From: Mark Michelson Date: Mon, 27 Apr 2015 21:56:31 +0000 (-0500) Subject: res_pjsip_outbound_registration: Don't fail on delayed processing: 13. X-Git-Tag: certified/13.1-cert3-rc1~16 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=11d85ea2511fcfdc444ea627d7f636ce8912510b;p=thirdparty%2Fasterisk.git res_pjsip_outbound_registration: Don't fail on delayed processing: 13. This is the Asterisk 13 version of a change to master that allows for registration responses to be processed successfully potentially after the original transaction has timed out. The main difference between this and the master change is that the master version has API changes that are unacceptable for 13. For 13, this is worked around by adding a new API call that the outbound registration code uses instead. The following is the text from the master version of this commit: Odd behaviors have been observed during outbound registrations. The most common problem witnessed has been one where a request with authentication credentials cannot be created after receiving a 401 response. Other behaviors include apparently processing an incorrect SIP response. Inspecting the code led to an apparent issue with regards to how we handle transactions in outbound registration code. When a response to a REGISTER arrives, we save a pointer to the transaction and then push a task onto the registration serializer. Between the time that we save the pointer and push the task, it's possible for the transaction to be destroyed due to a timeout. It's also possible for the address to be reused by the transaction layer for a new transaction. To allow for authentication of a REGISTER request to be authenticated after the transaction has timed out, we now also hold a reference to the original REGISTER request instead of the transaction. The function for creating a request with authentication has been altered to take the original request instead of the transaction where the original request was sent. ASTERISK-25020 Reported by Mark Michelson Change-Id: If1ee5f601be839479a219424f0358a229f358f7c --- diff --git a/include/asterisk/res_pjsip.h b/include/asterisk/res_pjsip.h index 82e7ccf18a..a4795565f9 100644 --- a/include/asterisk/res_pjsip.h +++ b/include/asterisk/res_pjsip.h @@ -689,6 +689,18 @@ struct ast_sip_outbound_authenticator { */ int (*create_request_with_auth)(const struct ast_sip_auth_vector *auths, struct pjsip_rx_data *challenge, struct pjsip_transaction *tsx, struct pjsip_tx_data **new_request); + /*! + * \brief Create a new request with authentication credentials based on old request + * + * \param auths A vector of IDs of auth sorcery objects + * \param challenge The SIP response with authentication challenge(s) + * \param old_request The request that resulted in challenge(s) + * \param new_request The new SIP request with challenge response(s) + * \retval 0 Successfully created new request + * \retval -1 Failed to create a new request + */ + int (*create_request_with_auth_from_old)(const struct ast_sip_auth_vector *auths, struct pjsip_rx_data *challenge, + struct pjsip_tx_data *old_request, struct pjsip_tx_data **new_request); }; /*! @@ -1424,6 +1436,17 @@ enum ast_sip_check_auth_result ast_sip_check_authentication(struct ast_sip_endpo int ast_sip_create_request_with_auth(const struct ast_sip_auth_vector *auths, pjsip_rx_data *challenge, pjsip_transaction *tsx, pjsip_tx_data **new_request); +/*! + * \brief Create a response to an authentication challenge + * + * This will call into an outbound authenticator's create_request_with_auth callback + * to create a new request with authentication credentials. See the create_request_with_auth_from_old + * callback in the \ref ast_sip_outbound_authenticator structure for details about + * the parameters and return values. + */ +int ast_sip_create_request_with_auth_from_old(const struct ast_sip_auth_vector *auths, pjsip_rx_data *challenge, + pjsip_tx_data *old_request, pjsip_tx_data **new_request); + /*! * \brief Determine the endpoint that has sent a SIP message * diff --git a/res/res_pjsip.c b/res/res_pjsip.c index f78050c57a..39e61a8b43 100644 --- a/res/res_pjsip.c +++ b/res/res_pjsip.c @@ -1921,6 +1921,16 @@ int ast_sip_create_request_with_auth(const struct ast_sip_auth_vector *auths, pj return registered_outbound_authenticator->create_request_with_auth(auths, challenge, tsx, new_request); } +int ast_sip_create_request_with_auth_from_old(const struct ast_sip_auth_vector *auths, pjsip_rx_data *challenge, + pjsip_tx_data *old_request, pjsip_tx_data **new_request) +{ + if (!registered_outbound_authenticator) { + ast_log(LOG_WARNING, "No SIP outbound authenticator registered. Cannot respond to authentication challenge\n"); + return -1; + } + return registered_outbound_authenticator->create_request_with_auth_from_old(auths, challenge, old_request, new_request); +} + struct endpoint_identifier_list { const char *name; unsigned int priority; diff --git a/res/res_pjsip_outbound_authenticator_digest.c b/res/res_pjsip_outbound_authenticator_digest.c index 64238a868f..8ad1899402 100644 --- a/res/res_pjsip_outbound_authenticator_digest.c +++ b/res/res_pjsip_outbound_authenticator_digest.c @@ -101,13 +101,13 @@ cleanup: return res; } -static int digest_create_request_with_auth(const struct ast_sip_auth_vector *auths, pjsip_rx_data *challenge, - pjsip_transaction *tsx, pjsip_tx_data **new_request) +static int digest_create_request_with_auth_from_old(const struct ast_sip_auth_vector *auths, pjsip_rx_data *challenge, + pjsip_tx_data *old_request, pjsip_tx_data **new_request) { pjsip_auth_clt_sess auth_sess; if (pjsip_auth_clt_init(&auth_sess, ast_sip_get_pjsip_endpoint(), - tsx->pool, 0) != PJ_SUCCESS) { + old_request->pool, 0) != PJ_SUCCESS) { ast_log(LOG_WARNING, "Failed to initialize client authentication session\n"); return -1; } @@ -118,7 +118,7 @@ static int digest_create_request_with_auth(const struct ast_sip_auth_vector *aut } switch (pjsip_auth_clt_reinit_req(&auth_sess, challenge, - tsx->last_tx, new_request)) { + old_request, new_request)) { case PJ_SUCCESS: return 0; case PJSIP_ENOCREDENTIAL: @@ -140,6 +140,12 @@ static int digest_create_request_with_auth(const struct ast_sip_auth_vector *aut return -1; } +static int digest_create_request_with_auth(const struct ast_sip_auth_vector *auths, pjsip_rx_data *challenge, + pjsip_transaction *tsx, pjsip_tx_data **new_request) +{ + return digest_create_request_with_auth_from_old(auths, challenge, tsx->last_tx, new_request); +} + static struct ast_sip_outbound_authenticator digest_authenticator = { .create_request_with_auth = digest_create_request_with_auth, }; diff --git a/res/res_pjsip_outbound_registration.c b/res/res_pjsip_outbound_registration.c index df2f457804..8ece16397c 100644 --- a/res/res_pjsip_outbound_registration.c +++ b/res/res_pjsip_outbound_registration.c @@ -505,8 +505,8 @@ struct registration_response { struct sip_outbound_registration_client_state *client_state; /*! \brief The response message */ pjsip_rx_data *rdata; - /*! \brief The response transaction */ - pjsip_transaction *tsx; + /*! \brief Request for which the response was received */ + pjsip_tx_data *old_request; }; /*! \brief Registration response structure destructor */ @@ -518,6 +518,10 @@ static void registration_response_destroy(void *obj) pjsip_rx_data_free_cloned(response->rdata); } + if (response->old_request) { + pjsip_tx_data_dec_ref(response->old_request); + } + ao2_cleanup(response->client_state); } @@ -570,19 +574,19 @@ static int handle_registration_response(void *data) ast_copy_pj_str(client_uri, &info.client_uri, sizeof(client_uri)); if (response->client_state->status == SIP_REGISTRATION_STOPPED) { - ast_debug(1, "Not handling registration response from '%s' (transaction %s). Registration already stopped\n", - server_uri, response->tsx ? response->tsx->obj_name : ""); + ast_debug(1, "Not handling registration response from server '%s' to client '%s'. Registration already stopped\n", + server_uri, client_uri); return 0; } - ast_debug(1, "Processing REGISTER response %d from '%s' (transaction %s)\n", - response->code, server_uri, response->tsx ? response->tsx->obj_name : ""); + ast_debug(1, "Processing REGISTER response %d from server '%s' to client '%s'\n", + response->code, server_uri, client_uri); if (!response->client_state->auth_attempted && (response->code == 401 || response->code == 407)) { pjsip_tx_data *tdata; - if (!ast_sip_create_request_with_auth(&response->client_state->outbound_auths, - response->rdata, response->tsx, &tdata)) { + if (!ast_sip_create_request_with_auth_from_old(&response->client_state->outbound_auths, + response->rdata, response->old_request, &tdata)) { ao2_ref(response->client_state, +1); response->client_state->auth_attempted = 1; ast_debug(1, "Sending authenticated REGISTER to server '%s' from client '%s'\n", @@ -679,9 +683,12 @@ static void sip_outbound_registration_response_cb(struct pjsip_regc_cbparam *par if (param->rdata) { struct pjsip_retry_after_hdr *retry_after = pjsip_msg_find_hdr(param->rdata->msg_info.msg, PJSIP_H_RETRY_AFTER, NULL); + pjsip_transaction *tsx; response->retry_after = retry_after ? retry_after->ivalue : 0; - response->tsx = pjsip_rdata_get_tsx(param->rdata); + tsx = pjsip_rdata_get_tsx(param->rdata); + response->old_request = tsx->last_tx; + pjsip_tx_data_add_ref(response->old_request); pjsip_rx_data_clone(param->rdata, 0, &response->rdata); }