Don't authenticate SUBSCRIBE re-transmissions

This only skips authentication on retransmissions that are already
authenticated. A similar method is already used for INVITES. This
is the kind of thing we end up having to do when we don't have a
transaction layer...

(closes issue #18075)
Reported by: mdu113
Patches:
      diff.txt uploaded by twilson (license 396)
Tested by: twilson, mdu113

Review: https://reviewboard.asterisk.org/r/1005/

git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.4@300216 65c4cc65-6c06-0410-ace0-fbb531ad65f3

diff --git a/channels/chan_sip.c b/channels/chan_sip.c
index 17f519678a49b9b650aafde7bfba4cdfc305d883..993ae5ae9b372c719adeff4cea94713ff3c7b7b4 100644 (file)
--- a/channels/chan_sip.c
+++ b/channels/chan_sip.c
@@ -16445,7 +16445,7 @@ static int handle_request_subscribe(struct sip_pvt *p, struct sip_request *req,
        int firststate = AST_EXTENSION_REMOVED;
        struct sip_peer *authpeer = NULL;
        const char *eventheader = get_header(req, "Event");     /* Get Event package name */
-       int resubscribe = (p->subscribed != NONE);
+       int resubscribe = (p->subscribed != NONE) && !ast_test_flag(req, SIP_PKT_IGNORE);
        char *temp, *event;
 
        if (p->initreq.headers) {       
@@ -16463,7 +16463,7 @@ static int handle_request_subscribe(struct sip_pvt *p, struct sip_request *req,
                                if (resubscribe)
                                        ast_log(LOG_DEBUG, "Got a re-subscribe on existing subscription %s\n", p->callid);
                                else
-                                       ast_log(LOG_DEBUG, "Got a new subscription %s (possibly with auth)\n", p->callid);
+                                       ast_log(LOG_DEBUG, "Got a new subscription %s (possibly with auth) or retransmission\n", p->callid);
                        }
                }
        }
@@ -16517,26 +16517,31 @@ static int handle_request_subscribe(struct sip_pvt *p, struct sip_request *req,
        } else
                event = (char *) eventheader;           /* XXX is this legal ? */
 
-       /* Handle authentication */
-       res = check_user_full(p, req, SIP_SUBSCRIBE, e, 0, sin, &authpeer);
-       /* if an authentication response was sent, we are done here */
-       if (res == AUTH_CHALLENGE_SENT) {
-               if (authpeer)
-                       ASTOBJ_UNREF(authpeer, sip_destroy_peer);
-               return 0;
-       }
-       if (res < 0) {
-               if (res == AUTH_FAKE_AUTH) {
-                       ast_log(LOG_NOTICE, "Sending fake auth rejection for user %s\n", get_header(req, "From"));
-                       transmit_fake_auth_response(p, SIP_SUBSCRIBE, req, XMIT_UNRELIABLE);
-               } else {
-                       ast_log(LOG_NOTICE, "Failed to authenticate user %s for SUBSCRIBE\n", get_header(req, "From"));
-                       transmit_response_reliable(p, "403 Forbidden", req);
+       /* Handle authentication if we're new and not a retransmission. We can't just
+        * use if !(ast_test_flag(req, SIP_PKT_IGNORE), because then we'll end up sending
+        * a 200 OK if someone retransmits without sending auth */
+       if (p->subscribed == NONE || resubscribe) {
+               res = check_user_full(p, req, SIP_SUBSCRIBE, e, 0, sin, &authpeer);
+
+               /* if an authentication response was sent, we are done here */
+               if (res == AUTH_CHALLENGE_SENT) {
+                       if (authpeer)
+                               ASTOBJ_UNREF(authpeer, sip_destroy_peer);
+                       return 0;
+               }
+               if (res < 0) {
+                       if (res == AUTH_FAKE_AUTH) {
+                               ast_log(LOG_NOTICE, "Sending fake auth rejection for user %s\n", get_header(req, "From"));
+                               transmit_fake_auth_response(p, SIP_SUBSCRIBE, req, XMIT_UNRELIABLE);
+                       } else {
+                               ast_log(LOG_NOTICE, "Failed to authenticate user %s for SUBSCRIBE\n", get_header(req, "From"));
+                               transmit_response_reliable(p, "403 Forbidden", req);
+                       }
+                       ast_set_flag(&p->flags[0], SIP_NEEDDESTROY);    
+                       if (authpeer)
+                               ASTOBJ_UNREF(authpeer, sip_destroy_peer);
+                       return 0;
                }
-               ast_set_flag(&p->flags[0], SIP_NEEDDESTROY);    
-               if (authpeer)
-                       ASTOBJ_UNREF(authpeer, sip_destroy_peer);
-               return 0;
        }
 
        /* Check if this user/peer is allowed to subscribe at all */