[asterisk-commits] kharwell: trunk r393442 - in /trunk: include/asterisk/ res/ res/res_sip/

SVN commits to the Asterisk project asterisk-commits at lists.digium.com
Tue Jul 2 12:06:09 CDT 2013


Author: kharwell
Date: Tue Jul  2 12:06:06 2013
New Revision: 393442

URL: http://svnview.digium.com/svn/asterisk?view=rev&rev=393442
Log:
New SIP Channel driver: Always Auth Reject

If no matching endpoint is found for the incoming request Asterisk will respond
with a 401 Unauthorized (rejecting the request), but will first challenge if
no authorization creditials are given.

Changes also included moving ACL options into a new global 'security'
configuration section in res_sip.conf.

(closes issue ASTERISK-21433)
Reported by: Matt Jordan
Review: https://reviewboard.asterisk.org/r/2554/

Added:
    trunk/res/res_sip/config_security.c   (with props)
Modified:
    trunk/include/asterisk/res_sip.h
    trunk/res/res_sip.c
    trunk/res/res_sip.exports.in
    trunk/res/res_sip/config_auth.c
    trunk/res/res_sip/sip_configuration.c
    trunk/res/res_sip/sip_distributor.c
    trunk/res/res_sip_acl.c
    trunk/res/res_sip_authenticator_digest.c
    trunk/res/res_sip_outbound_authenticator_digest.c

Modified: trunk/include/asterisk/res_sip.h
URL: http://svnview.digium.com/svn/asterisk/trunk/include/asterisk/res_sip.h?view=diff&rev=393442&r1=393441&r2=393442
==============================================================================
--- trunk/include/asterisk/res_sip.h (original)
+++ trunk/include/asterisk/res_sip.h Tue Jul  2 12:06:06 2013
@@ -237,6 +237,8 @@
 	AST_SIP_AUTH_TYPE_USER_PASS,
 	/*! Credentials stored as an MD5 sum */
 	AST_SIP_AUTH_TYPE_MD5,
+	/*! Credentials not stored this is a fake auth */
+	AST_SIP_AUTH_TYPE_ARTIFICIAL
 };
 
 #define SIP_SORCERY_AUTH_TYPE "auth"
@@ -481,6 +483,17 @@
     struct ast_sip_endpoint *(*identify_endpoint)(pjsip_rx_data *rdata);
 };
 
+#define SIP_SORCERY_SECURITY_TYPE "security"
+
+/*!
+ * \brief SIP security details and configuration.
+ */
+struct ast_sip_security {
+	SORCERY_OBJECT(details);
+	struct ast_acl_list *acl;
+	struct ast_acl_list *contact_acl;
+};
+
 /*!
  * \brief Register a SIP service in Asterisk.
  *
@@ -778,6 +791,16 @@
 int ast_sip_initialize_sorcery_auth(struct ast_sorcery *sorcery);
 
 /*!
+ * \brief Initialize security support on a sorcery instance
+ *
+ * \param sorcery The sorcery instance
+ *
+ * \retval -1 failure
+ * \retval 0 success
+ */
+int ast_sip_initialize_sorcery_security(struct ast_sorcery *sorcery);
+
+/*!
  * \brief Callback called when an outbound request with authentication credentials is to be sent in dialog
  *
  * This callback will have the created request on it. The callback's purpose is to do any extra
@@ -824,6 +847,27 @@
  * \retval 0 Success
  */
 int ast_sip_initialize_distributor(void);
+
+/*!
+ * \brief Destruct the distributor module.
+ *
+ * Unregisters pjsip modules and cleans up any allocated resources.
+ */
+void ast_sip_destroy_distributor(void);
+
+/*!
+ * \brief Retrieves a reference to the artificial auth.
+ *
+ * \retval The artificial auth
+ */
+struct ast_sip_auth *ast_sip_get_artificial_auth(void);
+
+/*!
+ * \brief Retrieves a reference to the artificial endpoint.
+ *
+ * \retval The artificial endpoint
+ */
+struct ast_sip_endpoint *ast_sip_get_artificial_endpoint(void);
 
 /*!
  * \page Threading model for SIP

Modified: trunk/res/res_sip.c
URL: http://svnview.digium.com/svn/asterisk/trunk/res/res_sip.c?view=diff&rev=393442&r1=393441&r2=393442
==============================================================================
--- trunk/res/res_sip.c (original)
+++ trunk/res/res_sip.c Tue Jul  2 12:06:06 2013
@@ -1519,6 +1519,7 @@
 return AST_MODULE_LOAD_SUCCESS;
 
 error:
+	ast_sip_destroy_distributor();
 	ast_res_sip_destroy_configuration();
 	if (monitor_thread) {
 		stop_monitor_thread();
@@ -1561,6 +1562,7 @@
 
 static int unload_module(void)
 {
+	ast_sip_destroy_distributor();
 	ast_res_sip_destroy_configuration();
 	if (monitor_thread) {
 		stop_monitor_thread();

Modified: trunk/res/res_sip.exports.in
URL: http://svnview.digium.com/svn/asterisk/trunk/res/res_sip.exports.in?view=diff&rev=393442&r1=393441&r2=393442
==============================================================================
--- trunk/res/res_sip.exports.in (original)
+++ trunk/res/res_sip.exports.in Tue Jul  2 12:06:06 2013
@@ -53,6 +53,8 @@
 		LINKER_SYMBOL_PREFIXast_sip_retrieve_auths;
 		LINKER_SYMBOL_PREFIXast_sip_cleanup_auths;
 		LINKER_SYMBOL_PREFIXast_sip_is_content_type;
+		LINKER_SYMBOL_PREFIXast_sip_get_artificial_endpoint;
+		LINKER_SYMBOL_PREFIXast_sip_get_artificial_auth;
 		LINKER_SYMBOL_PREFIXast_sip_report_invalid_endpoint;
 		LINKER_SYMBOL_PREFIXast_sip_report_failed_acl;
 		LINKER_SYMBOL_PREFIXast_sip_report_auth_failed_challenge_response;

Modified: trunk/res/res_sip/config_auth.c
URL: http://svnview.digium.com/svn/asterisk/trunk/res/res_sip/config_auth.c?view=diff&rev=393442&r1=393441&r2=393442
==============================================================================
--- trunk/res/res_sip/config_auth.c (original)
+++ trunk/res/res_sip/config_auth.c Tue Jul  2 12:06:06 2013
@@ -87,6 +87,8 @@
 			res = -1;
 		}
 		break;
+	case AST_SIP_AUTH_TYPE_ARTIFICIAL:
+		break;
 	}
 
 	return res;

Added: trunk/res/res_sip/config_security.c
URL: http://svnview.digium.com/svn/asterisk/trunk/res/res_sip/config_security.c?view=auto&rev=393442
==============================================================================
--- trunk/res/res_sip/config_security.c (added)
+++ trunk/res/res_sip/config_security.c Tue Jul  2 12:06:06 2013
@@ -1,0 +1,88 @@
+/*
+ * Asterisk -- An open source telephony toolkit.
+ *
+ * Copyright (C) 2013, Digium, Inc.
+ *
+ * Mark Michelson <mmichelson at digium.com>
+ * Kevin Harwell <kharwell at digium.com>
+ *
+ * See http://www.asterisk.org for more information about
+ * the Asterisk project. Please do not directly contact
+ * any of the maintainers of this project for assistance;
+ * the project provides a web site, mailing lists and IRC
+ * channels for your use.
+ *
+ * This program is free software, distributed under the terms of
+ * the GNU General Public License Version 2. See the LICENSE file
+ * at the top of the source tree.
+ */
+
+/*** MODULEINFO
+	<depend>pjproject</depend>
+	<depend>res_sip</depend>
+	<support_level>core</support_level>
+ ***/
+#include "asterisk.h"
+
+#include <pjsip.h>
+
+#include "asterisk/res_sip.h"
+#include "asterisk/logger.h"
+#include "asterisk/sorcery.h"
+#include "asterisk/acl.h"
+
+static int acl_handler(const struct aco_option *opt, struct ast_variable *var, void *obj)
+{
+	struct ast_sip_security *security = obj;
+	int error = 0;
+	int ignore;
+	if (!strncmp(var->name, "contact", 7)) {
+		ast_append_acl(var->name + 7, var->value, &security->contact_acl, &error, &ignore);
+	} else {
+		ast_append_acl(var->name, var->value, &security->acl, &error, &ignore);
+	}
+
+	return error;
+}
+
+static void security_destroy(void *obj)
+{
+	struct ast_sip_security *security = obj;
+	security->acl = ast_free_acl_list(security->acl);
+	security->contact_acl = ast_free_acl_list(security->contact_acl);
+}
+
+static void *security_alloc(const char *name)
+{
+	struct ast_sip_security *security =
+		ast_sorcery_generic_alloc(sizeof(*security), security_destroy);
+
+	if (!security) {
+		return NULL;
+	}
+
+	return security;
+}
+
+int ast_sip_initialize_sorcery_security(struct ast_sorcery *sorcery)
+{
+	ast_sorcery_apply_default(sorcery, SIP_SORCERY_SECURITY_TYPE,
+				  "config", "res_sip.conf,criteria=type=security");
+
+	if (ast_sorcery_object_register(sorcery, SIP_SORCERY_SECURITY_TYPE,
+					security_alloc, NULL, NULL)) {
+
+		ast_log(LOG_ERROR, "Failed to register SIP %s object with sorcery\n",
+			SIP_SORCERY_SECURITY_TYPE);
+		return -1;
+	}
+
+	ast_sorcery_object_field_register(sorcery, SIP_SORCERY_SECURITY_TYPE, "type", "", OPT_NOOP_T, 0, 0);
+	ast_sorcery_object_field_register_custom(sorcery, SIP_SORCERY_SECURITY_TYPE, "permit", "", acl_handler, NULL, 0, 0);
+	ast_sorcery_object_field_register_custom(sorcery, SIP_SORCERY_SECURITY_TYPE, "deny", "", acl_handler, NULL, 0, 0);
+	ast_sorcery_object_field_register_custom(sorcery, SIP_SORCERY_SECURITY_TYPE, "acl", "", acl_handler, NULL, 0, 0);
+	ast_sorcery_object_field_register_custom(sorcery, SIP_SORCERY_SECURITY_TYPE, "contactpermit", "", acl_handler, NULL, 0, 0);
+	ast_sorcery_object_field_register_custom(sorcery, SIP_SORCERY_SECURITY_TYPE, "contactdeny", "", acl_handler, NULL, 0, 0);
+	ast_sorcery_object_field_register_custom(sorcery, SIP_SORCERY_SECURITY_TYPE, "contactacl", "", acl_handler, NULL, 0, 0);
+	return 0;
+}

Propchange: trunk/res/res_sip/config_security.c
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: trunk/res/res_sip/config_security.c
------------------------------------------------------------------------------
    svn:keywords = Author Date Id Rev URL

Propchange: trunk/res/res_sip/config_security.c
------------------------------------------------------------------------------
    svn:mime-type = text/plain

Modified: trunk/res/res_sip/sip_configuration.c
URL: http://svnview.digium.com/svn/asterisk/trunk/res/res_sip/sip_configuration.c?view=diff&rev=393442&r1=393441&r2=393442
==============================================================================
--- trunk/res/res_sip/sip_configuration.c (original)
+++ trunk/res/res_sip/sip_configuration.c Tue Jul  2 12:06:06 2013
@@ -281,6 +281,11 @@
 static void destroy_auths(const char **auths, size_t num_auths)
 {
 	int i;
+
+	if (!auths) {
+		return;
+	}
+
 	for (i = 0; i < num_auths; ++i) {
 		ast_free((char *) auths[i]);
 	}
@@ -684,6 +689,13 @@
 		return -1;
 	}
 
+	if (ast_sip_initialize_sorcery_security(sip_sorcery)) {
+		ast_log(LOG_ERROR, "Failed to register SIP security support\n");
+		ast_sorcery_unref(sip_sorcery);
+		sip_sorcery = NULL;
+		return -1;
+	}
+
 	ast_sorcery_load(sip_sorcery);
 
 	return 0;

Modified: trunk/res/res_sip/sip_distributor.c
URL: http://svnview.digium.com/svn/asterisk/trunk/res/res_sip/sip_distributor.c?view=diff&rev=393442&r1=393441&r2=393442
==============================================================================
--- trunk/res/res_sip/sip_distributor.c (original)
+++ trunk/res/res_sip/sip_distributor.c Tue Jul  2 12:06:06 2013
@@ -59,7 +59,7 @@
 {
 	struct distributor_dialog_data *dist;
 	SCOPED_LOCK(lock, dlg, pjsip_dlg_inc_lock, pjsip_dlg_dec_lock);
-	
+
 	dist = pjsip_dlg_get_mod_data(dlg, distributor_mod.id);
 	if (!dist) {
 		dist = distributor_dialog_data_alloc(dlg);
@@ -71,7 +71,7 @@
 {
 	struct distributor_dialog_data *dist;
 	SCOPED_LOCK(lock, dlg, pjsip_dlg_inc_lock, pjsip_dlg_dec_lock);
-	
+
 	dist = pjsip_dlg_get_mod_data(dlg, distributor_mod.id);
 	if (!dist) {
 		dist = distributor_dialog_data_alloc(dlg);
@@ -125,6 +125,48 @@
 	.on_rx_request = endpoint_lookup,
 };
 
+static struct ast_sip_auth *artificial_auth;
+
+static int create_artificial_auth(void)
+{
+	if (!(artificial_auth = ast_sorcery_alloc(
+		      ast_sip_get_sorcery(), SIP_SORCERY_AUTH_TYPE, "artificial"))) {
+		ast_log(LOG_ERROR, "Unable to create artificial auth\n");
+		return -1;
+	}
+
+	ast_string_field_set(artificial_auth, realm, "asterisk");
+	ast_string_field_set(artificial_auth, auth_user, "");
+	ast_string_field_set(artificial_auth, auth_pass, "");
+	artificial_auth->type = AST_SIP_AUTH_TYPE_ARTIFICIAL;
+	return 0;
+}
+
+struct ast_sip_auth *ast_sip_get_artificial_auth(void)
+{
+	ao2_ref(artificial_auth, +1);
+	return artificial_auth;
+}
+
+static struct ast_sip_endpoint *artificial_endpoint;
+
+static int create_artificial_endpoint(void)
+{
+	if (!(artificial_endpoint = ast_sorcery_alloc(
+		      ast_sip_get_sorcery(), "endpoint", NULL))) {
+		return -1;
+	}
+
+	artificial_endpoint->num_inbound_auths = 1;
+	return 0;
+}
+
+struct ast_sip_endpoint *ast_sip_get_artificial_endpoint(void)
+{
+	ao2_ref(artificial_endpoint, +1);
+	return artificial_endpoint;
+}
+
 static pj_bool_t endpoint_lookup(pjsip_rx_data *rdata)
 {
 	struct ast_sip_endpoint *endpoint;
@@ -143,11 +185,12 @@
 		char name[AST_UUID_STR_LEN] = "";
 		pjsip_uri *from = rdata->msg_info.from->uri;
 
-		/* XXX When we do an alwaysauthreject-like option, we'll need to take that into account
-		 * for this response. Either that, or have a pseudo-endpoint to pass along so that authentication
-		 * will fail
-		 */
-		pjsip_endpt_respond_stateless(ast_sip_get_pjsip_endpoint(), rdata, 403, NULL, NULL, NULL);
+		/* always use an artificial endpoint - per discussion no reason
+		   to have "alwaysauthreject" as an option.  It is felt using it
+		   was a bug fix and it is not needed since we are not worried about
+		   breaking old stuff and we really don't want to enable the discovery
+		   of SIP accounts */
+		endpoint = ast_sip_get_artificial_endpoint();
 
 		if (PJSIP_URI_SCHEME_IS_SIP(from) || PJSIP_URI_SCHEME_IS_SIPS(from)) {
 			pjsip_sip_uri *sip_from = pjsip_uri_get_uri(from);
@@ -155,7 +198,6 @@
 		}
 
 		ast_sip_report_invalid_endpoint(name, rdata);
-		return PJ_TRUE;
 	}
 	rdata->endpt_info.mod_data[endpoint_mod.id] = endpoint;
 	return PJ_FALSE;
@@ -183,8 +225,7 @@
 			return PJ_FALSE;
 		case AST_SIP_AUTHENTICATION_FAILED:
 			ast_sip_report_auth_failed_challenge_response(endpoint, rdata);
-			pjsip_tx_data_dec_ref(tdata);
-			pjsip_endpt_respond_stateless(ast_sip_get_pjsip_endpoint(), rdata, 403, NULL, NULL, NULL);
+			pjsip_endpt_send_response2(ast_sip_get_pjsip_endpoint(), rdata, tdata, NULL, NULL);
 			return PJ_TRUE;
 		case AST_SIP_AUTHENTICATION_ERROR:
 			ast_sip_report_auth_failed_challenge_response(endpoint, rdata);
@@ -240,6 +281,10 @@
 
 int ast_sip_initialize_distributor(void)
 {
+	if (create_artificial_endpoint() || create_artificial_auth()) {
+		return -1;
+	}
+
 	if (ast_sip_register_service(&distributor_mod)) {
 		return -1;
 	}
@@ -249,5 +294,16 @@
 	if (ast_sip_register_service(&auth_mod)) {
 		return -1;
 	}
+
 	return 0;
 }
+
+void ast_sip_destroy_distributor(void)
+{
+	ast_sip_unregister_service(&distributor_mod);
+	ast_sip_unregister_service(&endpoint_mod);
+	ast_sip_unregister_service(&auth_mod);
+
+	ao2_cleanup(artificial_auth);
+	ao2_cleanup(artificial_endpoint);
+}

Modified: trunk/res/res_sip_acl.c
URL: http://svnview.digium.com/svn/asterisk/trunk/res/res_sip_acl.c?view=diff&rev=393442&r1=393441&r2=393442
==============================================================================
--- trunk/res/res_sip_acl.c (original)
+++ trunk/res/res_sip_acl.c Tue Jul  2 12:06:06 2013
@@ -77,18 +77,12 @@
 					<synopsis>List of IP-domains to allow access from</synopsis>
 				</configOption>
 				<configOption name="type">
-					<synopsis>Must be of type 'acl'.</synopsis>
+					<synopsis>Must be of type 'security'.</synopsis>
 				</configOption>
 			</configObject>
 		</configFile>
 	</configInfo>
  ***/
-
-struct sip_acl {
-	SORCERY_OBJECT(details);
-	struct ast_acl_list *acl;
-	struct ast_acl_list *contact_acl;
-};
 
 static int apply_acl(pjsip_rx_data *rdata, struct ast_acl_list *acl)
 {
@@ -161,10 +155,11 @@
 
 static int check_acls(void *obj, void *arg, int flags)
 {
-	struct sip_acl *acl = obj;
+	struct ast_sip_security *security = obj;
 	pjsip_rx_data *rdata = arg;
 
-	if (apply_acl(rdata, acl->acl) || apply_contact_acl(rdata, acl->contact_acl)) {
+	if (apply_acl(rdata, security->acl) ||
+	    apply_contact_acl(rdata, security->contact_acl)) {
 		return CMP_MATCH | CMP_STOP;
 	}
 	return 0;
@@ -172,22 +167,17 @@
 
 static pj_bool_t acl_on_rx_msg(pjsip_rx_data *rdata)
 {
-	int forbidden = 0;
-	struct ao2_container *acls = ast_sorcery_retrieve_by_fields(ast_sip_get_sorcery(), "acl", AST_RETRIEVE_FLAG_MULTIPLE | AST_RETRIEVE_FLAG_ALL, NULL);
-	struct sip_acl *matched_acl;
+	RAII_VAR(struct ao2_container *, acls, ast_sorcery_retrieve_by_fields(
+			 ast_sip_get_sorcery(), SIP_SORCERY_SECURITY_TYPE,
+			 AST_RETRIEVE_FLAG_MULTIPLE | AST_RETRIEVE_FLAG_ALL, NULL), ao2_cleanup);
+	RAII_VAR(struct ast_sip_security *, matched_acl, NULL, ao2_cleanup);
+
 	if (!acls) {
 		ast_log(LOG_ERROR, "Unable to retrieve ACL sorcery data\n");
 		return PJ_FALSE;
 	}
 
-	matched_acl = ao2_callback(acls, 0, check_acls, rdata);
-	if (matched_acl) {
-		forbidden = 1;
-		ao2_ref(matched_acl, -1);
-	}
-	ao2_ref(acls, -1);
-
-	if (forbidden) {
+	if ((matched_acl = ao2_callback(acls, 0, check_acls, rdata))) {
 		if (rdata->msg_info.msg->line.req.method.id != PJSIP_ACK_METHOD) {
 			pjsip_endpt_respond_stateless(ast_sip_get_pjsip_endpoint(), rdata, 403, NULL, NULL, NULL);
 		}
@@ -204,60 +194,8 @@
 	.on_rx_request = acl_on_rx_msg,
 };
 
-static int acl_handler(const struct aco_option *opt, struct ast_variable *var, void *obj)
-{
-	struct sip_acl *acl = obj;
-	int error;
-	int ignore;
-	if (!strncmp(var->name, "contact", 7)) {
-		ast_append_acl(var->name + 7, var->value, &acl->contact_acl, &error, &ignore);
-	} else {
-		ast_append_acl(var->name, var->value, &acl->acl, &error, &ignore);
-	}
-	return error;
-}
-
-static void sip_acl_destructor(void *obj)
-{
-	struct sip_acl *acl = obj;
-	acl->acl = ast_free_acl_list(acl->acl);
-	acl->contact_acl = ast_free_acl_list(acl->contact_acl);
-}
-
-static void *sip_acl_alloc(const char *name)
-{
-	struct sip_acl *acl = ast_sorcery_generic_alloc(sizeof(*acl), sip_acl_destructor);
-	if (!acl) {
-		return NULL;
-	}
-	return acl;
-}
-
-static int load_acls(void)
-{
-	ast_sorcery_apply_default(ast_sip_get_sorcery(), "acl", "config", "res_sip.conf,criteria=type=acl");
-	if (ast_sorcery_object_register(ast_sip_get_sorcery(), "acl", sip_acl_alloc, NULL, NULL)) {
-		ast_log(LOG_ERROR, "Failed to register SIP ACL object with sorcery\n");
-		return -1;
-	}
-	ast_sorcery_object_field_register(ast_sip_get_sorcery(), "acl", "type", "", OPT_NOOP_T, 0, 0);
-	ast_sorcery_object_field_register_custom(ast_sip_get_sorcery(), "acl", "permit", "", acl_handler, NULL, 0, 0);
-	ast_sorcery_object_field_register_custom(ast_sip_get_sorcery(), "acl", "deny", "", acl_handler, NULL, 0, 0);
-	ast_sorcery_object_field_register_custom(ast_sip_get_sorcery(), "acl", "acl", "", acl_handler, NULL, 0, 0);
-	ast_sorcery_object_field_register_custom(ast_sip_get_sorcery(), "acl", "contactpermit", "", acl_handler, NULL, 0, 0);
-	ast_sorcery_object_field_register_custom(ast_sip_get_sorcery(), "acl", "contactdeny", "", acl_handler, NULL, 0, 0);
-	ast_sorcery_object_field_register_custom(ast_sip_get_sorcery(), "acl", "contactacl", "", acl_handler, NULL, 0, 0);
-
-	/* XXX Is there a more selective way to do this? (i.e. Just reload a specific object type?) */
-	ast_sorcery_reload(ast_sip_get_sorcery());
-	return 0;
-}
-
 static int load_module(void)
 {
-	if (load_acls()) {
-		return AST_MODULE_LOAD_DECLINE;
-	}
 	ast_sip_register_service(&acl_module);
 	return AST_MODULE_LOAD_SUCCESS;
 }

Modified: trunk/res/res_sip_authenticator_digest.c
URL: http://svnview.digium.com/svn/asterisk/trunk/res/res_sip_authenticator_digest.c?view=diff&rev=393442&r1=393441&r2=393442
==============================================================================
--- trunk/res/res_sip_authenticator_digest.c (original)
+++ trunk/res/res_sip_authenticator_digest.c Tue Jul  2 12:06:06 2013
@@ -146,6 +146,10 @@
 {
 	RAII_VAR(struct ast_sip_auth *, auth, get_auth(), ao2_cleanup);
 	if (!auth) {
+		return PJSIP_SC_FORBIDDEN;
+	}
+
+	if (auth->type == AST_SIP_AUTH_TYPE_ARTIFICIAL) {
 		return PJSIP_SC_FORBIDDEN;
 	}
 
@@ -268,12 +272,12 @@
 /*!
  * \brief Common code for initializing a pjsip_auth_srv
  */
-static void setup_auth_srv(pj_pool_t *pool, pjsip_auth_srv *auth_server, const struct ast_sip_auth *auth)
-{
-	pj_str_t realm;
-	pj_cstr(&realm, auth->realm);
-
-	pjsip_auth_srv_init(pool, auth_server, &realm, digest_lookup, 0);
+static void setup_auth_srv(pj_pool_t *pool, pjsip_auth_srv *auth_server, const char *realm)
+{
+	pj_str_t realm_str;
+	pj_cstr(&realm_str, realm);
+
+	pjsip_auth_srv_init(pool, auth_server, &realm_str, digest_lookup, 0);
 }
 
 /*!
@@ -311,7 +315,7 @@
 		stale = 1;
 	}
 
-	setup_auth_srv(pool, &auth_server, auth);
+	setup_auth_srv(pool, &auth_server, auth->realm);
 
 	store_auth(auth);
 
@@ -332,12 +336,12 @@
 /*!
  * \brief astobj2 callback for adding digest challenges to responses
  *
- * \param auth The ast_aip_auth to build a challenge from
+ * \param realm An auth's realm to build a challenge from
  * \param tdata The response to add the challenge to
  * \param rdata The request the challenge is in response to
  * \param is_stale Indicates whether nonce on incoming request was stale
  */
-static void challenge(const struct ast_sip_auth *auth, pjsip_tx_data *tdata, const pjsip_rx_data *rdata, int is_stale)
+static void challenge(const char *realm, pjsip_tx_data *tdata, const pjsip_rx_data *rdata, int is_stale)
 {
 	pj_str_t qop;
 	pj_str_t pj_nonce;
@@ -347,9 +351,9 @@
 	time_t timestamp = time(NULL);
 	snprintf(time_buf, sizeof(time_buf), "%d", (int) timestamp);
 
-	build_nonce(&nonce, time_buf, rdata, auth->realm);
-
-	setup_auth_srv(tdata->pool, &auth_server, auth);
+	build_nonce(&nonce, time_buf, rdata, realm);
+
+	setup_auth_srv(tdata->pool, &auth_server, realm);
 
 	pj_cstr(&pj_nonce, ast_str_buffer(nonce));
 	pj_cstr(&qop, "auth");
@@ -362,22 +366,30 @@
  * This function will check an incoming message against configured authentication
  * options. If \b any of the incoming Authorization headers result in successful
  * authentication, then authentication is considered successful.
- * 
+ *
  * \see ast_sip_check_authentication
  */
 static enum ast_sip_check_auth_result digest_check_auth(struct ast_sip_endpoint *endpoint,
 		pjsip_rx_data *rdata, pjsip_tx_data *tdata)
 {
-	struct ast_sip_auth **auths = ast_alloca(endpoint->num_inbound_auths * sizeof(*auths));
-	enum digest_verify_result *verify_res = ast_alloca(endpoint->num_inbound_auths * sizeof(*verify_res));
+	struct ast_sip_auth **auths;
+	enum digest_verify_result *verify_res;
 	enum ast_sip_check_auth_result res;
 	int i;
 
+	RAII_VAR(struct ast_sip_endpoint *, artificial_endpoint,
+		 ast_sip_get_artificial_endpoint(), ao2_cleanup);
+
+	auths = ast_alloca(endpoint->num_inbound_auths * sizeof(*auths));
+	verify_res = ast_alloca(endpoint->num_inbound_auths * sizeof(*verify_res));
+
 	if (!auths) {
 		return AST_SIP_AUTHENTICATION_ERROR;
 	}
 
-	if (ast_sip_retrieve_auths(endpoint->sip_inbound_auths, endpoint->num_inbound_auths, auths)) {
+	if (endpoint == artificial_endpoint) {
+		auths[0] = ast_sip_get_artificial_auth();
+	} else if (ast_sip_retrieve_auths(endpoint->sip_inbound_auths, endpoint->num_inbound_auths, auths)) {
 		res = AST_SIP_AUTHENTICATION_ERROR;
 		goto cleanup;
 	}
@@ -391,9 +403,9 @@
 	}
 
 	for (i = 0; i < endpoint->num_inbound_auths; ++i) {
-		challenge(auths[i], tdata, rdata, verify_res[i] == AUTH_STALE);
-	}
-	
+		challenge(auths[i]->realm, tdata, rdata, verify_res[i] == AUTH_STALE);
+	}
+
 	res = AST_SIP_AUTHENTICATION_CHALLENGE;
 
 cleanup:

Modified: trunk/res/res_sip_outbound_authenticator_digest.c
URL: http://svnview.digium.com/svn/asterisk/trunk/res/res_sip_outbound_authenticator_digest.c?view=diff&rev=393442&r1=393441&r2=393442
==============================================================================
--- trunk/res/res_sip_outbound_authenticator_digest.c (original)
+++ trunk/res/res_sip_outbound_authenticator_digest.c Tue Jul  2 12:06:06 2013
@@ -55,6 +55,9 @@
 		case AST_SIP_AUTH_TYPE_MD5:
 			pj_cstr(&auth_creds[i].data, auths[i]->md5_creds);
 			auth_creds[i].data_type = PJSIP_CRED_DATA_DIGEST;
+			break;
+		case AST_SIP_AUTH_TYPE_ARTIFICIAL:
+			ast_log(LOG_ERROR, "Trying to set artificial outbound auth credentials shouldn't happen.\n");
 			break;
 		}
 	}




More information about the asterisk-commits mailing list