/* * This file is part of the Sofia-SIP package * * Copyright (C) 2005 Nokia Corporation. * * Contact: Pekka Pessi <pekka.pessi@nokia.com> * * This library is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public License * as published by the Free Software Foundation; either version 2.1 of * the License, or (at your option) any later version. * * This library is distributed in the hope that it will be useful, but * WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * Lesser General Public License for more details. * * You should have received a copy of the GNU Lesser General Public * License along with this library; if not, write to the Free Software * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA * 02110-1301 USA * *//**@CFILE sip_security.c * * Security-related SIP header handling. * * This file contains implementation of headers related to HTTP authentication * (@RFC2617): * @ref sip_authorization "Authorization", * @ref sip_authentication_info "Authentication-Info", * @ref sip_proxy_authenticate "Proxy-Authenticate", * @ref sip_proxy_authentication_info "Proxy-Authentication-Info", * @ref sip_proxy_authorization "Proxy-Authorization", and * @ref sip_www_authenticate "WWW-Authenticate". * * There is also implementation of headers related to security agreement * (@RFC3329): * @ref sip_security_client "Security-Client", * @ref sip_security_server "Security-Server", and * @ref sip_security_verify "Security-Verify" headers. * * The implementation of @ref sip_privacy "Privacy" header (@RFC3323) is * also here. * * @author Pekka Pessi <Pekka.Pessi@nokia.com>. 
*
 * @date Created: Tue Jun 13 02:57:51 2000 ppessi
 */

#include "config.h"

/* Avoid casting sip_t to msg_pub_t and sip_header_t to msg_header_t.
 * Both macros are defined before sip_parser.h is included. */
#define MSG_PUB_T struct sip_s
#define MSG_HDR_T union sip_header_u

#include "sofia-sip/sip_parser.h"

#include <stdio.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <limits.h>
#include <assert.h>

/* ====================================================================== */

/**@SIP_HEADER sip_authorization Authorization Header
 *
 * The Authorization header consists of credentials containing the
 * authentication information of the user agent for the realm of the
 * resource being requested. Its syntax is defined in @RFC2617 and @RFC3261
 * as follows:
 *
 * @code
 *    Authorization     =  "Authorization" HCOLON credentials
 *    credentials       =  ("Digest" LWS digest-response)
 *                         / other-response
 *    digest-response   =  dig-resp *(COMMA dig-resp)
 *    dig-resp          =  username / realm / nonce / digest-uri
 *                          / dresponse / algorithm / cnonce
 *                          / opaque / message-qop
 *                          / nonce-count / auth-param
 *    username          =  "username" EQUAL username-value
 *    username-value    =  quoted-string
 *    digest-uri        =  "uri" EQUAL LDQUOT digest-uri-value RDQUOT
 *    digest-uri-value  =  rquest-uri ; Equal to request-uri as specified
 *                         by HTTP/1.1
 *    message-qop       =  "qop" EQUAL qop-value
 *    cnonce            =  "cnonce" EQUAL cnonce-value
 *    cnonce-value      =  nonce-value
 *    nonce-count       =  "nc" EQUAL nc-value
 *    nc-value          =  8LHEX
 *    dresponse         =  "response" EQUAL request-digest
 *    request-digest    =  LDQUOT 32LHEX RDQUOT
 *    auth-param        =  auth-param-name EQUAL
 *                         ( token / quoted-string )
 *    auth-param-name   =  token
 *    other-response    =  auth-scheme LWS auth-param
 *                         *(COMMA auth-param)
 *    auth-scheme       =  token
 * @endcode
 *
 * @note The grammar fixes request-digest at 32 hex digits, which is the
 * length of an MD5 digest written in hexadecimal.
 *
 * The parsed Authorization header
 * is stored in #sip_authorization_t structure.
 *
 * @sa @RFC2617, auth_mod_verify(), auth_mod_check(), auth_get_params(),
 * auth_digest_response_get().
*/

/**@ingroup sip_authorization
 * @typedef typedef struct sip_authorization_s sip_authorization_t;
 *
 * The structure #sip_authorization_t contains representation of SIP
 * @Authorization header.
 *
 * The #sip_authorization_t is defined as follows:
 * @code
 * typedef struct msg_auth_s {
 *   msg_common_t       au_common[1];  // Common fragment info
 *   msg_auth_t        *au_next;       // Link to next header
 *   char const        *au_scheme;     // Auth-scheme like "Basic" or "Digest"
 *   msg_param_t const *au_params;     // Comma-separated parameters
 * } sip_authorization_t;
 * @endcode
 *
 */

/* Header class for Authorization.
 *
 * NOTE(review): this class is registered with kind `single`, while
 * Proxy-Authorization in this file uses `append`. @RFC3261 lets a request
 * carry several Authorization headers (one per realm); how `single` treats
 * the additional ones is decided in the msg layer and is not visible here,
 * so confirm that none is silently dropped.
 */
msg_hclass_t sip_authorization_class[] =
  SIP_HEADER_CLASS_AUTH(authorization, "Authorization", single);

/**Parse the value of an Authorization header.
 *
 * Thin wrapper: all arguments are handed to msg_auth_d() and its result is
 * returned unchanged.
 *
 * @param home  memory home, passed through
 * @param h     header structure, passed through
 * @param s     header value text, passed through
 * @param slen  length given with @a s, passed through
 *
 * @return The value returned by msg_auth_d().
 *
 * @note Nothing is validated in this function. For a received message the
 * scheme and parameters are whatever the peer sent; they stay unverified
 * claims until the authentication code named in the header documentation
 * (auth_mod_verify(), auth_mod_check()) has checked them.
 */
issize_t sip_authorization_d(su_home_t *home,
                             sip_header_t *h,
                             char *s,
                             isize_t slen)
{
  issize_t const parsed = msg_auth_d(home, h, s, slen);

  return parsed;
}

/**Encode an Authorization header into the buffer @a b.
 *
 * Delegates to msg_auth_e() and returns its result unchanged.
 *
 * @param b     output buffer, passed through
 * @param bsiz  size given with @a b, passed through
 * @param h     header to encode
 * @param f     flags, passed through
 *
 * @return The value returned by msg_auth_e().
 *
 * @note The header-type check is an assert() only, so it is compiled out
 * when NDEBUG is defined; callers are responsible for passing an
 * Authorization header.
 * @note The encoded text carries the credentials themselves; keep the
 * buffer out of logs and traces.
 */
issize_t sip_authorization_e(char b[],
                             isize_t bsiz,
                             sip_header_t const *h,
                             int f)
{
  issize_t encoded;

  assert(sip_is_authorization(h));
  encoded = msg_auth_e(b, bsiz, h, f);

  return encoded;
}

/* ====================================================================== */

/**@SIP_HEADER sip_proxy_authenticate Proxy-Authenticate Header
 *
 * The Proxy-Authenticate header consists of a challenge that indicates the
 * authentication scheme and parameters applicable to the proxy.
 * Its syntax is defined in [H14.33, S10.31] as follows:
 *
 * @code
 *    Proxy-Authenticate  =  "Proxy-Authenticate" HCOLON challenge
 *    challenge           =  ("Digest" LWS digest-cln *(COMMA digest-cln))
 *                           / other-challenge
 *    other-challenge     =  auth-scheme LWS auth-param
 *                           *(COMMA auth-param)
 *    digest-cln          =  realm / domain / nonce
 *                            / opaque / stale / algorithm
 *                            / qop-options / auth-param
 *    realm               =  "realm" EQUAL realm-value
 *    realm-value         =  quoted-string
 *    domain              =  "domain" EQUAL LDQUOT URI
 *                           *( 1*SP URI ) RDQUOT
 *    URI                 =  absoluteURI / abs-path
 *    nonce               =  "nonce" EQUAL nonce-value
 *    nonce-value         =  quoted-string
 *    opaque              =  "opaque" EQUAL quoted-string
 *    stale               =  "stale" EQUAL ( "true" / "false" )
 *    algorithm           =  "algorithm" EQUAL ( "MD5" / "MD5-sess"
 *                           / token )
 *    qop-options         =  "qop" EQUAL LDQUOT qop-value
 *                           *("," qop-value) RDQUOT
 *    qop-value           =  "auth" / "auth-int" / token
 * @endcode
 *
 *
 * The parsed Proxy-Authenticate header
 * is stored in #sip_proxy_authenticate_t structure.
 */

/**@ingroup sip_proxy_authenticate
 * @typedef typedef struct sip_proxy_authenticate_s sip_proxy_authenticate_t;
 *
 * The structure #sip_proxy_authenticate_t contains representation of SIP
 * @ProxyAuthenticate header.
*
 * The #sip_proxy_authenticate_t is defined as follows:
 * @code
 * typedef struct msg_auth_s {
 *   msg_common_t       au_common[1];  // Common fragment info
 *   msg_auth_t        *au_next;       // Link to next header
 *   char const        *au_scheme;     // Auth-scheme like "Basic" or "Digest"
 *   msg_param_t const *au_params;     // Comma-separated parameters
 * } sip_proxy_authenticate_t;
 * @endcode
 *
 */

/* Header class for Proxy-Authenticate, registered with kind `append`. */
msg_hclass_t sip_proxy_authenticate_class[] =
  SIP_HEADER_CLASS_AUTH(proxy_authenticate, "Proxy-Authenticate", append);

/**Parse the value of a Proxy-Authenticate header (a challenge).
 *
 * Thin wrapper: all arguments are handed to msg_auth_d() and its result is
 * returned unchanged.
 *
 * @param home  memory home, passed through
 * @param h     header structure, passed through
 * @param s     header value text, passed through
 * @param slen  length given with @a s, passed through
 *
 * @return The value returned by msg_auth_d().
 *
 * @note No policy is applied here. The documented grammar admits any token
 * for the scheme, algorithm and qop, so deciding which challenge values are
 * acceptable is left to whoever consumes the parsed header.
 */
issize_t sip_proxy_authenticate_d(su_home_t *home,
                                  sip_header_t *h,
                                  char *s,
                                  isize_t slen)
{
  issize_t const parsed = msg_auth_d(home, h, s, slen);

  return parsed;
}

/**Encode a Proxy-Authenticate header into the buffer @a b.
 *
 * Delegates to msg_auth_e() and returns its result unchanged.
 *
 * @param b     output buffer, passed through
 * @param bsiz  size given with @a b, passed through
 * @param h     header to encode
 * @param f     flags, passed through
 *
 * @return The value returned by msg_auth_e().
 *
 * @note The header-type check is an assert() only, so it is compiled out
 * when NDEBUG is defined; callers are responsible for passing a
 * Proxy-Authenticate header.
 */
issize_t sip_proxy_authenticate_e(char b[],
                                  isize_t bsiz,
                                  sip_header_t const *h,
                                  int f)
{
  issize_t encoded;

  assert(sip_is_proxy_authenticate(h));
  encoded = msg_auth_e(b, bsiz, h, f);

  return encoded;
}

/* ====================================================================== */

/**@SIP_HEADER sip_proxy_authorization Proxy-Authorization Header
 *
 * The Proxy-Authorization header consists of credentials containing the
 * authentication information of the user agent for the proxy and/or realm
 * of the resource being requested. Its syntax is defined in @RFC3261
 * as follows:
 *
 * @code
 *    Proxy-Authorization  = "Proxy-Authorization" ":" credentials
 *    credentials          =  ("Digest" LWS digest-response)
 *                            / other-response
 * @endcode
 *
 * @sa auth_mod_verify(), auth_mod_check(), auth_get_params(),
 * auth_digest_response_get().
 *
 * The parsed Proxy-Authorization header
 * is stored in #sip_proxy_authorization_t structure.
 */

/**@ingroup sip_proxy_authorization
 * @typedef typedef struct sip_proxy_authorization_s sip_proxy_authorization_t;
 *
 * The structure #sip_proxy_authorization_t contains representation of SIP
 * @ProxyAuthorization header.
*
 * The #sip_proxy_authorization_t is defined as follows:
 * @code
 * typedef struct msg_auth_s {
 *   msg_common_t       au_common[1];  // Common fragment info
 *   msg_auth_t        *au_next;       // Link to next header
 *   char const        *au_scheme;     // Auth-scheme like "Basic" or "Digest"
 *   msg_param_t const *au_params;     // Comma-separated parameters
 * } sip_proxy_authorization_t;
 * @endcode
 *
 */

/* Header class for Proxy-Authorization, registered with kind `append`. */
msg_hclass_t sip_proxy_authorization_class[] =
  SIP_HEADER_CLASS_AUTH(proxy_authorization, "Proxy-Authorization", append);

/**Parse the value of a Proxy-Authorization header.
 *
 * Thin wrapper: all arguments are handed to msg_auth_d() and its result is
 * returned unchanged.
 *
 * @param home  memory home, passed through
 * @param h     header structure, passed through
 * @param s     header value text, passed through
 * @param slen  length given with @a s, passed through
 *
 * @return The value returned by msg_auth_d().
 *
 * @note Nothing is validated in this function. For a received message the
 * scheme and parameters are whatever the peer sent; they stay unverified
 * claims until the authentication code named in the header documentation
 * (auth_mod_verify(), auth_mod_check()) has checked them.
 */
issize_t sip_proxy_authorization_d(su_home_t *home,
                                   sip_header_t *h,
                                   char *s,
                                   isize_t slen)
{
  issize_t const parsed = msg_auth_d(home, h, s, slen);

  return parsed;
}

/**Encode a Proxy-Authorization header into the buffer @a b.
 *
 * Delegates to msg_auth_e() and returns its result unchanged.
 *
 * @param b     output buffer, passed through
 * @param bsiz  size given with @a b, passed through
 * @param h     header to encode
 * @param f     flags, passed through
 *
 * @return The value returned by msg_auth_e().
 *
 * @note The header-type check is an assert() only, so it is compiled out
 * when NDEBUG is defined; callers are responsible for passing a
 * Proxy-Authorization header.
 * @note The encoded text carries the credentials themselves; keep the
 * buffer out of logs and traces.
 */
issize_t sip_proxy_authorization_e(char b[],
                                   isize_t bsiz,
                                   sip_header_t const *h,
                                   int f)
{
  issize_t encoded;

  assert(sip_is_proxy_authorization(h));
  encoded = msg_auth_e(b, bsiz, h, f);

  return encoded;
}

/* ====================================================================== */

/**@SIP_HEADER sip_www_authenticate WWW-Authenticate Header
 *
 * The WWW-Authenticate header consists of at least one challenge that
 * indicates the authentication scheme(s) and parameters applicable to the
 * Request-URI. Its syntax is defined in @RFC3261 as
 * follows:
 *
 * @code
 *    WWW-Authenticate  =  "WWW-Authenticate" HCOLON challenge
 *    challenge         =  ("Digest" LWS digest-cln *(COMMA digest-cln))
 *                         / other-challenge
 *    other-challenge   =  auth-scheme LWS auth-param *(COMMA auth-param)
 * @endcode
 *
 * See @ProxyAuthenticate for the definition of \<digest-cln\>.
 *
 * The parsed WWW-Authenticate header
 * is stored in #sip_www_authenticate_t structure.
 */

/**@ingroup sip_www_authenticate
 * @typedef typedef struct sip_www_authenticate_s sip_www_authenticate_t;
 *
 * The structure #sip_www_authenticate_t contains representation of SIP
 * @WWWAuthenticate header.
*
 * The #sip_www_authenticate_t is defined as follows:
 * @code
 * typedef struct msg_auth_s {
 *   msg_common_t       au_common[1];  // Common fragment info
 *   msg_auth_t        *au_next;       // Link to next header
 *   char const        *au_scheme;     // Auth-scheme like "Basic" or "Digest"
 *   msg_param_t const *au_params;     // Comma-separated parameters
 * } sip_www_authenticate_t;
 * @endcode
 *
 */

/* Header class for WWW-Authenticate.
 *
 * NOTE(review): this class is registered with kind `single`, while
 * Proxy-Authenticate in this file uses `append`. The header documentation
 * speaks of "at least one challenge"; how `single` treats a second
 * WWW-Authenticate header is decided in the msg layer and is not visible
 * here, so confirm that no challenge is silently dropped.
 */
msg_hclass_t sip_www_authenticate_class[] =
  SIP_HEADER_CLASS_AUTH(www_authenticate, "WWW-Authenticate", single);

/**Parse the value of a WWW-Authenticate header (a challenge).
 *
 * Thin wrapper: all arguments are handed to msg_auth_d() and its result is
 * returned unchanged.
 *
 * @param home  memory home, passed through
 * @param h     header structure, passed through
 * @param s     header value text, passed through
 * @param slen  length given with @a s, passed through
 *
 * @return The value returned by msg_auth_d().
 *
 * @note No policy is applied here; deciding which schemes and challenge
 * parameters are acceptable is left to whoever consumes the parsed header.
 */
issize_t sip_www_authenticate_d(su_home_t *home,
                                sip_header_t *h,
                                char *s,
                                isize_t slen)
{
  issize_t const parsed = msg_auth_d(home, h, s, slen);

  return parsed;
}

/**Encode a WWW-Authenticate header into the buffer @a b.
 *
 * Delegates to msg_auth_e() and returns its result unchanged.
 *
 * @param b     output buffer, passed through
 * @param bsiz  size given with @a b, passed through
 * @param h     header to encode
 * @param f     flags, passed through
 *
 * @return The value returned by msg_auth_e().
 *
 * @note The header-type check is an assert() only, so it is compiled out
 * when NDEBUG is defined; callers are responsible for passing a
 * WWW-Authenticate header.
 */
issize_t sip_www_authenticate_e(char b[],
                                isize_t bsiz,
                                sip_header_t const *h,
                                int f)
{
  issize_t encoded;

  assert(sip_is_www_authenticate(h));
  encoded = msg_auth_e(b, bsiz, h, f);

  return encoded;
}

/**@SIP_HEADER sip_authentication_info Authentication-Info Header
 *
 * The @b Authentication-Info header contains either a next-nonce used by
 * next request and/or authentication from server used in mutual
 * authentication. The syntax of @b Authentication-Info header is defined in
 * @RFC2617 and @RFC3261 as follows:
 *
 * @code
 *   Authentication-Info  = "Authentication-Info" HCOLON ainfo
 *                           *(COMMA ainfo)
 *   ainfo                =  nextnonce / message-qop
 *                            / response-auth / cnonce
 *                            / nonce-count
 *   nextnonce            =  "nextnonce" EQUAL nonce-value
 *   response-auth        =  "rspauth" EQUAL response-digest
 *   response-digest      =  LDQUOT *LHEX RDQUOT
 * @endcode
 *
 * The parsed Authentication-Info header
 * is stored in #sip_authentication_info_t structure.
 */

/**@ingroup sip_authentication_info
 * @typedef typedef struct sip_authentication_info_s sip_authentication_info_t;
 *
 * The structure #sip_authentication_info_t contains representation of SIP
 * @AuthenticationInfo header.
*
 * The #sip_authentication_info_t is defined as follows:
 * @code
 * typedef struct msg_auth_info_s
 * {
 *   msg_common_t       ai_common[1]; // Common fragment info
 *   msg_error_t       *ai_next;      // Dummy link to next header
 *   msg_param_t       *ai_items;     // List of ainfo
 * } sip_authentication_info_t;
 * @endcode
 */

/* Duplication of Authentication-Info reuses the generic list helpers;
 * there is no update hook. */
#define sip_authentication_info_dup_xtra msg_list_dup_xtra
#define sip_authentication_info_dup_one  msg_list_dup_one
#define sip_authentication_info_update   NULL

/* Header class for Authentication-Info, registered with kind `append`.
 *
 * NOTE(review): the class names the parameter member ai_params, while the
 * structure shown in the documentation lists ai_items; presumably one is an
 * alias of the other in the msg type definitions. Confirm.
 */
msg_hclass_t sip_authentication_info_class[] =
  SIP_HEADER_CLASS(authentication_info, "Authentication-Info", "",
                   ai_params, append, authentication_info);

/**Parse the value of an Authentication-Info header.
 *
 * Thin wrapper: the header pointer is cast to msg_header_t and everything
 * is handed to msg_list_d(), whose result is returned unchanged.
 *
 * @param home  memory home, passed through
 * @param h     header structure, passed through after the cast
 * @param s     header value text, passed through
 * @param slen  length given with @a s, passed through
 *
 * @return The value returned by msg_list_d().
 *
 * @note Parsing only builds the item list. Items such as rspauth are not
 * checked here, so a caller relying on mutual authentication has to verify
 * the response digest itself.
 */
issize_t sip_authentication_info_d(su_home_t *home,
                                   sip_header_t *h,
                                   char *s,
                                   isize_t slen)
{
  msg_header_t *generic = (msg_header_t *)h;

  return msg_list_d(home, generic, s, slen);
}

/**Encode an Authentication-Info header into the buffer @a b.
 *
 * Delegates to msg_list_e() and returns its result unchanged.
 *
 * @param b     output buffer, passed through
 * @param bsiz  size given with @a b, passed through
 * @param h     header to encode
 * @param f     flags, passed through
 *
 * @return The value returned by msg_list_e().
 *
 * @note The header-type check is an assert() only, so it is compiled out
 * when NDEBUG is defined; callers are responsible for passing an
 * Authentication-Info header.
 */
issize_t sip_authentication_info_e(char b[],
                                   isize_t bsiz,
                                   sip_header_t const *h,
                                   int f)
{
  issize_t encoded;

  assert(sip_is_authentication_info(h));
  encoded = msg_list_e(b, bsiz, h, f);

  return encoded;
}

/* ====================================================================== */

/**@SIP_HEADER sip_proxy_authentication_info Proxy-Authentication-Info Header
 *
 * The @b Proxy-Authentication-Info header contains either a next-nonce used
 * by next request and/or authentication from proxy used in mutual
 * authentication. The syntax of @b Proxy-Authentication-Info header is defined
 * in @RFC2617 as follows:
 *
 * @code
 *   Proxy-Authentication-Info  = "Proxy-Authentication-Info" HCOLON ainfo
 *                                 *(COMMA ainfo)
 *   ainfo                      =  nextnonce / message-qop
 *                                  / response-auth / cnonce
 *                                  / nonce-count
 *   nextnonce                  =  "nextnonce" EQUAL nonce-value
 *   response-auth              =  "rspauth" EQUAL response-digest
 *   response-digest            =  LDQUOT *LHEX RDQUOT
 * @endcode
 *
 * @note @b Proxy-Authentication-Info is not specified in @RFC3261 and is
 * mentioned by @RFC2617 only in passing.
 *
 * The parsed Proxy-Authentication-Info header
 * is stored in #sip_proxy_authentication_info_t structure.
*//**@ingroup sip_proxy_authentication_info * @typedef typedef struct msg_authentication_info_s sip_proxy_authentication_info_t; * * The structure #sip_proxy_authentication_info_t contains representation of SIP * @ProxyAuthenticationInfo header. * * The #sip_proxy_authentication_info_t is defined as follows: * @code * typedef struct msg_auth_info_s * { * msg_common_t ai_common[1]; // Common fragment info