[Freeswitch-svn] [commit] r11810 - in freeswitch/trunk/libs/sofia-sip: . libsofia-sip-ua/iptsec
FreeSWITCH SVN
mikej at freeswitch.org
Wed Feb 11 08:53:50 PST 2009
Author: mikej
Date: Wed Feb 11 10:53:49 2009
New Revision: 11810
Log:
Fri Jan 9 14:51:02 CST 2009 Pekka Pessi <first.last at nokia.com>
* auth_client.c: auc_has_authorization() is happy if one scheme is supported
If there were multiple challenges with different authentication schemes,
auc_has_authorization() required that all were supported (and used) before
authentication could proceed.
Modified:
freeswitch/trunk/libs/sofia-sip/.update
freeswitch/trunk/libs/sofia-sip/libsofia-sip-ua/iptsec/auth_client.c
freeswitch/trunk/libs/sofia-sip/libsofia-sip-ua/iptsec/test_auth_digest.c
Modified: freeswitch/trunk/libs/sofia-sip/.update
==============================================================================
--- freeswitch/trunk/libs/sofia-sip/.update (original)
+++ freeswitch/trunk/libs/sofia-sip/.update Wed Feb 11 10:53:49 2009
@@ -1 +1 @@
-Wed Feb 11 10:53:10 CST 2009
+Wed Feb 11 10:53:44 CST 2009
Modified: freeswitch/trunk/libs/sofia-sip/libsofia-sip-ua/iptsec/auth_client.c
==============================================================================
--- freeswitch/trunk/libs/sofia-sip/libsofia-sip-ua/iptsec/auth_client.c (original)
+++ freeswitch/trunk/libs/sofia-sip/libsofia-sip-ua/iptsec/auth_client.c Wed Feb 11 10:53:49 2009
@@ -81,6 +81,8 @@
static int ca_clear_credentials(auth_client_t *ca);
+static int ca_has_authorization(auth_client_t const *ca);
+
/** Initialize authenticators.
*
@@ -175,8 +177,10 @@
ca->ca_credential_class != credential_class)
return 0;
- if (!ca->ca_auc)
+ if (!ca->ca_auc) {
+ ca->ca_credential_class = credential_class;
return 1;
+ }
if (ca->ca_auc->auc_challenge)
stale = ca->ca_auc->auc_challenge(ca, ch);
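Review bot: The added assignment in the `!ca->ca_auc` branch has no comment explaining why a client for an unsupported scheme needs its credential class recorded. From the rest of the commit it appears to be so that auc_has_authorization() can compare `ca->ca_credential_class` against another client for the same realm. A comment such as `/* Remember the class so another scheme for this realm can stand in */` would make that link explicit. The enclosing function starts and ends outside the hunk.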
@@ -536,22 +540,43 @@
*/
int auc_has_authorization(auth_client_t **auc_list)
{
- auth_client_t const *ca;
+ auth_client_t const *ca, *other;
if (auc_list == NULL)
return 0;
- /* Make sure every challenge has credentials */
for (ca = *auc_list; ca; ca = ca->ca_next) {
- if (!ca->ca_user || !ca->ca_pass || !ca->ca_credential_class)
- return 0;
- if (AUTH_CLIENT_IS_EXTENDED(ca) && ca->ca_clear)
- return 0;
+ if (!ca_has_authorization(ca)) {
+ /*
+ * Check if we have another challenge with same realm but different
+ * scheme
+ */
+ for (other = *auc_list; other; other = ca->ca_next) {
+ if (ca == other)
+ continue;
+ if (ca->ca_credential_class == other->ca_credential_class &&
+ su_strcmp(ca->ca_realm, other->ca_realm) == 0 &&
+ ca_has_authorization(other))
+ break;
+ }
+
+ if (!other)
+ return 0;
+ }
}
return 1;
}
+static int
+ca_has_authorization(auth_client_t const *ca)
+{
+ return ca->ca_credential_class &&
+ ca->ca_auc &&
+ ca->ca_user && ca->ca_pass &&
+ !(AUTH_CLIENT_IS_EXTENDED(ca) && ca->ca_clear);
+}
+
/**Authorize a request.
*
* The function auc_authorization() is used to add correct authentication
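Review bot: The inner search loop in auc_has_authorization() advances with `other = ca->ca_next` instead of `other = other->ca_next`, so `other` never walks the list. After the first step it is pinned to ca's successor: if that client does not satisfy the match, the loop never terminates, and clients other than the list head and ca's successor are never examined. The client list appears to be built from the peer's authenticate headers, so a hang here would presumably be reachable from a remote response; the line should read `for (other = *auc_list; other; other = other->ca_next) {`. The new static ca_has_authorization() would also benefit from a one-line comment such as `/* Nonzero if ca has a scheme plugin, a credential class, user and password, and its credentials are not cleared */`.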
@@ -603,6 +628,8 @@
if (!ca->ca_auc)
continue;
+ if (!ca_has_authorization(ca))
+ continue;
if (ca->ca_auc->auc_authorize(ca, home, method, url, body, &h) < 0)
return -1;
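Review bot: The `if (!ca->ca_auc) continue;` test just above the added check is now redundant, because ca_has_authorization() already returns 0 when `ca_auc` is NULL; the same applies to the identical addition in the `@@ -653` hunk. Either drop the older test or keep a single check with a comment saying why such clients are skipped, e.g. `/* Skip challenges we cannot answer; another scheme for the realm may cover them */`. The skip is silent, so it is worth confirming that the return value still tells the caller when a challenge went unanswered, which depends on code outside this hunk. The enclosing function starts and ends outside the hunk.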
@@ -653,6 +680,8 @@
if (!ca->ca_auc)
continue;
+ if (!ca_has_authorization(ca))
+ continue;
if (ca->ca_auc->auc_authorize(ca, home, method, url, body, &h) < 0)
return -1;
Modified: freeswitch/trunk/libs/sofia-sip/libsofia-sip-ua/iptsec/test_auth_digest.c
==============================================================================
--- freeswitch/trunk/libs/sofia-sip/libsofia-sip-ua/iptsec/test_auth_digest.c (original)
+++ freeswitch/trunk/libs/sofia-sip/libsofia-sip-ua/iptsec/test_auth_digest.c Wed Feb 11 10:53:49 2009
@@ -1093,6 +1093,29 @@
auth_mod_destroy(am); deinit_as(as); aucs = NULL;
+ /* Test client with two challenges */
+ au = sip_www_authenticate_make(
+ NULL,
+ "Digest realm=\"test-realm\", "
+ "nonce=\"dcd98b7102dd2f0e8b11d0f600bfb0c093\", "
+ "opaque=\"5ccc069c403ebaf9f0171e9517f40e41\"");
+ au->au_next = sip_www_authenticate_make(
+ NULL,
+ "Not-Digest realm=\"test-realm\", "
+ "zip=\"dcd98b7102dd2f0e8b11d0f600bfb0c093\", "
+ "zap=\"5ccc069c403ebaf9f0171e9517f40e41\"");
+
+ TEST_1(auc_challenge(&aucs, home, (msg_auth_t *)au,
+ sip_authorization_class) >= 1);
+ TEST_1(auc_all_credentials(&aucs, "Digest", "\"test-realm\"",
+ "user", "pass"));
+ msg_header_remove(m2, (void *)sip, (void *)sip->sip_authorization);
+ TEST(auc_authorization(&aucs, m2, (msg_pub_t*)sip, rq->rq_method_name,
+ (url_t *)"sip:surf3 at ims3.so.noklab.net",
+ sip->sip_payload), 1);
+ TEST_1(sip->sip_authorization);
+ aucs = NULL;
+
/* Test asynchronous operation */
aucs = NULL;
TEST_1(am = auth_mod_create(root,
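Review bot: The new test never calls auc_has_authorization(), the function whose behaviour this commit changes; it goes from auc_all_credentials() straight to auc_authorization(). Adding `TEST_1(auc_has_authorization(&aucs));` after the credentials are set would pin the one-supported-scheme case. A variant with the unsupported challenge placed first, or with a third challenge for the same realm, would exercise the inner search loop over more than the last list element. The enclosing test function starts and ends outside the hunk.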