From 6c6d2aad765606f3465bb20a441c88ccf03e4c25 Mon Sep 17 00:00:00 2001 From: Anthony Minessale Date: Fri, 20 Apr 2007 18:06:06 +0000 Subject: [PATCH] add ip auth git-svn-id: http://svn.freeswitch.org/svn/freeswitch/trunk@4988 d0543943-73ff-0310-b7d9-9358b9ac24b2 --- src/include/switch_xml.h | 7 + src/mod/endpoints/mod_sofia/mod_sofia.h | 2 +- src/mod/endpoints/mod_sofia/sofia.c | 7 +- src/mod/endpoints/mod_sofia/sofia_glue.c | 3 - src/mod/endpoints/mod_sofia/sofia_reg.c | 218 +++++++++++------------ src/switch_xml.c | 40 +++++ 6 files changed, 154 insertions(+), 123 deletions(-) diff --git a/src/include/switch_xml.h b/src/include/switch_xml.h index a40a2c17c6..e7b1eb7b24 100644 --- a/src/include/switch_xml.h +++ b/src/include/switch_xml.h @@ -317,6 +317,13 @@ SWITCH_DECLARE(switch_status_t) switch_xml_locate(const char *section, const char *key_name, const char *key_value, switch_xml_t * root, switch_xml_t * node, const char *params); +SWITCH_DECLARE(switch_status_t) switch_xml_locate_domain(char *domain_name, char *params, switch_xml_t *root, switch_xml_t *domain); +SWITCH_DECLARE(switch_status_t) switch_xml_locate_user(char *user_name, char *domain_name, + char *ip, + switch_xml_t *root, + switch_xml_t *domain, + switch_xml_t *user); + ///\brief open a config in the core registry ///\param file_path the name of the config section e.g. modules.conf ///\param node a pointer to point to the node if it is found diff --git a/src/mod/endpoints/mod_sofia/mod_sofia.h b/src/mod/endpoints/mod_sofia/mod_sofia.h index c8454e13d3..10c07a80b0 100644 --- a/src/mod/endpoints/mod_sofia/mod_sofia.h +++ b/src/mod/endpoints/mod_sofia/mod_sofia.h @@ -399,7 +399,7 @@ void sofia_presence_event_handler(switch_event_t *event); void sofia_presence_mwi_event_handler(switch_event_t *event); void sofia_presence_cancel(void); switch_status_t config_sofia(int reload); -auth_res_t parse_auth(sofia_profile_t *profile, sip_authorization_t const *authorization, const char *regstr, char *np, size_t nplen); +auth_res_t sofia_reg_parse_auth(sofia_profile_t *profile, sip_authorization_t const *authorization, const char *regstr, char *np, size_t nplen, char *ip); void sofia_reg_handle_sip_r_challenge(int status, char const *phrase, nua_t *nua, sofia_profile_t *profile, nua_handle_t *nh, switch_core_session_t *session, sip_t const *sip, tagi_t tags[]); diff --git a/src/mod/endpoints/mod_sofia/sofia.c b/src/mod/endpoints/mod_sofia/sofia.c index 585656c7b4..2715670fb2 100644 --- a/src/mod/endpoints/mod_sofia/sofia.c +++ b/src/mod/endpoints/mod_sofia/sofia.c @@ -78,7 +78,7 @@ void sofia_event_callback(nua_event_t event, if ((profile->pflags & PFLAG_AUTH_ALL) && tech_pvt && tech_pvt->key && sip) { sip_authorization_t const *authorization = NULL; - + if (sip->sip_authorization) { authorization = sip->sip_authorization; } else if (sip->sip_proxy_authorization) { @@ -86,7 +86,10 @@ void sofia_event_callback(nua_event_t event, } if (authorization) { - auth_res = parse_auth(profile, authorization, (char *) sip->sip_request->rq_method_name, tech_pvt->key, strlen(tech_pvt->key)); + char network_ip[80]; + get_addr(network_ip, sizeof(network_ip), &((struct sockaddr_in *) msg_addrinfo(nua_current_request(nua))->ai_addr)->sin_addr); + auth_res = sofia_reg_parse_auth(profile, authorization, + (char *) sip->sip_request->rq_method_name, tech_pvt->key, strlen(tech_pvt->key), network_ip); } if (auth_res != AUTH_OK) { diff --git a/src/mod/endpoints/mod_sofia/sofia_glue.c b/src/mod/endpoints/mod_sofia/sofia_glue.c index aaf8be82bf..e668071a24 100644 --- a/src/mod/endpoints/mod_sofia/sofia_glue.c +++ b/src/mod/endpoints/mod_sofia/sofia_glue.c @@ -1459,9 +1459,6 @@ int sofia_glue_init_sql(sofia_profile_t *profile) char auth_sql[] = "CREATE TABLE sip_authentication (\n" - " user VARCHAR(255),\n" - " host VARCHAR(255),\n" - " passwd VARCHAR(255),\n" " nonce VARCHAR(255),\n" " expires INTEGER(8)" ");\n"; diff --git a/src/mod/endpoints/mod_sofia/sofia_reg.c b/src/mod/endpoints/mod_sofia/sofia_reg.c index 76c23b9cb3..2237024b1f 100644 --- a/src/mod/endpoints/mod_sofia/sofia_reg.c +++ b/src/mod/endpoints/mod_sofia/sofia_reg.c @@ -36,6 +36,7 @@ #include "mod_sofia.h" + void sofia_reg_unregister(sofia_profile_t *profile) { outbound_reg_t *gateway_ptr; @@ -211,19 +212,6 @@ char *sofia_reg_find_reg_url(sofia_profile_t *profile, const char *user, const c } } -static char *sofia_reg_get_auth_data(sofia_profile_t *profile, char *nonce, char *npassword, size_t len, switch_mutex_t *mutex) -{ - char *sql, *ret; - - sql = switch_mprintf("select passwd from sip_authentication where nonce='%q'", nonce); - assert(sql != NULL); - - ret = sofia_glue_execute_sql2str(profile, mutex, sql, npassword, len); - - free(sql); - return ret; -} - uint8_t sofia_reg_handle_register(nua_t * nua, sofia_profile_t *profile, nua_handle_t * nh, sip_t const *sip, sofia_regtype_t regtype, char *key, uint32_t keylen) { @@ -231,27 +219,25 @@ uint8_t sofia_reg_handle_register(nua_t * nua, sofia_profile_t *profile, nua_han sip_expires_t const *expires = NULL; sip_authorization_t const *authorization = NULL; sip_contact_t const *contact = NULL; - switch_xml_t domain, xml, user, param, xparams; - char params[1024] = ""; char *sql; switch_event_t *s_event; const char *from_user = NULL; const char *from_host = NULL; char contact_str[1024] = ""; char buf[512]; - const char *passwd = NULL; - const char *a1_hash = NULL; - uint8_t stale = 0, ret = 0, forbidden = 0; + uint8_t stale = 0, forbidden = 0; auth_res_t auth_res; long exptime = 60; switch_event_t *event; const char *rpid = "unknown"; const char *display = "\"user\""; - char network_addr[80]; + char network_ip[80]; /* all callers must confirm that sip, sip->sip_request and sip->sip_contact are not NULL */ assert(sip != NULL && sip->sip_contact != NULL && sip->sip_request != NULL); + get_addr(network_ip, sizeof(network_ip), &((struct sockaddr_in *) msg_addrinfo(nua_current_request(nua))->ai_addr)->sin_addr); + expires = sip->sip_expires; authorization = sip->sip_authorization; contact = sip->sip_contact; @@ -310,7 +296,7 @@ uint8_t sofia_reg_handle_register(nua_t * nua, sofia_profile_t *profile, nua_han } if (authorization) { - if ((auth_res = parse_auth(profile, authorization, sip->sip_request->rq_method_name, key, keylen)) == AUTH_STALE) { + if ((auth_res = sofia_reg_parse_auth(profile, authorization, sip->sip_request->rq_method_name, key, keylen, network_ip)) == AUTH_STALE) { stale = 1; } @@ -326,101 +312,33 @@ uint8_t sofia_reg_handle_register(nua_t * nua, sofia_profile_t *profile, nua_han } if (!authorization || stale) { - get_addr(network_addr, sizeof(network_addr), &((struct sockaddr_in *) msg_addrinfo(nua_current_request(nua))->ai_addr)->sin_addr); - snprintf(params, sizeof(params), "network_addr=%s&from_user=%s&from_host=%s&contact=%s", network_addr, from_user, from_host, contact_str); + switch_uuid_t uuid; + char uuid_str[SWITCH_UUID_FORMATTED_LENGTH + 1]; + char *sql, *auth_str; + switch_uuid_get(&uuid); + switch_uuid_format(uuid_str, &uuid); - if (switch_xml_locate("directory", "domain", "name", from_host, &xml, &domain, params) != SWITCH_STATUS_SUCCESS) { - switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_ERROR, "can't find domain for [%s@%s]\n", from_user, from_host); - nua_respond(nh, SIP_401_UNAUTHORIZED, NUTAG_WITH_THIS(nua), SIPTAG_CONTACT(contact), TAG_END()); - return 1; + switch_mutex_lock(profile->ireg_mutex); + sql = switch_mprintf("insert into sip_authentication (nonce, expires) values('%q', %ld)", + uuid_str, time(NULL) + profile->nonce_ttl); + assert(sql != NULL); + sofia_glue_execute_sql(profile, SWITCH_FALSE, sql, NULL); + switch_safe_free(sql); + switch_mutex_unlock(profile->ireg_mutex); + + auth_str = + switch_mprintf("Digest realm=\"%q\", nonce=\"%q\",%s algorithm=MD5, qop=\"auth\"", from_host, uuid_str, stale ? " stale=\"true\"," : ""); + + if (regtype == REG_REGISTER) { + switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_DEBUG, "Requesting Registration from: [%s@%s]\n", from_user, from_host); + nua_respond(nh, SIP_401_UNAUTHORIZED, NUTAG_WITH_THIS(nua), SIPTAG_WWW_AUTHENTICATE_STR(auth_str), TAG_END()); + } else if (regtype == REG_INVITE) { + nua_respond(nh, SIP_407_PROXY_AUTH_REQUIRED, NUTAG_WITH_THIS(nua), SIPTAG_PROXY_AUTHENTICATE_STR(auth_str), TAG_END()); } - if (!(user = switch_xml_find_child(domain, "user", "id", from_user))) { - switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_WARNING, "can't find user [%s@%s]\n", from_user, from_host); - nua_respond(nh, SIP_401_UNAUTHORIZED, NUTAG_WITH_THIS(nua), SIPTAG_CONTACT(contact), TAG_END()); - switch_xml_free(xml); - return 1; - } - - if (!(xparams = switch_xml_child(user, "params"))) { - switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_WARNING, "can't find params for user [%s@%s]\n", from_user, from_host); - nua_respond(nh, SIP_401_UNAUTHORIZED, NUTAG_WITH_THIS(nua), SIPTAG_CONTACT(contact), TAG_END()); - switch_xml_free(xml); - return 1; - } - - - for (param = switch_xml_child(xparams, "param"); param; param = param->next) { - const char *var = switch_xml_attr_soft(param, "name"); - const char *val = switch_xml_attr_soft(param, "value"); - - if (!strcasecmp(var, "password")) { - passwd = val; - } - - if (!strcasecmp(var, "a1-hash")) { - a1_hash = val; - } - } - - if (passwd || a1_hash) { - switch_uuid_t uuid; - char uuid_str[SWITCH_UUID_FORMATTED_LENGTH + 1]; - char *sql, *auth_str; - - su_md5_t ctx; - char hexdigest[2 * SU_MD5_DIGEST_SIZE + 1]; - char *input; - - if (!a1_hash) { - input = switch_mprintf("%s:%s:%s", from_user, from_host, passwd); - su_md5_init(&ctx); - su_md5_strupdate(&ctx, input); - su_md5_hexdigest(&ctx, hexdigest); - su_md5_deinit(&ctx); - switch_safe_free(input); - - switch_uuid_get(&uuid); - switch_uuid_format(uuid_str, &uuid); - a1_hash = hexdigest; - } - - switch_mutex_lock(profile->ireg_mutex); - sql = switch_mprintf("delete from sip_authentication where user='%q' and host='%q';", from_user, from_host); - assert(sql != NULL); - sofia_glue_execute_sql(profile, SWITCH_FALSE, sql, NULL); - switch_safe_free(sql); - sql = switch_mprintf("insert into sip_authentication values('%q','%q','%q','%q', %ld)", - from_user, from_host, a1_hash, uuid_str, time(NULL) + profile->nonce_ttl); - assert(sql != NULL); - sofia_glue_execute_sql(profile, SWITCH_FALSE, sql, NULL); - switch_safe_free(sql); - switch_mutex_unlock(profile->ireg_mutex); - - auth_str = - switch_mprintf("Digest realm=\"%q\", nonce=\"%q\",%s algorithm=MD5, qop=\"auth\"", from_host, uuid_str, stale ? " stale=\"true\"," : ""); - - - if (regtype == REG_REGISTER) { - switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_DEBUG, "Requesting Registration from: [%s@%s]\n", from_user, from_host); - nua_respond(nh, SIP_401_UNAUTHORIZED, NUTAG_WITH_THIS(nua), SIPTAG_WWW_AUTHENTICATE_STR(auth_str), TAG_END()); - } else if (regtype == REG_INVITE) { - nua_respond(nh, SIP_407_PROXY_AUTH_REQUIRED, NUTAG_WITH_THIS(nua), SIPTAG_PROXY_AUTHENTICATE_STR(auth_str), TAG_END()); - - } - - switch_safe_free(auth_str); - ret = 1; - } else { - ret = 0; - } - - switch_xml_free(xml); - - if (ret) { - return ret; - } + switch_safe_free(auth_str); + return 1; } reg: @@ -668,18 +586,18 @@ void sofia_reg_handle_sip_r_challenge(int status, } -auth_res_t parse_auth(sofia_profile_t *profile, sip_authorization_t const *authorization, const char *regstr, char *np, size_t nplen) +auth_res_t sofia_reg_parse_auth(sofia_profile_t *profile, sip_authorization_t const *authorization, const char *regstr, char *np, size_t nplen, char *ip) { int indexnum; const char *cur; su_md5_t ctx; char uridigest[2 * SU_MD5_DIGEST_SIZE + 1]; char bigdigest[2 * SU_MD5_DIGEST_SIZE + 1]; - char *nonce, *uri, *qop, *cnonce, *nc, *response, *input = NULL, *input2 = NULL; + char *username, *realm, *nonce, *uri, *qop, *cnonce, *nc, *response, *input = NULL, *input2 = NULL; auth_res_t ret = AUTH_FORBIDDEN; char *npassword = NULL; int cnt = 0; - nonce = uri = qop = cnonce = nc = response = NULL; + username = realm = nonce = uri = qop = cnonce = nc = response = NULL; if (authorization->au_params) { for (indexnum = 0; (cur = authorization->au_params[indexnum]); indexnum++) { @@ -696,7 +614,13 @@ auth_res_t parse_auth(sofia_profile_t *profile, sip_authorization_t const *autho *p = '\0'; } - if (!strcasecmp(var, "nonce")) { + if (!strcasecmp(var, "username")) { + username = strdup(val); + cnt++; + } else if (!strcasecmp(var, "realm")) { + realm = strdup(val); + cnt++; + } else if (!strcasecmp(var, "nonce")) { nonce = strdup(val); cnt++; } else if (!strcasecmp(var, "uri")) { @@ -722,16 +646,74 @@ auth_res_t parse_auth(sofia_profile_t *profile, sip_authorization_t const *autho } } - if (cnt != 6) { + if (cnt != 8) { switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_ERROR, "Invalid Authorization header!\n"); goto end; } if (switch_strlen_zero(np)) { - if (!sofia_reg_get_auth_data(profile, nonce, np, nplen, profile->ireg_mutex)) { + switch_xml_t domain, xml, user, param, xparams; + const char *passwd = NULL; + const char *a1_hash = NULL; + char *sql; + + sql = switch_mprintf("select nonce from sip_authentication where nonce='%q'", nonce); + assert(sql != NULL); + if (!sofia_glue_execute_sql2str(profile, profile->ireg_mutex, sql, np, nplen)) { + free(sql); ret = AUTH_STALE; goto end; } + free(sql); + + if (switch_xml_locate_user(username, realm, ip, &xml, &domain, &user) != SWITCH_STATUS_SUCCESS) { + switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_WARNING, "can't find user [%s@%s]\n", username, realm); + ret = AUTH_FORBIDDEN; + goto end; + } + + if (!(xparams = switch_xml_child(user, "params"))) { + switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_WARNING, "can't find params for user [%s@%s]\n", username, realm); + ret = AUTH_FORBIDDEN; + goto end; + } + + for (param = switch_xml_child(xparams, "param"); param; param = param->next) { + const char *var = switch_xml_attr_soft(param, "name"); + const char *val = switch_xml_attr_soft(param, "value"); + + if (!strcasecmp(var, "password")) { + passwd = val; + } + + if (!strcasecmp(var, "a1-hash")) { + a1_hash = val; + } + } + + if (switch_strlen_zero(passwd) && switch_strlen_zero(a1_hash)) { + ret = AUTH_OK; + goto end; + } + + if (!a1_hash) { + su_md5_t ctx; + char hexdigest[2 * SU_MD5_DIGEST_SIZE + 1]; + char *input; + + input = switch_mprintf("%s:%s:%s", username, realm, passwd); + su_md5_init(&ctx); + su_md5_strupdate(&ctx, input); + su_md5_hexdigest(&ctx, hexdigest); + su_md5_deinit(&ctx); + switch_safe_free(input); + a1_hash = hexdigest; + + } + + np = strdup(a1_hash); + + switch_xml_free(xml); } npassword = np; @@ -760,6 +742,8 @@ auth_res_t parse_auth(sofia_profile_t *profile, sip_authorization_t const *autho end: switch_safe_free(input); switch_safe_free(input2); + switch_safe_free(username); + switch_safe_free(realm); switch_safe_free(nonce); switch_safe_free(uri); switch_safe_free(qop); diff --git a/src/switch_xml.c b/src/switch_xml.c index 584528c4af..d5525e73f8 100644 --- a/src/switch_xml.c +++ b/src/switch_xml.c @@ -1173,6 +1173,46 @@ SWITCH_DECLARE(switch_status_t) switch_xml_locate(const char *section, return SWITCH_STATUS_FALSE; } +SWITCH_DECLARE(switch_status_t) switch_xml_locate_domain(char *domain_name, char *params, switch_xml_t *root, switch_xml_t *domain) +{ + *domain = NULL; + return switch_xml_locate("directory", "domain", "name", domain_name, root, domain, params); +} + + +SWITCH_DECLARE(switch_status_t) switch_xml_locate_user(char *user_name, char *domain_name, + char *ip, + switch_xml_t *root, + switch_xml_t *domain, + switch_xml_t *user) +{ + char params[1024] = ""; + switch_status_t status; + *root = NULL; + *user = NULL; + *domain = NULL; + + snprintf(params, sizeof(params), "user=%s&domain=%s&ip=%s", switch_str_nil(user_name), switch_str_nil(domain_name), switch_str_nil(ip)); + if ((status = switch_xml_locate_domain(domain_name, params, root, domain)) != SWITCH_STATUS_SUCCESS) { + return status; + } + + if (ip) { + if ((*user = switch_xml_find_child(*domain, "user", "ip", ip))) { + return SWITCH_STATUS_SUCCESS; + } + } + + if (user_name) { + if (!(*user = switch_xml_find_child(*domain, "user", "id", user_name))) { + return SWITCH_STATUS_FALSE; + } + return SWITCH_STATUS_SUCCESS; + } + + return SWITCH_STATUS_FALSE; +} + SWITCH_DECLARE(switch_xml_t) switch_xml_root(void) {