Module: sip-router Branch: 3.1 Commit: c7974ebd1d2f9a55d3b742964ab6940236204e33 URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=c7974ebd...
Author: Juha Heinanen jh@tutpro.com Committer: Juha Heinanen jh@tutpro.com Date: Thu Oct 7 17:59:27 2010 +0300
modules/auth: fixed sending of [www|proxy]_challenge reply - By default, [www|proxy]_challenge functions now send reply statefully if transaction exists and statelessly otherwise. - Added force_stateless_reply module param that can be used to change the default behavior. - Credits to Andrei Pelinescu-Onciul.
---
modules/auth/README | 29 ++++++++++++++++++++++------- modules/auth/auth_mod.c | 12 ++++++++++-- modules/auth/doc/functions.xml | 6 ++++-- modules/auth/doc/params.xml | 19 +++++++++++++++++++ 4 files changed, 55 insertions(+), 11 deletions(-)
diff --git a/modules/auth/README b/modules/auth/README index 92e4641..0f0214b 100644 --- a/modules/auth/README +++ b/modules/auth/README @@ -36,6 +36,7 @@ Daniel-Constantin Mierla 1.3.10. secret (string) 1.3.11. nonce_expire (integer) 1.3.12. nonce_auth_max_drift (integer) + 1.3.13. force_stateless_reply (boolean)
1.4. Functions
@@ -450,6 +451,18 @@ modparam("auth", "nonce_expire", 600) # Set nonce_expire to 600s modparam("auth", "nonce_auth_max_drift", 1) # set max drift to 1 s ...
+1.3.13. force_stateless_reply (boolean) + + If set to 1, www_challenge() and proxy_challenge() functions send reply + statelessly no matter if transaction exists or not. If set to 0 + (default), reply is sent statefully if transaction exists and + stelelessly otherwise. + + Example 13. force_stateless_reply example +... +modparam("auth", "force_stateless_reply", 1) +... + 1.4. Functions
1.4.1. consume_credentials() @@ -462,7 +475,7 @@ modparam("auth", "nonce_auth_max_drift", 1) # set max drift to 1 s little bit shorter. The function must be called after www_authorize, proxy_authorize, www_authenticate or proxy_authenticate.
- Example 13. consume_credentials example + Example 14. consume_credentials example ... if (www_authenticate("realm", "subscriber)) { consume_credentials(); @@ -476,7 +489,8 @@ if (www_authenticate("realm", "subscriber)) { field into a response generated from the request the server is processing and send the reply. Upon reception of such a reply the user agent should compute credentials and retry the request. For more - information regarding digest authentication see RFC2617. + information regarding digest authentication see RFC2617. See module + parameter force_stateless_reply regarding sending of the reply.
Meaning of the parameters is as follows: * realm - Realm is a opaque string that the user agent should present @@ -496,7 +510,7 @@ if (www_authenticate("realm", "subscriber)) {
This function can be used from REQUEST_ROUTE.
- Example 14. www_challenge usage + Example 15. www_challenge usage ... if (!www_authenticate("$td", "subscriber")) { www_challenge("$td", "1"); @@ -510,14 +524,15 @@ if (!www_authenticate("$td", "subscriber")) { the header field into a response generated from the request the server is processing and send the reply. Upon reception of such a reply the user agent should compute credentials and retry the request. For more - information regarding digest authentication see RFC2617. + information regarding digest authentication see RFC2617. See module + parameter force_stateless_reply regarding sending of the reply.
Meaning of the parameters the same as for function www_challenge(realm, flags)
This function can be used from REQUEST_ROUTE.
- Example 15. proxy_challenge usage + Example 16. proxy_challenge usage ... if (!proxy_authenticate("$fd", "subscriber)) { proxy_challenge("$fd", "1"); @@ -562,7 +577,7 @@ if (!proxy_authenticate("$fd", "subscriber)) {
This function can be used from REQUEST_ROUTE.
- Example 16. pv_www_authenticate usage + Example 17. pv_www_authenticate usage ... if (!pv_www_authenticate("$td", "123abc", "0")) { www_challenge("$td", "1"); @@ -584,7 +599,7 @@ if (!pv_www_authenticate("$td", "123abc", "0")) {
This function can be used from REQUEST_ROUTE.
- Example 17. pv_proxy_authenticate usage
+ Example 18. pv_proxy_authenticate usage
 ...
 $avp(password)="xyz";
 if (!pv_proxy_authenticate("$fd", "$avp(password)", "0")) {
diff --git a/modules/auth/auth_mod.c b/modules/auth/auth_mod.c
index f75530b..b30f6b8 100644
--- a/modules/auth/auth_mod.c
+++ b/modules/auth/auth_mod.c
@@ -97,6 +97,7 @@ char* sec_param = 0; /* If the parameter was not used, the secret phrase
 int nonce_expire = 300; /* Nonce lifetime */
 /*int auth_extra_checks = 0; -- in nonce.c */
 int protect_contacts = 0; /* Do not include contacts in nonce by default */
+int force_stateless_reply = 0; /* Always send reply statelessly */
str secret1;
str secret2;
@@ -171,7 +172,7 @@ static param_export_t params[] = {
 {"one_time_nonce" , PARAM_INT, &otn_enabled },
 {"otn_in_flight_no", PARAM_INT, &otn_in_flight_no },
 {"otn_in_flight_order", PARAM_INT, &otn_in_flight_k },
- {"nid_pool_no", PARAM_INT, &nid_pool_no },
+ {"force_stateless_reply", PARAM_INT, &force_stateless_reply },
 {0, 0, 0}
 };
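Review bot: The comment on the new global, `/* Always send reply statelessly */`, describes only the 1 setting; with the default of 0 the challenge reply is stateful whenever a transaction exists, as the commit message and the README hunks state, so a reader of auth_mod.c alone gets the opposite impression. Suggest `int force_stateless_reply = 0; /* 1: always reply statelessly; 0: stateful if a transaction exists, stateless otherwise */`.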
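Review bot: The params[] hunk replaces the existing `{"nid_pool_no", PARAM_INT, &nid_pool_no },` entry instead of adding a new row after it, so any configuration that sets modparam("auth", "nid_pool_no", ...) will stop loading, while the commit message only claims to add force_stateless_reply. Nothing else in the diff removes the nid_pool_no variable, which suggests the deletion is accidental rather than a deliberate retirement of the parameter. Unless dropping it is intended, keep both rows: `{"nid_pool_no", PARAM_INT, &nid_pool_no },` followed by `{"force_stateless_reply", PARAM_INT, &force_stateless_reply },`.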
@@ -558,6 +559,8 @@ static int fixup_pv_auth(void **param, int param_no)
 static int auth_send_reply(struct sip_msg *msg, int code, char *reason,
 char *hdr, int hdr_len)
 {
+ str reason_str;
+
 /* Add new headers if there are any */
 if ((hdr!=NULL) && (hdr_len>0)) {
 if (add_lump_rpl(msg, hdr, hdr_len, LUMP_RPL_HDR)==0) {
@@ -566,7 +569,12 @@ static int auth_send_reply(struct sip_msg *msg, int code, char *reason,
 }
 }
- return slb.zreply(msg, code, reason);
+ reason_str.s = reason;
+ reason_str.len = strlen(reason);
+
+ return force_stateless_reply ?
+ slb.sreply(msg, code, &reason_str) :
+ slb.freply(msg, code, &reason_str);
 }
/** diff --git a/modules/auth/doc/functions.xml b/modules/auth/doc/functions.xml index 90f4c93..b9816bc 100644 --- a/modules/auth/doc/functions.xml +++ b/modules/auth/doc/functions.xml @@ -42,7 +42,8 @@ if (www_authenticate("realm", "subscriber)) { server is processing and send the reply. Upon reception of such a reply the user agent should compute credentials and retry the request. For more information regarding digest authentication - see RFC2617. + see RFC2617. See module parameter force_stateless_reply + regarding sending of the reply. </para> <para>Meaning of the parameters is as follows:</para> <itemizedlist> @@ -109,7 +110,8 @@ if (!www_authenticate("$td", "subscriber")) { put the header field into a response generated from the request the server is processing and send the reply. Upon reception of such a reply the user agent should compute credentials and retry the request. - For more information regarding digest authentication see RFC2617. + For more information regarding digest authentication see RFC2617. See module parameter force_stateless_reply + regarding sending of the reply. </para> <para>Meaning of the parameters the same as for function www_challenge(realm, flags)</para> diff --git a/modules/auth/doc/params.xml b/modules/auth/doc/params.xml index ad84251..67c83bb 100644 --- a/modules/auth/doc/params.xml +++ b/modules/auth/doc/params.xml 
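Review bot: `reason_str.len = strlen(reason);` dereferences `reason` unconditionally, whereas the replaced `slb.zreply(msg, code, reason)` only passed the pointer through; if any caller of auth_send_reply (all of them lie outside this hunk) can hand in a NULL reason, a request that needs a challenge would now crash the worker instead of being answered. A guard before the strlen, `if (reason == NULL) reason = "";`, keeps the function total, or else state the precondition on the signature with `/* reason must be a non-NULL, NUL-terminated string */`. Since str.len is an int, the size_t result is also narrowed silently, and an explicit `(int)` cast would make that visible under -Wconversion. The ternary deserves a one-line why-comment as well, e.g. `/* freply: stateful if a transaction exists, else stateless; sreply: always stateless */`, because the difference between the two sl API calls is not evident from their names.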
@@ -572,4 +572,23 @@ modparam("auth", "nonce_auth_max_drift", 1) # set max drift to 1 s </programlisting> </example> </section> + + <section id="force_stateless_reply"> + <title><varname>force_stateless_reply</varname> (boolean)</title> + <para> + If set to 1, <function>www_challenge()</function> and + <function>proxy_challenge()</function> + functions send reply statelessly no matter if transaction + exists or not. If set to 0 (default), reply is sent statefully + if transaction exists and stelelessly otherwise. + </para> + <example> + <title>force_stateless_reply example</title> + <programlisting> +... +modparam("auth", "force_stateless_reply", 1) +... + </programlisting> + </example> + </section> </section>