[asterisk-commits] kharwell: branch kharwell/pimp_sip_security r389037 - in /team/kharwell/pimp_...
SVN commits to the Asterisk project
asterisk-commits at lists.digium.com
Fri May 17 18:03:04 CDT 2013
Author: kharwell
Date: Fri May 17 18:03:00 2013
New Revision: 389037
URL: http://svnview.digium.com/svn/asterisk?view=rev&rev=389037
Log:
alwaysauthrejection feature added, also combined this feature and acl configuration under a security config
Added:
team/kharwell/pimp_sip_security/res/res_sip/config_security.c (with props)
Modified:
team/kharwell/pimp_sip_security/include/asterisk/res_sip.h
team/kharwell/pimp_sip_security/res/res_sip/sip_configuration.c
team/kharwell/pimp_sip_security/res/res_sip/sip_distributor.c
team/kharwell/pimp_sip_security/res/res_sip_acl.c
team/kharwell/pimp_sip_security/res/res_sip_authenticator_digest.c
Modified: team/kharwell/pimp_sip_security/include/asterisk/res_sip.h
URL: http://svnview.digium.com/svn/asterisk/team/kharwell/pimp_sip_security/include/asterisk/res_sip.h?view=diff&rev=389037&r1=389036&r2=389037
==============================================================================
--- team/kharwell/pimp_sip_security/include/asterisk/res_sip.h (original)
+++ team/kharwell/pimp_sip_security/include/asterisk/res_sip.h Fri May 17 18:03:00 2013
@@ -277,6 +277,16 @@
};
/*!
+ * \brief Endpoint type enumeration.
+ */
+enum ast_sip_endpoint_type {
+ /*! Identifies an endpoint as authentic */
+ AUTHENTIC,
+ /*! Identifies an endpoint as artificial */
+ ARTIFICIAL
+};
+
+/*!
* \brief An entity with which Asterisk communicates
*/
struct ast_sip_endpoint {
@@ -297,6 +307,8 @@
/*! Configured voicemail boxes for this endpoint. Used for MWI */
AST_STRING_FIELD(mailboxes);
);
+ /*! The type of endpoint */
+ enum ast_sip_endpoint_type type;
/*! Identification information for this endpoint */
struct ast_party_id id;
/*! Domain to which this endpoint belongs */
@@ -442,6 +454,21 @@
struct ast_sip_endpoint *(*identify_endpoint)(pjsip_rx_data *rdata);
};
+#define SIP_SORCERY_SECURITY_TYPE "security"
+
+/*!
+ * \brief SIP security details and configuration.
+ */
+struct ast_sip_security {
+ SORCERY_OBJECT(details);
+ struct ast_acl_list *acl;
+ struct ast_acl_list *contact_acl;
+
+ /*! If true always reject in a way so that the requester doesn't know if
+ there was a matching peer */
+ int alwaysauthreject;
+};
+
/*!
* \brief Register a SIP service in Asterisk.
*
@@ -727,6 +754,16 @@
* \retval 0 success
*/
int ast_sip_initialize_sorcery_auth(struct ast_sorcery *sorcery);
+
+/*!
+ * \brief Initialize security support on a sorcery instance
+ *
+ * \param sorcery The sorcery instance
+ *
+ * \retval -1 failure
+ * \retval 0 success
+ */
+int ast_sip_initialize_sorcery_security(struct ast_sorcery *sorcery);
/*!
* \brief Callback called when an outbound request with authentication credentials is to be sent in dialog
Added: team/kharwell/pimp_sip_security/res/res_sip/config_security.c
URL: http://svnview.digium.com/svn/asterisk/team/kharwell/pimp_sip_security/res/res_sip/config_security.c?view=auto&rev=389037
==============================================================================
--- team/kharwell/pimp_sip_security/res/res_sip/config_security.c (added)
+++ team/kharwell/pimp_sip_security/res/res_sip/config_security.c Fri May 17 18:03:00 2013
@@ -1,0 +1,90 @@
+/*
+ * Asterisk -- An open source telephony toolkit.
+ *
+ * Copyright (C) 2013, Digium, Inc.
+ *
+ * Mark Michelson <mmichelson at digium.com>
+ * Kevin Harwell <kharwell at digium.com>
+ *
+ * See http://www.asterisk.org for more information about
+ * the Asterisk project. Please do not directly contact
+ * any of the maintainers of this project for assistance;
+ * the project provides a web site, mailing lists and IRC
+ * channels for your use.
+ *
+ * This program is free software, distributed under the terms of
+ * the GNU General Public License Version 2. See the LICENSE file
+ * at the top of the source tree.
+ */
+
+/*** MODULEINFO
+ <depend>pjproject</depend>
+ <depend>res_sip</depend>
+ <support_level>core</support_level>
+ ***/
+#include "asterisk.h"
+
+#include <pjsip.h>
+
+#include "asterisk/res_sip.h"
+#include "asterisk/logger.h"
+#include "asterisk/sorcery.h"
+#include "asterisk/acl.h"
+
+static int acl_handler(const struct aco_option *opt, struct ast_variable *var, void *obj)
+{
+ struct ast_sip_security *security = obj;
+ int error;
+ int ignore;
+ if (!strncmp(var->name, "contact", 7)) {
+ ast_append_acl(var->name + 7, var->value, &security->contact_acl, &error, &ignore);
+ } else {
+ ast_append_acl(var->name, var->value, &security->acl, &error, &ignore);
+ }
+ return error;
+}
+
+static void security_destroy(void *obj)
+{
+ struct ast_sip_security *security = obj;
+ security->acl = ast_free_acl_list(security->acl);
+ security->contact_acl = ast_free_acl_list(security->contact_acl);
+}
+
+static void *security_alloc(const char *name)
+{
+ struct ast_sip_security *security =
+ ao2_alloc(sizeof(*security), security_destroy);
+
+ if (!security) {
+ return NULL;
+ }
+
+ return security;
+}
+
+int ast_sip_initialize_sorcery_security(struct ast_sorcery *sorcery)
+{
+ ast_sorcery_apply_default(sorcery, SIP_SORCERY_SECURITY_TYPE,
+ "config", "res_sip.conf,criteria=type=security");
+
+ if (ast_sorcery_object_register(sorcery, SIP_SORCERY_SECURITY_TYPE,
+ security_alloc, NULL, NULL)) {
+
+ ast_log(LOG_ERROR, "Failed to register SIP %s object with sorcery\n",
+ SIP_SORCERY_SECURITY_TYPE);
+ return -1;
+ }
+
+ ast_sorcery_object_field_register(sorcery, SIP_SORCERY_SECURITY_TYPE, "type", "", OPT_NOOP_T, 0, 0);
+ ast_sorcery_object_field_register_custom(sorcery, SIP_SORCERY_SECURITY_TYPE, "permit", "", acl_handler, NULL, 0, 0);
+ ast_sorcery_object_field_register_custom(sorcery, SIP_SORCERY_SECURITY_TYPE, "deny", "", acl_handler, NULL, 0, 0);
+ ast_sorcery_object_field_register_custom(sorcery, SIP_SORCERY_SECURITY_TYPE, "acl", "", acl_handler, NULL, 0, 0);
+ ast_sorcery_object_field_register_custom(sorcery, SIP_SORCERY_SECURITY_TYPE, "contactpermit", "", acl_handler, NULL, 0, 0);
+ ast_sorcery_object_field_register_custom(sorcery, SIP_SORCERY_SECURITY_TYPE, "contactdeny", "", acl_handler, NULL, 0, 0);
+ ast_sorcery_object_field_register_custom(sorcery, SIP_SORCERY_SECURITY_TYPE, "contactacl", "", acl_handler, NULL, 0, 0);
+
+ ast_sorcery_object_field_register(sorcery, SIP_SORCERY_SECURITY_TYPE, "alwaysauthreject", "yes",
+ OPT_BOOL_T, 1, FLDSET(struct ast_sip_security, alwaysauthreject));
+ return 0;
+}
Propchange: team/kharwell/pimp_sip_security/res/res_sip/config_security.c
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: team/kharwell/pimp_sip_security/res/res_sip/config_security.c
------------------------------------------------------------------------------
svn:keywords = Author Date Id Rev URL
Propchange: team/kharwell/pimp_sip_security/res/res_sip/config_security.c
------------------------------------------------------------------------------
svn:mime-type = text/plain
Modified: team/kharwell/pimp_sip_security/res/res_sip/sip_configuration.c
URL: http://svnview.digium.com/svn/asterisk/team/kharwell/pimp_sip_security/res/res_sip/sip_configuration.c?view=diff&rev=389037&r1=389036&r2=389037
==============================================================================
--- team/kharwell/pimp_sip_security/res/res_sip/sip_configuration.c (original)
+++ team/kharwell/pimp_sip_security/res/res_sip/sip_configuration.c Fri May 17 18:03:00 2013
@@ -119,6 +119,11 @@
static void destroy_auths(const char **auths, size_t num_auths)
{
int i;
+
+ if (!auths) {
+ return;
+ }
+
for (i = 0; i < num_auths; ++i) {
ast_free((char *) auths[i]);
}
@@ -394,6 +399,13 @@
return -1;
}
+ if (ast_sip_initialize_sorcery_security(sip_sorcery)) {
+ ast_log(LOG_ERROR, "Failed to register SIP security support\n");
+ ast_sorcery_unref(sip_sorcery);
+ sip_sorcery = NULL;
+ return -1;
+ }
+
ast_sorcery_load(sip_sorcery);
return 0;
@@ -442,6 +454,7 @@
return NULL;
}
ast_party_id_init(&endpoint->id);
+ endpoint->type = AUTHENTIC;
return endpoint;
}
Modified: team/kharwell/pimp_sip_security/res/res_sip/sip_distributor.c
URL: http://svnview.digium.com/svn/asterisk/team/kharwell/pimp_sip_security/res/res_sip/sip_distributor.c?view=diff&rev=389037&r1=389036&r2=389037
==============================================================================
--- team/kharwell/pimp_sip_security/res/res_sip/sip_distributor.c (original)
+++ team/kharwell/pimp_sip_security/res/res_sip/sip_distributor.c Fri May 17 18:03:00 2013
@@ -124,6 +124,41 @@
.priority = PJSIP_MOD_PRIORITY_TSX_LAYER - 3,
.on_rx_request = endpoint_lookup,
};
+
+static struct ast_sip_endpoint *create_artificial_endpoint(void)
+{
+ struct ast_sip_endpoint *endpoint =
+ ast_sorcery_alloc(ast_sip_get_sorcery(), "endpoint", NULL);
+
+ if (!endpoint) {
+ return NULL;
+ }
+
+ endpoint->type = ARTIFICIAL;
+ endpoint->num_inbound_auths = 1;
+
+ return endpoint;
+}
+
+static int find_always_auth_reject(void *obj, void *arg, int flags)
+{
+ struct ast_sip_security *security = obj;
+
+ return security->alwaysauthreject ? CMP_MATCH | CMP_STOP : 0;
+}
+
+static int always_auth_reject(void)
+{
+ RAII_VAR(struct ao2_container *, securities, NULL, ao2_cleanup);
+ RAII_VAR(struct ast_sip_security *, security, NULL, ao2_cleanup);
+
+ securities = ast_sorcery_retrieve_by_fields(
+ ast_sip_get_sorcery(), SIP_SORCERY_SECURITY_TYPE,
+ AST_RETRIEVE_FLAG_MULTIPLE | AST_RETRIEVE_FLAG_ALL, NULL);
+
+ return (security = ao2_callback(securities, 0,
+ find_always_auth_reject, NULL)) != NULL;
+}
static pj_bool_t endpoint_lookup(pjsip_rx_data *rdata)
{
@@ -140,12 +175,15 @@
}
if (!endpoint && !is_ack) {
- /* XXX When we do an alwaysauthreject-like option, we'll need to take that into account
- * for this response. Either that, or have a pseudo-endpoint to pass along so that authentication
- * will fail
- */
- pjsip_endpt_respond_stateless(ast_sip_get_pjsip_endpoint(), rdata, 403, NULL, NULL, NULL);
- return PJ_TRUE;
+ if (always_auth_reject()) {
+ endpoint = create_artificial_endpoint();
+ }
+
+ if (!endpoint) {
+ pjsip_endpt_respond_stateless(ast_sip_get_pjsip_endpoint(),
+ rdata, 403, NULL, NULL, NULL);
+ return PJ_TRUE;
+ }
}
rdata->endpt_info.mod_data[endpoint_mod.id] = endpoint;
return PJ_FALSE;
Modified: team/kharwell/pimp_sip_security/res/res_sip_acl.c
URL: http://svnview.digium.com/svn/asterisk/team/kharwell/pimp_sip_security/res/res_sip_acl.c?view=diff&rev=389037&r1=389036&r2=389037
==============================================================================
--- team/kharwell/pimp_sip_security/res/res_sip_acl.c (original)
+++ team/kharwell/pimp_sip_security/res/res_sip_acl.c Fri May 17 18:03:00 2013
@@ -31,12 +31,6 @@
#include "asterisk/logger.h"
#include "asterisk/sorcery.h"
#include "asterisk/acl.h"
-
-struct sip_acl {
- SORCERY_OBJECT(details);
- struct ast_acl_list *acl;
- struct ast_acl_list *contact_acl;
-};
static int apply_acl(pjsip_rx_data *rdata, struct ast_acl_list *acl)
{
@@ -109,10 +103,10 @@
static int check_acls(void *obj, void *arg, int flags)
{
- struct sip_acl *acl = obj;
+ struct ast_sip_security *security = obj;
pjsip_rx_data *rdata = arg;
- if (apply_acl(rdata, acl->acl) || apply_contact_acl(rdata, acl->contact_acl)) {
+ if (apply_acl(rdata, security->acl) || apply_contact_acl(rdata, security->contact_acl)) {
return CMP_MATCH | CMP_STOP;
}
return 0;
@@ -121,8 +115,11 @@
static pj_bool_t acl_on_rx_msg(pjsip_rx_data *rdata)
{
int forbidden = 0;
- struct ao2_container *acls = ast_sorcery_retrieve_by_fields(ast_sip_get_sorcery(), "acl", AST_RETRIEVE_FLAG_MULTIPLE | AST_RETRIEVE_FLAG_ALL, NULL);
- struct sip_acl *matched_acl;
+ struct ao2_container *acls = ast_sorcery_retrieve_by_fields(
+ ast_sip_get_sorcery(), SIP_SORCERY_SECURITY_TYPE,
+ AST_RETRIEVE_FLAG_MULTIPLE | AST_RETRIEVE_FLAG_ALL, NULL);
+ struct ast_sip_security *matched_acl;
+
if (!acls) {
ast_log(LOG_ERROR, "Unable to retrieve ACL sorcery data\n");
return PJ_FALSE;
@@ -152,60 +149,8 @@
.on_rx_request = acl_on_rx_msg,
};
-static int acl_handler(const struct aco_option *opt, struct ast_variable *var, void *obj)
-{
- struct sip_acl *acl = obj;
- int error;
- int ignore;
- if (!strncmp(var->name, "contact", 7)) {
- ast_append_acl(var->name + 7, var->value, &acl->contact_acl, &error, &ignore);
- } else {
- ast_append_acl(var->name, var->value, &acl->acl, &error, &ignore);
- }
- return error;
-}
-
-static void sip_acl_destructor(void *obj)
-{
- struct sip_acl *acl = obj;
- acl->acl = ast_free_acl_list(acl->acl);
- acl->contact_acl = ast_free_acl_list(acl->contact_acl);
-}
-
-static void *sip_acl_alloc(const char *name)
-{
- struct sip_acl *acl = ao2_alloc(sizeof(*acl), sip_acl_destructor);
- if (!acl) {
- return NULL;
- }
- return acl;
-}
-
-static int load_acls(void)
-{
- ast_sorcery_apply_default(ast_sip_get_sorcery(), "acl", "config", "res_sip.conf,criteria=type=acl");
- if (ast_sorcery_object_register(ast_sip_get_sorcery(), "acl", sip_acl_alloc, NULL, NULL)) {
- ast_log(LOG_ERROR, "Failed to register SIP ACL object with sorcery\n");
- return -1;
- }
- ast_sorcery_object_field_register(ast_sip_get_sorcery(), "acl", "type", "", OPT_NOOP_T, 0, 0);
- ast_sorcery_object_field_register_custom(ast_sip_get_sorcery(), "acl", "permit", "", acl_handler, NULL, 0, 0);
- ast_sorcery_object_field_register_custom(ast_sip_get_sorcery(), "acl", "deny", "", acl_handler, NULL, 0, 0);
- ast_sorcery_object_field_register_custom(ast_sip_get_sorcery(), "acl", "acl", "", acl_handler, NULL, 0, 0);
- ast_sorcery_object_field_register_custom(ast_sip_get_sorcery(), "acl", "contactpermit", "", acl_handler, NULL, 0, 0);
- ast_sorcery_object_field_register_custom(ast_sip_get_sorcery(), "acl", "contactdeny", "", acl_handler, NULL, 0, 0);
- ast_sorcery_object_field_register_custom(ast_sip_get_sorcery(), "acl", "contactacl", "", acl_handler, NULL, 0, 0);
-
- /* XXX Is there a more selective way to do this? (i.e. Just reload a specific object type?) */
- ast_sorcery_reload(ast_sip_get_sorcery());
- return 0;
-}
-
static int load_module(void)
{
- if (load_acls()) {
- return AST_MODULE_LOAD_DECLINE;
- }
ast_sip_register_service(&acl_module);
return AST_MODULE_LOAD_SUCCESS;
}
Modified: team/kharwell/pimp_sip_security/res/res_sip_authenticator_digest.c
URL: http://svnview.digium.com/svn/asterisk/team/kharwell/pimp_sip_security/res/res_sip_authenticator_digest.c?view=diff&rev=389037&r1=389036&r2=389037
==============================================================================
--- team/kharwell/pimp_sip_security/res/res_sip_authenticator_digest.c (original)
+++ team/kharwell/pimp_sip_security/res/res_sip_authenticator_digest.c Fri May 17 18:03:00 2013
@@ -268,12 +268,12 @@
/*!
* \brief Common code for initializing a pjsip_auth_srv
*/
-static void setup_auth_srv(pj_pool_t *pool, pjsip_auth_srv *auth_server, const struct ast_sip_auth *auth)
-{
- pj_str_t realm;
- pj_cstr(&realm, auth->realm);
-
- pjsip_auth_srv_init(pool, auth_server, &realm, digest_lookup, 0);
+static void setup_auth_srv(pj_pool_t *pool, pjsip_auth_srv *auth_server, const char *realm)
+{
+ pj_str_t realm_str;
+ pj_cstr(&realm_str, realm);
+
+ pjsip_auth_srv_init(pool, auth_server, &realm_str, digest_lookup, 0);
}
/*!
@@ -311,7 +311,7 @@
stale = 1;
}
- setup_auth_srv(pool, &auth_server, auth);
+ setup_auth_srv(pool, &auth_server, auth->realm);
store_auth(auth);
@@ -332,12 +332,12 @@
/*!
* \brief astobj2 callback for adding digest challenges to responses
*
- * \param auth The ast_aip_auth to build a challenge from
+ * \param realm An auth's realm to build a challenge from
* \param tdata The response to add the challenge to
* \param rdata The request the challenge is in response to
* \param is_stale Indicates whether nonce on incoming request was stale
*/
-static void challenge(const struct ast_sip_auth *auth, pjsip_tx_data *tdata, const pjsip_rx_data *rdata, int is_stale)
+static void challenge(const char *realm, pjsip_tx_data *tdata, const pjsip_rx_data *rdata, int is_stale)
{
pj_str_t qop;
pj_str_t pj_nonce;
@@ -347,9 +347,9 @@
time_t timestamp = time(NULL);
snprintf(time_buf, sizeof(time_buf), "%d", (int) timestamp);
- build_nonce(&nonce, time_buf, rdata, auth->realm);
-
- setup_auth_srv(tdata->pool, &auth_server, auth);
+ build_nonce(&nonce, time_buf, rdata, realm);
+
+ setup_auth_srv(tdata->pool, &auth_server, realm);
pj_cstr(&pj_nonce, ast_str_buffer(nonce));
pj_cstr(&qop, "auth");
@@ -368,10 +368,18 @@
static enum ast_sip_check_auth_result digest_check_auth(struct ast_sip_endpoint *endpoint,
pjsip_rx_data *rdata, pjsip_tx_data *tdata)
{
- struct ast_sip_auth **auths = ast_alloca(endpoint->num_inbound_auths * sizeof(*auths));
- enum digest_verify_result *verify_res = ast_alloca(endpoint->num_inbound_auths * sizeof(*verify_res));
+ struct ast_sip_auth **auths;
+ enum digest_verify_result *verify_res;
enum ast_sip_check_auth_result res;
int i;
+
+ if (endpoint->type == ARTIFICIAL) {
+ challenge("asterisk", tdata, rdata, 0);
+ return AST_SIP_AUTHENTICATION_CHALLENGE;
+ }
+
+ auths = ast_alloca(endpoint->num_inbound_auths * sizeof(*auths));
+ verify_res = ast_alloca(endpoint->num_inbound_auths * sizeof(*verify_res));
if (!auths) {
return AST_SIP_AUTHENTICATION_ERROR;
@@ -391,7 +399,7 @@
}
for (i = 0; i < endpoint->num_inbound_auths; ++i) {
- challenge(auths[i], tdata, rdata, verify_res[i] == AUTH_STALE);
+ challenge(auths[i]->realm, tdata, rdata, verify_res[i] == AUTH_STALE);
}
res = AST_SIP_AUTHENTICATION_CHALLENGE;
More information about the asterisk-commits
mailing list