Changeset 1290 for pjproject/trunk

Timestamp:

May 23, 2007 7:05:59 AM (18 years ago)

Author:

bennylp

Message:

Ticket #287: selectively disable authentication for several STUN error responses

Location:

pjproject/trunk/pjnath

Files:

• include/pjnath/stun_auth.h (modified) (1 diff)
• src/pjnath/stun_auth.c (modified) (2 diffs)
• src/pjnath/stun_session.c (modified) (2 diffs)

pjproject/trunk/pjnath/include/pjnath/stun_auth.h

@@ -296 +296 @@
 
 /**
+ * Determine if STUN message can be authenticated. Some STUN error
+ * responses cannot be authenticated since they cannot contain STUN
+ * MESSAGE-INTEGRITY attribute. STUN Indication messages also cannot
+ * be authenticated.
+ *
+ * @param msg           The STUN message.
+ *
+ * @return              Non-zero if the STUN message can be authenticated.
+ */
+PJ_DECL(pj_bool_t) pj_stun_auth_valid_for_msg(const pj_stun_msg *msg);
+
+
+/**
  * Verify credential in the STUN response. Note that before calling this
  * function, application must have checked that the message contains

pjproject/trunk/pjnath/src/pjnath/stun_auth.c

@@ -22 +22 @@
 #include <pjlib-util/sha1.h>
 #include <pj/assert.h>
+#include <pj/log.h>
 #include <pj/string.h>
 
+#define THIS_FILE   "stun_auth.c"
 
 /* Duplicate credential */
@@ -349 +351 @@
 
 
+/* Determine if STUN message can be authenticated */
+PJ_DEF(pj_bool_t) pj_stun_auth_valid_for_msg(const pj_stun_msg *msg)
+{
+    unsigned msg_type = msg->hdr.type;
+    const pj_stun_errcode_attr *err_attr;
+
+    /* STUN requests and success response can be authenticated */
+    if (!PJ_STUN_IS_ERROR_RESPONSE(msg_type) && 
+        !PJ_STUN_IS_INDICATION(msg_type))
+    {
+        return PJ_TRUE;
+    }
+
+    /* STUN Indication cannot be authenticated */
+    if (PJ_STUN_IS_INDICATION(msg_type))
+        return PJ_FALSE;
+
+    /* Authentication for STUN error responses depend on the error
+     * code.
+     */
+    err_attr = (const pj_stun_errcode_attr*)
+               pj_stun_msg_find_attr(msg, PJ_STUN_ATTR_ERROR_CODE, 0);
+    if (err_attr == NULL) {
+        PJ_LOG(4,(THIS_FILE, "STUN error code attribute not present in "
+                             "error response"));
+        return PJ_TRUE;
+    }
+
+    switch (err_attr->err_code) {
+    case PJ_STUN_SC_UNAUTHORIZED:
+    case PJ_STUN_SC_MISSING_USERNAME:
+    case PJ_STUN_SC_MISSING_REALM:
+    case PJ_STUN_SC_UNKNOWN_USERNAME:
+    case PJ_STUN_SC_INTEGRITY_CHECK_FAILURE:
+        return PJ_FALSE;
+    default:
+        return PJ_TRUE;
+    }
+}
+
+
 /* Authenticate MESSAGE-INTEGRITY in the response */
 PJ_DEF(pj_status_t) pj_stun_authenticate_response(const pj_uint8_t *pkt,

pjproject/trunk/pjnath/src/pjnath/stun_session.c

@@ -268 +268 @@
     }
 
-    need_auth = PJ_STUN_IS_REQUEST(msg->hdr.type) ||
-                PJ_STUN_IS_SUCCESS_RESPONSE(msg->hdr.type);
+    need_auth = pj_stun_auth_valid_for_msg(msg);
 
     if (sess->cred && sess->cred->type == PJ_STUN_AUTH_CRED_STATIC &&
@@ -844 +843 @@
      * is specified in the option.
      */
-    if ((options & PJ_STUN_NO_AUTHENTICATE) == 0 && tdata->auth_key.slen != 0)
+    if ((options & PJ_STUN_NO_AUTHENTICATE) == 0 && tdata->auth_key.slen != 0
+        && pj_stun_auth_valid_for_msg(msg))
     {
         status = pj_stun_authenticate_response(pkt, pkt_len, msg,