Adding ability to require authentication for sip messages on a sofia profile.
authorWilliam King <william.king@quentustech.com>
Mon, 4 Feb 2013 18:00:28 +0000 (12:00 -0600)
committerWilliam King <william.king@quentustech.com>
Mon, 4 Feb 2013 18:00:28 +0000 (12:00 -0600)
src/mod/endpoints/mod_sofia/conf/sofia.conf.xml
src/mod/endpoints/mod_sofia/mod_sofia.h
src/mod/endpoints/mod_sofia/sofia.c
src/mod/endpoints/mod_sofia/sofia_presence.c

index 39c53d56d442a8b7c5c8f5880b593a2eab983e9f..150a3fe1d6df291f7466dfb754d6aa7bcd737940 100644 (file)
              register for nat handling -->
         <!-- <param name="NDLB-received-in-nat-reg-contact" value="true"/> -->
         <param name="auth-calls" value="$${internal_auth_calls}"/>
+        <!-- <param name="auth-messages" value="false"/> -->
         <!-- Force the user and auth-user to match. -->
         <param name="inbound-reg-force-matching-username" value="true"/>
         <!-- on authed calls, authenticate *all* the packets not just invite -->
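Review bot: The new `auth-messages` sample line carries no explanatory comment, unlike `inbound-reg-force-matching-username` and the entry after it, and it is added commented out with `value="false"`, so the option stays off unless an operator opts in. A one-line comment above it, such as `<!-- require authentication on inbound SIP MESSAGE requests; off unless set to true -->`, would make both the effect and the default visible to whoever hardens the profile.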
index 2690f0ee32943fef013e827c467d3b6fba1ef16e..bb09f2d95c996aa88366127427a5a1fbda1c62f4 100644 (file)
@@ -198,6 +198,7 @@ typedef enum {
 
 typedef enum {
        PFLAG_AUTH_CALLS,
+       PFLAG_AUTH_MESSAGES,
        PFLAG_BLIND_REG,
        PFLAG_AUTH_ALL,
        PFLAG_FULL_ID,
index cdaafff755d324bae30709f724e9f4c52763e2d3..9630522fffed334e887a199706f0270aa8d96dc8 100644 (file)
@@ -4198,6 +4198,10 @@ switch_status_t config_sofia(sofia_config_t reload, char *profile_name)
                                                if (switch_true(val)) {
                                                        sofia_set_pflag(profile, PFLAG_AUTH_CALLS);
                                                }
+                                       } else if (!strcasecmp(var, "auth-messages")) {
+                                               if (switch_true(val)) {
+                                                       sofia_set_pflag(profile, PFLAG_AUTH_MESSAGES);
+                                               }
                                        } else if (!strcasecmp(var, "extended-info-parsing")) {
                                                if (switch_true(val)) {
                                                        sofia_set_pflag(profile, PFLAG_EXTENDED_INFO_PARSING);
index a2b2903933af9d045c9752cc3b5d7916e5dcdb47..0d4e3bb0b999ff447ec8ae1a8a50f676694a66e8 100644 (file)
@@ -4367,6 +4367,7 @@ void sofia_presence_handle_sip_i_message(int status,
                                                                                 sofia_dispatch_event_t *de,
                                                                                 tagi_t tags[])
 {
+
        if (sip) {
                sip_from_t const *from = sip->sip_from;
                const char *from_user = NULL;
@@ -4386,6 +4387,47 @@ void sofia_presence_handle_sip_i_message(int status,
                        channel = switch_core_session_get_channel(session);
                }
 
+               if (sofia_test_pflag(profile, PFLAG_AUTH_MESSAGES) && sip){
+                       sip_authorization_t const *authorization = NULL;
+                       auth_res_t auth_res = AUTH_FORBIDDEN;
+                       char keybuf[128] = "";
+                       char *key;
+                       size_t keylen;
+                       switch_event_t *v_event = NULL;
+
+                       key = keybuf;
+                       keylen = sizeof(keybuf);
+
+                       if (sip->sip_authorization) {
+                               authorization = sip->sip_authorization;
+                       } else if (sip->sip_proxy_authorization) {
+                               authorization = sip->sip_proxy_authorization;
+                       }
+
+                       if (authorization) {
+                               char network_ip[80];
+                               sofia_glue_get_addr(de->data->e_msg, network_ip, sizeof(network_ip), NULL);
+                               auth_res = sofia_reg_parse_auth(profile, authorization, sip, de,
+                                                                                               (char *) sip->sip_request->rq_method_name, key, keylen, network_ip, NULL, 0,
+                                                                                               REG_INVITE, NULL, NULL, NULL);
+                       } else if ( sofia_reg_handle_register(nua, profile, nh, sip, de, REG_INVITE, key, keylen, &v_event, NULL)) {
+                               if (v_event) {
+                                       switch_event_destroy(&v_event);
+                               }
+
+                               goto end;
+                       }
+
+                       if ((auth_res != AUTH_OK && auth_res != AUTH_RENEWED)) {
+                               nua_respond(nh, SIP_401_UNAUTHORIZED, NUTAG_WITH_THIS_MSG(de->data->e_msg), TAG_END());
+                               goto end;
+                       }
+
+                       if (channel) {
+                               switch_channel_set_variable(channel, "sip_authorized", "true");
+                       }
+               }
+
                if ((us = sofia_glue_get_unknown_header(sip, "X-FS-Sending-Message")) && !strcmp(us, switch_core_get_uuid())) {
                        switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_WARNING, "Not sending message to ourselves!\n");
                        nua_respond(nh, SIP_503_SERVICE_UNAVAILABLE, NUTAG_WITH_THIS_MSG(de->data->e_msg), TAG_END());
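Review bot: The rejection at `if ((auth_res != AUTH_OK && auth_res != AUTH_RENEWED))` sends a bare `SIP_401_UNAUTHORIZED`: no challenge tag is passed to `nua_respond()` in the visible call, so a client whose credentials were refused has nothing to retry against, and a request that arrived with `Proxy-Authorization` is still answered with 401. Nothing on that path logs the failure, and `network_ip` is scoped to the `if (authorization)` branch, so unless `sofia_reg_parse_auth()` logs internally there is no record of the source address for spotting repeated failed attempts. On the no-credentials path `v_event` is destroyed only when `sofia_reg_handle_register()` returns non-zero; if that helper can fill it and return 0, the event leaks on the fall-through. The `&& sip` in the outer test is redundant inside `if (sip)`. The function starts and ends outside this hunk; the fence below shows the hoisted address lookup, the log line and the unconditional `v_event` release, leaving the response code itself as is.

```c
		if (sofia_test_pflag(profile, PFLAG_AUTH_MESSAGES)) {
			char network_ip[80] = "";
			/* … unchanged: remaining declarations, key/keylen setup, Authorization header selection … */

			/* resolve the peer address once so the rejection path can log it */
			sofia_glue_get_addr(de->data->e_msg, network_ip, sizeof(network_ip), NULL);

			/* … unchanged: sofia_reg_parse_auth() / sofia_reg_handle_register() branches,
			   minus the inner network_ip declaration and lookup … */

			/* the fall-through path never reads v_event, so release it here */
			if (v_event) {
				switch_event_destroy(&v_event);
			}

			if (auth_res != AUTH_OK && auth_res != AUTH_RENEWED) {
				switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_WARNING,
								  "Rejecting SIP MESSAGE from %s: authentication failed\n", network_ip);
				/* … unchanged: nua_respond() and goto end … */
			}

			/* … unchanged: sip_authorized channel variable … */
		}
```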