res_pjsip_authenticator_digest.c 14 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495
  1. /*
  2. * Asterisk -- An open source telephony toolkit.
  3. *
  4. * Copyright (C) 2013, Digium, Inc.
  5. *
  6. * Mark Michelson <mmichelson@digium.com>
  7. *
  8. * See http://www.asterisk.org for more information about
  9. * the Asterisk project. Please do not directly contact
  10. * any of the maintainers of this project for assistance;
  11. * the project provides a web site, mailing lists and IRC
  12. * channels for your use.
  13. *
  14. * This program is free software, distributed under the terms of
  15. * the GNU General Public License Version 2. See the LICENSE file
  16. * at the top of the source tree.
  17. */
  18. #include "asterisk.h"
  19. #include <pjsip.h>
  20. #include "asterisk/res_pjsip.h"
  21. #include "asterisk/logger.h"
  22. #include "asterisk/module.h"
  23. #include "asterisk/strings.h"
  24. /*** MODULEINFO
  25. <depend>pjproject</depend>
  26. <depend>res_pjsip</depend>
  27. <support_level>core</support_level>
  28. ***/
  29. AO2_GLOBAL_OBJ_STATIC(entity_id);
  30. /*!
  31. * \brief Determine if authentication is required
  32. *
  33. * Authentication is required if the endpoint has at least one auth
  34. * section specified
  35. */
  36. static int digest_requires_authentication(struct ast_sip_endpoint *endpoint, pjsip_rx_data *rdata)
  37. {
  38. RAII_VAR(struct ast_sip_endpoint *, artificial, ast_sip_get_artificial_endpoint(), ao2_cleanup);
  39. return endpoint == artificial || AST_VECTOR_SIZE(&endpoint->inbound_auths) > 0;
  40. }
  41. static void auth_store_cleanup(void *data)
  42. {
  43. struct ast_sip_auth **auth = data;
  44. ao2_cleanup(*auth);
  45. ast_free(data);
  46. }
  47. /*!
  48. * \brief Thread-local storage for \ref ast_sip_auth
  49. *
  50. * The PJSIP authentication API is a bit annoying. When you set
  51. * up an authentication server, you specify a lookup callback to
  52. * call into when verifying incoming credentials. The problem
  53. * with this callback is that it only gives you the realm and
  54. * authentication username. In 2.0.5, there is a new version of
  55. * the callback you can use that gives the pjsip_rx_data in
  56. * addition.
  57. *
  58. * Unfortunately, the data we actually \b need is the
  59. * \ref ast_sip_auth we are currently observing. So we have two
  60. * choices:
  61. * 1) Use the current PJSIP API and use thread-local storage
  62. * to temporarily store our SIP authentication information. Then
  63. * in the callback, we can retrieve the authentication info and
  64. * use as needed. Given our threading model, this is safe.
  65. * 2) Use the 2.0.5 API and temporarily store the authentication
  66. * information in the rdata's endpoint_info. Then in the callback,
  67. * we can retrieve the authentication info from the rdata.
  68. *
  69. * I've chosen option 1 since it does not require backporting
  70. * any APIs from future versions of PJSIP, plus I feel the
  71. * thread-local option is a bit cleaner.
  72. */
  73. AST_THREADSTORAGE_CUSTOM(auth_store, NULL, auth_store_cleanup);
  74. /*!
  75. * \brief Store authentication information in thread-local storage
  76. */
  77. static int store_auth(struct ast_sip_auth *auth)
  78. {
  79. struct ast_sip_auth **pointing;
  80. pointing = ast_threadstorage_get(&auth_store, sizeof(pointing));
  81. if (!pointing || *pointing) {
  82. return -1;
  83. }
  84. ao2_ref(auth, +1);
  85. *pointing = auth;
  86. return 0;
  87. }
  88. /*!
  89. * \brief Remove authentication information from thread-local storage
  90. */
  91. static int remove_auth(void)
  92. {
  93. struct ast_sip_auth **pointing;
  94. pointing = ast_threadstorage_get(&auth_store, sizeof(pointing));
  95. if (!pointing) {
  96. return -1;
  97. }
  98. ao2_cleanup(*pointing);
  99. *pointing = NULL;
  100. return 0;
  101. }
  102. /*!
  103. * \brief Retrieve authentication information from thread-local storage
  104. */
  105. static struct ast_sip_auth *get_auth(void)
  106. {
  107. struct ast_sip_auth **auth;
  108. auth = ast_threadstorage_get(&auth_store, sizeof(auth));
  109. if (auth && *auth) {
  110. ao2_ref(*auth, +1);
  111. return *auth;
  112. }
  113. return NULL;
  114. }
  115. /*!
  116. * \brief Lookup callback for authentication verification
  117. *
  118. * This function is called when we call pjsip_auth_srv_verify(). It
  119. * expects us to verify that the realm and account name from the
  120. * Authorization header is correct. We are then supposed to supply
  121. * a password or MD5 sum of credentials.
  122. *
  123. * \param pool A memory pool we can use for allocations
  124. * \param realm The realm from the Authorization header
  125. * \param acc_name the user from the Authorization header
  126. * \param[out] info The credentials we need to fill in
  127. * \retval PJ_SUCCESS Successful authentication
  128. * \retval other Unsuccessful
  129. */
  130. static pj_status_t digest_lookup(pj_pool_t *pool, const pj_str_t *realm,
  131. const pj_str_t *acc_name, pjsip_cred_info *info)
  132. {
  133. RAII_VAR(struct ast_sip_auth *, auth, get_auth(), ao2_cleanup);
  134. if (!auth) {
  135. return PJSIP_SC_FORBIDDEN;
  136. }
  137. if (auth->type == AST_SIP_AUTH_TYPE_ARTIFICIAL) {
  138. return PJSIP_SC_FORBIDDEN;
  139. }
  140. if (pj_strcmp2(realm, auth->realm)) {
  141. return PJSIP_SC_FORBIDDEN;
  142. }
  143. if (pj_strcmp2(acc_name, auth->auth_user)) {
  144. return PJSIP_SC_FORBIDDEN;
  145. }
  146. pj_strdup2(pool, &info->realm, auth->realm);
  147. pj_strdup2(pool, &info->username, auth->auth_user);
  148. switch (auth->type) {
  149. case AST_SIP_AUTH_TYPE_USER_PASS:
  150. pj_strdup2(pool, &info->data, auth->auth_pass);
  151. info->data_type = PJSIP_CRED_DATA_PLAIN_PASSWD;
  152. break;
  153. case AST_SIP_AUTH_TYPE_MD5:
  154. pj_strdup2(pool, &info->data, auth->md5_creds);
  155. info->data_type = PJSIP_CRED_DATA_DIGEST;
  156. break;
  157. default:
  158. return PJSIP_SC_FORBIDDEN;
  159. }
  160. return PJ_SUCCESS;
  161. }
  162. /*!
  163. * \brief Calculate a nonce
  164. *
  165. * We use this in order to create authentication challenges. We also use this in order
  166. * to verify that an incoming request with credentials could be in response to one
  167. * of our challenges.
  168. *
  169. * The nonce is calculated from a timestamp, the source IP address, the source port, a
  170. * unique ID for us, and the realm. This helps to ensure that the incoming request
  171. * is from the same source that the nonce was calculated for. Including the realm
  172. * ensures that multiple challenges to the same request have different nonces.
  173. *
  174. * \param A UNIX timestamp expressed as a string
  175. * \param rdata The incoming request
  176. * \param realm The realm for which authentication should occur
  177. */
  178. static int build_nonce(struct ast_str **nonce, const char *timestamp, const pjsip_rx_data *rdata, const char *realm)
  179. {
  180. struct ast_str *str = ast_str_alloca(256);
  181. RAII_VAR(char *, eid, ao2_global_obj_ref(entity_id), ao2_cleanup);
  182. char hash[33];
  183. ast_str_append(&str, 0, "%s", timestamp);
  184. ast_str_append(&str, 0, ":%s", rdata->pkt_info.src_name);
  185. ast_str_append(&str, 0, ":%d", rdata->pkt_info.src_port);
  186. ast_str_append(&str, 0, ":%s", eid);
  187. ast_str_append(&str, 0, ":%s", realm);
  188. ast_md5_hash(hash, ast_str_buffer(str));
  189. ast_str_append(nonce, 0, "%s/%s", timestamp, hash);
  190. return 0;
  191. }
  192. /*!
  193. * \brief Ensure that a nonce on an incoming request is sane.
  194. *
  195. * The nonce in an incoming Authorization header needs to pass some scrutiny in order
  196. * for us to consider accepting it. What we do is re-build a nonce based on request
  197. * data and a realm and see if it matches the nonce they sent us.
  198. * \param candidate The nonce on an incoming request
  199. * \param rdata The incoming request
  200. * \param auth The auth credentials we are trying to match against.
  201. * \retval 0 Nonce does not pass validity checks
  202. * \retval 1 Nonce passes validity check
  203. */
  204. static int check_nonce(const char *candidate, const pjsip_rx_data *rdata, const struct ast_sip_auth *auth)
  205. {
  206. char *copy = ast_strdupa(candidate);
  207. char *timestamp = strsep(&copy, "/");
  208. int timestamp_int;
  209. time_t now = time(NULL);
  210. struct ast_str *calculated = ast_str_alloca(64);
  211. if (!copy) {
  212. /* Clearly a bad nonce! */
  213. return 0;
  214. }
  215. if (sscanf(timestamp, "%30d", &timestamp_int) != 1) {
  216. return 0;
  217. }
  218. if ((int) now - timestamp_int > auth->nonce_lifetime) {
  219. return 0;
  220. }
  221. build_nonce(&calculated, timestamp, rdata, auth->realm);
  222. ast_debug(3, "Calculated nonce %s. Actual nonce is %s\n", ast_str_buffer(calculated), candidate);
  223. if (strcmp(ast_str_buffer(calculated), candidate)) {
  224. return 0;
  225. }
  226. return 1;
  227. }
  228. static int find_challenge(const pjsip_rx_data *rdata, const struct ast_sip_auth *auth)
  229. {
  230. struct pjsip_authorization_hdr *auth_hdr = (pjsip_authorization_hdr *) &rdata->msg_info.msg->hdr;
  231. int challenge_found = 0;
  232. char nonce[64];
  233. while ((auth_hdr = (pjsip_authorization_hdr *) pjsip_msg_find_hdr(rdata->msg_info.msg, PJSIP_H_AUTHORIZATION, auth_hdr->next))) {
  234. ast_copy_pj_str(nonce, &auth_hdr->credential.digest.nonce, sizeof(nonce));
  235. if (check_nonce(nonce, rdata, auth) && !pj_strcmp2(&auth_hdr->credential.digest.realm, auth->realm)) {
  236. challenge_found = 1;
  237. break;
  238. }
  239. }
  240. return challenge_found;
  241. }
  242. /*!
  243. * \brief Common code for initializing a pjsip_auth_srv
  244. */
  245. static void setup_auth_srv(pj_pool_t *pool, pjsip_auth_srv *auth_server, const char *realm)
  246. {
  247. pj_str_t realm_str;
  248. pj_cstr(&realm_str, realm);
  249. pjsip_auth_srv_init(pool, auth_server, &realm_str, digest_lookup, 0);
  250. }
  251. /*!
  252. * \brief Result of digest verification
  253. */
  254. enum digest_verify_result {
  255. /*! Authentication credentials incorrect */
  256. AUTH_FAIL,
  257. /*! Authentication credentials correct */
  258. AUTH_SUCCESS,
  259. /*! Authentication credentials correct but nonce mismatch */
  260. AUTH_STALE,
  261. /*! Authentication credentials were not provided */
  262. AUTH_NOAUTH,
  263. };
  264. /*!
  265. * \brief astobj2 callback for verifying incoming credentials
  266. *
  267. * \param auth The ast_sip_auth to check against
  268. * \param rdata The incoming request
  269. * \param pool A pool to use for the auth server
  270. * \return CMP_MATCH on successful authentication
  271. * \return 0 on failed authentication
  272. */
  273. static int verify(struct ast_sip_auth *auth, pjsip_rx_data *rdata, pj_pool_t *pool)
  274. {
  275. pj_status_t authed;
  276. int response_code;
  277. pjsip_auth_srv auth_server;
  278. int stale = 0;
  279. if (!find_challenge(rdata, auth)) {
  280. /* Couldn't find a challenge with a sane nonce.
  281. * Nonce mismatch may just be due to staleness.
  282. */
  283. stale = 1;
  284. }
  285. setup_auth_srv(pool, &auth_server, auth->realm);
  286. store_auth(auth);
  287. authed = pjsip_auth_srv_verify(&auth_server, rdata, &response_code);
  288. remove_auth();
  289. if (authed == PJ_SUCCESS) {
  290. if (stale) {
  291. return AUTH_STALE;
  292. } else {
  293. return AUTH_SUCCESS;
  294. }
  295. }
  296. if (authed == PJSIP_EAUTHNOAUTH) {
  297. return AUTH_NOAUTH;
  298. }
  299. return AUTH_FAIL;
  300. }
  301. /*!
  302. * \brief astobj2 callback for adding digest challenges to responses
  303. *
  304. * \param realm An auth's realm to build a challenge from
  305. * \param tdata The response to add the challenge to
  306. * \param rdata The request the challenge is in response to
  307. * \param is_stale Indicates whether nonce on incoming request was stale
  308. */
  309. static void challenge(const char *realm, pjsip_tx_data *tdata, const pjsip_rx_data *rdata, int is_stale)
  310. {
  311. pj_str_t qop;
  312. pj_str_t pj_nonce;
  313. pjsip_auth_srv auth_server;
  314. struct ast_str *nonce = ast_str_alloca(256);
  315. char time_buf[32];
  316. time_t timestamp = time(NULL);
  317. snprintf(time_buf, sizeof(time_buf), "%d", (int) timestamp);
  318. build_nonce(&nonce, time_buf, rdata, realm);
  319. setup_auth_srv(tdata->pool, &auth_server, realm);
  320. pj_cstr(&pj_nonce, ast_str_buffer(nonce));
  321. pj_cstr(&qop, "auth");
  322. pjsip_auth_srv_challenge(&auth_server, &qop, &pj_nonce, NULL, is_stale ? PJ_TRUE : PJ_FALSE, tdata);
  323. }
  324. /*!
  325. * \brief Check authentication using Digest scheme
  326. *
  327. * This function will check an incoming message against configured authentication
  328. * options. If \b any of the incoming Authorization headers result in successful
  329. * authentication, then authentication is considered successful.
  330. *
  331. * \see ast_sip_check_authentication
  332. */
  333. static enum ast_sip_check_auth_result digest_check_auth(struct ast_sip_endpoint *endpoint,
  334. pjsip_rx_data *rdata, pjsip_tx_data *tdata)
  335. {
  336. struct ast_sip_auth **auths;
  337. enum digest_verify_result *verify_res;
  338. enum ast_sip_check_auth_result res;
  339. int i;
  340. int failures = 0;
  341. size_t auth_size;
  342. RAII_VAR(struct ast_sip_endpoint *, artificial_endpoint,
  343. ast_sip_get_artificial_endpoint(), ao2_cleanup);
  344. auth_size = AST_VECTOR_SIZE(&endpoint->inbound_auths);
  345. auths = ast_alloca(auth_size * sizeof(*auths));
  346. verify_res = ast_alloca(auth_size * sizeof(*verify_res));
  347. if (!auths) {
  348. return AST_SIP_AUTHENTICATION_ERROR;
  349. }
  350. if (endpoint == artificial_endpoint) {
  351. auths[0] = ast_sip_get_artificial_auth();
  352. } else if (ast_sip_retrieve_auths(&endpoint->inbound_auths, auths)) {
  353. res = AST_SIP_AUTHENTICATION_ERROR;
  354. goto cleanup;
  355. }
  356. for (i = 0; i < auth_size; ++i) {
  357. if (ast_strlen_zero(auths[i]->realm)) {
  358. ast_string_field_set(auths[i], realm, "asterisk");
  359. }
  360. verify_res[i] = verify(auths[i], rdata, tdata->pool);
  361. if (verify_res[i] == AUTH_SUCCESS) {
  362. res = AST_SIP_AUTHENTICATION_SUCCESS;
  363. goto cleanup;
  364. }
  365. if (verify_res[i] == AUTH_FAIL) {
  366. failures++;
  367. }
  368. }
  369. for (i = 0; i < auth_size; ++i) {
  370. challenge(auths[i]->realm, tdata, rdata, verify_res[i] == AUTH_STALE);
  371. }
  372. if (failures == auth_size) {
  373. res = AST_SIP_AUTHENTICATION_FAILED;
  374. } else {
  375. res = AST_SIP_AUTHENTICATION_CHALLENGE;
  376. }
  377. cleanup:
  378. ast_sip_cleanup_auths(auths, auth_size);
  379. return res;
  380. }
  381. static struct ast_sip_authenticator digest_authenticator = {
  382. .requires_authentication = digest_requires_authentication,
  383. .check_authentication = digest_check_auth,
  384. };
  385. static int build_entity_id(void)
  386. {
  387. char *eid;
  388. eid = ao2_alloc(AST_UUID_STR_LEN, NULL);
  389. if (!eid) {
  390. return -1;
  391. }
  392. ast_uuid_generate_str(eid, AST_UUID_STR_LEN);
  393. ao2_global_obj_replace_unref(entity_id, eid);
  394. ao2_ref(eid, -1);
  395. return 0;
  396. }
  397. static int reload_module(void)
  398. {
  399. if (build_entity_id()) {
  400. return -1;
  401. }
  402. return 0;
  403. }
  404. static int load_module(void)
  405. {
  406. CHECK_PJSIP_MODULE_LOADED();
  407. if (build_entity_id()) {
  408. return AST_MODULE_LOAD_DECLINE;
  409. }
  410. if (ast_sip_register_authenticator(&digest_authenticator)) {
  411. ao2_global_obj_release(entity_id);
  412. return AST_MODULE_LOAD_DECLINE;
  413. }
  414. return AST_MODULE_LOAD_SUCCESS;
  415. }
  416. static int unload_module(void)
  417. {
  418. ast_sip_unregister_authenticator(&digest_authenticator);
  419. ao2_global_obj_release(entity_id);
  420. return 0;
  421. }
  422. AST_MODULE_INFO(ASTERISK_GPL_KEY, AST_MODFLAG_LOAD_ORDER, "PJSIP authentication resource",
  423. .support_level = AST_MODULE_SUPPORT_CORE,
  424. .load = load_module,
  425. .unload = unload_module,
  426. .reload = reload_module,
  427. .load_pri = AST_MODPRI_CHANNEL_DEPEND,
  428. );