handle INVITEs that are asking for authentication that we cannot supply more intelligently (issue #4995)

git-svn-id: http://svn.digium.com/svn/asterisk/trunk@6399 f38db490-d61c-443f-a65b-d21fe96a405b
author: kpfleming <kpfleming@f38db490-d61c-443f-a65b-d21fe96a405b> 2005-08-25 02:19:42 +0000
committer: kpfleming <kpfleming@f38db490-d61c-443f-a65b-d21fe96a405b> 2005-08-25 02:19:42 +0000
commit: 84a3ab489dd406fc3113a99d53ee268bfa0baece (patch)
tree: 6a9fa06ec475a9699c92cfb1cdf1441d08e5b2f6 /channels
parent: de71602f3b67cc61aa88a4626b9a8913323cd3fc (diff)
1 files changed, 37 insertions, 20 deletions
diff --git a/channels/chan_sip.c b/channels/chan_sip.c
index 69de5475c..7289c392b 100755
--- a/channels/chan_sip.c
+++ b/channels/chan_sip.c
@@ -114,6 +114,7 @@ static int default_expiry = DEFAULT_DEFAULT_EXPIRY;
 #define DEFAULT_RETRANS		1000		/* How frequently to retransmit */
 						/* 2 * 500 ms in RFC 3261 */
 #define MAX_RETRANS		7		/* Try only 7 times for retransmissions */
+#define MAX_AUTHTRIES		3		/* Try authentication three times, then fail */
 
 
 #define DEBUG_READ	0			/* Recieved data	*/
@@ -4974,8 +4975,10 @@ static int transmit_register(struct sip_registry *r, int sipmethod, char *auth,
 		ast_copy_string(p->qop, r->qop, sizeof(p->qop));
 
 		memset(digest,0,sizeof(digest));
-		build_reply_digest(p, sipmethod, digest, sizeof(digest));
-		add_header(&req, "Authorization", digest);
+		if(!build_reply_digest(p, sipmethod, digest, sizeof(digest)))
+			add_header(&req, "Authorization", digest);
+		else
+			ast_log(LOG_NOTICE, "No authorization available for authentication of registration to %s@%s\n", r->username, r->hostname);
 	
 	}
 
@@ -5092,8 +5095,10 @@ static int transmit_request_with_auth(struct sip_pvt *p, int sipmethod, int seqn
 		char digest[1024];
 
 		memset(digest, 0, sizeof(digest));
-		build_reply_digest(p, sipmethod, digest, sizeof(digest));
-		add_header(&resp, "Proxy-Authorization", digest);
+		if(!build_reply_digest(p, sipmethod, digest, sizeof(digest)))
+			add_header(&resp, "Proxy-Authorization", digest);
+		else
+			ast_log(LOG_WARNING, "No authentication available for call %s\n", p->callid);
 	}
 	/* If we are hanging up and know a cause for that, send it in clear text to make
 		debugging easier. */
@@ -8121,6 +8126,8 @@ static int do_proxy_auth(struct sip_pvt *p, struct sip_request *req, char *heade
 
 	memset(&options, 0, sizeof(struct sip_invite_param));
 	p->authtries++;
+	if (option_debug > 1)
+		ast_log(LOG_DEBUG, "Auth attempt %d on %s\n", p->authtries, sip_methods[sipmethod].text);
 	memset(digest,0,sizeof(digest));
 	if (reply_digest(p, req, header, sipmethod, digest, sizeof(digest) )) {
 		/* No way to authenticate */
@@ -8135,6 +8142,7 @@ static int do_proxy_auth(struct sip_pvt *p, struct sip_request *req, char *heade
 /*--- reply_digest: reply to authentication for outbound registrations ---*/
 /*      This is used for register= servers in sip.conf, SIP proxies we register
         with  for receiving calls from.  */
+/*	Returns -1 if we have no auth */
 static int reply_digest(struct sip_pvt *p, struct sip_request *req,
 	char *header, int sipmethod,  char *digest, int digest_len)
 {
@@ -8197,13 +8205,13 @@ static int reply_digest(struct sip_pvt *p, struct sip_request *req,
 		ast_copy_string(r->opaque, p->opaque, sizeof(r->opaque));
 		ast_copy_string(r->qop, p->qop, sizeof(r->qop));
 	}
-	build_reply_digest(p, sipmethod, digest, digest_len); 
-	return 0;
+	return build_reply_digest(p, sipmethod, digest, digest_len); 
 }
 
 /*--- build_reply_digest:  Build reply digest ---*/
 /*      Build digest challenge for authentication of peers (for registration) 
 	and users (for calls). Also used for authentication of CANCEL and BYE */
+/*	Returns -1 if we have no auth */
 static int build_reply_digest(struct sip_pvt *p, int method, char* digest, int digest_len)
 {
 	char a1[256];
@@ -8242,10 +8250,12 @@ static int build_reply_digest(struct sip_pvt *p, int method, char* digest, int d
  		secret =  p->peersecret;
  		md5secret = p->peermd5secret;
  	}
+	if (ast_strlen_zero(username))	/* We have no authentication */
+		return -1;
  
 
  	/* Calculate SIP digest response */
- 	snprintf(a1,sizeof(a1),"%s:%s:%s",username,p->realm,secret);
+ 	snprintf(a1,sizeof(a1),"%s:%s:%s", username, p->realm, secret);
 	snprintf(a2,sizeof(a2),"%s:%s", sip_methods[method].text, uri);
 	if (!ast_strlen_zero(md5secret))
 		ast_copy_string(a1_hash, md5secret, sizeof(a1_hash));
@@ -8255,10 +8265,10 @@ static int build_reply_digest(struct sip_pvt *p, int method, char* digest, int d
 	/* XXX We hard code the nonce-number to 1... What are the odds? Are we seriously going to keep
 	       track of every nonce we've seen? Also we hard code to "auth"...  XXX */
 	if (!ast_strlen_zero(p->qop))
-		snprintf(resp,sizeof(resp),"%s:%s:%s:%s:%s:%s",a1_hash,p->nonce, "00000001", cnonce, "auth", a2_hash);
+		snprintf(resp,sizeof(resp),"%s:%s:%s:%s:%s:%s", a1_hash, p->nonce, "00000001", cnonce, "auth", a2_hash);
 	else
-		snprintf(resp,sizeof(resp),"%s:%s:%s",a1_hash,p->nonce,a2_hash);
-	ast_md5_hash(resp_hash,resp);
+		snprintf(resp,sizeof(resp),"%s:%s:%s", a1_hash, p->nonce, a2_hash);
+	ast_md5_hash(resp_hash, resp);
 	/* XXX We hard code our qop to "auth" for now.  XXX */
 	if (!ast_strlen_zero(p->qop))
 		snprintf(digest, digest_len, "Digest username=\"%s\", realm=\"%s\", algorithm=MD5, uri=\"%s\", nonce=\"%s\", response=\"%s\", opaque=\"%s\", qop=auth, cnonce=\"%s\", nc=00000001", username, p->realm, uri, p->nonce, resp_hash, p->opaque, cnonce);
@@ -8632,7 +8642,7 @@ static int handle_response_register(struct sip_pvt *p, int resp, char *rest, str
 
 	switch (resp) {
 	case 401:	/* Unauthorized */
-		if ((p->authtries > 1) || do_register_auth(p, req, "WWW-Authenticate", "Authorization")) {
+		if ((p->authtries == MAX_AUTHTRIES) || do_register_auth(p, req, "WWW-Authenticate", "Authorization")) {
 			ast_log(LOG_NOTICE, "Failed to authenticate on REGISTER to '%s@%s' (Tries %d)\n", p->registry->username, p->registry->hostname, p->authtries);
 			ast_set_flag(p, SIP_NEEDDESTROY);	
 			}
@@ -8651,7 +8661,7 @@ static int handle_response_register(struct sip_pvt *p, int resp, char *rest, str
 		ast_sched_del(sched, r->timeout);
 		break;
 	case 407:	/* Proxy auth */
-		if ((p->authtries > 1) || do_register_auth(p, req, "Proxy-Authenticate", "Proxy-Authorization")) {
+		if ((p->authtries == MAX_AUTHTRIES) || do_register_auth(p, req, "Proxy-Authenticate", "Proxy-Authorization")) {
 			ast_log(LOG_NOTICE, "Failed to authenticate on REGISTER to '%s' (tries '%d')\n", get_header(&p->initreq, "From"), p->authtries);
 			ast_set_flag(p, SIP_NEEDDESTROY);	
 		}
@@ -8872,6 +8882,7 @@ static void handle_response(struct sip_pvt *p, int resp, char *rest, struct sip_
 			}
 			break;
 		case 200:	/* 200 OK */
+			p->authtries = 0;	/* Reset authentication counter */
 			if (sipmethod == SIP_MESSAGE) {
 				/* We successfully transmitted a message */
 				ast_set_flag(p, SIP_NEEDDESTROY);	
@@ -8910,13 +8921,12 @@ static void handle_response(struct sip_pvt *p, int resp, char *rest, struct sip_
 				} else /* It's possible we're getting an ACK after we've tried to disconnect
 						  by sending CANCEL */
 					ast_set_flag(p, SIP_PENDINGBYE);	
-				p->authtries = 0;
 				/* If I understand this right, the branch is different for a non-200 ACK only */
 				transmit_request(p, SIP_ACK, seqno, 0, 1);
 				check_pendings(p);
 			} else if (sipmethod == SIP_REGISTER) {
 				res = handle_response_register(p, resp, rest, req, ignore, seqno);
-			}
+			} 
 			break;
 		case 401: /* Not www-authorized on SIP method */
 			if (sipmethod == SIP_INVITE) {
@@ -8924,9 +8934,12 @@ static void handle_response(struct sip_pvt *p, int resp, char *rest, struct sip_
 				transmit_request(p, SIP_ACK, seqno, 0, 0);
 				/* Then we AUTH */
 				p->theirtag[0]='\0';	/* forget their old tag, so we don't match tags when getting response */
-				if ((p->authtries > 1) || do_proxy_auth(p, req, "WWW-Authenticate", "Authorization", SIP_INVITE, 1)) {
+				if ((p->authtries == MAX_AUTHTRIES) || do_proxy_auth(p, req, "WWW-Authenticate", "Authorization", SIP_INVITE, 1)) {
 					ast_log(LOG_NOTICE, "Failed to authenticate on INVITE to '%s'\n", get_header(&p->initreq, "From"));
 					ast_set_flag(p, SIP_NEEDDESTROY);	
+					ast_set_flag(p, SIP_ALREADYGONE);	
+					if (p->owner)
+						ast_queue_control(p->owner, AST_CONTROL_CONGESTION);
 				}
 			} else if (p->registry && sipmethod == SIP_REGISTER) {
 				res = handle_response_register(p, resp, rest, req, ignore, seqno);
@@ -8963,9 +8976,12 @@ static void handle_response(struct sip_pvt *p, int resp, char *rest, struct sip_
 				/* But only if the packet wasn't marked as ignore in handle_request */
 				if (!ignore){
 					p->theirtag[0]='\0';	/* forget their old tag, so we don't match tags when getting response */
-					if ((p->authtries > 1) || do_proxy_auth(p, req, "Proxy-Authenticate", "Proxy-Authorization", SIP_INVITE, 1)) {
+					if ((p->authtries == MAX_AUTHTRIES) || do_proxy_auth(p, req, "Proxy-Authenticate", "Proxy-Authorization", SIP_INVITE, 1)) {
 						ast_log(LOG_NOTICE, "Failed to authenticate on INVITE to '%s'\n", get_header(&p->initreq, "From"));
 						ast_set_flag(p, SIP_NEEDDESTROY);	
+						if (p->owner)
+							ast_queue_control(p->owner, AST_CONTROL_CONGESTION);
+						ast_set_flag(p, SIP_ALREADYGONE);	
 					}
 				}
 			} else if (sipmethod == SIP_BYE || sipmethod == SIP_REFER) {
@@ -8973,7 +8989,7 @@ static void handle_response(struct sip_pvt *p, int resp, char *rest, struct sip_
 					ast_log(LOG_WARNING, "Asked to authenticate %s, to %s:%d but we have no matching peer!\n",
 							msg, ast_inet_ntoa(iabuf, sizeof(iabuf), p->recv.sin_addr), ntohs(p->recv.sin_port));
 					ast_set_flag(p, SIP_NEEDDESTROY);	
-				if ((p->authtries > 1) || do_proxy_auth(p, req, "Proxy-Authenticate", "Proxy-Authorization", sipmethod, 0)) {
+				if ((p->authtries == MAX_AUTHTRIES) || do_proxy_auth(p, req, "Proxy-Authenticate", "Proxy-Authorization", sipmethod, 0)) {
 					ast_log(LOG_NOTICE, "Failed to authenticate on %s to '%s'\n", msg, get_header(&p->initreq, "From"));
 					ast_set_flag(p, SIP_NEEDDESTROY);	
 				}
@@ -9078,9 +9094,10 @@ static void handle_response(struct sip_pvt *p, int resp, char *rest, struct sip_
 		switch(resp) {
 		case 200:
 			/* Change branch since this is a 200 response */
-			if (sipmethod == SIP_INVITE)
+			if (sipmethod == SIP_INVITE) {
 				transmit_request(p, SIP_ACK, seqno, 0, 1);
-			else if (sipmethod == SIP_MESSAGE)
+				p->authtries = 0;
+			} else if (sipmethod == SIP_MESSAGE)
 				/* We successfully transmitted a message */
 				ast_set_flag(p, SIP_NEEDDESTROY);	
 			break;
@@ -9089,7 +9106,7 @@ static void handle_response(struct sip_pvt *p, int resp, char *rest, struct sip_
 				if (ast_strlen_zero(p->authname))
 					ast_log(LOG_WARNING, "Asked to authenticate %s, to %s:%d but we have no matching peer!\n",
 							msg, ast_inet_ntoa(iabuf, sizeof(iabuf), p->recv.sin_addr), ntohs(p->recv.sin_port));
-				if ((p->authtries > 1) || do_proxy_auth(p, req, "Proxy-Authenticate", "Proxy-Authorization", sipmethod, 0)) {
+				if ((p->authtries == MAX_AUTHTRIES) || do_proxy_auth(p, req, "Proxy-Authenticate", "Proxy-Authorization", sipmethod, 0)) {
 					ast_log(LOG_NOTICE, "Failed to authenticate on %s to '%s'\n", msg, get_header(&p->initreq, "From"));
 					ast_set_flag(p, SIP_NEEDDESTROY);	
 				}
author	kpfleming <kpfleming@f38db490-d61c-443f-a65b-d21fe96a405b>	2005-08-25 02:19:42 +0000
committer	kpfleming <kpfleming@f38db490-d61c-443f-a65b-d21fe96a405b>	2005-08-25 02:19:42 +0000
commit	84a3ab489dd406fc3113a99d53ee268bfa0baece (patch)
tree	6a9fa06ec475a9699c92cfb1cdf1441d08e5b2f6 /channels
parent	de71602f3b67cc61aa88a4626b9a8913323cd3fc (diff)