Module: sip-router Branch: master Commit: 33f054a793dc843959de356f0dc201e66d306583 URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=33f054a7...
Author: Jason Penton jason.penton@gmail.com Committer: Jason Penton jason.penton@gmail.com Date: Wed Sep 3 22:32:03 2014 +0200
modules/ims_auth: ims_www_challenge allows specification of the auth algorithm from cfg - e.g. ims_www_challenge("REG_MAR_REPLY", "$td", "MD5"); - useful for non-IMS clients that do not support AKA
---
modules/ims_auth/authims_mod.c | 8 +++- modules/ims_auth/authorize.c | 23 ++++++++-- modules/ims_auth/doc/ims_auth_admin.xml | 68 +++++++++++++++++++++++++------ 3 files changed, 80 insertions(+), 19 deletions(-)
diff --git a/modules/ims_auth/authims_mod.c b/modules/ims_auth/authims_mod.c
index 716f75c..8d8afd1 100644
--- a/modules/ims_auth/authims_mod.c
+++ b/modules/ims_auth/authims_mod.c
@@ -113,6 +113,7 @@ int ignore_failed_auth = 0;
 static cmd_export_t cmds[] = {
 {"ims_www_authenticate", (cmd_function) www_authenticate, 1, auth_fixup, 0, REQUEST_ROUTE},
 {"ims_www_challenge", (cmd_function) www_challenge, 2, challenge_fixup_async, 0, REQUEST_ROUTE},
+ {"ims_www_challenge", (cmd_function) www_challenge, 3, challenge_fixup_async, 0, REQUEST_ROUTE},
 {"ims_www_resync_auth", (cmd_function) www_resync_auth, 2, challenge_fixup_async, 0, REQUEST_ROUTE},
 {"ims_proxy_authenticate", (cmd_function) proxy_authenticate, 1, auth_fixup, 0, REQUEST_ROUTE},
 {"ims_proxy_challenge", (cmd_function) proxy_challenge, 2, auth_fixup_async, 0, REQUEST_ROUTE},
@@ -262,7 +263,12 @@ static int challenge_fixup_async(void** param, int param_no) {
 return 0;
 } else if (param_no == 2) {
 if (fixup_var_str_12(param, 1) == -1) {
- LM_ERR("Erroring doing fixup on challenge");
+ LM_ERR("Error doing fixup on challenge");
+ return -1;
+ }
+ } else if (param_no == 3) /* algorithm */ {
+ if (fixup_var_str_12(param, 1) == -1) {
+ LM_ERR("Error doing fixup on challenge");
 return -1;
 }
 }
diff --git a/modules/ims_auth/authorize.c b/modules/ims_auth/authorize.c
index c409b4a..bb93ffa 100644
--- a/modules/ims_auth/authorize.c
+++ b/modules/ims_auth/authorize.c
@@ -269,13 +269,13 @@ int proxy_authenticate(struct sip_msg* _m, char* _realm, char* _table) {
 return digest_authenticate(_m, &srealm, &stable, HDR_PROXYAUTH_T);
 }
 */
-int challenge(struct sip_msg* msg, char* str1, char* str2, int is_proxy_auth, char *route) {
+int challenge(struct sip_msg* msg, char* str1, char* alg, int is_proxy_auth, char *route) {
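Review bot: The new `param_no == 3` branch in challenge_fixup_async repeats the `param_no == 2` branch line for line, including an error message that no longer tells the two parameters apart in the log. Both branches run the same `fixup_var_str_12(param, 1)`, so a single condition `} else if (param_no == 2 || param_no == 3) {` covers both, and the message should name the parameter and end with a newline like the LM_ERR/LM_DBG calls in authorize.c, e.g. `LM_ERR("Error doing fixup on challenge param %d\n", param_no);`. challenge_fixup_async starts before the hunk and its remaining branches are outside it.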
- str realm = {0, 0};
+ str realm = {0, 0}, algo = {0,0};
 unsigned int aud_hash;
 str private_identity, public_identity, auts = {0, 0}, nonce = {0, 0};
 auth_vector *av = 0;
- int algo_type;
+ int algo_type = 0;
 str route_name;
 saved_transaction_t* saved_t;
@@ -287,6 +287,15 @@ int challenge(struct sip_msg* msg, char* str1, char* str2, int is_proxy_auth, ch
 return -1;
 }
+ if (!alg) {
+ LM_DBG("no algorithm specified in cfg... using default\n");
+ } else {
+ if (get_str_fparam(&algo, msg, (fparam_t*) alg) < 0) {
+ LM_ERR("failed to get auth algorithm\n");
+ return -1;
+ }
+ }
+
 LM_DBG("Looking for route block [%.*s]\n", route_name.len, route_name.s);
 int ri = route_get(&main_rt, route_name.s);
 if (ri < 0) {
@@ -343,8 +352,12 @@ int challenge(struct sip_msg* msg, char* str1, char* str2, int is_proxy_auth, ch
 return CSCF_RETURN_BREAK;
 }
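Review bot: The added `if (!alg)` branch exists only to emit a debug line, and the real work sits one level deeper in the else; the two levels of nesting can be flattened to a single guard `if (alg && get_str_fparam(&algo, msg, (fparam_t*) alg) < 0) {` with the LM_ERR and `return -1;` unchanged, keeping the "using default" LM_DBG as a separate `if (!alg)` before it if that log line is wanted. Nothing in the hunk logs the algorithm that was actually resolved on the success path, which makes a cfg typo harder to trace later. challenge continues outside this hunk on both sides.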
- algo_type = registration_default_algorithm_type;
-
+ if (algo.len > 0) {
+ algo_type = get_algorithm_type(algo);
+ } else {
+ algo_type = registration_default_algorithm_type;
+ }
+
 // /* check if it is a synchronization request */
 // //TODO this is MAR syncing - have removed it currently - TOD maybe put back in
 // auts = ims_get_auts(msg, realm, is_proxy_auth);
diff --git a/modules/ims_auth/doc/ims_auth_admin.xml b/modules/ims_auth/doc/ims_auth_admin.xml
index ca57bd3..d5a1e0f 100644
--- a/modules/ims_auth/doc/ims_auth_admin.xml
+++ b/modules/ims_auth/doc/ims_auth_admin.xml
@@ -422,17 +422,17 @@ if (!www_authorize("kamailio.org", "subscriber")) {
 </section>
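Review bot: `algo_type = get_algorithm_type(algo);` takes the result of resolving a cfg-supplied name without checking it, so a misspelled algorithm (the documentation added in this commit lists AKAv1-MD5, AKAv2-MD5, MD5 and HSS-Selected) is carried into the challenge with whatever get_algorithm_type returns for an unknown name. Its convention for that case is not visible in this diff; if it uses a sentinel, the assignment should be followed by a check along the lines of `if (algo_type < 0) { LM_ERR("unknown auth algorithm [%.*s]\n", algo.len, algo.s); return -1; }` (constructed example). Because the parameter is fixed at cfg-load time by challenge_fixup_async in authims_mod.c, a plain-string value could also be validated once there rather than on every request. The `algo.len > 0` test is what maps the documented empty-string case onto registration_default_algorithm_type; challenge continues past the hunk.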
 <section>
- <title><function moreinfo="none">ims_www_authenticate(realm,
- table)</function></title>
+ <title><function
+ moreinfo="none">ims_www_authenticate(realm)</function></title>
- <para>It is same function as www_authenticate(realm, table). This name
- is kept for backward compatibility, since it was named this way first
- time by it actually does user authentication.</para>
+ <para>It is the same function as www_authenticate(realm, table). This
+ name is kept for backward compatibility, since it was named this way
+ first time by it actually does user authentication.</para>
 </section>
 <section>
- <title><function moreinfo="none">ims_www_challenge(route_block, realm,
- table)</function></title>
+ <title><function moreinfo="none">ims_www_challenge(route_block,
+ realm)</function></title>
<para>Name alias: proxy_authorize(realm, table)</para>
@@ -471,17 +471,12 @@ if (!www_authorize("kamailio.org", "subscriber")) {
 <para>The string may contain pseudo variables.</para>
 </listitem>
-
- <listitem>
- <para><emphasis>table</emphasis> - Table to be used to lookup
- usernames and passwords (usually subscribers table).</para>
- </listitem>
 </itemizedlist>
<para>This function can be used from REQUEST_ROUTE.</para>
 <example>
- <title>proxy_authorize usage</title>
+ <title>ims_www_challenge usage</title>
 <programlisting format="linespecific">
 ...
@@ -518,6 +513,53 @@ route[REG_MAR_REPLY]
 </section>
 <section>
+ <title><function moreinfo="none">ims_www_challenge(route_block, realm,
+ algorithm)</function></title>
+
+ <para>Same as 4.3 except here there is the addiional option to specify
+ the authorisation algorithm</para>
+
+ <itemizedlist>
+ <listitem>
+ <para><emphasis>algorithm</emphasis> - The algorithm to be used when
+ challenging the client. Can be AKAv1-MD5, AKAv2-MD5, MD5, or
+ HSS-Selected. If left as an empty string, the default algorithm will
+ be chosen according to the parameter registration_default_algorithm
+ (see section 3.7)</para>
+ </listitem>
+ </itemizedlist>
+
+ <para>This function can be used from REQUEST_ROUTE.</para>
+
+ <example>
+ <title>ims_www_challenge usage</title>
+
+ <programlisting format="linespecific">
+...
+ if (!ims_www_authenticate(NETWORKNAME)) {
+ #user has not been authenticated. Lets send a challenge via 401 Unauthorized
+ if ($? == -2) {
+ t_reply("403", "Authentication Failed");
+ exit;
+ } else if ($? == -3) {
+ t_reply("400", "Bad Request");
+ exit;
+ } else if ($? == -9) {
+ xlog("L_DBG", "Authentication re-sync requested\n");
+ ims_www_resync_auth("REG_RESYNC_REPLY", "$td");
+ exit;
+ } else {
+ xlog("L_DBG","About to challenge! auth_ims\n");
+ ims_www_challenge("REG_MAR_REPLY", "$td", "MD5");
+ exit;
+ }
+ }
+
+</programlisting>
+ </example>
+ </section>
+
+ <section>
 <title><function moreinfo="none">ims_proxy_challenge(route_block, realm,
 table)</function></title>