registration.c

Go to the documentation of this file.

/*
 * $Id: registration.c 582 2008-09-05 16:15:51Z vingarzan $
 *  
 * Copyright (C) 2004-2006 FhG Fokus
 *
 * This file is part of Open IMS Core - an open source IMS CSCFs & HSS
 * implementation
 *
 * Open IMS Core is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * For a license to use the Open IMS Core software under conditions
 * other than those described here, or to purchase support for this
 * software, please contact Fraunhofer FOKUS by e-mail at the following
 * addresses:
 *     info@open-ims.org
 *
 * Open IMS Core is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 * 
 * It has to be noted that this Open Source IMS Core System is not 
 * intended to become or act as a product in a commercial context! Its 
 * sole purpose is to provide an IMS core reference implementation for 
 * IMS technology testing and IMS application prototyping for research 
 * purposes, typically performed in IMS test-beds.
 * 
 * Users of the Open Source IMS Core System have to be aware that IMS
 * technology may be subject of patents and licence terms, as being 
 * specified within the various IMS-related IETF, ITU-T, ETSI, and 3GPP
 * standards. Thus all Open IMS Core users have to take notice of this 
 * fact and have to agree to check out carefully before installing, 
 * using and extending the Open Source IMS Core System, if related 
 * patents and licences may become applicable to the intended usage 
 * context.  
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 * 
 */
 
#include "registration.h"

#include "../tm/tm_load.h"
#include "../cdp/cdp_load.h"
#include "sip.h"
#include "cx.h"
#include "cx_avp.h"
#include "conversion.h"
#include "registrar.h"
#include "sip_messages.h" 
#include "rfc2617.h"
#include "s_persistency.h"
#include "ims_pm.h"

extern struct tm_binds tmb;                     
extern struct cdp_binds cdpb;                   
unsigned char registration_default_algorithm_type;  
extern int registration_disable_early_ims;      
extern int registration_disable_nass_bundled;   
extern str scscf_name_str;                      
extern str scscf_service_route;                 
extern int auth_data_hash_size;                 
extern int auth_vector_timeout;                 
extern int auth_data_timeout;                   
extern int av_request_at_once;                  
extern int av_request_at_sync;                  
extern str registration_qop_str;                        
str algorithm_types[] = {
    {"unknown",7},
    {"AKAv1-MD5",9},
    {"AKAv2-MD5",9},
    {"Early-IMS",9},
    {"MD5",3},
    {"CableLabs-Digest",16},
    {"TISPAN-HTTP_DIGEST_MD5",22},
    {"NASS-Bundled",12},
    {0,0}
};

str auth_scheme_types[] = {
    {"unknown",7},
    {"Digest-AKAv1-MD5",16},
    {"Digest-AKAv2-MD5",16},
    {"Early-IMS-Security",18},
    {"Digest-MD5",10},
    {"Digest",6},
    {"HTTP_DIGEST_MD5",15},
    {"NASS-Bundled",12},
    {0,0}   
};

#define get_param(src,name,dst) \
{\
    int i,j;\
    (dst).s=0;(dst).len=0;\
    for(i=0;i<(src).len-(name).len;i++)\
        if (strncasecmp((src).s+i,(name).s,(name).len)==0 &&\
            ((src).s[i-1]==' ' ||(src).s[i-1]==';'||(src).s[i-1]=='\t')){\
            j=i+(name).len;\
            (dst).s = (src).s+j;\
            (dst).len = 0;\
            while(j<(src).len && (src).s[j]!=','&& (src).s[j]!=' '&& (src).s[j]!='\t'&& (src).s[j]!=';') \
                j++;            \
            (dst).len = j-i-(name).len;\
            break;\
        }       \
}

unsigned char get_algorithm_type(str algorithm)
{   
    int i;
    for(i=0;algorithm_types[i].len>0;i++)
        if (algorithm_types[i].len == algorithm.len &&
            strncasecmp(algorithm_types[i].s,algorithm.s,algorithm.len)==0)
        return i;
    return AUTH_UNKNOWN;        
}

unsigned char get_auth_scheme_type(str scheme)
{
    int i;
    for(i=0;auth_scheme_types[i].len>0;i++)
        if (auth_scheme_types[i].len == scheme.len &&
            strncasecmp(auth_scheme_types[i].s,scheme.s,scheme.len)==0)
        return i;
    return AUTH_UNKNOWN;        
}



int S_add_path_service_routes(struct sip_msg *msg,char *str1,char *str2 )
{
    struct hdr_field *h;
    str t={0,0};
    if (parse_headers(msg,HDR_EOH_F,0)<0){
        LOG(L_ERR,"ERR:"M_NAME":S_add_path_service_routes: Error parsing headers\n");
        return CSCF_RETURN_FALSE;
    }
    h = msg->headers;
    while(h){
        if (h->name.len == 4 &&
            strncasecmp(h->name.s,"Path",4)==0)
        {
            t.s = h->name.s;
            t.len = h->len;
            if (!cscf_add_header_rpl(msg,&(t))) return CSCF_RETURN_FALSE;
        }
        h = h->next;
    }
    
    if (!cscf_add_header_rpl(msg,&scscf_service_route)) return CSCF_RETURN_FALSE;

    return CSCF_RETURN_TRUE;
}

static str s_allow_s={"Allow: ",7};
static str s_allow_e={"\r\n",2};
int S_add_allow(struct sip_msg *msg,char *str1,char *str2 )
{
    str hdr={0,0};
    str allow;
    allow.s = str1;
    allow.len = strlen(str1);
    
    hdr.len = s_allow_s.len+allow.len+s_allow_e.len;
    hdr.s = pkg_malloc(hdr.len);
    if (!hdr.s){
        LOG(L_ERR,"ERR:"M_NAME":S_add_allow: Error allocating %d bytes\n",hdr.len);
        return CSCF_RETURN_FALSE;
    }       
    hdr.len = 0;
    STR_APPEND(hdr,s_allow_s);
    STR_APPEND(hdr,allow);
    STR_APPEND(hdr,s_allow_e);
    
    if (!cscf_add_header_rpl(msg,&hdr)) {
        if (hdr.s) pkg_free(hdr.s);
        return CSCF_RETURN_FALSE;
    }
    
    if (hdr.s) pkg_free(hdr.s);
    return CSCF_RETURN_TRUE;
}

static str s_service_route_s = {"Service-Route: <",16};
static str s_service_route_e = {";lr>\r\n",6};
int S_add_service_route(struct sip_msg *msg,char *str1,char *str2 )
{
    str sr={0,0};
    str uri;
    uri.s = str1;
    uri.len = strlen(str1);
    
    sr.len = s_service_route_s.len+uri.len+s_service_route_e.len;
    sr.s = pkg_malloc(sr.len);
    if (!sr.s){
        LOG(L_ERR,"ERR:"M_NAME":S_add_service_route: Error allocating %d bytes\n",sr.len);
        return CSCF_RETURN_FALSE;
    }       
    sr.len = 0;
    STR_APPEND(sr,s_service_route_s);
    STR_APPEND(sr,uri);
    STR_APPEND(sr,s_service_route_e);
    
    if (!cscf_add_header_rpl(msg,&sr)) {
        if (sr.s) pkg_free(sr.s);
        return CSCF_RETURN_FALSE;
    }
    
    if (sr.s) pkg_free(sr.s);
    return CSCF_RETURN_TRUE;
}

static str s_p_charging_function_addresses_s = {"P-Charging-Function-Addresses:",30};
static str s_p_charging_function_addresses_1 = {" ccf=",5};
static str s_p_charging_function_addresses_2 = {" ecf=",5};
static str s_p_charging_function_addresses_3 = {";",1};
static str s_p_charging_function_addresses_e = {"\r\n",2};
int S_add_p_charging_function_addresses(struct sip_msg *msg,char *str1,char *str2 )
{
    str hdr={0,0};
    int ccnt=0,ecnt=0;
    str public_identity;    
    r_public *p=0;
    int ret = CSCF_RETURN_FALSE;
    
    public_identity = cscf_get_public_identity(msg);    
    LOG(L_INFO,"DBG:"M_NAME":S_add_p_charging_function_addresses: Looking for <%.*s>\n",public_identity.len,public_identity.s);
    p = get_r_public(public_identity);
    
    if (!p) {
        LOG(L_INFO,"DBG:"M_NAME":S_add_p_charging_function_addresses: No entry in registrar for <%.*s>\n",public_identity.len,public_identity.s);
        goto done;
    }
    
    ccnt = (p->ccf1.len!=0) + (p->ccf2.len!=0);
    ecnt = (p->ecf1.len!=0) + (p->ecf2.len!=0);     
    if (!(ccnt+ecnt)){
        LOG(L_INFO,"DBG:"M_NAME":S_add_p_charging_function_addresses: <%.*s> has no charging functions storred \n",public_identity.len,public_identity.s);
        goto done;
    }           
    
    hdr.len = s_p_charging_function_addresses_s.len + 
              s_p_charging_function_addresses_1.len * ccnt + p->ccf1.len + p->ccf2.len +
              s_p_charging_function_addresses_2.len * ecnt + p->ecf1.len + p->ecf2.len +
              s_p_charging_function_addresses_3.len * (ccnt+ecnt) +           
              s_p_charging_function_addresses_e.len;
    
    hdr.s = pkg_malloc(hdr.len);
    if (!hdr.s){
        LOG(L_ERR,"ERR:"M_NAME":S_add_p_charging_function_addresses: Error allocating %d bytes\n",hdr.len);
        goto done;
    }       
    hdr.len = 0;
    STR_APPEND(hdr,s_p_charging_function_addresses_s);
    ccnt = 0;
    if (p->ccf1.len) {
        STR_APPEND(hdr,s_p_charging_function_addresses_1);
        STR_APPEND(hdr,p->ccf1);        
        ccnt++;     
    } 
    if (p->ccf2.len) {
        if (ccnt) STR_APPEND(hdr,s_p_charging_function_addresses_3);
        STR_APPEND(hdr,s_p_charging_function_addresses_1);
        STR_APPEND(hdr,p->ccf2);        
        ccnt++;     
    } 
    if (p->ecf1.len) {
        if (ccnt) STR_APPEND(hdr,s_p_charging_function_addresses_3);
        STR_APPEND(hdr,s_p_charging_function_addresses_2);
        STR_APPEND(hdr,p->ecf1);        
        ccnt++;     
    } 
    if (p->ecf2.len) {
        if (ccnt) STR_APPEND(hdr,s_p_charging_function_addresses_3);
        STR_APPEND(hdr,s_p_charging_function_addresses_2);
        STR_APPEND(hdr,p->ecf2);        
        ccnt++;     
    } 
    
    STR_APPEND(hdr,s_p_charging_function_addresses_e);
    
    if (!cscf_add_header_rpl(msg,&hdr)) {
        LOG(L_ERR,"ERR:"M_NAME":S_add_p_charging_function_addresses: Error adding header <%.*s>\n",hdr.len,hdr.s);
        goto done;
    }
    ret = CSCF_RETURN_TRUE;
    
done:   
    if (hdr.s) pkg_free(hdr.s);
    if (p) r_unlock(p->hash);
    return ret;
}


int S_REGISTER_reply(struct sip_msg *msg, int code,  char *text)
{
    struct hdr_field *h;
    str t={0,0};
    if (parse_headers(msg,HDR_EOH_F,0)<0){
        LOG(L_ERR,"ERR:"M_NAME":S_REGISTER_reply: Error parsing headers\n");
        return -1;
    }
    h = msg->headers;
    while(h){
        if (h->name.len == 4 &&
            strncasecmp(h->name.s,"Path",4)==0)
        {
            t.s = h->name.s;
            t.len = h->len;
            cscf_add_header_rpl(msg,&(t));
        }
        h = h->next;
    }
    
    if (code==200){
        cscf_add_header_rpl(msg,&scscf_service_route);
    }
    return cscf_reply_transactional(msg,code,text);
}

int S_check_visited_network_id(struct sip_msg *msg,char *str1,char *str2 )
{
    int ret = CSCF_RETURN_FALSE;
    char c;
    str v={0,0};
    regmatch_t pmatch;
    struct hdr_field *hdr;
    v = cscf_get_visited_network_id(msg,&hdr);
    c = v.s[v.len];
    v.s[v.len] = 0;
    if (regexec(((fparam_t*)str1)->v.regex, v.s, 1, &pmatch, 0)==0) ret = CSCF_RETURN_TRUE;
    v.s[v.len] = c;
    return ret;
}

int S_is_integrity_protected(struct sip_msg *msg,char *str1,char *str2 )
{
    str realm={0,0};
    int ret=0;

    realm.s = str1;realm.len = strlen(str1);
    if (!realm.len) {
        LOG(L_ERR,"ERR:"M_NAME":S_is_integrity_protected: No realm found\n");
        return CSCF_RETURN_BREAK;
    }
    if (cscf_get_integrity_protected(msg,realm)) ret = 1;
    
    LOG(L_DBG,"DBG:"M_NAME":S_is_integrity_protected: returns %d\n",ret);
    
    return ret?CSCF_RETURN_TRUE:CSCF_RETURN_FALSE;
}

static int matchesEarlyIMSIP(str ip,str sent_by)
{
    struct addrinfo *ainfo,*res=0,hints;
    int error;
    char c;
    //int i;
    
    memset (&hints, 0, sizeof(hints));
    
    c = sent_by.s[sent_by.len];
    sent_by.s[sent_by.len]=0;
    
    error = getaddrinfo(sent_by.s, 0, &hints, &res);
    
    sent_by.s[sent_by.len]=c;
    
    if (error!=0){
        LOG(L_ERR,"ERROR:matchesEarlyIMSIP(): Error on getaddrinfo for sent_by = <%.*s>  >%s\n",
            sent_by.len,sent_by.s,gai_strerror(error));
        goto error;
    }
        
    for(ainfo = res;ainfo;ainfo = ainfo->ai_next)
    {   
//      for(i=0;i<ainfo->ai_addrlen;i++)
//          LOG(L_CRIT,">> %2d. \t %3d \t %.02x\n",i,ainfo->ai_addr->sa_data[i],ainfo->ai_addr->sa_data[i]);
        switch (ainfo->ai_family){
            case AF_INET:
                if (ip.len==4&&memcmp(ainfo->ai_addr->sa_data+2,ip.s,4)==0)
                        goto success;
                break;
            case AF_INET6:
                if (ip.len==16&&memcmp(ainfo->ai_addr->sa_data+6,ip.s,16)==0)
                        goto success;
                break;
            default:
                LOG(L_ERR,"ERROR:matchesEarlyIMSIP(): Invalid ai_family %d\n",ainfo->ai_family);            
        }
    }
error:
    if (res) freeaddrinfo(res);      
    return 0;
success:
    if (res) freeaddrinfo(res);      
    return 1;   
}


char *zero_padded="00000000000000000000000000000000";
static str empty_s={0,0};
static str cell_id = {"dsl-location=", 13};
int S_is_authorized(struct sip_msg *msg,char *str1,char *str2 )
{
    int ret=CSCF_RETURN_FALSE;
    unsigned int aud_hash=0;
    str realm;
    str private_identity,public_identity;
    str nonce,response16,nc,cnonce,qop_str={0,0},body;
    enum qop_type qop=QOP_UNSPEC;
    str uri={0,0};
    HASHHEX expected,ha1,hbody;
    int expected_len=32;
    auth_vector *av=0;
    r_public *p=0;
    

    LOG(L_DBG,"DBG:"M_NAME":S_is_authorized: Checking if REGISTER is authorized...\n");
    
    /* First check the parameters */
    if (msg->first_line.type!=SIP_REQUEST||
        msg->first_line.u.request.method.len!=8||
        memcmp(msg->first_line.u.request.method.s,"REGISTER",8)!=0)
    {
        LOG(L_ERR,"ERR:"M_NAME":S_is_authorized: This message is not a REGISTER request\n");
        goto error;
    }       
    realm.s = str1;realm.len = strlen(str1);
    if (!realm.len) {
        LOG(L_ERR,"ERR:"M_NAME":S_is_authorized: No realm found\n");
        return CSCF_RETURN_BREAK;
    }
    
    private_identity = cscf_get_private_identity(msg,realm);
    if (!private_identity.len) {
        LOG(L_ERR,"ERR:"M_NAME":S_is_authorized: private identity missing\n");
        return ret;
    }
    
    public_identity = cscf_get_public_identity(msg);
    if (!public_identity.len) {
        LOG(L_ERR,"ERR:"M_NAME":S_is_authorized: public identity missing\n");       
        return ret;
    }
    
    /* check for Early-IMS case */
    if (!registration_disable_early_ims && !msg->authorization){
        str sent_by={0,0},received={0,0};
        
        sent_by = cscf_get_last_via_sent_by(msg);
        if (sent_by.len){
            ret = CSCF_RETURN_FALSE;

            LOG(L_INFO,"DBG:"M_NAME":S_is_authorized: Possible Early-IMS identified\n");
            received = cscf_get_last_via_received(msg);
            if (received.len) sent_by=received;
            /* if match, return authorized */
            p = get_r_public(public_identity);
            
            if (p && p->early_ims_ip.len!=0 &&
                matchesEarlyIMSIP(p->early_ims_ip,sent_by)){
                ret = CSCF_RETURN_TRUE;
                goto done_early_ims;
            }
            do {
                /* try and do MAR */
                if (!S_MAR(msg,public_identity,private_identity,1,              
                    auth_scheme_types[AUTH_EARLY_IMS],empty_s,empty_s,scscf_name_str,realm)){
                    /* on fail, return not authorized */
//                  if (p && p->early_ims_ip.s){
//                      shm_free(p->early_ims_ip.s);
//                      p->early_ims_ip.s=0;p->early_ims_ip.len=0;
//                  }
                    goto done_early_ims;
                }                                       
                av = get_auth_vector(private_identity,public_identity,AUTH_VECTOR_UNUSED,0,&aud_hash);
            } while(!av);
            switch (av->authorization.len){
                case 4:
                    LOG(L_ERR,"DBG:"M_NAME":S_is_authorized: IP address in MAA was <%d.%d.%d.%d>\n",
                        (unsigned char)av->authorization.s[0],
                        (unsigned char)av->authorization.s[1],
                        (unsigned char)av->authorization.s[2],
                        (unsigned char)av->authorization.s[3]);
                    break;
                case 16:
                    LOG(L_ERR,"DBG:"M_NAME":S_is_authorized: IP address in MAA was <%.02x%.02x:%.02x%.02x:%.02x%.02x:%.02x%.02x:%.02x%.02x:%.02x%.02x:%.02x%.02x:%.02x%.02x>\n",
                        (unsigned char)av->authorization.s[0],
                        (unsigned char)av->authorization.s[1],
                        (unsigned char)av->authorization.s[2],
                        (unsigned char)av->authorization.s[3],
                        (unsigned char)av->authorization.s[4],
                        (unsigned char)av->authorization.s[5],
                        (unsigned char)av->authorization.s[6],
                        (unsigned char)av->authorization.s[7],
                        (unsigned char)av->authorization.s[8],
                        (unsigned char)av->authorization.s[9],
                        (unsigned char)av->authorization.s[10],
                        (unsigned char)av->authorization.s[11],
                        (unsigned char)av->authorization.s[12],
                        (unsigned char)av->authorization.s[13],
                        (unsigned char)av->authorization.s[14],
                        (unsigned char)av->authorization.s[15]
                        );
                    break;
            }                   
            if (av->authorization.len &&
                matchesEarlyIMSIP(av->authorization,sent_by)){
                ret = CSCF_RETURN_TRUE;
                if (p) STR_SHM_DUP(p->early_ims_ip,av->authorization,"IP Early IMS");                                               
            }else
                ret = CSCF_RETURN_FALSE;
        done_early_ims:                 
            if (p) r_unlock(p->hash);
            if (av) {
                av->status = AUTH_VECTOR_USELESS;
                auth_data_unlock(aud_hash);
            }
            return ret;                     
        }
    }
    /* NASS-Bundled */  
    if (!registration_disable_nass_bundled && !msg->authorization){
        str access_network_info={0,0};
        str dsl_location = {0,0};
        access_network_info = cscf_get_access_network_info(msg, 0);
        if (access_network_info.len)
        {
            get_param(access_network_info, cell_id, dsl_location);
        }
        if (dsl_location.len){
            int ret = CSCF_RETURN_FALSE;            
            LOG(L_ERR,"DBG:"M_NAME":S_is_authorized: Possible NASS-Bundled Authentication identified\n");
            do {
                /* try and do MAR */
                if (!S_MAR(msg,public_identity,private_identity,1,              
                    auth_scheme_types[AUTH_NASS_BUNDLED],empty_s,empty_s,scscf_name_str,realm)){
                    /* on fail, return not authorized */
                    goto done_nass_bundled;
                }                                       
                av = get_auth_vector(private_identity,public_identity,AUTH_VECTOR_UNUSED,0,&aud_hash);
            } while(!av);
            LOG(L_DBG,"DBG:"M_NAME":S_is_authorized: HSS said : <%.*s>, P sent : <%.*s>\n",
                av->authorization.len,av->authorization.s, dsl_location.len, dsl_location.s);
            if (av->authorization.len == dsl_location.len &&
                strncasecmp(av->authorization.s, dsl_location.s, dsl_location.len)==0){
                ret = CSCF_RETURN_TRUE;
            }else
                ret = CSCF_RETURN_FALSE;
        done_nass_bundled:  
            if (av) {
                av->status = AUTH_VECTOR_USELESS;
                auth_data_unlock(aud_hash);
            }
            return ret;                     
        }
    }
    
    if (!cscf_get_nonce_response(msg,realm,&nonce,&response16,&qop,&qop_str,&nc,&cnonce,&uri)||
        !nonce.len || !response16.len)
    {
        LOG(L_DBG,"DBG:"M_NAME":S_is_authorized: Nonce or reponse missing\n");
        return ret;
    }   
    
    if (qop==QOP_AUTHINT){
        body = cscf_get_body(msg);
        calc_H(&body,hbody);
    }
        
    av = get_auth_vector(private_identity,public_identity,AUTH_VECTOR_SENT,&nonce,&aud_hash);

    LOG(L_INFO,"DBG:"M_NAME":S_is_authorized: uri=%.*s nonce=%.*s response=%.*s qop=%.*s nc=%.*s cnonce=%.*s hbody=%.*s\n",
        uri.len,uri.s,
        nonce.len,nonce.s,
        response16.len,response16.s,
        qop_str.len,qop_str.s,
        nc.len,nc.s,
        cnonce.len,cnonce.s,
        32,hbody);
    
    if (!av) {
        LOG(L_ERR,"ERR:"M_NAME":S_is_authorized: no matching auth vector found - maybe timer expired\n");       
        return ret;
    }
    switch (av->type){
        case AUTH_AKAV1_MD5:
        case AUTH_AKAV2_MD5:
        case AUTH_MD5:
//          LOG(L_CRIT,"A1: %.*s:%.*s:%.*s\n",private_identity.len,private_identity.s,
//              realm.len,realm.s,av->authorization.len,av->authorization.s);
            
            calc_HA1(HA_MD5,&private_identity,&realm,&(av->authorization),&(av->authenticate),&cnonce,ha1);
            calc_response(ha1,&(av->authenticate),
                &nc,
                &cnonce,
                &qop_str,
                qop==QOP_AUTHINT,
                &msg->first_line.u.request.method,&uri,hbody,expected);
            LOG(L_INFO,"DBG:"M_NAME":S_is_authorized: UE said: %.*s and we  expect %.*s ha1 %.*s\n",
                response16.len,response16.s,/*av->authorization.len,av->authorization.s,*/32,expected,32,ha1);
            break;      
        case AUTH_DIGEST:
        case AUTH_HTTP_DIGEST_MD5:
//          LOG(L_CRIT,"A1: %.*s:%.*s:%.*s\n",private_identity.len,private_identity.s,
//              realm.len,realm.s,av->authorization.len,av->authorization.s);
            
            memcpy(ha1,av->authorization.s,HASHHEXLEN);                 
            calc_response(ha1,&(av->authenticate),
                &nc,
                &cnonce,
                &qop_str,
                qop==QOP_AUTHINT,
                &msg->first_line.u.request.method,&uri,hbody,expected);
            LOG(L_INFO,"DBG:"M_NAME":S_is_authorized: UE said: %.*s and we  expect %.*s ha1 %.*s\n",
                response16.len,response16.s,/*av->authorization.len,av->authorization.s,*/32,expected,32,ha1);
            break;      
        default:
            LOG(L_ERR,"ERR:"M_NAME":S_is_authorized: algorithm %.*s is not handled.\n",
                algorithm_types[av->type].len,algorithm_types[av->type].s);
            goto error;
    }

    if (response16.len==expected_len && strncasecmp(response16.s,expected,response16.len)==0){  
        av->status = AUTH_VECTOR_USELESS;
        ret = CSCF_RETURN_TRUE;     
    }else {
        av->status = AUTH_VECTOR_USED;/* first mistake, you're out! (but maybe it's synchronization) */
        LOG(L_DBG,"DBG:"M_NAME":S_is_authorized: UE said: %.*s, but we have %.*s and expect %.*s\n",
            response16.len,response16.s,av->authorization.len,av->authorization.s,32,expected);     
    }       
    
        
    auth_data_unlock(aud_hash);
    return ret; 
error:
out_of_memory:
    if (p) r_unlock(p->hash);
    if (av) {
        auth_data_unlock(aud_hash);
    }
    ret = CSCF_RETURN_ERROR;        
    return ret;
}

int S_challenge(struct sip_msg *msg,char *str1,char *str2 )
{
    int ret=CSCF_RETURN_FALSE;
    unsigned int aud_hash;
    str realm,private_identity,public_identity,auts={0,0},nonce={0,0};
    auth_vector *av=0;
//  str algo={0,0};
    int algo_type;
    
    LOG(L_DBG,"DBG:"M_NAME":S_challenge: Challenging the REGISTER...\n");

    /* First check the parameters */
    if (msg->first_line.type!=SIP_REQUEST||
        msg->first_line.u.request.method.len!=8||
        memcmp(msg->first_line.u.request.method.s,"REGISTER",8)!=0)
    {
        LOG(L_ERR,"ERR:"M_NAME":S_challenge: This message is not a REGISTER request\n");
        goto error;
    }       
    realm.s = str1;realm.len = strlen(str1);
    if (!realm.len) {
        LOG(L_ERR,"ERR:"M_NAME":S_challenge: No realm found\n");
        return CSCF_RETURN_BREAK;
    }
    /* get the private_identity */
    private_identity = cscf_get_private_identity(msg,realm);
    if (!private_identity.len){
        LOG(L_ERR,"ERR:"M_NAME":S_challenge: No private identity specified (Authorization: username)\n");
        S_REGISTER_reply(msg,403,MSG_403_NO_PRIVATE);
        goto abort;
    }
    /* get the public_identity */
    public_identity = cscf_get_public_identity(msg);
    if (!public_identity.len){
        LOG(L_ERR,"ERR:"M_NAME":S_challenge: No public identity specified (To:)\n");
        S_REGISTER_reply(msg,403,MSG_403_NO_PUBLIC);
        goto abort;
    }
    /* get the requested algorithm */
//  algo = cscf_get_algorithm(msg,realm);
//  if (algo.len==0)
//      algo = registration_default_algorithm_s;
//  algo_type = get_algorithm_type(algo);
    algo_type = registration_default_algorithm_type;    
    
    /* check if it is a synchronization request */
    auts = cscf_get_auts(msg,realm);
    if (auts.len){
        LOG(L_DBG,"DBG:"M_NAME":S_challenge: Syncronization requested <%.*s>\n",
            auts.len,auts.s);
        
        nonce = cscf_get_nonce(msg,realm);
        if (nonce.len==0){
            LOG(L_DBG,"L_DBG:"M_NAME":S_challenge: Nonce not found (Authorization: nonce)\n");
            S_REGISTER_reply(msg,403,MSG_403_NO_NONCE);
            goto abort;
        }
        av = get_auth_vector(private_identity,public_identity,AUTH_VECTOR_USED,&nonce,&aud_hash);
        if (!av)
            av = get_auth_vector(private_identity,public_identity,AUTH_VECTOR_SENT,&nonce,&aud_hash);
                    
        if (!av){
            LOG(L_ERR,"DBG:"M_NAME":S_challenge: Nonce not regonized as sent, no sync!\n");         
            auts.len = 0; auts.s=0;
        }else{
            av->status = AUTH_VECTOR_USELESS;
            auth_data_unlock(aud_hash);
            av =0;
        }
        /* if synchronization - force MAR - if MAR ok, old avs will be droped*/
        S_MAR(msg,public_identity,private_identity,av_request_at_sync,
                auth_scheme_types[algo_type],nonce,auts,scscf_name_str,realm);
    }
    
    /* loop because some other process might steal the auth_vector that we just retrieved */
    while(!(av=get_auth_vector(private_identity,public_identity,AUTH_VECTOR_UNUSED,0,&aud_hash))){
        if (!S_MAR(msg,public_identity,private_identity,av_request_at_once,
                auth_scheme_types[algo_type],nonce,auts,scscf_name_str,realm)) break;
        /* do sync just once */
        auts.len=0;auts.s=0;
    }

    if (!av){
        LOG(L_ERR,"ERR:"M_NAME":S_challenge: Error retrieving an auth vector\n");
        goto abort;
    }

    if (!pack_challenge(msg,realm,av)){
        S_REGISTER_reply(msg,500,MSG_500_PACK_AV);
        auth_data_unlock(aud_hash);
        goto error;
    }
    start_reg_await_timer(av);
    //S_REGISTER_reply(msg,401,MSG_401_CHALLENGE);
    auth_data_unlock(aud_hash);
    return ret;
error:
    ret = CSCF_RETURN_BREAK;    
    return  ret;
abort:
    ret = CSCF_RETURN_BREAK;    
    return  ret;
}


str S_WWW_Authorization_AKA={"WWW-Authenticate: Digest realm=\"%.*s\","
    " nonce=\"%.*s\", algorithm=%.*s, ck=\"%.*s\", ik=\"%.*s\"%.*s\r\n",106};
str S_WWW_Authorization_MD5={"WWW-Authenticate: Digest realm=\"%.*s\","
    " nonce=\"%.*s\", algorithm=%.*s%.*s\r\n",101};

int pack_challenge(struct sip_msg *msg,str realm,auth_vector *av)
{
    str x={0,0};
    char ck[32],ik[32];
    int ck_len,ik_len;
    switch (av->type){
        case AUTH_AKAV1_MD5:
        case AUTH_AKAV2_MD5:
            /* AKA */
            ck_len = bin_to_base16(av->ck.s,16,ck);
            ik_len = bin_to_base16(av->ik.s,16,ik);
            x.len = S_WWW_Authorization_AKA.len +
                realm.len+
                av->authenticate.len+
                algorithm_types[av->type].len+
                ck_len+
                ik_len+
                registration_qop_str.len;       
            x.s = pkg_malloc(x.len);
            if (!x.s) {
                LOG(L_ERR,"ERR:"M_NAME":pack_challenge: Error allocating %d bytes\n",
                    x.len);
                goto error;
            }           
            sprintf(x.s,S_WWW_Authorization_AKA.s,
                realm.len,realm.s,
                av->authenticate.len,av->authenticate.s,
                algorithm_types[av->type].len,algorithm_types[av->type].s,
                ck_len,ck,
                ik_len,ik,
                registration_qop_str.len,registration_qop_str.s);
            x.len = strlen(x.s);
            break;

        case AUTH_HTTP_DIGEST_MD5:
            /* ETSI HTTP_DIGEST MD5 */
            /* this one continues into the next one */          
        case AUTH_DIGEST:
            /* Cable-Labs MD5 */
            /* this one continues into the next one */          
        case AUTH_MD5:
            /* FOKUS MD5 */
            x.len = S_WWW_Authorization_MD5.len +
                realm.len+
                av->authenticate.len+
                algorithm_types[av->type].len+
                registration_qop_str.len;
            x.s = pkg_malloc(x.len);
            if (!x.s) {
                LOG(L_ERR,"ERR:"M_NAME":pack_challenge: Error allocating %d bytes\n",
                    x.len);
                goto error;
            }           
            sprintf(x.s,S_WWW_Authorization_MD5.s,
                realm.len,realm.s,
                av->authenticate.len,av->authenticate.s,
                algorithm_types[AUTH_MD5].len,algorithm_types[AUTH_MD5].s,
                registration_qop_str.len,registration_qop_str.s);
            x.len = strlen(x.s);
            break;
        default:
            LOG(L_CRIT,"ERR:"M_NAME":pack_challenge: not implemented for algorithm %.*s\n",
                algorithm_types[av->type].len,algorithm_types[av->type].s);
            goto error;
    }
        
    if (cscf_add_header_rpl(msg,&x)) {
        pkg_free(x.s);
        return 1;
    }
    
error:
    if (x.s) pkg_free(x.s);         
    return 0;
}

int S_MAR(struct sip_msg *msg, str public_identity, str private_identity,
                    int count,str auth_scheme,str nonce,str auts,str server_name,str realm)
{
    AAAMessage *maa;
    AAA_AVP *auth_data;
    int rc=-1,experimental_rc=-1;
    auth_vector *av=0, **avlist=0;
    int cnt,i,j;
    int item_number;
    int is_sync=0;
    str authenticate={0,0},authorization={0,0},ck={0,0},ik={0,0},ip={0,0},ha1={0,0};
    str line_identifier = {0,0};
    str response_auth = {0, 0}, etsi_nonce={0,0},digest_realm={0,0};
    HASHHEX ha1_hex;
    HASHHEX result;
        
    if (auts.len){
        authorization.s = pkg_malloc(nonce.len*3/4+auts.len*3/4+8);
        if (!authorization.s) goto done;
        authorization.len = base64_to_bin(nonce.s,nonce.len,authorization.s);
        authorization.len = RAND_LEN;
        authorization.len += base64_to_bin(auts.s,auts.len,authorization.s+authorization.len);      
        is_sync=1;
    }
        
    maa = Cx_MAR(msg,public_identity,private_identity,count,auth_scheme,authorization,
                    server_name,realm);

    if (authorization.s) pkg_free(authorization.s);
    
    if (!maa){
        //TODO - add the warning code 99 in the reply   
        S_REGISTER_reply(msg,480,MSG_480_DIAMETER_TIMEOUT);     
        goto done;
    }
    
    if (!Cx_get_result_code(maa,&rc)&&
        !Cx_get_experimental_result_code(maa,&experimental_rc))
    {
        S_REGISTER_reply(msg,480,MSG_480_DIAMETER_MISSING_AVP);     
        goto done;  
    }
    
    switch(rc){
        case -1:
            switch(experimental_rc){
                case RC_IMS_DIAMETER_ERROR_USER_UNKNOWN:
                    S_REGISTER_reply(msg,403,MSG_403_USER_UNKNOWN);     
                    break;
                case RC_IMS_DIAMETER_ERROR_IDENTITIES_DONT_MATCH:
                    S_REGISTER_reply(msg,403,MSG_403_IDENTITIES_DONT_MATCH);        
                    break;
                case RC_IMS_DIAMETER_ERROR_AUTH_SCHEME_NOT_SUPPORTED:
                    S_REGISTER_reply(msg,403,MSG_403_AUTH_SCHEME_UNSOPPORTED);      
                    break;
                
                default:
                    S_REGISTER_reply(msg,403,MSG_403_UNKOWN_EXPERIMENTAL_RC);       
            }
            break;
        
        case AAA_UNABLE_TO_COMPLY:
            S_REGISTER_reply(msg,403,MSG_403_UNABLE_TO_COMPLY);     
            break;
                
        case AAA_SUCCESS:
            goto success;           
            break;
                        
        default:
            S_REGISTER_reply(msg,403,MSG_403_UNKOWN_RC);        
    }
    
goto done;      
    
success:

    /* if HSS accepted the synchronization, drop old auth vectors */
    if (is_sync)
        drop_auth_userdata(private_identity,public_identity);

    Cx_get_sip_number_auth_items(maa,&cnt);
    if (!cnt) {
        S_REGISTER_reply(msg,403,MSG_403_NO_AUTH_DATA);     
        goto done;
    }
    avlist = shm_malloc(sizeof(auth_vector *)*cnt);
    if (!avlist) {