]> git.ipfire.org Git - thirdparty/freeswitch.git/commitdiff
BOUNTY-12
authorRaymond Chandler <intralanman@freeswitch.org>
Thu, 7 Jan 2010 18:47:53 +0000 (18:47 +0000)
committerRaymond Chandler <intralanman@freeswitch.org>
Thu, 7 Jan 2010 18:47:53 +0000 (18:47 +0000)
git-svn-id: http://svn.freeswitch.org/svn/freeswitch/trunk@16200 d0543943-73ff-0310-b7d9-9358b9ac24b2

src/mod/endpoints/mod_sofia/sofia_reg.c

index f1015e3ed6123d74260b31402fd37b571602928b..11f45d7f5091867539817628c15c3ea689a3f6a4 100644 (file)
@@ -1365,7 +1365,7 @@ void sofia_reg_handle_sip_i_register(nua_t *nua, sofia_profile_t *profile, nua_h
                if (ok && !sofia_test_pflag(profile, PFLAG_BLIND_REG)) {
                        type = REG_AUTO_REGISTER;
                } else if (!ok) {
-                       switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_WARNING, "IP %s Rejected by acl \"%s\"\n", network_ip, profile->reg_acl[x]);
+                       switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_WARNING, "IP %s Rejected by register acl \"%s\"\n", network_ip, profile->reg_acl[x]);
                        nua_respond(nh, SIP_403_FORBIDDEN, NUTAG_WITH_THIS(nua), TAG_END());
                        goto end;
                }
@@ -1656,6 +1656,7 @@ auth_res_t sofia_reg_parse_auth(sofia_profile_t *profile,
        switch_event_t *params = NULL;
        const char *auth_acl = NULL;
        long ncl = 0;
+       sip_unknown_t *un;
 
        username = realm = nonce = uri = qop = cnonce = nc = response = NULL;
 
@@ -1787,6 +1788,17 @@ auth_res_t sofia_reg_parse_auth(sofia_profile_t *profile,
                }
        }
 
+       for (un = sip->sip_unknown; un; un = un->un_next) {
+               if (!strncasecmp(un->un_name, "X-", 2)) {
+                       if (!zstr(un->un_value)) {
+                               switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_DEBUG, "adding %s => %s to xml_curl request\n", un->un_name, un->un_value);
+                               switch_event_add_header_string(params, SWITCH_STACK_BOTTOM, un->un_name, un->un_value);
+                       }
+               } else {
+                       switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_DEBUG, "skipping %s => %s from xml_curl request\n", un->un_name, un->un_value);
+               }
+       }
+
        if (qop) {
                switch_event_add_header_string(params, SWITCH_STACK_BOTTOM, "sip_auth_qop", qop);
        }
@@ -1927,17 +1939,77 @@ auth_res_t sofia_reg_parse_auth(sofia_profile_t *profile,
 
        if (auth_acl) {
                if (!switch_check_network_list_ip(ip, auth_acl)) {
-                       switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_WARNING, "IP %s Rejected by user acl %s\n", ip, auth_acl);
-                       ret = AUTH_FORBIDDEN;
-                       goto end;
+                       int network_ip_is_proxy, x = 0;
+                       char *last_acl = NULL;
+                       if (profile->proxy_acl_count == 0) {
+                               switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_WARNING, "IP %s Rejected by user acl [%s] and no proxy acl present\n", ip, auth_acl);
+                               ret = AUTH_FORBIDDEN;
+                               goto end;
+                       } else {
+                               switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_DEBUG, "IP %s Rejected by user acl [%s] checking proxy ACLs now\n", ip, auth_acl);
+                       }
+                       /* Check if network_ip is a proxy allowed to send us calls */
+                       switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_DEBUG, "%d acls to check for proxy\n", profile->proxy_acl_count);
+                       
+                       for (x = 0; x < profile->proxy_acl_count; x++) {
+                               last_acl = profile->proxy_acl[x];
+                               switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_DEBUG,
+                                                                 "checking %s against acl %s\n",
+                                                                 ip, last_acl
+                                                                 );
+                               if (switch_check_network_list_ip(ip, last_acl)) {
+                                       switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_DEBUG,
+                                                                         "%s is a proxy according to the %s acl\n",
+                                                                         ip, last_acl
+                                                                         );
+                                       network_ip_is_proxy = 1;
+                                       break;
+                               }
+                       }
+                       /*
+                        * if network_ip is a proxy allowed to send traffic, check for auth
+                        * ip header and see if it matches against the auth acl
+                        */
+                       switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_DEBUG, "network ip is a proxy [%d]\n", network_ip_is_proxy);
+                       if (network_ip_is_proxy) {
+                               int x_auth_ip = 0;
+                               for (un = sip->sip_unknown; un; un = un->un_next) {
+                                       if (!strcasecmp(un->un_name, "X-AUTH-IP")) {
+                                               switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_DEBUG,
+                                                                                 "found auth ip [%s] header of [%s]\n",
+                                                                                 un->un_name, un->un_value
+                                                                                 );
+                                               if (!zstr(un->un_value)) {
+                                                       if (!switch_check_network_list_ip(un->un_value, auth_acl)) {
+                                                               switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_WARNING, "IP %s Rejected by user acl %s\n", un->un_value, auth_acl);
+                                                               ret = AUTH_FORBIDDEN;
+                                                               goto end;
+                                                       } else {
+                                                               switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_DEBUG,
+                                                                                                 "IP %s allowed by acl %s, checking credentials\n",
+                                                                                                 un->un_value, auth_acl
+                                                                                                 );
+                                                               x_auth_ip = 1;
+                                                               break;
+                                                       }
+                                               }
+                                       }
+                               }
+                               if (!x_auth_ip) {
+                                       ret = AUTH_FORBIDDEN;
+                                       goto end;
+                               }
+                       }
+               } else {
+                       switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_DEBUG, "IP [%s] passed ACL check [%s]\n", ip, auth_acl);
                }
        }
-
+       
        if (zstr(passwd) && zstr(a1_hash)) {
                ret = AUTH_OK;
                goto skip_auth;
        }
-
+       
        if (!a1_hash) {
                input = switch_mprintf("%s:%s:%s", username, realm, passwd);
                su_md5_init(&ctx);
@@ -2013,12 +2085,12 @@ auth_res_t sofia_reg_parse_auth(sofia_profile_t *profile,
                        if (mwi_account) {
                                switch_event_add_header_string(*v_event, SWITCH_STACK_BOTTOM, "mwi-account", mwi_account);
                        }
-
+                       
                        if ((uparams = switch_xml_child(user, "params"))) {
                                xparams_type[i] = 0;
                                xparams[i++] = uparams;
                        }
-
+                       
                        if (group && (gparams = switch_xml_child(group, "params"))) {
                                xparams_type[i] = 0;
                                xparams[i++] = gparams;