[svn-commits] jrose: branch 12 r402537 - /branches/12/res/res_pjsip_authenticator_digest.c

SVN commits to the Digium repositories svn-commits at lists.digium.com
Thu Nov 7 17:16:32 CST 2013


Author: jrose
Date: Thu Nov  7 17:16:30 2013
New Revision: 402537

URL: http://svnview.digium.com/svn/asterisk?view=rev&rev=402537
Log:
PJSIP: Improve error handling in digest authenticator

Previously, regardless of whether failure to authenticate was due to
lacking any authentication or actually failing authentication, the
Digest Authenticator would simply return that a challenge was still
needed. It will continue to do that when no authentication information
is in the received SIP digest, but when authentication information
is present and does not pass authentication, that will be treated as
an authentication error. This is to ensure that PJSIP will issue
security events indicating failed auths.

Modified:
    branches/12/res/res_pjsip_authenticator_digest.c

Modified: branches/12/res/res_pjsip_authenticator_digest.c
URL: http://svnview.digium.com/svn/asterisk/branches/12/res/res_pjsip_authenticator_digest.c?view=diff&rev=402537&r1=402536&r2=402537
==============================================================================
--- branches/12/res/res_pjsip_authenticator_digest.c (original)
+++ branches/12/res/res_pjsip_authenticator_digest.c Thu Nov  7 17:16:30 2013
@@ -290,6 +290,8 @@
 	AUTH_SUCCESS,
 	/*! Authentication credentials correct but nonce mismatch */
 	AUTH_STALE,
+	/*! Authentication credentials were not provided */
+	AUTH_NOAUTH,
 };
 
 /*!
@@ -330,6 +332,11 @@
 			return AUTH_SUCCESS;
 		}
 	}
+
+	if (authed == PJSIP_EAUTHNOAUTH) {
+		return AUTH_NOAUTH;
+	}
+
 	return AUTH_FAIL;
 }
 
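Review bot: The new `PJSIP_EAUTHNOAUTH` branch has no comment saying why it is the only status kept apart from `AUTH_FAIL`. Every other non-success value of `authed` still falls through to `return AUTH_FAIL;` and is counted by the caller as a failed attempt. I would add above the test `/* No credentials were offered for this auth: the caller should challenge, not count a failed attempt. */`. It is also worth confirming that statuses unrelated to a wrong password (for example an internal lookup error, if `authed` can carry one) should really be reported as authentication failures. The function starts outside this hunk, so how `authed` is produced is not visible here.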
@@ -376,6 +383,7 @@
 	enum digest_verify_result *verify_res;
 	enum ast_sip_check_auth_result res;
 	int i;
+	int failures = 0;
 
 	RAII_VAR(struct ast_sip_endpoint *, artificial_endpoint,
 		 ast_sip_get_artificial_endpoint(), ao2_cleanup);
@@ -403,13 +411,20 @@
 			res = AST_SIP_AUTHENTICATION_SUCCESS;
 			goto cleanup;
 		}
+		if (verify_res[i] == AUTH_FAIL) {
+			failures++;
+		}
 	}
 
 	for (i = 0; i < endpoint->inbound_auths.num; ++i) {
 		challenge(auths[i]->realm, tdata, rdata, verify_res[i] == AUTH_STALE);
 	}
 
-	res = AST_SIP_AUTHENTICATION_CHALLENGE;
+	if (failures == endpoint->inbound_auths.num) {
+		res = AST_SIP_AUTHENTICATION_FAILED;
+	} else {
+		res = AST_SIP_AUTHENTICATION_CHALLENGE;
+	}
 
 cleanup:
 	ast_sip_cleanup_auths(auths, endpoint->inbound_auths.num);
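Review bot: The test `failures == endpoint->inbound_auths.num` reports `AST_SIP_AUTHENTICATION_FAILED` only when every configured inbound auth returned `AUTH_FAIL`. With more than one auth on the endpoint, a request that carries a wrong digest response for one realm and no header for the others (`AUTH_NOAUTH`) is therefore still answered with a plain challenge, and the security event the log message asks for is never raised. Consider keying the result on whether any credentials were presented and rejected, e.g. `if (failures > 0) {`, after checking how that should interact with an `AUTH_STALE` entry, which probably still deserves a fresh challenge. If `inbound_auths.num` can ever be 0 here, the comparison is also true with no failures at all; the function begins outside the hunk, so it is not visible whether an earlier guard rules that out.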



