File: api.h

kamailio 4.2.0-2
/*
 * $Id$
 *
 * Digest Authentication Module
 *
 * Copyright (C) 2001-2003 FhG Fokus
 *
 * This file is part of ser, a free SIP server.
 *
 * ser is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version
 *
 * For a license to use the ser software under conditions
 * other than those described here, or to purchase support for this
 * software, please contact iptel.org by e-mail at the following addresses:
 *    info@iptel.org
 *
 * ser is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License 
 * along with this program; if not, write to the Free Software 
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
 */

#ifndef API_H
#define API_H


#include "../../parser/msg_parser.h"
#include "../../parser/digest/digest.h"
#include "../../sr_module.h"
#include "../../usr_avp.h"
#include "../../parser/hf.h"
#include "../../str.h"
#include "challenge.h"
#include "rfc2617.h"

/**
 * Return codes handed back to the config script by auth functions.
 *
 * Only AUTH_OK (1) is positive; every failure reason is negative and
 * AUTH_DROP is 0. The negative values are not contiguous: -7 is not
 * assigned in this header.
 *
 * NOTE(review): AUTH_USER_UNKNOWN and AUTH_INVALID_PASSWORD let a script
 * tell a missing account from a wrong password. If a routing script answers
 * the peer differently for the two, account names become enumerable --
 * worth checking in any script that branches on these codes.
 */
typedef enum auth_cfg_result {
	AUTH_USER_MISMATCH = -8,    /*!< Auth user != From/To user */
	AUTH_NONCE_REUSED = -6,     /*!< Returned if nonce is used more than once */
	AUTH_NO_CREDENTIALS = -5,   /*!< Credentials missing */
	AUTH_STALE_NONCE = -4,      /*!< Stale nonce */
	AUTH_USER_UNKNOWN = -3,     /*!< User not found */
	AUTH_INVALID_PASSWORD = -2, /*!< Invalid password */
	AUTH_ERROR = -1,            /*!< Error occurred */
	AUTH_DROP = 0,              /*!< Error, stop config execution */
	AUTH_OK = 1                 /*!< Success */
} auth_cfg_result_t;


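/**
 * Flags for checks in auth functions.
 *
 * Each expansion is parenthesized so the flag stays a single operand
 * wherever it is used. A bare `1<<1` is regrouped by any neighbouring
 * operator that binds tighter than `<<` (for example `x + 1<<1` parses as
 * `(x + 1) << 1`), which would silently test or set the wrong bit in code
 * that decides whether an identity check is applied.
 */
#define AUTH_CHECK_ID_F (1<<0)
#define AUTH_CHECK_SKIPFWD_F (1<<1)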

/**
 * Return codes of the auth API functions.
 *
 * Only NONCE_REUSED has an explicit value; the others follow by C enum
 * numbering, which gives the values noted on each line.
 *
 * The sign does not separate success from failure: BAD_CREDENTIALS,
 * CREATE_CHALLENGE and DO_RESYNCHRONIZATION are positive, like
 * AUTHENTICATED. Callers should compare against the specific enumerator
 * rather than test `> 0` or `>= 0`.
 *
 * The numbering also differs from auth_cfg_result_t (ERROR is -2 here while
 * AUTH_ERROR is -1; STALE_NONCE is -3 while AUTH_STALE_NONCE is -4), so a
 * value of this type has to be translated before it is returned to the
 * config script.
 */
typedef enum auth_result {
	NONCE_REUSED = -5,  /* Returned if nonce is used more than once */
	NO_CREDENTIALS,     /* (-4) Credentials missing */
	STALE_NONCE,        /* (-3) Stale nonce */
	ERROR,              /* (-2) Error occurred, a reply has been sent out -> return 0 to the ser core */
	NOT_AUTHENTICATED,  /* (-1) Don't perform authentication, credentials missing */
	DO_AUTHENTICATION,  /* (0) Perform digest authentication */
	AUTHENTICATED,      /* (1) Authenticated by default, no digest authentication necessary */
	BAD_CREDENTIALS,    /* (2) Digest credentials are malformed */
	CREATE_CHALLENGE,   /* (3) When AKAv1-MD5 is used, the first request does not contain credentials,
	                     * only username, realm and algorithm. Server should get Authentication
	                     * Vector from AuC/HSS, create challenge and send it to the UE. */
	DO_RESYNCHRONIZATION   /* (4) When AUTS is received we need to do resynchronization
	                        * of sequence numbers with the mobile station. */
} auth_result_t;


/*
 * Check of an authorization header body. The signature takes the message,
 * the parsed digest body and an out-parameter for an auth_result_t.
 * NOTE(review): the meaning of the int return value and when *auth_res is
 * written are not visible in this header -- confirm in the implementation.
 */
typedef int (*check_auth_hdr_t)(struct sip_msg* msg, auth_body_t* auth_body,
		auth_result_t* auth_res);
int check_auth_hdr(struct sip_msg* msg, auth_body_t* auth_body,
		auth_result_t* auth_res);

/*
 * Purpose of this function is to find credentials with given realm,
 * do sanity check, validate credential correctness and determine if
 * we should really authenticate (there must be no authentication for
 * ACK and CANCEL).
 *
 * hftype selects the header type to search and hdr receives the header
 * that was found. check_auth_hdr is the header check callback.
 * NOTE(review): presumably a NULL callback selects a default check --
 * confirm in the implementation before relying on it.
 *
 * The result is an auth_result_t; compare it against specific enumerators,
 * since several non-success codes of that enum are positive.
 */
typedef auth_result_t (*pre_auth_t)(struct sip_msg* msg, str* realm,
				    hdr_types_t hftype, struct hdr_field** hdr,
					check_auth_hdr_t check_auth_hdr);
auth_result_t pre_auth(struct sip_msg* msg, str* realm, hdr_types_t hftype,
		       struct hdr_field** hdr, check_auth_hdr_t check_auth_hdr);


/*
 * Purpose of this function is to do post authentication steps like
 * marking authorized credentials and so on.
 *
 * hdr is the credentials header; presumably the one returned by pre_auth
 * through its hdr out-parameter -- confirm against callers.
 */
typedef auth_result_t (*post_auth_t)(struct sip_msg* msg,
		struct hdr_field* hdr);
auth_result_t post_auth(struct sip_msg* msg, struct hdr_field* hdr);

/*
 * Check the digest response in cred for the given method against ha1.
 * NOTE(review): ha1 is passed as a bare char* with no length, so it
 * presumably must be a NUL-terminated HA1 string -- confirm the expected
 * format. HA1 is password-equivalent for digest authentication for its
 * user and realm; callers should keep it out of logs and debug output.
 * The meaning of the int return value is not visible in this header.
 */
typedef int (*check_response_t)(dig_cred_t* cred, str* method, char* ha1);
int auth_check_response(dig_cred_t* cred, str* method, char* ha1);

/*
 * Challenge the sender of msg for the given realm.
 * NOTE(review): flags and hftype are plain ints here; their accepted values
 * are not defined in this header -- confirm in the implementation.
 */
typedef int (*auth_challenge_f)(struct sip_msg *msg, str *realm, int flags,
		int hftype);
int auth_challenge(struct sip_msg *msg, str *realm, int flags,
		int hftype);

/*
 * Authenticate msg for the given realm using a caller-supplied passwd.
 * NOTE(review): whether passwd is a plaintext password or a precomputed
 * HA1 presumably depends on flags -- confirm; either form is a secret and
 * should not be logged. Return values are presumably auth_cfg_result_t
 * codes -- confirm.
 */
typedef int (*pv_authenticate_f)(struct sip_msg *msg, str *realm, str *passwd,
		int flags, int hftype, str *method);
int pv_authenticate(struct sip_msg *msg, str *realm, str *passwd,
		int flags, int hftype, str *method);

/*
 * NOTE(review): by its name this removes already-verified credentials from
 * msg so they are not forwarded downstream -- confirm in the
 * implementation.
 */
typedef int (*consume_credentials_f)(struct sip_msg* msg);
int consume_credentials(struct sip_msg* msg);

/*
 * Auth module API
 *
 * Table of function pointers (plus the qop parameter) that other modules
 * obtain through bind_auth_s() / auth_load_api(). The members are plain
 * pointers; a consumer should only call through them after a successful
 * bind, since nothing in this header initializes the structure.
 */
typedef struct auth_api_s {
    pre_auth_t pre_auth;                  /* The function to be called before authentication */
    post_auth_t post_auth;                /* The function to be called after authentication */
    build_challenge_hf_t build_challenge; /* Function to build digest challenge header */
    struct qp* qop;                       /* qop module parameter */
	calc_HA1_t         calc_HA1;          /* HA1 calculation; type is not declared in this header (presumably rfc2617.h) */
	calc_response_t    calc_response;     /* Digest response calculation; type is not declared in this header (presumably rfc2617.h) */
	check_response_t   check_response;    /* Digest response check; same signature as auth_check_response() */
	auth_challenge_f   auth_challenge;    /* Challenge function; same signature as auth_challenge() */
	pv_authenticate_f  pv_authenticate;   /* Authentication with a caller-supplied password; same signature as pv_authenticate() */
	consume_credentials_f consume_credentials; /* Same signature as consume_credentials() */
} auth_api_s_t;

/*
 * Bind function exported by the auth module under the name "bind_auth_s".
 * auth_load_api() treats a negative return value as failure.
 */
typedef int (*bind_auth_s_t)(auth_api_s_t* api);
int bind_auth_s(auth_api_s_t* api);

/**
 * Load the AUTH module API.
 *
 * Looks up the export named "bind_auth_s" with find_export() and calls it
 * with @p api.
 *
 * @param api  API structure handed to the auth module's bind function.
 * @return 0 on success; -1 if the export cannot be found or if the bind
 *         function returns a negative value (an error is logged in both
 *         cases).
 */
static inline int auth_load_api(auth_api_s_t* api)
{
	/* resolve the auth module's bind function by its exported name */
	bind_auth_s_t binder = (bind_auth_s_t)find_export("bind_auth_s", 0, 0);

	if (!binder) {
		LM_ERR("unable to find bind_auth function. Check if you load"
				" the auth module.\n");
		return -1;
	}

	/* import the API; a non-negative result means the table was bound */
	if (binder(api) >= 0)
		return 0;

	LM_ERR("unable to bind auth module\n");
	return -1;
}

#endif /* API_H */