auth_client.c

this is simple sip stack.

/*
 * This file is part of the Sofia-SIP package
 *
 * Copyright (C) 2005 Nokia Corporation.
 *
 * Contact: Pekka Pessi <pekka.pessi@nokia.com>
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public License
 * as published by the Free Software Foundation; either version 2.1 of
 * the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this library; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
 * 02110-1301 USA
 *
 */

/**@CFILE auth_client.c  Authenticators for SIP client
 *
 * @author Pekka Pessi <Pekka.Pessi@nokia.com>
 *
 * @date Created: Wed Feb 14 18:32:58 2001 ppessi
 */

#include "config.h"

#include <sofia-sip/su.h>
#include <sofia-sip/su_md5.h>

#include "sofia-sip/auth_client.h"
#include "sofia-sip/auth_client_plugin.h"

#include <sofia-sip/msg_header.h>

#include <sofia-sip/auth_digest.h>

#include <sofia-sip/base64.h>
#include <sofia-sip/su_uniqueid.h>
#include <sofia-sip/string0.h>

#include <sofia-sip/su_debug.h>

#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#include <assert.h>

static auth_client_t *ca_create(su_home_t *home, 
				char const *scheme,
				char const *realm);

static void ca_destroy(su_home_t *home, auth_client_t *ca);

static int ca_challenge(auth_client_t *ca,
			msg_auth_t const *auth, 
			msg_hclass_t *credential_class,
			char const *scheme,
			char const *realm);

static int ca_credentials(auth_client_t *ca, 
			  char const *scheme,
			  char const *realm, 
			  char const *user,
			  char const *pass);

static int ca_clear_credentials(auth_client_t *ca, 
				char const *scheme,
				char const *realm);


/** Initialize authenticators.
 *
 * The function auc_challenge() merges the challenge @a ch to the list of
 * authenticators @a auc_list.  
 *
 * @param auc_list [in/out] list of authenticators to be updated
 * @param home     [in/out] memory home used for allocating authenticators
 * @param ch       [in] challenge to be processed
 * @param crcl     [in] credential class
 * 
 * @retval 1 when challenge was updated
 * @retval 0 when there was no new challenges
 * @retval -1 upon an error
 */
int auc_challenge(auth_client_t **auc_list,
		  su_home_t *home, 
		  msg_auth_t const *ch,
		  msg_hclass_t *crcl)
{
  auth_client_t **cca;
  int retval = 0;

  /* Go through each challenge in Authenticate or Proxy-Authenticate headers */
  for (; ch; ch = ch->au_next) {
    char const *scheme = ch->au_scheme;
    char const *realm = msg_header_find_param(ch->au_common, "realm=");
    int matched = 0, updated;

    if (!scheme || !realm)
      continue;

    /* Update matching authenticator */
    for (cca = auc_list; (*cca); cca = &(*cca)->ca_next) {
      updated = ca_challenge((*cca), ch, crcl, scheme, realm);
      if (updated < 0)
	return -1;
      if (updated == 0)
	continue;		/* No match, next */
      matched = 1;
      if (updated > 1)
	retval = 1;		/* Updated authenticator */
    }

    if (!matched) {
      /* There was no matching authenticator, create a new one */
      *cca = ca_create(home, scheme, realm);
      if (ca_challenge((*cca), ch, crcl, scheme, realm) < 0) {
	ca_destroy(home, *cca), *cca = NULL;
	return -1;
      }
      retval = 1;		/* Updated authenticator */
    }
  }

  return retval;
}

/** Update authentication client. 
 *
 * @retval -1 upon an error
 * @retval 0 when challenge did not match
 * @retval 1 when challenge did match but was not updated
 * @retval 2 when challenge did match and updated client
 */
static
int ca_challenge(auth_client_t *ca, 
		 msg_auth_t const *ch,
		 msg_hclass_t *credential_class,
		 char const *scheme, 
		 char const *realm)
{
  int stale = 0;

  assert(ca); assert(ch);

  if (!ca || !ch)
    return -1;

  if (strcmp(ca->ca_scheme, scheme))
    return 0;
  if (strcmp(ca->ca_realm, realm))
    return 0;

  if (ca->ca_credential_class && 
      ca->ca_credential_class != credential_class)
    return 0;

  if (ca->ca_auc->auc_challenge)
    stale = ca->ca_auc->auc_challenge(ca, ch);
  if (stale < 0)
    return -1;

  if (!ca->ca_credential_class)
    stale = 1, ca->ca_credential_class = credential_class;

  return stale ? 2 : 1;
}

/**Feed authentication data to the authenticator.
 *
 * The function auc_credentials() is used to provide the authenticators in
 * with authentication data (user name, secret).  The authentication data
 * has format as follows:
 *
 * scheme:"realm":user:pass
 *
 * For instance, @c Basic:"nokia-proxy":ppessi:verysecret
 *
 * @todo The authentication data format sucks.
 *
 * @param auc_list [in/out] list of authenticators 
 * @param home     [in/out] memory home used for allocations
 * @param data     [in]     colon-separated authentication data
 * 
 * @retval 0 when successful
 * @retval -1 upon an error
 */
int auc_credentials(auth_client_t **auc_list, su_home_t *home, 
		    char const *data)
{
  int retval = 0, match;
  char *s0, *s;
  char *scheme = NULL, *user = NULL, *pass = NULL, *realm = NULL;

  s0 = s = su_strdup(NULL, data);

  /* Parse authentication data */
  /* Data is string like "Basic:\"agni\":user1:secret" */
  if (s && (s = strchr(scheme = s, ':')))
    *s++ = 0;
  if (s && (s = strchr(realm = s, ':')))
    *s++ = 0;
  if (s && (s = strchr(user = s, ':')))
    *s++ = 0;
  if (s && (s = strchr(pass = s, ':')))
    *s++ = 0;

  if (scheme && realm && user && pass) {
    for (; *auc_list; auc_list = &(*auc_list)->ca_next) {
      match = ca_credentials(*auc_list, scheme, realm, user, pass);
      if (match < 0) {
	retval = -1;
	break;
      }
      if (match) 
	retval++;
    }
  }

  su_free(NULL, s0);

  return retval;
}

/**Feed authentication data to the authenticator.
 *
 * The function auc_credentials() is used to provide the authenticators in
 * with authentication tuple (scheme, realm, user name, secret).  
 *
 * scheme:"realm":user:pass
 *
 * @todo The authentication data format sucks.
 *
 * @param auc_list [in/out] list of authenticators 
 * @param scheme   [in]     scheme to use (NULL, if any)
 * @param realm    [in]     realm to use (NULL, if any)
 * @param user     [in]     username 
 * @param pass     [in]     password
 * 
 * @retval number of matching clients
 * @retval 0 when no matching client was found
 * @retval -1 upon an error
 */
int auc_all_credentials(auth_client_t **auc_list, 
			char const *scheme,
			char const *realm, 
			char const *user,
			char const *pass)
{
  int retval = 0, match;

#if HAVE_SC_CRED_H
  /* XXX: add */
#endif

  if (user && pass) {
    for (; *auc_list; auc_list = &(*auc_list)->ca_next) {
      match = ca_credentials(*auc_list, scheme, realm, user, pass);
      if (match < 0)
	return -1;
      if (match) 
	retval++;
    }
  }

  return retval;
}

int ca_credentials(auth_client_t *ca, 
		   char const *scheme,
		   char const *realm, 
		   char const *user,
		   char const *pass)
{
  assert(ca);

  if (!ca || !ca->ca_scheme || !ca->ca_realm)
    return -1;

  if ((scheme != NULL && strcasecmp(scheme, ca->ca_scheme)) ||
      (realm != NULL && strcmp(realm, ca->ca_realm)))
    return -1;

  ca->ca_user = su_strdup(ca->ca_home, user);
  ca->ca_pass = su_strdup(ca->ca_home, pass);

  if (!ca->ca_user || !ca->ca_pass)
    return -1;

  return 1;
}


/** Copy authentication data from @a src to @a dst.
 *
 * @retval >0 if credentials were copied
 * @retval 0 if there was no credentials to copy
 * @retval <0 if an error occurred.
 */
int auc_copy_credentials(auth_client_t **dst,
			 auth_client_t const *src)
{
  int retval = 0;

  if (!dst)
    return -1;

  for (;*dst; dst = &(*dst)->ca_next) {
    auth_client_t *d = *dst;
    auth_client_t const *ca;

    for (ca = src; ca; ca = ca->ca_next) {
      char *u, *p;
      if (!ca->ca_user || !ca->ca_pass)
	continue;
      if (!ca->ca_scheme[0] || strcmp(ca->ca_scheme, d->ca_scheme))
	continue;
      if (!ca->ca_realm[0] || strcmp(ca->ca_realm, d->ca_realm))
	continue;

      if (d->ca_user && strcmp(d->ca_user, ca->ca_user) == 0 &&
	  d->ca_pass && strcmp(d->ca_pass, ca->ca_pass) == 0) {
	retval++;
	break;
      }

      u = su_strdup(d->ca_home, ca->ca_user);
      p = su_strdup(d->ca_home, ca->ca_pass);
      if (!u || !p)
	return -1;

      if (d->ca_user) su_free(d->ca_home, (void *)d->ca_user);
      if (d->ca_pass) su_free(d->ca_home, (void *)d->ca_pass);
      d->ca_user = u, d->ca_pass = p;
      retval++;
      break;
    }
  }

  return retval;
}
      	      

/**Clear authentication data from the authenticator.
 *
 * The function auc_clear_credentials() is used to remove the credentials
 * from the authenticators.
 *
 * @param auc_list [in/out] list of authenticators 
 * @param scheme   [in] scheme (if non-null, remove only matching credentials) 
 * @param realm    [in] realm (if non-null, remove only matching credentials)
 *
 * @retval 0 when successful
 * @retval -1 upon an error
 */
int auc_clear_credentials(auth_client_t **auc_list, 
			 char const *scheme,
			 char const *realm)
{
  int retval = 0;

  for (; *auc_list; auc_list = &(*auc_list)->ca_next) {
    int match = ca_clear_credentials(*auc_list, scheme, realm);
    if (match < 0) {
      retval = -1;
      break;
    }
    if (match) 
      retval++;
  }

  return retval;
}

static
int ca_clear_credentials(auth_client_t *ca, 
			 char const *scheme,
			 char const *realm)
{
  assert(ca);

  if (!ca || !ca->ca_scheme || !ca->ca_realm)
    return -1;

  if ((scheme != NULL && strcasecmp(scheme, ca->ca_scheme)) ||
      (realm != NULL && strcmp(realm, ca->ca_realm)))
    return -1;

  su_free(ca->ca_home, (void *)ca->ca_user), ca->ca_user = NULL;
  su_free(ca->ca_home, (void *)ca->ca_pass), ca->ca_pass = NULL;

  return 1;
}

/**Authorize a request.
 *
 * The function auc_authorization() is used to add correct authentication
 * headers to a request. The authentication headers will contain the
 * credentials generated by the list of authenticators.
 *
 * @param auc_list [in/out] list of authenticators 
 * @param msg      [out]    message to be authenticated
 * @param pub      [out]    headers of the message
 * @param method   [in]     request method
 * @param url      [in]     request URI
 * @param body     [in]     message body (NULL if empty)
 * 
 * @retval 1 when successful
 * @retval 0 when there is not enough credentials
 * @retval -1 upon an error
 */
int auc_authorization(auth_client_t **auc_list, msg_t *msg, msg_pub_t *pub,
		      char const *method, 
		      url_t const *url, 
		      msg_payload_t const *body)
{
  auth_client_t *ca;
  msg_mclass_t const *mc = msg_mclass(msg);

  if (auc_list == NULL || msg == NULL)
    return -1;

  if (pub == NULL)
    pub = msg_object(msg);

  /* Make sure every challenge has credentials */
  for (ca = *auc_list; ca; ca = ca->ca_next) {
    if (!ca->ca_user || !ca->ca_pass || !ca->ca_credential_class)
      return 0;
  }

  /* Remove existing credentials */
  for (ca = *auc_list; ca; ca = ca->ca_next) {
    msg_header_t **hh = msg_hclass_offset(mc, pub, ca->ca_credential_class);

    while (hh && *hh)