summaryrefslogtreecommitdiff
path: root/pjsip/src
diff options
context:
space:
mode:
Diffstat (limited to 'pjsip/src')
-rw-r--r--pjsip/src/pjsip/sip_auth_aka.c121
-rw-r--r--pjsip/src/pjsip/sip_auth_client.c103
-rw-r--r--pjsip/src/pjsip/sip_errno.c2
-rw-r--r--pjsip/src/pjsua-lib/pjsua_core.c10
4 files changed, 209 insertions, 27 deletions
diff --git a/pjsip/src/pjsip/sip_auth_aka.c b/pjsip/src/pjsip/sip_auth_aka.c
new file mode 100644
index 00000000..b88ddb7c
--- /dev/null
+++ b/pjsip/src/pjsip/sip_auth_aka.c
@@ -0,0 +1,121 @@
+/* $Id$ */
+/*
+ * Copyright (C) 2003-2007 Benny Prijono <benny@prijono.org>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+#include <pjsip/sip_auth_aka.h>
+#include <pjsip/sip_errno.h>
+#include <pjlib-util/base64.h>
+#include <pjlib-util/md5.h>
+#include <pj/assert.h>
+#include <pj/log.h>
+#include <pj/pool.h>
+#include <pj/string.h>
+
+#include "../../third_party/milenage/milenage.h"
+
+/*
+ * Create MD5-AKA1 digest response.
+ */
+PJ_DEF(pj_status_t) pjsip_auth_create_akav1( pj_pool_t *pool,
+ const pjsip_digest_challenge*chal,
+ const pjsip_cred_info *cred,
+ const pj_str_t *method,
+ pjsip_digest_credential *auth)
+{
+ pj_str_t nonce_bin;
+ pj_uint8_t *chal_rand, *chal_autn, *chal_mac;
+ pj_uint8_t res[PJSIP_AKA_RESLEN];
+ pj_uint8_t ck[PJSIP_AKA_CKLEN];
+ pj_uint8_t ik[PJSIP_AKA_IKLEN];
+ pj_uint8_t ak[PJSIP_AKA_AKLEN];
+ pj_uint8_t sqn[PJSIP_AKA_AUTNLEN];
+ pj_uint8_t xmac[PJSIP_AKA_MACLEN];
+ pjsip_cred_info aka_cred;
+ int i;
+ pj_status_t status;
+
+ /* Check the algorithm is supported. */
+ if (pj_stricmp2(&chal->algorithm, "md5") == 0) {
+ pjsip_auth_create_digest(&auth->response, &auth->nonce, &auth->nc,
+ &auth->cnonce, &auth->qop, &auth->uri,
+ &auth->realm, cred, method);
+ return PJ_SUCCESS;
+
+ } else if (pj_stricmp2(&chal->algorithm, "AKAv1-MD5") != 0) {
+ /* Unsupported algorithm */
+ return PJSIP_EINVALIDALGORITHM;
+ }
+
+ /* Decode nonce */
+ nonce_bin.slen = PJ_BASE64_TO_BASE256_LEN(chal->nonce.slen);
+ nonce_bin.ptr = pj_pool_alloc(pool, nonce_bin.slen + 1);
+ status = pj_base64_decode(&chal->nonce, (pj_uint8_t*)nonce_bin.ptr,
+ &nonce_bin.slen);
+ if (status != PJ_SUCCESS)
+ return PJSIP_EAUTHINNONCE;
+
+ if (nonce_bin.slen < PJSIP_AKA_RANDLEN + PJSIP_AKA_AUTNLEN + PJSIP_AKA_MACLEN)
+ return PJSIP_EAUTHINNONCE;
+
+ /* Get RAND, AUTN, and MAC */
+ chal_rand = (pj_uint8_t*) (nonce_bin.ptr + 0);
+ chal_autn = (pj_uint8_t*) (nonce_bin.ptr + PJSIP_AKA_RANDLEN);
+ chal_mac = (pj_uint8_t*) (nonce_bin.ptr + PJSIP_AKA_RANDLEN + PJSIP_AKA_AUTNLEN);
+
+ /* Verify credential */
+ PJ_ASSERT_RETURN(cred->ext.aka.k.slen == PJSIP_AKA_KLEN, PJSIP_EAUTHINAKACRED);
+ PJ_ASSERT_RETURN(cred->ext.aka.op.slen == PJSIP_AKA_OPLEN, PJSIP_EAUTHINAKACRED);
+
+ /* Given key K and random challenge RAND, compute response RES,
+ * confidentiality key CK, integrity key IK and anonymity key AK.
+ */
+ f2345((pj_uint8_t*)cred->ext.aka.k.ptr,
+ chal_rand,
+ res, ck, ik, ak,
+ (pj_uint8_t*)cred->ext.aka.op.ptr);
+
+ /* Compute sequence number SQN */
+ for (i=0; i<PJSIP_AKA_AUTNLEN; ++i)
+ sqn[i] = (pj_uint8_t) (chal_autn[i] ^ ak[i]);
+
+ /* Compute XMAC */
+ f1((pj_uint8_t*)cred->ext.aka.k.ptr, chal_rand, sqn,
+ (pj_uint8_t*)cred->ext.aka.amf.ptr, xmac,
+ (pj_uint8_t*)cred->ext.aka.op.ptr);
+
+ /* Verify MAC in the challenge */
+ if (pj_memcmp(chal_mac, xmac, PJSIP_AKA_MACLEN) != 0) {
+ return PJSIP_EAUTHINNONCE;
+ }
+
+ /* Build a temporary credential info to create MD5 digest, using
+ * "res" as the password.
+ */
+ pj_memcpy(&aka_cred, cred, sizeof(aka_cred));
+ aka_cred.data_type = PJSIP_CRED_DATA_PLAIN_PASSWD;
+ aka_cred.data.ptr = (char*)res;
+ aka_cred.data.slen = PJSIP_AKA_RESLEN;
+
+ /* Create a response */
+ pjsip_auth_create_digest(&auth->response, &chal->nonce,
+ &auth->nc, &auth->cnonce, &auth->qop, &auth->uri,
+ &chal->realm, &aka_cred, method);
+
+ /* Done */
+ return PJ_SUCCESS;
+}
+
diff --git a/pjsip/src/pjsip/sip_auth_client.c b/pjsip/src/pjsip/sip_auth_client.c
index 7978da27..88cd3e94 100644
--- a/pjsip/src/pjsip/sip_auth_client.c
+++ b/pjsip/src/pjsip/sip_auth_client.c
@@ -19,6 +19,7 @@
#include <pjsip/sip_auth.h>
#include <pjsip/sip_auth_parser.h> /* just to get pjsip_DIGEST_STR */
+#include <pjsip/sip_auth_aka.h>
#include <pjsip/sip_transport.h>
#include <pjsip/sip_endpoint.h>
#include <pjsip/sip_errno.h>
@@ -43,6 +44,28 @@
# define AUTH_TRACE_(expr)
#endif
+#define PASSWD_MASK 0x000F
+#define EXT_MASK 0x00F0
+
+
+PJ_DEF(void) pjsip_cred_info_dup(pj_pool_t *pool,
+ pjsip_cred_info *dst,
+ const pjsip_cred_info *src)
+{
+ pj_memcpy(dst, src, sizeof(pjsip_cred_info));
+
+ pj_strdup_with_null(pool, &dst->realm, &src->realm);
+ pj_strdup_with_null(pool, &dst->scheme, &src->scheme);
+ pj_strdup_with_null(pool, &dst->username, &src->username);
+ pj_strdup_with_null(pool, &dst->data, &src->data);
+
+ if ((dst->data_type & EXT_MASK) == PJSIP_CRED_DATA_EXT_AKA) {
+ pj_strdup(pool, &dst->ext.aka.k, &src->ext.aka.k);
+ pj_strdup(pool, &dst->ext.aka.op, &src->ext.aka.op);
+ pj_strdup(pool, &dst->ext.aka.amf, &src->ext.aka.amf);
+ }
+}
+
/* Transform digest to string.
* output must be at least PJSIP_MD5STRLEN+1 bytes.
@@ -63,15 +86,15 @@ static void digest2str(const unsigned char digest[], char *output)
* Create response digest based on the parameters and store the
* digest ASCII in 'result'.
*/
-void pjsip_auth_create_digest( pj_str_t *result,
- const pj_str_t *nonce,
- const pj_str_t *nc,
- const pj_str_t *cnonce,
- const pj_str_t *qop,
- const pj_str_t *uri,
- const pj_str_t *realm,
- const pjsip_cred_info *cred_info,
- const pj_str_t *method)
+PJ_DEF(void) pjsip_auth_create_digest( pj_str_t *result,
+ const pj_str_t *nonce,
+ const pj_str_t *nc,
+ const pj_str_t *cnonce,
+ const pj_str_t *qop,
+ const pj_str_t *uri,
+ const pj_str_t *realm,
+ const pjsip_cred_info *cred_info,
+ const pj_str_t *method)
{
char ha1[PJSIP_MD5STRLEN];
char ha2[PJSIP_MD5STRLEN];
@@ -82,7 +105,7 @@ void pjsip_auth_create_digest( pj_str_t *result,
AUTH_TRACE_((THIS_FILE, "Begin creating digest"));
- if (cred_info->data_type == PJSIP_CRED_DATA_PLAIN_PASSWD) {
+ if ((cred_info->data_type & PASSWD_MASK) == PJSIP_CRED_DATA_PLAIN_PASSWD) {
/***
*** ha1 = MD5(username ":" realm ":" password)
***/
@@ -96,9 +119,11 @@ void pjsip_auth_create_digest( pj_str_t *result,
digest2str(digest, ha1);
- } else if (cred_info->data_type == PJSIP_CRED_DATA_DIGEST) {
+ } else if ((cred_info->data_type & PASSWD_MASK) == PJSIP_CRED_DATA_DIGEST) {
pj_assert(cred_info->data.slen == 32);
pj_memcpy( ha1, cred_info->data.ptr, cred_info->data.slen );
+ } else {
+ pj_assert(!"Invalid data_type");
}
AUTH_TRACE_((THIS_FILE, " ha1=%.32s", ha1));
@@ -220,9 +245,17 @@ static pj_status_t respond_digest( pj_pool_t *pool,
if (chal->qop.slen == 0) {
/* Server doesn't require quality of protection. */
- /* Convert digest to string and store in chal->response. */
- pjsip_auth_create_digest( &cred->response, &cred->nonce, NULL, NULL,
- NULL, uri, &chal->realm, cred_info, method);
+ if ((cred_info->data_type & EXT_MASK) == PJSIP_CRED_DATA_EXT_AKA) {
+ /* Call application callback to create the response digest */
+ return (*cred_info->ext.aka.cb)(pool, chal, cred_info,
+ method, cred);
+ }
+ else {
+ /* Convert digest to string and store in chal->response. */
+ pjsip_auth_create_digest( &cred->response, &cred->nonce, NULL,
+ NULL, NULL, uri, &chal->realm,
+ cred_info, method);
+ }
} else if (has_auth_qop(pool, &chal->qop)) {
/* Server requires quality of protection.
@@ -239,9 +272,16 @@ static pj_status_t respond_digest( pj_pool_t *pool,
pj_strdup(pool, &cred->cnonce, &dummy_cnonce);
}
- pjsip_auth_create_digest( &cred->response, &cred->nonce, &cred->nc,
- cnonce, &pjsip_AUTH_STR, uri, &chal->realm,
- cred_info, method );
+ if ((cred_info->data_type & EXT_MASK) == PJSIP_CRED_DATA_EXT_AKA) {
+ /* Call application callback to create the response digest */
+ return (*cred_info->ext.aka.cb)(pool, chal, cred_info,
+ method, cred);
+ }
+ else {
+ pjsip_auth_create_digest( &cred->response, &cred->nonce,
+ &cred->nc, cnonce, &pjsip_AUTH_STR,
+ uri, &chal->realm, cred_info, method );
+ }
} else {
/* Server requires quality protection that we don't support. */
@@ -424,6 +464,35 @@ PJ_DEF(pj_status_t) pjsip_auth_clt_set_credentials( pjsip_auth_clt_sess *sess,
pj_pool_alloc(sess->pool, cred_cnt * sizeof(*c));
for (i=0; i<cred_cnt; ++i) {
sess->cred_info[i].data_type = c[i].data_type;
+
+ /* When data_type is PJSIP_CRED_DATA_EXT_AKA,
+ * callback must be specified.
+ */
+ if ((c[i].data_type & EXT_MASK) == PJSIP_CRED_DATA_EXT_AKA) {
+ /* Callback must be specified */
+ PJ_ASSERT_RETURN(c[i].ext.aka.cb != NULL, PJ_EINVAL);
+
+ /* Verify K len */
+ PJ_ASSERT_RETURN(c[i].ext.aka.k.slen == PJSIP_AKA_KLEN,
+ PJSIP_EAUTHINAKACRED);
+
+ /* Verify OP len */
+ PJ_ASSERT_RETURN(c[i].ext.aka.op.slen == PJSIP_AKA_OPLEN,
+ PJSIP_EAUTHINAKACRED);
+
+ /* Verify AMF len */
+ PJ_ASSERT_RETURN(c[i].ext.aka.amf.slen == PJSIP_AKA_AMFLEN,
+ PJSIP_EAUTHINAKACRED);
+
+ sess->cred_info[i].ext.aka.cb = c[i].ext.aka.cb;
+ pj_strdup(sess->pool, &sess->cred_info[i].ext.aka.k,
+ &c[i].ext.aka.k);
+ pj_strdup(sess->pool, &sess->cred_info[i].ext.aka.op,
+ &c[i].ext.aka.op);
+ pj_strdup(sess->pool, &sess->cred_info[i].ext.aka.amf,
+ &c[i].ext.aka.amf);
+ }
+
pj_strdup(sess->pool, &sess->cred_info[i].scheme, &c[i].scheme);
pj_strdup(sess->pool, &sess->cred_info[i].realm, &c[i].realm);
pj_strdup(sess->pool, &sess->cred_info[i].username, &c[i].username);
diff --git a/pjsip/src/pjsip/sip_errno.c b/pjsip/src/pjsip/sip_errno.c
index dd2724e9..2a6e9306 100644
--- a/pjsip/src/pjsip/sip_errno.c
+++ b/pjsip/src/pjsip/sip_errno.c
@@ -102,6 +102,8 @@ static const struct
PJ_BUILD_ERR( PJSIP_EAUTHINVALIDREALM, "Invalid authorization realm"),
PJ_BUILD_ERR( PJSIP_EAUTHINVALIDDIGEST,"Invalid authorization digest" ),
PJ_BUILD_ERR( PJSIP_EAUTHSTALECOUNT, "Maximum number of stale retries exceeded"),
+ PJ_BUILD_ERR( PJSIP_EAUTHINNONCE, "Invalid nonce value in authentication challenge"),
+ PJ_BUILD_ERR( PJSIP_EAUTHINAKACRED, "Invalid AKA credential"),
/* UA/dialog layer. */
PJ_BUILD_ERR( PJSIP_EMISSINGTAG, "Missing From/To tag parameter" ),
diff --git a/pjsip/src/pjsua-lib/pjsua_core.c b/pjsip/src/pjsua-lib/pjsua_core.c
index 80617605..29cee191 100644
--- a/pjsip/src/pjsua-lib/pjsua_core.c
+++ b/pjsip/src/pjsua-lib/pjsua_core.c
@@ -81,16 +81,6 @@ PJ_DEF(void) pjsua_config_default(pjsua_config *cfg)
cfg->thread_cnt = 1;
}
-PJ_DEF(void) pjsip_cred_dup( pj_pool_t *pool,
- pjsip_cred_info *dst,
- const pjsip_cred_info *src)
-{
- pj_strdup_with_null(pool, &dst->realm, &src->realm);
- pj_strdup_with_null(pool, &dst->scheme, &src->scheme);
- pj_strdup_with_null(pool, &dst->username, &src->username);
- pj_strdup_with_null(pool, &dst->data, &src->data);
-}
-
PJ_DEF(void) pjsua_config_dup(pj_pool_t *pool,
pjsua_config *dst,
const pjsua_config *src)
generated by cgit v1.2.3 (git 2.39.1) at 2024-06-28 21:25:13 +0000