[sr-dev] git:master: modules/ims_auth: ims_www_challenge allows specification of auth algorithm from cfg

Jason Penton jason.penton at gmail.com
Wed Sep 3 22:34:49 CEST 2014


Module: sip-router
Branch: master
Commit: 33f054a793dc843959de356f0dc201e66d306583
URL:    http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=33f054a793dc843959de356f0dc201e66d306583

Author: Jason Penton <jason.penton at gmail.com>
Committer: Jason Penton <jason.penton at gmail.com>
Date:   Wed Sep  3 22:32:03 2014 +0200

modules/ims_auth: ims_www_challenge allows specification of auth algorithm from cfg
	- e.g. ims_www_challenge("REG_MAR_REPLY", "$td", "MD5");
	- useful for non-ims clients that do not do AKA

---

 modules/ims_auth/authims_mod.c          |    8 +++-
 modules/ims_auth/authorize.c            |   23 ++++++++--
 modules/ims_auth/doc/ims_auth_admin.xml |   68 +++++++++++++++++++++++++------
 3 files changed, 80 insertions(+), 19 deletions(-)

diff --git a/modules/ims_auth/authims_mod.c b/modules/ims_auth/authims_mod.c
index 716f75c..8d8afd1 100644
--- a/modules/ims_auth/authims_mod.c
+++ b/modules/ims_auth/authims_mod.c
@@ -113,6 +113,7 @@ int ignore_failed_auth = 0;
 static cmd_export_t cmds[] = {
     {"ims_www_authenticate", (cmd_function) www_authenticate, 1, auth_fixup, 0, REQUEST_ROUTE},
     {"ims_www_challenge", (cmd_function) www_challenge, 2, challenge_fixup_async, 0, REQUEST_ROUTE},
+    {"ims_www_challenge", (cmd_function) www_challenge, 3, challenge_fixup_async, 0, REQUEST_ROUTE},
     {"ims_www_resync_auth", (cmd_function) www_resync_auth, 2, challenge_fixup_async, 0, REQUEST_ROUTE},
     {"ims_proxy_authenticate", (cmd_function) proxy_authenticate, 1, auth_fixup, 0, REQUEST_ROUTE},
     {"ims_proxy_challenge", (cmd_function) proxy_challenge, 2, auth_fixup_async, 0, REQUEST_ROUTE},
@@ -262,7 +263,12 @@ static int challenge_fixup_async(void** param, int param_no) {
         return 0;
     } else if (param_no == 2) {
         if (fixup_var_str_12(param, 1) == -1) {
-            LM_ERR("Erroring doing fixup on challenge");
+            LM_ERR("Error doing fixup on challenge");
+            return -1;
+        }
+    } else if (param_no == 3) /* algorithm */ {
+	if (fixup_var_str_12(param, 1) == -1) {
+            LM_ERR("Error doing fixup on challenge");
             return -1;
         }
     }
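Review bot: The new `param_no == 3` branch is a verbatim copy of the `param_no == 2` branch, including its error text, so a failed fixup on the algorithm argument is logged as a failure "on challenge" and cannot be told apart from a realm failure; change it to `LM_ERR("Error doing fixup on algorithm\n");`, or collapse both into `else if (param_no == 2 || param_no == 3)` since the fixup call is identical. Neither new LM_ERR line ends with `\n`, unlike the LM_ERR/LM_DBG calls added in authorize.c in this same commit, so the two log lines will run together. The `if` on the line after the `/* algorithm */` comment is indented with a tab while the surrounding lines use four spaces. challenge_fixup_async starts before and continues past this hunk.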
diff --git a/modules/ims_auth/authorize.c b/modules/ims_auth/authorize.c
index c409b4a..bb93ffa 100644
--- a/modules/ims_auth/authorize.c
+++ b/modules/ims_auth/authorize.c
@@ -269,13 +269,13 @@ int proxy_authenticate(struct sip_msg* _m, char* _realm, char* _table) {
     return digest_authenticate(_m, &srealm, &stable, HDR_PROXYAUTH_T);
 }
  */
-int challenge(struct sip_msg* msg, char* str1, char* str2, int is_proxy_auth, char *route) {
+int challenge(struct sip_msg* msg, char* str1, char* alg, int is_proxy_auth, char *route) {
 
-    str realm = {0, 0};
+    str realm = {0, 0}, algo = {0,0};
     unsigned int aud_hash;
     str private_identity, public_identity, auts = {0, 0}, nonce = {0, 0};
     auth_vector *av = 0;
-    int algo_type;
+    int algo_type = 0;
     str route_name;
 
     saved_transaction_t* saved_t;
@@ -287,6 +287,15 @@ int challenge(struct sip_msg* msg, char* str1, char* str2, int is_proxy_auth, ch
         return -1;
     }
     
+    if (!alg) {
+	LM_DBG("no algorithm specified in cfg... using default\n");
+    } else {
+	if (get_str_fparam(&algo, msg, (fparam_t*) alg) < 0) {
+	    LM_ERR("failed to get auth algorithm\n");
+	    return -1;
+	}
+    }
+    
     LM_DBG("Looking for route block [%.*s]\n", route_name.len, route_name.s);
     int ri = route_get(&main_rt, route_name.s);
     if (ri < 0) {
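Review bot: The new `if (!alg) ... else` block indents its body with tabs while the rest of challenge() uses four spaces, and the `else` branch only wraps a single guard; `if (alg && get_str_fparam(&algo, msg, (fparam_t*) alg) < 0) { LM_ERR(...); return -1; }` with the "using default" LM_DBG in an else reads the same and matches the file's style. Because `algo` is resolved per request through get_str_fparam, a cfg that passes a pseudo-variable populated from the incoming request would let an as-yet unauthenticated client pick the challenge algorithm (the commit's own example uses a literal, which is the safe form); a short comment here, e.g. `/* alg is trusted cfg input: a literal or a variable set by the script, not request-derived */`, would record that expectation. The enclosing function challenge() starts before and continues past this hunk.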
@@ -343,8 +352,12 @@ int challenge(struct sip_msg* msg, char* str1, char* str2, int is_proxy_auth, ch
         return CSCF_RETURN_BREAK;
     }
 
-    algo_type = registration_default_algorithm_type;
-
+    if (algo.len > 0) {
+	algo_type = get_algorithm_type(algo);
+    } else {
+	algo_type = registration_default_algorithm_type;
+    }
+    
 //    /* check if it is a synchronization request */
 //    //TODO this is MAR syncing - have removed it currently - TOD maybe put back in
 //    auts = ims_get_auts(msg, realm, is_proxy_auth);
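Review bot: `algo_type = get_algorithm_type(algo);` is assigned without checking the result, so an algorithm name outside the set the documentation lists (AKAv1-MD5, AKAv2-MD5, MD5, HSS-Selected) is passed on silently as whatever get_algorithm_type returns for unknown input; that helper is outside this hunk, but if it reports an unrecognised name with a sentinel value the lookup should be followed by something like `if (algo_type is the unknown sentinel) { LM_ERR("unknown auth algorithm [%.*s]\n", algo.len, algo.s); return -1; }` rather than continuing with a possibly wrong challenge type. Falling back to `registration_default_algorithm_type` in that case would also be defensible, but either choice should be explicit and logged. The enclosing function challenge() continues past this hunk.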
diff --git a/modules/ims_auth/doc/ims_auth_admin.xml b/modules/ims_auth/doc/ims_auth_admin.xml
index ca57bd3..d5a1e0f 100644
--- a/modules/ims_auth/doc/ims_auth_admin.xml
+++ b/modules/ims_auth/doc/ims_auth_admin.xml
@@ -422,17 +422,17 @@ if (!www_authorize("kamailio.org", "subscriber")) {
     </section>
 
     <section>
-      <title><function moreinfo="none">ims_www_authenticate(realm,
-      table)</function></title>
+      <title><function
+      moreinfo="none">ims_www_authenticate(realm)</function></title>
 
-      <para>It is same function as www_authenticate(realm, table). This name
-      is kept for backward compatibility, since it was named this way first
-      time by it actually does user authentication.</para>
+      <para>It is the same function as www_authenticate(realm, table). This
+      name is kept for backward compatibility, since it was named this way
+      first time by it actually does user authentication.</para>
     </section>
 
     <section>
-      <title><function moreinfo="none">ims_www_challenge(route_block, realm,
-      table)</function></title>
+      <title><function moreinfo="none">ims_www_challenge(route_block,
+      realm)</function></title>
 
       <para>Name alias: proxy_authorize(realm, table)</para>
 
@@ -471,17 +471,12 @@ if (!www_authorize("kamailio.org", "subscriber")) {
 
           <para>The string may contain pseudo variables.</para>
         </listitem>
-
-        <listitem>
-          <para><emphasis>table</emphasis> - Table to be used to lookup
-          usernames and passwords (usually subscribers table).</para>
-        </listitem>
       </itemizedlist>
 
       <para>This function can be used from REQUEST_ROUTE.</para>
 
       <example>
-        <title>proxy_authorize usage</title>
+        <title>ims_www_challenge usage</title>
 
         <programlisting format="linespecific">
 ...
@@ -518,6 +513,53 @@ route[REG_MAR_REPLY]
     </section>
 
     <section>
+      <title><function moreinfo="none">ims_www_challenge(route_block, realm,
+      algorithm)</function></title>
+
+      <para>Same as 4.3 except here there is the addiional option to specify
+      the authorisation algorithm</para>
+
+      <itemizedlist>
+        <listitem>
+          <para><emphasis>algorithm</emphasis> - The algorithm to be used when
+          challenging the client. Can be AKAv1-MD5, AKAv2-MD5, MD5, or
+          HSS-Selected. If left as an empty string, the default algorithm will
+          be chosen according to the parameter registration_default_algorithm
+          (see section 3.7)</para>
+        </listitem>
+      </itemizedlist>
+
+      <para>This function can be used from REQUEST_ROUTE.</para>
+
+      <example>
+        <title>ims_www_challenge usage</title>
+
+        <programlisting format="linespecific">
+...
+ if (!ims_www_authenticate(NETWORKNAME)) {
+                #user has not been authenticated. Lets send a challenge via 401 Unauthorized
+                if ($? == -2) {
+                        t_reply("403", "Authentication Failed");
+                        exit;
+                } else if ($? == -3) {
+                        t_reply("400", "Bad Request");
+                        exit;
+                } else if ($? == -9) {
+                        xlog("L_DBG", "Authentication re-sync requested\n");
+                        ims_www_resync_auth("REG_RESYNC_REPLY", "$td");
+                        exit;
+                } else {
+                        xlog("L_DBG","About to challenge! auth_ims\n"); 
+                        ims_www_challenge("REG_MAR_REPLY", "$td", "MD5");
+                        exit;
+                }
+        }
+
+</programlisting>
+      </example>
+    </section>
+
+    <section>
       <title><function moreinfo="none">ims_proxy_challenge(route_block, realm,
       table)</function></title>
 



