|
1 // Copyright (c) 2007-2009 Nokia Corporation and/or its subsidiary(-ies). |
|
2 // All rights reserved. |
|
3 // This component and the accompanying materials are made available |
|
4 // under the terms of "Eclipse Public License v1.0" |
|
5 // which accompanies this distribution, and is available |
|
6 // at the URL "http://www.eclipse.org/legal/epl-v10.html". |
|
7 // |
|
8 // Initial Contributors: |
|
9 // Nokia Corporation - initial contribution. |
|
10 // |
|
11 // Contributors: |
|
12 // |
|
13 // Description: |
|
14 // Name : RSIPSecChallengeResolver.cpp |
|
15 // Part of : SIPDigestPlugin |
|
16 // Version : SIP/6.0 |
|
17 // |
|
18 |
|
19 |
|
20 |
|
21 #include "siperr.h" |
|
22 #include "SipAssert.h" |
|
23 #include "sipsecurityserverheader.h" |
|
24 #include "sipauthenticateheaderbase.h" |
|
25 #include "CSIPSecDigest.h" |
|
26 #include "RSIPSecChallengeResolver.h" |
|
27 #include "sipsecdigestcache.h" |
|
28 #include "CSIPSecChallengeMD5.h" |
|
29 #include "CSIPSecChallengeAKA.h" |
|
30 #include "CSIPSecCredentials.h" |
|
31 #include "sipresponse.h" |
|
32 #include "sipsecplugincontext.h" |
|
33 #include "sipstrings.h" |
|
34 #include "sipstrconsts.h" |
|
35 |
|
36 // CONSTANTS |
|
37 const TInt KSIPSecMaxChallengesPerResponse( 10 ); |
|
38 |
|
39 // ============================ MEMBER FUNCTIONS =============================== |
|
40 |
|
41 |
|
42 // ----------------------------------------------------------------------------- |
|
43 // RSIPSecChallengeResolver::RSIPSecChallengeResolver |
|
44 // ----------------------------------------------------------------------------- |
|
45 // |
|
46 RSIPSecChallengeResolver::RSIPSecChallengeResolver( |
|
47 TSIPSecPluginCtxResponse& aContext, |
|
48 CSIPSecDigest& aMechanism ) : |
|
49 RPointerArray< CSIPSecChallenge >(), |
|
50 iContext( &aContext ), |
|
51 iMechanism( aMechanism ) |
|
52 { |
|
53 } |
|
54 |
|
55 // ----------------------------------------------------------------------------- |
|
56 // RSIPSecChallengeResolver::Close |
|
57 // ----------------------------------------------------------------------------- |
|
58 // |
|
59 void RSIPSecChallengeResolver::Close() |
|
60 { |
|
61 ResetAndDestroy(); |
|
62 } |
|
63 |
|
64 // ----------------------------------------------------------------------------- |
|
65 // RSIPSecChallengeResolver::OpenL |
|
66 // ----------------------------------------------------------------------------- |
|
67 // |
|
68 void RSIPSecChallengeResolver::OpenL( const MSIPSecUser& aUser ) |
|
69 { |
|
70 CSIPResponse& response = iContext->SIPResponse(); |
|
71 RStringF algorithm; |
|
72 RStringF qop; |
|
73 TBool digestInSecServer = |
|
74 GetDigestParamsFromSecurityServer( response, algorithm, qop ); |
|
75 |
|
76 ResetAndDestroy(); |
|
77 const RStringF proxyAuth = |
|
78 SIPStrings::StringF( SipStrConsts::EProxyAuthenticateHeader ); |
|
79 |
|
80 TBool digestInAuthHeaders( EFalse ); |
|
81 |
|
82 TInt challengeCount = 0; |
|
83 if ( response.HeaderCount( proxyAuth ) > 0 ) |
|
84 { |
|
85 TSglQueIter< CSIPHeaderBase > authHeaders = |
|
86 response.Headers( proxyAuth ); |
|
87 FindAndCreateChallengesL( authHeaders, CSIPSecDigest::EProxy, |
|
88 challengeCount, algorithm, qop, |
|
89 digestInAuthHeaders ); |
|
90 } |
|
91 |
|
92 const RStringF wwwAuth = |
|
93 SIPStrings::StringF( SipStrConsts::EWWWAuthenticateHeader ); |
|
94 if ( response.HeaderCount( wwwAuth ) > 0 && |
|
95 challengeCount < KSIPSecMaxChallengesPerResponse ) |
|
96 { |
|
97 TSglQueIter< CSIPHeaderBase > authHeaders = response.Headers( wwwAuth ); |
|
98 FindAndCreateChallengesL( authHeaders, CSIPSecDigest::EEndPoint, |
|
99 challengeCount, algorithm, qop, |
|
100 digestInAuthHeaders ); |
|
101 } |
|
102 |
|
103 PrepareCache( aUser ); |
|
104 |
|
105 // If 401/407 has no www-authenticate or proxy-authenticate headers or all |
|
106 // challenges are ignored => error. |
|
107 if ( ( digestInSecServer || digestInAuthHeaders ) && |
|
108 ( response.ResponseCode() == 401 || response.ResponseCode() == 407 ) && |
|
109 Count() == 0 ) |
|
110 { |
|
111 User::Leave( KErrSIPForbidden ); |
|
112 } |
|
113 } |
|
114 |
|
115 // ----------------------------------------------------------------------------- |
|
116 // RSIPSecChallengeResolver::FindAndCreateChallengesL |
|
117 // ----------------------------------------------------------------------------- |
|
118 // |
|
119 void RSIPSecChallengeResolver::FindAndCreateChallengesL( |
|
120 TSglQueIter< CSIPHeaderBase >& aAuthHeaders, |
|
121 CSIPSecDigest::TChallengeType aType, |
|
122 TInt& aCount, |
|
123 RStringF aAlgorithm, |
|
124 RStringF aQop, |
|
125 TBool& aDigestInAuthHeaders ) |
|
126 { |
|
127 while ( aAuthHeaders ) |
|
128 { |
|
129 CSIPAuthenticateHeaderBase* header = |
|
130 static_cast< CSIPAuthenticateHeaderBase* >( aAuthHeaders++ ); |
|
131 if ( IsDigestChallenge( *header ) ) |
|
132 { |
|
133 aDigestInAuthHeaders = ETrue; |
|
134 if ( IsValidChallenge( *header ) && |
|
135 aCount < KSIPSecMaxChallengesPerResponse ) |
|
136 { |
|
137 CreateChallengeL( *header, aType, aCount, aAlgorithm, aQop ); |
|
138 } |
|
139 } |
|
140 } |
|
141 } |
|
142 |
|
143 // ----------------------------------------------------------------------------- |
|
144 // RSIPSecChallengeResolver::Pop |
|
145 // ----------------------------------------------------------------------------- |
|
146 // |
|
147 CSIPSecChallenge* RSIPSecChallengeResolver::Pop() |
|
148 { |
|
149 CSIPSecChallenge* challenge( NULL ); |
|
150 if ( Count() > 0 ) |
|
151 { |
|
152 challenge = ( *this )[ 0 ]; |
|
153 Remove( 0 ); |
|
154 } |
|
155 |
|
156 return challenge; |
|
157 } |
|
158 |
|
159 // ----------------------------------------------------------------------------- |
|
160 // RSIPSecChallengeResolver::PrepareCache |
|
161 // Ignore challenges that match a cache entry, but have different algorithm. |
|
162 // Then check if any matching cache entries must be removed. |
|
163 // ----------------------------------------------------------------------------- |
|
164 // |
|
165 void RSIPSecChallengeResolver::PrepareCache( const MSIPSecUser& aUser ) |
|
166 { |
|
167 TRegistrationId regId = iContext->RegistrationId(); |
|
168 CSIPSecDigestCacheEntry* entry( NULL ); |
|
169 CSIPSecCredentials* credentials( NULL ); |
|
170 TInt i( 0 ); |
|
171 |
|
172 // Start search from the end of the array, so if a challenge is removed, it |
|
173 // won't affect the position of challenges that haven't yet been checked. |
|
174 for ( i = Count() - 1; i >= 0; i-- ) |
|
175 { |
|
176 CSIPSecChallenge* challenge = ( *this )[ i ]; |
|
177 TSIPSecDigestCacheIterator iterator( *iContext ); |
|
178 iContext->Cache().InitializeIterator( iterator ); |
|
179 |
|
180 while ( ( entry = iterator.Next() ) != NULL && challenge ) |
|
181 { |
|
182 credentials = static_cast< CSIPSecCredentials* >( entry ); |
|
183 if ( credentials->DoesMatch( *challenge, aUser, regId ) && |
|
184 MixedAlgorithms( *credentials, *challenge )) |
|
185 { |
|
186 Remove( i ); |
|
187 delete challenge; |
|
188 challenge = NULL; // exits while-loop |
|
189 } |
|
190 } |
|
191 } |
|
192 |
|
193 for ( i = 0; i < Count(); i++ ) |
|
194 { |
|
195 CSIPSecChallenge* challenge = ( *this )[ i ]; |
|
196 TSIPSecDigestCacheIterator iterator( *iContext ); |
|
197 iContext->Cache().InitializeIterator( iterator ); |
|
198 |
|
199 while ( ( entry = iterator.Next() ) != NULL ) |
|
200 { |
|
201 credentials = static_cast< CSIPSecCredentials* >( entry ); |
|
202 if ( credentials->Type( *iContext ) == CSIPSecDigest::EProxy ) |
|
203 { |
|
204 __SIP_ASSERT_RETURN( |
|
205 credentials->IsUsedByUser(iContext->SIPSecUser(), |
|
206 ETrue, |
|
207 regId ), |
|
208 KErrGeneral ); |
|
209 } |
|
210 |
|
211 if ( credentials->DoesMatch( *challenge, aUser, regId ) && |
|
212 credentials->ChallengeReceived( *challenge ) ) |
|
213 { |
|
214 iContext->Cache().RemoveEntry( *credentials ); |
|
215 } |
|
216 } |
|
217 } |
|
218 |
|
219 RemoveObsoleteAKAEntries(); |
|
220 } |
|
221 |
|
222 // ----------------------------------------------------------------------------- |
|
223 // RSIPSecChallengeResolver::RemoveObsoleteAKAEntries |
|
224 // Don't compare SIPSec user. Cache can have only one CSIPSecSIMRecord, |
|
225 // regardless of SIPSec user. |
|
226 // ----------------------------------------------------------------------------- |
|
227 // |
|
228 void RSIPSecChallengeResolver::RemoveObsoleteAKAEntries() const |
|
229 { |
|
230 for ( TInt i = 0; i < Count(); ++i ) |
|
231 { |
|
232 CSIPSecChallenge* challenge = ( *this )[ i ]; |
|
233 |
|
234 if ( challenge->Algorithm().AlgorithmName() == |
|
235 CSIPSecChallengeAKA::SupportedAlgorithm() ) |
|
236 { |
|
237 iContext->Cache().ClearAKAEntriesWithOldRealm( challenge->Realm() ); |
|
238 } |
|
239 } |
|
240 } |
|
241 |
|
242 // ----------------------------------------------------------------------------- |
|
243 // RSIPSecChallengeResolver::CreateChallengeL |
|
244 // If qop exists, but has unknown value, ignore the challenge. |
|
245 // ----------------------------------------------------------------------------- |
|
246 // |
|
247 void |
|
248 RSIPSecChallengeResolver::CreateChallengeL( CSIPAuthenticateHeaderBase& aHeader, |
|
249 CSIPSecDigest::TChallengeType aType, |
|
250 TInt& aCount, |
|
251 RStringF aAlgorithm, |
|
252 RStringF aQop ) |
|
253 { |
|
254 CSIPSecRequestData::TQop qop = SelectQopL( aHeader, aQop ); |
|
255 if ( qop != CSIPSecRequestData::EUnknown ) |
|
256 { |
|
257 SelectAlgorithm( aHeader, iMechanism.Algorithm(), aAlgorithm ); |
|
258 aHeader.SetParamL( SIPStrings::StringF( SipStrConsts::EAlgorithm ), |
|
259 aAlgorithm ); |
|
260 |
|
261 CSIPSecChallenge* challenge( NULL ); |
|
262 if ( aAlgorithm == CSIPSecChallengeMD5::SupportedAlgorithm() ) |
|
263 { |
|
264 challenge = CSIPSecChallengeMD5::NewLC( aType, aHeader, qop ); |
|
265 } |
|
266 if ( aAlgorithm == CSIPSecChallengeAKA::SupportedAlgorithm() ) |
|
267 { |
|
268 challenge = CSIPSecChallengeAKA::NewLC( aType, aHeader, qop ); |
|
269 } |
|
270 |
|
271 if ( challenge ) |
|
272 { |
|
273 AppendL( challenge ); |
|
274 CleanupStack::Pop( challenge ); |
|
275 ++aCount; |
|
276 } |
|
277 } |
|
278 } |
|
279 |
|
280 // ----------------------------------------------------------------------------- |
|
281 // RSIPSecChallengeResolver::IsValidDigestChallenge |
|
282 // ----------------------------------------------------------------------------- |
|
283 // |
|
284 TBool RSIPSecChallengeResolver::IsValidDigestChallenge( |
|
285 const CSIPAuthHeaderBase& aHeader ) |
|
286 { |
|
287 return IsDigestChallenge( aHeader ) && IsValidChallenge( aHeader ); |
|
288 } |
|
289 |
|
290 // ----------------------------------------------------------------------------- |
|
291 // RSIPSecChallengeResolver::GetDigestParamsFromSecurityServer |
|
292 // ----------------------------------------------------------------------------- |
|
293 // |
|
294 TBool RSIPSecChallengeResolver::GetDigestParamsFromSecurityServer( |
|
295 CSIPResponse& aResponse, |
|
296 RStringF& aAlgorithm, |
|
297 RStringF& aQop ) |
|
298 { |
|
299 const RStringF empty = SIPStrings::StringF( SipStrConsts::EEmpty ); |
|
300 aAlgorithm = empty; |
|
301 aQop = empty; |
|
302 |
|
303 RStringF secServer = |
|
304 SIPStrings::StringF( SipStrConsts::ESecurityServerHeader ); |
|
305 if ( aResponse.HasHeader( secServer ) ) |
|
306 { |
|
307 TSglQueIter< CSIPHeaderBase > iter = aResponse.Headers( secServer ); |
|
308 for ( CSIPHeaderBase* header = iter++; header; header = iter++ ) |
|
309 { |
|
310 CSIPSecurityServerHeader* secServerHeader = |
|
311 static_cast< CSIPSecurityServerHeader* >( header ); |
|
312 if ( secServerHeader->MechanismName().CompareF( |
|
313 KSIPSecDigestScheme ) == 0 ) |
|
314 { |
|
315 aAlgorithm = secServerHeader->ParamValue( |
|
316 SIPStrings::StringF( SipStrConsts::EDigestAlgorithm ) ); |
|
317 aQop = secServerHeader->ParamValue( |
|
318 SIPStrings::StringF( SipStrConsts::EDigestQop ) ); |
|
319 return ETrue; |
|
320 } |
|
321 } |
|
322 } |
|
323 return EFalse; |
|
324 } |
|
325 |
|
326 // ----------------------------------------------------------------------------- |
|
327 // RSIPSecChallengeResolver::SelectQopL |
|
328 // Security-Server can have one qop value. If it has, use it. Challenge can have |
|
329 // a list of qop values ("auth,auth-int"). Qop is not case-sensitive. |
|
330 // ----------------------------------------------------------------------------- |
|
331 // |
|
332 CSIPSecRequestData::TQop |
|
333 RSIPSecChallengeResolver::SelectQopL( CSIPAuthenticateHeaderBase& aHeader, |
|
334 RStringF aQopInSecurityServer ) const |
|
335 { |
|
336 if ( aQopInSecurityServer != SIPStrings::StringF( SipStrConsts::EEmpty ) ) |
|
337 { |
|
338 if ( aQopInSecurityServer.DesC().CompareF( KSIPSecAuthInt ) == 0 ) |
|
339 { |
|
340 return CSIPSecRequestData::EAuthInt; |
|
341 } |
|
342 if ( aQopInSecurityServer.DesC().CompareF( KSIPSecAuth ) == 0 ) |
|
343 { |
|
344 return CSIPSecRequestData::EAuth; |
|
345 } |
|
346 } |
|
347 |
|
348 |
|
349 if ( !aHeader.HasParam( SIPStrings::StringF( SipStrConsts::EQop ) ) ) |
|
350 { |
|
351 // No qop => accept, but "auth" is used later on. |
|
352 return CSIPSecRequestData::EDoesNotExist; |
|
353 } |
|
354 |
|
355 // If many values ("auth,auth-int"), use strongest ("auth-int") |
|
356 if ( aHeader.HasQopValueL( KSIPSecAuthInt ) ) |
|
357 { |
|
358 return CSIPSecRequestData::EAuthInt; |
|
359 } |
|
360 if ( aHeader.HasQopValueL( KSIPSecAuth ) ) |
|
361 { |
|
362 return CSIPSecRequestData::EAuth; |
|
363 } |
|
364 |
|
365 return CSIPSecRequestData::EUnknown; |
|
366 } |
|
367 |
|
368 // ----------------------------------------------------------------------------- |
|
369 // RSIPSecChallengeResolver::SelectAlgorithm |
|
370 // ----------------------------------------------------------------------------- |
|
371 // |
|
372 void |
|
373 RSIPSecChallengeResolver::SelectAlgorithm( const CSIPAuthHeaderBase& aHeader, |
|
374 RStringF aDefaultAlgorithm, |
|
375 RStringF& aAlgorithm ) |
|
376 { |
|
377 const RStringF empty = SIPStrings::StringF( SipStrConsts::EEmpty ); |
|
378 if ( aAlgorithm == empty ) |
|
379 { |
|
380 // No algorithm in Security-Server, use challenge's algorithm |
|
381 aAlgorithm = aHeader.ParamValue( |
|
382 SIPStrings::StringF( SipStrConsts::EAlgorithm ) ); |
|
383 } |
|
384 |
|
385 if ( aAlgorithm == empty ) |
|
386 { |
|
387 // Use the default algorithm. If it isn't set yet (security agreement |
|
388 // not yet done), assume MD5. |
|
389 if ( aDefaultAlgorithm == empty ) |
|
390 { |
|
391 aAlgorithm = SIPStrings::StringF( SipStrConsts::EMD5 ); |
|
392 } |
|
393 else |
|
394 { |
|
395 aAlgorithm = aDefaultAlgorithm; |
|
396 } |
|
397 } |
|
398 } |
|
399 |
|
400 // ----------------------------------------------------------------------------- |
|
401 // RSIPSecChallengeResolver::IsDigestChallenge |
|
402 // Scheme is not case-sensitive. |
|
403 // ----------------------------------------------------------------------------- |
|
404 // |
|
405 TBool RSIPSecChallengeResolver::IsDigestChallenge( |
|
406 const CSIPAuthHeaderBase& aHeader ) |
|
407 { |
|
408 return aHeader.AuthScheme().DesC().CompareF( KSIPSecDigestScheme ) == 0; |
|
409 } |
|
410 |
|
411 // ----------------------------------------------------------------------------- |
|
412 // RSIPSecChallengeResolver::IsValidChallenge |
|
413 // ----------------------------------------------------------------------------- |
|
414 // |
|
415 TBool RSIPSecChallengeResolver::IsValidChallenge( |
|
416 const CSIPAuthHeaderBase& aHeader ) |
|
417 { |
|
418 return aHeader.HasParam( SIPStrings::StringF( SipStrConsts::ERealm ) ) && |
|
419 aHeader.HasParam( SIPStrings::StringF( SipStrConsts::ENonce ) ); |
|
420 } |
|
421 |
|
422 // ----------------------------------------------------------------------------- |
|
423 // RSIPSecChallengeResolver::MixedAlgorithms |
|
424 // ----------------------------------------------------------------------------- |
|
425 // |
|
426 TBool |
|
427 RSIPSecChallengeResolver::MixedAlgorithms( CSIPSecCredentials& aCredentials, |
|
428 CSIPSecChallenge& aChallenge ) const |
|
429 { |
|
430 RStringF alg = aCredentials.Challenge().Algorithm().AlgorithmName(); |
|
431 RStringF challengeAlg = aChallenge.Algorithm().AlgorithmName(); |
|
432 RStringF md5 = CSIPSecChallengeMD5::SupportedAlgorithm(); |
|
433 RStringF aka = CSIPSecChallengeAKA::SupportedAlgorithm(); |
|
434 |
|
435 return ( ( md5 == alg ) ^ ( md5 == challengeAlg ) ) && |
|
436 ( ( aka == alg ) ^ ( aka == challengeAlg ) ); |
|
437 } |