res/res_pjsip_outbound_authenticator_digest.c

   1 /*
   2  * Asterisk -- An open source telephony toolkit.
   3  *
   4  * Copyright (C) 2013, Digium, Inc.
   5  *
   6  * Mark Michelson <mmichelson@digium.com>
   7  *
   8  * See http://www.asterisk.org for more information about
   9  * the Asterisk project. Please do not directly contact
  10  * any of the maintainers of this project for assistance;
  11  * the project provides a web site, mailing lists and IRC
  12  * channels for your use.
  13  *
  14  * This program is free software, distributed under the terms of
  15  * the GNU General Public License Version 2. See the LICENSE file
  16  * at the top of the source tree.
  17  */
  18
  19 /*** MODULEINFO
  20         <depend>pjproject</depend>
  21         <depend>res_pjsip</depend>
  22         <support_level>core</support_level>
  23  ***/
  24
  25 #include "asterisk.h"
  26
  27 #include <pjsip.h>
  28
  29 #include "asterisk/res_pjsip.h"
  30 #include "asterisk/logger.h"
  31 #include "asterisk/module.h"
  32 #include "asterisk/strings.h"
  33
  34 static pjsip_www_authenticate_hdr *get_auth_header(pjsip_rx_data *challenge) {
  35         pjsip_hdr_e search_type;
  36
  37         if (challenge->msg_info.msg->line.status.code == PJSIP_SC_UNAUTHORIZED) {
  38                 search_type = PJSIP_H_WWW_AUTHENTICATE;
  39         } else if (challenge->msg_info.msg->line.status.code == PJSIP_SC_PROXY_AUTHENTICATION_REQUIRED) {
  40                 search_type = PJSIP_H_PROXY_AUTHENTICATE;
  41         } else {
  42                 ast_log(LOG_ERROR,
  43                                 "Status code %d was received when it should have been 401 or 407.\n",
  44                                 challenge->msg_info.msg->line.status.code);
  45                 return NULL ;
  46         }
  47
  48         return pjsip_msg_find_hdr(challenge->msg_info.msg, search_type, NULL);
  49
  50 }
  51
  52 static int set_outbound_authentication_credentials(pjsip_auth_clt_sess *auth_sess,
  53                 const struct ast_sip_auth_array *array, pjsip_rx_data *challenge)
  54 {
  55         struct ast_sip_auth **auths = ast_alloca(array->num * sizeof(*auths));
  56         pjsip_cred_info *auth_creds = ast_alloca(array->num * sizeof(*auth_creds));
  57         pjsip_www_authenticate_hdr *auth_hdr = NULL;
  58         int res = 0;
  59         int i;
  60
  61         if (ast_sip_retrieve_auths(array, auths)) {
  62                 res = -1;
  63                 goto cleanup;
  64         }
  65
  66         auth_hdr = get_auth_header(challenge);
  67         if (auth_hdr == NULL) {
  68                 res = -1;
  69                 ast_log(LOG_ERROR, "Unable to find authenticate header in challenge.\n");
  70                 goto cleanup;
  71         }
  72
  73         for (i = 0; i < array->num; ++i) {
  74                 if (ast_strlen_zero(auths[i]->realm)) {
  75                         auth_creds[i].realm = auth_hdr->challenge.common.realm;
  76                 } else {
  77                         pj_cstr(&auth_creds[i].realm, auths[i]->realm);
  78                 }
  79                 pj_cstr(&auth_creds[i].username, auths[i]->auth_user);
  80                 pj_cstr(&auth_creds[i].scheme, "digest");
  81                 switch (auths[i]->type) {
  82                 case AST_SIP_AUTH_TYPE_USER_PASS:
  83                         pj_cstr(&auth_creds[i].data, auths[i]->auth_pass);
  84                         auth_creds[i].data_type = PJSIP_CRED_DATA_PLAIN_PASSWD;
  85                         break;
  86                 case AST_SIP_AUTH_TYPE_MD5:
  87                         pj_cstr(&auth_creds[i].data, auths[i]->md5_creds);
  88                         auth_creds[i].data_type = PJSIP_CRED_DATA_DIGEST;
  89                         break;
  90                 case AST_SIP_AUTH_TYPE_ARTIFICIAL:
  91                         ast_log(LOG_ERROR, "Trying to set artificial outbound auth credentials shouldn't happen.\n");
  92                         break;
  93                 }
  94         }
  95
  96         pjsip_auth_clt_set_credentials(auth_sess, array->num, auth_creds);
  97
  98 cleanup:
  99         ast_sip_cleanup_auths(auths, array->num);
 100         return res;
 101 }
 102
 103 static int digest_create_request_with_auth(const struct ast_sip_auth_array *auths, pjsip_rx_data *challenge,
 104                 pjsip_transaction *tsx, pjsip_tx_data **new_request)
 105 {
 106         pjsip_auth_clt_sess auth_sess;
 107
 108         if (pjsip_auth_clt_init(&auth_sess, ast_sip_get_pjsip_endpoint(),
 109                                 tsx->pool, 0) != PJ_SUCCESS) {
 110                 ast_log(LOG_WARNING, "Failed to initialize client authentication session\n");
 111                 return -1;
 112         }
 113
 114         if (set_outbound_authentication_credentials(&auth_sess, auths, challenge)) {
 115                 ast_log(LOG_WARNING, "Failed to set authentication credentials\n");
 116                 return -1;
 117         }
 118
 119         switch (pjsip_auth_clt_reinit_req(&auth_sess, challenge,
 120                                 tsx->last_tx, new_request)) {
 121         case PJ_SUCCESS:
 122                 return 0;
 123         case PJSIP_ENOCREDENTIAL:
 124                 ast_log(LOG_WARNING, "Unable to create request with auth."
 125                                 "No auth credentials for any realms in challenge.\n");
 126                 break;
 127         case PJSIP_EAUTHSTALECOUNT:
 128                 ast_log(LOG_WARNING, "Unable to create request with auth."
 129                                 "Number of stale retries exceeded\n");
 130                 break;
 131         case PJSIP_EFAILEDCREDENTIAL:
 132                 ast_log(LOG_WARNING, "Authentication credentials not accepted by server\n");
 133                 break;
 134         default:
 135                 ast_log(LOG_WARNING, "Unable to create request with auth. Unknown failure\n");
 136                 break;
 137         }
 138
 139         return -1;
 140 }
 141
 142 static struct ast_sip_outbound_authenticator digest_authenticator = {
 143         .create_request_with_auth = digest_create_request_with_auth,
 144 };
 145
 146 static int load_module(void)
 147 {
 148         if (ast_sip_register_outbound_authenticator(&digest_authenticator)) {
 149                 return AST_MODULE_LOAD_DECLINE;
 150         }
 151         return AST_MODULE_LOAD_SUCCESS;
 152 }
 153
 154 static int unload_module(void)
 155 {
 156         ast_sip_unregister_outbound_authenticator(&digest_authenticator);
 157         return 0;
 158 }
 159
 160 AST_MODULE_INFO(ASTERISK_GPL_KEY, AST_MODFLAG_LOAD_ORDER, "PJSIP authentication resource",
 161                 .load = load_module,
 162                 .unload = unload_module,
 163                 .load_pri = AST_MODPRI_CHANNEL_DEPEND,
 164 );