authorize.c

Go to the documentation of this file.

/*
 * $Id: authorize.c,v 1.53 2008/06/09 15:48:21 liborc Exp $
 *
 * Digest Authentication - Database support
 *
 * Copyright (C) 2001-2003 FhG Fokus
 *
 * This file is part of ser, a free SIP server.
 *
 * ser is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version
 *
 * For a license to use the ser software under conditions
 * other than those described here, or to purchase support for this
 * software, please contact iptel.org by e-mail at the following addresses:
 *    info@iptel.org
 *
 * ser is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License 
 * along with this program; if not, write to the Free Software 
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 *
 * history:
 * ---------
 * 2003-02-28 scratchpad compatibility abandoned
 * 2003-01-27 next baby-step to removing ZT - PRESERVE_ZT (jiri)
 * 2004-06-06 updated to the new DB api, added auth_db_{init,bind,close,ver}
 *             (andrei)
 */


#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include "../../ut.h"
#include "../../str.h"
#include "../../db/db.h"
#include "../../dprint.h"
#include "../../parser/digest/digest.h"
#include "../../parser/hf.h"
#include "../../parser/parser_f.h"
#include "../../usr_avp.h"
#include "../../mem/mem.h"
#include "../../config.h"
#include "../../id.h"
#include "../auth/api.h"
#include "authdb_mod.h"


#define IS_NULL(f)      ((f).flags & DB_NULL)

static inline int get_ha1(struct username* username, str* did, str* realm,
                          authdb_table_info_t *table_info, char* ha1, db_res_t** res, db_rec_t** row)
{
        str result;
        db_cmd_t *q = NULL;
   
        if (calc_ha1) {
                q = table_info->query_password;
                DBG("querying plain password\n");
        } else {
                if (username->domain.len) {
                        q = table_info->query_pass2;
                        DBG("querying ha1b\n");
                } else {
                        q = table_info->query_pass;
                        DBG("querying ha1\n");
                }
        }
    
        q->match[0].v.lstr = username->user;
        q->match[1].v.lstr = *realm;

        if (use_did) q->match[2].v.lstr = *did;

        if (db_exec(res, q) < 0 ) {
                ERR("Error while querying database\n");
                return -1;
        }

        if (*res) *row = db_first(*res);
        else *row = NULL;
        while (*row) {
                if (IS_NULL((*row)->fld[0]) || IS_NULL((*row)->fld[1])) {
                        LOG(L_ERR, "auth_db:get_ha1: Credentials for '%.*s'@'%.*s' contain NULL value, skipping\n",
                                username->user.len, ZSW(username->user.s), realm->len, ZSW(realm->s));
                } else {
                        if ((*row)->fld[1].v.int4 & DB_DISABLED) {
                                /* disabled rows ignored */
                        } else {
                                if ((*row)->fld[1].v.int4 & DB_LOAD_SER) {
                                        /* *row = i; */
                                        break;
                                }
                        }
                }
                *row = db_next(*res);
        }

        if (!*row) {
                DBG("auth_db:get_ha1: Credentials for '%.*s'@'%.*s' not found\n",
                        username->user.len, ZSW(username->user.s), realm->len, ZSW(realm->s));
                return 1;
        }               

        result.s = (*row)->fld[0].v.cstr;
        result.len = strlen(result.s);

        if (calc_ha1) {
                /* Only plaintext passwords are stored in database,
                 * we have to calculate HA1 */
                auth_api.calc_HA1(HA_MD5, &username->whole, realm, &result, 0, 0, ha1);
                DBG("auth_db:get_ha1: HA1 string calculated: %s\n", ha1);
        } else {
                memcpy(ha1, result.s, result.len);
                ha1[result.len] = '\0';
        }

        return 0;
}

/*
 * Calculate the response and compare with the given response string
 * Authorization is successful if this two strings are same
 */
static inline int check_response(dig_cred_t* cred, str* method, char* ha1)
{
        HASHHEX resp, hent;
    
        /*
         * First, we have to verify that the response received has
         * the same length as responses created by us
         */
        if (cred->response.len != 32) {
                DBG("auth_db:check_response: Receive response len != 32\n");
                return 1;
        }
    
        /*
         * Now, calculate our response from parameters received
         * from the user agent
         */
        auth_api.calc_response(ha1, &(cred->nonce), 
                                  &(cred->nc), &(cred->cnonce), 
                                  &(cred->qop.qop_str), cred->qop.qop_parsed == QOP_AUTHINT,
                                  method, &(cred->uri), hent, resp);
    
        DBG("auth_db:check_response: Our result = \'%s\'\n", resp);
    
        /*
         * And simply compare the strings, the user is
         * authorized if they match
         */
        if (!memcmp(resp, cred->response.s, 32)) {
                DBG("auth_db:check_response: Authorization is OK\n");
                return 0;
        } else {
                DBG("auth_db:check_response: Authorization failed\n");
                return 2;
        }
}


/*
 * Generate AVPs from the database result
 */
static int generate_avps(db_res_t* result, db_rec_t *row)
{
        int i;
        int_str iname, ivalue;
        str value;
        char buf[32];
    
        for (i = 2; i < credentials_n + 2; i++) {
                value = row->fld[i].v.lstr;

                if (IS_NULL(row->fld[i]))
                        continue;

                switch (row->fld[i].type) {
                case DB_STR:
                        value = row->fld[i].v.lstr;
                        break;

                case DB_INT:
                        value.len = sprintf(buf, "%d", row->fld[i].v.int4);
                        value.s = buf;
                        break;

                default:
                        abort();
                        break;
                }

                if (value.s == NULL)
                        continue;

                iname.s = credentials[i - 2];
                ivalue.s = value;

                if (add_avp(AVP_NAME_STR | AVP_VAL_STR | AVP_CLASS_USER, iname, ivalue) < 0) {
                        LOG(L_ERR, "auth_db:generate_avps: Error while creating AVPs\n");
                        return -1;
                }

                DBG("auth_db:generate_avps: set string AVP \'%.*s = %.*s\'\n",
                        iname.s.len, ZSW(iname.s.s), value.len, ZSW(value.s));
        }
    
        return 0;
}

/* this is a dirty work around to check the credentials of all users,
 * if the database query returned more then one result
 *
 * Fills res (which must be db_free'd afterwards if the call was succesfull)
 * returns  0 on success, 1 on no match (?)
 *          and -1 on error (memory, db a.s.o).
 * WARNING: if -1 is returned res _must_ _not_ be freed (it's empty)
 *
 */
static inline int check_all_ha1(struct sip_msg* msg, struct hdr_field* hdr, 
                dig_cred_t* dig, str* method, str* did, str* realm, 
                authdb_table_info_t *table_info, db_res_t** res) 
{
        char ha1[256];
        db_rec_t *row;
        str result;
        db_cmd_t *q;
   
        if (calc_ha1) {
                q = table_info->query_password;
                DBG("querying plain password\n");
        }
        else {
            if (dig->username.domain.len) {
                        q = table_info->query_pass2;
                        DBG("querying ha1b\n");
                }
                else {
                        q = table_info->query_pass;
                        DBG("querying ha1\n");
                }
        }
    
        q->match[0].v.lstr = dig->username.user;
        if (dig->username.domain.len) 
                q->match[1].v.lstr = dig->username.domain;
        else
                q->match[1].v.lstr = *realm;

        if (use_did) q->match[2].v.lstr = *did;

        if (db_exec(res, q) < 0 ) {
                ERR("Error while querying database\n");
        }

        if (*res) row = db_first(*res);
        else row = NULL;
        while (row) {
                if (IS_NULL(row->fld[0]) || IS_NULL(row->fld[1])) {
                        LOG(L_ERR, "auth_db:check_all_ha1: Credentials for '%.*s'@'%.*s' contain NULL value, skipping\n",
                            dig->username.user.len, ZSW(dig->username.user.s), realm->len, ZSW(realm->s));
                }
                else {
                        if (row->fld[1].v.int4 & DB_DISABLED) {
                                /* disabled rows ignored */
                        }
                        else {
                                if (row->fld[1].v.int4 & DB_LOAD_SER) {
                                        result.s = row->fld[0].v.cstr;
                                        result.len = strlen(result.s);
                                        if (calc_ha1) {
                                                 /* Only plaintext passwords are stored in database,
                                                  * we have to calculate HA1 */
                                                auth_api.calc_HA1(HA_MD5, &(dig->username.whole), realm, &result, 0, 0, ha1);
                                                DBG("auth_db:check_all_ha1: HA1 string calculated: %s\n", ha1);
                                        } else {
                                                memcpy(ha1, result.s, result.len);
                                                ha1[result.len] = '\0';
                                        }

                                        if (!check_response(dig, method, ha1)) {
                                                if (auth_api.post_auth(msg, hdr) == AUTHENTICATED) {
                                                        generate_avps(*res, row);
                                                        return 0;
                                                }
                                        }
                                }
                        }
                }
                row = db_next(*res);
        }

        if (!row) {
                DBG("auth_db:check_all_ha1: Credentials for '%.*s'@'%.*s' not found",
                    dig->username.user.len, ZSW(dig->username.user.s), realm->len, ZSW(realm->s));
        }               
        return 1;


}


/*
 * Authenticate digest credentials
 * Returns:
 *      -3 -- Bad Request
 *      -2 -- Error while checking credentials (such as malformed message or database problem)
 *      -1 -- Authentication failed
 *       1 -- Authentication successful
 */
static inline int authenticate(struct sip_msg* msg, str* realm, authdb_table_info_t *table, hdr_types_t hftype)
{
        char ha1[256];
        int res, ret;
        db_rec_t *row;
        struct hdr_field* h;
        auth_body_t* cred;
        db_res_t* result;
        str did;
    
        cred = 0;
        result = 0;
        ret = -1;
    
        switch(auth_api.pre_auth(msg, realm, hftype, &h, NULL)) {
        case ERROR:
        case BAD_CREDENTIALS:
                ret = -3;
                goto end;
        case CREATE_CHALLENGE:
                ERR("auth_db:authenticate: CREATE_CHALLENGE is not a valid state\n");
                ret = -2;
                goto end;
        case DO_RESYNCHRONIZATION:
                ERR("auth_db:authenticate: DO_RESYNCHRONIZATION is not a valid state\n");
                ret = -2;
                goto end;
                
        case NOT_AUTHENTICATED: 
                ret = -1;
                goto end;
                
        case DO_AUTHENTICATION: 
                break;
                
        case AUTHENTICATED:
                ret = 1; 
                goto end;
        }
    
        cred = (auth_body_t*)h->parsed;
        
        if (use_did) {
                if (msg->REQ_METHOD == METHOD_REGISTER) {
                        ret = get_to_did(&did, msg);
                } else {
                        ret = get_from_did(&did, msg);
                }
                if (ret == 0) {
                        did.s = DEFAULT_DID;
                        did.len = sizeof(DEFAULT_DID) - 1;
                }
        } else {
                did.len = 0;
                did.s = 0;
        }       
    

        if (check_all) {
                res = check_all_ha1(msg, h, &(cred->digest), &msg->first_line.u.request.method, &did, realm, table, &result);
                if (res < 0) {
                        ret = -2;
                        goto end;
                }
                else if (res > 0) {
                        ret = -1;
                        goto end;
                }
                else {
                        ret = 1;
                        goto end;
                }
        } else {
                res = get_ha1(&cred->digest.username, &did, realm, table, ha1, &result, &row);
                if (res < 0) {
                        ret = -2;
                        goto end;
                }
                if (res > 0) {
                        /* Username not found in the database */
                        ret = -1;
                        goto end;
                }
        }
    
        /* Recalculate response, it must be same to authorize successfully */
        if (!check_response(&(cred->digest), &msg->first_line.u.request.method, ha1)) {
                switch(auth_api.post_auth(msg, h)) {
                case ERROR:
                case BAD_CREDENTIALS:
                        ret = -2; 
                        break;
                        
                case NOT_AUTHENTICATED: 
                        ret = -1; 
                        break;
                        
                case AUTHENTICATED:
                        generate_avps(result, row);
                        ret = 1;
                        break;
                        
                default:
                        ret = -1;
                        break;
                }
        } else {
                ret = -1;
        }

 end:
        if (result) db_res_free(result);
        if (ret < 0) {
                if (auth_api.build_challenge(msg, (cred ? cred->stale : 0), realm, NULL, NULL, hftype) < 0) {
                        ERR("Error while creating challenge\n");
                        ret = -2;
                }
        }
        return ret;
}


/*
 * Authenticate using Proxy-Authorize header field
 */
int proxy_authenticate(struct sip_msg* msg, char* p1, char* p2)
{
        str realm;

        if (get_str_fparam(&realm, msg, (fparam_t*)p1) < 0) {
                ERR("Cannot obtain digest realm from parameter '%s'\n", ((fparam_t*)p1)->orig);
                return -1;
        }

        return authenticate(msg, &realm, (authdb_table_info_t*)p2, HDR_PROXYAUTH_T);
}


/*
 * Authorize using WWW-Authorize header field
 */
int www_authenticate(struct sip_msg* msg, char* p1, char* p2)
{
        str realm;

        if (get_str_fparam(&realm, msg, (fparam_t*)p1) < 0) {
                ERR("Cannot obtain digest realm from parameter '%s'\n", ((fparam_t*)p1)->orig);
                return -1;
        }

        return authenticate(msg, &realm, (authdb_table_info_t*)p2, HDR_AUTHORIZATION_T);
}

---