Asterisk - The Open Source Telephony Project GIT-master-3dae2cf
|
#include "asterisk.h"
#include <pjsip.h>
#include "asterisk/res_pjsip.h"
#include "asterisk/logger.h"
#include "asterisk/module.h"
#include "asterisk/strings.h"
#include "asterisk/test.h"
Go to the source code of this file.
Enumerations | |
enum | digest_verify_result { AUTH_FAIL = 0 , AUTH_SUCCESS , AUTH_STALE , AUTH_NOAUTH } |
Result of digest verification. More... | |
Functions | |
static void | __init_auth_store (void) |
Thread-local storage for ast_sip_auth. More... | |
static void | __reg_module (void) |
static void | __unreg_module (void) |
AO2_GLOBAL_OBJ_STATIC (entity_id) | |
struct ast_module * | AST_MODULE_SELF_SYM (void) |
static void | auth_store_cleanup (void *data) |
static int | build_entity_id (void) |
static int | build_nonce (struct ast_str **nonce, const char *timestamp, const pjsip_rx_data *rdata, const char *realm) |
Calculate a nonce. More... | |
static void | challenge (const char *realm, pjsip_tx_data *tdata, const pjsip_rx_data *rdata, int is_stale) |
astobj2 callback for adding digest challenges to responses More... | |
static int | check_nonce (const char *candidate, const pjsip_rx_data *rdata, const struct ast_sip_auth *auth) |
Ensure that a nonce on an incoming request is sane. More... | |
static enum ast_sip_check_auth_result | digest_check_auth (struct ast_sip_endpoint *endpoint, pjsip_rx_data *rdata, pjsip_tx_data *tdata) |
Check authentication using Digest scheme. More... | |
static pj_status_t | digest_lookup (pj_pool_t *pool, const pj_str_t *realm, const pj_str_t *acc_name, pjsip_cred_info *info) |
Lookup callback for authentication verification. More... | |
static int | digest_requires_authentication (struct ast_sip_endpoint *endpoint, pjsip_rx_data *rdata) |
Determine if authentication is required. More... | |
static int | find_challenge (const pjsip_rx_data *rdata, const struct ast_sip_auth *auth) |
static const struct ast_sip_auth * | get_auth (void) |
Retrieve shallow copy authentication information from thread-local storage. More... | |
static void | global_loaded (const char *object_type) |
static int | load_module (void) |
static int | reload_module (void) |
static int | remove_auth (void) |
Remove shallow copy authentication information from thread-local storage. More... | |
static void | setup_auth_srv (pj_pool_t *pool, pjsip_auth_srv *auth_server, const char *realm) |
Common code for initializing a pjsip_auth_srv. More... | |
static int | store_auth (const struct ast_sip_auth *auth) |
Store shallow copy authentication information in thread-local storage. More... | |
static int | unload_module (void) |
static int | verify (const struct ast_sip_auth *auth, pjsip_rx_data *rdata, pj_pool_t *pool) |
astobj2 callback for verifying incoming credentials More... | |
Variables | |
static struct ast_module_info | __mod_info = { .name = AST_MODULE, .flags = AST_MODFLAG_LOAD_ORDER , .description = "PJSIP authentication resource" , .key = "This paragraph is copyright (c) 2006 by Digium, Inc. \In order for your module to load, it must return this \key via a function called \"key\". Any code which \includes this paragraph must be licensed under the GNU \General Public License version 2 or later (at your \option). In addition to Digium's general reservations \of rights, Digium expressly reserves the right to \allow other parties to license this paragraph under \different terms. Any use of Digium, Inc. trademarks or \logos (including \"Asterisk\" or \"Digium\") without \express written permission of Digium, Inc. is prohibited.\n" , .buildopt_sum = AST_BUILDOPT_SUM, .support_level = AST_MODULE_SUPPORT_CORE, .load = load_module, .unload = unload_module, .reload = reload_module, .load_pri = AST_MODPRI_CHANNEL_DEPEND - 5, .requires = "res_pjsip", } |
static const struct ast_module_info * | ast_module_info = &__mod_info |
static struct ast_threadstorage | auth_store = { .once = PTHREAD_ONCE_INIT , .key_init = __init_auth_store , .custom_init = NULL , } |
static char | default_realm [AST_SIP_AUTH_MAX_REALM_LENGTH+1] |
static struct ast_sip_authenticator | digest_authenticator |
static struct ast_sorcery_observer | global_observer |
Observer which is used to update our default_realm when the global setting changes. More... | |
static char * | verify_result_str [] |
enum digest_verify_result |
Result of digest verification.
Definition at line 297 of file res_pjsip_authenticator_digest.c.
|
static |
Thread-local storage for ast_sip_auth.
The PJSIP authentication API is a bit annoying. When you set up an authentication server, you specify a lookup callback to call into when verifying incoming credentials. The problem with this callback is that it only gives you the realm and authentication username. In 2.0.5, there is a new version of the callback you can use that gives the pjsip_rx_data in addition.
Unfortunately, the data we actually need is the ast_sip_auth we are currently observing. So we have two choices: 1) Use the current PJSIP API and use thread-local storage to temporarily store our SIP authentication information. Then in the callback, we can retrieve the authentication info and use as needed. Given our threading model, this is safe. 2) Use the 2.0.5 API and temporarily store the authentication information in the rdata's endpoint_info. Then in the callback, we can retrieve the authentication info from the rdata.
I've chosen option 1 since it does not require backporting any APIs from future versions of PJSIP, plus I feel the thread-local option is a bit cleaner.
Definition at line 86 of file res_pjsip_authenticator_digest.c.
|
static |
Definition at line 572 of file res_pjsip_authenticator_digest.c.
|
static |
Definition at line 572 of file res_pjsip_authenticator_digest.c.
AO2_GLOBAL_OBJ_STATIC | ( | entity_id | ) |
struct ast_module * AST_MODULE_SELF_SYM | ( | void | ) |
Definition at line 572 of file res_pjsip_authenticator_digest.c.
|
static |
Definition at line 52 of file res_pjsip_authenticator_digest.c.
References ao2_cleanup, and ast_free.
|
static |
Definition at line 508 of file res_pjsip_authenticator_digest.c.
References ao2_alloc, ao2_global_obj_replace_unref, ao2_ref, ast_uuid_generate_str(), AST_UUID_STR_LEN, and NULL.
Referenced by load_module(), and reload_module().
|
static |
Calculate a nonce.
We use this in order to create authentication challenges. We also use this in order to verify that an incoming request with credentials could be in response to one of our challenges.
The nonce is calculated from a timestamp, the source IP address, the source port, a unique ID for us, and the realm. This helps to ensure that the incoming request is from the same source that the nonce was calculated for. Including the realm ensures that multiple challenges to the same request have different nonces.
nonce | |
timestamp | A UNIX timestamp expressed as a string |
rdata | The incoming request |
realm | The realm for which authentication should occur |
Definition at line 205 of file res_pjsip_authenticator_digest.c.
References ao2_cleanup, ao2_global_obj_ref, ast_md5_hash(), ast_str_alloca, ast_str_append(), ast_str_buffer(), RAII_VAR, and str.
Referenced by challenge(), and check_nonce().
|
static |
astobj2 callback for adding digest challenges to responses
realm | An auth's realm to build a challenge from |
tdata | The response to add the challenge to |
rdata | The request the challenge is in response to |
is_stale | Indicates whether nonce on incoming request was stale |
Definition at line 376 of file res_pjsip_authenticator_digest.c.
References ast_str_alloca, ast_str_buffer(), build_nonce(), NULL, and setup_auth_srv().
Referenced by ast_sip_create_request_with_auth(), authenticate(), authenticate_reply(), authenticate_request(), decrypt_frame(), digest_check_auth(), digest_create_request_with_auth(), get_auth_search_type(), manager_login(), register_verify(), registry_authrequest(), registry_rerequest(), send_request_cb(), and set_outbound_authentication_credentials().
|
static |
Ensure that a nonce on an incoming request is sane.
The nonce in an incoming Authorization header needs to pass some scrutiny in order for us to consider accepting it. What we do is re-build a nonce based on request data and a realm and see if it matches the nonce they sent us.
candidate | The nonce on an incoming request |
rdata | The incoming request |
auth | The auth credentials we are trying to match against. |
0 | Nonce does not pass validity checks |
1 | Nonce passes validity check |
Definition at line 237 of file res_pjsip_authenticator_digest.c.
References ast_debug, ast_str_alloca, ast_str_buffer(), ast_strdupa, build_nonce(), copy(), ast_sip_auth::nonce_lifetime, NULL, ast_sip_auth::realm, and strsep().
Referenced by find_challenge().
|
static |
Check authentication using Digest scheme.
This function will check an incoming message against configured authentication options. If any of the incoming Authorization headers result in successful authentication, then authentication is considered successful.
Definition at line 404 of file res_pjsip_authenticator_digest.c.
References ao2_ref, artificial_endpoint, ast_alloca, ast_assert, ast_debug, AST_SIP_AUTHENTICATION_CHALLENGE, AST_SIP_AUTHENTICATION_ERROR, AST_SIP_AUTHENTICATION_FAILED, AST_SIP_AUTHENTICATION_SUCCESS, ast_sip_cleanup_auths(), ast_sip_get_artificial_auth(), ast_sip_get_artificial_endpoint(), ast_sip_retrieve_auths(), ast_sorcery_object_get_id(), ast_strlen_zero(), AST_VECTOR_SIZE, AUTH_FAIL, AUTH_STALE, AUTH_SUCCESS, challenge(), cleanup(), default_realm, ast_sip_endpoint::inbound_auths, and verify().
|
static |
Lookup callback for authentication verification.
This function is called when we call pjsip_auth_srv_verify(). It expects us to verify that the realm and account name from the Authorization header is correct. We are then supposed to supply a password or MD5 sum of credentials.
pool | A memory pool we can use for allocations | |
realm | The realm from the Authorization header | |
acc_name | the user from the Authorization header | |
[out] | info | The credentials we need to fill in |
PJ_SUCCESS | Successful authentication |
other | Unsuccessful |
Definition at line 149 of file res_pjsip_authenticator_digest.c.
References AST_SIP_AUTH_TYPE_ARTIFICIAL, AST_SIP_AUTH_TYPE_MD5, AST_SIP_AUTH_TYPE_USER_PASS, ast_sip_auth::auth_pass, ast_sip_auth::auth_user, get_auth(), sip_to_pjsip::info(), ast_sip_auth::md5_creds, ast_sip_auth::realm, and ast_sip_auth::type.
Referenced by setup_auth_srv().
|
static |
Determine if authentication is required.
Authentication is required if the endpoint has at least one auth section specified
Definition at line 45 of file res_pjsip_authenticator_digest.c.
References ao2_cleanup, ast_sip_get_artificial_endpoint(), AST_VECTOR_SIZE, ast_sip_endpoint::inbound_auths, and RAII_VAR.
|
static |
Definition at line 266 of file res_pjsip_authenticator_digest.c.
References ast_copy_pj_str(), check_nonce(), ast_sip_auth::realm, and while().
Referenced by verify().
|
static |
Retrieve shallow copy authentication information from thread-local storage.
Definition at line 123 of file res_pjsip_authenticator_digest.c.
References ast_threadstorage_get(), auth_store, and NULL.
Referenced by digest_lookup().
|
static |
Definition at line 523 of file res_pjsip_authenticator_digest.c.
References ast_sip_get_default_realm(), and default_realm.
|
static |
Definition at line 541 of file res_pjsip_authenticator_digest.c.
References ao2_global_obj_release, AST_MODULE_LOAD_DECLINE, AST_MODULE_LOAD_SUCCESS, ast_sip_get_sorcery(), ast_sip_register_authenticator(), ast_sorcery_observer_add(), ast_sorcery_reload_object(), build_entity_id(), digest_authenticator, and global_observer.
|
static |
Definition at line 533 of file res_pjsip_authenticator_digest.c.
References build_entity_id().
|
static |
Remove shallow copy authentication information from thread-local storage.
Definition at line 107 of file res_pjsip_authenticator_digest.c.
References ast_threadstorage_get(), auth_store, and NULL.
Referenced by verify().
|
static |
Common code for initializing a pjsip_auth_srv.
Definition at line 286 of file res_pjsip_authenticator_digest.c.
References digest_lookup().
Referenced by challenge(), and verify().
|
static |
Store shallow copy authentication information in thread-local storage.
Definition at line 91 of file res_pjsip_authenticator_digest.c.
References ast_threadstorage_get(), and auth_store.
Referenced by verify().
|
static |
Definition at line 557 of file res_pjsip_authenticator_digest.c.
References ao2_global_obj_release, ast_sip_get_sorcery(), ast_sip_unregister_authenticator(), ast_sorcery_observer_remove(), digest_authenticator, and global_observer.
|
static |
astobj2 callback for verifying incoming credentials
auth | The ast_sip_auth to check against |
rdata | The incoming request |
pool | A pool to use for the auth server |
Definition at line 323 of file res_pjsip_authenticator_digest.c.
References ast_debug, ast_test_suite_event_notify, AUTH_FAIL, AUTH_NOAUTH, AUTH_STALE, AUTH_SUCCESS, ast_sip_auth::auth_user, find_challenge(), ast_sip_auth::realm, remove_auth(), setup_auth_srv(), store_auth(), and verify_result_str.
Referenced by digest_check_auth().
|
static |
Definition at line 572 of file res_pjsip_authenticator_digest.c.
|
static |
Definition at line 572 of file res_pjsip_authenticator_digest.c.
|
static |
Definition at line 86 of file res_pjsip_authenticator_digest.c.
Referenced by get_auth(), remove_auth(), and store_auth().
|
static |
Definition at line 35 of file res_pjsip_authenticator_digest.c.
Referenced by alloc_artificial_auth(), ast_sip_initialize_sorcery_global(), create_artificial_auth(), digest_check_auth(), and global_loaded().
|
static |
Definition at line 503 of file res_pjsip_authenticator_digest.c.
Referenced by load_module(), and unload_module().
|
static |
Observer which is used to update our default_realm when the global setting changes.
Definition at line 529 of file res_pjsip_authenticator_digest.c.
Referenced by load_module(), and unload_module().
|
static |
Definition at line 308 of file res_pjsip_authenticator_digest.c.
Referenced by verify().