void ServerConnection::receive() {
int res = tcp_recv_msg(conn.dia_conn, &conn.rb,
0, CONN_WAIT_USECS);
if (res < 0) {
if (res == AAA_CONN_SHUTDOWN) {
INFO( M_NAME "receive(): shutdown - closing connection.\n");
closeConnection(true);
} else {
closeConnection();
ERROR( M_NAME "receive(): tcp_recv_reply() failed.\n");
}
return;
}
if (!res) // nothing received
return;
/* obtain the structure corresponding to the message */
AAAMessage* msg = AAATranslateMessage(conn.rb.buf, conn.rb.buf_len, 0);
if(!msg) {
ERROR( M_NAME "receive(): message structure not obtained from message.\n");
closeConnection();
return;
}
#ifdef EXTRA_DEBUG
AAAPrintMessage(msg);
#endif
if (is_req(msg))
handleRequest(msg);
else
handleReply(msg);
AAAFreeMessage(&msg);
}
/*
* This function creates and submits diameter authentication request as per
* draft-srinivas-aaa-basic-digest-00.txt.
* Service type of the request is Authenticate-Only.
* Returns:
* 1 - success
* -1 - error
*
*/
int diameter_authorize(struct hdr_field* hdr, str* p_method, struct sip_uri uri,
struct sip_uri ruri, unsigned int m_id, rd_buf_t* rb)
{
str method, user_name;
AAAMessage *req;
AAA_AVP *avp, *position;
int name_flag, port_flag;
dig_cred_t* cred;
unsigned int tmp;
user_name.s=0; /* fixes gcc 4.0 warning */
if ( !p_method )
{
LOG(L_ERR, M_NAME":diameter_authorize(): Invalid parameter value\n");
return -1;
}
if ( (req=AAAInMessage(AA_REQUEST, AAA_APP_NASREQ))==NULL)
return -1;
if(hdr && hdr->parsed)
cred = &(((auth_body_t*)hdr->parsed)->digest);
else
cred = NULL;
method = *p_method;
if(!cred)
{
/* Username AVP */
user_name.len = uri.user.len + uri.host.len;
if(user_name.len>0)
{
user_name.len += 2;
user_name.s = (char*)ad_malloc(user_name.len*sizeof(char));
memset(user_name.s, 0, user_name.len);
memcpy(user_name.s, uri.user.s, uri.user.len);
if(uri.user.len>0)
{
memcpy(user_name.s+uri.user.len, "@", 1);
memcpy(user_name.s+uri.user.len+1, uri.host.s, uri.host.len);
}
else
memcpy(user_name.s, uri.host.s, uri.host.len);
}
if( (avp=AAACreateAVP(AVP_User_Name, 0, 0, user_name.s,
user_name.len, AVP_FREE_DATA)) == 0)
{
LOG(L_ERR,M_NAME":diameter_authorize(): no more free memory!\n");
if(user_name.len>0)
pkg_free(user_name.s);
goto error;
}
if( AAAAddAVPToMessage(req, avp, 0)!= AAA_ERR_SUCCESS)
{
LOG(L_ERR, M_NAME":diameter_authorize(): avp not added \n");
goto error1;
}
}
else /* it is a SIP message with credentials */
{
/* Add Username AVP */
if (cred->username.domain.len>0)
{
if( (avp=AAACreateAVP(AVP_User_Name, 0, 0, cred->username.whole.s,
cred->username.whole.len, AVP_DUPLICATE_DATA)) == 0)
{
LOG(L_ERR, M_NAME":diameter_authorize(): no more free "
"memory!\n");
goto error;
}
if( AAAAddAVPToMessage(req, avp, 0)!= AAA_ERR_SUCCESS)
{
LOG(L_ERR, M_NAME":diameter_authorize(): avp not added \n");
goto error1;
}
}
else
{
user_name.len = cred->username.user.len + cred->realm.len;
if(user_name.len>0)
{
user_name.s = ad_malloc(user_name.len);
if (!user_name.s)
{
LOG(L_ERR, M_NAME":diameter_authorize(): no more free "
"memory\n");
goto error;
}
memcpy(user_name.s, cred->username.whole.s,
cred->username.whole.len);
if(cred->username.whole.len>0)
{
user_name.s[cred->username.whole.len] = '@';
memcpy(user_name.s + cred->username.whole.len + 1,
cred->realm.s, cred->realm.len);
}
else
memcpy(user_name.s, cred->realm.s, cred->realm.len);
}
if( (avp=AAACreateAVP(AVP_User_Name, 0, 0, user_name.s,
user_name.len, AVP_FREE_DATA)) == 0)
{
LOG(L_ERR, M_NAME":diameter_authorize(): no more free "
"memory!\n");
if(user_name.len>0)
pkg_free(user_name.s);
goto error;
}
if( AAAAddAVPToMessage(req, avp, 0)!= AAA_ERR_SUCCESS)
{
LOG(L_ERR, M_NAME":diameter_authorize(): avp not added \n");
goto error1;
}
}
}
/* SIP_MSGID AVP */
DBG("******* m_id=%d\n", m_id);
tmp = m_id;
if( (avp=AAACreateAVP(AVP_SIP_MSGID, 0, 0, (char*)(&tmp),
sizeof(m_id), AVP_DUPLICATE_DATA)) == 0)
{
LOG(L_ERR, M_NAME":diameter_authorize(): no more free memory!\n");
goto error;
}
if( AAAAddAVPToMessage(req, avp, 0)!= AAA_ERR_SUCCESS)
{
LOG(L_ERR, M_NAME":diameter_authorize(): avp not added \n");
goto error1;
}
/* SIP Service AVP */
if( (avp=AAACreateAVP(AVP_Service_Type, 0, 0, SIP_AUTHENTICATION,
SERVICE_LEN, AVP_DUPLICATE_DATA)) == 0)
{
LOG(L_ERR, M_NAME":diameter_authorize(): no more free memory!\n");
goto error;
}
if( AAAAddAVPToMessage(req, avp, 0)!= AAA_ERR_SUCCESS)
{
LOG(L_ERR, M_NAME":diameter_authorize(): avp not added \n");
goto error1;
}
/* Destination-Realm AVP */
if( (avp=AAACreateAVP(AVP_Destination_Realm, 0, 0, uri.host.s,
uri.host.len, AVP_DUPLICATE_DATA)) == 0)
{
LOG(L_ERR, M_NAME":diameter_authorize(): no more free memory!\n");
goto error;
}
#ifdef DEBUG
DBG("Destination Realm: %.*s\n", uri.host.len, uri.host.s);
#endif
if( AAAAddAVPToMessage(req, avp, 0)!= AAA_ERR_SUCCESS)
{
LOG(L_ERR, M_NAME":diameter_authorize(): avp not added \n");
goto error1;
}
/* Resource AVP */
user_name.len = ruri.user.len + ruri.host.len + ruri.port.len + 2;
user_name.s = (char*)ad_malloc(user_name.len*sizeof(char));
memset(user_name.s, 0, user_name.len);
memcpy(user_name.s, ruri.user.s, ruri.user.len);
name_flag= 0;
if(ruri.user.s)
{
name_flag = 1;
memcpy(user_name.s+ruri.user.len, "@", 1);
}
memcpy(user_name.s+ruri.user.len+name_flag, ruri.host.s, ruri.host.len);
port_flag=0;
if(ruri.port.s)
{
port_flag = 1;
memcpy(user_name.s+ruri.user.len+ruri.host.len+1, ":", 1);
}
memcpy(user_name.s+ruri.user.len+ruri.host.len+name_flag+port_flag,
ruri.port.s, ruri.port.len);
#ifdef DEBUG
DBG(M_NAME": AVP_Resource=%.*s\n", user_name.len, user_name.s);
#endif
if( (avp=AAACreateAVP(AVP_Resource, 0, 0, user_name.s,
user_name.len, AVP_FREE_DATA)) == 0)
{
LOG(L_ERR, M_NAME":diameter_authorize(): no more free memory!\n");
if(user_name.s)
pkg_free(user_name.s);
goto error;
}
if( AAAAddAVPToMessage(req, avp, 0)!= AAA_ERR_SUCCESS)
{
LOG(L_ERR, M_NAME":diameter_authorize(): avp not added \n");
goto error1;
}
if(cred) /* it is a SIP message with credentials */
{
/* Response AVP */
if( (avp=AAACreateAVP(AVP_Response, 0, 0, hdr->body.s,
hdr->body.len, AVP_DUPLICATE_DATA)) == 0)
{
LOG(L_ERR, M_NAME":diameter_authorize(): no more free memory!\n");
goto error;
}
position = AAAGetLastAVP(&(req->avpList));
if( AAAAddAVPToMessage(req, avp, position)!= AAA_ERR_SUCCESS)
{
LOG(L_ERR, M_NAME":diameter_authorize(): avp not added \n");
goto error1;
}
/* Method AVP */
if( (avp=AAACreateAVP(AVP_Method, 0, 0, p_method->s,
p_method->len, AVP_DUPLICATE_DATA)) == 0)
{
LOG(L_ERR, M_NAME":diameter_authorize(): no more free memory!\n");
goto error;
}
position = AAAGetLastAVP(&(req->avpList));
if( AAAAddAVPToMessage(req, avp, position)!= AAA_ERR_SUCCESS)
{
LOG(L_ERR, M_NAME":diameter_authorize(): avp not added \n");
goto error1;
}
}
#ifdef DEBUG
AAAPrintMessage(req);
#endif
/* build a AAA message buffer */
if(AAABuildMsgBuffer(req) != AAA_ERR_SUCCESS)
{
LOG(L_ERR, M_NAME":diameter_authorize(): message buffer not created\n");
goto error;
}
if(sockfd==AAA_NO_CONNECTION)
{
sockfd = init_mytcp(diameter_client_host, diameter_client_port);
if(sockfd==AAA_NO_CONNECTION)
{
LOG(L_ERR, M_NAME":diameter_authorize(): failed to reconnect"
" to Diameter client\n");
goto error;
}
}
/* send the message to the DIAMETER CLIENT */
switch( tcp_send_recv(sockfd, req->buf.s, req->buf.len, rb, m_id) )
{
case AAA_ERROR: /* a transmission error occurred */
LOG(L_ERR, M_NAME":diameter_authorize(): message sending to the"
" DIAMETER backend authorization server failed\n");
goto error;
case AAA_CONN_CLOSED:
LOG(L_NOTICE, M_NAME":diameter_authorize(): connection to Diameter"
" client closed.It will be reopened by the next request\n");
close(sockfd);
sockfd = AAA_NO_CONNECTION;
goto error;
case AAA_TIMEOUT:
LOG(L_NOTICE,M_NAME":diameter_authorize(): no response received\n");
close(sockfd);
sockfd = AAA_NO_CONNECTION;
goto error;
}
AAAFreeMessage(&req);
return 1;
error1:
AAAFreeAVP(&avp);
error:
AAAFreeMessage(&req);
return -1;
}
void ServerConnection::openConnection() {
DBG("init TCP connection\n");
if (conn.dia_conn) {
ERROR("CRITICAL: trying to open new connection, while current one still"
" opened.\n");
abort();
}
conn.dia_conn = tcp_create_connection(server_name.c_str(), server_port,
ca_file.c_str(), cert_file.c_str());
if (!conn.dia_conn) {
ERROR("establishing connection to %s\n",
server_name.c_str());
setRetryConnectLater();
return;
}
// send CER
AAAMessage* cer;
if ((cer=AAAInMessage(AAA_CC_CER, AAA_APP_DIAMETER_COMMON_MSG))==NULL) {
ERROR(M_NAME":openConnection(): can't create new "
"CER AAA message!\n");
conn.terminate();
setRetryConnectLater();
return;
}
if (addOrigin(cer)
|| addDataAVP(cer, AVP_Host_IP_Address, origin_ip_address, sizeof(origin_ip_address))
|| addDataAVP(cer, AVP_Vendor_Id, (char*)&vendorID, sizeof(vendorID))
|| addDataAVP(cer, AVP_Supported_Vendor_Id, (char*)&vendorID, sizeof(vendorID))
|| addStringAVP(cer, AVP_Product_Name, product_name)) {
ERROR("openConnection(): adding AVPs failed\n");
conn.terminate();
setRetryConnectLater();
return;
}
// supported applications
AAA_AVP* vs_appid;
if( (vs_appid=AAACreateAVP(AVP_Vendor_Specific_Application_Id, (AAA_AVPFlag)AAA_AVP_FLAG_NONE, 0, 0,
0, AVP_DONT_FREE_DATA)) == 0) {
ERROR( M_NAME":openConnection(): creating AVP failed."
" (no more free memory!)\n");
conn.terminate();
setRetryConnectLater();
return;
}
// feels like c coding...
if (addGroupedAVP(vs_appid, AVP_Auth_Application_Id,
(char*)&app_id, sizeof(app_id)) ||
addGroupedAVP(vs_appid, AVP_Vendor_Id,
(char*)&vendorID, sizeof(vendorID)) ||
(AAAAddAVPToMessage(cer, vs_appid, 0) != AAA_ERR_SUCCESS)
) {
ERROR( M_NAME":openConnection(): creating AVP failed."
" (no more free memory!)\n");
conn.terminate();
setRetryConnectLater();
return;
}
#ifdef EXTRA_DEBUG
AAAPrintMessage(cer);
#endif
conn.setIDs(cer);
if(AAABuildMsgBuffer(cer) != AAA_ERR_SUCCESS) {
ERROR( " openConnection(): message buffer not created\n");
AAAFreeMessage(&cer);
return;
}
int ret = tcp_send(conn.dia_conn, cer->buf.s, cer->buf.len);
if (ret) {
ERROR( "openConnection(): could not send message\n");
conn.terminate();
setRetryConnectLater();
AAAFreeMessage(&cer);
return;
}
AAAFreeMessage(&cer);
unsigned int cea_receive_cnt = 3;
while (true) {
int res = tcp_recv_msg(conn.dia_conn, &conn.rb,
CONNECT_CEA_REPLY_TIMEOUT, 0);
if (res <= 0) {
if (!res) {
ERROR( " openConnection(): did not receive response (CEA).\n");
} else {
ERROR( " openConnection(): error receiving response (CEA).\n");
}
conn.terminate();
setRetryConnectLater();
return;
}
/* obtain the structure corresponding to the message */
AAAMessage* cea = AAATranslateMessage(conn.rb.buf, conn.rb.buf_len, 0);
if(!cea) {
ERROR( " openConnection(): could not decipher response (CEA).\n");
conn.terminate();
setRetryConnectLater();
return;
}
if (cea->commandCode == AAA_CC_CEA) {
#ifdef EXTRA_DEBUG
AAAPrintMessage(cea);
#endif
AAAFreeMessage(&cea);
break;
}
AAAFreeMessage(&cea);
if (!(cea_receive_cnt--)) {
ERROR( " openConnection(): no CEA received.\n");
conn.terminate();
setRetryConnectLater();
return;
}
}
DBG("Connection opened.\n");
open = true;
}
/* it checks if a user is member of a group */
int diameter_is_user_in(struct sip_msg* _m, char* _hf, char* _group)
{
str *grp, user_name, user, domain, uri;
dig_cred_t* cred = 0;
int hf_type;
struct hdr_field* h;
struct sip_uri puri;
AAAMessage *req;
AAA_AVP *avp;
int ret;
unsigned int tmp;
grp = (str*)_group; /* via fixup */
hf_type = (int)(long)_hf;
uri.s = 0;
uri.len = 0;
/* extract the uri according with the _hf parameter */
switch(hf_type)
{
case 1: /* Request-URI */
uri = *(GET_RURI(_m));
break;
case 2: /* To */
if (get_to_uri(_m, &uri) < 0)
{
LM_ERR("failed to extract To\n");
return -2;
}
break;
case 3: /* From */
if (get_from_uri(_m, &uri) < 0)
{
LM_ERR("failed to extract From URI\n");
return -3;
}
break;
case 4: /* Credentials */
get_authorized_cred(_m->authorization, &h);
if (!h)
{
get_authorized_cred(_m->proxy_auth, &h);
if (!h)
{
LM_ERR("no authorized credentials found "
"(error in scripts)\n");
return -4;
}
}
cred = &((auth_body_t*)(h->parsed))->digest;
break;
}
if (hf_type != 4)
{
if (parse_uri(uri.s, uri.len, &puri) < 0)
{
LM_ERR("failed to parse URI\n");
return -5;
}
user = puri.user;
domain = puri.host;
}
else
{
user = cred->username.user;
domain = cred->realm;
}
/* user@domain mode */
if (use_domain)
{
user_name.s = 0;
user_name.len = user.len + domain.len;
if(user_name.len>0)
{
user_name.len++;
user_name.s = (char*)pkg_malloc(user_name.len);
if (!user_name.s)
{
LM_ERR("no pkg memory left\n");
return -6;
}
memcpy(user_name.s, user.s, user.len);
if(user.len>0)
{
user_name.s[user.len] = '@';
memcpy(user_name.s + user.len + 1, domain.s, domain.len);
}
else
memcpy(user_name.s, domain.s, domain.len);
}
}
else
user_name = user;
if ( (req=AAAInMessage(AA_REQUEST, AAA_APP_NASREQ))==NULL)
{
LM_ERR("can't create new AAA message!\n");
return -1;
}
/* Username AVP */
if( (avp=AAACreateAVP(AVP_User_Name, 0, 0, user_name.s,
user_name.len, AVP_DUPLICATE_DATA)) == 0)
{
LM_ERR("no more pkg memory!\n");
goto error;
}
if( AAAAddAVPToMessage(req, avp, 0)!= AAA_ERR_SUCCESS)
{
LM_ERR("avp not added \n");
goto error1;
}
/* Usergroup AVP */
if( (avp=AAACreateAVP(AVP_User_Group, 0, 0, grp->s,
grp->len, AVP_DUPLICATE_DATA)) == 0)
{
LM_ERR("no more pkg memory!\n");
goto error;
}
if( AAAAddAVPToMessage(req, avp, 0)!= AAA_ERR_SUCCESS)
{
LM_ERR("avp not added \n");
goto error1;
}
/* SIP_MSGID AVP */
LM_DBG("******* m_id=%d\n", _m->id);
tmp = _m->id;
if( (avp=AAACreateAVP(AVP_SIP_MSGID, 0, 0, (char*)(&tmp),
sizeof(tmp), AVP_DUPLICATE_DATA)) == 0)
{
LM_ERR("no more pkg memory!\n");
goto error;
}
if( AAAAddAVPToMessage(req, avp, 0)!= AAA_ERR_SUCCESS)
{
LM_ERR("avp not added \n");
goto error1;
}
/* ServiceType AVP */
if( (avp=AAACreateAVP(AVP_Service_Type, 0, 0, SIP_GROUP_CHECK,
SERVICE_LEN, AVP_DUPLICATE_DATA)) == 0)
{
LM_ERR("no more pkg memory!\n");
goto error;
}
if( AAAAddAVPToMessage(req, avp, 0)!= AAA_ERR_SUCCESS)
{
LM_ERR("avp not added \n");
goto error1;
}
/* Destination-Realm AVP */
uri = *(GET_RURI(_m));
parse_uri(uri.s, uri.len, &puri);
if( (avp=AAACreateAVP(AVP_Destination_Realm, 0, 0, puri.host.s,
puri.host.len, AVP_DUPLICATE_DATA)) == 0)
{
LM_ERR("no more pkg memory!\n");
goto error;
}
if( AAAAddAVPToMessage(req, avp, 0)!= AAA_ERR_SUCCESS)
{
LM_ERR("avp not added \n");
goto error1;
}
#ifdef DEBUG
AAAPrintMessage(req);
#endif
/* build a AAA message buffer */
if(AAABuildMsgBuffer(req) != AAA_ERR_SUCCESS)
{
LM_ERR("message buffer not created\n");
goto error;
}
if(sockfd==AAA_NO_CONNECTION)
{
sockfd = init_mytcp(diameter_client_host, diameter_client_port);
if(sockfd==AAA_NO_CONNECTION)
{
LM_ERR("failed to reconnect to Diameter client\n");
goto error;
}
}
ret =tcp_send_recv(sockfd, req->buf.s, req->buf.len, rb, _m->id);
if(ret == AAA_CONN_CLOSED)
{
LM_NOTICE("connection to Diameter client closed."
"It will be reopened by the next request\n");
close(sockfd);
sockfd = AAA_NO_CONNECTION;
goto error;
}
if(ret != AAA_USER_IN_GROUP)
{
LM_ERR("message sending to the DIAMETER backend authorization server"
"failed or user is not in group\n");
goto error;
}
AAAFreeMessage(&req);
return 1;
error1:
AAAFreeAVP(&avp);
error:
AAAFreeMessage(&req);
return -1;
}
