
auth(k): module removed

- use modules/auth instead of this one
Daniel-Constantin Mierla 15 years ago
Commit
b12e4cb9a1

+ 0 - 17
modules_k/auth/Makefile

@@ -1,17 +0,0 @@
-# $Id$
-#
-# auth example module makefile
-#
-# 
-# WARNING: do not run this directly, it should be run by the master Makefile
-
-include ../../Makefile.defs
-auto_gen=
-NAME=auth.so
-LIBS=
-
-DEFS+=-DOPENSER_MOD_INTERFACE
-
-SERLIBPATH=../../lib
-SER_LIBS+=$(SERLIBPATH)/kcore/kcore
-include ../../Makefile.modules
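Review bot: Removing modules_k/auth/Makefile is only safe if nothing else still lists this directory; the file itself says it is driven by the top-level build (`WARNING: do not run this directly, it should be run by the master Makefile`), so the module lists or groups in the master Makefile that name `modules_k/auth`, and any packaging spec that ships `auth.so` from modules_k, need to be updated in the same change, otherwise building the modules_k group fails on a missing directory.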

+ 0 - 432
modules_k/auth/README

@@ -1,432 +0,0 @@
-Auth Module
-
-Jan Janak
-
-   FhG Fokus
-   <[email protected]>
-
-Juha Heinanen
-
-   Song Networks
-   <[email protected]>
-
-Bogdan-Andrei Iancu
-
-   voice-system.ro
-   <[email protected]>
-
-Daniel-Constantin Mierla
-
-   <[email protected]>
-
-Edited by
-
-Jan Janak
-
-   <[email protected]>
-
-   Copyright © 2002, 2003 FhG FOKUS
-
-   Copyright © 2005 voice-system.ro
-   Revision History
-   Revision $Revision$ $Date$
-     __________________________________________________________________
-
-   Table of Contents
-
-   1. Admin Guide
-
-        1. Overview
-        2. Nonce Security
-        3. Dependencies
-
-              3.1. Kamailio Modules
-              3.2. External Libraries or Applications
-
-        4. Exported Parameters
-
-              4.1. secret (string)
-              4.2. nonce_expire (integer)
-              4.3. realm_prefix (string)
-              4.4. username_spec (string)
-              4.5. password_spec (string)
-              4.6. calculate_ha1 (integer)
-              4.7. nonce_reuse (integer)
-
-        5. Exported Functions
-
-              5.1. www_challenge(realm, qop)
-              5.2. proxy_challenge(realm, qop)
-              5.3. consume_credentials()
-              5.4. pv_www_authorize(realm)
-              5.5. pv_proxy_authorize(realm)
-
-   List of Examples
-
-   1.1. secret parameter example
-   1.2. nonce_expire parameter example
-   1.3. realm_prefix parameter example
-   1.4. username_spec parameter usage
-   1.5. password_spec parameter usage
-   1.6. calculate_ha1 parameter usage
-   1.7. nonce_reuse parameter usage
-   1.8. www_challenge usage
-   1.9. proxy_challenge usage
-   1.10. consume_credentials example
-   1.11. pv_www_authorize usage
-   1.12. pv_proxy_authorize usage
-
-Chapter 1. Admin Guide
-
-   Table of Contents
-
-   1. Overview
-   2. Nonce Security
-   3. Dependencies
-
-        3.1. Kamailio Modules
-        3.2. External Libraries or Applications
-
-   4. Exported Parameters
-
-        4.1. secret (string)
-        4.2. nonce_expire (integer)
-        4.3. realm_prefix (string)
-        4.4. username_spec (string)
-        4.5. password_spec (string)
-        4.6. calculate_ha1 (integer)
-        4.7. nonce_reuse (integer)
-
-   5. Exported Functions
-
-        5.1. www_challenge(realm, qop)
-        5.2. proxy_challenge(realm, qop)
-        5.3. consume_credentials()
-        5.4. pv_www_authorize(realm)
-        5.5. pv_proxy_authorize(realm)
-
-1. Overview
-
-   This is a module that provides common functions that are needed by
-   other authentication related modules. Also, it can perform
-   authentication taking username and password from pseudo-variables.
-
-2. Nonce Security
-
-   The authentication mechanism offers protection against sniffing
-   intrusion. The module generates and verifies the nonces so that they
-   can be used only once (in an auth response). This is done by having a
-   lifetime value and an index associated with every nonce. Using only an
-   expiration value is not good enough because,as this value has to be of
-   few tens of seconds, it is possible for someone to sniff on the
-   network, get the credentials and then reuse them in another packet with
-   which to register a different contact or make calls using the others's
-   account. The index ensures that this will never be possible since it is
-   generated as unique through the lifetime of the nonce.
-
-   The default limit for the requests that can be authenticated is 100000
-   in 30 seconds. If you wish to adjust this you can decrease the lifetime
-   of a nonce( how much time to wait for a reply to a challenge). However,
-   be aware not to set it to a too small value.
-
-3. Dependencies
-
-   3.1. Kamailio Modules
-   3.2. External Libraries or Applications
-
-3.1. Kamailio Modules
-
-   The module depends on the following modules (in the other words the
-   listed modules must be loaded before this module):
-     * sl -- Stateless replies
-       pv -- Pseudo-variables
-
-3.2. External Libraries or Applications
-
-   The following libraries or applications must be installed before
-   running Kamailio with this module loaded:
-     * none
-
-4. Exported Parameters
-
-   4.1. secret (string)
-   4.2. nonce_expire (integer)
-   4.3. realm_prefix (string)
-   4.4. username_spec (string)
-   4.5. password_spec (string)
-   4.6. calculate_ha1 (integer)
-   4.7. nonce_reuse (integer)
-
-4.1. secret (string)
-
-   Secret phrase used to calculate the nonce value.
-
-   The default is to use a random value generated from the random source
-   in the core.
-
-   If you use multiple servers in your installation, and would like to
-   authenticate on the second server against the nonce generated at the
-   first one its necessary to explicitly set the secret to the same value
-   on all servers. However, the use of a shared (and fixed) secret as
-   nonce is insecure, much better is to stay with the default. Any clients
-   should send the reply to the server that issued the request.
-
-   Example 1.1. secret parameter example
-modparam("auth", "secret", "johndoessecretphrase")
-
-4.2. nonce_expire (integer)
-
-   Nonces have limited lifetime. After a given period of time nonces will
-   be considered invalid. This is to protect replay attacks. Credentials
-   containing a stale nonce will be not authorized, but the user agent
-   will be challenged again. This time the challenge will contain stale
-   parameter which will indicate to the client that it doesn't have to
-   disturb user by asking for username and password, it can recalculate
-   credentials using existing username and password.
-
-   The value is in seconds and default value is 30 seconds.
-
-   Example 1.2. nonce_expire parameter example
-modparam("auth", "nonce_expire", 15)   # Set nonce_expire to 15s
-
-4.3. realm_prefix (string)
-
-   Prefix to be automatically strip from realm. As an alternative to SRV
-   records (not all SIP clients support SRV lookup), a subdomain of the
-   master domain can be defined for SIP purposes (like sip.mydomain.net
-   pointing to same IP address as the SRV record for mydomain.net). By
-   ignoring the realm_prefix “sip.”, at authentication, sip.mydomain.net
-   will be equivalent to mydomain.net .
-
-   Default value is empty string.
-
-   Example 1.3. realm_prefix parameter example
-modparam("auth", "realm_prefix", "sip.")
-
-4.4. username_spec (string)
-
-   This name of the pseudo-variable that will hold the username.
-
-   Default value is “NULL”.
-
-   Example 1.4. username_spec parameter usage
-modparam("auth", "username_spec", "$var(username)")
-
-4.5. password_spec (string)
-
-   This name of the pseudo-variable that will hold the password.
-
-   Default value is “NULL”.
-
-   Example 1.5. password_spec parameter usage
-modparam("auth", "password_spec", "$avp(s:password)")
-
-4.6. calculate_ha1 (integer)
-
-   This parameter tells the server whether it should expect plaintext
-   passwords in the pseudo-variable or a pre-calculated HA1 string.
-
-   If the parameter is set to 1 then the server will assume that the
-   “password_spec” pseudo-variable contains plaintext passwords and it
-   will calculate HA1 strings on the fly. If the parameter is set to 0
-   then the server assumes the pseudo-variable contains the HA1 strings
-   directly and will not calculate them.
-
-   Default value of this parameter is 0.
-
-   Example 1.6. calculate_ha1 parameter usage
-modparam("auth", "calculate_ha1", 1)
-
-4.7. nonce_reuse (integer)
-
-   Since version 1.4.0, the module checks if the nonce value is re-used,
-   enhancing security protection against reply and man in the middle
-   attacks. This check is done by default.
-
-   If the parameter is set to 1 then the nonce reuse checking is disabled,
-   offering compatibility with previous behavior. Not recommended though,
-   this functionality is still good in some scenarios, specially when
-   registration time is very low to deal with NAT traversal.
-
-   Default value of this parameter is 0 (protect against nonce reuse).
-
-   Example 1.7. nonce_reuse parameter usage
-modparam("auth", "nonce_reuse", 1)
-
-5. Exported Functions
-
-   5.1. www_challenge(realm, qop)
-   5.2. proxy_challenge(realm, qop)
-   5.3. consume_credentials()
-   5.4. pv_www_authorize(realm)
-   5.5. pv_proxy_authorize(realm)
-
-5.1.  www_challenge(realm, qop)
-
-   The function challenges a user agent. It will generate a WWW-Authorize
-   header field containing a digest challenge, it will put the header
-   field into a response generated from the request the server is
-   processing and send the reply. Upon reception of such a reply the user
-   agent should compute credentials and retry the request. For more
-   information regarding digest authentication see RFC2617.
-
-   In case the reply cannot be sent, this method returns "-1"; in case a
-   reply was sent, it just terminates further script processing.
-
-   Meaning of the parameters is as follows:
-     * realm - Realm is a opaque string that the user agent should present
-       to the user so he can decide what username and password to use.
-       Usually this is domain of the host the server is running on.
-       If an empty string “” is used then the server will generate it from
-       the request. In case of REGISTER requests To header field domain
-       will be used (because this header field represents a user being
-       registered), for all other messages From header field domain will
-       be used.
-       The string may contain pseudo variables.
-     * qop - Value of this parameter can be either “1” or “0”. When set to
-       1 then the server will put a qop parameter in the challenge. When
-       set to 0 then the server will not put the qop parameter in the
-       challenge. It is recommended to use the qop parameter, however
-       there are still some user agents that cannot handle qop properly so
-       we made this optional. On the other hand there are still some user
-       agents that cannot handle request without a qop parameter too.
-       Enabling this parameter don't improve the security at the moment,
-       because the sequence number is not stored and therefore could not
-       be checked. Actually there is no information kept by the module
-       during the challenge and response requests.
-
-   This function can be used from REQUEST_ROUTE.
-
-   Example 1.8. www_challenge usage
-...
-if (!www_authorize("siphub.net", "subscriber")) {
-        www_challenge("siphub.net", "1");
-};
-...
-
-5.2.  proxy_challenge(realm, qop)
-
-   The function challenges a user agent. It will generate a
-   Proxy-Authorize header field containing a digest challenge, it will put
-   the header field into a response generated from the request the server
-   is processing and send the reply. Upon reception of such a reply the
-   user agent should compute credentials and retry the request. For more
-   information regarding digest authentication see RFC2617.
-
-   In case the reply cannot be sent, this method returns "-1"; in case a
-   reply was sent, it just terminates further script processing.
-
-   Meaning of the parameters is as follows:
-     * realm - Realm is a opaque string that the user agent should present
-       to the user so he can decide what username and password to use.
-       Usually this is domain of the host the server is running on.
-       If an empty string “” is used then the server will generate it from
-       the request. From header field domain will be used as realm.
-       The string may contain pseudo variables.
-     * qop - Value of this parameter can be either “1” or “0”. When set to
-       1 then the server will put a qop parameter in the challenge. When
-       set to 0 then the server will not put the qop parameter in the
-       challenge. It is recommended to use the qop parameter, however
-       there are still some user agents that cannot handle qop properly so
-       we made this optional. On the other hand there are still some user
-       agents that cannot handle request without a qop parameter too.
-       Enabling this parameter don't improve the security at the moment,
-       because the sequence number is not stored and therefore could not
-       be checked. Actually there is no information kept by the module
-       during the challenge and response requests.
-
-   This function can be used from REQUEST_ROUTE.
-
-   Example 1.9. proxy_challenge usage
-...
-if (!proxy_authorize("", "subscriber)) {
-        proxy_challenge("", "1");  # Realm will be autogenerated
-};
-...
-
-5.3.  consume_credentials()
-
-   This function removes previously authorized credentials from the
-   message being processed by the server. That means that the downstream
-   message will not contain credentials there were used by this server.
-   This ensures that the proxy will not reveal information about
-   credentials used to downstream elements and also the message will be a
-   little bit shorter. The function must be called after www_authorize or
-   proxy_authorize.
-
-   This function can be used from REQUEST_ROUTE.
-
-   Example 1.10. consume_credentials example
-...
-if (www_authorize("", "subscriber)) {
-    consume_credentials();
-};
-...
-
-5.4.  pv_www_authorize(realm)
-
-   The function verifies credentials according to RFC2617. If the
-   credentials are verified successfully then the function will succeed
-   and mark the credentials as authorized (marked credentials can be later
-   used by some other functions). If the function was unable to verify the
-   credentials for some reason then it will fail and the script should
-   call www_challenge which will challenge the user again.
-
-   Negative codes may be interpreted as follows:
-     * -5 (generic error) - some generic error occurred and no reply was
-       sent out;
-     * -4 (no credentials) - credentials were not found in request;
-     * -3 (stale nonce) - stale nonce;
-     * -2 (invalid password) - valid user, but wrong password;
-     * -1 (invalid user) - authentication user does not exist.
-
-   Meaning of the parameters is as follows:
-     * realm - Realm is a opaque string that the user agent should present
-       to the user so he can decide what username and password to use.
-       Usually this is domain of the host the server is running on.
-       If an empty string “” is used then the server will generate it from
-       the request. In case of REGISTER requests To header field domain
-       will be used (because this header field represents a user being
-       registered), for all other messages From header field domain will
-       be used.
-       The string may contain pseudo variables.
-
-   This function can be used from REQUEST_ROUTE.
-
-   Example 1.11. pv_www_authorize usage
-...
-$var(username)="abc";
-$avp(s:password)="xyz";
-if (!pv_www_authorize("kamailio.org")) {
-        www_challenge("kamailio.org", "1");
-};
-...
-
-5.5.  pv_proxy_authorize(realm)
-
-   The function verifies credentials according to RFC2617. If the
-   credentials are verified successfully then the function will succeed
-   and mark the credentials as authorized (marked credentials can be later
-   used by some other functions). If the function was unable to verify the
-   credentials for some reason then it will fail and the script should
-   call proxy_challenge which will challenge the user again. For more
-   about the negative return codes, see the above function.
-
-   Meaning of the parameters is as follows:
-     * realm - Realm is a opaque string that the user agent should present
-       to the user so he can decide what username and password to use.
-       Usually this is domain of the host the server is running on.
-       If an empty string “” is used then the server will generate it from
-       the request. From header field domain will be used as realm.
-       The string may contain pseudo variables.
-
-   This function can be used from REQUEST_ROUTE.
-
-   Example 1.12. pv_proxy_authorize usage
-...
-$var(username)="abc";
-$avp(s:password)="xyz";
-if (!pv_proxy_authorize("")) {
-        proxy_challenge("", "1");  # Realm will be autogenerated
-};
-...
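Review bot: Deleting the README drops the only documentation of this module's parameters and functions (`secret`, `nonce_expire`, `realm_prefix`, `username_spec`, `password_spec`, `calculate_ha1`, `nonce_reuse`, `pv_www_authorize`, `pv_proxy_authorize`) without saying what they map to; since the commit message points operators to modules/auth, a short migration note (in the commit message, the ChangeLog or the modules/auth README) naming the replacement parameter for each, or stating that one has no equivalent, would keep existing `modparam("auth", ...)` configurations from failing at startup with no guidance. Sections 2 and 4.7 also document a security property operators rely on (a per-nonce index so each nonce is accepted once, enabled by default with `nonce_reuse` = 0); the note should say whether the replacement module gives the same single-use guarantee.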

+ 0 - 272
modules_k/auth/api.c

@@ -1,272 +0,0 @@
-/*
- * $Id$
- *
- * Copyright (C) 2001-2003 FhG Fokus
- *
- * This file is part of Kamailio, a free SIP server.
- *
- * Kamailio is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version
- *
- * Kamailio is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License 
- * along with this program; if not, write to the Free Software 
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
- */
-
-/*!
- * \file
- * \brief Digest Authentication Module, API exports
- * \ingroup auth
- * - Module: \ref auth
- */
-
-#include <string.h>
-#include "../../dprint.h"
-#include "../../parser/digest/digest.h"
-#include "../../sr_module.h"
-#include "../../str.h"
-#include "../../ut.h"
-#include "auth_mod.h"
-#include "nonce.h"
-#include "common.h"
-#include "api.h"
-#include "index.h"
-
-static str auth_400_err = str_init(MESSAGE_400);
-static str auth_500_err = str_init(MESSAGE_500);
-
-
-/*!
- * \brief Strip the beginning of a realm string
- *
- * Strip the beginning of a realm string, depending on the length of
- * the realm_prefix.
- * \param _realm realm string
- */
-void strip_realm(str* _realm)
-{
-	/* no param defined -- return */
-	if (!realm_prefix.len) return;
-
-	/* prefix longer than realm -- return */
-	if (realm_prefix.len > _realm->len) return;
-
-	/* match ? -- if so, shorten realm -*/
-	if (memcmp(realm_prefix.s, _realm->s, realm_prefix.len) == 0) {
-		_realm->s += realm_prefix.len;
-		_realm->len -= realm_prefix.len;
-	}
-	return;
-}
-
-
-/*!
- * \brief Find credentials with given realm, check if we need to authenticate
- *
- * The purpose of this function is to find credentials with given realm,
- * do sanity check, validate credential correctness and determine if
- * we should really authenticate (there must be no authentication for
- * ACK and CANCEL.
- * \param _m SIP message
- * \param _realm authentification realm
- * \param _hftype header field type
- * \param _h header field
- * \return authentification result
- */
-auth_result_t pre_auth(struct sip_msg* _m, str* _realm, hdr_types_t _hftype,
-													struct hdr_field** _h)
-{
-	int ret;
-	auth_body_t* c;
-	struct sip_uri *uri;
-
-	/* ACK and CANCEL must be always authorized, there is
-	 * no way how to challenge ACK and CANCEL cannot be
-	 * challenged because it must have the same CSeq as
-	 * the request to be canceled
-	 */
-
-	if ((_m->REQ_METHOD == METHOD_ACK) ||  (_m->REQ_METHOD == METHOD_CANCEL))
-		return AUTHORIZED;
-
-	if (_realm->len == 0) {
-		if (get_realm(_m, _hftype, &uri) < 0) {
-			LM_ERR("failed to extract realm\n");
-			if (send_resp(_m, 400, &auth_400_err, 0, 0) == -1) {
-				LM_ERR("failed to send 400 reply\n");
-			}
-			return ERROR;
-		}
-		
-		*_realm = uri->host;
-		strip_realm(_realm);
-	}
-
-	/* Try to find credentials with corresponding realm
-	 * in the message, parse them and return pointer to
-	 * parsed structure
-	 */
-	ret = find_credentials(_m, _realm, _hftype, _h);
-	if (ret < 0) {
-		LM_ERR("failed to find credentials\n");
-		if (send_resp(_m, (ret == -2) ? 500 : 400, 
-			      (ret == -2) ? &auth_500_err : &auth_400_err, 0, 0) == -1) {
-			LM_ERR("failed to send 400 reply\n");
-		}
-		return ERROR;
-	} else if (ret > 0) {
-		LM_DBG("credentials with given realm not found\n");
-		return NO_CREDENTIALS;
-	}
-
-	/* Pointer to the parsed credentials */
-	c = (auth_body_t*)((*_h)->parsed);
-
-	/* Check credentials correctness here */
-	if (check_dig_cred(&(c->digest)) != E_DIG_OK) {
-		LM_ERR("received credentials are not filled properly\n");
-		if (send_resp(_m, 400, &auth_400_err, 0, 0) == -1) {
-			LM_ERR("failed to send 400 reply\n");
-		}
-		return ERROR;
-	}
-
-	if (mark_authorized_cred(_m, *_h) < 0) {
-		LM_ERR("failed to mark parsed credentials\n");
-		if (send_resp(_m, 500, &auth_400_err, 0, 0) == -1) {
-			LM_ERR("failed to send 400 reply\n");
-		}
-		return ERROR;
-	}
-
-	if (check_nonce(&c->digest.nonce, &secret) != 0) {
-		LM_DBG("invalid nonce value received\n");
-		c->stale = 1;
-		return STALE_NONCE;
-	}
-
-	return DO_AUTHORIZATION;
-}
-
-
-/*!
- * \brief Do post authentification steps
- *
- * The purpose of this function is to do post authentication steps like
- * marking authorized credentials and so on.
- * \param _m SIP message
- * \param _h header field
- * \return authentification result
- */
-auth_result_t post_auth(struct sip_msg* _m, struct hdr_field* _h)
-{
-	auth_body_t* c;
-	int index = 0;
-
-	c = (auth_body_t*)((_h)->parsed);
-
-	if ((_m->REQ_METHOD == METHOD_ACK) ||
-		(_m->REQ_METHOD == METHOD_CANCEL))
-		return AUTHORIZED;
-
-	if (is_nonce_stale(&c->digest.nonce)) {
-		LM_DBG("response is OK, but nonce is stale\n");
-		c->stale = 1;
-		return STALE_NONCE;
-	} else {
-		if(nonce_reuse==0)
-		{
-			/* Verify if it is the first time this nonce is received */
-			index= get_nonce_index(&c->digest.nonce);
-			if(index== -1)
-			{
-				LM_ERR("failed to extract nonce index\n");
-				return ERROR;
-			}
-			LM_DBG("nonce index= %d\n", index);
-
-			if(!is_nonce_index_valid(index))
-			{
-				LM_DBG("nonce index not valid\n");
-				return NONCE_REUSED;
-			}
-		}
-	}
-	return AUTHORIZED;
-}
-
-
-/*!
- * \brief Calculate the response and compare with given response
- *
- * Calculate the response and compare with the given response string.
- * Authorization is successful if this two strings are same.
- * \param _cred digest credentials
- * \param _method method from the request
- * \param _ha1 HA1 value
- * \return 0 if comparison was ok, 1 when length not match, 2 when comparison not ok
- */
-int check_response(dig_cred_t* _cred, str* _method, char* _ha1)
-{
-	HASHHEX resp, hent;
-
-	/*
-	 * First, we have to verify that the response received has
-	 * the same length as responses created by us
-	 */
-	if (_cred->response.len != 32) {
-		LM_DBG("receive response len != 32\n");
-		return 1;
-	}
-
-	/*
-	 * Now, calculate our response from parameters received
-	 * from the user agent
-	 */
-	calc_response(_ha1, &(_cred->nonce),
-		&(_cred->nc), &(_cred->cnonce),
-		&(_cred->qop.qop_str), _cred->qop.qop_parsed == QOP_AUTHINT,
-		_method, &(_cred->uri), hent, resp);
-	
-	LM_DBG("our result = \'%s\'\n", resp);
-	
-	/*
-	 * And simply compare the strings, the user is
-	 * authorized if they match
-	 */
-	if (!memcmp(resp, _cred->response.s, 32)) {
-		LM_DBG("authorization is OK\n");
-		return 0;
-	} else {
-		LM_DBG("authorization failed\n");
-		return 2;
-	}
-}
-
-
-/*!
- * \brief Bind function for the auth API
- * \param api binded API
- * \return 0 on success, -1 on failure
- */
-int bind_auth_k(auth_api_k_t* api)
-{
-	if (!api) {
-		LM_ERR("invalid parameter value\n");
-		return -1;
-	}
-
-	api->pre_auth = pre_auth;
-	api->post_auth = post_auth;
-	api->calc_HA1 = calc_HA1;
-	api->check_response = check_response;
-
-	return 0;
-}
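Review bot: Any module that binds this API through bind_auth_k (filling an auth_api_k_t with pre_auth, post_auth, calc_HA1 and check_response) has to be repointed at the modules/auth API in the same change, or it will fail to bind at startup; this commit touches only modules_k/auth. Two things not to carry over if pre_auth is ported: the mark_authorized_cred failure path sends a 500 with the 400 reason text (`send_resp(_m, 500, &auth_400_err, 0, 0)`) and then logs `failed to send 400 reply`, and the find_credentials path logs that same fixed text even when it chose 500; the reason phrase and the log message should match the status actually sent.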

+ 0 - 186
modules_k/auth/api.h

@@ -1,186 +0,0 @@
-/*
- * $Id$
- *
- * Copyright (C) 2001-2003 FhG Fokus
- *
- * This file is part of Kamailio, a free SIP server.
- *
- * Kamailio is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version
- *
- * Kamailio is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License 
- * along with this program; if not, write to the Free Software 
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
- */
-
-/*!
- * \file
- * \brief Digest Authentication Module, API exports
- * \ingroup auth
- * - Module: \ref auth
- */
-
-#ifndef AUTH_API_H
-#define AUTH_API_H
-
-
-#include "../../parser/digest/digest.h"
-#include "../../parser/msg_parser.h"
-#include "../../parser/hf.h"
-#include "../../str.h"
-#include "../../usr_avp.h"
-#include "rfc2617.h"
-
-
-typedef enum auth_result {
-	NONCE_REUSED = -6,  /*!< Returned if nonce is used more than once */
-	AUTH_ERROR,         /*!< Error occurred, a reply has not been sent out */
-	NO_CREDENTIALS,     /*!< Credentials missing */
-	STALE_NONCE,        /*!< Stale nonce */
-	INVALID_PASSWORD,   /*!< Invalid password */
-	USER_UNKNOWN,       /*!< User non existant */
-	ERROR,              /*!< Error occurred, a reply has been sent out,
-	                        return 0 to the openser core */
-	AUTHORIZED,         /*!< Authorized. If returned by pre_auth,
-	                         no digest authorization necessary */
-	DO_AUTHORIZATION,   /*!< Can only be returned by pre_auth. */
-	                    /*!< Means to continue doing authorization */
-} auth_result_t;
-
-
-/*!
- * \brief Find credentials with given realm, check if we need to authenticate
- *
- * The purpose of this function is to find credentials with given realm,
- * do sanity check, validate credential correctness and determine if
- * we should really authenticate (there must be no authentication for
- * ACK and CANCEL
- * \param _m SIP message
- * \param _realm authentification realm
- * \param _hftype header field type
- * \param _h header field
- * \return authentification result
- */
-typedef auth_result_t (*pre_auth_t)(struct sip_msg* _m, str* _realm,
-		hdr_types_t _hftype, struct hdr_field** _h);
-
-
-/*!
- * \brief Find credentials with given realm, check if we need to authenticate
- *
- * The purpose of this function is to find credentials with given realm,
- * do sanity check, validate credential correctness and determine if
- * we should really authenticate (there must be no authentication for
- * ACK and CANCEL
- * \param _m SIP message
- * \param _realm authentification realm
- * \param _hftype header field type
- * \param _h header field
- * \return authentification result
- */
-auth_result_t pre_auth(struct sip_msg* _m, str* _realm,
-		hdr_types_t _hftype, struct hdr_field** _h);
-
-
-/*!
- * \brief Do post authentification steps
- *
- * The purpose of this function is to do post authentication steps like
- * marking authorized credentials and so on.
- * \param _m SIP message
- * \param _h header field
- * \return authentification result
- */
-typedef auth_result_t (*post_auth_t)(struct sip_msg* _m, struct hdr_field* _h);
-
-
-/*!
- * \brief Do post authentification steps
- *
- * The purpose of this function is to do post authentication steps like
- * marking authorized credentials and so on.
- * \param _m SIP message
- * \param _h header field
- * \return authentification result
- */
-auth_result_t post_auth(struct sip_msg* _m, struct hdr_field* _h);
-
-
-/*!
- * \brief Calculate the response and compare with given response
- *
- * Calculate the response and compare with the given response string.
- * Authorization is successful if this two strings are same.
- * \param _cred digest credentials
- * \param _method method from the request
- * \param _ha1 HA1 value
- * \return 0 if comparison was ok, 1 when length not match, 2 when comparison not ok
- */
-typedef int (*check_response_t)(dig_cred_t* _cred, str* _method, char* _ha1);
-
-
-/*!
- * \brief Calculate the response and compare with given response
- *
- * Calculate the response and compare with the given response string.
- * Authorization is successful if this two strings are same.
- * \param _cred digest credentials
- * \param _method method from the request
- * \param _ha1 HA1 value
- * \return 0 if comparison was ok, 1 when length not match, 2 when comparison not ok
- */
-int check_response(dig_cred_t* _cred, str* _method, char* _ha1);
-
-
-/*!
- * \brief Calculate H(A1) as per HTTP Digest spec
- * \param _alg type of hash algorithm
- * \param _username username
- * \param _realm authentification realm
- * \param _password password
- * \param _nonce nonce value
- * \param _cnonce cnonce value
- * \param _sess_key session key, result will be stored there
- */
-typedef void (*calc_HA1_t)(ha_alg_t _alg, str* _username, str* _realm,
-		str* _password, str* _nonce, str* _cnonce, HASHHEX _sess_key);
-
-
-/*!
- * \brief Strip the beginning of a realm string
- *
- * Strip the beginning of a realm string, depending on the length of
- * the realm_prefix.
- * \param _realm realm string
- */
-void strip_realm(str *_realm);
-
-
-/*! Auth module API */
-typedef struct auth_api_k {
-	pre_auth_t  pre_auth;  /*!< The function to be called before auth */
-	post_auth_t post_auth; /*!< The function to be called after auth */
-	calc_HA1_t  calc_HA1;  /*!< calculate H(A1) as per spec */
-	check_response_t check_response; /*!< check auth response */
-} auth_api_k_t;
-
-
-typedef int (*bind_auth_k_t)(auth_api_k_t* api);
-
-
-/*!
- * \brief Bind function for the auth API
- * \param api binded API
- * \return 0 on success, -1 on failure
- */
-int bind_auth_k(auth_api_k_t* api);
-
-
-#endif
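Review bot: This header is the published contract for other modules, so removing auth_result_t, auth_api_k_t and bind_auth_k_t breaks anything that includes modules_k/auth `api.h` at compile time; before merging, confirm that the replacement module's header provides the same types and result codes, or document the mapping. Note in particular `NONCE_REUSED = -6`: the README only lists the codes -5 to -1 for the script, so callers of the API may depend on -6 as undocumented behaviour, and the replacement module's handling of a reused nonce should be checked to return an equivalent.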

+ 0 - 467
modules_k/auth/auth_mod.c

@@ -1,467 +0,0 @@
-/*
- * $Id$ 
- *
- * Copyright (C) 2001-2003 FhG Fokus
- *
- * This file is part of Kamailio, a free SIP server.
- *
- * Kamailio is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version
- *
- * Kamailio is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License 
- * along with this program; if not, write to the Free Software 
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
- *
- * History:
- * --------
- * 2003-02-26 checks and group moved to separate modules (janakj)
- * 2003-03-10 New module interface (janakj)
- * 2003-03-16 flags export parameter added (janakj)
- * 2003-03-19 all mallocs/frees replaced w/ pkg_malloc/pkg_free (andrei)
- * 2003-04-28 rpid contributed by Juha Heinanen added (janakj) 
- * 2005-05-31 general avp specification added for rpid (bogdan)
- * 2006-03-01 pseudo variables support for domain name (bogdan)
- */
-
-/*!
- * \file
- * \brief Digest Authentication Module
- * \ingroup auth
- * - Module: \ref auth
- */
-
-/*!
- * \defgroup auth AUTH :: The Kamailio auth Module
- * The module provides functions to authentificate users.
- * It also exports a API that can be used from other modules.
- */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <time.h>
-#include "../../sr_module.h"
-#include "../../dprint.h"
-#include "../../mem/mem.h"
-#include "../../error.h"
-#include "../../pvar.h"
-#include "../../ut.h"
-#include "../../mod_fix.h"
-#include "../../lock_alloc.h"
-#include "auth_mod.h"
-#include "challenge.h"
-#include "api.h"
-
-MODULE_VERSION
-
-/*! length of the random secret */
-#define RAND_SECRET_LEN 32
-
-#define DEF_STRIP_REALM ""
-
-/*!
- * Module destroy function prototype
- */
-static void destroy(void);
-
-/*!
- * Module initialization function prototype
- */
-static int mod_init(void);
-
-int pv_proxy_authorize(struct sip_msg* msg, char* realm, char* str2);
-int pv_www_authorize(struct sip_msg* msg, char* realm, char* str2);
-
-/*! SL API structure */
-sl_api_t slb;
-
-
-/*
- * Module parameter variables
- */
-char* sec_param    = 0;   /*!< If the parameter is not used, the secret phrase will be auto-generated */
-unsigned int   nonce_expire = 30; /*!< Nonce lifetime - default 30 seconds */
-
-str secret;
-char* sec_rand = 0;
-
-int auth_calc_ha1 = 0;
-
-/*! Prefix to strip from realm */
-str realm_prefix = {DEF_STRIP_REALM, sizeof(DEF_STRIP_REALM) - 1};
-
-/*! definition of AVP containing username value */
-char* user_spec_param = 0;
-static pv_spec_t user_spec;
-
-
-/*! definition of AVP containing password value */
-char* passwd_spec_param = 0;
-static pv_spec_t passwd_spec;
-
-/*! nonce index */
-gen_lock_t* nonce_lock= NULL;
-char* nonce_buf= NULL;
-int* sec_monit= NULL;
-int* second= NULL;
-int* next_index= NULL;
-
-/*! control nonce usage checking */
-int nonce_reuse = 0;
-
-/*
- * Exported functions
- */
-static cmd_export_t cmds[] = {
-	{"www_challenge",       (cmd_function)www_challenge,           2,
-		fixup_spve_uint, 0, REQUEST_ROUTE},
-	{"proxy_challenge",     (cmd_function)proxy_challenge,         2,
-		fixup_spve_uint, 0, REQUEST_ROUTE},
-	{"pv_www_authorize",    (cmd_function)pv_www_authorize,        1,
-		fixup_spve_null, 0, REQUEST_ROUTE},
-	{"pv_proxy_authorize",  (cmd_function)pv_proxy_authorize,      1,
-		fixup_spve_null, 0, REQUEST_ROUTE},
-	{"consume_credentials", (cmd_function)consume_credentials,     0, 0,
-			0, REQUEST_ROUTE},
-	{"bind_auth_k",           (cmd_function)bind_auth_k, 0, 0,
-			0, 0},
-	{0, 0, 0, 0, 0, 0}
-};
-
-
-/*
- * Exported parameters
- */
-static param_export_t params[] = {
-	{"secret",          STR_PARAM, &sec_param      },
-	{"nonce_expire",    INT_PARAM, &nonce_expire   },
-	{"realm_prefix",    STR_PARAM, &realm_prefix.s },
-	{"username_spec",   STR_PARAM, &user_spec_param   },
-	{"password_spec",   STR_PARAM, &passwd_spec_param },
-	{"calculate_ha1",   INT_PARAM, &auth_calc_ha1     },
-	{"nonce_reuse",     INT_PARAM, &nonce_reuse       },
-	{0, 0, 0}
-};
-
-
-/*
- * Module interface
- */
-struct module_exports exports = {
-	"auth", 
-	DEFAULT_DLFLAGS, /* dlopen flags */
-	cmds,
-	params,
-	0,          /* exported statistics */
-	0,          /* exported MI functions */
-	0,          /* exported pseudo-variables */
-	0,          /* extra processes */
-	mod_init,   /* module initialization function */
-	0,          /* response function */
-	destroy,    /* destroy function */
-	0           /* child initialization function */
-};
-
-
-/*!
- * \brief Generate a random secret
- *
- * Generate a random secret. A secret parameter was not used so we
- * generate a random value here.
- * \return 0 on success, -1 on failure
- */
-static inline int generate_random_secret(void)
-{
-	int i;
-
-	sec_rand = (char*)pkg_malloc(RAND_SECRET_LEN);
-	if (!sec_rand) {
-		LM_ERR("no pkg memory left\n");
-		return -1;
-	}
-
-	/* the generator is seeded from the core */
-
-	for(i = 0; i < RAND_SECRET_LEN; i++) {
-		sec_rand[i] = 32 + (int)(95.0 * rand() / (RAND_MAX + 1.0));
-	}
-
-	secret.s = sec_rand;
-	secret.len = RAND_SECRET_LEN;
-
-	/*LM_DBG("Generated secret: '%.*s'\n", secret.len, secret.s); */
-
-	return 0;
-}
-
-
-static int mod_init(void)
-{
-	str stmp;
-	
-	/* bind the SL API */
-	if (sl_load_api(&slb)!=0) {
-		LM_ERR("cannot bind to SL API\n");
-		return -1;
-	}
-
-	/* If the parameter was not used */
-	if (sec_param == 0) {
-		/* Generate secret using random generator */
-		if (generate_random_secret() < 0) {
-			LM_ERR("failed to generate random secret\n");
-			return -3;
-		}
-	} else {
-		/* Otherwise use the parameter's value */
-		secret.s = sec_param;
-		secret.len = strlen(secret.s);
-	}
-
-	realm_prefix.len = strlen(realm_prefix.s);
-
-	if(user_spec_param!=0)
-	{
-		stmp.s = user_spec_param; stmp.len = strlen(stmp.s);
-		if(pv_parse_spec(&stmp, &user_spec)==NULL)
-		{
-			LM_ERR("failed to parse username spec\n");
-			return -5;
-		}
-		switch(user_spec.type) {
-			case PVT_NONE:
-			case PVT_EMPTY:
-			case PVT_NULL:
-			case PVT_MARKER:
-			case PVT_COLOR:
-				LM_ERR("invalid username spec\n");
-				return -6;
-			default: ;
-		}
-	}
-	if(passwd_spec_param!=0)
-	{
-		stmp.s = passwd_spec_param; stmp.len = strlen(stmp.s);
-		if(pv_parse_spec(&stmp, &passwd_spec)==NULL)
-		{
-			LM_ERR("failed to parse password spec\n");
-			return -7;
-		}
-		switch(passwd_spec.type) {
-			case PVT_NONE:
-			case PVT_EMPTY:
-			case PVT_NULL:
-			case PVT_MARKER:
-			case PVT_COLOR:
-				LM_ERR("invalid password spec\n");
-				return -8;
-			default: ;
-		}
-	}
-
-	if(nonce_reuse==0)
-	{
-	    nonce_lock = (gen_lock_t*)lock_alloc();
-		if(nonce_lock== NULL)
-	    {
-		    LM_ERR("no more shared memory\n");
-			return -1;
-	    }
-
-		/* initialize lock_nonce */
-	    if(lock_init(nonce_lock)== 0)
-		{
-	        LM_ERR("failed to init lock\n");
-		    return -9;
-	    }
-
-		nonce_buf= (char*)shm_malloc(NBUF_LEN);
-		if(nonce_buf== NULL)
-	    {
-		    LM_ERR("no more share memory\n");
-			return -10;
-	    }
-		memset(nonce_buf, 255, NBUF_LEN);
-
-		sec_monit= (int*)shm_malloc((nonce_expire +1)* sizeof(int));
-		if(sec_monit== NULL)
-		{
-			LM_ERR("no more share memory\n");
-	        return -10;
-		}
-		memset(sec_monit, -1, (nonce_expire +1)* sizeof(int));
-		second= (int*)shm_malloc(sizeof(int));
-		next_index= (int*)shm_malloc(sizeof(int));
-		if(second==  NULL || next_index== NULL)
-	    {
-		    LM_ERR("no more share memory\n");
-	        return -10;
-		}
-		*next_index= -1;
-	}
-
-	return 0;
-}
-
-
-static void destroy(void)
-{
-	if (sec_rand) pkg_free(sec_rand);
-
-	if(nonce_reuse==0)
-	{
-	    if(nonce_lock)
-		{
-			lock_destroy(nonce_lock);
-	        lock_dealloc(nonce_lock);
-		}
-
-	    if(nonce_buf)
-		    shm_free(nonce_buf);
-	    if(second)
-		    shm_free(second);
-	    if(sec_monit)
-		    shm_free(sec_monit);
-	    if(next_index)
-		    shm_free(next_index);
-	}
-}
-
-
-/*!
- * \brief Generate a HA1 response from username and domain
- * \param msg SIP message
- * \param _username user name
- * \param _domain domain
- * \param _ha1 generated HA1
- * \return 0 on success, 1 on error and when the user could not found
- */
-static inline int auth_get_ha1(struct sip_msg *msg, struct username* _username,
-		str* _domain, char* _ha1)
-{
-	pv_value_t sval;
-	
-	/* get username from PV */
-	memset(&sval, 0, sizeof(pv_value_t));
-	if(pv_get_spec_value(msg, &user_spec, &sval)==0)
-	{
-		if(sval.flags==PV_VAL_NONE || (sval.flags&PV_VAL_NULL)
-				|| (sval.flags&PV_VAL_EMPTY) || (!(sval.flags&PV_VAL_STR)))
-		{
-			pv_value_destroy(&sval);
-			return 1;
-		}
-		if(sval.rs.len!= _username->user.len
-				|| strncasecmp(sval.rs.s, _username->user.s, sval.rs.len))
-		{
-			LM_DBG("username mismatch [%.*s] [%.*s]\n",
-				_username->user.len, _username->user.s, sval.rs.len, sval.rs.s);
-			pv_value_destroy(&sval);
-			return 1;
-		}
-	} else {
-		return 1;
-	}
-	/* get password from PV */
-	memset(&sval, 0, sizeof(pv_value_t));
-	if(pv_get_spec_value(msg, &passwd_spec, &sval)==0)
-	{
-		if(sval.flags==PV_VAL_NONE || (sval.flags&PV_VAL_NULL)
-				|| (sval.flags&PV_VAL_EMPTY) || (!(sval.flags&PV_VAL_STR)))
-		{
-			pv_value_destroy(&sval);
-			return 1;
-		}
-	} else {
-		return 1;
-	}
-	if (auth_calc_ha1) {
-		/* Only plaintext passwords are stored in database,
-		 * we have to calculate HA1 */
-		calc_HA1(HA_MD5, &_username->whole, _domain, &sval.rs, 0, 0, _ha1);
-		LM_DBG("HA1 string calculated: %s\n", _ha1);
-	} else {
-		memcpy(_ha1, sval.rs.s, sval.rs.len);
-		_ha1[sval.rs.len] = '\0';
-	}
-
-	return 0;
-}
-
-
-/*!
- * \brief Check authorization from a pseudo-variable
- * \param msg SIP message
- * \param realm authentification realm
- * \param hftype type of the header field
- * \return 1 when authorized, null on errors, negative on authentification failure
- */
-static inline int pv_authorize(struct sip_msg* msg, gparam_p realm,
-										hdr_types_t hftype)
-{
-	static char ha1[256];
-	struct hdr_field* h;
-	auth_body_t* cred;
-	auth_result_t ret;
-	str domain;
-
-	if(fixup_get_svalue(msg, realm, &domain)!=0)
-	{
-		LM_ERR("invalid realm parameter\n");
-		return -1;
-	}
-
-	if (domain.len==0)
-		domain.s = 0;
-
-	ret = pre_auth(msg, &domain, hftype, &h);
-
-	if (ret != DO_AUTHORIZATION)
-		return ret;
-
-	cred = (auth_body_t*)h->parsed;
-
-	if ((auth_get_ha1(msg, &cred->digest.username, &domain, ha1)) > 0) {
-		/* Username not found */
-		return USER_UNKNOWN;
-	}
-
-	/* Recalculate response, it must be same to authorize successfully */
-	if (!check_response(&(cred->digest),&msg->first_line.u.request.method,ha1))
-	{
-		return post_auth(msg, h);
-	}
-	return AUTH_ERROR;
-}
-
-
-/*!
- * \brief Small wrapper around pv_authorize, use proxy challenge
- * \param msg SIP message
- * \param realm authenfication realm
- * \param str2 unused
- * \return 1 on sucess, 0 on errors, negative on authentification failures
- */
-int pv_proxy_authorize(struct sip_msg* msg, char* realm, char* str2)
-{
-	return pv_authorize(msg, (gparam_p)realm, HDR_PROXYAUTH_T);
-}
-
-
-/*!
- * \brief Small wrapper around pv_authorize, use www challenge
- * \param msg SIP message
- * \param realm authenfication realm
- * \param str2 unused
- * \return 1 on sucess, 0 on errors, negative on authentification failures
- */
-int pv_www_authorize(struct sip_msg* msg, char* realm, char* str2)
-{
-	return pv_authorize(msg, (gparam_p)realm, HDR_AUTHORIZATION_T);
-}
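Review bot: `auth_get_ha1()` copies the password pseudo-variable straight into the caller's buffer with `memcpy(_ha1, sval.rs.s, sval.rs.len); _ha1[sval.rs.len] = '\0';` while `pv_authorize()` passes `static char ha1[256]`, so there is no check that `sval.rs.len` fits; a value longer than 255 bytes in whatever `password_spec` points at overruns the static buffer. A `if (sval.rs.len >= 256) { pv_value_destroy(&sval); return 1; }` before the copy (or passing the buffer size down) closes that. Also worth flagging for the replacement module: `generate_random_secret()` derives the nonce secret from libc `rand()` (`32 + (int)(95.0 * rand() / (RAND_MAX + 1.0))`), which is not a cryptographic generator, so that pattern should not be carried over.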

+ 0 - 63
modules_k/auth/auth_mod.h

@@ -1,63 +0,0 @@
-/*
- * $Id$
- *
- * Copyright (C) 2001-2003 FhG Fokus
- *
- * This file is part of Kamailio, a free SIP server.
- *
- * Kamailio is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version
- *
- * Kamailio is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License 
- * along with this program; if not, write to the Free Software 
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
- *
- * History:
- * --------
- * 2003-04-28 rpid contributed by Juha Heinanen added (janakj)
- */
-
-/*!
- * \file
- * \brief Digest Authentication Module
- * \ingroup auth
- * - Module: \ref auth
- */
-
-#ifndef AUTH_MOD_H
-#define AUTH_MOD_H
-
-#include "../../str.h"
-#include "../../parser/msg_parser.h"    /* struct sip_msg */
-#include "../../modules/sl/sl.h"
-#include "../../lock_ops.h"
-
-#define MAX_NONCE_INDEX     100000
-#define NBUF_LEN            (MAX_NONCE_INDEX>>3) /*!< nonce buffer length */
-
-/*
- * Module parameters variables
- */
-extern str secret;            /*!< secret phrase used to generate nonce */
-extern unsigned int nonce_expire; /*!< nonce expire interval */
-extern str realm_prefix;      /*!< strip off auto-generated realm */
-
-/*! SL API structure */
-extern sl_api_t slb;
-
-/* nonce index */
-extern gen_lock_t* nonce_lock;
-extern char* nonce_buf;
-extern int* sec_monit;
-extern int* second;
-extern int* next_index;
-extern int nonce_reuse;
-
-#endif

+ 0 - 297
modules_k/auth/challenge.c

@@ -1,297 +0,0 @@
-/*
- * $Id$
- *
- * Copyright (C) 2001-2003 FhG Fokus
- *
- * This file is part of Kamailio, a free SIP server.
- *
- * Kamailio is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version
- *
- * Kamailio is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License 
- * along with this program; if not, write to the Free Software 
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
- *
- * History:
- * --------
- * 2003-01-20 snprintf in build_auth_hf replaced with memcpy to avoid
- *            possible issues with too small buffer
- * 2003-01-26 consume_credentials no longer complains about ACK/CANCEL(jiri)
- * 2006-03-01 pseudo variables support for domain name (bogdan)
- */
-
-/*!
- * \file
- * \brief Challenge related functions
- * \ingroup auth
- * - Module: \ref auth
- */
-
-#include "../../data_lump.h"
-#include "../../mem/mem.h"
-#include "../../parser/digest/digest.h"
-#include "../../pvar.h"
-#include "../../str.h"
-#include "../../ut.h"
-#include "../../mod_fix.h"
-#include "auth_mod.h"
-#include "common.h"
-#include "challenge.h"
-#include "nonce.h"
-#include "index.h"
-#include "api.h"
-
-static str auth_400_err = str_init(MESSAGE_400);
-static str auth_500_err = str_init(MESSAGE_500);
-
-
-/*
- * proxy_challenge function sends this reply
- */
-#define MESSAGE_407          "Proxy Authentication Required"
-#define PROXY_AUTH_CHALLENGE "Proxy-Authenticate"
-
-
-/*
- * www_challenge function send this reply
- */
-#define MESSAGE_401        "Unauthorized"
-#define WWW_AUTH_CHALLENGE "WWW-Authenticate"
-
-
-#define QOP_PARAM	  ", qop=\"auth\""
-#define QOP_PARAM_LEN	  (sizeof(QOP_PARAM)-1)
-#define STALE_PARAM	  ", stale=true"
-#define STALE_PARAM_LEN	  (sizeof(STALE_PARAM)-1)
-#define DIGEST_REALM	  ": Digest realm=\""
-#define DIGEST_REALM_LEN  (sizeof(DIGEST_REALM)-1)
-#define DIGEST_NONCE	  "\", nonce=\""
-#define DIGEST_NONCE_LEN  (sizeof(DIGEST_NONCE)-1)
-#define DIGEST_MD5	  ", algorithm=MD5"
-#define DIGEST_MD5_LEN	  (sizeof(DIGEST_MD5)-1)
-
-
-/*!
- * \brief Create {WWW,Proxy}-Authenticate header field
- * \param _stale
- * \param _realm authentification realm
- * \param _len length, will be set
- * \param _qop qop value
- * \param _hf_name header field name
- * \return created header field, or 0 on failure
- */
-static inline char *build_auth_hf(int _stale, str* _realm, int* _len,
-		int _qop, char* _hf_name)
-{
-	
-	int hf_name_len;
-	char *hf, *p;
-	int index = 0;
-
-	if(nonce_reuse==0)
-	{
-		/* get the nonce index and mark it as used */
-		index= reserve_nonce_index();
-		if(index == -1)
-		{
-			LM_ERR("no more nonces can be generated\n");
-			return 0;
-		}
-		LM_DBG("nonce index= %d\n", index);
-	}
-	     /* length calculation */
-	*_len=hf_name_len=strlen(_hf_name);
-	*_len+=DIGEST_REALM_LEN
-		+_realm->len
-		+DIGEST_NONCE_LEN
-		+((nonce_reuse==0)?NONCE_LEN:NONCE_LEN-8)
-		+1 /* '"' */
-		+((_qop)? QOP_PARAM_LEN:0)
-		+((_stale)? STALE_PARAM_LEN : 0)
-#ifdef _PRINT_MD5
-		+DIGEST_MD5_LEN
-#endif
-		+CRLF_LEN ;
-	
-	p=hf=pkg_malloc(*_len+1);
-	if (!hf) {
-		LM_ERR("no pkg memory left\n");
-		*_len=0;
-		return 0;
-	}
-
-	memcpy(p, _hf_name, hf_name_len); p+=hf_name_len;
-	memcpy(p, DIGEST_REALM, DIGEST_REALM_LEN);p+=DIGEST_REALM_LEN;
-	memcpy(p, _realm->s, _realm->len);p+=_realm->len;
-	memcpy(p, DIGEST_NONCE, DIGEST_NONCE_LEN);p+=DIGEST_NONCE_LEN;
-	calc_nonce(p, time(0) + nonce_expire, index, &secret);
-	p+=((nonce_reuse==0)?NONCE_LEN:NONCE_LEN-8);
-	*p='"';p++;
-	if (_qop) {
-		memcpy(p, QOP_PARAM, QOP_PARAM_LEN);
-		p+=QOP_PARAM_LEN;
-	}
-	if (_stale) {
-		memcpy(p, STALE_PARAM, STALE_PARAM_LEN);
-		p+=STALE_PARAM_LEN;
-	}
-#ifdef _PRINT_MD5
-	memcpy(p, DIGEST_MD5, DIGEST_MD5_LEN ); p+=DIGEST_MD5_LEN;
-#endif
-	memcpy(p, CRLF, CRLF_LEN ); p+=CRLF_LEN;
-	*p=0; /* zero terminator, just in case */
-	
-	LM_DBG("'%s'\n", hf);
-	return hf;
-}
-
-/*!
- * \brief Create and send a authentification challenge
- * \param _msg SIP message
- * \param _realm authentification realm
- * \param _qop qop value
- * \param _code response code
- * \param _message response message
- * \param _challenge_msg challenge message
- * \return 0 if challenge could be created and sended, -1 on failure
- */
-static inline int challenge(struct sip_msg* _msg, gparam_p _realm, int _qop,
-						int _code, char* _message, char* _challenge_msg)
-{
-	int auth_hf_len;
-	struct hdr_field* h;
-	auth_body_t* cred = 0;
-	char *auth_hf;
-	int ret;
-	hdr_types_t hftype = 0;
-	struct sip_uri *uri;
-	str realm;
-	str reason;
-
-	switch(_code) {
-	case 401:
-		get_authorized_cred(_msg->authorization, &h); 
-		hftype = HDR_AUTHORIZATION_T;
-		break;
-	case 407:
-		get_authorized_cred(_msg->proxy_auth, &h);
-		hftype = HDR_PROXYAUTH_T;
-		break;
-	}
-
-	if (h) cred = (auth_body_t*)(h->parsed);
-
-	if(fixup_get_svalue(_msg, _realm, &realm)!=0)
-	{
-		LM_ERR("invalid realm parameter");
-		if (send_resp(_msg, 500, &auth_500_err, 0, 0)==-1)
-			return -1;
-		else
-			return 0;
-	}
-	if (realm.len == 0) {
-		if (get_realm(_msg, hftype, &uri) < 0) {
-			LM_ERR("failed to extract URI\n");
-			if (send_resp(_msg, 400, &auth_400_err, 0, 0) == -1) {
-				LM_ERR("failed to send the response\n");
-				return -1;
-			}
-			return 0;
-		}
-
-		realm = uri->host;
-		strip_realm(&realm);
-	}
-
-	auth_hf = build_auth_hf((cred ? cred->stale : 0), &realm, 
-			&auth_hf_len, _qop, _challenge_msg);
-	if (!auth_hf) {
-		LM_ERR("failed to generate nonce\n");
-		if (send_resp(_msg, 500, &auth_500_err, 0, 0)==-1)
-			return -1;
-		else
-			return 0;
-	}
-
-	reason.s = _message;
-	reason.len = strlen(_message);
-	ret = send_resp(_msg, _code, &reason, auth_hf, auth_hf_len);
-	if (auth_hf) pkg_free(auth_hf);
-	if (ret == -1) {
-		LM_ERR("failed to send the response\n");
-		return -1;
-	}
-	
-	return 0;
-}
-
-
-
-int www_challenge(struct sip_msg* _msg, char* _realm, char* _qop)
-{/*!
- * \brief Challenge a user to send credentials using WWW-Authorize header field
- * \param _msg SIP message
- * \param _realm authentification realm
- * \param _qop qop value
- * \return 0 if challenge could be sended, -1 on failure
- */
-	return challenge(_msg, (gparam_p)_realm, (int)(long)_qop, 401,
-			MESSAGE_401, WWW_AUTH_CHALLENGE);
-}
-
-
-
-/*!
- * \brief Challenge a user to send credentials using Proxy-Authorize header field
- * \param _msg SIP message
- * \param _realm authentification realm
- * \param _qop qop value
- * \return 0 if challenge could be sended, -1 on failure
- */
-int proxy_challenge(struct sip_msg* _msg, char* _realm, char* _qop)
-{
-	return challenge(_msg, (gparam_p)_realm, (int)(long)_qop, 407,
-			MESSAGE_407, PROXY_AUTH_CHALLENGE);
-}
-
-
-/*!
- * \brief Remove used credentials from a SIP message header
- * \param _m SIP message
- * \param _s1 unused
- * \param _s2 unused
- * \return 1 when credentials could be removed, -1 if not found or on failure
- */
-int consume_credentials(struct sip_msg* _m, char* _s1, char* _s2)
-{
-	struct hdr_field* h;
-	int len;
-
-	get_authorized_cred(_m->authorization, &h);
-	if (!h) {
-		get_authorized_cred(_m->proxy_auth, &h);
-		if (!h) { 
-			if (_m->REQ_METHOD!=METHOD_ACK 
-					&& _m->REQ_METHOD!=METHOD_CANCEL) {
-				LM_ERR("no authorized credentials found (error in scripts)\n");
-			}
-			return -1;
-		}
-	}
-
-	len=h->len;
-
-	if (del_lump(_m, h->name.s - _m->buf, len, 0) == 0) {
-		LM_ERR("can't remove credentials\n");
-		return -1;
-	}
-
-	return 1;
-}
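Review bot: In `challenge()`, `struct hdr_field* h;` is only assigned inside the `switch(_code)` cases for 401 and 407, and the switch has no default, yet `if (h) cred = (auth_body_t*)(h->parsed);` runs unconditionally; both callers pass 401 or 407 today, but `h = 0;` at declaration (or a default that returns) would make the read of `h` defined for any other code. Two smaller points in the same hunk: the doxygen block for `www_challenge()` sits inside the function body (between `{` and `return challenge(...)`) so it documents nothing, and `LM_ERR("invalid realm parameter");` is the one log call without the trailing `\n` the others use.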

+ 0 - 66
modules_k/auth/challenge.h

@@ -1,66 +0,0 @@
-/*
- * $Id$
- *
- * Copyright (C) 2001-2003 FhG Fokus
- *
- * This file is part of Kamailio, a free SIP server.
- *
- * Kamailio is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version
- *
- * Kamailio is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License 
- * along with this program; if not, write to the Free Software 
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
- */
-
-/*!
- * \file
- * \brief Challenge related functions
- * \ingroup auth
- * - Module: \ref auth
- */
-
-#ifndef CHALLENGE_H
-#define CHALLENGE_H
-
-#include "../../parser/msg_parser.h"
-
-
-/*!
- * \brief Challenge a user to send credentials using WWW-Authorize header field
- * \param _msg SIP message
- * \param _realm authentification realm
- * \param _qop qop value
- * \return 0 if challenge could be sended, -1 on failure
- */
-int www_challenge(struct sip_msg* _msg, char* _realm, char* _qop);
-
-
-/*!
- * \brief Challenge a user to send credentials using Proxy-Authorize header field
- * \param _msg SIP message
- * \param _realm authentification realm
- * \param _qop qop value
- * \return 0 if challenge could be sended, -1 on failure
- */
-int proxy_challenge(struct sip_msg* _msg, char* _realm, char* _qop);
-
-
-/*!
- * \brief Remove used credentials from a SIP message header
- * \param _m SIP message
- * \param _s1 unused
- * \param _s2 unused
- * \return 1 when credentials could be removed, -1 if not found or on failure
- */
-int consume_credentials(struct sip_msg* _m, char* _s1, char* _s2);
-
-
-#endif

+ 0 - 110
modules_k/auth/common.c

@@ -1,110 +0,0 @@
-
-/*
- * $Id$
- *
- * Copyright (C) 2001-2003 FhG Fokus
- *
- * This file is part of Kamailio, a free SIP server.
- *
- * Kamailio is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version
- *
- * Kamailio is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License 
- * along with this program; if not, write to the Free Software 
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
- *
- * History:
- * -------
- * 2003-03-15: In case of HDR_PROXYAUTH we always extract realm from From,
- *             even for REGISTERS
- * 2003-09-11: updated to new build_lump_rpl() interface (bogdan)
- * 2003-11-11: build_lump_rpl() removed, add_lump_rpl() has flags (bogdan)
- */
-
-/*!
- * \file
- * \brief Digest Authentication Module
- * \ingroup auth
- * - Module: \ref auth
- */
-
-#include <string.h>
-#include "../../dprint.h"
-#include "../../parser/parse_from.h"
-#include "../../parser/parse_to.h"
-#include "../../parser/parse_uri.h"
-#include "../../data_lump_rpl.h"
-#include "../../lib/kcore/parser_helpers.h"
-#include "auth_mod.h"
-#include "common.h"
-
-
-/*!
- * \brief Return parsed To or From, host part of the parsed uri is realm
- * \param _m SIP message
- * \param _hftype header field type
- * \param _u SIP URI
- * \return 0 on success, negative on failure
- */
-int get_realm(struct sip_msg* _m, hdr_types_t _hftype, struct sip_uri** _u)
-{
-
-	if(_u==NULL)
-		return -1;
-	if ((REQ_LINE(_m).method.len == 8) 
-	    && !memcmp(REQ_LINE(_m).method.s, "REGISTER", 8) 
-	    && (_hftype == HDR_AUTHORIZATION_T)
-	   ) {
-		if (!_m->to && ((parse_headers(_m, HDR_TO_F, 0)==-1) || (!_m->to))) {
-			LM_ERR("failed to parse TO headers\n");
-			return -1;
-		}
-		
-		/* Body of To header field is parsed automatically */
-		if((*_u = parse_to_uri(_m))==NULL)
-			return -1;
-	} else {
-		if (parse_from_header(_m) < 0) {
-			LM_ERR("failed to parse FROM headers\n");
-			return -2;
-		}
-		if((*_u = parse_from_uri(_m))==NULL)
-			return -1;
-	}
-	
-	return 0;
-}
-
-
-/*!
- * \brief Create a response with given code and reason phrase
- *
- * Create a response with given code and reason phrase
- * Optionally add new headers specified in _hdr
- * \param _m SIP message
- * \param _code response code
- * \param _reason reason string
- * \param _hdr header to add
- * \param _hdr_len header length
- * \return 1 if reply could be sended, -1 on failure
- */
-int send_resp(struct sip_msg* _m, int _code, str* _reason,
-					char* _hdr, int _hdr_len)
-{
-	/* Add new headers if there are any */
-	if ((_hdr) && (_hdr_len)) {
-		if (add_lump_rpl( _m, _hdr, _hdr_len, LUMP_RPL_HDR)==0) {
-			LM_ERR("unable to append hdr\n");
-			return -1;
-		}
-	}
-
-	return slb.freply(_m, _code, _reason);
-}
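Review bot: The doc comment on `send_resp()` promises "1 if reply could be sended, -1 on failure", but the function simply returns `slb.freply(_m, _code, _reason)`, so the documented contract only holds if the SL API's `freply` has exactly that convention; either state that the return value is passed through from `slb.freply` or normalise it (`return slb.freply(...) < 0 ? -1 : 1;`), and fix "sended" to "sent" in the header copy as well.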

+ 0 - 64
modules_k/auth/common.h

@@ -1,64 +0,0 @@
-/*
- * $Id$
- *
- * Copyright (C) 2001-2003 FhG Fokus
- *
- * This file is part of Kamailio, a free SIP server.
- *
- * Kamailio is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version
- *
- * Kamailio is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License 
- * along with this program; if not, write to the Free Software 
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
- */
-
-/*!
- * \file
- * \brief Digest Authentication Module
- * \ingroup auth
- * - Module: \ref auth
- */
-
-#ifndef COMMON_H
-#define COMMON_H
-
-#include "../../parser/msg_parser.h"
-
-#define MESSAGE_400 "Bad Request"
-#define MESSAGE_500 "Server Internal Error"
-
-
-/*!
- * \brief Return parsed To or From, host part of the parsed uri is realm
- * \param _m SIP message
- * \param _hftype header field type
- * \param _u SIP URI
- * \return 0 on success, negative on failure
- */
-int get_realm(struct sip_msg* _m, hdr_types_t _hftype, struct sip_uri** _u);
-
-
-/*!
- * \brief Create a response with given code and reason phrase
- *
- * Create a response with given code and reason phrase
- * Optionally add new headers specified in _hdr
- * \param _m SIP message
- * \param _code response code
- * \param _reason reason string
- * \param _hdr header to add
- * \param _hdr_len header length
- * \return 1 if reply could be sended, -1 on failure
- */
-int send_resp(struct sip_msg* _m, int _code, str* _reason,
-	char* _hdr, int _hdr_len);
-
-#endif

+ 0 - 4
modules_k/auth/doc/Makefile

@@ -1,4 +0,0 @@
-docs = auth.xml
-
-docbook_dir = ../../../docbook
-include $(docbook_dir)/Makefile.module

+ 0 - 65
modules_k/auth/doc/auth.xml

@@ -1,65 +0,0 @@
-<?xml version="1.0" encoding='ISO-8859-1'?>
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
-"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd" [
-
-<!-- Include general documentation entities -->
-<!ENTITY % docentities SYSTEM "../../../docbook/entities.xml">
-%docentities;
-
-]>
-
-<book xmlns:xi="http://www.w3.org/2001/XInclude">
-	<bookinfo>
-	<title>Auth Module</title>
-	<productname class="trade">&kamailioname;</productname>
-	<authorgroup>
-		<author>
-		<firstname>Jan</firstname>
-		<surname>Janak</surname>
-		<affiliation><orgname>FhG Fokus</orgname></affiliation>
-		<email>[email protected]</email>
-		</author>
-		<author>
-		<firstname>Juha</firstname>
-		<surname>Heinanen</surname>
-		<affiliation><orgname>Song Networks</orgname></affiliation>
-		<email>[email protected]</email>
-		</author>
-		<author>
-		<firstname>Bogdan-Andrei</firstname>
-		<surname>Iancu</surname>
-		<affiliation><orgname>&voicesystem;</orgname></affiliation>
-		<email>[email protected]</email>
-		</author>
-		<author>
-		<firstname>Daniel-Constantin</firstname>
-		<surname>Mierla</surname>
-		<email>[email protected]</email>
-		</author>
-		<editor>
-		<firstname>Jan</firstname>
-		<surname>Janak</surname>
-		<email>[email protected]</email>
-		</editor>
-	</authorgroup>
-	<copyright>
-		<year>2002</year>
-		<year>2003</year>
-		<holder>FhG FOKUS</holder>
-	</copyright>
-	<copyright>
-		<year>2005</year>
-		<holder>&voicesystem;</holder>
-	</copyright>
-	<revhistory>
-		<revision>
-		<revnumber>$Revision$</revnumber>
-		<date>$Date$</date>
-		</revision>
-	</revhistory>
-	</bookinfo>
-	<toc></toc>
-
-	<xi:include href="auth_admin.xml"/>
-
-</book>

+ 0 - 518
modules_k/auth/doc/auth_admin.xml

@@ -1,518 +0,0 @@
-<?xml version="1.0" encoding='ISO-8859-1'?>
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
-"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd" [
-
-<!-- Include general documentation entities -->
-<!ENTITY % docentities SYSTEM "../../../docbook/entities.xml">
-%docentities;
-
-]>
-
-<!-- Auth Module User's Guide -->
-
-<chapter>
-	
-	<title>&adminguide;</title>
-
-	<section>
-	<title>Overview</title>
-	<para>
-		This is a module that provides common functions that are needed by
-		other authentication related modules. Also, it can perform 
-		authentication taking username and password from pseudo-variables.
-    </para>
-	</section>
-
-    <section>
-		<title>Nonce Security</title>
-    <para>
-		The authentication mechanism offers protection against sniffing intrusion.
-		The module generates and verifies the nonces so that they can be used only
-		once (in an auth response). This is done
-		by having a lifetime value and an index associated with every nonce.
-		Using only an expiration value is not good enough because,as this value
-		has to be of few tens of seconds, it is possible for someone to sniff
-		on the network, get the credentials and then reuse them in another packet
-		with which to register a different contact or make calls using the others's
-		account. The index ensures that this will never be possible since it
-		is generated as unique through the lifetime of the nonce.
-	</para>
-	<para>
-		The default limit for the requests that can be authenticated is 100000 
-		in 30 seconds.
-		If you wish to adjust this you can decrease the lifetime of a nonce(
-		how much time to wait for a reply to a challenge). However, be aware not to
-		set it to a too small value.
-    </para>
-	</section>
-
-	<section>
-		<title>Dependencies</title>
-		<section>
-			<title>&kamailio; Modules</title>
-			<para>
-			The module depends on the following modules (in the other words 
-			the listed modules must be loaded before this module):
-			<itemizedlist>
-			<listitem>
-				<para><emphasis>sl</emphasis> -- Stateless replies</para>
-				<para><emphasis>pv</emphasis> -- Pseudo-variables</para>
-			</listitem>
-			</itemizedlist>
-			</para>
-		</section>
-		<section>
-			<title>External Libraries or Applications</title>
-			<para>
-			The following libraries or applications must be installed 
-			before running &kamailio; with this module loaded:
-			</para>
-			<itemizedlist>
-				<listitem>
-				<para><emphasis>none</emphasis></para>
-				</listitem>
-			</itemizedlist>
-		</section>
-	</section>
-
-	<section>
-	<title>Exported Parameters</title>
-	<section>
-		<title><varname>secret</varname> (string)</title>
-		<para>
-		Secret phrase used to calculate the nonce value.
-		</para>
-		<para>
-		The default is to use a random value generated from the random source in the core.
-		</para>
-		<para>
-		If you use multiple servers in your installation, and would like to authenticate
-		on the second server against the nonce generated at the first one its necessary
-		to explicitly set the secret to the same value on all servers. 
-		However, the use of a shared (and fixed) secret as nonce is insecure, much better
-		is to stay with the default. Any clients should send the reply to the server that
-		issued the request.
-		</para>
-		<example>
-		<title>secret parameter example</title>
-		<programlisting format="linespecific">
-modparam("auth", "secret", "johndoessecretphrase")
-</programlisting>
-		</example>
-	</section>
-	<section>
-		<title><varname>nonce_expire</varname> (integer)</title>
-		<para>
-		Nonces have limited lifetime. After a given period of time nonces 
-		will be considered invalid. This is to protect replay attacks. 
-		Credentials containing a stale nonce will be not authorized, but the 
-		user agent will be challenged again. This time the challenge will 
-		contain <varname>stale</varname> parameter which will indicate to the
-		client that it doesn't have to disturb user by asking for username 
-		and password, it can recalculate credentials using existing username 
-		and password.
-		</para>
-		<para>
-		The value is in seconds and default value is 30 seconds.
-		</para>
-		<example>
-		<title>nonce_expire parameter example</title>
-		<programlisting format="linespecific">
-modparam("auth", "nonce_expire", 15)   # Set nonce_expire to 15s
-</programlisting>
-		</example>
-	</section>
-	<section>
-		<title><varname>realm_prefix</varname> (string)</title>
-		<para>
-			Prefix to be automatically strip from realm. As an alternative to
-			SRV records (not all SIP clients support SRV lookup), a subdomain
-			of the master domain can be defined for SIP purposes (like 
-			sip.mydomain.net pointing to same IP address as the SRV
-			record for mydomain.net). By ignoring the realm_prefix 
-			<quote>sip.</quote>, at authentication, sip.mydomain.net will be
-			equivalent to mydomain.net .
-		</para>
-		<para>
-		Default value is empty string.
-		</para>
-		<example>
-		<title>realm_prefix parameter example</title>
-		<programlisting format="linespecific">
-modparam("auth", "realm_prefix", "sip.")
-</programlisting>
-		</example>
-	</section>
-	
-	<section>
-		<title><varname>username_spec</varname> (string)</title>
-		<para>
-		This name of the pseudo-variable that will hold the username.
-		</para>
-		<para>
-		Default value is <quote>NULL</quote>.
-		</para>
-		<example>
-		<title><varname>username_spec</varname> parameter usage</title>
-		<programlisting format="linespecific">
-modparam("auth", "username_spec", "$var(username)")
-</programlisting>
-		</example>
-	</section>
-
-	<section>
-		<title><varname>password_spec</varname> (string)</title>
-		<para>
-		This name of the pseudo-variable that will hold the password.
-		</para>
-		<para>
-		Default value is <quote>NULL</quote>.
-		</para>
-		<example>
-		<title><varname>password_spec</varname> parameter usage</title>
-		<programlisting format="linespecific">
-modparam("auth", "password_spec", "$avp(s:password)")
-</programlisting>
-		</example>
-	</section>
-
-	<section>
-		<title><varname>calculate_ha1</varname> (integer)</title>
-		<para>
-		This parameter tells the server whether it should expect plaintext
-		passwords in the pseudo-variable or a pre-calculated HA1 string.
-		</para>
-		<para>
-		If the parameter is set to 1 then the server will assume that the
-		<quote>password_spec</quote> pseudo-variable contains plaintext passwords
-		and it will calculate HA1 strings on the fly. If the parameter is set to 0
-		then the server assumes the pseudo-variable contains the HA1 strings directly
-		and will not calculate them.
-		</para>
-		<para>
-		Default value of this parameter is 0.
-		</para>
-		<example>
-		<title><varname>calculate_ha1</varname> parameter usage</title>
-		<programlisting format="linespecific">
-modparam("auth", "calculate_ha1", 1)
-</programlisting>
-		</example>
-	</section>
-
-	<section>
-		<title><varname>nonce_reuse</varname> (integer)</title>
-		<para>
-		Since version 1.4.0, the module checks if the nonce value
-		is re-used, enhancing security protection against reply and
-		man in the middle attacks. This check is done by default.
-		</para>
-		<para>
-		If the parameter is set to 1 then the nonce reuse checking is disabled,
-		offering compatibility with previous behavior. Not recommended though, this
-		functionality is still good in some scenarios, specially when registration time
-		is very low to deal with NAT traversal.
-		</para>
-		<para>
-		Default value of this parameter is 0 (protect against nonce reuse).
-		</para>
-		<example>
-		<title><varname>nonce_reuse</varname> parameter usage</title>
-		<programlisting format="linespecific">
-modparam("auth", "nonce_reuse", 1)
-</programlisting>
-		</example>
-	</section>
-	</section>
-
-	<section>
-	<title>Exported Functions</title>
-	<section>
-		<title>
-			<function moreinfo="none">www_challenge(realm, qop)</function>
-		</title>
-		<para>
-		The function challenges a user agent. It will generate a 
-		WWW-Authorize header field containing a digest challenge, it will 
-		put the header field into a response generated from the request the 
-		server is processing and send the reply. Upon reception of such a 
-		reply the user agent should compute credentials and retry the
-		request. For more information regarding digest authentication 
-		see RFC2617.
-		</para>
-		<para>
-		In case the reply cannot be sent, this method returns "-1"; in case a
-		reply was sent, it just terminates further script processing.
-		</para>
-		<para>Meaning of the parameters is as follows:</para>
-		<itemizedlist>
-		<listitem>
-			<para><emphasis>realm</emphasis> - Realm is a opaque string that 
-			the user agent should present to the user so he can decide what 
-			username and password to use. Usually this is domain of the host 
-			the server is running on.
-			</para>
-			<para>
-			If an empty string <quote></quote> is used then the server will 
-			generate it from the request. In case of REGISTER requests To 
-			header field domain will be used (because this header field 
-			represents a user being registered), for all other messages From 
-			header field domain will be used.
-			</para>
-			<para>
-			The string may contain pseudo variables.
-			</para>
-		</listitem>
-		<listitem>
-			<para><emphasis>qop</emphasis> - Value of this parameter can be 
-			either <quote>1</quote> or <quote>0</quote>. When set to 1 then 
-			the server will put a qop parameter in the challenge. When set to 0
-			then the server will not put the qop parameter in the challenge. It
-			is recommended to use the qop parameter, however there are still some
-			user agents that cannot handle qop properly so we made this optional.
-			On the other hand there are still some user agents that cannot handle
-			request without a qop parameter too.
-			</para>
-			<para>Enabling this parameter don't improve the security at the moment,
-			because the sequence number is not stored and therefore could not be
-			checked. Actually there is no information kept by the module during
-			the challenge and response requests.
-			</para>
-		</listitem>
-		</itemizedlist>
-		<para>
-		This function can be used from REQUEST_ROUTE.
-		</para>
-
-		<example>
-		<title>www_challenge usage</title>
-		<programlisting format="linespecific">
-...
-if (!www_authorize("siphub.net", "subscriber")) {
-	www_challenge("siphub.net", "1");
-};
-...
-</programlisting>
-		</example>
-	</section>
-
-	<section>
-		<title>
-			<function moreinfo="none">proxy_challenge(realm, qop)</function>
-		</title>
-		<para>
-		The function challenges a user agent. It will generate a 
-		Proxy-Authorize header field containing a digest challenge, it will 
-		put the header field into a response generated from the request the 
-		server is processing and send the reply. Upon reception of such a 
-		reply the user agent should compute credentials and retry the request.
-		For more information regarding digest authentication see RFC2617.
-		</para>
-		<para>
-		In case the reply cannot be sent, this method returns "-1"; in case a
-		reply was sent, it just terminates further script processing.
-		</para>
-		<para>Meaning of the parameters is as follows:</para>
-		<itemizedlist>
-		<listitem>
-			<para><emphasis>realm</emphasis> - Realm is a opaque string that 
-			the user agent should present to the user so he can decide what 
-			username and password to use. Usually this is domain of the host 
-			the server is running on.
-			</para>
-			<para>
-			If an empty string <quote></quote> is used then the server will 
-			generate it from the request. From header field domain will be 
-			used as realm.
-			</para>
-			<para>
-			The string may contain pseudo variables.
-			</para>
-		</listitem>
-		<listitem>
-			<para><emphasis>qop</emphasis> - Value of this parameter can be 
-			either <quote>1</quote> or <quote>0</quote>. When set to 1 then 
-			the server will put a qop parameter in the challenge. When set to 0
-			then the server will not put the qop parameter in the challenge. It
-			is recommended to use the qop parameter, however there are still some
-			user agents that cannot handle qop properly so we made this optional.
-			On the other hand there are still some user agents that cannot handle
-			request without a qop parameter too.
-			</para>
-			<para>Enabling this parameter don't improve the security at the moment,
-			because the sequence number is not stored and therefore could not be
-			checked. Actually there is no information kept by the module during
-			the challenge and response requests.
-			</para>
-		</listitem>
-		</itemizedlist>
-		<para>
-		This function can be used from REQUEST_ROUTE.
-		</para>
-		<example>
-		<title>proxy_challenge usage</title>
-		<programlisting format="linespecific">
-...
-if (!proxy_authorize("", "subscriber)) {
-	proxy_challenge("", "1");  # Realm will be autogenerated
-};
-...
-</programlisting>
-		</example>
-	</section>
-	<section>
-		<title>
-			<function moreinfo="none">consume_credentials()</function>
-		</title>
-		<para>
-		This function removes previously authorized credentials from the 
-		message being processed by the server. That means that the downstream 
-		message will not contain credentials there were used by this server. 
-		This ensures that the proxy will not reveal information about 
-		credentials used to downstream elements and also the message will be 
-		a little bit shorter. The function must be called after 
-		<function moreinfo="none">www_authorize</function> or 
-		<function moreinfo="none">proxy_authorize</function>. 
-		</para>
-		<para>
-		This function can be used from REQUEST_ROUTE.
-		</para>
-		<example>
-		<title>consume_credentials example</title>
-		<programlisting format="linespecific">
-...
-if (www_authorize("", "subscriber)) {
-    consume_credentials();
-};
-...
-</programlisting>
-		</example>
-	</section>
-	<section>
-		<title>
-			<function moreinfo="none">pv_www_authorize(realm)</function>
-		</title>
-		<para>
-		The function verifies credentials according to 
-		<ulink url="http://www.ietf.org/rfc/rfc2617.txt">RFC2617</ulink>. If the 
-		credentials are verified successfully then the function will succeed 
-		and mark the credentials as authorized (marked credentials can be later 
-		used by some other functions). If the function was unable to verify the 
-		credentials for some reason then it will fail and the script should 
-		call <function moreinfo="none">www_challenge</function> which will 
-		challenge the user again.
-		</para>
-		<para>Negative codes may be interpreted as follows:</para>
-		<itemizedlist>
-			<listitem><para>
-			<emphasis>-5 (generic error)</emphasis> - some generic error
-			occurred and no reply was sent out;
-			</para></listitem>
-			<listitem><para>
-			<emphasis>-4 (no credentials)</emphasis> - credentials were not
-			found in request;
-			</para></listitem>
-			<listitem><para>
-			<emphasis>-3 (stale nonce)</emphasis> - stale nonce;
-			</para></listitem>
-			<listitem><para>
-			<emphasis>-2 (invalid password)</emphasis> - valid user, but 
-			wrong password;
-			</para></listitem>
-			<listitem><para>
-			<emphasis>-1 (invalid user)</emphasis> - authentication user does
-			not exist.
-			</para></listitem>
-		</itemizedlist>
-		<para>Meaning of the parameters is as follows:</para>
-		<itemizedlist>
-		<listitem>
-			<para><emphasis>realm</emphasis> - Realm is a opaque string that 
-			the user agent should present to the user so he can decide what 
-			username and password to use. Usually this is domain of the host 
-			the server is running on.
-			</para>
-			<para>
-			If an empty string <quote></quote> is used then the server will 
-			generate it from the request. In case of REGISTER requests To 
-			header field domain will be used (because this header field 
-			represents a user being registered), for all other messages From 
-			header field domain will be used.
-			</para>
-			<para>
-			The string may contain pseudo variables.
-			</para>
-		</listitem>
-		</itemizedlist>
-		<para>
-		This function can be used from REQUEST_ROUTE.
-		</para>
-		<example>
-		<title><function moreinfo="none">pv_www_authorize</function>
-		usage</title>
-		<programlisting format="linespecific">
-...
-$var(username)="abc";
-$avp(s:password)="xyz";
-if (!pv_www_authorize("kamailio.org")) {
-	www_challenge("kamailio.org", "1");
-};
-...
-</programlisting>
-		</example>
-	</section>
-
-	<section>
-		<title>
-			<function moreinfo="none">pv_proxy_authorize(realm)</function>
-		</title>
-		<para>
-		The function verifies credentials according to 
-		<ulink url="http://www.ietf.org/rfc/rfc2617.txt">RFC2617</ulink>. If 
-		the credentials are verified successfully then the function will 
-		succeed and mark the credentials as authorized (marked credentials can 
-		be later used by some other functions). If the function was unable to 
-		verify the credentials for some reason then it will fail and
-		the script should call 
-		<function moreinfo="none">proxy_challenge</function> which will
-		challenge the user again. For more about the negative return codes,
-		see the above function.
-		</para>
-		<para>Meaning of the parameters is as follows:</para>
-		<itemizedlist>
-		<listitem>
-			<para><emphasis>realm</emphasis> - Realm is a opaque string that 
-			the user agent should present to the user so he can decide what 
-			username and password to use. Usually this is domain of the host 
-			the server is running on.
-			</para>
-			<para>
-			If an empty string <quote></quote> is used then the server will 
-			generate it from the request. From header field domain will be 
-			used as realm.
-			</para>
-			<para>
-			The string may contain pseudo variables.
-			</para>
-		</listitem>
-		</itemizedlist>
-		<para>
-		This function can be used from REQUEST_ROUTE.
-		</para>
-		<example>
-		<title>pv_proxy_authorize usage</title>
-		<programlisting format="linespecific">
-...
-$var(username)="abc";
-$avp(s:password)="xyz";
-if (!pv_proxy_authorize("")) {
-	proxy_challenge("", "1");  # Realm will be autogenerated
-};
-...
-</programlisting>
-		</example>
-	</section>
-
-	</section>
-</chapter>
-
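Review bot: the removed README is the only part of this change that documents the module's configuration surface, and the commit message ("use modules/auth insted of this one") gives no mapping to the replacement. Scripts that load `auth` and call `pv_www_authorize`/`pv_proxy_authorize`, or set `username_spec`, `password_spec`, `calculate_ha1`, `nonce_reuse`, `realm_prefix`, `secret` and `nonce_expire`, will no longer load after this commit; the commit message or an upgrade note should state which modules/auth parameters and functions replace each of them, or that some have no equivalent. Two security properties documented here also deserve an explicit statement for the replacement: the nonce-reuse check that the README says is on by default since 1.4.0 (nonce_reuse=0), and the caveat under www_challenge/proxy_challenge that qop=1 adds no protection because the nonce count is never stored.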

+ 0 - 198
modules_k/auth/index.c

@@ -1,198 +0,0 @@
-/*
- * $Id$
- *
- * Copyright (C)2008  Voice System S.R.L
- *
- * This file is part of Kamailio, a free SIP server.
- *
- * Kamailio is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version
- *
- * Kamailio is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License 
- * along with this program; if not, write to the Free Software 
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
- *
- * History:
- * --------
- *  2008-05-29  initial version (anca)
- */
-
-/*!
- * \file
- * \brief Nonce index related functions
- * \ingroup auth
- * - Module: \ref auth
- */
-
-#include <stdio.h>
-#include "../../dprint.h"
-#include "../../timer.h"
-#include "index.h"
-#include "auth_mod.h"
-
-#define set_buf_bit(index)    \
-    do{\
-        nonce_buf[index>>3] |=  (1<<(index%8));\
-    }while(0)
-
-#define unset_buf_bit(index)    \
-    do{\
-        nonce_buf[index>>3] &=  ~(1<<(index%8));\
-    }while(0)
-
-#define check_buf_bit(index)  ( nonce_buf[index>>3] & (1<<(index%8)) )
-
-
-/*!
- * \brief Get valid index for nonce
- * \return index on success, -1 on failure
- */
-int reserve_nonce_index(void)
-{
-	unsigned int curr_sec;
-	int index, i;
-
-	curr_sec =  get_ticks()%(nonce_expire+1);
-	lock_get(nonce_lock);
-
-	/* update last index for the previous seconds */
-	if(*next_index== -1) /* for the first request */
-		*next_index= 0;
-	else
-	{
-		/* if the portion with still alive nonces is not yet reached */
-		if(*second!= curr_sec)
-		{
-			/* get the index for the next nonce */
-			index= (*next_index==MAX_NONCE_INDEX)?MAX_NONCE_INDEX-1:*next_index -1;
-
-			/* set the interval in sec_monit vector */
-			if(curr_sec> *second)
-			{
-				for (i= *second; i< curr_sec; i++)
-					sec_monit[i]= index;
-			}
-			else
-			{
-				for (i= *second; i<= nonce_expire; i++)
-					sec_monit[i]= index;
-
-				for (i= 0; i< curr_sec; i++)
-					sec_monit[i]= index;
-			}
-		}
-	}
-	*second= curr_sec;
-
-	if(sec_monit[curr_sec]== -1) /* if in the first second*/
-	{
-		if(*next_index == MAX_NONCE_INDEX)
-		{
-			lock_release(nonce_lock);
-			return -1;
-		}
-
-		goto done;
-	}
-
-	if(*next_index> sec_monit[curr_sec]) /* if at the end of the buffer */
-	{
-		/* if at the end of the buffer */
-		if(*next_index == MAX_NONCE_INDEX)
-		{
-			*next_index = 0;
-			goto index_smaller;
-		}
-		goto done;
-	}
-
-index_smaller:
-	if(*next_index== sec_monit[curr_sec])  /* no more space -> return error */
-	{
-		lock_release(nonce_lock);
-		LM_INFO("no more indexes available\n");
-		return -1;
-	}
-
-done:
-	unset_buf_bit(*next_index);
-	index= *next_index;
-	*next_index = *next_index + 1;
-	LM_DBG("second= %d, sec_monit= %d,  index= %d\n", *second, sec_monit[curr_sec], index);
-	lock_release(nonce_lock);
-	return index;
-}
-
-
-/*!
- * \brief Check if the nonce has been used before
- * \param index index
- * \return 1 if nonce is valid, 0 if not valid or on errors
- */
-int is_nonce_index_valid(int index)
-{
-	/* if greater than MAX_NONCE_INDEX ->error */
-	if(index>= MAX_NONCE_INDEX )    {
-		LM_ERR("index greater than buffer length\n");
-		return 0;
-	}
-
-	lock_get(nonce_lock);
-
-	/* if in the first 30 seconds */
-	if(sec_monit[*second]== -1)
-	{
-		if(index>= *next_index)
-		{
-			LM_DBG("index out of range\n");
-			lock_release(nonce_lock);
-			return 0;
-		}
-		else
-		{
-			set_buf_bit(index);
-			lock_release(nonce_lock);
-			return 1;
-		}
-	}
-
-	/* check if right interval */
-	if(*next_index < sec_monit[*second])
-	{
-		if(!(index>= sec_monit[*second] || index<= *next_index))
-		{
-			LM_DBG("index out of the permitted interval\n");
-			goto error;
-		}
-	}
-	else
-	{
-		if(!(index >= sec_monit[*second] && index<=*next_index))
-		{
-			LM_DBG("index out of the permitted interval\n");
-			goto error;
-		}
-	}
-
-	/* check if the first time used */
-	if(check_buf_bit(index))
-	{
-		LM_DBG("nonce already used\n");
-		goto error;
-	}
-
-	set_buf_bit(index);
-	lock_release(nonce_lock);
-	return 1;
-
-error:
-	lock_release(nonce_lock);
-	return 0;
-}
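Review bot: is_nonce_index_valid() checks only the upper bound (`if(index>= MAX_NONCE_INDEX )`) although `index` is a signed int that get_nonce_index() produces by returning the unsigned result of hex2integer() through an int; a nonce whose index field has the top bit set (eight 'f' digits, for instance) yields a negative index, passes that check, and set_buf_bit(index) then touches nonce_buf[index>>3] before the start of the buffer using a shift by a negative count. Whether this is reachable depends on whether the caller verifies the MD5 part of the nonce before calling this function, and that caller is not in the diff; since the file is deleted here, the thing to verify is that the equivalent check in modules/auth tests both bounds, i.e. `if(index < 0 || index >= MAX_NONCE_INDEX)`. A smaller point in the same file: reserve_nonce_index() bins by get_ticks() while is_nonce_stale() in nonce.c compares against time(0), so the reuse window and the expiry window are measured on two different clocks.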

+ 0 - 51
modules_k/auth/index.h

@@ -1,51 +0,0 @@
-/*
- * $Id$
- *
- * Copyright (C)2008  Voice System S.R.L
- *
- * This file is part of Kamailio, a free SIP server.
- *
- * Kamailio is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version
- *
- * Kamailio is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License 
- * along with this program; if not, write to the Free Software 
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
- *
- * History:
- * --------
- *  2008-05-29  initial version (anca)
-*/
-
-/*!
- * \file
- * \brief Nonce index related functions
- * \ingroup auth
- * - Module: \ref auth
- */
-
-#ifndef _NONCE_INDEX_H_
-#define _NONCE_INDEX_H_
-
-/*!
- * \brief Get valid index for nonce
- * \return index on success, -1 on failure
- */
-int reserve_nonce_index(void);
-
-
-/*!
- * \brief Check if the nonce has been used before
- * \param index index
- * \return 1 if nonce is valid, 0 if not valid or on errors
- */
-int is_nonce_index_valid(int index);
-
-#endif
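Review bot: the comment on is_nonce_index_valid() ("Check if the nonce has been used before", returning 1 if valid) does not say that a successful call also marks the index as used (index.c calls set_buf_bit(index) before returning 1), so it is a consume operation, not a pure check. A caller that invokes it twice for the same request would see a false "already used" on the second call, and a caller that invokes it before the MD5 part of the nonce has been verified would let an unauthenticated sender burn indexes that legitimate clients still hold. If the same prototype exists in modules/auth, its comment should say "validates and consumes" so the ordering constraint is visible at the call site.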

+ 0 - 207
modules_k/auth/nonce.c

@@ -1,207 +0,0 @@
-/*
- * $Id$
- *
- * Copyright (C) 2001-2003 FhG Fokus
- *
- * This file is part of Kamailio, a free SIP server.
- *
- * Kamailio is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version
- *
- * Kamailio is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License 
- * along with this program; if not, write to the Free Software 
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
- */
-
-/*!
- * \file
- * \brief Nonce related functions
- * \ingroup auth
- * - Module: \ref auth
- */
-
-#include <time.h>
-#include <string.h>
-#include <sys/types.h>
-#include <netinet/in.h>
-#include "../../md5.h"
-#include "../../dprint.h"
-#include "../../ut.h"
-#include "../../timer.h"
-#include "nonce.h"
-#include "index.h"
-#include "auth_mod.h"
-
-
-/*!
- * Convert an integer to its hex representation,
- * destination array must be at least 8 bytes long,
- * this string is NOT zero terminated
- */
-static inline void integer2hex(char* _d, int _s)
-{
-	int i;
-	unsigned char j;
-	char* s;
-
-	_s = htonl(_s);
-	s = (char*)&_s;
-
-	for (i = 0; i < 4; i++) {
-		
-		j = (s[i] >> 4) & 0xf;
-		if (j <= 9) {
-			_d[i * 2] = (j + '0');
-		} else { 
-			_d[i * 2] = (j + 'a' - 10);
-		}
-
-		j = s[i] & 0xf;
-		if (j <= 9) {
-			_d[i * 2 + 1] = (j + '0');
-		} else {
-		       _d[i * 2 + 1] = (j + 'a' - 10);
-		}
-	}
-}
-
-
-/*!
- * \brief Convert hex string to integer
- * \param _s hex string
- * \return integer value, can be 0
- */
-static inline int hex2integer(char* _s)
-{
-	unsigned int i, res = 0;
-
-	for(i = 0; i < 8; i++) {
-		res *= 16;
-		if ((_s[i] >= '0') && (_s[i] <= '9')) {
-			res += _s[i] - '0';
-		} else if ((_s[i] >= 'a') && (_s[i] <= 'f')) {
-			res += _s[i] - 'a' + 10;
-		} else if ((_s[i] >= 'A') && (_s[i] <= 'F')) {
-			res += _s[i] - 'A' + 10;
-		} else return 0;
-	}
-
-	return res;
-}
-
-
-/*!
- * \brief Calculate nonce value
- *
- * Calculate nonce value value. The nonce value consists of the
- * expires time (in seconds since 1.1 1970) and a secret phrase.
- * \param _nonce nonce value
- * \param _expires expires value
- * \param _index nonce index
- * \param _secret secret
- */
-void calc_nonce(char* _nonce, int _expires, int _index, str* _secret)
-{
-	MD5_CTX ctx;
-	unsigned char bin[16];
-	unsigned int offset = 8;
-
-	MD5Init(&ctx);
-	
-
-	integer2hex(_nonce, _expires);
-
-	if(nonce_reuse==0)
-	{
-	    integer2hex(_nonce + 8, _index);
-		offset = 16;
-	}
-	MD5Update(&ctx, _nonce, offset);
-
-	MD5Update(&ctx, _secret->s, _secret->len);
-	MD5Final(bin, &ctx);
-	string2hex(bin, 16, _nonce + offset);
-	_nonce[offset + 32] = '\0';
-}
-
-
-/*!
- * \brief Get index from nonce string
- * \param _n nonce string
- * \return nonce index
- */
-int get_nonce_index(str* _n)
-{
-    return hex2integer(_n->s + 8);
-}
-
-
-/*!
- * \brief Get expiry time from nonce string
- * \param _n nonce string
- * \return expiry time
- */
-static inline time_t get_nonce_expires(str* _n)
-{
-	return (time_t)hex2integer(_n->s);
-}
-
-
-/*!
- * \brief Check nonce value received from user agent
- * \param _nonce nonce value
- * \param _secret secret phrase
- * \return 0 when nonce is valid, -1 on errors, positive if nonce not valid
- */
-int check_nonce(str* _nonce, str* _secret)
-{
-	int expires;
-	char non[NONCE_LEN + 1];
-	int index = 0;
-
-	if (_nonce->s == 0) {
-		return -1;  /* Invalid nonce */
-	}
-
-	if (NONCE_LEN != ((nonce_reuse==0)?_nonce->len:_nonce->len+8)) {
-		return 1; /* Lengths must be equal */
-	}
-
-	expires = get_nonce_expires(_nonce);
-	if(nonce_reuse==0)
-	    index = get_nonce_index(_nonce);
-
-	calc_nonce(non, expires, index, _secret);
-
-	LM_DBG("comparing [%.*s] and [%.*s]\n",
-			_nonce->len, ZSW(_nonce->s),
-			((nonce_reuse==0)?NONCE_LEN:NONCE_LEN-8), non);
-	if (!memcmp(non, _nonce->s, _nonce->len)) {
-		return 0;
-	}
-	return 2;
-}
-
-
-/*!
- * \brief Check if a nonce is stale
- * \param _n nonce string
- * \return 1 if the nonce is stale, 0 otherwise
- */
-int is_nonce_stale(str* _n) 
-{
-	if (!_n->s) return 0;
-
-	if (get_nonce_expires(_n) < time(0)) {
-		return 1;
-	} else {
-		return 0;
-	}
-}
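Review bot: check_nonce() verifies the server's own authentication tag with a plain `memcmp(non, _nonce->s, _nonce->len)`, which is not constant-time, and the tag itself is `MD5(expires_hex || index_hex || secret)` rather than a keyed MAC such as HMAC; neither is fixed by this patch because the file is deleted, but the replacement in modules/auth should be checked for the same two patterns. Also note that hex2integer() returns 0 for any non-hex character, so a malformed nonce is parsed as expires=0/index=0 instead of being rejected at parse time; it still fails here only because the tag comparison follows immediately, so any refactor that separates parsing from the tag check needs an explicit syntax check.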

+ 0 - 77
modules_k/auth/nonce.h

@@ -1,77 +0,0 @@
-/*
- * $Id$
- *
- * Copyright (C) 2001-2003 FhG Fokus
- *
- * This file is part of Kamailio, a free SIP server.
- *
- * Kamailio is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version
- *
- * Kamailio is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License 
- * along with this program; if not, write to the Free Software 
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
- */
-
-/*!
- * \file
- * \brief Nonce related functions
- * \ingroup auth
- * - Module: \ref auth
- */
-
-#ifndef NONCE_H
-#define NONCE_H
-
-#include "../../str.h"
-#include <time.h>
-
-
-/*! Length of nonce string in bytes */
-#define NONCE_LEN (16+32)
-
-
-/*!
- * \brief Calculate nonce value
- *
- * Calculate nonce value value. The nonce value consists of the
- * expires time (in seconds since 1.1 1970) and a secret phrase.
- * \param _nonce nonce value
- * \param _expires expires value
- * \param _index nonce index
- * \param _secret secret phrase
- */
-void calc_nonce(char* _nonce, int _expires, int _index, str* _secret);
-
-
-/*!
- * \brief Check nonce value received from user agent
- * \param _nonce nonce value
- * \param _secret secret phrase
- * \return 0 when nonce is valid, -1 on errors, positive if nonce not valid
- */
-int check_nonce(str* _nonce, str* _secret);
-
-
-/*!
- * \brief Get index from nonce string
- * \param _n nonce string
- * \return nonce index
- */
-int get_nonce_index(str* _nonce);
-
-/*!
- * \brief Check if a nonce is stale
- * \param _n nonce string
- * \return 1 if the nonce is stale, 0 otherwise
- */
-int is_nonce_stale(str* _nonce);
-
-#endif
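Review bot: the documentation in this header lags nonce.c: the calc_nonce() comment says the nonce "consists of the expires time ... and a secret phrase" but omits the _index field that the function also encodes when nonce_reuse==0, and `#define NONCE_LEN (16+32)` is only the length in that mode (check_nonce() compensates with `_nonce->len+8` when nonce_reuse!=0). If the same constant and comment were carried over to modules/auth, fix them there; a hard-coded total length that silently depends on a runtime module parameter is easy to get wrong in a later edit.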

+ 0 - 168
modules_k/auth/rfc2617.c

@@ -1,168 +0,0 @@
-/*
- * $Id: rfc2617.c 2 2005-06-13 16:47:24Z bogdan_iancu $
- *
- * Copyright (C) 2001-2003 FhG Fokus
- *
- * This file is part of Kamailio, a free SIP server.
- *
- * Kamailio is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version
- *
- * Kamailio is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License 
- * along with this program; if not, write to the Free Software 
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
- */
-
-/*!
- * \file
- * \brief Digest response calculation as per RFC2617
- * \ingroup auth
- * - Module: \ref auth
- */
-
-#include <sys/types.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include "rfc2617.h"
-#include "../../md5.h"
-
-
-/*!
- * \brief Convert to hex form
- * \param _b hash value
- * \param _h hex value
- */
-inline void cvt_hex(HASH _b, HASHHEX _h)
-{
-	unsigned short i;
-	unsigned char j;
-	
-	for (i = 0; i < HASHLEN; i++) {
-		j = (_b[i] >> 4) & 0xf;
-		if (j <= 9) {
-			_h[i * 2] = (j + '0');
-		} else {
-			_h[i * 2] = (j + 'a' - 10);
-		}
-
-		j = _b[i] & 0xf;
-
-		if (j <= 9) {
-			_h[i * 2 + 1] = (j + '0');
-		} else {
-			_h[i * 2 + 1] = (j + 'a' - 10);
-		}
-	};
-
-	_h[HASHHEXLEN] = '\0';
-}
-
-
-/*!
- * \brief Calculate H(A1) as per HTTP Digest spec
- * \param _alg type of hash algorithm
- * \param _username username
- * \param _realm authentification realm
- * \param _password password
- * \param _nonce nonce value
- * \param _cnonce cnonce value
- * \param _sess_key session key, result will be stored there
- */
-void calc_HA1(ha_alg_t _alg, str* _username, str* _realm, str* _password,
-	      str* _nonce, str* _cnonce, HASHHEX _sess_key)
-{
-	MD5_CTX Md5Ctx;
-	HASH HA1;
-	
-	MD5Init(&Md5Ctx);
-	MD5Update(&Md5Ctx, _username->s, _username->len);
-	MD5Update(&Md5Ctx, ":", 1);
-	MD5Update(&Md5Ctx, _realm->s, _realm->len);
-	MD5Update(&Md5Ctx, ":", 1);
-	MD5Update(&Md5Ctx, _password->s, _password->len);
-	MD5Final(HA1, &Md5Ctx);
-
-	if (_alg == HA_MD5_SESS) {
-		MD5Init(&Md5Ctx);
-		MD5Update(&Md5Ctx, HA1, HASHLEN);
-		MD5Update(&Md5Ctx, ":", 1);
-		MD5Update(&Md5Ctx, _nonce->s, _nonce->len);
-		MD5Update(&Md5Ctx, ":", 1);
-		MD5Update(&Md5Ctx, _cnonce->s, _cnonce->len);
-		MD5Final(HA1, &Md5Ctx);
-	};
-
-	cvt_hex(HA1, _sess_key);
-}
-
-
-/*!
- * \brief Calculate request-digest/response-digest as per HTTP Digest spec
- * \param _ha1 H(A1)
- * \param _nonce nonce from server
- * \param _nc 8 hex digits
- * \param _cnonce cnonce value
- * \param _qop qop-value: "", "auth", "auth-int
- * \param _auth_int  1 if auth-int is used
- * \param _method method from the request
- * \param _uri requested URL/ URI
- * \param _hentity  H(entity body) if qop="auth-int"
- * \param _response request-digest or response-digest
- */
-void calc_response(HASHHEX _ha1,      /* H(A1) */
-		   str* _nonce,       /* nonce from server */
-		   str* _nc,          /* 8 hex digits */
-		   str* _cnonce,      /* client nonce */
-		   str* _qop,         /* qop-value: "", "auth", "auth-int" */
-		   int _auth_int,     /* 1 if auth-int is used */
-		   str* _method,      /* method from the request */
-		   str* _uri,         /* requested URL */
-		   HASHHEX _hentity,  /* H(entity body) if qop="auth-int" */
-		   HASHHEX _response) /* request-digest or response-digest */
-{
-	MD5_CTX Md5Ctx;
-	HASH HA2;
-	HASH RespHash;
-	HASHHEX HA2Hex;
-	
-	/* calculate H(A2) */
-	MD5Init(&Md5Ctx);
-	MD5Update(&Md5Ctx, _method->s, _method->len);
-	MD5Update(&Md5Ctx, ":", 1);
-	MD5Update(&Md5Ctx, _uri->s, _uri->len);
-
-	if (_auth_int) {
-		MD5Update(&Md5Ctx, ":", 1);
-		MD5Update(&Md5Ctx, _hentity, HASHHEXLEN);
-	};
-
-	MD5Final(HA2, &Md5Ctx);
-	cvt_hex(HA2, HA2Hex);
-	
-	/* calculate response */
-	MD5Init(&Md5Ctx);
-	MD5Update(&Md5Ctx, _ha1, HASHHEXLEN);
-	MD5Update(&Md5Ctx, ":", 1);
-	MD5Update(&Md5Ctx, _nonce->s, _nonce->len);
-	MD5Update(&Md5Ctx, ":", 1);
-
-	if (_qop->len) {
-		MD5Update(&Md5Ctx, _nc->s, _nc->len);
-		MD5Update(&Md5Ctx, ":", 1);
-		MD5Update(&Md5Ctx, _cnonce->s, _cnonce->len);
-		MD5Update(&Md5Ctx, ":", 1);
-		MD5Update(&Md5Ctx, _qop->s, _qop->len);
-		MD5Update(&Md5Ctx, ":", 1);
-	};
-	MD5Update(&Md5Ctx, HA2Hex, HASHHEXLEN);
-	MD5Final(RespHash, &Md5Ctx);
-	cvt_hex(RespHash, _response);
-}
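Review bot: in calc_response() the nc/cnonce/qop fields of the response are gated on `_qop->len` while the H(entity-body) term of H(A2) is gated on the separate `_auth_int` flag, so a caller can pass `_auth_int=1` with an empty `_qop` and obtain a digest that matches neither the RFC 2617 `auth` nor `auth-int` form; since this file is deleted in favour of modules/auth, please confirm that the replacement routine derives the auth-int branch from the qop value instead of a second parameter, and fix the doc comment `qop-value: "", "auth", "auth-int` (missing closing quote) if it is carried over.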

+ 0 - 92
modules_k/auth/rfc2617.h

@@ -1,92 +0,0 @@
-/*
- * $Id: rfc2617.h 2 2005-06-13 16:47:24Z bogdan_iancu $
- *
- * Copyright (C) 2001-2003 FhG Fokus
- *
- * This file is part of Kamailio, a free SIP server.
- *
- * Kamailio is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version
- *
- * Kamailio is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License 
- * along with this program; if not, write to the Free Software 
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
- */
-
-/*!
- * \file
- * \brief Digest response calculation as per RFC2617
- * \ingroup auth
- * - Module: \ref auth
- */
-
-#ifndef RFC2617_H
-#define RFC2617_H
-
-#include "../../str.h"
-
-
-#define HASHLEN 16
-typedef char HASH[HASHLEN];
-
-
-#define HASHHEXLEN 32
-typedef char HASHHEX[HASHHEXLEN+1];
-
-
-/*! Type of algorithm used */
-typedef enum {
-	HA_MD5,      /*!< Plain MD5 */
-	HA_MD5_SESS, /*!< MD5-Session */
-} ha_alg_t;
-
-
-/*!
- * \brief Convert to hex form
- * \param _b hash value
- * \param _h hex value
- */
-void cvt_hex(HASH _b, HASHHEX _h);
-
-
-/*!
- * \brief Calculate H(A1) as per HTTP Digest spec
- * \param _alg type of hash algorithm
- * \param _username username
- * \param _realm authentification realm
- * \param _password password
- * \param _nonce nonce value
- * \param _cnonce cnonce value
- * \param _sess_key session key, result will be stored there
- */
-void calc_HA1(ha_alg_t _alg, str* _username, str* _realm,
-		str* _password, str* _nonce, str* _cnonce,
-		HASHHEX _sess_key);
-
-
-/*!
- * \brief Calculate request-digest/response-digest as per HTTP Digest spec
- * \param _ha1 H(A1)
- * \param _nonce nonce from server
- * \param _nc 8 hex digits
- * \param _cnonce
- * \param _qop qop-value: "", "auth", "auth-int
- * \param _auth_int  1 if auth-int is used
- * \param _method method from the request
- * \param _uri requested URL/ URI
- * \param _hentity  H(entity body) if qop="auth-int"
- * \param _response request-digest or response-digest
- */
-void calc_response(HASHHEX _ha1, str* _nonce, str* _nc, str* _cnonce,
-		str* _qop, int _auth_int, str* _method, str* _uri,
-		HASHHEX _hentity, HASHHEX _response);
-
-
-#endif
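Review bot: this header is the only definition of HASH, HASHHEX (sized HASHHEXLEN+1, leaving room for the terminating NUL that cvt_hex() is expected to write), ha_alg_t and the calc_HA1()/calc_response() prototypes; before this lands, confirm that nothing else under modules_k still includes "rfc2617.h" or uses these types, and that modules/auth exports equivalents, and name that replacement file in the commit message so a reader of this deletion can find where the RFC 2617 digest is now computed. Minor: `\param _cnonce` has no description and `"auth-int` lacks its closing quote.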

+ 0 - 9
modules_k/auth/todo.txt

@@ -1,9 +0,0 @@
-- Describe parser structure, how nonce is looked up
-- Describe that www,proxy_authorize must be called before
-  any other function
-- Create some examples how to use digest parser
-
-- Consider MD5-Sess support(will require to store passwords in clear text)
-- auth-int support
-- Database cache
-- Option to use memory only
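Review bot: todo.txt carries design notes that deleting the code does not preserve anywhere visible in this change: that www_authorize()/proxy_authorize() must be called before any other function of the module, that MD5-sess support would require storing passwords in clear text, and that auth-int support was still open; check that the corresponding items exist in the modules/auth documentation or todo before dropping them, since the commit message only says to use modules/auth instead. The two feature items also contradict the deleted rfc2617.c, which already has an HA_MD5_SESS branch and an _auth_int parameter, so whoever tracks them should verify which state modules/auth is actually in.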