a2e9dbdad1
- new module 'msg' for generic message handling (SIP, HTTP) - decode content-type field in HTTP and SIP
167 lines
3.2 KiB
C
167 lines
3.2 KiB
C
/**
|
|
* @file http/auth.c HTTP Authentication
|
|
*
|
|
* Copyright (C) 2011 Creytiv.com
|
|
*/
|
|
|
|
#include <string.h>
|
|
#include <time.h>
|
|
#include <re_types.h>
|
|
#include <re_sys.h>
|
|
#include <re_md5.h>
|
|
#include <re_sa.h>
|
|
#include <re_list.h>
|
|
#include <re_fmt.h>
|
|
#include <re_msg.h>
|
|
#include <re_httpauth.h>
|
|
#include <re_http.h>
|
|
|
|
|
|
enum {
|
|
NONCE_EXPIRES = 300,
|
|
NONCE_MIN_SIZE = 33,
|
|
};
|
|
|
|
|
|
static uint64_t secret;
|
|
static bool secret_set;
|
|
|
|
|
|
/**
|
|
* Print HTTP digest authentication challenge
|
|
*
|
|
* @param pf Print function for output
|
|
* @param auth Authentication parameteres
|
|
*
|
|
* @return 0 if success, otherwise errorcode
|
|
*/
|
|
int http_auth_print_challenge(struct re_printf *pf,
|
|
const struct http_auth *auth)
|
|
{
|
|
uint8_t key[MD5_SIZE];
|
|
uint64_t nv[2];
|
|
|
|
if (!auth)
|
|
return 0;
|
|
|
|
if (!secret_set) {
|
|
secret = rand_u64();
|
|
secret_set = true;
|
|
}
|
|
|
|
nv[0] = time(NULL);
|
|
nv[1] = secret;
|
|
|
|
md5((uint8_t *)nv, sizeof(nv), key);
|
|
|
|
return re_hprintf(pf,
|
|
"Digest realm=\"%s\", nonce=\"%w%llx\", "
|
|
"qop=\"auth\"%s",
|
|
auth->realm,
|
|
key, sizeof(key), nv[0],
|
|
auth->stale ? ", stale=true" : "");
|
|
}
|
|
|
|
|
|
static int chk_nonce(const struct pl *nonce, uint32_t expires)
|
|
{
|
|
uint8_t nkey[MD5_SIZE], ckey[MD5_SIZE];
|
|
uint64_t nv[2];
|
|
struct pl pl;
|
|
int64_t age;
|
|
unsigned i;
|
|
|
|
if (!nonce || !nonce->p || nonce->l < NONCE_MIN_SIZE)
|
|
return EINVAL;
|
|
|
|
pl = *nonce;
|
|
|
|
for (i=0; i<sizeof(nkey); i++) {
|
|
nkey[i] = ch_hex(*pl.p++) << 4;
|
|
nkey[i] += ch_hex(*pl.p++);
|
|
pl.l -= 2;
|
|
}
|
|
|
|
nv[0] = pl_x64(&pl);
|
|
nv[1] = secret;
|
|
|
|
md5((uint8_t *)nv, sizeof(nv), ckey);
|
|
|
|
if (memcmp(nkey, ckey, MD5_SIZE))
|
|
return EAUTH;
|
|
|
|
age = time(NULL) - nv[0];
|
|
|
|
if (age < 0 || age > expires)
|
|
return ETIMEDOUT;
|
|
|
|
return 0;
|
|
}
|
|
|
|
|
|
/**
|
|
* Check HTTP digest authorization
|
|
*
|
|
* @param hval Authorization header value
|
|
* @param method Request method
|
|
* @param auth Authentication parameteres
|
|
* @param authh Authentication handler
|
|
* @param arg Authentication handler argument
|
|
*
|
|
* @return true if check is passed, otherwise false
|
|
*/
|
|
bool http_auth_check(const struct pl *hval, const struct pl *method,
|
|
struct http_auth *auth, http_auth_h *authh, void *arg)
|
|
{
|
|
struct httpauth_digest_resp resp;
|
|
uint8_t ha1[MD5_SIZE];
|
|
|
|
if (!hval || !method || !auth || !authh)
|
|
return false;
|
|
|
|
if (httpauth_digest_response_decode(&resp, hval))
|
|
return false;
|
|
|
|
if (pl_strcasecmp(&resp.realm, auth->realm))
|
|
return false;
|
|
|
|
if (chk_nonce(&resp.nonce, NONCE_EXPIRES)) {
|
|
auth->stale = true;
|
|
return false;
|
|
}
|
|
|
|
if (authh(&resp.username, ha1, arg))
|
|
return false;
|
|
|
|
if (httpauth_digest_response_auth(&resp, method, ha1))
|
|
return false;
|
|
|
|
return true;
|
|
}
|
|
|
|
|
|
/**
|
|
* Check HTTP digest authorization of an HTTP request
|
|
*
|
|
* @param msg HTTP message
|
|
* @param auth Authentication parameteres
|
|
* @param authh Authentication handler
|
|
* @param arg Authentication handler argument
|
|
*
|
|
* @return true if check is passed, otherwise false
|
|
*/
|
|
bool http_auth_check_request(const struct http_msg *msg,
|
|
struct http_auth *auth,
|
|
http_auth_h *authh, void *arg)
|
|
{
|
|
const struct http_hdr *hdr;
|
|
|
|
if (!msg)
|
|
return false;
|
|
|
|
hdr = http_msg_hdr(msg, HTTP_HDR_AUTHORIZATION);
|
|
if (!hdr)
|
|
return false;
|
|
|
|
return http_auth_check(&hdr->val, &msg->met, auth, authh, arg);
|
|
}
|