
modules_k/auth_radius: module is now using api from modules_s/auth

Juha Heinanen authored on 02/07/2010 13:53:33
Showing 7 changed files
... ...
@@ -22,42 +22,41 @@ Jan Janak
22 22
 
23 23
    <jan@iptel.org>
24 24
 
25
-   Copyright � 2002, 2003 FhG FOKUS
25
+   Copyright © 2002, 2003 FhG FOKUS
26 26
 
27
-   Copyright � 2005 voice-system.ro
27
+   Copyright © 2005 voice-system.ro
28 28
 
29
-   Copyright � 2008 Juha Heinanen
29
+   Copyright © 2008 Juha Heinanen
30 30
    Revision History
31
-   Revision $Revision$ $Date: 2008-03-08 01:03:56 +0200
32
-                              (Sat, 08 Mar 2008) $
33
-     __________________________________________________________
31
+   Revision $Revision$ $Date$
32
+     __________________________________________________________________
34 33
 
35 34
    Table of Contents
36 35
 
37 36
    1. Admin Guide
38 37
 
39
-        1.1. Overview
40
-        1.2. Additional Credentials
41
-        1.3. Dependencies
38
+        1. Overview
39
+        2. Additional Credentials
40
+        3. Dependencies
42 41
 
43
-              1.3.1. Kamailio Modules
44
-              1.3.2. External Libraries or Applications
42
+              3.1. Modules
43
+              3.2. External Libraries or Applications
45 44
 
46
-        1.4. Exported Parameters
45
+        4. Exported Parameters
47 46
 
48
-              1.4.1. radius_config (string)
49
-              1.4.2. service_type (integer)
50
-              1.4.3. auth_extra (string)
51
-              1.4.4. use_ruri_flag (integer)
47
+              4.1. radius_config (string)
48
+              4.2. service_type (integer)
49
+              4.3. auth_extra (string)
50
+              4.4. use_ruri_flag (integer)
52 51
 
53
-        1.5. Exported Functions
52
+        5. Exported Functions
54 53
 
55
-              1.5.1. radius_www_authorize(realm)
56
-              1.5.2. radius_proxy_authorize(realm [, uri_user])
54
+              5.1. radius_www_authorize(realm)
55
+              5.2. radius_proxy_authorize(realm [, uri_user])
57 56
 
58 57
    List of Examples
59 58
 
60
-   1.1. "SIP-AVP" RADIUS AVP exmaples
59
+   1.1. “SIP-AVP” RADIUS AVP exmaples
61 60
    1.2. radius_config parameter usage
62 61
    1.3. service_type parameter usage
63 62
    1.4. auth_extra parameter usage
... ...
@@ -67,30 +66,50 @@ Jan Janak
67 66
 
68 67
 Chapter 1. Admin Guide
69 68
 
70
-1.1. Overview
71
-
72
-   This module contains functions that are used to perform
73
-   authentication using a Radius server. Basically the proxy will
74
-   pass along the credentials to the radius server which will in
75
-   turn send a reply containing result of the authentication. So
76
-   basically the whole authentication is done in the Radius
77
-   server. Before sending the request to the radius server we
78
-   perform some sanity checks over the credentials to make sure
79
-   that only well formed credentials will get to the server. We
80
-   have implemented radius authentication according to
81
-   draft-sterman-aaa-sip-00. This module requires radiusclient-ng
82
-   library version 0.5.0 or higher which is available from
69
+   Table of Contents
70
+
71
+   1. Overview
72
+   2. Additional Credentials
73
+   3. Dependencies
74
+
75
+        3.1. Modules
76
+        3.2. External Libraries or Applications
77
+
78
+   4. Exported Parameters
79
+
80
+        4.1. radius_config (string)
81
+        4.2. service_type (integer)
82
+        4.3. auth_extra (string)
83
+        4.4. use_ruri_flag (integer)
84
+
85
+   5. Exported Functions
86
+
87
+        5.1. radius_www_authorize(realm)
88
+        5.2. radius_proxy_authorize(realm [, uri_user])
89
+
90
+1. Overview
91
+
92
+   This module contains functions that are used to perform authentication
93
+   using a Radius server. Basically the proxy will pass along the
94
+   credentials to the radius server which will in turn send a reply
95
+   containing result of the authentication. So basically the whole
96
+   authentication is done in the Radius server. Before sending the request
97
+   to the radius server we perform some sanity checks over the credentials
98
+   to make sure that only well formed credentials will get to the server.
99
+   We have implemented radius authentication according to
100
+   draft-sterman-aaa-sip-00. This module requires radiusclient-ng library
101
+   version 0.5.0 or higher which is available from
83 102
    http://developer.berlios.de/projects/radiusclient-ng/.
84 103
 
85
-1.2. Additional Credentials
104
+2. Additional Credentials
86 105
 
87
-   When performing authentification, the RADIUS server may include
88
-   in the response additional credentials. This scheme is very
89
-   useful in fetching additional user information from the RADIUS
90
-   server without making extra queries.
106
+   When performing authentification, the RADIUS server may include in the
107
+   response additional credentials. This scheme is very useful in fetching
108
+   additional user information from the RADIUS server without making extra
109
+   queries.
91 110
 
92
-   The additional credentials are embedded in the RADIUS reply as
93
-   AVPs "SIP-AVP". The syntax of the value is:
111
+   The additional credentials are embedded in the RADIUS reply as AVPs
112
+   “SIP-AVP”. The syntax of the value is:
94 113
      * value = SIP_AVP_NAME SIP_AVP_VALUE
95 114
      * SIP_AVP_NAME = STRING_NAME | '#'ID_NUMBER
96 115
      * SIP_AVP_VALUE = ':'STRING_VALUE | '#'NUMBER_VALUE
... ...
@@ -100,7 +119,7 @@ Chapter 1. Admin Guide
100 119
 
101 120
    The RPID value may be fetch via this mechanism.
102 121
 
103
-   Example 1.1. "SIP-AVP" RADIUS AVP exmaples
122
+   Example 1.1. “SIP-AVP” RADIUS AVP exmaples
104 123
 ....
105 124
 "email:joe@yahoo.com"
106 125
     - STRING NAME AVP (email) with STRING VALUE (joe@yahoo.com)
... ...
@@ -112,165 +131,186 @@ Chapter 1. Admin Guide
112 131
     - ID AVP (14) with INTEGER VALUE (28)
113 132
 ....
114 133
 
115
-1.3. Dependencies
134
+3. Dependencies
135
+
136
+   3.1. Modules
137
+   3.2. External Libraries or Applications
116 138
 
117
-1.3.1. Kamailio Modules
139
+3.1. Modules
118 140
 
119
-   The module depends on the following modules (in the other words
120
-   the listed modules must be loaded before this module):
121
-     * auth -- Generic authentication functions
141
+   The module depends on the following modules (in the other words the
142
+   listed modules must be loaded before this module):
143
+     * modules_s/auth -- Generic authentication functions
122 144
 
123
-1.3.2. External Libraries or Applications
145
+3.2. External Libraries or Applications
124 146
 
125
-   The following libraries or applications must be installed
126
-   before compilling Kamailio with this module loaded:
127
-     * radiusclient-ng 0.5.0 or higher -- library and development
128
-       files. See
129
-       http://developer.berlios.de/projects/radiusclient-ng/.
147
+   The following libraries or applications must be installed before
148
+   compilling Kamailio with this module loaded:
149
+     * radiusclient-ng 0.5.0 or higher -- library and development files.
150
+       See http://developer.berlios.de/projects/radiusclient-ng/.
130 151
 
131
-1.4. Exported Parameters
152
+4. Exported Parameters
132 153
 
133
-1.4.1. radius_config (string)
154
+   4.1. radius_config (string)
155
+   4.2. service_type (integer)
156
+   4.3. auth_extra (string)
157
+   4.4. use_ruri_flag (integer)
158
+
159
+4.1. radius_config (string)
134 160
 
135 161
    This is the location of the configuration file of radius client
136 162
    libraries.
137 163
 
138
-   Default value is
139
-   "/usr/local/etc/radiusclient-ng/radiusclient.conf".
164
+   Default value is “/usr/local/etc/radiusclient-ng/radiusclient.conf”.
140 165
 
141 166
    Example 1.2. radius_config parameter usage
142 167
 modparam("auth_radius", "radius_config", "/etc/radiusclient.conf")
143 168
 
144
-1.4.2. service_type (integer)
169
+4.2. service_type (integer)
145 170
 
146
-   This is the value of the Service-Type radius attribute to be
147
-   used. The default should be fine for most people. See your
148
-   radius client include files for numbers to be put in this
149
-   parameter if you need to change it.
171
+   This is the value of the Service-Type radius attribute to be used. The
172
+   default should be fine for most people. See your radius client include
173
+   files for numbers to be put in this parameter if you need to change it.
150 174
 
151
-   Default value is "15".
175
+   Default value is “15”.
152 176
 
153 177
    Example 1.3. service_type parameter usage
154 178
 modparam("auth_radius", "service_type", 15)
155 179
 
156
-1.4.3. auth_extra (string)
180
+4.3. auth_extra (string)
157 181
 
158 182
    Semi-colon separated list of extra RADIUS attribute name=pseudo
159
-   variable pairs. When radius_www_authorize() or
160
-   radius_proxy_authorize() function is called, listed extra
161
-   attributes are included in RADIUS request with current values
162
-   of corresponding pseudo variables.
183
+   variable pairs. When radius_www_authorize() or radius_proxy_authorize()
184
+   function is called, listed extra attributes are included in RADIUS
185
+   request with current values of corresponding pseudo variables.
163 186
 
164
-   There is no default value, i.e., by default no extra attributes
165
-   are included.
187
+   There is no default value, i.e., by default no extra attributes are
188
+   included.
166 189
 
167 190
    Example 1.4. auth_extra parameter usage
168 191
 modparam("auth_radius", "auth_extra", "Acct-Session-Id=$ci")
169 192
 
170
-1.4.4. use_ruri_flag (integer)
193
+4.4. use_ruri_flag (integer)
171 194
 
172
-   When this parameter is set to the value other than "-1" and the
173
-   request being authenticated has flag with matching number set
174
-   via setflag() function, use Request URI instead of uri
175
-   parameter value from the Authorization / Proxy-Authorization
176
-   header field to perform RADIUS authentication. This is intended
177
-   to provide workaround for misbehaving NAT / routers / ALGs that
178
-   alter request in the transit, breaking authentication. At the
179
-   time of this writing, certain versions of Linksys WRT54GL are
180
-   known to do that.
195
+   When this parameter is set to the value other than "-1" and the request
196
+   being authenticated has flag with matching number set via setflag()
197
+   function, use Request URI instead of uri parameter value from the
198
+   Authorization / Proxy-Authorization header field to perform RADIUS
199
+   authentication. This is intended to provide workaround for misbehaving
200
+   NAT / routers / ALGs that alter request in the transit, breaking
201
+   authentication. At the time of this writing, certain versions of
202
+   Linksys WRT54GL are known to do that.
181 203
 
182
-   Default value is "-1".
204
+   Default value is “-1”.
183 205
 
184 206
    Example 1.5. use_ruri_flag parameter usage
185 207
 modparam("auth_radius", "use_ruri_flag", 22)
186 208
 
187
-1.5. Exported Functions
209
+5. Exported Functions
210
+
211
+   5.1. radius_www_authorize(realm)
212
+   5.2. radius_proxy_authorize(realm [, uri_user])
188 213
 
189
-1.5.1. radius_www_authorize(realm)
214
+5.1. radius_www_authorize(realm)
190 215
 
191 216
    The function verifies credentials according to RFC2617. If the
192
-   credentials are verified successfully then the function will
193
-   succeed and mark the credentials as authorized (marked
194
-   credentials can be later used by some other functions). If the
195
-   function was unable to verify the credentials for some reason
196
-   then it will fail and the script should call www_challenge
197
-   which will challenge the user again.
217
+   credentials are verified successfully then the function will succeed
218
+   and mark the credentials as authorized (marked credentials can be later
219
+   used by some other functions).
220
+
221
+   If the function was unable to verify the credentials for some reason,
222
+   it fails and assigns a WWW-Authorize header containing a new challenge
223
+   to digest_challenge AVP (see modules_s/auth). The script should then
224
+   respond with 401 that includes this header, which will challenge the
225
+   user again.
198 226
 
199 227
    Negative codes may be interpreted as follows:
200
-     * -5 (generic error) - some generic error occurred and no
201
-       reply was sent out;
202
-     * -4 (no credentials) - credentials were not found in
203
-       request;
228
+     * -5 (internal error) - some internal error occurred;
229
+     * -4 (no credentials) - credentials were not found in request;
204 230
      * -3 (stale nonce) - stale nonce;
231
+     * -2 (bad request) - something wrong in request, for example,
232
+       credentials were not filled properly;
233
+     * -1 (authorization failed) - RADIUS responded with Access Reject
205 234
 
206
-   This function will, in fact, perform sanity checks over the
207
-   received credentials and then pass them along to the radius
208
-   server which will verify the credentials and return whether
209
-   they are valid or not.
235
+   This function will, in fact, perform sanity checks over the received
236
+   credentials and then pass them along to the radius server which will
237
+   verify the credentials and return whether they are valid or not.
210 238
 
211 239
    Meaning of the parameter is as follows:
212
-     * realm - Realm is a opaque string that the user agent should
213
-       present to the user so he can decide what username and
214
-       password to use. Usually this is domain of the host the
215
-       server is running on.
216
-       If an empty string "" is used then the server will generate
217
-       it from the request. In case of REGISTER requests To header
218
-       field domain will be used (because this header field
219
-       represents a user being registered), for all other messages
220
-       From header field domain will be used.
240
+     * realm - Realm is a opaque string that the user agent should present
241
+       to the user so he can decide what username and password to use. In
242
+       case of REGISTER requests it is usually hostpart of To URI.
221 243
        The string may contain pseudo variables.
222 244
 
223 245
    This function can be used from REQUEST_ROUTE.
224 246
 
225 247
    Example 1.6. radius_www_authorize usage
226 248
 ...
227
-if (!radius_www_authorize("siphub.net")) {
228
-        www_challenge("siphub.net", "1");
229
-};
249
+    if (!radius_www_authorize("$td")) {
250
+    switch ($rc) {
251
+    case -5:
252
+        send_reply("500", "Server Internal Error");
253
+        exit;
254
+    case -2:
255
+        send_reply("400", "Bad Request");
256
+        exit;
257
+    default:
258
+    };
259
+    if (defined($avp(digest_challenge)) &&
260
+            ($avp(digest_challenge) != "")) {
261
+        append_to_reply("$avp(digest_challenge)");
262
+    };
263
+    send_reply("401", "Unauthorized");
264
+    exit;
230 265
 ...
231 266
 
232
-1.5.2. radius_proxy_authorize(realm [, uri_user])
267
+5.2. radius_proxy_authorize(realm [, uri_user])
233 268
 
234 269
    The function verifies credentials according to RFC2617. If the
235
-   credentials are verified successfully then the function will
236
-   succeed and mark the credentials as authorized (marked
237
-   credentials can be later used by some other functions). If the
238
-   function was unable to verify the credentials for some reason
239
-   then it will fail and the script should call proxy_challenge
240
-   which will challenge the user again. For more about the
241
-   negative return codes, see the above function.
242
-
243
-   This function will, in fact, perform sanity checks over the
244
-   received credentials and then pass them along to the radius
245
-   server which will verify the credentials and return whether
246
-   they are valid or not.
270
+   credentials are verified successfully then the function will succeed
271
+   and mark the credentials as authorized (marked credentials can be later
272
+   used by some other functions).
273
+
274
+   If the function was unable to verify the credentials for some reason,
275
+   it fails and assigns a WWW-Authorize header containing a new challenge
276
+   to digest_challenge AVP. The script should then respond with 407 that
277
+   includes this header, which will challenge the user again. For more
278
+   about the negative return codes, see the above function.
279
+
280
+   This function will, in fact, perform sanity checks over the received
281
+   credentials and then pass them along to the radius server which will
282
+   verify the credentials and return whether they are valid or not.
247 283
 
248 284
    Meaning of the parameters is as follows:
249
-     * realm - Realm is a opaque string that the user agent should
250
-       present to the user so he can decide what username and
251
-       password to use. This is usually one of the domains the
252
-       proxy is responsible for. If an empty string "" is used
253
-       then the server will generate realm from host part of From
254
-       header field URI.
285
+     * realm - Realm is a opaque string that the user agent should present
286
+       to the user so he can decide what username and password to use. In
287
+       case of non-REGISTER requests it is usually hostpart of From or
288
+       P-Preferred-Identity URI.
255 289
        The string may contain pseudo variables.
256
-     * uri_user - Uri_user is an optional pseudo variable
257
-       parameter whose value, if present, will be given to Radius
258
-       server as value of SIP-URI-User check item. If uri_user
259
-       pseudo variable parameter is not present, the server will
260
-       generate SIP-URI-User check item value from user part of
261
-       To/From URI.
290
+     * uri_user - Uri_user is an optional pseudo variable parameter whose
291
+       value, if present, will be given to Radius server as value of
292
+       SIP-URI-User check item. If uri_user pseudo variable parameter is
293
+       not present, the server will generate SIP-URI-User check item value
294
+       from user part of To/From URI.
262 295
 
263 296
    This function can be used from REQUEST_ROUTE.
264 297
 
265 298
    Example 1.7. proxy_authorize usage
266 299
 ...
267
-if (!radius_proxy_authorize("")) {   # Realm and URI user will be autoge
268
-nerated
269
-        proxy_challenge("", "1");
270
-};
271
-...
272
-if (!radius_proxy_authorize("$pd", "$pU")) { # Realm and URI user are ta
273
-ken
274
-        proxy_challenge("$pd", "1");         # from P-Preferred-Identity
275
-};                                           # header field
300
+    if (!radius_proxy_authorize("$pd", "$pU")) { # Realm and URI user are taken
301
+    switch ($rc) {                               # from P-Preferred-Identity
302
+    case -5:                                     # header field
303
+        send_reply("500", "Server Internal Error");
304
+        exit;
305
+    case -2:
306
+        send_reply("400", "Bad Request");
307
+        exit;
308
+    default:
309
+    };
310
+    if (defined($avp(digest_challenge)) &&
311
+            ($avp(digest_challenge) != "")) {
312
+        append_to_reply("$avp(digest_challenge)");
313
+    };
314
+    send_reply("407", "Proxy Authentication Required");
315
+    exit;
276 316
 ...
... ...
@@ -4,6 +4,7 @@
4 4
  * Digest Authentication - Radius support
5 5
  *
6 6
  * Copyright (C) 2001-2003 FhG Fokus
7
+ * Copyright (C) 2010 Juha Heinanen
7 8
  *
8 9
  * This file is part of Kamailio, a free SIP server.
9 10
  *
... ...
@@ -41,7 +42,7 @@
41 42
 #include "../../dprint.h"
42 43
 #include "../../ut.h"
43 44
 #include "../../pvar.h"
44
-#include "../../modules_k/auth/api.h"
45
+#include "../../modules_s/auth/api.h"
45 46
 #include "authorize.h"
46 47
 #include "sterman.h"
47 48
 #include "authrad_mod.h"
... ...
@@ -77,7 +78,7 @@ static inline int get_uri_user(struct sip_msg* _m, str** _uri_user)
77 78
  * Authorize digest credentials
78 79
  */
79 80
 static inline int authorize(struct sip_msg* _msg, pv_elem_t* _realm,
80
-			    pv_spec_t * _uri_user, int _hftype)
81
+			    pv_spec_t * _uri_user, hdr_types_t _hftype)
81 82
 {
82 83
     int res;
83 84
     auth_result_t ret;
... ...
@@ -87,22 +88,47 @@ static inline int authorize(struct sip_msg* _msg, pv_elem_t* _realm,
87 88
     str user, domain;
88 89
     pv_value_t pv_val;
89 90
 
91
+    cred = 0;
92
+    ret = -1;
93
+    user.s = 0;
94
+
90 95
     /* get pre_auth domain from _realm pvar (if exists) */
91 96
     if (_realm) {
92
-	if (pv_printf_s(_msg, _realm, &domain)!=0) {
97
+	if (pv_printf_s(_msg, _realm, &domain) != 0) {
93 98
 	    LM_ERR("pv_printf_s failed\n");
94
-	    return AUTH_ERROR;
99
+	    return -5;
95 100
 	}
96 101
     } else {
97
-	/* get pre_auth domain from To/From header */
98 102
 	domain.len = 0;
99 103
 	domain.s = 0;
100 104
     }
101 105
 
102
-    ret = auth_api.pre_auth(_msg, &domain, _hftype, &h);
103
-
104
-    if (ret != DO_AUTHORIZATION)
105
-	return ret;
106
+    switch(auth_api.pre_auth(_msg, &domain, _hftype, &h, NULL)) {
107
+    default:
108
+	BUG("unexpected reply '%d'.\n",
109
+	    auth_api.pre_auth(_msg, &domain, _hftype, &h, NULL));
110
+#ifdef EXTRA_DEBUG
111
+	abort();
112
+#endif
113
+	ret = -5;
114
+	goto end;
115
+
116
+    case ERROR:
117
+    case BAD_CREDENTIALS:
118
+	ret = -2;
119
+	goto end;
120
+	
121
+    case NOT_AUTHENTICATED:
122
+	ret = -4;
123
+	goto end;
124
+	
125
+    case DO_AUTHENTICATION:
126
+	break;
127
+	
128
+    case AUTHENTICATED:
129
+	ret = 1;
130
+	goto end;
131
+    }
106 132
 
107 133
     cred = (auth_body_t*)h->parsed;
108 134
 
... ...
@@ -112,39 +138,71 @@ static inline int authorize(struct sip_msg* _msg, pv_elem_t* _realm,
112 138
 	if (pv_get_spec_value(_msg, _uri_user, &pv_val) == 0) {
113 139
 	    if (pv_val.flags & PV_VAL_STR) {
114 140
 		res = radius_authorize_sterman(_msg, &cred->digest, 
115
-					       &_msg->first_line.u.request.method,
141
+					       &_msg->
142
+					       first_line.u.request.method,
116 143
 					       &pv_val.rs);
117 144
 	    } else {
118 145
 		LM_ERR("uri_user pvar value is not string\n");
119
-		return AUTH_ERROR;
146
+		ret = -5;
147
+		goto end;
120 148
 	    }
121 149
 	} else {
122 150
 	    LM_ERR("cannot get uri_user pvar value\n");
123
-	    return AUTH_ERROR;
151
+	    ret = -5;
152
+	    goto end;
124 153
 	}
125 154
     } else {
126 155
 	if (get_uri_user(_msg, &uri_user) < 0) {
127 156
 	    LM_ERR("To/From URI not found\n");
128
-	    return AUTH_ERROR;
157
+	    ret = -2;
158
+	    goto end;
129 159
 	}
130 160
 	user.s = (char *)pkg_malloc(uri_user->len);
131 161
 	if (user.s == NULL) {
132 162
 	    LM_ERR("no pkg memory left for user\n");
133
-	    return AUTH_ERROR;
163
+	    ret = -5;
164
+	    goto end;
134 165
 	}
135 166
 	un_escape(uri_user, &user);
136 167
 	res = radius_authorize_sterman(_msg, &cred->digest, 
137 168
 				       &_msg->first_line.u.request.method,
138 169
 				       &user);
139
-	pkg_free(user.s);
140 170
     }
141 171
 
142 172
     if (res == 1) {
143
-	ret = auth_api.post_auth(_msg, h);
144
-	return ret;
173
+	switch(auth_api.post_auth(_msg, h)) {
174
+	default:
175
+	    BUG("unexpected reply '%d'.\n",
176
+		auth_api.pre_auth(_msg, &domain, _hftype, &h, NULL));
177
+#ifdef EXTRA_DEBUG
178
+	    abort();
179
+#endif
180
+	    ret = -5;
181
+	    break;
182
+	case ERROR:             
183
+	    ret = -2;
184
+	    break;
185
+	case NOT_AUTHENTICATED:
186
+	    ret = -3;
187
+	    break;
188
+	case AUTHENTICATED:
189
+	    ret = 1;
190
+	    break;
191
+	}
192
+    } else {
193
+	ret = -1;
145 194
     }
146 195
 
147
-    return AUTH_ERROR;
196
+ end:
197
+    if (user.s) pkg_free(user.s);
198
+    if (ret < 0) {
199
+	if (auth_api.build_challenge(_msg, (cred ? cred->stale : 0), &domain,
200
+				     NULL, NULL, _hftype) < 0) {
201
+	    LM_ERR("while creating challenge\n");
202
+	    ret = -5;
203
+	}
204
+    }
205
+    return ret;
148 206
 }
149 207
 
150 208
 
... ...
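Review bot: The `default:` arm of each new switch in authorize() calls `auth_api.pre_auth(_msg, &domain, _hftype, &h, NULL)` a second time only to format the BUG() message, so the logged value comes from a fresh call that re-runs the pre-auth step (header parsing included) and may not equal the value that was switched on, and in the post_auth switch the message reports pre_auth's result instead of post_auth's. Capture each result once in a local and log that. Separately, `ret` is declared `auth_result_t` but is assigned plain integers (-5 … 1) that are not enumerators of that type and is compared with `ret < 0` at the `end:` label; since the function returns `int`, declaring `int ret;` avoids depending on the enum's implementation-defined underlying type (presumably signed here because the auth API defines a negative enumerator, but that is not visible in this hunk). authorize() begins before the first of these hunks; only the two switch headers and BUG() calls change, the arms stay as committed.
```c
    auth_result_t pre = auth_api.pre_auth(_msg, &domain, _hftype, &h, NULL);
    switch (pre) {
    default:
	BUG("unexpected reply '%d'.\n", pre);
	/* … unchanged: EXTRA_DEBUG abort, ERROR/BAD_CREDENTIALS/NOT_AUTHENTICATED/DO_AUTHENTICATION/AUTHENTICATED arms … */
    }
    /* … unchanged: credential lookup and radius_authorize_sterman() call … */
    if (res == 1) {
	auth_result_t post = auth_api.post_auth(_msg, h);
	switch (post) {
	default:
	    BUG("unexpected reply '%d'.\n", post);
	    /* … unchanged: EXTRA_DEBUG abort and remaining post_auth arms … */
```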
@@ -52,7 +52,7 @@ struct attr attrs[A_MAX+MAX_EXTRA];
52 52
 struct val vals[V_MAX+MAX_EXTRA];
53 53
 void *rh;
54 54
 
55
-auth_api_k_t auth_api;
55
+auth_api_s_t auth_api;
56 56
 
57 57
 static int mod_init(void);         /* Module initialization function */
58 58
 static int auth_fixup(void** param, int param_no); /* char* -> str* */
... ...
@@ -120,7 +120,7 @@ struct module_exports exports = {
120 120
 static int mod_init(void)
121 121
 {
122 122
 	DICT_VENDOR *vend;
123
-	bind_auth_k_t bind_auth;
123
+	bind_auth_s_t bind_auth;
124 124
 	int n;
125 125
 
126 126
 	if ((rh = rc_read_config(radius_config)) == NULL) {
... ...
@@ -133,7 +133,7 @@ static int mod_init(void)
133 133
 		return -2;
134 134
 	}
135 135
 
136
-	bind_auth = (bind_auth_k_t)find_export("bind_auth_k", 0, 0);
136
+	bind_auth = (bind_auth_s_t)find_export("bind_auth_s", 0, 0);
137 137
 	if (!bind_auth) {
138 138
 		LM_ERR("unable to find bind_auth function. Check if you load the auth module.\n");
139 139
 		return -1;
... ...
@@ -30,7 +30,7 @@
30 30
 #ifndef AUTHRAD_MOD_H
31 31
 #define AUTHRAD_MOD_H
32 32
 
33
-#include "../../modules_k/auth/api.h"
33
+#include "../../modules_s/auth/api.h"
34 34
 #include "../../lib/kcore/radius.h"
35 35
 
36 36
 extern struct attr attrs[];
... ...
@@ -41,6 +41,6 @@ extern struct extra_attr *auth_extra;
41 41
 
42 42
 extern int use_ruri_flag;
43 43
 
44
-extern auth_api_k_t auth_api;
44
+extern auth_api_s_t auth_api;
45 45
 
46 46
 #endif /* AUTHRAD_MOD_H */
... ...
@@ -78,14 +78,15 @@
78 78
 	<section>
79 79
 	<title>Dependencies</title>
80 80
 		<section>
81
-			<title>&kamailio; Modules</title>
81
+			<title>Modules</title>
82 82
 			<para>
83 83
 			The module depends on the following modules (in the other words 
84 84
 			the listed modules must be loaded before this module):
85 85
 			<itemizedlist>
86 86
 				<listitem>
87
-				<para><emphasis>auth</emphasis> -- Generic authentication 
88
-				functions</para>
87
+				<para><emphasis>modules_s/auth</emphasis>
88
+				-- Generic authentication functions
89
+				</para>
89 90
 				</listitem>
90 91
 			</itemizedlist>
91 92
 			</para>
... ...
@@ -198,45 +199,55 @@ modparam("auth_radius", "use_ruri_flag", 22)
198 199
 		<ulink url="http://www.ietf.org/rfc/rfc2617.txt">RFC2617</ulink>. If 
199 200
 		the credentials are verified successfully then the function will 
200 201
 		succeed and mark the credentials as authorized (marked credentials can 
201
-		be later used by some other functions). If the function was unable to 
202
-		verify the credentials for some reason then it will fail and
203
-		the script should call
204
-		<function moreinfo="none">www_challenge</function>
205
-		which will challenge the user again.
202
+		be later used by some other functions).
203
+		</para>
204
+		<para>
205
+		If the function	was unable to  
206
+		verify the credentials for some reason, it fails and
207
+		assigns a WWW-Authorize header containing a new
208
+	challenge to digest_challenge AVP (see modules_s/auth).
209
+	The script should
210
+	then respond with 401 that includes this header, which will
211
+	challenge the user again.
206 212
 		</para>
207 213
 		<para>Negative codes may be interpreted as follows:</para>
208 214
 		<itemizedlist>
209 215
 			<listitem><para>
210
-			<emphasis>-5 (generic error)</emphasis> - some generic error
211
-			occurred and no reply was sent out;
216
+			<emphasis>-5 (internal error)</emphasis> - some
217
+			internal error occurred;
212 218
 			</para></listitem>
213 219
 			<listitem><para>
214
-			<emphasis>-4 (no credentials)</emphasis> - credentials were not
215
-			found in request;
220
+			<emphasis>-4 (no credentials)</emphasis> -
221
+			credentials were not found in request;
216 222
 			</para></listitem>
217 223
 			<listitem><para>
218 224
 			<emphasis>-3 (stale nonce)</emphasis> - stale nonce;
219 225
 			</para></listitem>
226
+			<listitem><para>
227
+			<emphasis>-2 (bad request)</emphasis> -
228
+			something wrong in request, for example, credentials were not filled properly;
229
+			</para></listitem>
230
+			<listitem><para>
231
+			<emphasis>-1 (authorization failed)</emphasis> -
232
+			RADIUS responded with Access Reject
233
+			</para></listitem>
220 234
 		</itemizedlist>
221 235
 		<para>
222
-		This function will, in fact, perform sanity checks over the received 
223
-		credentials and then pass them along to the radius server which will 
236
+		This function will, in fact, perform sanity checks over
237
+	the received  
238
+		credentials and then pass them along to the radius
239
+	server which will  
224 240
 		verify the credentials and return whether they are valid or not.
225 241
 		</para>
226 242
 		<para>Meaning of the parameter is as follows:</para>
227 243
 		<itemizedlist>
228 244
 		<listitem>
229
-			<para><emphasis>realm</emphasis> - Realm is a opaque string that 
230
-			the user agent should present to the user so he can decide what 
231
-			username and password to use. Usually this is domain of the host 
232
-			the server is running on.
233
-			</para>
234
-			<para>
235
-			If an empty string <quote></quote> is used then the server will 
236
-			generate it from the request. In case of REGISTER requests To 
237
-			header field domain will be used (because this header field 
238
-			represents a user being registered), for all other messages From 
239
-			header field domain will be used.
245
+			<para><emphasis>realm</emphasis> - Realm is a
246
+	opaque string that  
247
+			the user agent should present to the user so he
248
+	can decide what  
249
+			username and password to use.  In case of
250
+	REGISTER requests it is usually hostpart of To URI.
240 251
 			</para>
241 252
 			<para>
242 253
 			The string may contain pseudo variables.
... ...
@@ -250,9 +261,22 @@ modparam("auth_radius", "use_ruri_flag", 22)
250 261
 		<title><function moreinfo="none">radius_www_authorize</function> usage</title>
251 262
 		<programlisting format="linespecific">
252 263
 ...
253
-if (!radius_www_authorize("siphub.net")) {
254
-	www_challenge("siphub.net", "1");
255
-};
264
+    if (!radius_www_authorize("$td")) {
265
+    switch ($rc) {
266
+    case -5:
267
+	send_reply("500", "Server Internal Error");
268
+	exit;
269
+    case -2:
270
+        send_reply("400", "Bad Request");
271
+        exit;
272
+    default:
273
+    };
274
+    if (defined($avp(digest_challenge)) &amp;&amp;
275
+            ($avp(digest_challenge) != "")) {
276
+        append_to_reply("$avp(digest_challenge)");
277
+    };
278
+    send_reply("401", "Unauthorized");
279
+    exit;
256 280
 ...
257 281
 </programlisting>
258 282
 		</example>
... ...
@@ -266,10 +290,15 @@ if (!radius_www_authorize("siphub.net")) {
266 290
 		<ulink url="http://www.ietf.org/rfc/rfc2617.txt">RFC2617</ulink>. If 
267 291
 		the credentials are verified successfully then the function will 
268 292
 		succeed and mark the credentials as authorized (marked credentials can 
269
-		be later used by some other functions). If the function was unable to 
270
-		verify the credentials for some reason then it will fail and the script 
271
-		should call <function moreinfo="none">proxy_challenge</function> which 
272
-		will challenge the user again. For more about the negative return 
293
+		be later used by some other functions).  
294
+		</para>
295
+		<para>If the function was unable to  
296
+		verify the credentials for some reason, it fails and
297
+		assigns a WWW-Authorize header containing a new
298
+	challenge to digest_challenge AVP.  The script should
299
+	then respond with 407 that includes this header, which will
300
+	challenge the user again.
301
+		For more about the negative return 
273 302
 		codes, see the above function.
274 303
 		</para>
275 304
 		<para>
... ...
@@ -282,10 +311,9 @@ if (!radius_www_authorize("siphub.net")) {
282 311
 		<listitem>
283 312
 			<para><emphasis>realm</emphasis> - Realm is a opaque string that 
284 313
 			the user agent should present to the user so he can decide what 
285
-			username and password to use.  This is usually
286
-			one of the domains the proxy is responsible for.
287
-			If an empty string <quote></quote> is used then the server will 
288
-			generate realm from host part of From header field URI.
314
+			username and password to use.  In case of
315
+	non-REGISTER requests it is usually hostpart of From or
316
+		P-Preferred-Identity URI.
289 317
 			</para>
290 318
 			<para>
291 319
 			The string may contain pseudo variables.
... ...
@@ -310,13 +338,22 @@ if (!radius_www_authorize("siphub.net")) {
310 338
 		<title><function moreinfo="none">proxy_authorize</function> usage</title>
311 339
 		<programlisting format="linespecific">
312 340
 ...
313
-if (!radius_proxy_authorize("")) {   # Realm and URI user will be autogenerated
314
-	proxy_challenge("", "1");
315
-};
316
-...
317
-if (!radius_proxy_authorize("$pd", "$pU")) { # Realm and URI user are taken
318
-	proxy_challenge("$pd", "1");         # from P-Preferred-Identity
319
-};                                           # header field
341
+    if (!radius_proxy_authorize("$pd", "$pU")) { # Realm and URI user are taken
342
+    switch ($rc) {                               # from P-Preferred-Identity
343
+    case -5:                                     # header field
344
+	send_reply("500", "Server Internal Error");
345
+	exit;
346
+    case -2:
347
+        send_reply("400", "Bad Request");
348
+        exit;
349
+    default:
350
+    };
351
+    if (defined($avp(digest_challenge)) &amp;&amp;
352
+            ($avp(digest_challenge) != "")) {
353
+        append_to_reply("$avp(digest_challenge)");
354
+    };
355
+    send_reply("407", "Proxy Authentication Required");
356
+    exit;
320 357
 ...
321 358
 </programlisting>
322 359
 		</example>
... ...
@@ -35,7 +35,7 @@
35 35
 #include "../../usr_avp.h"
36 36
 #include "../../lib/kcore/radius.h"
37 37
 #include "../../ut.h"
38
-#include "../../modules_k/auth/api.h"
38
+#include "../../modules_s/auth/api.h"
39 39
 #include "sterman.h"
40 40
 #include "authrad_mod.h"
41 41
 #include "extra.h"
... ...
@@ -40,6 +40,7 @@
40 40
  * which can be be used as a check item in the request.  Service type of
41 41
  * the request is Authenticate-Only.
42 42
  */
43
-int radius_authorize_sterman(struct sip_msg* _msg, dig_cred_t* _cred, str* _method, str* _user); 
43
+int radius_authorize_sterman(struct sip_msg* _msg, dig_cred_t* _cred,
44
+			     str* _method, str* _user); 
44 45
 
45 46
 #endif /* STERMAN_H */