diff --git a/src/mod/endpoints/mod_sofia/mod_sofia.h b/src/mod/endpoints/mod_sofia/mod_sofia.h index 308869faf8..dc9d6b8e95 100644 --- a/src/mod/endpoints/mod_sofia/mod_sofia.h +++ b/src/mod/endpoints/mod_sofia/mod_sofia.h @@ -123,7 +123,8 @@ typedef enum { PFLAG_GREEDY = (1 << 10), PFLAG_MULTIREG = (1 << 11), PFLAG_SUPRESS_CNG = (1 << 12), - PFLAG_TLS = (1 << 13) + PFLAG_TLS = (1 << 13), + PFLAG_CHECKUSER = (1 << 14) } PFLAGS; typedef enum { @@ -454,8 +455,8 @@ void sofia_presence_mwi_event_handler(switch_event_t *event); void sofia_presence_cancel(void); switch_status_t config_sofia(int reload, char *profile_name); void sofia_reg_auth_challange(nua_t *nua, sofia_profile_t *profile, nua_handle_t *nh, sofia_regtype_t regtype, const char *realm, int stale); -auth_res_t sofia_reg_parse_auth(sofia_profile_t *profile, sip_authorization_t const *authorization, - const char *regstr, char *np, size_t nplen, char *ip, switch_event_t **v_event, long exptime); +auth_res_t sofia_reg_parse_auth(sofia_profile_t *profile, sip_authorization_t const *authorization, const char *regstr, char *np, size_t nplen, + char *ip, switch_event_t **v_event, long exptime, sofia_regtype_t regtype, const char *to_user); void sofia_reg_handle_sip_r_challenge(int status, char const *phrase, nua_t *nua, sofia_profile_t *profile, diff --git a/src/mod/endpoints/mod_sofia/sofia.c b/src/mod/endpoints/mod_sofia/sofia.c index e681848e52..e8286291cf 100644 --- a/src/mod/endpoints/mod_sofia/sofia.c +++ b/src/mod/endpoints/mod_sofia/sofia.c @@ -194,7 +194,7 @@ void sofia_event_callback(nua_event_t event, char network_ip[80]; get_addr(network_ip, sizeof(network_ip), &((struct sockaddr_in *) msg_addrinfo(nua_current_request(nua))->ai_addr)->sin_addr); auth_res = sofia_reg_parse_auth(profile, authorization, - (char *) sip->sip_request->rq_method_name, tech_pvt->key, strlen(tech_pvt->key), network_ip, NULL, 0); + (char *) sip->sip_request->rq_method_name, tech_pvt->key, strlen(tech_pvt->key), network_ip, NULL, 0, REG_INVITE, NULL); } if (auth_res != AUTH_OK) { @@ -1057,6 +1057,10 @@ switch_status_t config_sofia(int reload, char *profile_name) if (switch_true(val)) { profile->pflags |= PFLAG_FULL_ID; } + } else if (!strcasecmp(var, "inbound-reg-force-matching-username")) { + if (switch_true(val)) { + profile->pflags |= PFLAG_CHECKUSER; + } } else if (!strcasecmp(var, "bitpacking")) { if (!strcasecmp(val, "aal2")) { profile->codec_flags = SWITCH_CODEC_FLAG_AAL2; diff --git a/src/mod/endpoints/mod_sofia/sofia_reg.c b/src/mod/endpoints/mod_sofia/sofia_reg.c index c4970b1e15..b407b77e1c 100644 --- a/src/mod/endpoints/mod_sofia/sofia_reg.c +++ b/src/mod/endpoints/mod_sofia/sofia_reg.c @@ -28,6 +28,7 @@ * Paul D. Tinsley * Bret McDanel * Marcel Barbulescu + * David Knell <> * * * sofia_ref.c -- SOFIA SIP Endpoint (registration code) @@ -344,6 +345,7 @@ uint8_t sofia_reg_handle_register(nua_t * nua, sofia_profile_t *profile, nua_han int network_port; int cd = 0; const char *call_id = NULL; + char *force_user; /* all callers must confirm that sip, sip->sip_request and sip->sip_contact are not NULL */ switch_assert(sip != NULL && sip->sip_contact != NULL && sip->sip_request != NULL); @@ -410,7 +412,7 @@ uint8_t sofia_reg_handle_register(nua_t * nua, sofia_profile_t *profile, nua_han if (authorization) { char *v_contact_str; - if ((auth_res = sofia_reg_parse_auth(profile, authorization, sip->sip_request->rq_method_name, key, keylen, network_ip, v_event, exptime)) + if ((auth_res = sofia_reg_parse_auth(profile, authorization, sip->sip_request->rq_method_name, key, keylen, network_ip, v_event, exptime, regtype, to_user)) == AUTH_STALE) { stale = 1; } @@ -419,6 +421,14 @@ uint8_t sofia_reg_handle_register(nua_t * nua, sofia_profile_t *profile, nua_han char *exp_var; register_gateway = switch_event_get_header(*v_event, "sip-register-gateway"); + + /* Allow us to force the SIP user to be something specific - needed if + * we - for example - want to be able to ensure that the username a UA can + * be contacted at is the same one that they used for authentication. + */ + if ((force_user = switch_event_get_header(*v_event, "sip-force-user"))) { + to_user = force_user; + } if ((v_contact_str = switch_event_get_header(*v_event, "sip-force-contact"))) { if (!strcasecmp(v_contact_str, "nat-connectile-dysfunction") || !strcasecmp(v_contact_str, "NDLB-connectile-dysfunction")) { @@ -742,8 +752,8 @@ void sofia_reg_handle_sip_r_challenge(int status, } -auth_res_t sofia_reg_parse_auth(sofia_profile_t *profile, sip_authorization_t const *authorization, - const char *regstr, char *np, size_t nplen, char *ip, switch_event_t **v_event, long exptime) +auth_res_t sofia_reg_parse_auth(sofia_profile_t *profile, sip_authorization_t const *authorization, const char *regstr, + char *np, size_t nplen, char *ip, switch_event_t **v_event, long exptime, sofia_regtype_t regtype, const char *to_user) { int indexnum; const char *cur; @@ -815,6 +825,15 @@ auth_res_t sofia_reg_parse_auth(sofia_profile_t *profile, sip_authorization_t co switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_ERROR, "Invalid Authorization header!\n"); goto end; } + + /* Optional check that auth name == SIP username */ + if ((regtype == REG_REGISTER) && (profile->pflags & PFLAG_CHECKUSER)) { + if (switch_strlen_zero(username) || switch_strlen_zero(to_user) || strcasecmp(to_user, username)) { + /* Names don't match, so fail */ + switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_DEBUG, "SIP username %s does not match auth username\n", switch_str_nil(to_user)); + goto end; + } + } if (switch_strlen_zero(np)) { first = 1; @@ -1093,3 +1112,4 @@ switch_status_t sofia_reg_add_gateway(char *key, sofia_gateway_t *gateway) +