sess, auth_size, auth_creds);
  98
  99 cleanup:
 100         ast_sip_cleanup_auths(auths, auth_size);
 101         return res;
 102 }
 103
 104 static int digest_create_request_with_auth(const struct ast_sip_auth_vector *auths, pjsip_rx_data *challenge,
 105                 pjsip_transaction *tsx, pjsip_tx_data **new_request)
 106 {
 107         pjsip_auth_clt_sess auth_sess;
 108
 109         if (pjsip_auth_clt_init(&auth_sess, ast_sip_get_pjsip_endpoint(),
 110                                 tsx->pool, 0) != PJ_SUCCESS) {
 111                 ast_log(LOG_WARNING, "Failed to initialize client authentication session\n");
 112                 return -1;
 113         }
 114
 115         if (set_outbound_authentication_credentials(&auth_sess, auths, challenge)) {
 116                 ast_log(LOG_WARNING, "Failed to set authentication credentials\n");
 117                 return -1;
 118         }
 119
 120         switch (pjsip_auth_clt_reinit_req(&auth_sess, challenge,
 121                                 tsx->last_tx, new_request)) {
 122         case PJ_SUCCESS:
 123                 return 0;
 124         case PJSIP_ENOCREDENTIAL:
 125                 ast_log(LOG_WARNING, "Unable to create request with auth."
 126                                 "No auth credentials for any realms in challenge.\n");
 127                 break;
 128         case PJSIP_EAUTHSTALECOUNT:
 129                 ast_log(LOG_WARNING, "Unable to create request with auth."
 130                                 "Number of stale retries exceeded\n");
 131                 break;
 132         case PJSIP_EFAILEDCREDENTIAL:
 133                 ast_log(LOG_WARNING, "Authentication credentials not accepted by server\n");
 134                 break;
 135         default:
 136                 ast_log(LOG_WARNING, "Unable to create request with auth. Unknown failure\n");
 137                 break;
 138         }
 139
 140         return -1;
 141 }
 142
 143 static struct ast_sip_outbound_authenticator digest_authenticator = {
 144         .create_request_with_auth = digest_create_request_with_auth,
 145 };
 146
 147 static int load_module(void)
 148 {
 149         if (ast_sip_register_outbound_authenticator(&digest_authenticator)) {
 150                 return AST_MODULE_LOAD_DECLINE;
 151         }
 152         return AST_MODULE_LOAD_SUCCESS;
 153 }
 154
 155 static int unload_module(void)
 156 {
 157         ast_sip_unregister_outbound_authenticator(&digest_authenticator);
 158         return 0;
 159 }
 160
 161 AST_MODULE_INFO(ASTERISK_GPL_KEY, AST_MODFLAG_LOAD_ORDER, "PJSIP authentication resource",
 162                 .load = load_module,
 163                 .unload = unload_module,
 164                 .load_pri = AST_MODPRI_CHANNEL_DEPEND,
 165 );