[sr-dev] git:master: auth: new function auth_challenge()
Daniel-Constantin Mierla
miconda at gmail.com
Mon Nov 14 22:41:30 CET 2011
Module: sip-router
Branch: master
Commit: ef6bb4541687862f2f2cc09a5a784a7b7045672f
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=ef6bb4541687862f2f2cc09a5a784a7b7045672f
Author: Daniel-Constantin Mierla <miconda at gmail.com>
Committer: Daniel-Constantin Mierla <miconda at gmail.com>
Date: Mon Nov 14 22:39:24 2011 +0100
auth: new function auth_challenge()
- combines www_challenge() and proxy_challenge() by calling the first
for REGISTER and the second for the rest of request types
- it is useful to simplify the config file for default auth handling
---
modules/auth/README | 46 ++++++++++++++++++++++++++++-----------
modules/auth/auth_mod.c | 44 ++++++++++++++++++++++++++++++++++++++
modules/auth/doc/functions.xml | 29 ++++++++++++++++++++++++-
3 files changed, 105 insertions(+), 14 deletions(-)
diff --git a/modules/auth/README b/modules/auth/README
index 04d7594..a29bcf5 100644
--- a/modules/auth/README
+++ b/modules/auth/README
@@ -15,7 +15,7 @@ Daniel-Constantin Mierla
asipto.com
<miconda at gmail.com>
- Copyright © 2002, 2003 FhG FOKUS
+ Copyright © 2002, 2003 FhG FOKUS
__________________________________________________________________
1.1. Overview
@@ -43,8 +43,9 @@ Daniel-Constantin Mierla
1.4.1. consume_credentials()
1.4.2. www_challenge(realm, flags)
1.4.3. proxy_challenge(realm, flags)
- 1.4.4. pv_www_authenticate(realm, passwd, flags)
- 1.4.5. pv_proxy_authenticate(realm, passwd, flags)
+ 1.4.4. auth_challenge(realm, flags)
+ 1.4.5. pv_www_authenticate(realm, passwd, flags)
+ 1.4.6. pv_proxy_authenticate(realm, passwd, flags)
1.1. Overview
@@ -66,7 +67,7 @@ Daniel-Constantin Mierla
1.3. Parameters
-1.3.1. auth_checks_register, auth_checks_no_dlg, and auth_checks_in_dlg
+1.3.1. auth_checks_register, auth_checks_no_dlg, and auth_checks_in_dlg
(flags)
These three module parameters control which optional integrity checks
@@ -514,7 +515,7 @@ if (www_authenticate("realm", "subscriber)) {
};
...
-1.4.2. www_challenge(realm, flags)
+1.4.2. www_challenge(realm, flags)
The function challenges a user agent. It will generate a WWW-Authorize
header field containing a digest challenge, it will put the header
@@ -528,7 +529,7 @@ if (www_authenticate("realm", "subscriber)) {
* realm - Realm is a opaque string that the user agent should present
to the user so he can decide what username and password to use.
Usually this is domain of the host the server is running on.
- It must not be empty string ââ. In case of REGISTER requests To
+ It must not be empty string "". In case of REGISTER requests To
header field domain (e.g., variable $td) can be used (because this
header field represents the user being registered), for all other
messages From header field domain can be used (e.g., variable $fd).
@@ -550,7 +551,7 @@ if (!www_authenticate("$td", "subscriber")) {
}
...
-1.4.3. proxy_challenge(realm, flags)
+1.4.3. proxy_challenge(realm, flags)
The function challenges a user agent. It will generate a
Proxy-Authorize header field containing a digest challenge, it will put
@@ -567,12 +568,31 @@ if (!www_authenticate("$td", "subscriber")) {
Example 16. proxy_challenge usage
...
-if (!proxy_authenticate("$fd", "subscriber)) {
+if (!proxy_authenticate("$fd", "subscriber")) {
proxy_challenge("$fd", "1");
};
...
-1.4.4. pv_www_authenticate(realm, passwd, flags)
+1.4.4. auth_challenge(realm, flags)
+
+ The function challenges a user agent for authentication. It combines
+ the functions www_challenge() and proxy_challenge(), by calling
+ internally the first one for REGISTER requests and the second one for
+ the rest of the request types.
+
+ Meaning of the parameters the same as for function www_challenge(realm,
+ flags)
+
+ This function can be used from REQUEST_ROUTE.
+
+ Example 17. proxy_challenge usage
+...
+if (!auth_check("$fd", "subscriber", "1")) {
+ auth_challenge("$fd", "1");
+};
+...
+
+1.4.5. pv_www_authenticate(realm, passwd, flags)
The function verifies credentials according to RFC2617. If the
credentials are verified successfully then the function will succeed
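Review bot: The new Example 17 passes "$fd" as the realm for every request, but the www_challenge() text earlier in this README recommends the To domain ($td) for REGISTER and the From domain ($fd) for everything else. Since auth_challenge() takes the www_challenge() path for REGISTER, the section should say which realm to pass when one call serves both cases. The example title also still reads "proxy_challenge usage" and should be "auth_challenge usage", and "Meaning of the parameters the same as" is missing "is".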
@@ -596,7 +616,7 @@ if (!proxy_authenticate("$fd", "subscriber)) {
* realm - Realm is a opaque string that the user agent should present
to the user so he can decide what username and password to use.
Usually this is domain of the host the server is running on.
- It must not be empty string ââ. In case of REGISTER requests To
+ It must not be empty string "". In case of REGISTER requests To
header field domain (e.g., varibale $td) can be used (because this
header field represents a user being registered), for all other
messages From header field domain can be used (e.g., varibale $fd).
@@ -616,14 +636,14 @@ if (!proxy_authenticate("$fd", "subscriber)) {
This function can be used from REQUEST_ROUTE.
- Example 17. pv_www_authenticate usage
+ Example 18. pv_www_authenticate usage
...
if (!pv_www_authenticate("$td", "123abc", "0")) {
www_challenge("$td", "1");
};
...
-1.4.5. pv_proxy_authenticate(realm, passwd, flags)
+1.4.6. pv_proxy_authenticate(realm, passwd, flags)
The function verifies credentials according to RFC2617. If the
credentials are verified successfully then the function will succeed
@@ -638,7 +658,7 @@ if (!pv_www_authenticate("$td", "123abc", "0")) {
This function can be used from REQUEST_ROUTE.
- Example 18. pv_proxy_authenticate usage
+ Example 19. pv_proxy_authenticate usage
...
$avp(password)="xyz";
if (!pv_proxy_authenticate("$fd", "$avp(password)", "0")) {
diff --git a/modules/auth/auth_mod.c b/modules/auth/auth_mod.c
index a28c2ba..4dabc10 100644
--- a/modules/auth/auth_mod.c
+++ b/modules/auth/auth_mod.c
@@ -87,6 +87,7 @@ static int fixup_pv_auth(void **param, int param_no);
static int proxy_challenge(struct sip_msg *msg, char* realm, char *flags);
static int www_challenge(struct sip_msg *msg, char* realm, char *flags);
+static int w_auth_challenge(struct sip_msg *msg, char* realm, char *flags);
static int fixup_auth_challenge(void **param, int param_no);
@@ -138,6 +139,8 @@ static cmd_export_t cmds[] = {
fixup_auth_challenge, REQUEST_ROUTE},
{"proxy_challenge", (cmd_function)proxy_challenge, 2,
fixup_auth_challenge, REQUEST_ROUTE},
+ {"auth_challenge", (cmd_function)w_auth_challenge, 2,
+ fixup_auth_challenge, REQUEST_ROUTE},
{"pv_www_authorize", (cmd_function)pv_www_authenticate, 3,
fixup_pv_auth, REQUEST_ROUTE},
{"pv_www_authenticate", (cmd_function)pv_www_authenticate, 3,
@@ -750,6 +753,47 @@ error:
}
/**
+ *
+ */
+static int w_auth_challenge(struct sip_msg *msg, char* realm, char *flags)
+{
+ int vflags = 0;
+ str srealm = {0, 0};
+
+ if((msg->REQ_METHOD == METHOD_ACK) || (msg->REQ_METHOD == METHOD_CANCEL)) {
+ return 1;
+ }
+
+ if(get_str_fparam(&srealm, msg, (fparam_t*)realm) < 0) {
+ LM_ERR("failed to get realm value\n");
+ goto error;
+ }
+
+ if(srealm.len==0) {
+ LM_ERR("invalid realm value - empty content\n");
+ goto error;
+ }
+
+ if(get_int_fparam(&vflags, msg, (fparam_t*)flags) < 0) {
+ LM_ERR("invalid flags value\n");
+ goto error;
+ }
+
+ if(msg->REQ_METHOD==METHOD_REGISTER)
+ return auth_challenge(msg, &srealm, vflags, HDR_AUTHORIZATION_T);
+ else
+ return auth_challenge(msg, &srealm, vflags, HDR_PROXYAUTH_T);
+
+error:
+ if(!(vflags&4)) {
+ if(auth_send_reply(msg, 500, "Internal Server Error", 0, 0) <0 )
+ return -4;
+ }
+ return -1;
+}
+
+
+/**
* @brief fixup function for {www,proxy}_challenge
*/
static int fixup_auth_challenge(void **param, int param_no)
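Review bot: In w_auth_challenge() the error label tests vflags&4 before sending the 500 reply, but both realm failures jump to error before get_int_fparam() has filled vflags, so vflags is still 0 on those paths and the reply goes out even when the caller set that flag. Reading the flags parameter first and the realm second would make the check meaningful on every error path. The comment block above the function is empty; it should document the early "return 1" for ACK and CANCEL (no challenge is sent, yet the caller sees success) and the -4 return when auth_send_reply() fails. The @brief on fixup_auth_challenge() could list auth_challenge alongside {www,proxy}_challenge now that it shares the fixup.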
diff --git a/modules/auth/doc/functions.xml b/modules/auth/doc/functions.xml
index d328def..f094e44 100644
--- a/modules/auth/doc/functions.xml
+++ b/modules/auth/doc/functions.xml
@@ -126,7 +126,7 @@ if (!www_authenticate("$td", "subscriber")) {
<title>proxy_challenge usage</title>
<programlisting format="linespecific">
...
-if (!proxy_authenticate("$fd", "subscriber)) {
+if (!proxy_authenticate("$fd", "subscriber")) {
proxy_challenge("$fd", "1");
};
...
@@ -134,6 +134,33 @@ if (!proxy_authenticate("$fd", "subscriber)) {
</example>
</section>
+ <section id="auth_challenge">
+ <title>
+ <function moreinfo="none">auth_challenge(realm, flags)</function>
+ </title>
+ <para>
+ The function challenges a user agent for authentication. It combines
+ the functions www_challenge() and proxy_challenge(), by calling
+ internally the first one for REGISTER requests and the second one for
+ the rest of the request types.
+ </para>
+ <para>Meaning of the parameters the same as for function
+ www_challenge(realm, flags)</para>
+ <para>
+ This function can be used from REQUEST_ROUTE.
+ </para>
+ <example>
+ <title>proxy_challenge usage</title>
+ <programlisting format="linespecific">
+...
+if (!auth_check("$fd", "subscriber", "1")) {
+ auth_challenge("$fd", "1");
+};
+...
+</programlisting>
+ </example>
+ </section>
+
<section id="pv_www_authenticate">
<title>
<function moreinfo="none">pv_www_authenticate(realm, passwd, flags)</function>
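Review bot: The title of the example in the new auth_challenge section is "proxy_challenge usage", copied from the section above, while the listing calls auth_challenge(); it should read "auth_challenge usage" so the generated README example list is correct. The para "Meaning of the parameters the same as for function www_challenge(realm, flags)" needs "is" and a closing period, and could link to the www_challenge section instead of naming it in plain text.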