From 0499dc21c5991f156a29bc499e73779405bae89b Mon Sep 17 00:00:00 2001 From: bitbashing Date: Thu, 3 Dec 2020 17:51:46 -0800 Subject: [PATCH] if the check response fails due to the nonce re-challenge (#143) (cherry picked from commit 59888e04291a6ff90dddda7e44b1f6e4f6bfe911) --- kamailio/authorization.cfg | 95 +++++++++++++++++++++----------------- 1 file changed, 52 insertions(+), 43 deletions(-) diff --git a/kamailio/authorization.cfg b/kamailio/authorization.cfg index 54d7831..ed92312 100644 --- a/kamailio/authorization.cfg +++ b/kamailio/authorization.cfg @@ -50,35 +50,35 @@ route[AUTHORIZATION] route[AUTHORIZATION_CHECK] { - route(AUTHORIZATION_CHECK_TRUSTED); - route(AUTHORIZATION_CHECK_REGISTERED); + route(AUTHORIZATION_CHECK_TRUSTED); + route(AUTHORIZATION_CHECK_REGISTERED); } route[AUTHORIZATION_CHECK_TRUSTED] { - if (isflagset(FLAG_AUTHORIZED)) return; + if (isflagset(FLAG_AUTHORIZED)) return; - if (isflagset(FLAG_TRUSTED_SOURCE)) { - route(SETUP_AUTH_ORIGIN); - route(SETUP_AUTH_TRUSTED); - setflag(FLAG_AUTHORIZED); - } + if (isflagset(FLAG_TRUSTED_SOURCE)) { + route(SETUP_AUTH_ORIGIN); + route(SETUP_AUTH_TRUSTED); + setflag(FLAG_AUTHORIZED); + } } route[AUTHORIZATION_CHECK_REGISTERED] { - if (isflagset(FLAG_AUTHORIZED)) return; + if (isflagset(FLAG_AUTHORIZED)) return; - #!ifdef REGISTRAR_ROLE + #!ifdef REGISTRAR_ROLE $xavp(regcfg=>match_received) = $su; if (registered("location","sip:$Au", 2, 1) == 1) { - route(SETUP_AUTH_ORIGIN); - $xavp(hf[0]=>X-AUTH-Token) = $xavp(ulattrs=>token); - setflag(FLAG_AUTHORIZED); - setflag(FLAG_REGISTERED_ENDPOINT); + route(SETUP_AUTH_ORIGIN); + $xavp(hf[0]=>X-AUTH-Token) = $xavp(ulattrs=>token); + setflag(FLAG_AUTHORIZED); + setflag(FLAG_REGISTERED_ENDPOINT); } - #!endif + #!endif } 
@@ -86,10 +86,10 @@ route[AUTHORIZATION_CHECK_REGISTERED] route[HANDLE_AUTHORIZATION] { - if(!is_present_hf("Proxy-Authorization")) { - route(MAIN); - exit; - } + if(!is_present_hf("Proxy-Authorization")) { + route(MAIN); + exit; + } if (!is_method("INVITE|REFER|MESSAGE|NOTIFY|SUBSCRIBE|PUBLISH")) { consume_credentials(); 
@@ -138,31 +138,42 @@ onreply_route[KZ_AUTHORIZATION_CHECK_REPLY] xlog("L_INFO", "$ci|auth|received $(kzR{kz.json,Event-Category}) $(kzR{kz.json,Event-Name}) reply from $(kzR{kz.json,App-Name})-$(kzR{kz.json,App-Version}) (Δ1 $(kzR{kz.json,AMQP-Elapsed-Micro}) μs , Δ2 $var(delta_to_start) μs, Δ3 $var(delta_from_query) μs)\n"); $var(password) = $(kzR{kz.json,Auth-Password}); if( $(kzR{kz.json,Event-Name}) == "authn_err" ) { - update_stat("auth:authn_err", "+1"); + update_stat("auth:authn_err", "+1"); t_reply("403", "Forbidden"); exit; } else if( $(kzR{kz.json,Event-Name}) == "authn_resp" ) { update_stat("auth:authn_resp", "+1"); route(KZ_AUTHORIZATION_CHECK_RESPONSE); } else { - update_stat("auth:authn_unknown", "+1"); - xlog("L_INFO", "$ci|auth|unhandle response from directory $Au via $(kzR{kz.json,App-Name})-$(kzR{kz.json,App-Version})\n"); - t_reply("403", "Forbidden"); - exit; + update_stat("auth:authn_unknown", "+1"); + xlog("L_INFO", "$ci|auth|unhandle response from directory $Au via $(kzR{kz.json,App-Name})-$(kzR{kz.json,App-Version})\n"); + t_reply("403", "Forbidden"); + exit; } } route[KZ_AUTHORIZATION_CHECK_RESPONSE] { - if (!pv_auth_check("$fd", "$var(password)", "0", "0")) { - #!ifdef ANTIFLOOD_ROLE - route(ANITFLOOD_FAILED_AUTH); - #!endif - - xlog("L_WARNING", "$ci|end|auth|$mbu\n"); - send_reply("403", "Forbidden"); - exit; - } + $var(retcode) = pv_auth_check("$fd", "$var(password)", "0", "0"); + + if (!$var(retcode)) { + xlog("L_WARNING", "$ci|end|auth failed $var(retcode)\n$mbu\n"); + switch($var(retcode)) { + case -4: + case -5: + case -6: + xlog("L_INFO", "$ci|end|auth check failed due to nonce or missing creds, challenging\n"); + auth_challenge("$fd", "1"); + exit; + break; + default: + #!ifdef ANTIFLOOD_ROLE + route(ANITFLOOD_FAILED_AUTH); + #!endif + send_reply("403", "Forbidden"); + exit; + } + } consume_credentials(); route(SETUP_AUTH_ORIGIN); 
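Review bot: The switch on `$var(retcode)` in KZ_AUTHORIZATION_CHECK_RESPONSE probably never reaches the -4/-5/-6 cases: as far as I recall, a function call used as an rvalue in a Kamailio expression is folded to a boolean (1 for a positive return, 0 otherwise), so every failure would log `auth failed 0` and fall into the `default:` 403 branch, which is exactly the pre-patch behaviour. The real code is exposed through `$rc`; call first, then read it: `pv_auth_check("$fd", "$var(password)", "0", "0");` followed by `$var(retcode) = $rc;`. Once the nonce cases do match, the `xlog("L_WARNING", ... $mbu ...)` dump fires on every expired-nonce re-challenge, a routine event for long-lived clients, and writes the full request including the digest response into the log; moving that line into the `default:` branch keeps the challenge path at `L_INFO`. A reused nonce (-6) is a different signal from an expired one (-4) and is worth its own `update_stat` counter even when it is answered with a fresh challenge, so the antiflood/statistics side still sees it. The `break` after `exit` is unreachable and can be dropped; the route body continues past the hunk.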
@@ -175,31 +186,30 @@ route[KZ_AUTHORIZATION_CHECK_RESPONSE] route[SETUP_AUTH_ORIGIN] { - $xavp(hf=>X-AUTH-IP) = $si; + $xavp(hf=>X-AUTH-IP) = $si; $xavp(hf[0]=>X-AUTH-PORT) = $sp; } route[SETUP_AUTH_AOR] { - if ($avp(is_registered) == "true") return; + if ($avp(is_registered) == "true") return; - #!ifdef REGISTRAR_ROLE + #!ifdef REGISTRAR_ROLE $xavp(regcfg=>match_received) = $su; if (registered("location","sip:$Au", 2, 1) == 1) { - $avp(is_registered) = "true"; + $avp(is_registered) = "true"; } #!endif } route[SETUP_AUTH_TRUSTED] { - - if (isflagset(FLAG_TRUSTED_SOURCE)) { - $xavp(hf[0]=>X-AUTH-Token) = $avp(trusted_x_header); - $xavp(hf[0]=>X-AUTH-URI-User) = $rU; + if (isflagset(FLAG_TRUSTED_SOURCE)) { + $xavp(hf[0]=>X-AUTH-Token) = $avp(trusted_x_header); + $xavp(hf[0]=>X-AUTH-URI-User) = $rU; $xavp(hf[0]=>X-AUTH-URI-Realm) = $rd; if(is_present_hf("P-Asserted-Identity") && $(ai{uri.user}) != "") { - $xavp(hf[0]=>X-AUTH-From-User) = $(ai{uri.user}); + $xavp(hf[0]=>X-AUTH-From-User) = $(ai{uri.user}); } else if(is_present_hf("P-Preferred-Identity") && $pU != "") { $xavp(hf[0]=>X-AUTH-From-User) = $pU; } else if(is_present_hf("Remote-Party-ID") && $(re{uri.user}) != "") { @@ -216,7 +226,6 @@ route[SETUP_AUTH_TRUSTED] } setflag(FLAG_AUTHORIZED); } - } route[AUTH_HEADERS_JSON]