int ds_hash_authusername(struct sip_msg *msg, unsigned int *hash)
{
/* Header, which contains the authorization */
struct hdr_field* h = 0;
/* The Username */
str username = {0, 0};
/* The Credentials from this request */
auth_body_t* cred;
if(msg==NULL || hash == NULL)
{
LM_ERR("bad parameters\n");
return -1;
}
if (parse_headers(msg, HDR_PROXYAUTH_F, 0) == -1)
{
LM_ERR("error parsing headers!\n");
return -1;
}
if (msg->proxy_auth && !msg->proxy_auth->parsed)
parse_credentials(msg->proxy_auth);
if (msg->proxy_auth && msg->proxy_auth->parsed) {
h = msg->proxy_auth;
}
if (!h)
{
if (parse_headers(msg, HDR_AUTHORIZATION_F, 0) == -1)
{
LM_ERR("error parsing headers!\n");
return -1;
}
if (msg->authorization && !msg->authorization->parsed)
parse_credentials(msg->authorization);
if (msg->authorization && msg->authorization->parsed) {
h = msg->authorization;
}
}
if (!h)
{
LM_DBG("No Authorization-Header!\n");
return 1;
}
cred=(auth_body_t*)(h->parsed);
if (!cred || !cred->digest.username.user.len)
{
LM_ERR("No Authorization-Username or Credentials!\n");
return 1;
}
username.s = cred->digest.username.user.s;
username.len = cred->digest.username.user.len;
trim(&username);
*hash = ds_get_hash(&username, NULL);
return 0;
}
void
process(char *name, pid_t *cids, int cnum)
{
pid_t pid = getpid();
pid_t ppid = getppid();
pid_t pgrp = getpgrp();
pid_t sid = getsid(0);
FILE *fp;
fp = fopen(name, "w");
fprintf(fp, "pid/spid\tppid/sppid\tsid/ssid\n");
fclose(fp);
while (1) {
int ret = 0, i;
fp = fopen(name, "a");
fprintf(fp, "%d/%d\t%d/%d\t%d/%d\n",
getpid(), pid,
getppid(), ppid,
getsid(0), sid);
fclose(fp);
ret = check_credentials(pid, ppid, pgrp, sid);
if (ret) {
parse_credentials(ret, name, pid, ppid, pgrp, sid);
}
for (i = 0; i < cnum; i++) {
if (kill(cids[i], 0) < 0) {
printf("%s: no child #%d = %d\n", name, i, cids[i]);
}
}
sleep(1);
}
}
/**
* Returns the Private Identity extracted from the Authorization header.
* If none found there takes the SIP URI in To without the "sip:" prefix
* \todo - remove the fallback case to the To header
* @param msg - the SIP message
* @param realm - the realm to match in an Authorization header
* @returns the str containing the private id, no mem dup
*/
str cscf_get_private_identity(struct sip_msg *msg, str realm) {
str pi = {0, 0};
struct hdr_field* h = 0;
int ret, i, res;
if ((parse_headers(msg, HDR_AUTHORIZATION_F, 0) != 0) && (parse_headers(msg, HDR_PROXYAUTH_F, 0) != 0)) {
return pi;
}
h = msg->authorization;
if (!msg->authorization) {
goto fallback;
}
if (realm.len && realm.s) {
ret = find_credentials(msg, &realm, HDR_AUTHORIZATION_F, &h);
if (ret < 0) {
ret = find_credentials(msg, &realm, HDR_PROXYAUTH_F, &h);
if (ret < 0) {
goto fallback;
} else {
if (ret >0) {
goto fallback;
}
h = msg->proxy_auth;
}
} else {
if (ret > 0) {
goto fallback;
}
}
}
if (!h)
goto fallback;
res = parse_credentials(h);
if (res != 0) {
LOG(L_ERR, "Error while parsing credentials\n");
return pi;
}
if (h) pi = ((auth_body_t*) h->parsed)->digest.username.whole;
goto done;
fallback:
pi = cscf_get_public_identity(msg);
if (pi.len > 4 && strncasecmp(pi.s, "sip:", 4) == 0) {
pi.s += 4;
pi.len -= 4;
}
for (i = 0; i < pi.len; i++)
if (pi.s[i] == ';') {
pi.len = i;
break;
}
done:
return pi;
}
static int verify_callback(int ok, X509_STORE_CTX *ctx)
{
char *userid;
X509 *xs;
PROXY_CERT_INFO_EXTENSION *pci;
char *credstr;
PVFS_credentials *credentials;
char error_msg[256];
int ret;
/* prior verifies have succeeded */
if (ok == 1)
{
/* parse the credential string uid/gid from the policy */
xs = ctx->current_cert;
if (xs->ex_flags & EXFLAG_PROXY)
{
/* get userid for error logging */
userid = (char *) X509_STORE_CTX_get_ex_data(ctx,
get_proxy_auth_ex_data_userid());
/* get credentials in {UID}/{GID} form from cert policy */
pci = (PROXY_CERT_INFO_EXTENSION *)
X509_get_ext_d2i(xs, NID_proxyCertInfo, NULL, NULL);
if (pci->proxyPolicy->policy != NULL && pci->proxyPolicy->policy->length > 0)
{
credstr = (char *) pci->proxyPolicy->policy->data;
credentials = (PVFS_credentials *) X509_STORE_CTX_get_ex_data(
ctx, get_proxy_auth_ex_data_cred());
ret = parse_credentials(credstr, &credentials->uid,
&credentials->gid);
if (ret != 0)
{
_snprintf(error_msg, sizeof(error_msg), "User %s: proxy "
"certificate contains invalid credential policy",
userid);
report_cert_error(error_msg);
ok = 0;
}
}
else
{
_snprintf(error_msg, sizeof(error_msg), "User %s: proxy "
"certificate contains no credential policy",
userid);
report_cert_error(error_msg);
ok = 0;
}
PROXY_CERT_INFO_EXTENSION_free(pci);
}
}
return ok;
}
static str
get_diverter(struct sip_msg *msg)
{
struct hdr_field *header;
dig_cred_t *credentials;
int_str avpname, avpvalue;
static str diverter;
diverter.s = "None";
diverter.len = 4;
avpname.n = diverter_avp_id;
if (search_first_avp(AVP_VAL_STR, avpname, &avpvalue, NULL)) {
// have a diverted call
diverter = avpvalue.s;
} else {
get_authorized_cred(msg->proxy_auth, &header);
if (header) {
credentials = &((auth_body_t*)(header->parsed))->digest;
} else {
if (parse_headers(msg, HDR_PROXYAUTH_F, 0) == -1) {
LOG(L_ERR, "cannot parse Proxy-Authorization header\n");
return diverter;
}
if (!msg->proxy_auth)
return diverter;
if (parse_credentials(msg->proxy_auth) != 0) {
LOG(L_ERR, "cannot parse credentials\n");
return diverter;
}
credentials = &((auth_body_t*)(msg->proxy_auth->parsed))->digest;
}
if (credentials->username.user.len > 0 &&
credentials->username.domain.len > 0 &&
credentials->realm.len == 0 &&
credentials->nonce.len == 0 &&
credentials->response.len == 0) {
// this is a call diverted from the failure route
// and sent back to proxy with append_pa_hf()
diverter = credentials->username.whole;
}
}
return diverter;
}
/**
* Find credentials with given realm in a SIP message header.
* @param _m - the SIP message to look into
* @param _realm - the realm to match in the authorization header
* @param _hftype - the header type (HDR_AUTHORIZATION_T,HDR_PROXYAUTH_T)
* @param _h - header pointer to fill with the match
* @returns 0 on success, 1 if not found
* \note This function is taken from the auth module
*/
inline int find_credentials(struct sip_msg* _m, str* _realm,
hdr_types_t _hftype, struct hdr_field** _h)
{
struct hdr_field** hook, *ptr, *prev;
hdr_flags_t hdr_flags;
int res;
str* r;
/*
* Determine if we should use WWW-Authorization or
* Proxy-Authorization header fields, this parameter
* is set in www_authorize and proxy_authorize
*/
switch(_hftype) {
case HDR_AUTHORIZATION_T:
hook = &(_m->authorization);
hdr_flags=HDR_AUTHORIZATION_F;
break;
case HDR_PROXYAUTH_T:
hook = &(_m->proxy_auth);
hdr_flags=HDR_PROXYAUTH_F;
break;
default:
hook = &(_m->authorization);
hdr_flags=HDR_T2F(_hftype);
break;
}
/*
* If the credentials haven't been parsed yet, do it now
*/
if (*hook == 0) {
/* No credentials parsed yet */
if (parse_headers(_m, hdr_flags, 0) == -1) {
LOG(L_ERR, "find_credentials(): Error while parsing headers\n");
return -1;
}
}
ptr = *hook;
/*
* Iterate through the credentials in the message and
* find credentials with given realm
*/
while(ptr) {
res = parse_credentials(ptr);
ptr->type = HDR_AUTHORIZATION_T;
if (res < 0) {
LOG(L_ERR, "find_credentials(): Error while parsing credentials\n");
return (res == -1) ? -2 : -3;
} else if (res == 0) {
if (_realm->len) {
r = &(((auth_body_t*)(ptr->parsed))->digest.realm);
if (r->len == _realm->len) {
if (!strncasecmp(_realm->s, r->s, r->len)) {
*_h = ptr;
return 0;
}
}
}
else {
*_h = ptr;
return 0;
}
}
prev = ptr;
if (parse_headers(_m, hdr_flags, 1) == -1) {
LOG(L_ERR, "find_credentials(): Error while parsing headers\n");
return -4;
} else {
if (prev != _m->last_header) {
if (_m->last_header->type == _hftype) ptr = _m->last_header;
else break;
} else break;
}
}
/*
* Credentials with given realm not found
*/
return 1;
}
/* Find credentials with given realm in a SIP message header */
int find_credentials(struct sip_msg* _m, str* _realm, int _hftype,
struct hdr_field** _h)
{
struct hdr_field** hook, *ptr, *prev;
int res;
str* r;
switch(_hftype)
{
case HDR_AUTHORIZATION: hook = &(_m->authorization); break;
case HDR_PROXYAUTH: hook = &(_m->proxy_auth); break;
default: hook = &(_m->authorization); break;
}
/* If the credentials haven't been parsed yet, do it now */
if (*hook == 0)
if (parse_headers(_m, _hftype, 0) == -1)
{
LOG(L_ERR, M_NAME":find_credentials(): Error while parsing headers\n");
return -1;
}
ptr = *hook;
/* Iterate through the credentials of the message to find
credentials with given realm
*/
while(ptr)
{
res = parse_credentials(ptr);
if (res < 0)
{
LOG(L_ERR, M_NAME":find_credentials(): Error while parsing "
"credentials\n");
return (res == -1) ? -2 : -3;
}
else
if (res == 0)
{
r = &(((auth_body_t*)(ptr->parsed))->digest.realm);
if (r->len == _realm->len)
{
if (!strncasecmp(_realm->s, r->s, r->len))
{
*_h = ptr;
return 0;
}
}
}
prev = ptr;
if (parse_headers(_m, _hftype, 1) == -1)
{
LOG(L_ERR, M_NAME":find_credentials(): Error while parsing"
" headers\n");
return -4;
}
else
{
if (prev != _m->last_header)
{
if (_m->last_header->type == _hftype) ptr = _m->last_header;
else break;
}
else break;
}
}
/* Credentials with given realm not found */
return 1;
}
/*
* Find credentials with given realm in a SIP message header
*/
int find_credentials(struct sip_msg* msg, str* realm,
hdr_types_t hftype, struct hdr_field** hdr)
{
struct hdr_field** hook, *ptr;
hdr_flags_t hdr_flags;
int res;
str* r;
/*
* Determine if we should use WWW-Authorization or
* Proxy-Authorization header fields, this parameter
* is set in www_authorize and proxy_authorize
*/
switch(hftype) {
case HDR_AUTHORIZATION_T:
hook = &(msg->authorization);
hdr_flags=HDR_AUTHORIZATION_F;
break;
case HDR_PROXYAUTH_T:
hook = &(msg->proxy_auth);
hdr_flags=HDR_PROXYAUTH_F;
break;
default:
hook = &(msg->authorization);
hdr_flags=HDR_T2F(hftype);
break;
}
/*
* If the credentials haven't been parsed yet, do it now
*/
if (*hook == 0) {
/* No credentials parsed yet */
if (parse_headers(msg, hdr_flags, 0) == -1) {
LM_ERR("error while parsing headers\n");
return -1;
}
}
ptr = *hook;
/*
* Iterate through the credentials in the message and
* find credentials with given realm
*/
while(ptr) {
res = parse_credentials(ptr);
if (res < 0) {
LM_ERR("error while parsing credentials\n");
return (res == -1) ? -2 : -3;
} else if (res == 0) {
r = &(((auth_body_t*)(ptr->parsed))->digest.realm);
if (r->len == realm->len) {
if (!strncasecmp(realm->s, r->s, r->len)) {
*hdr = ptr;
return 0;
}
}
}
if (parse_headers(msg, hdr_flags, 1) == -1) {
LM_ERR("error while parsing headers\n");
return -4;
} else {
ptr = next_sibling_hdr(ptr);
if (!ptr)
break;
}
}
/*
* Credentials with given realm not found
*/
return 1;
}
/*
* This function encodes an arbitrary header into a chunk of bytes,
* ready to be sent to the Application Server.
*
* The header codes start with this encoded-bytes:
* 2: SIP-MSG-START based pointer to the header (including header name)
* 2: length of the header
* 1: length of the header name
*/
int encode_header(struct sip_msg *sipmsg,struct hdr_field *hdr,unsigned char *payload,int paylen)
{
int len=0;
unsigned int integer,*methods=0;
char *hdrstart,*tmp;
unsigned short int ptr;
struct to_body *tobody=0;
struct via_body *viabody=0;
struct cseq_body *cseqbody=0;
char *msg,*myerror;
int mlen;
msg=sipmsg->buf;
mlen=sipmsg->len;
hdrstart = hdr->name.s;
if(hdrstart-msg<0){
LM_ERR("header(%.*s) does not belong to sip_msg(hdrstart<msg)\n",
hdr->name.len,hdr->name.s);
return -1;
}
ptr=htons((short int)(hdrstart-msg));
if((hdrstart-msg)>mlen){
LM_ERR("out of the sip_msg bounds (%d>%d)\n",ntohs(ptr),mlen);
return -1;
}
if(hdr->len>(1<<16)){
LM_ERR("length of header too long\n");
return -1;
}
memcpy(payload,&ptr,2);
ptr=htons((short int)(hdr->len));
memcpy(payload+HEADER_LEN_IDX,&ptr,2);
payload[HEADER_NAME_LEN_IDX]=(unsigned char)hdr->name.len;
switch(hdr->type){
case HDR_FROM_T:
case HDR_TO_T:
case HDR_REFER_TO_T:
case HDR_RPID_T:
if(!hdr->parsed){
if((tobody=pkg_malloc(sizeof(struct to_body)))==0){
myerror="Out of memory !!\n";
goto error;
}
parse_to(hdr->body.s,hdr->body.s+hdr->body.len+1,tobody);
if (tobody->error == PARSE_ERROR) {
myerror="bad (REFER,TO,FROM,RPID) header\n";
pkg_free(tobody);
return 5;
goto error;
}
hdr->parsed=(struct to_body*)tobody;
}else
tobody=(struct to_body*)hdr->parsed;
if((len=encode_to_body(hdr->name.s,hdr->len,tobody,payload+5))<0){
myerror="parsing from or to header\n";
goto error;
}else{
return 5+len;
}
break;
case HDR_CONTACT_T:
if(!hdr->parsed)
if(parse_contact(hdr)<0){
myerror="parsing contact\n";
goto error;
}
if((len=encode_contact_body(hdr->name.s,hdr->len,(contact_body_t*)hdr->parsed,payload+5))<0){
myerror="encoding contact header\n";
goto error;
}else{
return 5+len;
}
break;
case HDR_ROUTE_T:
case HDR_RECORDROUTE_T:
if(!hdr->parsed)
if(parse_rr(hdr)<0){
myerror="encoding route or recordroute\n";
goto error;
}
if((len=encode_route_body(hdr->name.s,hdr->len,(rr_t*)hdr->parsed,payload+5))<0){
myerror="encoding route or recordroute header\n";
goto error;
}else{
return 5+len;
}
break;
case HDR_CONTENTLENGTH_T:
if(!hdr->parsed){
tmp=parse_content_length(hdr->body.s,hdr->body.s+hdr->body.len+1,(int*)&integer);
if (tmp==0){
myerror="bad content_length header\n";
goto error;
}
hdr->parsed=(void*)(long)integer;
}
if((len=encode_contentlength(hdr->name.s,hdr->len,(long int)hdr->parsed,(char*)(payload+5)))<0){
myerror="encoding content-length header\n";
goto error;
}else{
return 5+len;
}
break;
case HDR_VIA_T:
if(!hdr->parsed){
if((viabody=pkg_malloc(sizeof(struct via_body)))==0){
myerror="out of memory\n";
goto error;
}
memset(viabody,0,sizeof(struct via_body));
if(parse_via(hdr->body.s,hdr->body.s+hdr->body.len+1,viabody)==0){
myerror="encoding via \n";
goto error;
}
hdr->parsed=viabody;
}
if((len=encode_via_body(hdr->name.s,hdr->len,(struct via_body*)hdr->parsed,payload+5))<0){
myerror="encoding via header\n";
goto error;
}else{
return 5+len;
}
break;
case HDR_ACCEPT_T:
if(!hdr->parsed){
if(parse_accept_hdr(sipmsg)<0){
return 5;
}
}
if((len=encode_accept(hdr->name.s,hdr->len,(unsigned int*)hdr->parsed,(char*)(payload+5)))<0){
myerror="encoding via header\n";
goto error;
}else{
return 5+len;
}
break;
case HDR_CONTENTTYPE_T:
if(!hdr->parsed){
if(parse_content_type_hdr(sipmsg)<0){
myerror="encoding content-type header\n";
goto error;
}
}
if((len=encode_content_type(hdr->name.s,hdr->len,(unsigned int)get_content_type(sipmsg),(char*)(payload+5)))<0){
myerror="encoding via header\n";
goto error;
}else{
return 5+len;
}
break;
case HDR_CSEQ_T:
if(!hdr->parsed){
if((cseqbody=pkg_malloc(sizeof(struct cseq_body)))==0){
myerror="out of memory\n";
goto error;
}
memset(cseqbody,0,sizeof(struct cseq_body));
if(parse_cseq(hdr->name.s,hdr->body.s+hdr->body.len+1,cseqbody)==0){
myerror="encoding cseq header\n";
goto error;
}
hdr->parsed=cseqbody;
}
if((len=encode_cseq(hdr->name.s,hdr->len,(struct cseq_body*)hdr->parsed,payload+5))<0){
myerror="encoding via header\n";
goto error;
}else{
return 5+len;
}
break;
case HDR_EXPIRES_T:
if(!hdr->parsed){
if(parse_expires(hdr)<0){
myerror="encoding expires header\n";
goto error;
}
}
if((len=encode_expires(hdr->name.s,hdr->len,(exp_body_t *)hdr->parsed,payload+5))<0){
myerror="encoding expires header\n";
goto error;
}else{
return 5+len;
}
break;
case HDR_ALLOW_T:
if(!hdr->parsed){
if((methods=pkg_malloc(sizeof(unsigned int)))==0){
myerror="out of memory\n";
goto error;
}
*methods=0;
if(parse_methods(&hdr->body,methods)!=0){
myerror="encoding allow header\n";
pkg_free(methods);
return 5;
/*goto error;*/
}
hdr->parsed=methods;
}
if((len=encode_allow(hdr->name.s,hdr->len,(unsigned int*)hdr->parsed,(char*)(payload+5)))<0){
myerror="encoding allow header\n";
goto error;
}else{
return 5+len;
}
break;
case HDR_AUTHORIZATION_T:
case HDR_PROXYAUTH_T:
if(!hdr->parsed){
if(parse_credentials(hdr)<0){
myerror="encoding a digest header\n";
goto error;
}
}
if((len=encode_digest(hdr->name.s,hdr->len,(dig_cred_t*)(&(((auth_body_t*)hdr->parsed)->digest)),payload+5))<0){
myerror="encoding allow header\n";
goto error;
}else{
return 5+len;
}
break;
default:
return 5;
}
return 1;
error:
if(tobody)
pkg_free(tobody);
if(cseqbody)
pkg_free(cseqbody);
if(viabody)
free_via_list(viabody);
if(methods)
pkg_free(methods);
LM_ERR("%s",myerror);
return -1;
}