/* * $Id$ * * Copyright (C) 2012 Smile Communications, jason.penton@smilecoms.com * Copyright (C) 2012 Smile Communications, richard.good@smilecoms.com * * The initial version of this code was written by Dragos Vingarzan * (dragos(dot)vingarzan(at)fokus(dot)fraunhofer(dot)de and the * Fruanhofer Institute. It was and still is maintained in a separate * branch of the original SER. We are therefore migrating it to * Kamailio/SR and look forward to maintaining it from here on out. * 2011/2012 Smile Communications, Pty. Ltd. * ported/maintained/improved by * Jason Penton (jason(dot)penton(at)smilecoms.com and * Richard Good (richard(dot)good(at)smilecoms.com) as part of an * effort to add full IMS support to Kamailio/SR using a new and * improved architecture * * NB: Alot of this code was originally part of OpenIMSCore, * FhG Fokus. * Copyright (C) 2004-2006 FhG Fokus * Thanks for great work! This is an effort to * break apart the various CSCF functions into logically separate * components. We hope this will drive wider use. We also feel * that in this way the architecture is more complete and thereby easier * to manage in the Kamailio/SR environment * * This file is part of Kamailio, a free SIP server. * * Kamailio is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2 of the License, or * (at your option) any later version * * Kamailio is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA * */ #include #include "../../ut.h" #include "../../str.h" #include "../../basex.h" #include "../../hashes.h" #include "../../lib/srdb1/db.h" #include "../../lib/srdb1/db_ut.h" #include "../../dprint.h" #include "../../parser/digest/digest.h" #include "../../parser/hf.h" #include "../../parser/parser_f.h" #include "../../usr_avp.h" #include "../../mod_fix.h" #include "../../mem/mem.h" #include "../cdp/diameter.h" #include "../cdp/diameter_ims_code_result.h" #include "cxdx_mar.h" #include "cxdx_avp.h" #include "../../lib/ims/ims_getters.h" #include "../tm/tm_load.h" #include "api.h" #include "authims_mod.h" #include "authorize.h" #include "utils.h" #include "../../action.h" /* run_actions */ extern unsigned char registration_default_algorithm_type; /**< fixed default algorithm for registration (if none present) */ extern struct tm_binds tmb; extern struct cdp_binds cdpb; extern str registration_qop_str; /**< the qop options to put in the authorization challenges */ extern int av_request_at_sync; /**< how many auth vectors to request in a sync MAR */ extern int av_request_at_once; /**< how many auth vectors to request in a MAR */ extern int auth_vector_timeout; extern int auth_data_timeout; /**< timeout for a hash entry to expire when empty in sec */ extern int auth_used_vector_timeout; extern int add_authinfo_hdr; extern int max_nonce_reuse; extern str scscf_name_str; extern int ignore_failed_auth; extern int av_check_only_impu; auth_hash_slot_t *auth_data; /**< Authentication vector hash table */ static int act_auth_data_hash_size = 0; /**< authentication vector hash table size */ static str empty_s = {0, 0}; str S_WWW = {"WWW", 3}; str S_Proxy = {"Proxy", 5}; str S_Authorization_AKA = {"%.*s-Authenticate: Digest realm=\"%.*s\"," " nonce=\"%.*s\", algorithm=%.*s, ck=\"%.*s\", ik=\"%.*s\"%.*s\r\n", 107}; str S_Authorization_MD5 = {"%.*s-Authenticate: Digest realm=\"%.*s\"," " nonce=\"%.*s\", algorithm=%.*s%.*s\r\n", 102}; str algorithm_types[] = { {"unknown", 7}, {"AKAv1-MD5", 9}, {"AKAv2-MD5", 9}, {"Early-IMS", 9}, {"MD5", 3}, {"CableLabs-Digest", 16}, {"3GPP-Digest", 11}, {"TISPAN-HTTP_DIGEST_MD5", 22}, {"NASS-Bundled", 12}, {0, 0} }; str auth_scheme_types[] = { {"unknown", 7}, {"Digest-AKAv1-MD5", 16}, {"Digest-AKAv2-MD5", 16}, {"Early-IMS-Security", 18}, {"Digest-MD5", 10}, {"Digest", 6}, {"SIP Digest", 10}, {"HTTP_DIGEST_MD5", 15}, {"NASS-Bundled", 12}, {0, 0} }; /** * Convert the SIP Algorithm to its type * @param algorithm - the SIP Algorithm * @returns the algorithm type */ unsigned char get_algorithm_type(str algorithm) { int i; for (i = 0; algorithm_types[i].len > 0; i++) if (algorithm_types[i].len == algorithm.len && strncasecmp(algorithm_types[i].s, algorithm.s, algorithm.len) == 0) return i; return AUTH_UNKNOWN; } /** * Convert the Diameter Authorization Scheme to its type * @param scheme - the Diameter Authorization Scheme * @returns the SIP Algorithm */ unsigned char get_auth_scheme_type(str scheme) { int i; for (i = 0; auth_scheme_types[i].len > 0; i++) if (auth_scheme_types[i].len == scheme.len && strncasecmp(auth_scheme_types[i].s, scheme.s, scheme.len) == 0) return i; return AUTH_UNKNOWN; } static inline int get_ha1(struct username* _username, str* _domain, const str* _table, char* _ha1, db1_res_t** res) { return 0; } /* * Authorize digest credentials */ static int digest_authenticate(struct sip_msg* msg, str *realm, str *table, hdr_types_t hftype) { return 0; } /** * Starts the reg_await_timer for an authentication vector. * @param av - the authentication vector */ inline void start_reg_await_timer(auth_vector *av) { av->expires = get_ticks() + auth_vector_timeout; av->status = AUTH_VECTOR_SENT; } /** * Timer callback for reg await timers. * Drops the auth vectors that have been sent and are expired * Also drops the useless auth vectors - used and no longer needed * @param ticks - what's the time * @param param - a given parameter to be called with */ void reg_await_timer(unsigned int ticks, void* param) { auth_userdata *aud, *aud_next; auth_vector *av, *av_next; int i; LM_DBG("Looking for expired/useless at %d\n", ticks); for (i = 0; i < act_auth_data_hash_size; i++) { auth_data_lock(i); aud = auth_data[i].head; while (aud) { LM_DBG("Slot %4d <%.*s>\n", aud->hash, aud->private_identity.len, aud->private_identity.s); aud_next = aud->next; av = aud->head; while (av) { LM_DBG(".. AV %4d - %d Exp %3d %p\n", av->item_number, av->status, (int) av->expires, av); av_next = av->next; if (av->status == AUTH_VECTOR_USELESS || ((av->status == AUTH_VECTOR_USED || av->status == AUTH_VECTOR_SENT) && av->expires < ticks) ) { LM_DBG("... dropping av %d - %d\n", av->item_number, av->status); if (av->prev) av->prev->next = av->next; else aud->head = av->next; if (av->next) av->next->prev = av->prev; else aud->tail = av->prev; free_auth_vector(av); } av = av_next; } if (!aud->head) { if (aud->expires == 0) { LM_DBG("... started empty aud drop timer\n"); aud->expires = ticks + auth_data_timeout; } else if (aud->expires < ticks) { LM_DBG("... dropping aud \n"); if (aud->prev) aud->prev->next = aud->next; else auth_data[i].head = aud->next; if (aud->next) aud->next->prev = aud->prev; else auth_data[i].tail = aud->prev; free_auth_userdata(aud); } } else aud->expires = 0; aud = aud_next; } auth_data_unlock(i); } LM_DBG("[DONE] Looking for expired/useless at %d\n", ticks); } /* * Authenticate using Proxy-Authorize header field */ /* int proxy_authenticate(struct sip_msg* _m, char* _realm, char* _table) { str srealm; str stable; if (_table == NULL) { LM_ERR("invalid table parameter\n"); return -1; } stable.s = _table; stable.len = strlen(stable.s); if (get_str_fparam(&srealm, _m, (fparam_t*) _realm) < 0) { LM_ERR("failed to get realm value\n"); return -1; //AUTH_ERROR; } if (srealm.len == 0) { LM_ERR("invalid realm parameter - empty value\n"); return -1; //AUTH_ERROR; } LM_DBG("realm value [%.*s]\n", srealm.len, srealm.s); return digest_authenticate(_m, &srealm, &stable, HDR_PROXYAUTH_T); } */ int challenge(struct sip_msg* msg, char* str1, char* alg, int is_proxy_auth, char *route) { str realm = {0, 0}, algo = {0,0}; unsigned int aud_hash; str private_identity, public_identity, auts = {0, 0}, nonce = {0, 0}; auth_vector *av = 0; int algo_type = 0; str route_name; saved_transaction_t* saved_t; tm_cell_t *t = 0; cfg_action_t* cfg_action; if (fixup_get_svalue(msg, (gparam_t*) route, &route_name) != 0) { LM_ERR("no async route block for assign_server_unreg\n"); return -1; } if (!alg) { LM_DBG("no algorithm specified in cfg... using default\n"); } else { if (get_str_fparam(&algo, msg, (fparam_t*) alg) < 0) { LM_ERR("failed to get auth algorithm\n"); return -1; } } LM_DBG("Looking for route block [%.*s]\n", route_name.len, route_name.s); int ri = route_get(&main_rt, route_name.s); if (ri < 0) { LM_ERR("unable to find route block [%.*s]\n", route_name.len, route_name.s); return -1; } cfg_action = main_rt.rlist[ri]; if (cfg_action == NULL) { LM_ERR("empty action lists in route block [%.*s]\n", route_name.len, route_name.s); return -1; } if (get_str_fparam(&realm, msg, (fparam_t*) str1) < 0) { LM_ERR("failed to get realm value\n"); return CSCF_RETURN_ERROR; } if (realm.len == 0) { LM_ERR("invalid realm value - empty content\n"); return CSCF_RETURN_ERROR; } create_return_code(CSCF_RETURN_ERROR); LM_DBG("Need to challenge for realm [%.*s]\n", realm.len, realm.s); if (msg->first_line.type != SIP_REQUEST) { LM_ERR("This message is not a request\n"); return CSCF_RETURN_ERROR; } if (!is_proxy_auth) { LM_DBG("Checking if REGISTER is authorized for realm [%.*s]...\n", realm.len, realm.s); /* First check the parameters */ if (msg->first_line.u.request.method.len != 8 || memcmp(msg->first_line.u.request.method.s, "REGISTER", 8) != 0) { LM_ERR("This message is not a REGISTER request\n"); return CSCF_RETURN_ERROR; } } /* get the private_identity */ private_identity = cscf_get_private_identity(msg, realm); if (!private_identity.len) { LM_ERR("No private identity specified (Authorization: username)\n"); stateful_request_reply(msg, 403, MSG_403_NO_PRIVATE); return CSCF_RETURN_BREAK; } /* get the public_identity */ public_identity = cscf_get_public_identity(msg); if (!public_identity.len) { LM_ERR("No public identity specified (To:)\n"); stateful_request_reply(msg, 403, MSG_403_NO_PUBLIC); return CSCF_RETURN_BREAK; } if (algo.len > 0) { algo_type = get_algorithm_type(algo); } else { algo_type = registration_default_algorithm_type; } // /* check if it is a synchronization request */ // //TODO this is MAR syncing - have removed it currently - TOD maybe put back in // auts = ims_get_auts(msg, realm, is_proxy_auth); // if (auts.len) { // LM_DBG("IMS Auth Synchronization requested <%.*s>\n", auts.len, auts.s); // // nonce = ims_get_nonce(msg, realm); // if (nonce.len == 0) { // LM_DBG("Nonce not found (Authorization: nonce)\n"); // stateful_request_reply(msg, 403, MSG_403_NO_NONCE); // return CSCF_RETURN_BREAK; // } // av = get_auth_vector(private_identity, public_identity, AUTH_VECTOR_USED, &nonce, &aud_hash); // if (!av) // av = get_auth_vector(private_identity, public_identity, AUTH_VECTOR_SENT, &nonce, &aud_hash); // // if (!av) { // LM_ERR("nonce not recognized as sent, no sync!\n"); // auts.len = 0; // auts.s = 0; // } else { // av->status = AUTH_VECTOR_USELESS; // auth_data_unlock(aud_hash); // av = 0; // resync = 1; // } // } //RICHARD changed this //Previous approach sent MAR, got MAA then put auth vectors into queue //Then we try and get that auth vector out the queue (it might be used by someone else so we loop) //new approach //we do MAR get MAA (asynchronously) get auth vector use it to pack the vector etc. //set it to sent and set an expires on it //then add it to the queue! /* loop because some other process might steal the auth_vector that we just retrieved */ //while (!(av = get_auth_vector(private_identity, public_identity, AUTH_VECTOR_UNUSED, 0, &aud_hash))) { if ((av = get_auth_vector(private_identity, public_identity, AUTH_VECTOR_UNUSED, 0, &aud_hash))) { if (!av) { LM_ERR("Error retrieving an auth vector\n"); return CSCF_RETURN_ERROR; } if (!pack_challenge(msg, realm, av, is_proxy_auth)) { stateful_request_reply(msg, 500, MSG_500_PACK_AV); auth_data_unlock(aud_hash); return CSCF_RETURN_ERROR; } start_reg_await_timer(av); //start the timer to remove stale or unused Auth Vectors if (is_proxy_auth) { stateful_request_reply(msg, 407, MSG_407_CHALLENGE); } else { stateful_request_reply(msg, 401, MSG_401_CHALLENGE); } auth_data_unlock(aud_hash); } else { //before we send lets suspend the transaction t = tmb.t_gett(); if (t == NULL || t == T_UNDEFINED) { if (tmb.t_newtran(msg) < 0) { LM_ERR("cannot create the transaction for MAR async\n"); stateful_request_reply(msg, 480, MSG_480_DIAMETER_ERROR); return CSCF_RETURN_BREAK; } t = tmb.t_gett(); if (t == NULL || t == T_UNDEFINED) { LM_ERR("cannot lookup the transaction\n"); stateful_request_reply(msg, 480, MSG_480_DIAMETER_ERROR); return CSCF_RETURN_BREAK; } } saved_t = shm_malloc(sizeof (saved_transaction_t)); if (!saved_t) { LM_ERR("no more memory trying to save transaction state\n"); return CSCF_RETURN_ERROR; } memset(saved_t, 0, sizeof (saved_transaction_t)); saved_t->act = cfg_action; saved_t->realm.s = (char*) shm_malloc(realm.len + 1); if (!saved_t->realm.s) { LM_ERR("no more memory trying to save transaction state : callid\n"); shm_free(saved_t); return CSCF_RETURN_ERROR; } memset(saved_t->realm.s, 0, realm.len + 1); memcpy(saved_t->realm.s, realm.s, realm.len); saved_t->realm.len = realm.len; saved_t->is_proxy_auth = is_proxy_auth; LM_DBG("Suspending SIP TM transaction\n"); if (tmb.t_suspend(msg, &saved_t->tindex, &saved_t->tlabel) < 0) { LM_ERR("failed to suspend the TM processing\n"); free_saved_transaction_data(saved_t); stateful_request_reply(msg, 480, MSG_480_DIAMETER_ERROR); return CSCF_RETURN_BREAK; } if (multimedia_auth_request(msg, public_identity, private_identity, av_request_at_once, auth_scheme_types[algo_type], nonce, auts, scscf_name_str, saved_t)!=0) { LM_ERR("ERR:I_MAR: Error sending MAR or MAR time-out\n"); tmb.t_cancel_suspend(saved_t->tindex, saved_t->tlabel); free_saved_transaction_data(saved_t); stateful_request_reply(msg, 480, MSG_480_DIAMETER_ERROR); return CSCF_RETURN_BREAK; } } return CSCF_RETURN_BREAK; } int www_challenge2(struct sip_msg* msg, char* _route, char* str1, char* str2) { return challenge(msg, str1, 0, 0, _route); } int www_challenge3(struct sip_msg* msg, char* _route, char* str1, char* str2) { return challenge(msg, str1, str2, 0, _route); } int www_resync_auth(struct sip_msg* msg, char* _route, char* str1, char* str2) { str realm = {0, 0}; unsigned int aud_hash; str private_identity, public_identity, auts = {0, 0}, nonce = {0, 0}; auth_vector *av = 0; int algo_type; int is_proxy_auth=0; str route_name; saved_transaction_t* saved_t; tm_cell_t *t = 0; cfg_action_t* cfg_action; if (fixup_get_svalue(msg, (gparam_t*) _route, &route_name) != 0) { LM_ERR("no async route block for assign_server_unreg\n"); return -1; } LM_DBG("Looking for route block [%.*s]\n", route_name.len, route_name.s); int ri = route_get(&main_rt, route_name.s); if (ri < 0) { LM_ERR("unable to find route block [%.*s]\n", route_name.len, route_name.s); return -1; } cfg_action = main_rt.rlist[ri]; if (cfg_action == NULL) { LM_ERR("empty action lists in route block [%.*s]\n", route_name.len, route_name.s); return -1; } if (get_str_fparam(&realm, msg, (fparam_t*) str1) < 0) { LM_ERR("failed to get realm value\n"); return CSCF_RETURN_ERROR; } if (realm.len == 0) { LM_ERR("invalid realm value - empty content\n"); return CSCF_RETURN_ERROR; } create_return_code(CSCF_RETURN_ERROR); if (msg->first_line.type != SIP_REQUEST) { LM_ERR("This message is not a request\n"); return CSCF_RETURN_ERROR; } /* get the private_identity */ private_identity = cscf_get_private_identity(msg, realm); if (!private_identity.len) { LM_ERR("No private identity specified (Authorization: username)\n"); stateful_request_reply(msg, 403, MSG_403_NO_PRIVATE); return CSCF_RETURN_BREAK; } /* get the public_identity */ public_identity = cscf_get_public_identity(msg); if (!public_identity.len) { LM_ERR("No public identity specified (To:)\n"); stateful_request_reply(msg, 403, MSG_403_NO_PUBLIC); return CSCF_RETURN_BREAK; } algo_type = registration_default_algorithm_type; /* check if it is a synchronization request */ //TODO this is MAR syncing - have removed it currently - TOD maybe put back in auts = ims_get_auts(msg, realm, is_proxy_auth); if (auts.len) { LM_DBG("IMS Auth Synchronization requested <%.*s>\n", auts.len, auts.s); nonce = ims_get_nonce(msg, realm); if (nonce.len == 0) { LM_DBG("Nonce not found (Authorization: nonce)\n"); stateful_request_reply(msg, 403, MSG_403_NO_NONCE); return CSCF_RETURN_BREAK; } av = get_auth_vector(private_identity, public_identity, AUTH_VECTOR_USED, &nonce, &aud_hash); if (!av) av = get_auth_vector(private_identity, public_identity, AUTH_VECTOR_SENT, &nonce, &aud_hash); if (!av) { LM_ERR("nonce not recognized as sent, no sync!\n"); auts.len = 0; auts.s = 0; } else { av->status = AUTH_VECTOR_USELESS; auth_data_unlock(aud_hash); av = 0; } } //before we send lets suspend the transaction t = tmb.t_gett(); if (t == NULL || t == T_UNDEFINED) { if (tmb.t_newtran(msg) < 0) { LM_ERR("cannot create the transaction for MAR async\n"); stateful_request_reply(msg, 480, MSG_480_DIAMETER_ERROR); return CSCF_RETURN_BREAK; } t = tmb.t_gett(); if (t == NULL || t == T_UNDEFINED) { LM_ERR("cannot lookup the transaction\n"); stateful_request_reply(msg, 480, MSG_480_DIAMETER_ERROR); return CSCF_RETURN_BREAK; } } saved_t = shm_malloc(sizeof(saved_transaction_t)); if (!saved_t) { LM_ERR("no more memory trying to save transaction state\n"); return CSCF_RETURN_ERROR; } memset(saved_t, 0, sizeof(saved_transaction_t)); saved_t->act = cfg_action; saved_t->realm.s = (char*) shm_malloc(realm.len + 1); if (!saved_t->realm.s) { LM_ERR("no more memory trying to save transaction state : callid\n"); shm_free(saved_t); return CSCF_RETURN_ERROR; } memset(saved_t->realm.s, 0, realm.len + 1); memcpy(saved_t->realm.s, realm.s, realm.len); saved_t->realm.len = realm.len; saved_t->is_proxy_auth = is_proxy_auth; saved_t->is_resync = 1; LM_DBG("Suspending SIP TM transaction\n"); if (tmb.t_suspend(msg, &saved_t->tindex, &saved_t->tlabel) < 0) { LM_ERR("failed to suspend the TM processing\n"); free_saved_transaction_data(saved_t); stateful_request_reply(msg, 480, MSG_480_DIAMETER_ERROR); return CSCF_RETURN_BREAK; } if (multimedia_auth_request(msg, public_identity, private_identity, av_request_at_sync, auth_scheme_types[algo_type], nonce, auts, scscf_name_str, saved_t) != 0) { LM_ERR("ERR:I_MAR: Error sending MAR or MAR time-out\n"); tmb.t_cancel_suspend(saved_t->tindex, saved_t->tlabel); free_saved_transaction_data(saved_t); stateful_request_reply(msg, 480, MSG_480_DIAMETER_ERROR); return CSCF_RETURN_BREAK; } return CSCF_RETURN_BREAK; } int proxy_challenge(struct sip_msg* msg, char* _route, char* str1, char* str2) { return challenge(msg, str1, str2, 1, _route); } /** * Replies to a REGISTER and also adds the need headers * Path and Service-Route are added. * @param msg - the SIP message to operator on * @param code - Reason Code for the response * @param text - Reason Phrase for the response * @returns #CSCF_RETURN_TRUE on success or #CSCF_RETURN_FALSE if not added */ int stateful_request_reply(struct sip_msg *msg, int code, char *text) { unsigned int hash, label; struct hdr_field *h; str t = {0, 0}; if (parse_headers(msg, HDR_EOH_F, 0) < 0) { LM_ERR("Error parsing headers\n"); return -1; } h = msg->headers; while (h) { if (h->name.len == 4 && strncasecmp(h->name.s, "Path", 4) == 0) { t.s = h->name.s; t.len = h->len; ims_add_header_rpl(msg, &(t)); } h = h->next; } /*if (code==200){ ims_add_header_rpl(msg,&scscf_service_route); }*/ //TODO: need to get the service route from somewhere - registrar? if (tmb.t_get_trans_ident(msg, &hash, &label) < 0) { if (tmb.t_newtran(msg) < 0) LM_INFO("Failed creating SIP transaction\n"); } return tmb.t_reply(msg, code, text); } /** * Replies to a REGISTER and also adds the need headers * Path and Service-Route are added. * @param msg - the SIP message to operator on * @param code - Reason Code for the response * @param text - Reason Phrase for the response * @returns #CSCF_RETURN_TRUE on success or #CSCF_RETURN_FALSE if not added */ int stateful_request_reply_async(struct cell* t_cell, struct sip_msg *msg, int code, char *text) { struct hdr_field *h; str t = {0, 0}; if (parse_headers(msg, HDR_EOH_F, 0) < 0) { LM_ERR("Error parsing headers\n"); return -1; } h = msg->headers; while (h) { if (h->name.len == 4 && strncasecmp(h->name.s, "Path", 4) == 0) { t.s = h->name.s; t.len = h->len; ims_add_header_rpl(msg, &(t)); } h = h->next; } return tmb.t_reply_trans(t_cell, msg, code, text); } int authenticate(struct sip_msg* msg, char* _realm, char* str2, int is_proxy_auth) { int ret = -1; //CSCF_RETURN_FALSE; unsigned int aud_hash = 0; str realm; str private_identity, public_identity; str nonce, response16, nc, cnonce, qop_str = {0, 0}, auts = {0, 0}, body, *next_nonce = &empty_s; enum qop_type qop = QOP_UNSPEC; str uri = {0, 0}; HASHHEX expected, ha1, hbody, rspauth; int expected_len = 32; int expires = 0; auth_vector *av = 0; uint32_t nc_parsed = 0; /* the numerical representation of nc */ ret = AUTH_ERROR; if (get_str_fparam(&realm, msg, (fparam_t*) _realm) < 0) { LM_ERR("failed to get realm value\n"); return AUTH_NO_CREDENTIALS; } if (realm.len == 0) { LM_ERR("invalid realm value - empty content\n"); return AUTH_NO_CREDENTIALS; } if (msg->first_line.type != SIP_REQUEST) { LM_ERR("This message is not a request\n"); ret = AUTH_ERROR; goto end; } if (!is_proxy_auth) { LM_DBG("Checking if REGISTER is authorized for realm [%.*s]...\n", realm.len, realm.s); /* First check the parameters */ if (msg->first_line.u.request.method.len != 8 || memcmp(msg->first_line.u.request.method.s, "REGISTER", 8) != 0) { LM_ERR("This message is not a REGISTER request\n"); ret = AUTH_ERROR; goto end; } } if (!realm.len) { LM_ERR("No realm found\n"); return 0; //CSCF_RETURN_BREAK; } private_identity = cscf_get_private_identity(msg, realm); if (!private_identity.len) { LM_ERR("private identity missing\n"); return AUTH_NO_CREDENTIALS; } public_identity = cscf_get_public_identity(msg); if (!public_identity.len) { LM_ERR("public identity missing\n"); return AUTH_NO_CREDENTIALS; } if (!get_nonce_response(msg, realm, &nonce, &response16, &qop, &qop_str, &nc, &cnonce, &uri, is_proxy_auth) || !nonce.len || !response16.len) { LM_DBG("Nonce or response missing: nonce len [%i], response16 len[%i]\n", nonce.len, response16.len); return AUTH_ERROR; } if (qop == QOP_AUTHINT) { body = ims_get_body(msg); calc_H(&body, hbody); } /* first, look for an already used vector (if nonce reuse is enabled) */ if (max_nonce_reuse > 0) { LM_DBG("look for an already used vector for %.*s\n", private_identity.len, private_identity.s); av = get_auth_vector(private_identity, public_identity, AUTH_VECTOR_USED, &nonce, &aud_hash); } if (!av) { /* if none found, or nonce reuse is disabled, look for a fresh vector * We should also drop every other used vector at this point * (there souldn't be more than one) */ LM_DBG("Looking for auth vector based on IMPI: [%.*s] and IMPU: [%.*s]\n", private_identity.len, private_identity.s, public_identity.len, public_identity.s); auth_userdata *aud; auth_vector *av_it; aud = get_auth_userdata(private_identity, public_identity); if (aud) { av_it = aud->head; while (av_it) { if (av_it->status == AUTH_VECTOR_USED) { LM_DBG("vector %p is marked for deletion\n", av_it); av_it->status = AUTH_VECTOR_USELESS; } av_it = av_it->next; } auth_data_unlock(aud->hash); } LM_DBG("look for a fresh vector for %.*s\n", private_identity.len, private_identity.s); av = get_auth_vector(private_identity, public_identity, AUTH_VECTOR_SENT, &nonce, &aud_hash); } LM_INFO("uri=%.*s nonce=%.*s response=%.*s qop=%.*s nc=%.*s cnonce=%.*s hbody=%.*s\n", uri.len, uri.s, nonce.len, nonce.s, response16.len, response16.s, qop_str.len, qop_str.s, nc.len, nc.s, cnonce.len, cnonce.s, 32, hbody); if (!av) { LM_DBG("no matching auth vector found - maybe timer expired\n"); if (ignore_failed_auth) { LM_WARN("NB: Ignoring all failed auth - check your config if you don't expect this\n"); ret = AUTH_OK; } goto end; } if (qop != QOP_UNSPEC) { /* if QOP is sent, nc must be specified */ /* the expected nc is the last used one plus 1 */ int p; for (p = 0; p < 8; ++p) { /* nc is 8LHEX (RFC 2617 ยง3.2.2) */ nc_parsed = (nc_parsed << 4) | UNHEX((int) nc.s[p]); } LM_DBG("nc is %08x, expected: %08x\n", nc_parsed, av->use_nb + 1); if (nc_parsed <= av->use_nb) { /* nc is lower than expected */ ret = AUTH_NONCE_REUSED; av->status = AUTH_VECTOR_USELESS; /* invalidate this vector if any mistake/error occurs */ goto cleanup; } else if (nc_parsed > av->use_nb + 1) { /* nc is bigger than expected */ ret = AUTH_ERROR; av->status = AUTH_VECTOR_USELESS; goto cleanup; } } switch (av->type) { case AUTH_AKAV1_MD5: case AUTH_AKAV2_MD5: case AUTH_MD5: calc_HA1(HA_MD5, &private_identity, &realm, &(av->authorization), &(av->authenticate), &cnonce, ha1); calc_response(ha1, &(av->authenticate), &nc, &cnonce, &qop_str, qop == QOP_AUTHINT, &msg->first_line.u.request.method, &uri, hbody, expected); LM_INFO("UE said: %.*s and we expect %.*s ha1 %.*s (%.*s)\n", response16.len, response16.s, /*av->authorization.len,av->authorization.s,*/32, expected, 32, ha1, msg->first_line.u.request.method.len, msg->first_line.u.request.method.s); break; case AUTH_SIP_DIGEST: case AUTH_DIGEST: // memcpy of received HA1 memcpy(ha1, av->authorization.s, HASHHEXLEN); calc_response(ha1, &(av->authenticate), &nc, &cnonce, &qop_str, qop == QOP_AUTHINT, &msg->first_line.u.request.method, &uri, hbody, expected); LM_INFO("UE said: %.*s and we expect %.*s ha1 %.*s (%.*s)\n", response16.len, response16.s, 32,expected, 32,ha1, msg->first_line.u.request.method.len, msg->first_line.u.request.method.s); break; default: LM_ERR("algorithm %.*s is not handled.\n", algorithm_types[av->type].len, algorithm_types[av->type].s); ret = AUTH_ERROR; goto cleanup; /* release aud before returning */ } expires = cscf_get_max_expires(msg, 0); if (response16.len == expected_len && strncasecmp(response16.s, expected, response16.len) == 0) { if (max_nonce_reuse > 0 && av->status == AUTH_VECTOR_SENT) { /* first use of a reusable vector */ /* set the vector's new timeout */ LM_DBG("vector %p now expires in %d seconds\n", av, auth_used_vector_timeout); av->expires = get_ticks() + auth_used_vector_timeout; } av->use_nb++; LM_DBG("vector %p successfully used %d time(s)\n", av, av->use_nb); if (av->use_nb == max_nonce_reuse + 1) { LM_DBG("vector %p isn't fresh anymore, recycle it with a new nonce\n", av); int i; char y[NONCE_LEN]; for (i = 0; i < NONCE_LEN; i++) y[i] = (unsigned char) ((int) (256.0 * rand() / (RAND_MAX + 1.0))); if (unlikely((av->authenticate.len < 2 * NONCE_LEN))) { if (av->authenticate.s) { shm_free(av->authenticate.s); } av->authenticate.len = 2 * NONCE_LEN; av->authenticate.s = shm_malloc(av->authenticate.len); } if (!av->authenticate.s) { LM_ERR("new_auth_vector: failed allocating %d bytes!\n", av->authenticate.len); av->authenticate.len = 0; goto cleanup; } av->authenticate.len = bin_to_base16(y, NONCE_LEN, av->authenticate.s); next_nonce = &(av->authenticate); av->status = AUTH_VECTOR_USED; av->use_nb = 0; av->expires = get_ticks() + auth_used_vector_timeout; /* reset the timer */ } else if (expires == 0) { /* de-registration */ LM_DBG("de-registration, vector %p isn't needed anymore\n", av); av->status = AUTH_VECTOR_USELESS; } else { av->status = AUTH_VECTOR_USED; /* nextnonce is the current nonce */ next_nonce = &nonce; } ret = AUTH_OK; if (add_authinfo_hdr && expires != 0 /* don't add auth. info if de-registation */) { /* calculate rspauth */ calc_response(ha1, &nonce, &nc, &cnonce, &qop_str, qop == QOP_AUTHINT, 0, &uri, hbody, rspauth); add_authinfo_resp_hdr(msg, *next_nonce, qop_str, rspauth, cnonce, nc); } } else { char authorise[200]; char authenticate_bin[200]; char authenticate_hex[200]; memset(authorise, 0, 200); memset(authenticate_bin, 0, 200); memset(authenticate_hex, 0, 200); int authorise_len = bin_to_base16(av->authorization.s, av->authorization.len, authorise); int authenticate_len = base64_to_bin(av->authenticate.s, av->authenticate.len, authenticate_bin); int authenticate_hex_len = bin_to_base16(authenticate_bin, authenticate_len, authenticate_hex); av->status = AUTH_VECTOR_USELESS; /* first mistake, you're out! (but maybe it's synchronization) */ LM_DBG("UE said: %.*s, but we expect %.*s : authenticate(b64) is [%.*s], authenticate(hex) is [%.*s], authorise is [%d] [%.*s]\n", response16.len, response16.s, 32, expected, av->authenticate.len, av->authenticate.s, authenticate_hex_len,authenticate_hex, authorise_len, authorise_len, authorise); // /* check for auts in authorization header - if it is then we need to resync */ auts = ims_get_auts(msg, realm, is_proxy_auth); if (auts.len) { LM_DBG("IMS Auth Synchronization requested <%.*s>\n", auts.len, auts.s); ret = AUTH_RESYNC_REQUESTED; av->status = AUTH_VECTOR_SENT; } else { ret = AUTH_INVALID_PASSWORD; } } if (ignore_failed_auth) { LM_WARN("NB: Ignoring all failed auth - check your config if you don't expect this\n"); ret = AUTH_OK; } cleanup: auth_data_unlock(aud_hash); end: return ret; } /* * Authenticate using WWW-Authorize header field */ int www_authenticate(struct sip_msg* msg, char* _realm, char* str2) { return authenticate(msg, _realm, str2, 0); } /* * Authenticate using WWW-Authorize header field */ int proxy_authenticate(struct sip_msg* msg, char* _realm, char* str2) { return authenticate(msg, _realm, str2, 1); } /** * @brief bind functions to IMS AUTH API structure */ int bind_ims_auth(ims_auth_api_t * api) { if (!api) { ERR("Invalid parameter value\n"); return -1; } api->digest_authenticate = digest_authenticate; return 0; } /** * Retrieve an authentication vector. * \note returns with a lock, so unlock it when done * @param private_identity - the private identity * @param public_identity - the public identity * @param status - the status of the authentication vector * @param nonce - the nonce in the auth vector * @param hash - the hash to unlock when done * @returns the auth_vector* if found or NULL if not */ auth_vector * get_auth_vector(str private_identity, str public_identity, int status, str *nonce, unsigned int *hash) { auth_userdata *aud; auth_vector *av; aud = get_auth_userdata(private_identity, public_identity); if (!aud) { LM_ERR("no auth userdata\n"); goto error; } av = aud->head; while (av) { LM_DBG("looping through AV status is %d and were looking for %d\n", av->status, status); if (av->status == status && (nonce == 0 || (nonce->len == av->authenticate.len && memcmp(nonce->s, av->authenticate.s, nonce->len) == 0))) { LM_DBG("Found result\n"); *hash = aud->hash; return av; } av = av->next; } error: if (aud) auth_data_unlock(aud->hash); return 0; } /** * Locks the required slot of the auth_data. * @param hash - the index of the slot */ inline void auth_data_lock(unsigned int hash) { lock_get(auth_data[(hash)].lock); } /** * UnLocks the required slot of the auth_data * @param hash - the index of the slot */ inline void auth_data_unlock(unsigned int hash) { lock_release(auth_data[(hash)].lock); } /** * Initializes the Authorization Data structures. * @param size - size of the hash table * @returns 1 on success or 0 on error */ int auth_data_init(int size) { int i; auth_data = shm_malloc(sizeof (auth_hash_slot_t) * size); if (!auth_data) { LM_ERR("error allocating mem\n"); return 0; } memset(auth_data, 0, sizeof (auth_hash_slot_t) * size); for (i = 0; i < size; i++) { auth_data[i].lock = lock_alloc(); lock_init(auth_data[i].lock); } act_auth_data_hash_size = size; return 1; } /** * Destroy the Authorization Data structures */ void auth_data_destroy() { int i; auth_userdata *aud, *next; for (i = 0; i < act_auth_data_hash_size; i++) { auth_data_lock(i); lock_destroy(auth_data[i].lock); lock_dealloc(auth_data[i].lock); aud = auth_data[i].head; while (aud) { next = aud->next; free_auth_userdata(aud); aud = next; } } if (auth_data) shm_free(auth_data); } /** * Create new authorization vector * @param item_number - number to index it in the vectors list * @param auth_scheme - Diameter Authorization Scheme * @param authenticate - the challenge * @param authorization - the expected response * @param ck - the cypher key * @param ik - the integrity key * @returns the new auth_vector* or NULL on error */ auth_vector * new_auth_vector(int item_number, str auth_scheme, str authenticate, str authorization, str ck, str ik) { auth_vector *x = 0; x = shm_malloc(sizeof (auth_vector)); if (!x) { LM_ERR("error allocating mem\n"); goto done; } memset(x, 0, sizeof (auth_vector)); x->item_number = item_number; x->type = get_auth_scheme_type(auth_scheme); switch (x->type) { case AUTH_AKAV1_MD5: case AUTH_AKAV2_MD5: /* AKA */ x->authenticate.len = authenticate.len * 4 / 3 + 4; x->authenticate.s = shm_malloc(x->authenticate.len); if (!x->authenticate.s) { LM_ERR("error allocating mem\n"); goto done; } x->authenticate.len = bin_to_base64(authenticate.s, authenticate.len, x->authenticate.s); x->authorization.len = authorization.len; x->authorization.s = shm_malloc(x->authorization.len); if (!x->authorization.s) { LM_ERR("error allocating mem\n"); goto done; } memcpy(x->authorization.s, authorization.s, authorization.len); x->ck.len = ck.len; x->ck.s = shm_malloc(ck.len); if (!x->ck.s) { LM_ERR("error allocating mem\n"); goto done; } memcpy(x->ck.s, ck.s, ck.len); x->ik.len = ik.len; x->ik.s = shm_malloc(ik.len); if (!x->ik.s) { LM_ERR("error allocating mem\n"); goto done; } memcpy(x->ik.s, ik.s, ik.len); break; case AUTH_MD5: /* MD5 */ x->authenticate.len = authenticate.len * 2; x->authenticate.s = shm_malloc(x->authenticate.len); if (!x->authenticate.s) { LM_ERR("new_auth_vector: error allocating mem\n"); goto done; } x->authenticate.len = bin_to_base16(authenticate.s, authenticate.len, x->authenticate.s); x->authorization.len = authorization.len; x->authorization.s = shm_malloc(x->authorization.len); if (!x->authorization.s) { LM_ERR("new_auth_vector: error allocating mem\n"); goto done; } memcpy(x->authorization.s, authorization.s, authorization.len); x->authorization.len = authorization.len; break; case AUTH_DIGEST: case AUTH_SIP_DIGEST: { int i; char y[NONCE_LEN]; for (i = 0; i < NONCE_LEN; i++) y[i] = (unsigned char) ((int) (256.0 * rand() / (RAND_MAX + 1.0))); x->authenticate.len = 2 * NONCE_LEN; x->authenticate.s = shm_malloc(x->authenticate.len); if (!x->authenticate.s) { LM_ERR("new_auth_vector: failed allocating %d bytes!\n", x->authenticate.len); x->authenticate.len = 0; goto done; } x->authenticate.len = bin_to_base16(y, NONCE_LEN, x->authenticate.s); } x->authorization.len = authorization.len; x->authorization.s = shm_malloc(x->authorization.len); if (!x->authorization.s) { LM_ERR("new_auth_vector: error allocating mem\n"); x->authorization.len = 0; goto done; } memcpy(x->authorization.s, authorization.s, authorization.len); x->authorization.len = authorization.len; break; case AUTH_HTTP_DIGEST_MD5: x->authenticate.len = authenticate.len; x->authenticate.s = shm_malloc(x->authenticate.len); if (!x->authenticate.s) { LM_ERR("new_auth_vector: error allocating mem\n"); x->authenticate.len = 0; goto done; } memcpy(x->authenticate.s, authenticate.s, authenticate.len); x->authorization.len = authorization.len; x->authorization.s = shm_malloc(x->authorization.len); if (!x->authorization.s) { LM_ERR("new_auth_vector: error allocating mem\n"); x->authorization.len = 0; goto done; } memcpy(x->authorization.s, authorization.s, authorization.len); break; case AUTH_EARLY_IMS: /* early IMS */ x->authenticate.len = 0; x->authenticate.s = 0; x->authorization.len = authorization.len; x->authorization.s = shm_malloc(x->authorization.len); if (!x->authorization.s) { LM_ERR("new_auth_vector: error allocating mem\n"); goto done; } memcpy(x->authorization.s, authorization.s, authorization.len); x->authorization.len = authorization.len; break; case AUTH_NASS_BUNDLED: /* NASS-Bundled */ x->authenticate.len = 0; x->authenticate.s = 0; x->authorization.len = authorization.len; x->authorization.s = shm_malloc(x->authorization.len); if (!x->authorization.s) { LM_ERR("new_auth_vector: error allocating mem\n"); goto done; } memcpy(x->authorization.s, authorization.s, authorization.len); x->authorization.len = authorization.len; break; default: /* all else */ x->authenticate.len = 0; x->authenticate.s = 0; } x->use_nb = 0; x->next = 0; x->prev = 0; x->status = AUTH_VECTOR_UNUSED; x->expires = 0; LM_DBG("new auth-vector with ck [%.*s] with status %d\n", x->ck.len, x->ck.s, x->status); done: return x; } /** * Frees the memory taken by a authentication vector * @param av - the vector to be freed */ void free_auth_vector(auth_vector * av) { if (av) { if (av->authenticate.s) shm_free(av->authenticate.s); if (av->authorization.s) shm_free(av->authorization.s); if (av->ck.s) shm_free(av->ck.s); if (av->ik.s) shm_free(av->ik.s); shm_free(av); } } /** * Creates a new Authorization Userdata structure. * @param private_identity - the private identity to attach to * @param public_identity - the public identity to attach to * @returns the new auth_userdata* on success or NULL on error */ auth_userdata * new_auth_userdata(str private_identity, str public_identity) { auth_userdata *x = 0; x = shm_malloc(sizeof (auth_userdata)); if (!x) { LM_ERR("error allocating mem\n"); goto done; } x->private_identity.len = private_identity.len; x->private_identity.s = shm_malloc(private_identity.len); if (!x) { LM_ERR("error allocating mem\n"); goto done; } memcpy(x->private_identity.s, private_identity.s, private_identity.len); x->public_identity.len = public_identity.len; x->public_identity.s = shm_malloc(public_identity.len); if (!x) { LM_ERR("error allocating mem\n"); goto done; } memcpy(x->public_identity.s, public_identity.s, public_identity.len); x->head = 0; x->tail = 0; x->next = 0; x->prev = 0; done: return x; } /** * Deallocates the auth_userdata. * @param aud - the auth_userdata to be deallocated */ void free_auth_userdata(auth_userdata * aud) { auth_vector *av, *next; if (aud) { if (aud->private_identity.s) shm_free(aud->private_identity.s); if (aud->public_identity.s) shm_free(aud->public_identity.s); av = aud->head; while (av) { next = av->next; free_auth_vector(av); av = next; } shm_free(aud); } } /** * Computes a hash based on the private and public identities * @param private_identity - the private identity * @param public_identity - the public identity * @returns the hash % Auth_data->size */ inline unsigned int get_hash_auth(str private_identity, str public_identity) { if (av_check_only_impu) return core_hash(&public_identity, 0, act_auth_data_hash_size); else return core_hash(&public_identity, 0, act_auth_data_hash_size); /* #define h_inc h+=v^(v>>3) char* p; register unsigned v; register unsigned h; h = 0; for (p = private_identity.s; p <= (private_identity.s + private_identity.len - 4); p += 4) { v = (*p << 24)+(p[1] << 16)+(p[2] << 8) + p[3]; h_inc; } v = 0; for (; p < (private_identity.s + private_identity.len); p++) { v <<= 8; v += *p; } h_inc; for (p = public_identity.s; p <= (public_identity.s + public_identity.len - 4); p += 4) { v = (*p << 24)+(p[1] << 16)+(p[2] << 8) + p[3]; h_inc; } v = 0; for (; p < (public_identity.s + public_identity.len); p++) { v <<= 8; v += *p; } h = ((h)+(h >> 11))+((h >> 13)+(h >> 23)); return (h) % auth_data_hash_size; #undef h_inc */ } /** * Retrieve the auth_userdata for a user. * \note you will return with lock on the hash slot, so release it! * @param private_identity - the private identity * @param public_identity - the public identity * @returns the auth_userdata* found or newly created on success, NULL on error */ auth_userdata * get_auth_userdata(str private_identity, str public_identity) { unsigned int hash = 0; auth_userdata *aud = 0; hash = get_hash_auth(private_identity, public_identity); auth_data_lock(hash); aud = auth_data[hash].head; if (av_check_only_impu) LM_DBG("Searching auth_userdata for IMPU %.*s (Hash %d)\n", public_identity.len, public_identity.s, hash); else LM_DBG("Searching auth_userdata for IMPU %.*s / IMPI %.*s (Hash %d)\n", public_identity.len, public_identity.s, private_identity.len, private_identity.s, hash); while (aud) { if (av_check_only_impu) { if (aud->public_identity.len == public_identity.len && memcmp(aud->public_identity.s, public_identity.s, public_identity.len) == 0) { LM_DBG("Found auth_userdata\n"); return aud; } } else { if (aud->private_identity.len == private_identity.len && aud->public_identity.len == public_identity.len && memcmp(aud->private_identity.s, private_identity.s, private_identity.len) == 0 && memcmp(aud->public_identity.s, public_identity.s, public_identity.len) == 0) { LM_DBG("Found auth_userdata\n"); return aud; } } aud = aud->next; } /* if we get here, there is no auth_userdata for this user */ aud = new_auth_userdata(private_identity, public_identity); if (!aud) { auth_data_unlock(hash); return 0; } aud->prev = auth_data[hash].tail; aud->next = 0; aud->hash = hash; if (!auth_data[hash].head) auth_data[hash].head = aud; if (auth_data[hash].tail) auth_data[hash].tail->next = aud; auth_data[hash].tail = aud; return aud; } /** * Sends a Multimedia-Authentication-Response to retrieve some authentication vectors and maybe synchronize. * Must respond with a SIP reply every time it returns 0 * @param msg - the SIP REGISTER message * @param public_identity - the public identity * @param private_identity - the private identity * @param count - how many vectors to request * @param algorithm - which algorithm to request * @param nonce - the challenge that will be sent * @param auts - the AKA synchronization or empty string if not a synchronization * @param server_name - the S-CSCF name to be saved on the HSS * @returns 1 on success, 0 on failure */ int multimedia_auth_request(struct sip_msg *msg, str public_identity, str private_identity, int count, str auth_scheme, str nonce, str auts, str servername, saved_transaction_t* transaction_data) { str authorization = {0, 0}; int result = -1; int is_sync = 0; if (auts.len) { authorization.s = pkg_malloc(nonce.len * 3 / 4 + auts.len * 3 / 4 + 8); if (!authorization.s) { LM_ERR("no more pkg mem\n"); return result; } authorization.len = base64_to_bin(nonce.s, nonce.len, authorization.s); authorization.len = RAND_LEN; authorization.len += base64_to_bin(auts.s, auts.len, authorization.s + authorization.len); is_sync = 1; } if (is_sync) { drop_auth_userdata(private_identity, public_identity); } LM_DBG("Sending MAR\n"); result = cxdx_send_mar(msg, public_identity, private_identity, count, auth_scheme, authorization, servername, transaction_data); if (authorization.s) pkg_free(authorization.s); return result; } /** * Adds the WWW-Authenticate header for challenge, based on the authentication vector. * @param msg - SIP message to add the header to * @param realm - the realm * @param av - the authentication vector * @returns 1 on success, 0 on error */ int pack_challenge(struct sip_msg *msg, str realm, auth_vector *av, int is_proxy_auth) { str x = {0, 0}; char ck[32], ik[32]; int ck_len, ik_len; str *auth_prefix = is_proxy_auth ? &S_Proxy : &S_WWW; switch (av->type) { case AUTH_AKAV1_MD5: case AUTH_AKAV2_MD5: /* AKA */ ck_len = bin_to_base16(av->ck.s, 16, ck); ik_len = bin_to_base16(av->ik.s, 16, ik); x.len = S_Authorization_AKA.len + auth_prefix->len + realm.len + av->authenticate.len + algorithm_types[av->type].len + ck_len + ik_len + registration_qop_str.len; x.s = pkg_malloc(x.len); if (!x.s) { LM_ERR("Error allocating %d bytes\n", x.len); goto error; } sprintf(x.s, S_Authorization_AKA.s, auth_prefix->len, auth_prefix->s, realm.len, realm.s, av->authenticate.len, av->authenticate.s, algorithm_types[av->type].len, algorithm_types[av->type].s, ck_len, ck, ik_len, ik, registration_qop_str.len, registration_qop_str.s); x.len = strlen(x.s); break; case AUTH_HTTP_DIGEST_MD5: /* ETSI HTTP_DIGEST MD5 */ /* this one continues into the next one */ case AUTH_DIGEST: /* Cable-Labs MD5 */ /* this one continues into the next one */ case AUTH_SIP_DIGEST: /* 3GPP MD5 */ /* this one continues into the next one */ case AUTH_MD5: /* FOKUS MD5 */ x.len = S_Authorization_MD5.len + auth_prefix->len + realm.len + av->authenticate.len + algorithm_types[av->type].len + registration_qop_str.len; x.s = pkg_malloc(x.len); if (!x.s) { LM_ERR("pack_challenge: Error allocating %d bytes\n", x.len); goto error; } sprintf(x.s, S_Authorization_MD5.s, auth_prefix->len, auth_prefix->s, realm.len, realm.s, av->authenticate.len, av->authenticate.s, algorithm_types[AUTH_MD5].len, algorithm_types[AUTH_MD5].s, registration_qop_str.len, registration_qop_str.s); x.len = strlen(x.s); break; default: LM_CRIT("not implemented for algorithm %.*s\n", algorithm_types[av->type].len, algorithm_types[av->type].s); goto error; } if (ims_add_header_rpl(msg, &x)) { pkg_free(x.s); return 1; } error: if (x.s) pkg_free(x.s); return 0; } /** * Adds the Authentication-Info header for, based on the credentials sent by a successful REGISTER. * @param msg - SIP message to add the header to * @returns 1 on success, 0 on error */ int add_authinfo_resp_hdr(struct sip_msg *msg, str nextnonce, str qop, HASHHEX rspauth, str cnonce, str nc) { str authinfo_hdr; static const char authinfo_fmt[] = "Authentication-Info: " "nextnonce=\"%.*s\"," "qop=%.*s," "rspauth=\"%.*s\"," "cnonce=\"%.*s\"," "nc=%.*s\r\n"; authinfo_hdr.len = sizeof (authinfo_fmt) + nextnonce.len + qop.len + HASHHEXLEN + cnonce.len + nc.len - 20 /* format string parameters */ - 1 /* trailing \0 */; authinfo_hdr.s = pkg_malloc(authinfo_hdr.len + 1); if (!authinfo_hdr.s) { LM_ERR("add_authinfo_resp_hdr: Error allocating %d bytes\n", authinfo_hdr.len); goto error; } snprintf(authinfo_hdr.s, authinfo_hdr.len + 1, authinfo_fmt, nextnonce.len, nextnonce.s, qop.len, qop.s, HASHHEXLEN, rspauth, cnonce.len, cnonce.s, nc.len, nc.s); LM_DBG("authinfo hdr built: %.*s", authinfo_hdr.len, authinfo_hdr.s); if (ims_add_header_rpl(msg, &authinfo_hdr)) { LM_DBG("authinfo hdr added"); pkg_free(authinfo_hdr.s); return 1; } error: if (authinfo_hdr.s) pkg_free(authinfo_hdr.s); return 0; } /** * Add an authentication vector to the authentication userdata storage. * @param private_identity - the private identity * @param public_identity - the public identity * @param av - the authentication vector * @returns 1 on success or 0 on error */ int add_auth_vector(str private_identity, str public_identity, auth_vector * av) { auth_userdata *aud; aud = get_auth_userdata(private_identity, public_identity); if (!aud) goto error; LM_DBG("Adding auth_vector (status %d) for IMPU %.*s / IMPI %.*s (Hash %d)\n", av->status, public_identity.len, public_identity.s, private_identity.len, private_identity.s, aud->hash); av->prev = aud->tail; av->next = 0; if (!aud->head) aud->head = av; if (aud->tail) aud->tail->next = av; aud->tail = av; auth_data_unlock(aud->hash); return 1; error: return 0; } /** * Declares all auth vectors as useless when we do a synchronization * @param private_identity - the private identity * @param public_identity - the public identity * @returns 1 on sucess, 0 on error */ int drop_auth_userdata(str private_identity, str public_identity) { auth_userdata *aud; auth_vector *av; aud = get_auth_userdata(private_identity, public_identity); if (!aud) goto error; av = aud->head; while (av) { LM_DBG("dropping auth vector that was in status %d\n", av->status); av->status = AUTH_VECTOR_USELESS; av = av->next; } auth_data_unlock(aud->hash); return 1; error: LM_DBG("no authdata to drop any auth vectors\n"); if (aud) auth_data_unlock(aud->hash); return 0; }