int check_http(Socket_T socket) {
Port_T P;
char host[STRLEN];
char auth[STRLEN]= {0};
const char *request = NULL;
const char *hostheader = NULL;
ASSERT(socket);
P = socket_get_Port(socket);
ASSERT(P);
request = P->request ? P->request : "/";
Util_getHTTPHostHeader(socket, host, STRLEN);
hostheader = P->request_hostheader ? P->request_hostheader : host;
if (socket_print(socket,
"GET %s HTTP/1.1\r\n"
"Host: %s\r\n"
"Accept: */*\r\n"
"User-Agent: %s/%s\r\n"
"%s\r\n",
request, hostheader, prog, VERSION,
get_auth_header(P, auth, STRLEN)) < 0) {
socket_setError(socket, "HTTP: error sending data -- %s\n", STRERROR);
return FALSE;
}
return check_request(socket, P);
}
static struct ast_sip_endpoint *auth_username_identify(pjsip_rx_data *rdata)
{
char username[64], realm[64];
struct ast_sip_endpoint *endpoint;
pjsip_authorization_hdr *auth_header = NULL;
while ((auth_header = get_auth_header(rdata, username, sizeof(username), realm, sizeof(realm),
auth_header ? auth_header->next : NULL))) {
ast_debug(3, "Attempting identify by Authorization username '%s' realm '%s'\n", username,
realm);
endpoint = find_endpoint(rdata, username, realm);
if (!endpoint) {
ast_debug(3, "Endpoint not found for Authentication username '%s' realm '%s'\n",
username, realm);
ao2_cleanup(endpoint);
continue;
}
if (!(endpoint->ident_method & AST_SIP_ENDPOINT_IDENTIFY_BY_AUTH_USERNAME)) {
ast_debug(3, "Endpoint found for '%s' but 'auth_username' method not supported'\n",
username);
ao2_cleanup(endpoint);
continue;
}
ast_debug(3, "Identified by Authorization username '%s' realm '%s'\n", username, realm);
return endpoint;
}
return NULL;
}
static int set_outbound_authentication_credentials(pjsip_auth_clt_sess *auth_sess,
const struct ast_sip_auth_vector *auth_vector, pjsip_rx_data *challenge)
{
size_t auth_size = AST_VECTOR_SIZE(auth_vector);
struct ast_sip_auth **auths = ast_alloca(auth_size * sizeof(*auths));
pjsip_cred_info *auth_creds = ast_alloca(auth_size * sizeof(*auth_creds));
pjsip_www_authenticate_hdr *auth_hdr = NULL;
int res = 0;
int i;
if (ast_sip_retrieve_auths(auth_vector, auths)) {
res = -1;
goto cleanup;
}
auth_hdr = get_auth_header(challenge);
if (auth_hdr == NULL) {
res = -1;
ast_log(LOG_ERROR, "Unable to find authenticate header in challenge.\n");
goto cleanup;
}
for (i = 0; i < auth_size; ++i) {
if (ast_strlen_zero(auths[i]->realm)) {
auth_creds[i].realm = auth_hdr->challenge.common.realm;
} else {
pj_cstr(&auth_creds[i].realm, auths[i]->realm);
}
pj_cstr(&auth_creds[i].username, auths[i]->auth_user);
pj_cstr(&auth_creds[i].scheme, "digest");
switch (auths[i]->type) {
case AST_SIP_AUTH_TYPE_USER_PASS:
pj_cstr(&auth_creds[i].data, auths[i]->auth_pass);
auth_creds[i].data_type = PJSIP_CRED_DATA_PLAIN_PASSWD;
break;
case AST_SIP_AUTH_TYPE_MD5:
pj_cstr(&auth_creds[i].data, auths[i]->md5_creds);
auth_creds[i].data_type = PJSIP_CRED_DATA_DIGEST;
break;
case AST_SIP_AUTH_TYPE_ARTIFICIAL:
ast_log(LOG_ERROR, "Trying to set artificial outbound auth credentials shouldn't happen.\n");
break;
}
}
pjsip_auth_clt_set_credentials(auth_sess, auth_size, auth_creds);
cleanup:
ast_sip_cleanup_auths(auths, auth_size);
return res;
}
int check_http(Socket_T socket) {
Port_T P;
char host[STRLEN];
char auth[STRLEN] = {};
const char *request = NULL;
const char *hostheader = NULL;
ASSERT(socket);
P = socket_get_Port(socket);
ASSERT(P);
request = P->request ? P->request : "/";
hostheader = _findHostHeaderIn(P->http_headers);
hostheader = hostheader ? hostheader : P->request_hostheader
? P->request_hostheader : Util_getHTTPHostHeader(socket, host, STRLEN); // Otherwise use deprecated request_hostheader or default host
StringBuffer_T sb = StringBuffer_create(168);
StringBuffer_append(sb,
"GET %s HTTP/1.1\r\n"
"Host: %s\r\n"
"Accept: */*\r\n"
"User-Agent: Monit/%s\r\n"
"%s",
request, hostheader, VERSION,
get_auth_header(P, auth, STRLEN));
// Add headers if we have them
if (P->http_headers) {
for (list_t p = P->http_headers->head; p; p = p->next) {
if (Str_startsWith(p->e, "Host")) // Already set contrived above
continue;
StringBuffer_append(sb, "%s\r\n", p->e);
}
}
StringBuffer_append(sb, "\r\n");
int send_status = socket_write(socket, (void*)StringBuffer_toString(sb), StringBuffer_length(sb));
StringBuffer_free(&sb);
if (send_status < 0) {
socket_setError(socket, "HTTP: error sending data -- %s", STRERROR);
return FALSE;
}
return check_request(socket, P);
}
/* Function is called when 2xx responses are received. Normally we don't
* have to do anything, except for the first response after the
* authentication handshake. This specific response includes authentication
* data which should be validated by the client (mutual authentication).
*/
apr_status_t
serf__validate_response_spnego_auth(const serf__authn_scheme_t *scheme,
peer_t peer,
int code,
serf_connection_t *conn,
serf_request_t *request,
serf_bucket_t *response,
apr_pool_t *pool)
{
serf_context_t *ctx = conn->ctx;
gss_authn_info_t *gss_info;
const char *auth_hdr_name;
/* TODO: currently this function is only called when a response includes
an Authenticate header. This header is optional. If the server does
not provide this header on the first 2xx response, we will not promote
the connection from undecided to stateful. This won't break anything,
but means we stay in non-pipelining mode. */
serf__log_skt(AUTH_VERBOSE, __FILE__, conn->skt,
"Validate Negotiate response header.\n");
if (peer == HOST) {
gss_info = conn->authn_info.baton;
auth_hdr_name = "WWW-Authenticate";
} else {
gss_info = ctx->proxy_authn_info.baton;
auth_hdr_name = "Proxy-Authenticate";
}
if (gss_info->state != gss_api_auth_completed) {
serf_bucket_t *hdrs;
const char *auth_hdr_val;
apr_status_t status;
hdrs = serf_bucket_response_get_headers(response);
auth_hdr_val = get_auth_header(hdrs, auth_hdr_name, scheme->name,
pool);
if (auth_hdr_val) {
status = do_auth(peer, code, gss_info, conn, request, auth_hdr_val,
pool);
if (status) {
return status;
}
} else {
/* No Authenticate headers, nothing to validate: authentication
completed.*/
gss_info->state = gss_api_auth_completed;
serf__log_skt(AUTH_VERBOSE, __FILE__, conn->skt,
"SPNEGO handshake completed.\n");
}
}
if (gss_info->state == gss_api_auth_completed) {
switch(gss_info->pstate) {
case pstate_init:
/* Authentication of the first request is done. */
gss_info->pstate = pstate_undecided;
break;
case pstate_undecided:
/* The server didn't request for authentication even though
we didn't add an Authorization header to previous
request. That means it supports persistent authentication. */
gss_info->pstate = pstate_stateful;
serf_connection_set_max_outstanding_requests(conn, 0);
break;
default:
/* Nothing to do here. */
break;
}
}
return APR_SUCCESS;
}
static int digest_create_request_with_auth(const struct ast_sip_auth_vector *auths,
pjsip_rx_data *challenge, pjsip_tx_data *old_request, pjsip_tx_data **new_request)
{
pjsip_auth_clt_sess auth_sess;
pjsip_cseq_hdr *cseq;
pj_status_t status;
struct ast_sip_endpoint *endpoint;
char *id = NULL;
const char *id_type;
pjsip_www_authenticate_hdr *auth_hdr;
struct ast_str *realms;
pjsip_dialog *dlg;
dlg = pjsip_rdata_get_dlg(challenge);
if (dlg) {
endpoint = ast_sip_dialog_get_endpoint(dlg);
id = endpoint ? ast_strdupa(ast_sorcery_object_get_id(endpoint)) : NULL;
ao2_cleanup(endpoint);
id_type = "Endpoint";
}
/* If there was no dialog, then this is probably a REGISTER so no endpoint */
if (!id) {
id = ast_alloca(strlen(challenge->pkt_info.src_name) + 7 /* ':' + port + NULL */);
sprintf(id, "%s:%d", challenge->pkt_info.src_name, challenge->pkt_info.src_port);
id_type = "Host";
}
auth_hdr = get_auth_header(challenge, NULL);
if (auth_hdr == NULL) {
ast_log(LOG_ERROR, "%s: '%s': Unable to find authenticate header in challenge.\n",
id_type, id);
return -1;
}
if (pjsip_auth_clt_init(&auth_sess, ast_sip_get_pjsip_endpoint(),
old_request->pool, 0) != PJ_SUCCESS) {
ast_log(LOG_ERROR, "%s: '%s': Failed to initialize client authentication session\n",
id_type, id);
return -1;
}
if (set_outbound_authentication_credentials(&auth_sess, auths, challenge, auth_hdr)) {
ast_log(LOG_WARNING, "%s: '%s': Failed to set authentication credentials\n",
id_type, id);
#if defined(HAVE_PJSIP_AUTH_CLT_DEINIT)
/* In case it is not a noop here in the future. */
pjsip_auth_clt_deinit(&auth_sess);
#endif
return -1;
}
status = pjsip_auth_clt_reinit_req(&auth_sess, challenge, old_request, new_request);
#if defined(HAVE_PJSIP_AUTH_CLT_DEINIT)
/* Release any cached auths */
pjsip_auth_clt_deinit(&auth_sess);
#endif
switch (status) {
case PJ_SUCCESS:
/* PJSIP creates a new transaction for new_request (meaning it creates a new
* branch). However, it recycles the Call-ID, from-tag, and CSeq from the
* original request. Some SIP implementations will not process the new request
* since the CSeq is the same as the original request. Incrementing it here
* fixes the interop issue
*/
cseq = pjsip_msg_find_hdr((*new_request)->msg, PJSIP_H_CSEQ, NULL);
ast_assert(cseq != NULL);
++cseq->cseq;
return 0;
case PJSIP_ENOCREDENTIAL:
realms = ast_str_create(32);
if (realms) {
ast_str_append(&realms, 0, "%.*s", (int)auth_hdr->challenge.common.realm.slen,
auth_hdr->challenge.common.realm.ptr);
while((auth_hdr = get_auth_header(challenge, auth_hdr->next))) {
ast_str_append(&realms, 0, ",%.*s", (int)auth_hdr->challenge.common.realm.slen,
auth_hdr->challenge.common.realm.ptr);
}
}
ast_log(LOG_WARNING,
"%s: '%s': Unable to create request with auth. "
"No auth credentials for realm(s) '%s' in challenge.\n", id_type, id,
realms ? ast_str_buffer(realms) : "<unknown>");
ast_free(realms);
break;
case PJSIP_EAUTHSTALECOUNT:
ast_log(LOG_WARNING,
"%s: '%s': Unable to create request with auth. Number of stale retries exceeded.\n",
id_type, id);
break;
case PJSIP_EFAILEDCREDENTIAL:
ast_log(LOG_WARNING, "%s: '%s': Authentication credentials not accepted by server.\n",
id_type, id);
break;
default:
ast_log(LOG_WARNING, "%s: '%s': Unable to create request with auth. Unknown failure.\n",
id_type, id);
break;
}
return -1;
}
