Asterisk
/
asterisk
mirror of https://github.com/asterisk/asterisk
1
0
Fork 0
Code Issues Releases Wiki Activity

res_pjsip_authenticator_digest: Fix issue with missing auth and DONT_OPTIMIZE

Browse Source 
The return code fom digest_check_auth wasn't explicitly being initialized.
The return code also wasn't explicitly set to CHALLENGE when challenges
were sent.  When optimization was turned off (DONT_OPTIMIZE), the compiler
was setting it to "0"(CHALLENGE) which worked fine.  However, with
optimization turned on, it was setting it to "1" (SUCCESS) so if there was
no incoming Authorization header, the function was returning SUCCESS to the
distributor allowing the request to incorrectly succeed.

The return code is now initialized correctly and is now explicitly set
to CHALLENGE when we send challenges.
pull/1074/head
George Joseph 3 months ago committed by asterisk-org-access-app[bot]
parent cd97f4069d
commit ff0fb401ae
1 changed files with 11 additions and 3 deletions
Show Stats Download Patch File Download Diff File

14
res/res_pjsip_authenticator_digest.c
Unescape View File

@ -566,7 +566,7 @@ static enum ast_sip_check_auth_result digest_check_auth(struct ast_sip_endpoint
struct ast_sip_auth **auths; struct ast_sip_auth **auths;
enum digest_verify_result *verify_res; enum digest_verify_result *verify_res;
struct ast_sip_endpoint *artificial_endpoint; struct ast_sip_endpoint *artificial_endpoint;
enum ast_sip_check_auth_result res; enum ast_sip_check_auth_result res = AST_SIP_AUTHENTICATION_ERROR;
int idx; int idx;
int is_artificial; int is_artificial;
int failures = 0; int failures = 0;
@ -674,6 +674,7 @@ static enum ast_sip_check_auth_result digest_check_auth(struct ast_sip_endpoint
SCOPE_CALL(5, challenge, endpoint_id, auth, tdata, rdata, SCOPE_CALL(5, challenge, endpoint_id, auth, tdata, rdata,
verify_res[idx] == AUTH_STALE, algorithm); verify_res[idx] == AUTH_STALE, algorithm);
res = AST_SIP_AUTHENTICATION_CHALLENGE;
SCOPE_EXIT("%s:%s:%s: Challenged with " PJSTR_PRINTF_SPEC "\n", SCOPE_EXIT("%s:%s:%s: Challenged with " PJSTR_PRINTF_SPEC "\n",
endpoint_id, auth_id, src_name, PJSTR_PRINTF_VAR(algorithm->iana_name)); endpoint_id, auth_id, src_name, PJSTR_PRINTF_VAR(algorithm->iana_name));
@ -689,10 +690,17 @@ static enum ast_sip_check_auth_result digest_check_auth(struct ast_sip_endpoint
* auth object as a UAS. * auth object as a UAS.
*/ */
/*
* If the authentication failed for any reason, we want to send
* a 401 with a challenge. If it was because there was no
* Authorization header or there was a stale nonce, fine. That's not
* unusual so we return AST_SIP_AUTHENTICATION_CHALLENGE. If it
* failed because of a user/password mismatch then we return
* AST_SIP_AUTHENTICATION_FAILED which causes the distributor to
* print a "Failed to authenticate" message.
*/
if (failures == auth_size) { if (failures == auth_size) {
res = AST_SIP_AUTHENTICATION_FAILED; res = AST_SIP_AUTHENTICATION_FAILED;
} else if (res != AST_SIP_AUTHENTICATION_SUCCESS){
res = AST_SIP_AUTHENTICATION_CHALLENGE;
} }
ast_sip_cleanup_auths(auths, auth_size); ast_sip_cleanup_auths(auths, auth_size);

Write Preview
Loading…
Cancel
Save