Changeset 1290


Timestamp:
May 23, 2007 7:05:59 AM (17 years ago)
Author:
bennylp
Message:

Ticket #287: selectively disable authentication for several STUN error responses

Location:
pjproject/trunk/pjnath
Files:
3 edited

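--- a/pjproject/trunk/pjnath/include/pjnath/stun_auth.h
+++ b/pjproject/trunk/pjnath/include/pjnath/stun_auth.h
@@ -296,4 +296,17 @@
  
 /** 
+ * Determine if STUN message can be authenticated. Some STUN error 
+ * responses cannot be authenticated since they cannot contain STUN 
+ * MESSAGE-INTEGRITY attribute. STUN Indication messages also cannot 
+ * be authenticated. 
+ * 
+ * @param msg           The STUN message. 
+ * 
+ * @return              Non-zero if the STUN message can be authenticated. 
+ */ 
+PJ_DECL(pj_bool_t) pj_stun_auth_valid_for_msg(const pj_stun_msg *msg); 
+ 
+ 
+/** 
  * Verify credential in the STUN response. Note that before calling this 
  * function, application must have checked that the message contains 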
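Review bot: The doc comment for `pj_stun_auth_valid_for_msg()` does not say what a zero result means for the caller, nor that the answer is derived from the message's own header type and ERROR-CODE before any integrity check has run. Since the callers in stun_session.c use the result to decide whether MESSAGE-INTEGRITY is applied or verified at all, I would add a sentence such as `A zero return means the message is handled without MESSAGE-INTEGRITY; its attributes must be treated as unauthenticated.` It would also help to name the exempt error codes (or point to the switch in stun_auth.c) and to state that an error response with no ERROR-CODE attribute is reported as authenticable.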
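--- a/pjproject/trunk/pjnath/src/pjnath/stun_auth.c
+++ b/pjproject/trunk/pjnath/src/pjnath/stun_auth.c
@@ -22,6 +22,8 @@
 #include <pjlib-util/sha1.h> 
 #include <pj/assert.h> 
+#include <pj/log.h> 
 #include <pj/string.h> 
  
+#define THIS_FILE   "stun_auth.c" 
  
 /* Duplicate credential */ 
@@ -349,4 +351,45 @@
  
  
+/* Determine if STUN message can be authenticated */ 
+PJ_DEF(pj_bool_t) pj_stun_auth_valid_for_msg(const pj_stun_msg *msg) 
+{ 
+    unsigned msg_type = msg->hdr.type; 
+    const pj_stun_errcode_attr *err_attr; 
+ 
+    /* STUN requests and success response can be authenticated */ 
+    if (!PJ_STUN_IS_ERROR_RESPONSE(msg_type) &&  
+        !PJ_STUN_IS_INDICATION(msg_type)) 
+    { 
+        return PJ_TRUE; 
+    } 
+ 
+    /* STUN Indication cannot be authenticated */ 
+    if (PJ_STUN_IS_INDICATION(msg_type)) 
+        return PJ_FALSE; 
+ 
+    /* Authentication for STUN error responses depend on the error 
+     * code. 
+     */ 
+    err_attr = (const pj_stun_errcode_attr*) 
+               pj_stun_msg_find_attr(msg, PJ_STUN_ATTR_ERROR_CODE, 0); 
+    if (err_attr == NULL) { 
+        PJ_LOG(4,(THIS_FILE, "STUN error code attribute not present in " 
+                             "error response")); 
+        return PJ_TRUE; 
+    } 
+ 
+    switch (err_attr->err_code) { 
+    case PJ_STUN_SC_UNAUTHORIZED: 
+    case PJ_STUN_SC_MISSING_USERNAME: 
+    case PJ_STUN_SC_MISSING_REALM: 
+    case PJ_STUN_SC_UNKNOWN_USERNAME: 
+    case PJ_STUN_SC_INTEGRITY_CHECK_FAILURE: 
+        return PJ_FALSE; 
+    default: 
+        return PJ_TRUE; 
+    } 
+} 
+ 
+ 
 /* Authenticate MESSAGE-INTEGRITY in the response */ 
 PJ_DEF(pj_status_t) pj_stun_authenticate_response(const pj_uint8_t *pkt, 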
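Review bot: The `switch` on `err_attr->err_code` in `pj_stun_auth_valid_for_msg()` is the list of error responses that will be sent or accepted without MESSAGE-INTEGRITY, yet nothing at that spot says why these five codes are exempt or that the list is security-sensitive. A comment above it, e.g. `/* Codes below are exempt from MESSAGE-INTEGRITY; every other error response stays authenticated. Keep this list minimal. */`, would make the fail-closed `default: return PJ_TRUE` and the `PJ_TRUE` returned when ERROR-CODE is missing read as deliberate. Separately, the indication test is evaluated twice; `if (PJ_STUN_IS_INDICATION(msg_type)) return PJ_FALSE;` followed by `if (!PJ_STUN_IS_ERROR_RESPONSE(msg_type)) return PJ_TRUE;` states the same logic more directly. `msg` is dereferenced on the first line without a check, so the non-NULL precondition should at least be documented.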
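--- a/pjproject/trunk/pjnath/src/pjnath/stun_session.c
+++ b/pjproject/trunk/pjnath/src/pjnath/stun_session.c
@@ -268,6 +268,5 @@
     } 
  
-    need_auth = PJ_STUN_IS_REQUEST(msg->hdr.type) || 
-                PJ_STUN_IS_SUCCESS_RESPONSE(msg->hdr.type); 
+    need_auth = pj_stun_auth_valid_for_msg(msg); 
  
     if (sess->cred && sess->cred->type == PJ_STUN_AUTH_CRED_STATIC && 
@@ -844,5 +843,6 @@
      * is specified in the option. 
      */ 
-    if ((options & PJ_STUN_NO_AUTHENTICATE) == 0 && tdata->auth_key.slen != 0) 
+    if ((options & PJ_STUN_NO_AUTHENTICATE) == 0 && tdata->auth_key.slen != 0 
+        && pj_stun_auth_valid_for_msg(msg)) 
     { 
         status = pj_stun_authenticate_response(pkt, pkt_len, msg,  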
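Review bot: In the second hunk the added `&& pj_stun_auth_valid_for_msg(msg)` lets the content of a response that has not been verified yet decide whether `pj_stun_authenticate_response()` runs, so an error response carrying one of the exempt codes is accepted without MESSAGE-INTEGRITY even when `tdata->auth_key.slen != 0`. That is presumably the intent of ticket #287, but the skip is silent; I would log when a response bypasses authentication while a key is configured, and add a comment at the condition such as `/* Exempt error responses are unauthenticated: use them only to fail or retry the request */`. Whether the code after this block limits what it takes from such a response cannot be judged from the hunk, because the enclosing function begins and ends outside it. The first hunk routes `need_auth` through the same helper, which also turns it on for error responses outside the exempt list; that function is likewise only partly visible.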