/// Strip headers as appropriate when crossing a trust boundary.
static void proxy_strip_trusted(pjsip_tx_data *tdata)
{
TRC_DEBUG("Strip trusted headers");
PJUtils::remove_hdr(tdata->msg, &STR_P_A_N_I);
PJUtils::remove_hdr(tdata->msg, &STR_P_V_N_I);
PJUtils::remove_hdr(tdata->msg, &STR_P_SERVED_USER);
pjsip_msg_find_remove_hdr(tdata->msg, PJSIP_H_AUTHORIZATION, NULL);
pjsip_msg_find_remove_hdr(tdata->msg, PJSIP_H_PROXY_AUTHORIZATION, NULL);
}
void
addContactHeader(const pj_str_t *contact_str, pjsip_tx_data *tdata)
{
pjsip_contact_hdr *contact = pjsip_contact_hdr_create(tdata->pool);
contact->uri = pjsip_parse_uri(tdata->pool, contact_str->ptr,
contact_str->slen, PJSIP_PARSE_URI_AS_NAMEADDR);
// remove old contact header (if present)
pjsip_msg_find_remove_hdr(tdata->msg, PJSIP_H_CONTACT, NULL);
pjsip_msg_add_hdr(tdata->msg, (pjsip_hdr*) contact);
}
pj_bool_t authenticate_rx_request(pjsip_rx_data* rdata)
{
TRC_DEBUG("Authentication module invoked");
pj_status_t status;
bool is_register = (rdata->msg_info.msg->line.req.method.id == PJSIP_REGISTER_METHOD);
SNMP::SuccessFailCountTable* auth_stats_table = NULL;
std::string resync;
SAS::TrailId trail = get_trail(rdata);
if (!needs_authentication(rdata, trail))
{
TRC_DEBUG("Request does not need authentication");
return PJ_FALSE;
}
TRC_DEBUG("Request needs authentication");
rapidjson::Document* av = NULL;
const int unauth_sc = is_register ? PJSIP_SC_UNAUTHORIZED : PJSIP_SC_PROXY_AUTHENTICATION_REQUIRED;
int sc = unauth_sc;
status = PJSIP_EAUTHNOAUTH;
pjsip_digest_credential* credentials = get_credentials(rdata);
if ((credentials != NULL) &&
(credentials->response.slen != 0))
{
std::string impi = PJUtils::pj_str_to_string(&credentials->username);
std::string nonce = PJUtils::pj_str_to_string(&credentials->nonce);
uint64_t cas = 0;
av = av_store->get_av(impi, nonce, cas, trail);
if (!is_register)
{
// Challenged non-register requests must be SIP digest, so only one table
// needed for this case.
auth_stats_table = auth_stats_tables->non_register_auth_tbl;
}
else
{
if (!pj_strcmp2(&credentials->algorithm, "MD5"))
{
auth_stats_table = auth_stats_tables->sip_digest_auth_tbl;
}
else if (!pj_strcmp2(&credentials->algorithm, "AKAv1-MD5"))
{
auth_stats_table = auth_stats_tables->ims_aka_auth_tbl;
}
else
{
// Authorization header did not specify an algorithm, so check the av for
// this information instead.
if ((av != NULL) && (av->HasMember("aka")))
{
auth_stats_table = auth_stats_tables->ims_aka_auth_tbl;
}
else
{
// Use the digest table if the AV specified digest, or as a fallback if there was no AV
auth_stats_table = auth_stats_tables->sip_digest_auth_tbl;
}
}
}
if (auth_stats_table != NULL)
{
auth_stats_table->increment_attempts();
}
// Request contains a response to a previous challenge, so pass it to
// the authentication module to verify.
TRC_DEBUG("Verify authentication information in request");
status = pjsip_auth_srv_verify2((is_register ? &auth_srv : &auth_srv_proxy), rdata, &sc, (void*)av);
if (status == PJ_SUCCESS)
{
// The authentication information in the request was verified.
TRC_DEBUG("Request authenticated successfully");
SAS::Event event(trail, SASEvent::AUTHENTICATION_SUCCESS, 0);
SAS::report_event(event);
if (auth_stats_table != NULL)
{
auth_stats_table->increment_successes();
}
// Write a tombstone flag back to the AV store, handling contention.
// We don't actually expect anything else to be writing to this row in
// the AV store, but there is a window condition where we failed to read
// from the primary, successfully read from the backup (with a different
// CAS value) and then try to write back to the primary, which fails due
// to "contention".
Store::Status store_status;
do
{
// Set the tomestone flag in the JSON authentication vector.
rapidjson::Value tombstone_value;
tombstone_value.SetBool(true);
av->AddMember("tombstone", tombstone_value, (*av).GetAllocator());
// Store it. If this fails due to contention, read the updated JSON.
store_status = av_store->set_av(impi, nonce, av, cas, trail);
if (store_status == Store::DATA_CONTENTION)
{
// LCOV_EXCL_START - No support for contention in UT
TRC_DEBUG("Data contention writing tombstone - retry");
delete av;
av = av_store->get_av(impi, nonce, cas, trail);
if (av == NULL)
{
store_status = Store::ERROR;
}
// LCOV_EXCL_STOP
}
}
while (store_status == Store::DATA_CONTENTION);
if (store_status != Store::OK)
{
// LCOV_EXCL_START
TRC_ERROR("Tried to tombstone AV for %s/%s after processing an authentication, but failed",
impi.c_str(),
nonce.c_str());
// LCOV_EXCL_STOP
}
// If doing AKA authentication, check for an AUTS parameter. We only
// check this if the request authenticated as actioning it otherwise
// is a potential denial of service attack.
if (!pj_strcmp(&credentials->algorithm, &STR_AKAV1_MD5))
{
TRC_DEBUG("AKA authentication so check for client resync request");
pjsip_param* p = pjsip_param_find(&credentials->other_param,
&STR_AUTS);
if (p != NULL)
{
// Found AUTS parameter, so UE is requesting a resync. We need to
// redo the authentication, passing an auts parameter to the HSS
// comprising the first 16 octets of the nonce (RAND) and the 14
// octets of the auts parameter. (See TS 33.203 and table 6.3.3 of
// TS 29.228 for details.)
TRC_DEBUG("AKA SQN resync request from UE");
std::string auts = PJUtils::pj_str_to_string(&p->value);
std::string nonce = PJUtils::pj_str_to_string(&credentials->nonce);
// Convert the auts and nonce to binary for manipulation
nonce = base64_decode(nonce);
auts = base64_decode(auts);
if ((auts.length() != 14) ||
(nonce.length() != 32))
{
// AUTS and/or nonce are malformed, so reject the request.
TRC_WARNING("Invalid auts/nonce on resync request from private identity %.*s",
credentials->username.slen,
credentials->username.ptr);
status = PJSIP_EAUTHINAKACRED;
sc = PJSIP_SC_FORBIDDEN;
}
else
{
// auts and nonce are as expected, so create the resync string
// that needs to be passed to the HSS, and act as if no
// authentication information was received. The resync string
// should be RAND || AUTS.
resync = base64_encode(nonce.substr(0, 16) + auts);
status = PJSIP_EAUTHNOAUTH;
sc = unauth_sc;
}
}
}
if (status == PJ_SUCCESS)
{
// Request authentication completed, so let the message through to other
// modules. Remove any Proxy-Authorization headers first so they are not
// passed to downstream devices. We can't do this for Authorization
// headers, as these may need to be included in 3rd party REGISTER
// messages.
while (pjsip_msg_find_remove_hdr(rdata->msg_info.msg,
PJSIP_H_PROXY_AUTHORIZATION,
NULL) != NULL);
delete av;
return PJ_FALSE;
}
}
}
// The message either has insufficient authentication information, or
// has failed authentication. In either case, the message will be
// absorbed and responded to by the authentication module, so we need to
// add SAS markers so the trail will become searchable.
SAS::Marker start_marker(trail, MARKER_ID_START, 1u);
SAS::report_marker(start_marker);
// Add a SAS end marker
SAS::Marker end_marker(trail, MARKER_ID_END, 1u);
SAS::report_marker(end_marker);
// Create an ACR for the message and pass the request to it. Role is always
// considered originating for a REGISTER request.
ACR* acr = acr_factory->get_acr(trail,
CALLING_PARTY,
NODE_ROLE_ORIGINATING);
acr->rx_request(rdata->msg_info.msg, rdata->pkt_info.timestamp);
pjsip_tx_data* tdata;
if ((status == PJSIP_EAUTHNOAUTH) ||
(status == PJSIP_EAUTHACCNOTFOUND))
{
// No authorization information in request, or no authentication vector
// found in the store (so request is likely stale), so must issue
// challenge.
TRC_DEBUG("No authentication information in request or stale nonce, so reject with challenge");
pj_bool_t stale = (status == PJSIP_EAUTHACCNOTFOUND);
sc = unauth_sc;
if (stale && auth_stats_table != NULL)
{
auth_stats_table->increment_failures();
}
status = PJUtils::create_response(stack_data.endpt, rdata, sc, NULL, &tdata);
if (status != PJ_SUCCESS)
{
// Failed to create a response. This really shouldn't happen, but there
// is nothing else we can do.
// LCOV_EXCL_START
delete acr;
return PJ_TRUE;
// LCOV_EXCL_STOP
}
create_challenge(credentials, stale, resync, rdata, tdata);
}
else
{
// Authentication failed.
std::string error_msg = PJUtils::pj_status_to_string(status);
TRC_ERROR("Authentication failed, %s", error_msg.c_str());
if (auth_stats_table != NULL)
{
auth_stats_table->increment_failures();
}
SAS::Event event(trail, SASEvent::AUTHENTICATION_FAILED, 0);
event.add_var_param(error_msg);
SAS::report_event(event);
if (sc != unauth_sc)
{
// Notify Homestead and the HSS that this authentication attempt
// has definitively failed.
std::string impi;
std::string impu;
PJUtils::get_impi_and_impu(rdata, impi, impu);
hss->update_registration_state(impu, impi, HSSConnection::AUTH_FAIL, trail);
}
if (analytics != NULL)
{
analytics->auth_failure(PJUtils::pj_str_to_string(&credentials->username),
PJUtils::public_id_from_uri((pjsip_uri*)pjsip_uri_get_uri(PJSIP_MSG_TO_HDR(rdata->msg_info.msg)->uri)));
}
status = PJUtils::create_response(stack_data.endpt, rdata, sc, NULL, &tdata);
if (status != PJ_SUCCESS)
{
// Failed to create a response. This really shouldn't happen, but there
// is nothing else we can do.
// LCOV_EXCL_START
delete acr;
return PJ_TRUE;
// LCOV_EXCL_STOP
}
}
acr->tx_response(tdata->msg);
// Issue the challenge response transaction-statefully. This is so that:
// * if we challenge an INVITE, the UE can ACK the 407
// * if a challenged request gets retransmitted, we don't repeat the work
pjsip_transaction* tsx = NULL;
status = pjsip_tsx_create_uas2(NULL, rdata, NULL, &tsx);
set_trail(tsx, trail);
if (status != PJ_SUCCESS)
{
// LCOV_EXCL_START - defensive code not hit in UT
TRC_WARNING("Couldn't create PJSIP transaction for authentication response: %d"
" (sending statelessly instead)", status);
// Send the response statelessly in this case - it's better than nothing
pjsip_endpt_send_response2(stack_data.endpt, rdata, tdata, NULL, NULL);
// LCOV_EXCL_STOP
}
else
{
// Let the tsx know about the original message
pjsip_tsx_recv_msg(tsx, rdata);
// Send our response in this transaction
pjsip_tsx_send_msg(tsx, tdata);
}
// Send the ACR.
acr->send();
delete acr;
delete av;
return PJ_TRUE;
}
