/** * Returns the Private Identity extracted from the Authorization header. * If none found there takes the SIP URI in To without the "sip:" prefix * \todo - remove the fallback case to the To header * @param msg - the SIP message * @param realm - the realm to match in an Authorization header * @param is_proxy_auth 0 if the header is Authorization, anything else for Proxy-Authorization * @returns the str containing the private id, no mem dup */ str get_private_identity(struct sip_msg *msg, str realm, int is_proxy_auth) { str pi={0,0}; struct hdr_field* h=0; int ret,i; if (parse_headers(msg, is_proxy_auth ? HDR_PROXYAUTH_F : HDR_AUTHORIZATION_F,0)!=0) { return pi; } if (!(is_proxy_auth ? msg->proxy_auth : msg->authorization)){ goto fallback; } ret = find_credentials(msg, &realm, is_proxy_auth ? HDR_PROXYAUTH_F : HDR_AUTHORIZATION_F, &h); if (ret < 0) { goto fallback; } else if (ret > 0) { goto fallback; } if (h) pi=((auth_body_t*)h->parsed)->digest.username.whole; goto done; fallback: pi = get_public_identity(msg); if (pi.len>4&&strncasecmp(pi.s,"sip:",4)==0) {pi.s+=4;pi.len-=4;} for(i=0;i<pi.len;i++) if (pi.s[i]==';') { pi.len=i; break; } done: return pi; }
void async_cdp_callback(int is_timeout, void *param, AAAMessage *maa, long elapsed_msecs) { int i, j; int rc = -1, experimental_rc = -1; saved_transaction_t* data = (saved_transaction_t*) param; struct cell *t = 0; int result = CSCF_RETURN_TRUE; int sip_number_auth_items; struct auth_data_item_list *adi_list = 0; AAA_AVP *auth_data; auth_data = 0; int item_number; str authenticate = {0, 0}, authorization2 = {0, 0}, ck = {0, 0}, ik = {0, 0}, ip = {0, 0}, ha1 = {0, 0}; str line_identifier = {0, 0}; str response_auth = {0, 0}, digest_realm = {0, 0}; auth_vector *av = 0, **avlist = 0; HASHHEX ha1_hex; HASHHEX result_hex; str etsi_nonce = {0, 0}; str private_identity, public_identity; str algorithm; if (is_timeout) { update_stat(stat_mar_timeouts, 1); LM_ERR("Transaction timeout - did not get MAA\n"); result = CSCF_RETURN_ERROR; goto error; } if (!maa) { LM_ERR("Error sending message via CDP\n"); result = CSCF_RETURN_ERROR; goto error; } update_stat(mar_replies_received, 1); update_stat(mar_replies_response_time, elapsed_msecs); if (tmb.t_lookup_ident(&t, data->tindex, data->tlabel) < 0) { LM_ERR("t_continue: transaction not found\n"); result = CSCF_RETURN_ERROR; goto error; } /* get the private_identity */ private_identity = get_private_identity(t->uas.request, data->realm, data->is_proxy_auth); if (!private_identity.len) { LM_ERR("No private identity specified (Authorization: username)\n"); stateful_request_reply_async(t, t->uas.request, 403, MSG_403_NO_PRIVATE); result = CSCF_RETURN_FALSE; goto error; } /* get the public_identity */ public_identity = get_public_identity(t->uas.request); if (!public_identity.len) { LM_ERR("No public identity specified (To:)\n"); stateful_request_reply_async(t, t->uas.request, 403, MSG_403_NO_PUBLIC); result = CSCF_RETURN_FALSE; goto error; } //get each individual element from the MAA cxdx_get_result_code(maa, &rc); cxdx_get_experimental_result_code(maa, &experimental_rc); cxdx_get_sip_number_auth_items(maa, &sip_number_auth_items); //now assign the auth_data_item elements //there can be many of these in the MAA struct auth_data_item *adi; int adi_len; char *p; while ((cxdx_get_auth_data_item_answer(maa, &auth_data, &item_number, &algorithm, &authenticate, &authorization2, &ck, &ik, &ip, &ha1, &response_auth, &digest_realm, &line_identifier))) { //create an auth_data_item for each entry in the MAA adi_len = sizeof (struct auth_data_item) +authenticate.len + authorization2.len + ck.len + ik.len + ip.len + ha1.len + line_identifier.len + response_auth.len + digest_realm.len + algorithm.len; adi = (struct auth_data_item*) shm_malloc(adi_len); if (!adi) { LM_CRIT("Out of memory!\n"); result = CSCF_RETURN_ERROR; goto done; } memset(adi, 0, adi_len); //put all elements in the auth_data_item entry p = (char*) (adi + 1); adi->authenticate.s = p; adi->authenticate.len = authenticate.len; memcpy(p, authenticate.s, authenticate.len); p += authenticate.len; adi->authorization.s = p; adi->authorization.len = authorization2.len; memcpy(p, authorization2.s, authorization2.len); p += authorization2.len; adi->auth_scheme.s = p; adi->auth_scheme.len = algorithm.len; memcpy(p, algorithm.s, algorithm.len); p += algorithm.len; adi->ck.s = p; adi->ck.len = ck.len; memcpy(p, ck.s, ck.len); p += ck.len; adi->ik.s = p; adi->ik.len = ik.len; memcpy(p, ik.s, ik.len); p += ik.len; adi->ip.s = p; adi->ip.len = ip.len; memcpy(p, ip.s, ip.len); p += ip.len; adi->ha1.s = p; adi->ha1.len = ha1.len; memcpy(p, ha1.s, ha1.len); p += ha1.len; adi->line_identifier.s = p; adi->line_identifier.len = line_identifier.len; memcpy(p, line_identifier.s, line_identifier.len); p += line_identifier.len; adi->response_auth.s = p; adi->response_auth.len = response_auth.len; memcpy(p, response_auth.s, response_auth.len); p += response_auth.len; adi->digest_realm.s = p; adi->digest_realm.len = digest_realm.len; memcpy(p, digest_realm.s, digest_realm.len); p += digest_realm.len; if (p != (((char*) adi) + adi_len)) { LM_CRIT("buffer overflow\n"); shm_free(adi); adi = 0; result = CSCF_RETURN_ERROR; goto done; } auth_data->code = -auth_data->code; adi->item_number = item_number; int len = sizeof (struct auth_data_item_list); adi_list = (struct auth_data_item_list*) shm_malloc(len); memset(adi_list, 0, len); if (adi_list->first == 0) { adi_list->first = adi_list->last = adi; } else { adi_list->last->next = adi; adi->previous = adi_list->last; adi_list->last = adi; } } if (!(rc) && !(experimental_rc)) { stateful_request_reply_async(t, t->uas.request, 480, MSG_480_DIAMETER_MISSING_AVP); result = CSCF_RETURN_FALSE; goto done; } switch (rc) { case -1: switch (experimental_rc) { case RC_IMS_DIAMETER_ERROR_USER_UNKNOWN: stateful_request_reply_async(t, t->uas.request, 403, MSG_403_USER_UNKNOWN); result = CSCF_RETURN_FALSE; break; case RC_IMS_DIAMETER_ERROR_IDENTITIES_DONT_MATCH: stateful_request_reply_async(t, t->uas.request, 403, MSG_403_IDENTITIES_DONT_MATCH); result = CSCF_RETURN_FALSE; break; case RC_IMS_DIAMETER_ERROR_AUTH_SCHEME_NOT_SUPPORTED: stateful_request_reply_async(t, t->uas.request, 403, MSG_403_AUTH_SCHEME_UNSOPPORTED); result = CSCF_RETURN_FALSE; break; default: stateful_request_reply_async(t, t->uas.request, 403, MSG_403_UNKOWN_EXPERIMENTAL_RC); result = CSCF_RETURN_FALSE; } break; case AAA_UNABLE_TO_COMPLY: stateful_request_reply_async(t, t->uas.request, 403, MSG_403_UNABLE_TO_COMPLY); result = CSCF_RETURN_FALSE; break; case AAA_SUCCESS: goto success; break; default: stateful_request_reply_async(t, t->uas.request, 403, MSG_403_UNKOWN_RC); result = CSCF_RETURN_FALSE; } goto done; success: if (!sip_number_auth_items) { stateful_request_reply_async(t, t->uas.request, 403, MSG_403_NO_AUTH_DATA); result = CSCF_RETURN_FALSE; goto done; } avlist = shm_malloc(sizeof (auth_vector *) * sip_number_auth_items); if (!avlist) { stateful_request_reply_async(t, t->uas.request, 403, MSG_480_HSS_ERROR); result = CSCF_RETURN_FALSE; goto done; } sip_number_auth_items = 0; struct auth_data_item *tmp; tmp = adi_list->first; while (tmp) { if (tmp->ip.len) av = new_auth_vector(tmp->item_number, tmp->auth_scheme, empty_s, tmp->ip, empty_s, empty_s); else if (tmp->line_identifier.len) av = new_auth_vector(tmp->item_number, tmp->auth_scheme, empty_s, line_identifier, empty_s, empty_s); else if (tmp->ha1.len) { if (tmp->response_auth.len) //HSS check { memset(ha1_hex, 0, HASHHEXLEN + 1); memcpy(ha1_hex, tmp->ha1.s, tmp->ha1.len > HASHHEXLEN ? 32 : tmp->ha1.len); etsi_nonce.len = tmp->authenticate.len / 2; etsi_nonce.s = pkg_malloc(etsi_nonce.len); if (!etsi_nonce.s) { LM_ERR("error allocating %d bytes\n", etsi_nonce.len); goto done; } etsi_nonce.len = base16_to_bin(tmp->authenticate.s, tmp->authenticate.len, etsi_nonce.s); calc_response(ha1_hex, &etsi_nonce, &empty_s, &empty_s, &empty_s, 0, &(t->uas.request->first_line.u.request.method), &scscf_name_str, 0, result_hex); pkg_free(etsi_nonce.s); if (!tmp->response_auth.len == 32 || strncasecmp(tmp->response_auth.s, result_hex, 32)) { LM_ERR("The HSS' Response-Auth is different from what we compute locally!\n" " BUT! If you sent an MAR with auth scheme unknown (HSS-Selected Authentication), this is normal.\n" "HA1=\t|%s|\nNonce=\t|%.*s|\nMethod=\t|%.*s|\nuri=\t|%.*s|\nxresHSS=\t|%.*s|\nxresSCSCF=\t|%s|\n", ha1_hex, tmp->authenticate.len, tmp->authenticate.s, t->uas.request->first_line.u.request.method.len, t->uas.request->first_line.u.request.method.s, scscf_name_str.len, scscf_name_str.s, tmp->response_auth.len, tmp->response_auth.s, result_hex); //stateful_register_reply(msg,514,MSG_514_HSS_AUTH_FAILURE); //goto done; } } av = new_auth_vector(tmp->item_number, tmp->auth_scheme, tmp->authenticate, tmp->ha1, empty_s, empty_s); } else av = new_auth_vector(tmp->item_number, tmp->auth_scheme, tmp->authenticate, tmp->authorization, tmp->ck, tmp->ik); if (sip_number_auth_items == 0) avlist[sip_number_auth_items++] = av; else { i = sip_number_auth_items; while (i > 0 && avlist[i - 1]->item_number > av->item_number) i--; for (j = sip_number_auth_items; j > i; j--) avlist[j] = avlist[j - 1]; avlist[i] = av; sip_number_auth_items++; } //TODO need to confirm that removing this has done no problems //tmp->auth_data->code = -tmp->auth_data->code; LM_DBG("Added new auth-vector.\n"); tmp = tmp->next; } //MAA returns a whole list of av! Which should we use? //right now we take the first and put the rest in the AV queue //then we use the first one and then add it to the queue as sent! for (i = 1; i < sip_number_auth_items; i++) if (!add_auth_vector(private_identity, public_identity, avlist[i])) free_auth_vector(avlist[i]); if (!pack_challenge(t->uas.request, data->realm, avlist[0], data->is_proxy_auth)) { stateful_request_reply_async(t, t->uas.request, 500, MSG_500_PACK_AV); result = CSCF_RETURN_FALSE; goto done; } if (data->is_proxy_auth) stateful_request_reply_async(t, t->uas.request, 407, MSG_407_CHALLENGE); else stateful_request_reply_async(t, t->uas.request, 401, MSG_401_CHALLENGE); done: if (avlist) { start_reg_await_timer(avlist[0]); //start the timer to remove stale or unused Auth Vectors //now we add it to the queue as sent as we have already sent the challenge and used it and set the status to SENT if (!add_auth_vector(private_identity, public_identity, avlist[0])) free_auth_vector(avlist[0]); } //free memory if (maa) cdpb.AAAFreeMessage(&maa); if (avlist) { shm_free(avlist); avlist = 0; } if (adi_list) { struct auth_data_item *tmp1 = adi_list->first; while (tmp1) { struct auth_data_item *tmp2 = tmp1->next; shm_free(tmp1); tmp1 = tmp2; } shm_free(adi_list); adi_list = 0; } LM_DBG("DBG:UAR Async CDP callback: ... Done resuming transaction\n"); set_avp_list(AVP_TRACK_FROM | AVP_CLASS_URI, &t->uri_avps_from); set_avp_list(AVP_TRACK_TO | AVP_CLASS_URI, &t->uri_avps_to); set_avp_list(AVP_TRACK_FROM | AVP_CLASS_USER, &t->user_avps_from); set_avp_list(AVP_TRACK_TO | AVP_CLASS_USER, &t->user_avps_to); set_avp_list(AVP_TRACK_FROM | AVP_CLASS_DOMAIN, &t->domain_avps_from); set_avp_list(AVP_TRACK_TO | AVP_CLASS_DOMAIN, &t->domain_avps_to); //make sure we delete any private lumps we created create_return_code(result); if (t) { del_nonshm_lump_rpl(&t->uas.request->reply_lump); tmb.unref_cell(t); } tmb.t_continue(data->tindex, data->tlabel, data->act); free_saved_transaction_data(data); return; error: //don't need to set result code as by default it is ERROR! if (t) { del_nonshm_lump_rpl(&t->uas.request->reply_lump); tmb.unref_cell(t); } tmb.t_continue(data->tindex, data->tlabel, data->act); free_saved_transaction_data(data); }