auth_db(k): updated to use auth(s) module

- aliased {www,proxy}_authorize to {www,proxy}_authenticate since they
  perform user authentication
- use the API provided by modules_s/auth, improved functionality and
  security protection comparing with modules_k/auth

modules_k/auth_db/authdb_mod.c

@@ -42,7 +42,7 @@
 #include "../../error.h"
 #include "../../mod_fix.h"
 #include "../../mem/mem.h"
-#include "../../modules_k/auth/api.h"
+#include "../../modules_s/auth/api.h"
 #include "aaa_avps.h"
 #include "authorize.h"
 
@@ -99,7 +99,7 @@ int use_domain              = 0; /* Use also domain when looking up in table */
 
 db1_con_t* auth_db_handle    = 0; /* database connection handle */
 db_func_t auth_dbf;
-auth_api_k_t auth_api;
+auth_api_s_t auth_api;
 
 char *credentials_list      = DEFAULT_CRED_LIST;
 struct aaa_avp *credentials = 0; /* Parsed list of credentials to load */
@@ -109,8 +109,14 @@ int credentials_n           = 0; /* Number of credentials in the list */
  * Exported functions
  */
 static cmd_export_t cmds[] = {
-	{"www_authorize",   (cmd_function)www_authorize,   2, auth_fixup, 0, REQUEST_ROUTE},
-	{"proxy_authorize", (cmd_function)proxy_authorize, 2, auth_fixup, 0, REQUEST_ROUTE},
+	{"www_authorize",      (cmd_function)www_authenticate,   2, auth_fixup, 0,
+		REQUEST_ROUTE},
+	{"www_authenticate",   (cmd_function)www_authenticate,   2, auth_fixup, 0,
+		REQUEST_ROUTE},
+	{"proxy_authorize",    (cmd_function)proxy_authenticate, 2, auth_fixup, 0,
+		REQUEST_ROUTE},
+	{"proxy_authenticate", (cmd_function)proxy_authenticate, 2, auth_fixup, 0,
+		REQUEST_ROUTE},
 	{0, 0, 0, 0, 0, 0}
 };
 
@@ -167,7 +173,7 @@ static int child_init(int rank)
 
 static int mod_init(void)
 {
-	bind_auth_k_t bind_auth;
+	bind_auth_s_t bind_auth;
 
 	db_url.len = strlen(db_url.s);
 	user_column.len = strlen(user_column.s);
@@ -182,9 +188,10 @@ static int mod_init(void)
 	}
 
 	/* bind to auth module and import the API */
-	bind_auth = (bind_auth_k_t)find_export("bind_auth_k", 0, 0);
+	bind_auth = (bind_auth_s_t)find_export("bind_auth_s", 0, 0);
 	if (!bind_auth) {
-		LM_ERR("unable to find bind_auth function. Check if you load the auth module.\n");
+		LM_ERR("unable to find bind_auth function. Check if you load"
+				" the auth module.\n");
 		return -2;
 	}
 
@@ -225,6 +232,11 @@ static int auth_fixup(void** param, int param_no)
 	db1_con_t* dbh = NULL;
 	str name;
 
+	if(strlen((char*)*param)<=0) {
+		LM_ERR("empty parameter %d not allowed\n", param_no);
+		return -1;
+	}
+
 	if (param_no == 1) {
 		return fixup_spve_null(param, 1);
 	} else if (param_no == 2) {

modules_k/auth_db/authdb_mod.h

@@ -28,7 +28,7 @@
 
 #include "../../str.h"
 #include "../../lib/srdb1/db.h"
-#include "../../modules_k/auth/api.h"
+#include "../../modules_s/auth/api.h"
 #include "../../parser/msg_parser.h"
 
 
@@ -49,7 +49,7 @@ extern int use_domain;        /* If set to 1 then the domain will be used when s
 extern db1_con_t* auth_db_handle; /* database connection handle */
 extern db_func_t auth_dbf;
 
-extern auth_api_k_t auth_api;
+extern auth_api_s_t auth_api;
 
 extern struct aaa_avp* credentials;
 extern int credentials_n;

modules_k/auth_db/authorize.c

@@ -191,7 +191,8 @@ static int generate_avps(db1_res_t* result)
 		default:
 			LM_ERR("subscriber table column `%.*s' has unsuported type. "
 				"Only string/str or int columns are supported by"
-				"load_credentials.\n", result->col.names[i]->len, result->col.names[i]->s);
+				"load_credentials.\n", result->col.names[i]->len,
+				result->col.names[i]->s);
 			break;
 		}
 	}
@@ -203,80 +204,122 @@ static int generate_avps(db1_res_t* result)
 /*
  * Authorize digest credentials
  */
-static inline int authorize(struct sip_msg* _m, gparam_p _realm,
-									char* _table, hdr_types_t _hftype)
+static inline int digest_authenticate(struct sip_msg* msg, gparam_p realm,
+									char* tname, hdr_types_t hftype)
 {
 	char ha1[256];
 	int res;
 	struct hdr_field* h;
 	auth_body_t* cred;
-	auth_result_t ret;
 	str domain, table;
 	db1_res_t* result = NULL;
+	int ret;
 
-	if(!_table) {
+	cred = 0;
+	ret = AUTH_ERROR;
+
+	if(!tname) {
 		LM_ERR("invalid table parameter\n");
-		return -1;
+		return AUTH_ERROR;
 	}
 
-	table.s = _table;
-	table.len = strlen(_table);
+	table.s = tname;
+	table.len = strlen(tname);
 
-	if(fixup_get_svalue(_m, _realm, &domain)!=0)
+	if(fixup_get_svalue(msg, realm, &domain)!=0)
 	{
 		LM_ERR("invalid realm parameter\n");
-		return AUTH_ERROR;
+		goto end;
 	}
 
 	if (domain.len==0)
-		domain.s = 0;
-
-	ret = auth_api.pre_auth(_m, &domain, _hftype, &h);
+	{
+		LM_ERR("invalid realm parameter - empty value\n");
+		goto end;
+	}
 
-	if (ret != DO_AUTHORIZATION)
-		return ret;
+	ret = auth_api.pre_auth(msg, &domain, hftype, &h, NULL);
+	switch(ret) {
+		case ERROR:
+		case BAD_CREDENTIALS:
+			LM_DBG("error or bad credentials\n");
+			ret = AUTH_ERROR;
+			goto end;
+		case CREATE_CHALLENGE:
+			LM_ERR("CREATE_CHALLENGE is not a valid state\n");
+			ret = AUTH_ERROR;
+			goto end;
+		case DO_RESYNCHRONIZATION:
+			LM_ERR("DO_RESYNCHRONIZATION is not a valid state\n");
+			ret = AUTH_ERROR;
+			goto end;
+		case NOT_AUTHENTICATED:
+			LM_DBG("not authenticated\n");
+			ret = AUTH_ERROR;
+			goto end;
+		case DO_AUTHENTICATION:
+			break;
+		case AUTHENTICATED:
+			ret = AUTH_OK;
+			goto end;
+	}
 
 	cred = (auth_body_t*)h->parsed;
 
 	res = get_ha1(&cred->digest.username, &domain, &table, ha1, &result);
 	if (res < 0) {
 		/* Error while accessing the database */
-		return ERROR;
+		ret = AUTH_ERROR;
+		goto end;
 	}
 	if (res > 0) {
 		/* Username not found in the database */
-		auth_dbf.free_result(auth_db_handle, result);
-		return USER_UNKNOWN;
+		ret = AUTH_USER_UNKNOWN;
+		goto end;
 	}
 
 	/* Recalculate response, it must be same to authorize successfully */
-	if (!auth_api.check_response(&(cred->digest),
-				&_m->first_line.u.request.method, ha1)) {
-		ret = auth_api.post_auth(_m, h);
-		if (ret == AUTHORIZED)
-			generate_avps(result);
-		auth_dbf.free_result(auth_db_handle, result);
-		return ret;
+	ret = auth_api.check_response(&(cred->digest),
+				&msg->first_line.u.request.method, ha1);
+	if(ret==AUTHENTICATED) {
+		ret = AUTH_OK;
+		switch(post_auth(msg, h)) {
+			case AUTHENTICATED:
+				generate_avps(result);
+				break;
+			default:
+				ret = AUTH_ERROR;
+				break;
+		}
+	} else {
+		if(ret==NOT_AUTHENTICATED)
+			ret = AUTH_INVALID_PASSWORD;
+		else
+			ret = AUTH_ERROR;
 	}
 
-	auth_dbf.free_result(auth_db_handle, result);
-	return INVALID_PASSWORD;
+end:
+	if(result)
+		auth_dbf.free_result(auth_db_handle, result);
+	return ret;
 }
 
 
 /*
- * Authorize using Proxy-Authorize header field
+ * Authenticate using Proxy-Authorize header field
  */
-int proxy_authorize(struct sip_msg* _m, char* _realm, char* _table)
+int proxy_authenticate(struct sip_msg* _m, char* _realm, char* _table)
 {
-	return authorize(_m, (gparam_p)_realm, _table, HDR_PROXYAUTH_T);
+	return digest_authenticate(_m, (gparam_p)_realm, _table,
+			HDR_PROXYAUTH_T);
 }
 
 
 /*
- * Authorize using WWW-Authorize header field
+ * Authenticate using WWW-Authorize header field
  */
-int www_authorize(struct sip_msg* _m, char* _realm, char* _table)
+int www_authenticate(struct sip_msg* _m, char* _realm, char* _table)
 {
-	return authorize(_m, (gparam_p)_realm, _table, HDR_AUTHORIZATION_T);
+	return digest_authenticate(_m, (gparam_p)_realm, _table,
+			HDR_AUTHORIZATION_T);
 }

modules_k/auth_db/authorize.h

@@ -36,13 +36,13 @@ void auth_db_close(void);
 /*
  * Authorize using Proxy-Authorization header field
  */
-int proxy_authorize(struct sip_msg* _msg, char* _realm, char* _table);
+int proxy_authenticate(struct sip_msg* _msg, char* _realm, char* _table);
 
 
 /*
  * Authorize using WWW-Authorization header field
  */
-int www_authorize(struct sip_msg* _msg, char* _realm, char* _table);
+int www_authenticate(struct sip_msg* _msg, char* _realm, char* _table);
 
 
 #endif /* AUTHORIZE_H */