Contributed Logic: opensips/modules/uac/auth.c@8ec65b8f6e2c (annotated)

opensips/modules/uac/auth.c@8ec65b8f6e2c (annotated)

opensips/modules/uac/auth.c

Wed, 10 Feb 2010 21:25:01 +0100

author: Michael Schloh von Bennewitz <michael@schloh.com>
date: Wed, 10 Feb 2010 21:25:01 +0100
changeset 18: 8ec65b8f6e2c
parent 16: c5c55937e44c
permissions: -rw-r--r--

Extend uac_auth() of the UAC module to workaround CSEQ problems.
This logic is meant to complement that of changeset 17, which
added rich authentication credentials to the gw table and its
associated logic in the LCR module.

 /*
  * $Id: auth.c 5901 2009-07-21 07:45:05Z bogdan_iancu $
  *
  * Copyright (C) 2005 Voice Sistem SRL
  *
  * This file is part of opensips, a free SIP server.
  *
  * UAC OpenSIPS-module is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
  * as published by the Free Software Foundation; either version 2
  * of the License, or (at your option) any later version.
  *
  * UAC OpenSIPS-module is distributed in the hope that it will be useful,
  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  * GNU General Public License for more details.
  *
  * You should have received a copy of the GNU General Public License
  * along with this program; if not, write to the Free Software
  * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
  *
  *
  * History:
  * ---------
  *  2005-01-31  first version (ramona)
  *  2006-03-02  UAC authentication looks first in AVPs for credential (bogdan)
  *  2010-01-18  UAC replaces proxy-auth entries with new credentials (msvb)
  */
 #include <ctype.h>
 #include <string.h>
 #include "../../str.h"
 #include "../../dprint.h"
 #include "../../pvar.h"
 #include "../../data_lump.h"
 #include "../../mem/mem.h"
 #include "../tm/tm_load.h"
 #include "auth.h"
 #include "auth_alg.h"
 #include "auth_hdr.h"
 extern struct tm_binds uac_tmb;
 extern pv_spec_t auth_username_spec;
 extern pv_spec_t auth_realm_spec;
 extern pv_spec_t auth_password_spec;
 static struct uac_credential *crd_list = 0;
 #define  duplicate_str(_strd, _strs, _error) \
 	do { \
 		_strd.s = (char*)pkg_malloc(_strs.len); \
 		if (_strd.s==0) \
 		{ \
 			LM_ERR("no more pkg memory\n");\
 			goto _error; \
 		} \
 		memcpy( _strd.s, _strs.s, _strs.len); \
 		_strd.len = _strs.len; \
 	}while(0)
 #define WWW_AUTH_CODE       401
 #define WWW_AUTH_HDR        "WWW-Authenticate"
 #define WWW_AUTH_HDR_LEN    (sizeof(WWW_AUTH_HDR)-1)
 #define PROXY_AUTH_CODE     407
 #define PROXY_AUTH_HDR      "Proxy-Authenticate"
 #define PROXY_AUTH_HDR_LEN  (sizeof(PROXY_AUTH_HDR)-1)
 static str nc = {"00000001", 8};
 static str cnonce = {"o", 1};
 int has_credentials(void)
 {
 	return (crd_list!=0)?1:0;
 }
 void free_credential(struct uac_credential *crd)
 {
 	if (crd)
 	{
 		if (crd->realm.s)
 			pkg_free(crd->realm.s);
 		if (crd->user.s)
 			pkg_free(crd->user.s);
 		if (crd->passwd.s)
 			pkg_free(crd->passwd.s);
 		pkg_free(crd);
 	}
 }
 int add_credential( unsigned int type, void *val)
 {
 	struct uac_credential *crd;
 	char *p;
 	str foo;
 	p = (char*)val;
 	crd = 0;
 	if (p==0 || *p==0)
 		goto error;
 	crd = (struct uac_credential*)pkg_malloc(sizeof(struct uac_credential));
 	if (crd==0)
 	{
 		LM_ERR("no more pkg mem\n");
 		goto error;
 	}
 	memset( crd, 0, sizeof(struct uac_credential));
 	/*parse the user */
 	while (*p && isspace((int)*p)) p++;
 	foo.s = p;
 	while (*p && *p!=':' && !isspace((int)*p)) p++;
 	if (foo.s==p || *p==0)
 		/* missing or empty user */
 		goto parse_error;
 	foo.len = p - foo.s;
 	/* dulicate it */
 	duplicate_str( crd->user, foo, error);
 	/* parse the ':' separator */
 	while (*p && isspace((int)*p)) p++;
 	if (*p!=':')
 		goto parse_error;
 	p++;
 	while (*p && isspace((int)*p)) p++;
 	if (*p==0)
 		goto parse_error;
 	/*parse the realm */
 	while (*p && isspace((int)*p)) p++;
 	foo.s = p;
 	while (*p && *p!=':' && !isspace((int)*p)) p++;
 	if (foo.s==p || *p==0)
 		/* missing or empty realm */
 		goto parse_error;
 	foo.len = p - foo.s;
 	/* dulicate it */
 	duplicate_str( crd->realm, foo, error);
 	/* parse the ':' separator */
 	while (*p && isspace((int)*p)) p++;
 	if (*p!=':')
 		goto parse_error;
 	p++;
 	while (*p && isspace((int)*p)) p++;
 	if (*p==0)
 		goto parse_error;
 	/*parse the passwd */
 	while (*p && isspace((int)*p)) p++;
 	foo.s = p;
 	while (*p && !isspace((int)*p)) p++;
 	if (foo.s==p)
 		/* missing or empty passwd */
 		goto parse_error;
 	foo.len = p - foo.s;
 	/* dulicate it */
 	duplicate_str( crd->passwd, foo, error);
 	/* end of string */
 	while (*p && isspace((int)*p)) p++;
 	if (*p!=0)
 		goto parse_error;
 	/* link the new cred struct */
 	crd->next = crd_list;
 	crd_list = crd;
 	pkg_free(val);
 	return 0;
 parse_error:
 		LM_ERR("parse error in <%s> "
 		"around %ld\n", (char*)val, (long)(p-(char*)val));
 error:
 	if (crd)
 		free_credential(crd);
 	return -1;
 }
 void destroy_credentials(void)
 {
 	struct uac_credential *foo;
 	while (crd_list)
 	{
 		foo = crd_list;
 		crd_list = crd_list->next;
 		free_credential(foo);
 	}
 	crd_list = 0;
 }
 static inline struct hdr_field *get_autenticate_hdr(struct sip_msg *rpl,
 																int rpl_code)
 {
 	struct hdr_field *hdr;
 	str hdr_name;
 	/* what hdr should we look for */
 	if (rpl_code==WWW_AUTH_CODE)
 	{
 		hdr_name.s = WWW_AUTH_HDR;
 		hdr_name.len = WWW_AUTH_HDR_LEN;
 	} else if (rpl_code==PROXY_AUTH_CODE) {
 		hdr_name.s = PROXY_AUTH_HDR;
 		hdr_name.len = PROXY_AUTH_HDR_LEN;
 	} else {
 		LM_ERR("reply is not an "
 			"auth request\n");
 		goto error;
 	}
 	LM_DBG("looking for header \"%.*s\"\n",
 		hdr_name.len, hdr_name.s);
 	/* search the auth hdr, but first parse them all */
 	if (parse_headers( rpl, HDR_EOH_F, 0)<0)
 	{
 		LM_ERR("failed to parse reply\n");
 		goto error;
 	}
 	hdr = get_header_by_name( rpl , hdr_name.s, hdr_name.len);
 	if (hdr)
 		return hdr;
 	LM_ERR("reply has no "
 		"auth hdr (%.*s)\n", hdr_name.len, hdr_name.s);
 error:
 	return 0;
 }
 static inline struct uac_credential *lookup_realm( str *realm)
 {
 	struct uac_credential *crd;
 	for( crd=crd_list ; crd ; crd=crd->next )
 		if (realm->len==crd->realm.len &&
 		strncmp( realm->s, crd->realm.s, realm->len)==0 )
 			return crd;
 	return 0;
 }
 static inline struct uac_credential *get_avp_credential(struct sip_msg *msg,
 																str *realm)
 {
 	static struct uac_credential crd;
 	pv_value_t pv_val;
 	if(pv_get_spec_value( msg, &auth_realm_spec, &pv_val)!=0
 	|| pv_val.flags&PV_VAL_NULL || pv_val.rs.len<=0)
 		return 0;
 	crd.realm = pv_val.rs;
 	/* is it the domain we are looking for? */
 	if (realm->len!=crd.realm.len ||
 	strncmp( realm->s, crd.realm.s, realm->len)!=0 )
 		return 0;
 	/* get username and password */
 	if(pv_get_spec_value( msg, &auth_username_spec, &pv_val)!=0
 	|| pv_val.flags&PV_VAL_NULL || pv_val.rs.len<=0)
 		return 0;
 	crd.user = pv_val.rs;
 	if(pv_get_spec_value( msg, &auth_password_spec, &pv_val)!=0
 	|| pv_val.flags&PV_VAL_NULL || pv_val.rs.len<=0)
 		return 0;
 	crd.passwd = pv_val.rs;
 	return &crd;
 }
 static inline void do_uac_auth(struct sip_msg *req, str *uri,
 		struct uac_credential *crd, struct authenticate_body *auth,
 		HASHHEX response)
 {
 	HASHHEX ha1;
 	HASHHEX ha2;
 	if((auth->flags&QOP_AUTH) || (auth->flags&QOP_AUTH_INT))
 	{
 		/* if qop generate nonce-count and cnonce */
 		cnonce.s = int2str(core_hash(&auth->nonce, 0, 0),&cnonce.len);
 		/* do authentication */
 		uac_calc_HA1( crd, auth, &cnonce, ha1);
 		uac_calc_HA2( &req->first_line.u.request.method, uri,
 			auth, 0/*hentity*/, ha2 );
 		uac_calc_response( ha1, ha2, auth, &nc, &cnonce, response);
 		auth->nc = &nc;
 		auth->cnonce = &cnonce;
 	} else {
 		/* do authentication */
 		uac_calc_HA1( crd, auth, 0/*cnonce*/, ha1);
 		uac_calc_HA2( &req->first_line.u.request.method, uri,
 			auth, 0/*hentity*/, ha2 );
 		uac_calc_response( ha1, ha2, auth, 0/*nc*/, 0/*cnonce*/, response);
 	}
 }
 static inline int apply_urihdr_changes( struct sip_msg *req,
 													str *uri, str *hdr)
 {
 	struct lump* anchor;
 	/* add the uri - move it to branch directly FIXME (bogdan)*/
 	if (req->new_uri.s)
 	{
 		pkg_free(req->new_uri.s);
 		req->new_uri.len=0;
 	}
 	req->parsed_uri_ok=0;
 	req->new_uri.s = (char*)pkg_malloc(uri->len+1);
 	if (req->new_uri.s==0)
 	{
 		LM_ERR("no more pkg\n");
 		goto error;
 	}
 	memcpy( req->new_uri.s, uri->s, uri->len);
 	req->new_uri.s[uri->len]=0;
 	req->new_uri.len=uri->len;
 	/* add the header */
 	if (parse_headers(req, HDR_EOH_F, 0) == -1)
 	{
 		LM_ERR("failed to parse message\n");
 		goto error;
 	}
 	anchor = anchor_lump(req, req->unparsed - req->buf, 0, 0);
 	if (anchor==0)
 	{
 		LM_ERR("failed to get anchor\n");
 		goto error;
 	}
 	if (insert_new_lump_before(anchor, hdr->s, hdr->len, 0) == 0)
 	{
 		LM_ERR("faield to insert lump\n");
 		goto error;
 	}
 	return 0;
 error:
 	pkg_free( hdr->s );
 	return -1;
 }
 int uac_auth( struct sip_msg *msg)
 {
 	static struct authenticate_body auth;
 	struct uac_credential *crd;
 	int code, branch;
 	struct sip_msg *rpl;
 	struct cell *t;
 	struct hdr_field *hdr;
 	HASHHEX response;
 	str *new_hdr;
 	/* pretransact */
 	int nret = 0;
 	pv_value_t pv_val;
 	str *newuri = 0;
 	struct uac_credential *tst = 0;
 	struct hdr_field *tmp_hdr = 0;
 	struct hdr_field *del_hdr = 0;
 	/* Goes something like this...                          */
 	/* HA1 = echo -n 'username:realm:password' | md5sum     */
 	/*       echo -n 'itsme:mydom.com:stupidpass' | md5sum  */
 	/* HA2 = echo -n 'message:uri' | md5sum                 */
 	/*       echo -n 'INVITE:sip:danc@ing.fool.es' | md5sum */
 	/* Response = echo -n 'HA1:nonce:HA2' | md5sum          */
 	/* get transaction */
 	t = uac_tmb.t_gett();
 	if (t==T_UNDEFINED || t==T_NULL_CELL) {
 		/* begin without any transaction */
 		/* set relevant structure variables */
 		crd = 0;
 		crd = pkg_malloc(sizeof(struct uac_credential));
 		if (!crd) {
 			LM_ERR("no more pkg memory\n");
 			goto error;
 		}
 		/* set the realm from existing UAC message */
 		tmp_hdr = msg->proxy_auth;
 		del_hdr = 0;
 		while (tmp_hdr) {
 			crd->realm.s = strchr(strstr(tmp_hdr->body.s, "realm="), '"') + 1;
 			crd->realm.len = strchr(crd->realm.s, '"') - crd->realm.s;
 			if(pv_get_spec_value(msg, &auth_realm_spec, &pv_val)==0 \
 				&& pv_val.rs.len>0) /* ensure realm is the desired one */
 				if (strncmp(crd->realm.s, pv_val.rs.s, crd->realm.len)==0)
 					del_hdr = tmp_hdr;
 			tmp_hdr = tmp_hdr->sibling;
 		}
 		if (del_hdr)
 			crd->realm = pv_val.rs;	/* success */
 		else
 			nret++;					/* failure */
 		/* set username from new AVP proxy values */
 		if(pv_get_spec_value(msg, &auth_username_spec, &pv_val)!=0 \
 			|| pv_val.flags&PV_VAL_NULL || pv_val.rs.len<=0)
 			nret++; /* signal failure with nonzero value */
 		else
 			crd->user = pv_val.rs;
 		/* set password from new AVP proxy values */
 		if(pv_get_spec_value(msg, &auth_password_spec, &pv_val)!=0 \
 			|| pv_val.flags&PV_VAL_NULL || pv_val.rs.len<=0)
 			nret++; /* signal failure with nonzero value */
 		else
 			crd->passwd = pv_val.rs;
 		if (nret) { /* if not found, look into predefined credentials */
 			tst = lookup_realm(&crd->realm);
 			if (tst==0) { /* found? */
 				LM_DBG("no credential for realm \"%.*s\"\n", \
 					crd->realm.len, crd->realm.s);
 				pkg_free(crd);
 				goto error;
 			}
 			crd = tst; /* use predefined credentials */
 			/* set the realm from existing UAC message */
 			tmp_hdr = msg->proxy_auth;
 			del_hdr = 0;
 			while (tmp_hdr) {
 				if(pv_get_spec_value(msg, &auth_realm_spec, &pv_val)==0 \
 					&& pv_val.rs.len>0) /* ensure realm is the desired one */
 					if (strncmp(crd->realm.s, pv_val.rs.s, crd->realm.len)==0)
 						del_hdr = tmp_hdr;
 				tmp_hdr = tmp_hdr->sibling;
 			}
 			if (del_hdr == 0) { /* proxy-auth header matching realm not found */
 				LM_DBG("no credential for realm \"%.*s\"\n", \
 					crd->realm.len, crd->realm.s);
 				pkg_free(crd);
 				goto error;
 			}
 		}
 		/* set the uri from existing UAC message */
 		newuri = pkg_malloc(sizeof(str));
 		if (!newuri) {
 			LM_ERR("no more pkg memory\n");
 			goto error;
 		}
 		newuri->s = pkg_malloc(msg->new_uri.len);
 		if (!newuri->s) {
 			LM_ERR("no more pkg memory\n");
 			pkg_free(newuri);
 			goto error;
 		}
 		newuri->len = msg->new_uri.len;
 		strncpy(newuri->s, msg->new_uri.s, msg->new_uri.len);
 		if (!newuri->s) {
 			LM_DBG("failed to retrieve URI from UAC message\n");
 			pkg_free(newuri->s);
 			pkg_free(newuri);
 			goto error;
 		}
 		/* set the nonce from existing UAC message */
 		tmp_hdr = msg->proxy_auth;
 		auth.nonce.len = 0;
 		auth.nonce.s = 0;
 		while (tmp_hdr) {
 			if(pv_get_spec_value(msg, &auth_realm_spec, &pv_val)==0 \
 				&& pv_val.rs.len>0) /* ensure realm is the desired one */
 				if (strncmp(crd->realm.s, pv_val.rs.s, crd->realm.len)==0) {
 					auth.nonce.s = strchr(strstr(tmp_hdr->body.s, "nonce="), '"') + 1;
 					auth.nonce.len = strchr(auth.nonce.s, '"') - auth.nonce.s;
 				}
 			tmp_hdr = tmp_hdr->sibling;
 		}
 		if (auth.nonce.s == 0) {
 			LM_DBG("failed to retrieve nonce from UAC message\n");
 			pkg_free(crd);
 			goto error;
 		}
 		/* do authentication */
 		do_uac_auth(msg, newuri, crd, &auth, response);
 		if (response==0) {
 			LM_ERR("failed to calculate challenge response\n");
 			pkg_free(crd);
 			goto error;
 		}
 		/* build the authorization header */
 		new_hdr = build_authorization_hdr(407, newuri, crd, &auth, response);
 		if (new_hdr==0) {
 			LM_ERR("failed to build authorization hdr\n");
 			pkg_free(crd);
 			goto error;
 		}
 		/* remove the old proxy-auth header and relink message index    */
 		/* before updating the authorization credentials of the message */
 		if (del_hdr) { /* updated a record and must remove the old one  */
 			if (del_lump(msg, del_hdr->name.s - msg->buf, del_hdr->len, 0)==0) {
 				LM_ERR("can't remove credentials\n");
 				pkg_free(crd);
 				goto error;
 			}
 		}
 		/* so far, so good -> add the header and set the proper RURI */
 		if (apply_urihdr_changes(msg, newuri, new_hdr)<0)
 		{
 			LM_ERR("failed to apply changes\n");
 			pkg_free(crd);
 			goto error;
 		}
 		pkg_free(crd); /* finished calculating new response string, success */
 		return 0;
 	} /* if (t==T_UNDEFINED || t==T_NULL_CELL) */
 	/* begin with transaction reply */
 	/* get the selected branch */
 	branch = uac_tmb.t_get_picked();
 	if (branch<0) {
 		LM_CRIT("no picked branch (%d)\n",branch);
 		goto error;
 	}
 	rpl = t->uac[branch].reply;
 	code = t->uac[branch].last_received;
 	LM_DBG("picked reply is %p, code %d\n",rpl,code);
 	if (rpl==0)
 	{
 		LM_CRIT("empty reply on picked branch\n");
 		goto error;
 	}
 	if (rpl==FAKED_REPLY)
 	{
 		LM_ERR("cannot process a FAKED reply\n");
 		goto error;
 	}
 	hdr = get_autenticate_hdr( rpl, code);
 	if (hdr==0)
 	{
 		LM_ERR("failed to extract authenticate hdr\n");
 		goto error;
 	}
 	LM_DBG("header found; body=<%.*s>\n",
 		hdr->body.len, hdr->body.s);
 	if (parse_authenticate_body( &hdr->body, &auth)<0)
 	{
 		LM_ERR("failed to parse auth hdr body\n");
 		goto error;
 	}
 	/* can we authenticate this realm? */
 	crd = 0;
 	/* first look into AVP, if set */
 	if ( auth_realm_spec.type==PVT_AVP )
 		crd = get_avp_credential( msg, &auth.realm );
 	/* if not found, look into predefined credentials */
 	if (crd==0)
 		crd = lookup_realm( &auth.realm );
 	/* found? */
 	if (crd==0)
 	{
 		LM_DBG("no credential for realm \"%.*s\"\n",
 			auth.realm.len, auth.realm.s);
 		goto error;
 	}
 	/* do authentication */
 	do_uac_auth( msg, &t->uac[branch].uri, crd, &auth, response);
 	/* build the authorization header */
 	new_hdr = build_authorization_hdr( code, &t->uac[branch].uri,
 		crd, &auth, response);
 	if (new_hdr==0)
 	{
 		LM_ERR("failed to build authorization hdr\n");
 		goto error;
 	}
 	/* so far, so good -> add the header and set the proper RURI */
 	if ( apply_urihdr_changes( msg, &t->uac[branch].uri, new_hdr)<0 )
 	{
 		LM_ERR("failed to apply changes\n");
 		goto error;
 	}
 	/* increas the Cseq nr */
 	return 0;
 error:
 	return -1;
 }

Contributed Logic / annotate

opensips/modules/uac/auth.c@8ec65b8f6e2c (annotated)

opensips/modules/uac/auth.c