Module: sip-router Branch: master Commit: 14ef8ff8d460bc22f0df4793e11455487ea91aab URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=14ef8ff8...
Author: Carsten Bock carsten@ng-voice.com Committer: Carsten Bock carsten@ng-voice.com Date: Mon Jun 24 22:10:33 2013 +0200
auth_ims: New option to store authentication vectors using the IMPU only, instead of IMPI/IMPU. (this is required to work with some SIP-clients) - added some more debug info - replaced the hashing function with core_hash from Kamailio-core
---
modules/ims_auth/authims_mod.c | 2 + modules/ims_auth/authorize.c | 42 ++++++++++++++++++++++++++---- modules/ims_auth/cxdx_mar.c | 3 +- modules/ims_auth/doc/ims_auth_admin.xml | 21 +++++++++++++++ 4 files changed, 61 insertions(+), 7 deletions(-)
diff --git a/modules/ims_auth/authims_mod.c b/modules/ims_auth/authims_mod.c
index 12070c6..0e94f69 100644
--- a/modules/ims_auth/authims_mod.c
+++ b/modules/ims_auth/authims_mod.c
@@ -86,6 +86,7 @@ int av_request_at_once = 1; /**< how many auth vectors to request in a MAR *
 int av_request_at_sync = 1; /**< how many auth vectors to request in a sync MAR */
 char *registration_qop = "auth,auth-int"; /**< the qop options to put in the authorization challenges */
 str registration_qop_str = {0, 0}; /**< the qop options to put in the authorization challenges */
+int av_check_only_impu = 0; /**< Should we check IMPU (0) or IMPU and IMPI (1), when searching for authentication vectors? */
 static str s_qop_s = {", qop="", 7};
 static str s_qop_e = {""", 1};
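Review bot: The doc comment on the new `av_check_only_impu` global states the values the wrong way round: it says 0 checks the IMPU and 1 checks IMPU and IMPI, while the lookup added to authorize.c and the module documentation added in this same commit both treat a non-zero value as IMPU-only. Because this switch decides whether the private identity takes part in matching stored authentication vectors, a reader who trusts the comment would configure the weaker mode by mistake. The comment should read `/**< match stored authentication vectors on IMPI and IMPU (0, default) or on the IMPU alone (1) */`.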
@@ -139,6 +140,7 @@ static param_export_t params[] = {
 {"registration_default_algorithm", STR_PARAM, ®istration_default_algorithm},
 {"registration_qop", STR_PARAM, ®istration_qop},
 {"ignore_failed_auth", INT_PARAM, &ignore_failed_auth},
+ {"av_check_only_impu", INT_PARAM, &av_check_only_impu},
 {"cxdx_forced_peer", STR_PARAM, &cxdx_forced_peer_s},
 {"cxdx_dest_realm", STR_PARAM, &cxdx_dest_realm_s},
 {0, 0, 0}
diff --git a/modules/ims_auth/authorize.c b/modules/ims_auth/authorize.c
index 8b1904d..7f3e753 100644
--- a/modules/ims_auth/authorize.c
+++ b/modules/ims_auth/authorize.c
@@ -47,6 +47,7 @@
 #include "../../ut.h"
 #include "../../str.h"
 #include "../../basex.h"
+#include "../../hashes.h"
 #include "../../lib/srdb1/db.h"
 #include "../../lib/srdb1/db_ut.h"
 #include "../../dprint.h"
@@ -85,6 +86,7 @@ extern int add_authinfo_hdr;
 extern int max_nonce_reuse;
 extern str scscf_name_str;
 extern int ignore_failed_auth;
+extern int av_check_only_impu;
auth_hash_slot_t *auth_data; /**< Authentication vector hash table */
 extern int auth_data_hash_size; /**< authentication vector hash table size */
@@ -1162,6 +1164,12 @@ void free_auth_userdata(auth_userdata * aud) {
 * @returns the hash % Auth_data->size
 */
 inline unsigned int get_hash_auth(str private_identity, str public_identity) {
+if (av_check_only_impu)
+ return core_hash(&public_identity, 0, auth_data_hash_size);
+else
+ return core_hash(&public_identity, 0, auth_data_hash_size);
+/*
+
#define h_inc h+=v^(v>>3)
 char* p;
@@ -1192,6 +1200,7 @@ inline unsigned int get_hash_auth(str private_identity, str public_identity) {
 h = ((h)+(h >> 11))+((h >> 13)+(h >> 23));
 return (h) % auth_data_hash_size;
 #undef h_inc
+*/
 }
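Review bot: Both branches of the new `if (av_check_only_impu)` in get_hash_auth() return the same expression, `core_hash(&public_identity, 0, auth_data_hash_size)`, so the flag has no effect on the bucket and `private_identity` is no longer used. If keying the bucket on the IMPU alone is intended in both modes, a single return with a comment such as `/* bucket is keyed on the IMPU only; get_auth_userdata() still compares the IMPI unless av_check_only_impu is set */` states that; otherwise the else branch presumably wants `&private_identity` as the second argument, assuming core_hash() accepts a second string there. The old hash body is left inside a `/* ... */` block that is only closed by the `+*/` in the following hunk and could simply be deleted. The `@returns the hash % Auth_data->size` line above the function should also be re-checked against how core_hash() reduces to the table size, which this page does not show.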
/**
@@ -1209,13 +1218,29 @@ auth_userdata * get_auth_userdata(str private_identity, str public_identity) {
 hash = get_hash_auth(private_identity, public_identity);
 auth_data_lock(hash);
 aud = auth_data[hash].head;
+ if (av_check_only_impu)
+ LM_DBG("Searching auth_userdata for IMPU %.*s (Hash %d)\n", public_identity.len, public_identity.s, hash);
+ else
+ LM_DBG("Searching auth_userdata for IMPU %.*s / IMPI %.*s (Hash %d)\n", public_identity.len, public_identity.s,
+ private_identity.len, private_identity.s, hash);
+
 while (aud) {
- if (aud->private_identity.len == private_identity.len &&
- aud->public_identity.len == public_identity.len &&
- memcmp(aud->private_identity.s, private_identity.s, private_identity.len) == 0 &&
- memcmp(aud->public_identity.s, public_identity.s, public_identity.len) == 0) {
- return aud;
- }
+ if (av_check_only_impu) {
+ if (aud->public_identity.len == public_identity.len &&
+ memcmp(aud->public_identity.s, public_identity.s, public_identity.len) == 0) {
+ LM_DBG("Found auth_userdata\n");
+ return aud;
+ }
+ } else {
+ if (aud->private_identity.len == private_identity.len &&
+ aud->public_identity.len == public_identity.len &&
+ memcmp(aud->private_identity.s, private_identity.s, private_identity.len) == 0 &&
+ memcmp(aud->public_identity.s, public_identity.s, public_identity.len) == 0) {
+ LM_DBG("Found auth_userdata\n");
+ return aud;
+ }
+ }
+
 aud = aud->next;
 }
 /* if we get here, there is no auth_userdata for this user */
@@ -1408,6 +1433,11 @@ int add_auth_vector(str private_identity, str public_identity, auth_vector * av)
 aud = get_auth_userdata(private_identity, public_identity);
 if (!aud) goto error;
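Review bot: With `av_check_only_impu` set, the loop in get_auth_userdata() returns the first entry whose `public_identity` matches and never looks at `private_identity`, so the `auth_userdata` handed back may have been stored under a different IMPI than the one passed in. That loosens the binding between a private identity and its authentication vectors, so the branch deserves a comment saying so, for example `/* IMPU-only mode: aud->private_identity may differ from the private_identity argument */`. Callers that rely on the IMPI of the returned entry are not visible in this hunk and should be checked. Separately, `hash` is printed with `%d` although get_hash_auth() returns `unsigned int`; `%u` would match if the local is declared unsigned, which the hunk does not show. The function starts and ends outside the hunk.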
+ LM_DBG("Adding auth_vector (status %d) for IMPU %.*s / IMPI %.*s (Hash %d)\n", av->status,
+ public_identity.len, public_identity.s,
+ private_identity.len, private_identity.s, aud->hash);
+
+
 av->prev = aud->tail;
 av->next = 0;
diff --git a/modules/ims_auth/cxdx_mar.c b/modules/ims_auth/cxdx_mar.c
index 2ec113b..4fa7e17 100644
--- a/modules/ims_auth/cxdx_mar.c
+++ b/modules/ims_auth/cxdx_mar.c
@@ -154,7 +154,6 @@ void async_cdp_callback(int is_timeout, void *param, AAAMessage *maa, long elaps
 goto error;
 }
- //get each individual element from the MAA cxdx_get_result_code(maa, &rc); cxdx_get_experimental_result_code(maa, &experimental_rc); @@ -388,6 +387,8 @@ success: //TODO need to confirm that removing this has done no problems //tmp->auth_data->code = -tmp->auth_data->code;
+ LM_DBG("Added new auth-vector.\n");
+
 tmp = tmp->next;
 }
diff --git a/modules/ims_auth/doc/ims_auth_admin.xml b/modules/ims_auth/doc/ims_auth_admin.xml
index a7e4649..56eb972 100644
--- a/modules/ims_auth/doc/ims_auth_admin.xml
+++ b/modules/ims_auth/doc/ims_auth_admin.xml
@@ -313,6 +313,27 @@ modparam("ims_auth", "ignore_failed_auth", 1)
 </example>
 </section>
+ <section>
+ <title><varname>av_check_only_impu</varname> (integer)</title>
+
+ <para>When storing the authentication vectors for an account, use either IMPI/IMPU (=0, default) or IMPU (=1).</para>
+ <para>In case the IMPI is different from the IMPU, this option needs to be enabled to allow registration from
+ classic "SIP-clients", such as Snom phones and others, as they do not send an authentication username in the first REGISTER.</para>
+ <para>Default value is <quote>0</quote> (store authentication vectors based on IMPI/IMPU).</para>
+
+ <example>
+ <title><varname>av_check_only_impu</varname> parameter usage</title>
+
+ <programlisting format="linespecific">
+...
+modparam("ims_auth", "av_check_only_impu", 1)
+...
+</programlisting>
+ </example>
+ </section>
+
+
+
 </section>
<section>