[asterisk-commits] branch oej/res_auth r15365 - in
/team/oej/res_auth: ./ channels/ include/aste...
asterisk-commits at lists.digium.com
asterisk-commits at lists.digium.com
Mon Mar 27 15:30:15 MST 2006
Author: oej
Date: Mon Mar 27 16:30:13 2006
New Revision: 15365
URL: http://svn.digium.com/view/asterisk?rev=15365&view=rev
Log:
Adding the res_auth code
Added:
team/oej/res_auth/include/asterisk/auth.h (with props)
team/oej/res_auth/res/res_auth.c (with props)
Modified:
team/oej/res_auth/Makefile
team/oej/res_auth/channels/chan_sip.c
Modified: team/oej/res_auth/Makefile
URL: http://svn.digium.com/view/asterisk/team/oej/res_auth/Makefile?rev=15365&r1=15364&r2=15365&view=diff
==============================================================================
--- team/oej/res_auth/Makefile (original)
+++ team/oej/res_auth/Makefile Mon Mar 27 16:30:13 2006
@@ -74,6 +74,12 @@
#ifneq ($(CROSS_COMPILE),)
#OPTIONS += -DLOW_MEMORY
#endif
+
+ifneq ($(wildcard $(CROSS_COMPILE_TARGET)/usr/local/include/radiusclient-ng.h),)
+ AUTH_LDFLAGS+=-DHAVE_RADIUS_CLIENT_H
+ AUTH_LDLIBS+=-lradiusclient-ng
+endif
+
#
# Asterisk SMDI integration
@@ -472,6 +478,12 @@
db1-ast/libdb1.a: FORCE
$(MAKE) -C db1-ast libdb1.a
+
+res_auth.so: res_auth.o
+ $(CC) $(SOLINK) -o $@ ${CYGSOLINK} $< ${CYGSOLIB} ${AUTH_LDLIBS}
+
+res_auth.o: res_auth.c
+ $(CC) $(CFLAGS) ${AUTH_LDFLAGS} -c -o $@ $<
ifneq ($(wildcard .depend),)
include .depend
@@ -732,7 +744,7 @@
echo " modules are compatible with this version before" ;\
echo " attempting to run Asterisk." ;\
echo "" ;\
- for f in $(OLDMODS); do \
+ for f in "$(OLDMODS)"; do \
echo " $$f" ;\
done ;\
echo "" ;\
Modified: team/oej/res_auth/channels/chan_sip.c
URL: http://svn.digium.com/view/asterisk/team/oej/res_auth/channels/chan_sip.c?rev=15365&r1=15364&r2=15365&view=diff
==============================================================================
--- team/oej/res_auth/channels/chan_sip.c (original)
+++ team/oej/res_auth/channels/chan_sip.c Mon Mar 27 16:30:13 2006
@@ -92,6 +92,7 @@
#include "asterisk/linkedlists.h"
#include "asterisk/stringfields.h"
#include "asterisk/monitor.h"
+#include "asterisk/auth.h"
#ifdef OSP_SUPPORT
#include "asterisk/astosp.h"
@@ -6444,12 +6445,92 @@
usednonce = keys[K_NONCE].s;
}
- if (!ast_strlen_zero(md5secret))
+ char a1[256];
+ char pwd[256];
+ struct ast_flags res = {0};
+
+ res.flags = ast_parse_secret(username, secret, pwd);
+
+ /* password has been retrieved from config file, or from
+ an external source. Let's now process it */
+ if (ast_test_flag(&res, PW_SET)) {
+
+ if (ast_test_flag(&res, PW_CLEAR)) {
+ ast_log(LOG_NOTICE, "Doing LOCAL (clear pw) authentication for user '%s'\n", username);
+
+ snprintf(a1, sizeof(a1), "%s:%s:%s", username, global_realm, pwd);
+ ast_md5_hash(a1_hash, a1);
+
+ }
+ else if (ast_test_flag(&res, PW_MD5)) {
+ ast_log(LOG_NOTICE, "Doing LOCAL (HA1 pw) authentication for user '%s'\n", username);
+ ast_copy_string(a1_hash, pwd, sizeof(a1_hash));
+ }
+ }
+ /* no password retrieved, let's try to directly authenticate
+ the user */
+
+ /* With RADIUS SIP DIGEST authentication
+ (draft-sterman-aaa-sip-00.txt etc) */
+ else if (ast_test_flag(&res, AUTH_RADIUS)) {
+ int retval;
+ const char* user = username;
+ struct digest_parameters params;
+ digest_attr_t aux;
+
+ ast_log(LOG_NOTICE, "Doing RADIUS authentication for user '%s'\n", username);
+
+ memset(¶ms, 0, sizeof(params));
+
+ /* Build up the params structure with the attributes we got after having parsed the URI */
+ params.num_attrs = 0;
+ ast_copy_string(params.digest_response, keys[K_RESP].s, sizeof(params.digest_response));
+
+
+ /* realm attribute */
+ aux.type = PW_DIGEST_REALM;
+ aux.length = strlen(global_realm);
+ ast_copy_string(aux.value, global_realm, sizeof(aux.value));
+ push_digest_attribute(¶ms, &aux);
+
+ /* nonce attribute */
+ aux.type = PW_DIGEST_NONCE;
+ aux.length = strlen(keys[K_NONCE].s);
+ ast_copy_string(aux.value, keys[K_NONCE].s, sizeof(aux.value));
+ push_digest_attribute(¶ms, &aux);
+
+ /* method attribute */
+ aux.type = PW_DIGEST_METHOD;
+ aux.length = strlen(sip_methods[sipmethod].text);
+ ast_copy_string(aux.value, sip_methods[sipmethod].text, sizeof(aux.value));
+ push_digest_attribute(¶ms, &aux);
+
+ /* uri attribute */
+ aux.type = PW_DIGEST_URI;
+ aux.length = strlen(keys[K_URI].s);
+ ast_copy_string(aux.value, keys[K_URI].s, sizeof(aux.value));
+ push_digest_attribute(¶ms, &aux);
+
+ /* algo attribute */
+ aux.type = PW_DIGEST_ALGORITHM;
+ aux.length = strlen("MD5");
+ ast_copy_string(aux.value, "MD5", sizeof("MD5"));
+ push_digest_attribute(¶ms, &aux);
+
+ /* Username attribute */
+ aux.type = PW_DIGEST_USER_NAME;
+ aux.length = strlen(keys[K_USER].s);
+ ast_copy_string(aux.value, keys[K_USER].s, sizeof(aux.value));
+ push_digest_attribute(¶ms, &aux);
+
+ retval = ast_digest_authenticate(user, ¶ms);
+ return retval;
+
+ }
+
+ /* overwrite with md5secret for backward compatibility */
+ if (!ast_strlen_zero(md5secret)) {
ast_copy_string(a1_hash, md5secret, sizeof(a1_hash));
- else {
- char a1[256];
- snprintf(a1, sizeof(a1), "%s:%s:%s", username, global_realm, secret);
- ast_md5_hash(a1_hash, a1);
}
/* compute the expected response to compare with what we received */
Added: team/oej/res_auth/include/asterisk/auth.h
URL: http://svn.digium.com/view/asterisk/team/oej/res_auth/include/asterisk/auth.h?rev=15365&view=auto
==============================================================================
--- team/oej/res_auth/include/asterisk/auth.h (added)
+++ team/oej/res_auth/include/asterisk/auth.h Mon Mar 27 16:30:13 2006
@@ -1,0 +1,84 @@
+/*
+ * Asterisk -- An open source telephony toolkit.
+ *
+ * Copyright (C) 1999 - 2006, Digium, Inc.
+ *
+ * Mark Spencer <markster at digium.com>
+ *
+ * See http://www.asterisk.org for more information about
+ * the Asterisk project. Please do not directly contact
+ * any of the maintainers of this project for assistance;
+ * the project provides a web site, mailing lists and IRC
+ * channels for your use.
+ *
+ * This program is free software, distributed under the terms of
+ * the GNU General Public License Version 2. See the LICENSE file
+ * at the top of the source tree.
+ */
+
+/*! \file
+ * \brief User Authentication Module
+ */
+
+#ifdef HAVE_RADIUS_CLIENT_H
+#include <radiusclient-ng.h>
+
+#ifndef RC_CONFIG_FILE
+#define RC_CONFIG_FILE "/usr/local/etc/radiusclient-ng/radiusclient.conf"
+#endif
+
+#endif /* HAVE_RADIUS_CLIENT_H */
+
+
+/* define these attributes if we don't have the header file */
+#ifndef HAVE_RADIUS_CLIENT_H
+#define PW_DIGEST_REALM 1063 /* string */
+#define PW_DIGEST_NONCE 1064 /* string */
+#define PW_DIGEST_METHOD 1065 /* string */
+#define PW_DIGEST_URI 1066 /* string */
+#define PW_DIGEST_QOP 1067 /* string */
+#define PW_DIGEST_ALGORITHM 1068 /* string */
+#define PW_DIGEST_BODY_DIGEST 1069 /* string */
+#define PW_DIGEST_CNONCE 1070 /* string */
+#define PW_DIGEST_NONCE_COUNT 1071 /* string */
+#define PW_DIGEST_USER_NAME 1072 /* string */
+#endif
+
+
+#define MAX_DIGEST_ATTRS 10 /* The maximum number of digest attributes in the RADIUS request we might send */
+
+typedef struct digest_attr {
+ unsigned short type;
+ char length;
+ char value[256];
+} digest_attr_t;
+
+struct digest_parameters {
+ char digest_response[32];
+ int num_attrs;
+ digest_attr_t d_attrs_list[MAX_DIGEST_ATTRS];
+};
+
+
+
+#define AUTH_ERR -1
+
+#define AUTH_LOCAL (1 << 0)
+#define AUTH_LDAP (1 << 1)
+#define AUTH_PAM (1 << 2)
+#define AUTH_RADIUS (1 << 3)
+
+#define PW_SET (1 << 4)
+#define PW_CLEAR (1 << 5)
+#define PW_DIGEST_HA1 (1 << 6)
+#define PW_IAX_MD5 (1 << 7)
+#define PW_MD5 (1 << 8)
+
+int ast_parse_secret(const char*, const char *, char *);
+
+char* ast_get_auth(const char *);
+
+int push_digest_attribute(struct digest_parameters* , digest_attr_t*);
+
+int ast_digest_authenticate(const char*, struct digest_parameters *);
+
Propchange: team/oej/res_auth/include/asterisk/auth.h
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: team/oej/res_auth/include/asterisk/auth.h
------------------------------------------------------------------------------
svn:keywords = Author Date Id Revision
Propchange: team/oej/res_auth/include/asterisk/auth.h
------------------------------------------------------------------------------
svn:mime-type = text/plain
Added: team/oej/res_auth/res/res_auth.c
URL: http://svn.digium.com/view/asterisk/team/oej/res_auth/res/res_auth.c?rev=15365&view=auto
==============================================================================
--- team/oej/res_auth/res/res_auth.c (added)
+++ team/oej/res_auth/res/res_auth.c Mon Mar 27 16:30:13 2006
@@ -1,0 +1,275 @@
+/*
+ * Asterisk -- An open source telephony toolkit.
+ *
+ * Copyright (C) 1999 - 2006, Digium, Inc.
+ *
+ * Mark Spencer <markster at digium.com>
+ *
+ * See http://www.asterisk.org for more information about
+ * the Asterisk project. Please do not directly contact
+ * any of the maintainers of this project for assistance;
+ * the project provides a web site, mailing lists and IRC
+ * channels for your use.
+ *
+ * This program is free software, distributed under the terms of
+ * the GNU General Public License Version 2. See the LICENSE file
+ * at the top of the source tree.
+ */
+
+/*! \file
+ *
+ * \brief User Authentication Module
+ *
+ */
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <unistd.h>
+#include <string.h>
+#include <errno.h>
+
+#include "asterisk.h"
+
+ASTERISK_FILE_VERSION(__FILE__, "$Rev$")
+
+#include "asterisk/logger.h"
+#include "asterisk/config.h"
+#include "asterisk/pbx.h"
+#include "asterisk/module.h"
+#include "asterisk/cli.h"
+#include "asterisk/lock.h"
+#include "asterisk/md5.h"
+#include "asterisk/astobj.h"
+#include "asterisk/utils.h"
+#include "asterisk/auth.h"
+
+static char *tdesc = "User Authentication Resource";
+
+#ifdef HAVE_RADIUS_CLIENT_H
+AST_MUTEX_DEFINE_STATIC(rc_lock);
+
+static rc_handle *rh = NULL;
+#endif
+
+/*! \brief Parses the secret configuration string for Asterisk resources
+ The user credentials format should be in the form :
+ <auth>:[pw_form]:[password]
+
+ 'auth' refers to the authentication protocol used to either
+ effectively authenticate the user (ex : radius, pam), or to
+ retrieve a password string from an external source (ex : ldap, sql).
+ In the latter case, the configuration info needed to connect to the
+ external source should be provided in config files.
+
+ 'pw_form' : the password storage form : clear or md5 (or even RSA?).
+
+ 'password' : the password string, or its MD5 hash, (or its location
+ if pw_form == rsa?)
+
+ \param username the user we want to authenticate
+ \param secret the string that needs parsing
+ \param pwd set to the fetch password if applicable, NULL instead
+
+ \return a set of flags that needs to be interpreted by the resource
+ asking for authentication
+*/
+
+int ast_parse_secret(const char *username, const char *secret, char *pwd)
+{
+ char auth[256];
+ char *pw_form;
+ char *password;
+ unsigned int res = 0;
+ struct ast_flags locflags = {0};
+
+ ast_copy_string(auth, secret, sizeof(auth));
+
+ /* split the auth string into pieces */
+ pw_form = strchr(auth, ':');
+ if (pw_form) {
+ *pw_form = '\0';
+ pw_form++;
+
+ password = strchr(pw_form, ':');
+ if (password) {
+ *password = '\0';
+ password ++;
+ ast_copy_string(pwd, password, strlen(password) + 1);
+ ast_set_flag(&locflags, PW_SET);
+ }
+
+ }
+ else {
+ /* let's kindly accept old formatted secrets */
+ ast_copy_string(pwd, secret, strlen(secret) + 1);
+ ast_set_flag(&locflags, AUTH_LOCAL);
+ ast_set_flag(&locflags, PW_SET);
+ ast_set_flag(&locflags, PW_CLEAR);
+
+ res = locflags.flags;
+ return res;
+ }
+
+ /* check 'auth' string */
+ if (!ast_strlen_zero(auth)) {
+ if (!strcasecmp(auth, "local")) {
+ ast_set_flag(&locflags, AUTH_LOCAL);
+ }
+ else if (!strcasecmp(auth, "ldap")) {
+ ast_set_flag(&locflags, AUTH_LDAP);
+ }
+ else if (!strcasecmp(auth, "radius")) {
+ ast_set_flag(&locflags, AUTH_RADIUS);
+ }
+ else if (!strcasecmp(auth, "pam")) {
+ ast_set_flag(&locflags, AUTH_PAM);
+ }
+ else {
+ res = AUTH_ERR;
+ }
+ }
+
+ /* check pw_form */
+ if (!ast_strlen_zero(pw_form)) {
+ if (!strcasecmp(pw_form, "clear")) {
+ ast_set_flag(&locflags, PW_CLEAR);
+ }
+ if (!strcasecmp(pw_form, "md5")) {
+ ast_set_flag(&locflags, PW_MD5);
+ }
+ }
+
+ res = locflags.flags;
+ return res;
+}
+
+char *ast_get_auth(const char *userid)
+{
+ char *pwd = NULL;
+ return pwd;
+}
+
+/*!\brief A utility function that helps filling correctly a digest_parameters
+ structure
+*/
+int push_digest_attribute(struct digest_parameters *params, digest_attr_t *attr)
+{
+ params->d_attrs_list[params->num_attrs].type = attr->type;
+ params->d_attrs_list[params->num_attrs].length = attr->length;
+ strncpy(params->d_attrs_list[params->num_attrs].value, attr->value, sizeof(attr->value));
+ params->num_attrs ++;
+ return 1;
+}
+
+#ifdef HAVE_RADIUS_CLIENT_H
+/*!\brief Authenticate using the radiusclient-ng library
+ Acting as a RADIUS client, Asterisk sends a RADIUS authentication request
+ to a RADIUS server, and waits for the answer.
+
+ The RADIUS client configuration file location is set in RC_CONFIG_FILE
+
+ \param user the user we want to authenticate
+ \param params a structure that contains the RADIUS attributes needed
+ to build the authentication request
+
+ \return -1 on error, 0 on authentication success
+ */
+int ast_digest_authenticate(const char* user, struct digest_parameters *params)
+{
+ int res;
+ int i;
+ struct digest_parameters aux;
+ VALUE_PAIR *send, *received;
+ char msg[4096];
+
+ ast_mutex_lock(&rc_lock);
+
+ send = NULL;
+
+ aux.num_attrs = params->num_attrs;
+
+ /* Add a User-Name attribute */
+ if (rc_avpair_add(rh, &send, PW_USER_NAME, (char *)user, -1, 0) == NULL) {
+ return -1;
+ }
+
+ /* Fill in Digest-Response */
+ ast_copy_string(aux.digest_response, params->digest_response, sizeof(aux.digest_response));
+ if (rc_avpair_add(rh, &send, PW_DIGEST_RESPONSE, aux.digest_response, 32, 0) == NULL) {
+ return -1;
+ }
+
+ /*
+ * Fill in Digest attributes
+ */
+ for (i = 0; i < aux.num_attrs; i++) {
+ aux.d_attrs_list[i].type = params->d_attrs_list[i].type;
+ aux.d_attrs_list[i].length = params->d_attrs_list[i].length;
+ ast_copy_string(aux.d_attrs_list[i].value, params->d_attrs_list[i].value, sizeof(params->d_attrs_list[i].value));
+
+ /* Add the digest attribute to the RADIUS request */
+ if (rc_avpair_add(rh, &send, aux.d_attrs_list[i].type, aux.d_attrs_list[i].value, aux.d_attrs_list[i].length, 0) == NULL) {
+ return -1;
+ }
+
+ }
+
+ res = rc_auth(rh, 0, send, &received, msg);
+
+ /* free resources */
+ rc_avpair_free(send);
+ if (received)
+ rc_avpair_free(received);
+
+ ast_mutex_unlock(&rc_lock);
+
+ /* send result */
+ return res;
+}
+#endif /* HAVE_RADIUS_CLIENT_H */
+
+char *description(void)
+{
+ return tdesc;
+}
+
+int usecount(void)
+{
+ return 1;
+}
+
+char *key()
+{
+ return ASTERISK_GPL_KEY;
+}
+
+int unload_module(void)
+{
+ ast_log(LOG_NOTICE, "res_auth unloaded.\n");
+ return 0;
+}
+
+int load_module(void)
+{
+#ifdef HAVE_RADIUS_CLIENT_H
+ /* start logging */
+ rc_openlog("asterisk");
+
+ /* read radiusclient-ng config file */
+ if ((rh = rc_read_config(RC_CONFIG_FILE)) == NULL) {
+ ast_log(LOG_NOTICE, "Cannot load radiusclient-ng configuration file %s.\n", RC_CONFIG_FILE);
+ return -1;
+ }
+
+ /* read radiusclient-ng dictionaries */
+ if (rc_read_dictionary(rh, rc_conf_str(rh, "dictionary")) != 0) {
+ ast_log(LOG_NOTICE, "Cannot load radiusclient-ng dictionary file.\n");
+ return -1;
+ }
+
+#endif /* HAVE_RADIUS_CLIENT_H */
+
+ ast_log(LOG_NOTICE, "res_auth loaded.\n");
+ return 0;
+}
+
Propchange: team/oej/res_auth/res/res_auth.c
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: team/oej/res_auth/res/res_auth.c
------------------------------------------------------------------------------
svn:keywords = Author Date Id Revision
Propchange: team/oej/res_auth/res/res_auth.c
------------------------------------------------------------------------------
svn:mime-type = text/plain
More information about the asterisk-commits
mailing list