kenmirrors/freeswitch
1
0
Fork 0
mirror of https://github.com/signalwire/freeswitch.git synced 2025-05-16 13:10:05 +00:00
Code Issues Projects Releases Wiki Activity

BOUNTY-12

Browse Source 
git-svn-id: http://svn.freeswitch.org/svn/freeswitch/trunk@16200 d0543943-73ff-0310-b7d9-9358b9ac24b2
This commit is contained in:
Raymond Chandler 2010-01-07 18:47:53 +00:00
parent 222d5d9131
commit c031e681b8
1 changed files with 80 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

76
src/mod/endpoints/mod_sofia/sofia_reg.c
View File

@ -1365,7 +1365,7 @@ void sofia_reg_handle_sip_i_register(nua_t *nua, sofia_profile_t *profile, nua_h
if (ok && !sofia_test_pflag(profile, PFLAG_BLIND_REG)) { if (ok && !sofia_test_pflag(profile, PFLAG_BLIND_REG)) {
type = REG_AUTO_REGISTER; type = REG_AUTO_REGISTER;
} else if (!ok) { } else if (!ok) {
switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_WARNING, "IP %s Rejected by acl \"%s\"\n", network_ip, profile->reg_acl[x]); switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_WARNING, "IP %s Rejected by register acl \"%s\"\n", network_ip, profile->reg_acl[x]);
nua_respond(nh, SIP_403_FORBIDDEN, NUTAG_WITH_THIS(nua), TAG_END()); nua_respond(nh, SIP_403_FORBIDDEN, NUTAG_WITH_THIS(nua), TAG_END());
goto end; goto end;
} }
@ -1656,6 +1656,7 @@ auth_res_t sofia_reg_parse_auth(sofia_profile_t *profile,
switch_event_t *params = NULL; switch_event_t *params = NULL;
const char *auth_acl = NULL; const char *auth_acl = NULL;
long ncl = 0; long ncl = 0;
sip_unknown_t *un;
username = realm = nonce = uri = qop = cnonce = nc = response = NULL; username = realm = nonce = uri = qop = cnonce = nc = response = NULL;
@ -1787,6 +1788,17 @@ auth_res_t sofia_reg_parse_auth(sofia_profile_t *profile,
} }
} }
for (un = sip->sip_unknown; un; un = un->un_next) {
if (!strncasecmp(un->un_name, "X-", 2)) {
if (!zstr(un->un_value)) {
switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_DEBUG, "adding %s => %s to xml_curl request\n", un->un_name, un->un_value);
switch_event_add_header_string(params, SWITCH_STACK_BOTTOM, un->un_name, un->un_value);
}
} else {
switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_DEBUG, "skipping %s => %s from xml_curl request\n", un->un_name, un->un_value);
}
}
if (qop) { if (qop) {
switch_event_add_header_string(params, SWITCH_STACK_BOTTOM, "sip_auth_qop", qop); switch_event_add_header_string(params, SWITCH_STACK_BOTTOM, "sip_auth_qop", qop);
} }
@ -1927,9 +1939,69 @@ auth_res_t sofia_reg_parse_auth(sofia_profile_t *profile,
if (auth_acl) { if (auth_acl) {
if (!switch_check_network_list_ip(ip, auth_acl)) { if (!switch_check_network_list_ip(ip, auth_acl)) {
switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_WARNING, "IP %s Rejected by user acl %s\n", ip, auth_acl); int network_ip_is_proxy, x = 0;
char *last_acl = NULL;
if (profile->proxy_acl_count == 0) {
switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_WARNING, "IP %s Rejected by user acl [%s] and no proxy acl present\n", ip, auth_acl);
ret = AUTH_FORBIDDEN; ret = AUTH_FORBIDDEN;
goto end; goto end;
} else {
switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_DEBUG, "IP %s Rejected by user acl [%s] checking proxy ACLs now\n", ip, auth_acl);
}
/* Check if network_ip is a proxy allowed to send us calls */
switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_DEBUG, "%d acls to check for proxy\n", profile->proxy_acl_count);
for (x = 0; x < profile->proxy_acl_count; x++) {
last_acl = profile->proxy_acl[x];
switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_DEBUG,
"checking %s against acl %s\n",
ip, last_acl
);
if (switch_check_network_list_ip(ip, last_acl)) {
switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_DEBUG,
"%s is a proxy according to the %s acl\n",
ip, last_acl
);
network_ip_is_proxy = 1;
break;
}
}
/*
* if network_ip is a proxy allowed to send traffic, check for auth
* ip header and see if it matches against the auth acl
*/
switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_DEBUG, "network ip is a proxy [%d]\n", network_ip_is_proxy);
if (network_ip_is_proxy) {
int x_auth_ip = 0;
for (un = sip->sip_unknown; un; un = un->un_next) {
if (!strcasecmp(un->un_name, "X-AUTH-IP")) {
switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_DEBUG,
"found auth ip [%s] header of [%s]\n",
un->un_name, un->un_value
);
if (!zstr(un->un_value)) {
if (!switch_check_network_list_ip(un->un_value, auth_acl)) {
switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_WARNING, "IP %s Rejected by user acl %s\n", un->un_value, auth_acl);
ret = AUTH_FORBIDDEN;
goto end;
} else {
switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_DEBUG,
"IP %s allowed by acl %s, checking credentials\n",
un->un_value, auth_acl
);
x_auth_ip = 1;
break;
}
}
}
}
if (!x_auth_ip) {
ret = AUTH_FORBIDDEN;
goto end;
}
}
} else {
switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_DEBUG, "IP [%s] passed ACL check [%s]\n", ip, auth_acl);
} }
} }