[sr-dev] git:3.1: modules/auth: fixed sending of [www|proxy]_challenge reply
Juha Heinanen
jh at tutpro.com
Thu Oct 7 17:04:01 CEST 2010
Module: sip-router
Branch: 3.1
Commit: c7974ebd1d2f9a55d3b742964ab6940236204e33
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=c7974ebd1d2f9a55d3b742964ab6940236204e33
Author: Juha Heinanen <jh at tutpro.com>
Committer: Juha Heinanen <jh at tutpro.com>
Date: Thu Oct 7 17:59:27 2010 +0300
modules/auth: fixed sending of [www|proxy]_challenge reply
- By default, [www|proxy]_challenge functions now send reply statefully
if transaction exists and statelessly otherwise.
- Added force_stateless_reply module param that can be used to change
the default behavior.
- Credits to Andrei Pelinescu-Onciul.
---
modules/auth/README | 29 ++++++++++++++++++++++-------
modules/auth/auth_mod.c | 12 ++++++++++--
modules/auth/doc/functions.xml | 6 ++++--
modules/auth/doc/params.xml | 19 +++++++++++++++++++
4 files changed, 55 insertions(+), 11 deletions(-)
diff --git a/modules/auth/README b/modules/auth/README
index 92e4641..0f0214b 100644
--- a/modules/auth/README
+++ b/modules/auth/README
@@ -36,6 +36,7 @@ Daniel-Constantin Mierla
1.3.10. secret (string)
1.3.11. nonce_expire (integer)
1.3.12. nonce_auth_max_drift (integer)
+ 1.3.13. force_stateless_reply (boolean)
1.4. Functions
@@ -450,6 +451,18 @@ modparam("auth", "nonce_expire", 600) # Set nonce_expire to 600s
modparam("auth", "nonce_auth_max_drift", 1) # set max drift to 1 s
...
+1.3.13. force_stateless_reply (boolean)
+
+ If set to 1, www_challenge() and proxy_challenge() functions send reply
+ statelessly no matter if transaction exists or not. If set to 0
+ (default), reply is sent statefully if transaction exists and
+ stelelessly otherwise.
+
+ Example 13. force_stateless_reply example
+...
+modparam("auth", "force_stateless_reply", 1)
+...
+
1.4. Functions
1.4.1. consume_credentials()
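Review bot: typo in the new 1.3.13 paragraph, where "stelelessly" should read "statelessly". The heading also labels the parameter "(boolean)" while auth_mod.c exports it as PARAM_INT; either call it an integer like the neighbouring entries or state that only 0 and 1 are meaningful.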
@@ -462,7 +475,7 @@ modparam("auth", "nonce_auth_max_drift", 1) # set max drift to 1 s
little bit shorter. The function must be called after www_authorize,
proxy_authorize, www_authenticate or proxy_authenticate.
- Example 13. consume_credentials example
+ Example 14. consume_credentials example
...
if (www_authenticate("realm", "subscriber)) {
consume_credentials();
@@ -476,7 +489,8 @@ if (www_authenticate("realm", "subscriber)) {
field into a response generated from the request the server is
processing and send the reply. Upon reception of such a reply the user
agent should compute credentials and retry the request. For more
- information regarding digest authentication see RFC2617.
+ information regarding digest authentication see RFC2617. See module
+ parameter force_stateless_reply regarding sending of the reply.
Meaning of the parameters is as follows:
* realm - Realm is a opaque string that the user agent should present
@@ -496,7 +510,7 @@ if (www_authenticate("realm", "subscriber)) {
This function can be used from REQUEST_ROUTE.
- Example 14. www_challenge usage
+ Example 15. www_challenge usage
...
if (!www_authenticate("$td", "subscriber")) {
www_challenge("$td", "1");
@@ -510,14 +524,15 @@ if (!www_authenticate("$td", "subscriber")) {
the header field into a response generated from the request the server
is processing and send the reply. Upon reception of such a reply the
user agent should compute credentials and retry the request. For more
- information regarding digest authentication see RFC2617.
+ information regarding digest authentication see RFC2617. See module
+ parameter force_stateless_reply regarding sending of the reply.
Meaning of the parameters the same as for function www_challenge(realm,
flags)
This function can be used from REQUEST_ROUTE.
- Example 15. proxy_challenge usage
+ Example 16. proxy_challenge usage
...
if (!proxy_authenticate("$fd", "subscriber)) {
proxy_challenge("$fd", "1");
@@ -562,7 +577,7 @@ if (!proxy_authenticate("$fd", "subscriber)) {
This function can be used from REQUEST_ROUTE.
- Example 16. pv_www_authenticate usage
+ Example 17. pv_www_authenticate usage
...
if (!pv_www_authenticate("$td", "123abc", "0")) {
www_challenge("$td", "1");
@@ -584,7 +599,7 @@ if (!pv_www_authenticate("$td", "123abc", "0")) {
This function can be used from REQUEST_ROUTE.
- Example 17. pv_proxy_authenticate usage
+ Example 18. pv_proxy_authenticate usage
...
$avp(password)="xyz";
if (!pv_proxy_authenticate("$fd", "$avp(password)", "0")) {
diff --git a/modules/auth/auth_mod.c b/modules/auth/auth_mod.c
index f75530b..b30f6b8 100644
--- a/modules/auth/auth_mod.c
+++ b/modules/auth/auth_mod.c
@@ -97,6 +97,7 @@ char* sec_param = 0; /* If the parameter was not used, the secret phrase
int nonce_expire = 300; /* Nonce lifetime */
/*int auth_extra_checks = 0; -- in nonce.c */
int protect_contacts = 0; /* Do not include contacts in nonce by default */
+int force_stateless_reply = 0; /* Always send reply statelessly */
str secret1;
str secret2;
@@ -171,7 +172,7 @@ static param_export_t params[] = {
{"one_time_nonce" , PARAM_INT, &otn_enabled },
{"otn_in_flight_no", PARAM_INT, &otn_in_flight_no },
{"otn_in_flight_order", PARAM_INT, &otn_in_flight_k },
- {"nid_pool_no", PARAM_INT, &nid_pool_no },
+ {"force_stateless_reply", PARAM_INT, &force_stateless_reply },
{0, 0, 0}
};
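Review bot: in params[] the new entry replaces the {"nid_pool_no", PARAM_INT, &nid_pool_no } line instead of being added after it, so nid_pool_no is no longer exported as a module parameter. The commit message mentions only the addition of force_stateless_reply, so this looks unintended; keep the nid_pool_no line and add the force_stateless_reply entry below it.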
@@ -558,6 +559,8 @@ static int fixup_pv_auth(void **param, int param_no)
static int auth_send_reply(struct sip_msg *msg, int code, char *reason,
char *hdr, int hdr_len)
{
+ str reason_str;
+
/* Add new headers if there are any */
if ((hdr!=NULL) && (hdr_len>0)) {
if (add_lump_rpl(msg, hdr, hdr_len, LUMP_RPL_HDR)==0) {
@@ -566,7 +569,12 @@ static int auth_send_reply(struct sip_msg *msg, int code, char *reason,
}
}
- return slb.zreply(msg, code, reason);
+ reason_str.s = reason;
+ reason_str.len = strlen(reason);
+
+ return force_stateless_reply ?
+ slb.sreply(msg, code, &reason_str) :
+ slb.freply(msg, code, &reason_str);
}
/**
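Review bot: auth_send_reply() now calls strlen(reason) unconditionally, so a NULL reason is dereferenced here; whether any caller can pass NULL is not visible in this hunk. Either guard it before filling reason_str or note in a comment that callers always pass a non-NULL string. A one-line comment on the ternary saying that slb.freply() is the "stateful if a transaction exists, stateless otherwise" path would also make the default behaviour described in the commit message readable from the code.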
diff --git a/modules/auth/doc/functions.xml b/modules/auth/doc/functions.xml
index 90f4c93..b9816bc 100644
--- a/modules/auth/doc/functions.xml
+++ b/modules/auth/doc/functions.xml
@@ -42,7 +42,8 @@ if (www_authenticate("realm", "subscriber)) {
server is processing and send the reply. Upon reception of such a
reply the user agent should compute credentials and retry the
request. For more information regarding digest authentication
- see RFC2617.
+ see RFC2617. See module parameter force_stateless_reply
+ regarding sending of the reply.
</para>
<para>Meaning of the parameters is as follows:</para>
<itemizedlist>
@@ -109,7 +110,8 @@ if (!www_authenticate("$td", "subscriber")) {
put the header field into a response generated from the request the
server is processing and send the reply. Upon reception of such a
reply the user agent should compute credentials and retry the request.
- For more information regarding digest authentication see RFC2617.
+ For more information regarding digest authentication see RFC2617. See module parameter force_stateless_reply
+ regarding sending of the reply.
</para>
<para>Meaning of the parameters the same as for function
www_challenge(realm, flags)</para>
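Review bot: style point on the proxy_challenge paragraph: the added line "For more information ... See module parameter force_stateless_reply" is not wrapped like the rest of the file, and the continuation line is indented differently from the surrounding text. Wrap it the same way as the matching sentence in the www_challenge hunk above so the two paragraphs stay identical.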
diff --git a/modules/auth/doc/params.xml b/modules/auth/doc/params.xml
index ad84251..67c83bb 100644
--- a/modules/auth/doc/params.xml
+++ b/modules/auth/doc/params.xml
@@ -572,4 +572,23 @@ modparam("auth", "nonce_auth_max_drift", 1) # set max drift to 1 s
</programlisting>
</example>
</section>
+
+ <section id="force_stateless_reply">
+ <title><varname>force_stateless_reply</varname> (boolean)</title>
+ <para>
+ If set to 1, <function>www_challenge()</function> and
+ <function>proxy_challenge()</function>
+ functions send reply statelessly no matter if transaction
+ exists or not. If set to 0 (default), reply is sent statefully
+ if transaction exists and stelelessly otherwise.
+ </para>
+ <example>
+ <title>force_stateless_reply example</title>
+ <programlisting>
+...
+modparam("auth", "force_stateless_reply", 1)
+...
+ </programlisting>
+ </example>
+ </section>
</section>
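Review bot: same typo as in the README, in the new force_stateless_reply section: "stelelessly" should be "statelessly". The title says "(boolean)" while the parameter is exported as PARAM_INT in auth_mod.c, so the type label should be made consistent with that.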