2 * Digest Authentication Module
4 * Copyright (C) 2001-2003 FhG Fokus
6 * This file is part of Kamailio, a free SIP server.
8 * Kamailio is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version
13 * Kamailio is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
28 #include "../../core/sr_module.h"
29 #include "../../core/dprint.h"
30 #include "../../core/mem/mem.h"
31 #include "../../core/parser/digest/digest.h"
32 #include "../../core/parser/parse_from.h"
33 #include "../../core/parser/parse_to.h"
34 #include "../../core/parser/parse_uri.h"
35 #include "../../core/data_lump.h"
36 #include "../../core/data_lump_rpl.h"
37 #include "../../core/error.h"
38 #include "../../core/ut.h"
39 #include "../../core/pvapi.h"
40 #include "../../core/lvalue.h"
41 #include "../../core/mod_fix.h"
42 #include "../../core/kemi.h"
43 #include "../../core/rand/kam_rand.h"
44 #include "../../modules/sl/sl.h"
46 #include "challenge.h"
52 #include "rfc2617_sha256.h"
/* Byte length of each auto-generated nonce secret (see generate_random_secret()). */
56 #define RAND_SECRET_LEN 32
60 * Module destroy function prototype
62 static void destroy(void);
65 * Module initialization function prototype
67 static int mod_init(void);
70 * Remove used credentials from a SIP message header
72 int w_consume_credentials(struct sip_msg* msg, char* s1, char* s2);
74 * Check for credentials with given realm
76 int w_has_credentials(struct sip_msg* msg, char* s1, char* s2);
/*
 * Script-facing wrappers. Their char* parameters are fixup'ed values
 * (fparam_t / pv_spec_t) produced by the fixup_* functions declared next to
 * them, not raw strings.
 */
78 static int pv_proxy_authenticate(struct sip_msg* msg, char* realm,
79 char *passwd, char *flags);
80 static int pv_www_authenticate(struct sip_msg* msg, char* realm,
81 char *passwd, char *flags);
82 static int pv_www_authenticate2(struct sip_msg* msg, char* realm,
83 char *passwd, char *flags, char *method);
84 static int fixup_pv_auth(void **param, int param_no);
85 static int w_pv_auth_check(sip_msg_t *msg, char *realm,
86 char *passwd, char *flags, char *checks);
87 static int fixup_pv_auth_check(void **param, int param_no);
/* Challenge senders: reply with 407 (proxy) or 401 (www) carrying a digest challenge. */
89 static int proxy_challenge(struct sip_msg *msg, char* realm, char *flags);
90 static int www_challenge(struct sip_msg *msg, char* realm, char *flags);
91 static int w_auth_challenge(struct sip_msg *msg, char* realm, char *flags);
92 static int fixup_auth_challenge(void **param, int param_no);
/* Builds a WWW-Authenticate header into a writable pvar instead of sending it. */
94 static int w_auth_get_www_authenticate(sip_msg_t* msg, char* realm,
95 char *flags, char *dst);
96 static int fixup_auth_get_www_authenticate(void **param, int param_no);
99 * Module parameter variables
/*
 * Module parameter storage. These are bound to the "params" table below and
 * read once by mod_init(); a NULL sec_param triggers generate_random_secret().
 */
101 char* sec_param = 0; /* If the parameter was not used, the secret phrase will be auto-generated */
102 int nonce_expire = 300; /* Nonce lifetime */
103 /*int auth_extra_checks = 0; -- in nonce.c */
104 int protect_contacts = 0; /* Do not include contacts in nonce by default */
105 int force_stateless_reply = 0; /* Always send reply statelessly */
107 /*! Prefix to strip from realm */
108 str auth_realm_prefix = {"", 0};
/* When non-zero, pv_auth_check() also compares the host part of From/To/R-URI. */
110 static int auth_use_domain = 0;
/* Name of the variable that receives the challenge header; must start with '$' (checked in mod_init). */
117 str challenge_attr = STR_STATIC_INIT("$digest_challenge");
118 avp_ident_t challenge_avpid;
120 str proxy_challenge_header = STR_STATIC_INIT("Proxy-Authenticate");
121 str www_challenge_header = STR_STATIC_INIT("WWW-Authenticate");
/* qop configured by the "qop" parameter; parsed by parse_qop() in mod_init(). */
123 struct qp auth_qop = {
124 STR_STATIC_INIT("auth"),
/* Fixed qop variants selected at runtime by the AUTH flags (see pv_authenticate / auth_challenge_helper). */
128 static struct qp auth_qauth = {
129 STR_STATIC_INIT("auth"),
133 static struct qp auth_qauthint = {
134 STR_STATIC_INIT("auth-int"),
138 /* Hash algorithm used for digest authentication, MD5 if empty */
139 str auth_algorithm = {"", 0};
141 int add_authinfo_hdr = 0; /* should an Authentication-Info header be added on 200 OK responses? */
/* Function pointer selected in mod_init() according to auth_algorithm (MD5 or SHA-256). */
144 calc_response_t calc_response;
147 /*! SL API structure */
/*
 * Exported script functions. All entries are restricted to REQUEST_ROUTE;
 * "pv_www_authorize"/"pv_proxy_authorize" are kept as aliases of the
 * *_authenticate functions (same cmd_function). The "consume_credentials"
 * entry's fixup/flags fields are not visible in this listing.
 */
153 static cmd_export_t cmds[] = {
154 {"consume_credentials", w_consume_credentials, 0,
156 {"www_challenge", (cmd_function)www_challenge, 2,
157 fixup_auth_challenge, REQUEST_ROUTE},
158 {"proxy_challenge", (cmd_function)proxy_challenge, 2,
159 fixup_auth_challenge, REQUEST_ROUTE},
160 {"auth_challenge", (cmd_function)w_auth_challenge, 2,
161 fixup_auth_challenge, REQUEST_ROUTE},
162 {"pv_www_authorize", (cmd_function)pv_www_authenticate, 3,
163 fixup_pv_auth, REQUEST_ROUTE},
164 {"pv_www_authenticate", (cmd_function)pv_www_authenticate, 3,
165 fixup_pv_auth, REQUEST_ROUTE},
/* 4-parameter overload: the method to verify is taken from the script instead of the request line. */
166 {"pv_www_authenticate", (cmd_function)pv_www_authenticate2, 4,
167 fixup_pv_auth, REQUEST_ROUTE},
168 {"pv_proxy_authorize", (cmd_function)pv_proxy_authenticate, 3,
169 fixup_pv_auth, REQUEST_ROUTE},
170 {"pv_proxy_authenticate", (cmd_function)pv_proxy_authenticate, 3,
171 fixup_pv_auth, REQUEST_ROUTE},
172 {"auth_get_www_authenticate", (cmd_function)w_auth_get_www_authenticate, 3,
173 fixup_auth_get_www_authenticate, REQUEST_ROUTE},
174 {"has_credentials", w_has_credentials, 1,
175 fixup_spve_null, REQUEST_ROUTE},
176 {"pv_auth_check", (cmd_function)w_pv_auth_check, 4,
177 fixup_pv_auth_check, REQUEST_ROUTE},
/* Binding entry for other modules (not callable from script: no route flags). */
178 {"bind_auth_s", (cmd_function)bind_auth_s, 0, 0, 0 },
184 * Exported parameters
/*
 * Exported module parameters. Several targets (nonce_auth_max_drift,
 * auth_checks_*, nc_*, otn_*, nid_pool_no) live in other files of the module.
 */
186 static param_export_t params[] = {
187 {"secret", PARAM_STRING, &sec_param },
188 {"nonce_expire", PARAM_INT, &nonce_expire },
189 {"nonce_auth_max_drift", PARAM_INT, &nonce_auth_max_drift },
190 {"protect_contacts", PARAM_INT, &protect_contacts },
191 {"challenge_attr", PARAM_STR, &challenge_attr },
192 {"proxy_challenge_header", PARAM_STR, &proxy_challenge_header},
193 {"www_challenge_header", PARAM_STR, &www_challenge_header },
/* Only the raw string is set here; parse_qop() in mod_init() fills auth_qop.qop_parsed. */
194 {"qop", PARAM_STR, &auth_qop.qop_str },
195 {"auth_checks_register", PARAM_INT, &auth_checks_reg },
196 {"auth_checks_no_dlg", PARAM_INT, &auth_checks_ood },
197 {"auth_checks_in_dlg", PARAM_INT, &auth_checks_ind },
198 {"nonce_count" , PARAM_INT, &nc_enabled },
199 {"nc_array_size", PARAM_INT, &nc_array_size },
200 {"nc_array_order", PARAM_INT, &nc_array_k },
201 {"one_time_nonce" , PARAM_INT, &otn_enabled },
202 {"otn_in_flight_no", PARAM_INT, &otn_in_flight_no },
203 {"otn_in_flight_order", PARAM_INT, &otn_in_flight_k },
204 {"nid_pool_no", PARAM_INT, &nid_pool_no },
205 {"force_stateless_reply", PARAM_INT, &force_stateless_reply },
/* Only the .s pointer is bound; mod_init() computes auth_realm_prefix.len with strlen(). */
206 {"realm_prefix", PARAM_STRING, &auth_realm_prefix.s },
207 {"use_domain", PARAM_INT, &auth_use_domain },
208 {"algorithm", PARAM_STR, &auth_algorithm },
/* NOTE(review): spelled INT_PARAM here while every other integer uses PARAM_INT — presumably the same flag under an alternate name; confirm. */
209 {"add_authinfo_hdr", INT_PARAM, &add_authinfo_hdr },
/* Module interface record; the name/cmds/params fields precede the visible lines. */
217 struct module_exports exports = {
222 mod_init, /* module initialization function */
223 0, /* response function */
224 destroy, /* destroy function */
225 0, /* oncancel function */
226 0 /* child initialization function */
231 * Secret parameter was not used so we generate
232 * a random value here
/*
 * Allocate two RAND_SECRET_LEN-byte buffers from pkg memory and fill them with
 * printable ASCII (32..126) drawn from kam_rand(), publishing them as
 * secret1/secret2. The buffers are not NUL-terminated; consumers use .len.
 * The declarations of sec_rand1/sec_rand2/i and the return statements are not
 * visible in this listing.
 * NOTE(review): kam_rand() is the core's general-purpose PRNG (seeded by the
 * core per the comment below); confirm it is unpredictable enough for a secret
 * that protects nonce integrity, otherwise derive the secret from a
 * cryptographic source.
 */
234 static inline int generate_random_secret(void)
238 sec_rand1 = (char*)pkg_malloc(RAND_SECRET_LEN);
239 sec_rand2 = (char*)pkg_malloc(RAND_SECRET_LEN);
/* Both allocations are checked together; destroy() frees whichever succeeded. */
240 if (!sec_rand1 || !sec_rand2) {
241 LM_ERR("No memory left\n");
249 /* srandom(time(0)); -- seeded by core */
/* Each draw is scaled to one of 95 printable characters: 32 + floor(95*r/(MAX+1)). */
251 for(i = 0; i < RAND_SECRET_LEN; i++) {
252 sec_rand1[i] = 32 + (int)(95.0 * kam_rand() / (KAM_RAND_MAX + 1.0));
255 secret1.s = sec_rand1;
256 secret1.len = RAND_SECRET_LEN;
258 for(i = 0; i < RAND_SECRET_LEN; i++) {
259 sec_rand2[i] = 32 + (int)(95.0 * kam_rand() / (KAM_RAND_MAX + 1.0));
262 secret2.s = sec_rand2;
263 secret2.len = RAND_SECRET_LEN;
265 /* DBG("Generated secret: '%.*s'\n", secret.len, secret.s); */
/*
 * Module initialization: binds the SL API, establishes the nonce secret(s),
 * validates challenge_attr, parses qop, sets up nonce-count / one-time-nonce
 * support where compiled in, and selects the MD5 or SHA-256 hash functions.
 * Error returns and several closing braces are not visible in this listing;
 * from the visible code every failure path logs and (presumably) returns < 0.
 */
271 static int mod_init(void)
275 DBG("auth module - initializing\n");
/* realm_prefix is bound as a plain C string; compute its length once here. */
277 auth_realm_prefix.len = strlen(auth_realm_prefix.s);
279 /* bind the SL API */
280 if (sl_load_api(&slb)!=0) {
281 LM_ERR("cannot bind to SL API\n");
285 /* If the parameter was not used */
286 if (sec_param == 0) {
287 /* Generate secret using random generator */
288 if (generate_random_secret() < 0) {
289 LM_ERR("Error while generating random secret\n");
293 /* Otherwise use the parameter's value */
294 secret1.s = sec_param;
295 secret1.len = strlen(secret1.s);
/*
 * With extra checks enabled a configured secret is split in two: secret2 is
 * the second half, secret1 keeps the first. Only a warning is issued when a
 * half is shorter than 16 bytes; a short secret weakens nonce protection.
 */
297 if (auth_checks_reg || auth_checks_ind || auth_checks_ood) {
298 /* divide the secret in half: one half for secret1 and one half for
300 secret2.len = secret1.len/2;
301 secret1.len -= secret2.len;
302 secret2.s = secret1.s + secret1.len;
303 if (secret2.len < 16) {
304 LM_WARN("consider a longer secret when extra auth checks are"
305 " enabled (the config secret is divided in 2!)\n");
/* challenge_attr must be a non-empty variable name starting with '$'. */
310 if ((!challenge_attr.s || challenge_attr.len == 0) ||
311 challenge_attr.s[0] != '$') {
312 LM_ERR("Invalid value of challenge_attr module parameter\n");
/* Strip the leading '$' before handing the name to the AVP parser. */
316 attr.s = challenge_attr.s + 1;
317 attr.len = challenge_attr.len - 1;
319 if (parse_avp_ident(&attr, &challenge_avpid) < 0) {
320 LM_ERR("Error while parsing value of challenge_attr module"
/* Parse the "qop" string; the case labels of this switch are elided in this listing. */
325 parse_qop(&auth_qop);
326 switch(auth_qop.qop_parsed){
328 LM_ERR("Unsupported qop parameter value\n");
334 LM_WARN("nounce count support enabled from config, but"
335 " disabled at compile time (recompile with -DUSE_NC)\n");
340 if (init_nonce_count()!=0)
346 LM_INFO("qop set, but nonce-count (nc_enabled) support"
353 LM_WARN("nonce-count support enabled, but qop not set\n");
/* One-time-nonce support needs the nonce-id pool initialised first. */
360 if (nid_crt==0) init_nonce_id();
361 if (init_ot_nonce()!=0)
364 LM_WARN("one-time-nonce support enabled from config, but "
365 "disabled at compile time (recompile with -DUSE_OT_NONCE)\n");
367 #endif /* USE_OT_NONCE */
/* Hash selection: empty or "MD5" -> MD5 (default); "SHA-256" -> SHA-256; anything else is rejected. */
370 if (auth_algorithm.len == 0 || strcmp(auth_algorithm.s, "MD5") == 0) {
371 hash_hex_len = HASHHEXLEN;
372 calc_HA1 = calc_HA1_md5;
373 calc_response = calc_response_md5;
375 else if (strcmp(auth_algorithm.s, "SHA-256") == 0) {
376 hash_hex_len = HASHHEXLEN_SHA256;
377 calc_HA1 = calc_HA1_sha256;
378 calc_response = calc_response_sha256;
381 LM_ERR("Invalid algorithm provided."
382 " Possible values are \"\", \"MD5\" or \"SHA-256\"\n");
/*
 * Module teardown: release the auto-generated secret buffers (NULL when a
 * configured secret was used) and the nonce-count state.
 */
390 static void destroy(void)
392 if (sec_rand1) pkg_free(sec_rand1);
393 if (sec_rand2) pkg_free(sec_rand2);
395 destroy_nonce_count();
400 #if defined USE_NC || defined USE_OT_NONCE
407 * Remove used credentials from a SIP message header
/*
 * Remove the credentials header that was used to authenticate this request,
 * so it is not forwarded downstream. Looks in Authorization first, then
 * Proxy-Authorization, for the header marked as authorized. The computation
 * of `len` and the return statements are not visible in this listing.
 */
409 int consume_credentials(struct sip_msg* msg)
414 /* skip requests that can't be authenticated */
415 if (msg->REQ_METHOD & (METHOD_ACK|METHOD_CANCEL|METHOD_PRACK))
417 get_authorized_cred(msg->authorization, &h);
419 get_authorized_cred(msg->proxy_auth, &h);
421 LM_ERR("No authorized credentials found (error in scripts)\n");
/* Delete the whole header in place, addressed by its offset into the message buffer. */
428 if (del_lump(msg, h->name.s - msg->buf, len, 0) == 0) {
429 LM_ERR("Can't remove credentials\n");
/* Script wrapper for consume_credentials(); s1/s2 are unused placeholders. */
439 int w_consume_credentials(struct sip_msg* msg, char* s1, char* s2)
441 return consume_credentials(msg);
/*
 * KEMI entry: report whether the request carries credentials for `srealm`,
 * checking Proxy-Authorization first, then Authorization. Return statements
 * are not visible in this listing.
 * NOTE(review): the two LM_DBG texts look swapped relative to the header type
 * searched (the HDR_PROXYAUTH_T lookup logs "www", the HDR_AUTHORIZATION_T
 * lookup logs "proxy"); harmless for behaviour but misleading when debugging.
 */
447 int ki_has_credentials(sip_msg_t *msg, str* srealm)
449 hdr_field_t *hdr = NULL;
452 ret = find_credentials(msg, srealm, HDR_PROXYAUTH_T, &hdr);
454 LM_DBG("found www credentials with realm [%.*s]\n", srealm->len, srealm->s);
457 ret = find_credentials(msg, srealm, HDR_AUTHORIZATION_T, &hdr);
459 LM_DBG("found proxy credentials with realm [%.*s]\n", srealm->len, srealm->s);
463 LM_DBG("no credentials with realm [%.*s]\n", srealm->len, srealm->s);
/*
 * Script wrapper: evaluate the realm pseudo-variable/string (gparam_t, set up
 * by fixup_spve_null) and delegate to ki_has_credentials(). s2 is unused.
 */
470 int w_has_credentials(sip_msg_t *msg, char* realm, char* s2)
474 if (fixup_get_svalue(msg, (gparam_t*)realm, &srealm) < 0) {
475 LM_ERR("failed to get realm value\n");
478 return ki_has_credentials(msg, &srealm);
481 * @brief do WWW-Digest authentication with password taken from cfg var
/*
 * Digest-authenticate the request against a password (or precomputed HA1)
 * supplied by the script.
 *
 * realm/passwd: values from the script; flags: AUTH_* bits controlling
 * whether passwd is plaintext or HA1, the qop variant and whether a challenge
 * header is stored in the challenge AVP; hftype: HDR_AUTHORIZATION_T or
 * HDR_PROXYAUTH_T; method: the method string used in the response hash.
 * Returns AUTH_OK (AUTHENTICATED) or one of the AUTH_* error codes.
 * The flag tests, several case labels and the final return are not visible
 * in this listing.
 */
483 int pv_authenticate(struct sip_msg *msg, str *realm, str *passwd,
484 int flags, int hftype, str *method)
/* Shared buffer for the HA1 hex string; sized for the largest supported hash. */
491 static char ha1[256];
492 struct qp *qop = NULL;
/* pre_auth() locates and validates the credentials header and nonce. */
497 switch(pre_auth(msg, realm, hftype, &h, NULL)) {
499 LM_DBG("nonce reused");
500 ret = AUTH_NONCE_REUSED;
503 LM_DBG("stale nonce\n");
504 ret = AUTH_STALE_NONCE;
507 LM_DBG("no credentials\n");
508 ret = AUTH_NO_CREDENTIALS;
511 case BAD_CREDENTIALS:
512 LM_DBG("error or bad credentials\n");
/* These two states are produced by other entry points and must not reach here. */
515 case CREATE_CHALLENGE:
516 LM_ERR("CREATE_CHALLENGE is not a valid state\n");
519 case DO_RESYNCHRONIZATION:
520 LM_ERR("DO_RESYNCHRONIZATION is not a valid state\n");
523 case NOT_AUTHENTICATED:
524 LM_DBG("not authenticated\n");
527 case DO_AUTHENTICATION:
534 cred = (auth_body_t*)h->parsed;
536 /* compute HA1 if needed */
538 /* Plaintext password is stored in PV, calculate HA1 */
539 calc_HA1(HA_MD5, &cred->digest.username.whole, realm,
541 LM_DBG("HA1 string calculated: %s\n", ha1);
/*
 * Else branch: passwd already holds the HA1 hex string and is copied verbatim.
 * NOTE(review): no check of passwd->len against sizeof(ha1) is visible in this
 * listing; confirm one exists before this memcpy, since the value comes from a
 * script variable.
 */
543 memcpy(ha1, passwd->s, passwd->len);
544 ha1[passwd->len] = '\0';
547 /* Recalculate response, it must be same to authorize successfully */
548 ret = auth_check_response(&(cred->digest), method, ha1);
549 if(ret==AUTHENTICATED) {
/* post_auth() applies the post-authentication nonce/auth-info handling. */
551 switch(post_auth(msg, h, ha1)) {
/* A response mismatch is reported to the script as a wrong password. */
559 if(ret==NOT_AUTHENTICATED)
560 ret = AUTH_INVALID_PASSWORD;
567 /* check if required to add challenge header as avp */
571 qop = &auth_qauthint;
/* stale is taken from the parsed credentials when present; algorithm only when configured. */
575 if (get_challenge_hf(msg, (cred ? cred->stale : 0),
576 realm, NULL, (auth_algorithm.len ? &auth_algorithm : NULL), qop, hftype, &hf) < 0) {
577 LM_ERR("Error while creating challenge\n");
581 if(add_avp(challenge_avpid.flags | AVP_VAL_STR,
582 challenge_avpid.name, val) < 0) {
583 LM_ERR("Error while creating attribute with challenge\n");
/*
 * Script wrapper: evaluate realm, passwd and flags (fparam_t) and run
 * pv_authenticate() against the Proxy-Authorization header, using the
 * request-line method. Empty realm/passwd are rejected (emptiness tests are
 * elided in this listing).
 */
596 static int pv_proxy_authenticate(struct sip_msg *msg, char* realm,
597 char *passwd, char *flags)
601 str spasswd = {0, 0};
603 if (get_str_fparam(&srealm, msg, (fparam_t*)realm) < 0) {
604 LM_ERR("failed to get realm value\n");
609 LM_ERR("invalid realm value - empty content\n");
613 if (get_str_fparam(&spasswd, msg, (fparam_t*)passwd) < 0) {
614 LM_ERR("failed to get passwd value\n");
619 LM_ERR("invalid password value - empty content\n");
623 if (get_int_fparam(&vflags, msg, (fparam_t*)flags) < 0) {
624 LM_ERR("invalid flags value\n");
627 return pv_authenticate(msg, &srealm, &spasswd, vflags, HDR_PROXYAUTH_T,
628 &msg->first_line.u.request.method);
/*
 * Script wrapper: same parameter handling as pv_proxy_authenticate(), but
 * authenticates against the Authorization header (HDR_AUTHORIZATION_T).
 */
637 static int pv_www_authenticate(struct sip_msg *msg, char* realm,
638 char *passwd, char *flags)
642 str spasswd = {0, 0};
644 if (get_str_fparam(&srealm, msg, (fparam_t*)realm) < 0) {
645 LM_ERR("failed to get realm value\n");
650 LM_ERR("invalid realm value - empty content\n");
654 if (get_str_fparam(&spasswd, msg, (fparam_t*)passwd) < 0) {
655 LM_ERR("failed to get passwd value\n");
660 LM_ERR("invalid password value - empty content\n");
664 if (get_int_fparam(&vflags, msg, (fparam_t*)flags) < 0) {
665 LM_ERR("invalid flags value\n");
668 return pv_authenticate(msg, &srealm, &spasswd, vflags, HDR_AUTHORIZATION_T,
669 &msg->first_line.u.request.method);
/*
 * Four-parameter variant of pv_www_authenticate(): the method used in the
 * digest computation is taken from the script (`method`) rather than from the
 * request line, which lets the script verify credentials for a different
 * method. The final argument of the pv_authenticate() call is elided here.
 */
675 static int pv_www_authenticate2(struct sip_msg *msg, char* realm,
676 char *passwd, char *flags, char *method)
680 str spasswd = {0, 0};
681 str smethod = {0, 0};
683 if (get_str_fparam(&srealm, msg, (fparam_t*)realm) < 0) {
684 LM_ERR("failed to get realm value\n");
689 LM_ERR("invalid realm value - empty content\n");
693 if (get_str_fparam(&spasswd, msg, (fparam_t*)passwd) < 0) {
694 LM_ERR("failed to get passwd value\n");
699 LM_ERR("invalid password value - empty content\n");
703 if (get_int_fparam(&vflags, msg, (fparam_t*)flags) < 0) {
704 LM_ERR("invalid flags value\n");
708 if (get_str_fparam(&smethod, msg, (fparam_t*)method) < 0) {
709 LM_ERR("failed to get method value from msg %p var %p\n", msg, method);
714 LM_ERR("invalid method value - empty content\n");
718 return pv_authenticate(msg, &srealm, &spasswd, vflags, HDR_AUTHORIZATION_T,
/*
 * Authenticate and, when AUTH_CHECK_ID_F is set in `vchecks`, verify that the
 * authenticated digest username matches the identity claimed in the request:
 * the From user (and, for REGISTER/PUBLISH, also To and, for PUBLISH, the
 * R-URI); host parts are compared only when use_domain is enabled.
 * REGISTER is checked against Authorization, everything else against
 * Proxy-Authorization. Returns the pv_authenticate() code, or
 * AUTH_USER_MISMATCH. The `uri = &furi->...` selection and the error paths
 * for failed URI parsing are elided in this listing.
 */
728 static int pv_auth_check(sip_msg_t *msg, str *srealm, str *spasswd, int vflags,
733 sip_uri_t *uri = NULL;
734 sip_uri_t *turi = NULL;
735 sip_uri_t *furi = NULL;
738 if(msg->REQ_METHOD==METHOD_REGISTER)
739 ret = pv_authenticate(msg, srealm, spasswd, vflags, HDR_AUTHORIZATION_T,
740 &msg->first_line.u.request.method);
742 ret = pv_authenticate(msg, srealm, spasswd, vflags, HDR_PROXYAUTH_T,
743 &msg->first_line.u.request.method);
745 if(ret==AUTH_OK && (vchecks&AUTH_CHECK_ID_F)) {
/* Pick whichever credentials header was actually used (parsed by pv_authenticate()). */
746 hdr = (msg->proxy_auth==0)?msg->authorization:msg->proxy_auth;
747 suser = ((auth_body_t*)(hdr->parsed))->digest.username.user;
749 if((furi=parse_from_uri(msg))==NULL)
752 if(msg->REQ_METHOD==METHOD_REGISTER || msg->REQ_METHOD==METHOD_PUBLISH) {
753 if((turi=parse_to_uri(msg))==NULL)
/* Length is compared first, so strncmp over suser.len is a full-string comparison. */
759 if(suser.len!=uri->user.len
760 || strncmp(suser.s, uri->user.s, suser.len)!=0)
761 return AUTH_USER_MISMATCH;
763 if(msg->REQ_METHOD==METHOD_REGISTER || msg->REQ_METHOD==METHOD_PUBLISH) {
/* From and To must name the same user (and host, when use_domain != 0). */
765 if(furi->user.len!=turi->user.len
766 || strncmp(furi->user.s, turi->user.s, furi->user.len)!=0)
767 return AUTH_USER_MISMATCH;
768 if(auth_use_domain!=0 && (furi->host.len!=turi->host.len
769 || strncmp(furi->host.s, turi->host.s, furi->host.len)!=0))
770 return AUTH_USER_MISMATCH;
771 /* check r-uri==from for publish */
772 if(msg->REQ_METHOD==METHOD_PUBLISH) {
773 if(parse_sip_msg_uri(msg)<0)
775 uri = &msg->parsed_uri;
776 if(furi->user.len!=uri->user.len
777 || strncmp(furi->user.s, uri->user.s, furi->user.len)!=0)
778 return AUTH_USER_MISMATCH;
779 if(auth_use_domain!=0 && (furi->host.len!=uri->host.len
780 || strncmp(furi->host.s, uri->host.s, furi->host.len)!=0))
781 return AUTH_USER_MISMATCH;
/*
 * Script wrapper for pv_auth_check(): rejects NULL msg/parameters, skips ACK
 * and CANCEL (they cannot be challenged), evaluates realm/passwd/flags/checks
 * from their fparam_t forms and delegates. Return values for the early exits
 * are elided in this listing.
 */
793 static int w_pv_auth_check(sip_msg_t *msg, char *realm,
794 char *passwd, char *flags, char *checks)
799 str spasswd = {0, 0};
803 LM_ERR("invalid msg parameter\n");
807 if ((msg->REQ_METHOD == METHOD_ACK) || (msg->REQ_METHOD == METHOD_CANCEL)) {
811 if(realm==NULL || passwd==NULL || flags==NULL || checks==NULL) {
812 LM_ERR("invalid parameters\n");
816 if (get_str_fparam(&srealm, msg, (fparam_t*)realm) < 0) {
817 LM_ERR("failed to get realm value\n");
822 LM_ERR("invalid realm value - empty content\n");
826 if (get_str_fparam(&spasswd, msg, (fparam_t*)passwd) < 0) {
827 LM_ERR("failed to get passwd value\n");
832 LM_ERR("invalid password value - empty content\n");
836 if (get_int_fparam(&vflags, msg, (fparam_t*)flags) < 0) {
837 LM_ERR("invalid flags value\n");
841 if (get_int_fparam(&vchecks, msg, (fparam_t*)checks) < 0) {
842 LM_ERR("invalid checks value\n");
/* The password is deliberately not logged here, only realm/flags/checks. */
845 LM_DBG("realm [%.*s] flags [%d] checks [%d]\n", srealm.len, srealm.s,
847 return pv_auth_check(msg, &srealm, &spasswd, vflags, vchecks);
852 * @brief fixup function for pv_{www,proxy}_authenticate
/*
 * Fixup for pv_{www,proxy}_authenticate: rejects empty parameters, converts
 * string parameters with fixup_var_pve_str_12() and the flags parameter with
 * fixup_var_int_12(). The param_no dispatch is elided in this listing.
 */
854 static int fixup_pv_auth(void **param, int param_no)
856 if(strlen((char*)*param)<=0) {
857 LM_ERR("empty parameter %d not allowed\n", param_no);
865 return fixup_var_pve_str_12(param, 1);
867 return fixup_var_int_12(param, 1);
873 * @brief fixup function for pv_{www,proxy}_authenticate
/*
 * Fixup for pv_auth_check: same scheme as fixup_pv_auth(), with the extra
 * `checks` parameter handled as an integer. The param_no dispatch is elided
 * in this listing.
 */
875 static int fixup_pv_auth_check(void **param, int param_no)
877 if(strlen((char*)*param)<=0) {
878 LM_ERR("empty parameter %d not allowed\n", param_no);
885 return fixup_var_pve_str_12(param, 1);
888 return fixup_var_int_12(param, 1);
/*
 * Send a reply with the given status code and reason phrase, optionally
 * appending `hdr` (hdr_len bytes) as an extra reply header. The reply is sent
 * statelessly when force_stateless_reply is set, otherwise through the
 * transaction-aware SL freply. `reason` must be a NUL-terminated string
 * (callers pass literals). Returns the SL API result.
 */
898 static int auth_send_reply(struct sip_msg *msg, int code, char *reason,
899 char *hdr, int hdr_len)
903 /* Add new headers if there are any */
904 if ((hdr!=NULL) && (hdr_len>0)) {
905 if (add_lump_rpl(msg, hdr, hdr_len, LUMP_RPL_HDR)==0) {
906 LM_ERR("failed to append hdr to reply\n");
911 reason_str.s = reason;
912 reason_str.len = strlen(reason);
914 return force_stateless_reply ?
915 slb.sreply(msg, code, &reason_str) :
916 slb.freply(msg, code, &reason_str);
/*
 * Build a digest challenge header for `realm` and either send it (401 for
 * HDR_AUTHORIZATION_T, 407 for HDR_PROXYAUTH_T) or, when the trailing output
 * parameter is non-NULL, hand the header back to the caller. `flags` select
 * the qop variant and the stale marker. On failure a 500 is sent. The header
 * buffer (hf.s) is pkg-allocated by get_challenge_hf() and freed here unless
 * returned. Parameter list tail, `stale` derivation and return values are
 * elided in this listing.
 */
922 int auth_challenge_helper(struct sip_msg *msg, str *realm, int flags, int hftype,
927 struct qp *qop = NULL;
932 qop = &auth_qauthint;
/* The algorithm parameter is only emitted when one was configured. */
941 if (get_challenge_hf(msg, stale, realm, NULL, (auth_algorithm.len ? &auth_algorithm : NULL), qop, hftype, &hf)
943 LM_ERR("Error while creating challenge\n");
955 case HDR_AUTHORIZATION_T:
956 if(auth_send_reply(msg, 401, "Unauthorized",
960 case HDR_PROXYAUTH_T:
961 if(auth_send_reply(msg, 407, "Proxy Authentication Required",
966 if(hf.s) pkg_free(hf.s);
/* Error path: release the header and answer with a generic 500. */
970 if(hf.s) pkg_free(hf.s);
972 if(auth_send_reply(msg, 500, "Internal Server Error", 0, 0) <0 )
/* Send a challenge of the given header type; the header is not returned to the caller. */
981 int auth_challenge_hftype(struct sip_msg *msg, str *realm, int flags, int hftype)
983 return auth_challenge_helper(msg, realm, flags, hftype, NULL);
/*
 * KEMI entry: challenge the request, choosing WWW-Authenticate for REGISTER
 * and Proxy-Authenticate for every other method. Returns -1 on NULL msg.
 */
989 int auth_challenge(sip_msg_t *msg, str *realm, int flags)
993 if(msg==NULL) return -1;
995 if(msg->REQ_METHOD==METHOD_REGISTER)
996 htype = HDR_AUTHORIZATION_T;
998 htype = HDR_PROXYAUTH_T;
1000 return auth_challenge_helper(msg, realm, flags, htype, NULL);
/*
 * Script wrapper: evaluate realm and flags and send a 407 proxy challenge.
 * The trailing auth_send_reply(500) is the parameter-error path (its label
 * and the return statements are elided in this listing).
 */
1006 static int proxy_challenge(struct sip_msg *msg, char* realm, char *flags)
1009 str srealm = {0, 0};
1011 if (get_str_fparam(&srealm, msg, (fparam_t*)realm) < 0) {
1012 LM_ERR("failed to get realm value\n");
1017 LM_ERR("invalid realm value - empty content\n");
1021 if (get_int_fparam(&vflags, msg, (fparam_t*)flags) < 0) {
1022 LM_ERR("invalid flags value\n");
1026 return auth_challenge_hftype(msg, &srealm, vflags, HDR_PROXYAUTH_T);
1030 if(auth_send_reply(msg, 500, "Internal Server Error", 0, 0) <0 )
/*
 * Script wrapper: evaluate realm and flags and send a 401 WWW challenge.
 * Mirrors proxy_challenge() with HDR_AUTHORIZATION_T; the trailing 500 is the
 * parameter-error path.
 */
1039 static int www_challenge(struct sip_msg *msg, char* realm, char *flags)
1042 str srealm = {0, 0};
1044 if (get_str_fparam(&srealm, msg, (fparam_t*)realm) < 0) {
1045 LM_ERR("failed to get realm value\n");
1050 LM_ERR("invalid realm value - empty content\n");
1054 if (get_int_fparam(&vflags, msg, (fparam_t*)flags) < 0) {
1055 LM_ERR("invalid flags value\n");
1059 return auth_challenge_hftype(msg, &srealm, vflags, HDR_AUTHORIZATION_T);
1063 if(auth_send_reply(msg, 500, "Internal Server Error", 0, 0) <0 )
/*
 * Script wrapper for auth_challenge(): ACK and CANCEL are skipped (no
 * challenge is possible for them), then the header type is chosen by method
 * as in auth_challenge(). The trailing 500 is the parameter-error path.
 */
1072 static int w_auth_challenge(struct sip_msg *msg, char* realm, char *flags)
1075 str srealm = {0, 0};
1077 if((msg->REQ_METHOD == METHOD_ACK) || (msg->REQ_METHOD == METHOD_CANCEL)) {
1081 if(get_str_fparam(&srealm, msg, (fparam_t*)realm) < 0) {
1082 LM_ERR("failed to get realm value\n");
1087 LM_ERR("invalid realm value - empty content\n");
1091 if(get_int_fparam(&vflags, msg, (fparam_t*)flags) < 0) {
1092 LM_ERR("invalid flags value\n");
1096 if(msg->REQ_METHOD==METHOD_REGISTER)
1097 return auth_challenge_hftype(msg, &srealm, vflags, HDR_AUTHORIZATION_T);
1099 return auth_challenge_hftype(msg, &srealm, vflags, HDR_PROXYAUTH_T);
1103 if(auth_send_reply(msg, 500, "Internal Server Error", 0, 0) <0 )
1111 * @brief fixup function for {www,proxy}_challenge
/*
 * Fixup for {www,proxy,auth}_challenge: rejects empty parameters; the realm
 * becomes a string var (fixup_var_str_12), the flags an int var
 * (fixup_var_int_12). The param_no dispatch is elided in this listing.
 */
1113 static int fixup_auth_challenge(void **param, int param_no)
1115 if(strlen((char*)*param)<=0) {
1116 LM_ERR("empty parameter %d not allowed\n", param_no);
1122 return fixup_var_str_12(param, 1);
1124 return fixup_var_int_12(param, 1);
/*
 * Build a WWW-Authenticate header for `realm` without sending a reply and
 * store it in the writable pvar `dst`. auth_challenge_helper() is called with
 * a NULL msg and an output str so the header is returned instead of sent.
 * The result is copied into the shared pv buffer and NUL-terminated.
 * NOTE(review): the lines between the helper call and the memcpy are elided
 * here; confirm that hf.len is checked against the pv buffer size
 * (pv_get_buffer_size()) before the copy, and that hf.s is pkg_free'd after.
 */
1133 static int w_auth_get_www_authenticate(sip_msg_t* msg, char* realm,
1134 char *flags, char *dst)
1143 if(get_str_fparam(&srealm, msg, (fparam_t*)realm) < 0) {
1144 LM_ERR("failed to get realm value\n");
1149 LM_ERR("invalid realm value - empty content\n");
1153 if(get_int_fparam(&vflags, msg, (fparam_t*)flags) < 0) {
1154 LM_ERR("invalid flags value\n");
/* dst was validated by fixup_auth_get_www_authenticate() to have a setf. */
1158 pv = (pv_spec_t *)dst;
1160 ret = auth_challenge_helper(NULL, &srealm, vflags,
1161 HDR_AUTHORIZATION_T, &hf);
1166 val.rs.s = pv_get_buffer();
1170 memcpy(val.rs.s, hf.s, hf.len);
1171 val.rs.len = hf.len;
1172 val.rs.s[val.rs.len] = '\0';
1175 val.flags = PV_VAL_STR;
1176 pv->setf(msg, &pv->pvp, (int)EQ_T, &val);
/*
 * Fixup for auth_get_www_authenticate: realm -> string var, flags -> int
 * var, and the third parameter must be a writable pseudo-variable (setf
 * present). The param_no dispatch is elided in this listing.
 */
1185 static int fixup_auth_get_www_authenticate(void **param, int param_no)
1187 if(strlen((char*)*param)<=0) {
1188 LM_ERR("empty parameter %d not allowed\n", param_no);
1194 return fixup_var_str_12(param, 1);
1196 return fixup_var_int_12(param, 1);
1198 if (fixup_pvar_null(param, 1) != 0) {
1199 LM_ERR("failed to fixup result pvar\n");
/* Read-only pvars (no setf) cannot receive the header; reject them at fixup time. */
1202 if (((pv_spec_t *)(*param))->setf == NULL) {
1203 LM_ERR("result pvar is not writeble\n");
/*
 * KEMI exports (module "auth"): the str/int parameter signatures here must
 * match the C prototypes of consume_credentials(), auth_challenge(),
 * pv_auth_check() and ki_has_credentials(). Terminated by the all-zero entry.
 */
1214 static sr_kemi_t sr_kemi_auth_exports[] = {
1215 { str_init("auth"), str_init("consume_credentials"),
1216 SR_KEMIP_INT, consume_credentials,
1217 { SR_KEMIP_NONE, SR_KEMIP_NONE, SR_KEMIP_NONE,
1218 SR_KEMIP_NONE, SR_KEMIP_NONE, SR_KEMIP_NONE }
1220 { str_init("auth"), str_init("auth_challenge"),
1221 SR_KEMIP_INT, auth_challenge,
1222 { SR_KEMIP_STR, SR_KEMIP_INT, SR_KEMIP_NONE,
1223 SR_KEMIP_NONE, SR_KEMIP_NONE, SR_KEMIP_NONE }
1225 { str_init("auth"), str_init("pv_auth_check"),
1226 SR_KEMIP_INT, pv_auth_check,
1227 { SR_KEMIP_STR, SR_KEMIP_STR, SR_KEMIP_INT,
1228 SR_KEMIP_INT, SR_KEMIP_NONE, SR_KEMIP_NONE }
1230 { str_init("auth"), str_init("has_credentials"),
1231 SR_KEMIP_INT, ki_has_credentials,
1232 { SR_KEMIP_STR, SR_KEMIP_NONE, SR_KEMIP_NONE,
1233 SR_KEMIP_NONE, SR_KEMIP_NONE, SR_KEMIP_NONE }
1236 { {0, 0}, {0, 0}, 0, NULL, { 0, 0, 0, 0, 0, 0 } }
1242 int mod_register(char *path, int *dlflags, void *p1, void *p2)
1244 sr_kemi_modules_add(sr_kemi_auth_exports);