1
/* $Id: stun_auth.h 3553 2011-05-05 06:14:19Z nanang $ */
3
* Copyright (C) 2008-2011 Teluu Inc. (http://www.teluu.com)
4
* Copyright (C) 2003-2008 Benny Prijono <benny@prijono.org>
6
* This program is free software; you can redistribute it and/or modify
7
* it under the terms of the GNU General Public License as published by
8
* the Free Software Foundation; either version 2 of the License, or
9
* (at your option) any later version.
11
* This program is distributed in the hope that it will be useful,
12
* but WITHOUT ANY WARRANTY; without even the implied warranty of
13
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14
* GNU General Public License for more details.
16
* You should have received a copy of the GNU General Public License
17
* along with this program; if not, write to the Free Software
18
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
20
#ifndef __PJNATH_STUN_AUTH_H__
21
#define __PJNATH_STUN_AUTH_H__
25
* @brief STUN authentication.
28
#include <pjnath/stun_msg.h>
34
/* **************************************************************************/
36
* @defgroup PJNATH_STUN_AUTH STUN Authentication
37
* @brief STUN authentication helper
38
* @ingroup PJNATH_STUN_BASE
43
* Type of authentication.
45
typedef enum pj_stun_auth_type
50
PJ_STUN_AUTH_NONE = 0,
53
* Authentication using short term credential.
55
PJ_STUN_AUTH_SHORT_TERM = 1,
58
* Authentication using long term credential.
60
PJ_STUN_AUTH_LONG_TERM = 2
66
* Type of authentication data in the credential.
68
typedef enum pj_stun_auth_cred_type
71
* The credential data contains a static credential to be matched
72
* against the credential in the message. A static credential can be
73
* used as both client side or server side authentication.
75
PJ_STUN_AUTH_CRED_STATIC,
78
* The credential data contains callbacks to be called to verify the
79
* credential in the message. A dynamic credential is suitable when
80
* performing server side authentication where server does not know
81
* in advance the identity of the user requesting authentication.
83
PJ_STUN_AUTH_CRED_DYNAMIC
85
} pj_stun_auth_cred_type;
89
* Type of encoding applied to the password stored in the credential.
91
typedef enum pj_stun_passwd_type
94
* Plain text password.
96
PJ_STUN_PASSWD_PLAIN = 0,
99
* Hashed password, valid for long term credential only. The hash value
100
* of the password is calculated as MD5(USERNAME ":" REALM ":" PASSWD)
101
* with all quotes removed from the username and realm values.
103
PJ_STUN_PASSWD_HASHED = 1
105
} pj_stun_passwd_type;
109
* This structure contains the descriptions needed to perform server side
110
* authentication. Depending on the \a type set in the structure, application
111
* may specify a static username/password combination, or to have callbacks
112
* called by the function to authenticate the credential dynamically.
114
typedef struct pj_stun_auth_cred
117
* The type of authentication information in this structure.
119
pj_stun_auth_cred_type type;
122
* This union contains the authentication data.
127
* This structure contains static data for performing authentication.
128
* A non-empty realm indicates whether short term or long term
129
* credential is used.
134
* If not-empty, it indicates that this is a long term credential.
139
* The username of the credential.
144
* Data type to indicate the type of password in the \a data field.
146
pj_stun_passwd_type data_type;
149
* The data, which depends depends on the value of \a data_type
150
* field. When \a data_type is zero, this field will contain the
151
* plaintext password.
163
* This structure contains callback to be called by the framework
164
* to authenticate the incoming message.
169
* User data which will be passed back to callback functions.
174
* This callback is called by pj_stun_verify_credential() when
175
* server needs to challenge the request with 401 response.
177
* @param user_data The user data as specified in the credential.
178
* @param pool Pool to allocate memory.
179
* @param realm On return, the function should fill in with
180
* realm if application wants to use long term
181
* credential. Otherwise application should set
182
* empty string for the realm.
183
* @param nonce On return, if application wants to use long
184
* term credential, it MUST fill in the nonce
185
* with some value. Otherwise if short term
186
* credential is wanted, it MAY set this value.
187
* If short term credential is wanted and the
188
* application doesn't want to include NONCE,
189
* then it must set this to empty string.
191
* @return The callback should return PJ_SUCCESS, or
192
* otherwise response message will not be
195
pj_status_t (*get_auth)(void *user_data,
201
* Get the credential to be put in outgoing request.
203
* @param msg The outgoing message where the credential is
205
* @param user_data The user data as specified in the credential.
206
* @param pool Pool where the callback can allocate memory
207
* to fill in the credential.
208
* @param realm On return, the callback may specify the realm
209
* if long term credential is desired, otherwise
210
* this string must be set to empty.
211
* @param username On return, the callback must fill in with the
213
* @param nonce On return, the callback may optionally fill in
214
* this argument with NONCE value if desired,
215
* otherwise this argument must be set to empty.
216
* @param data_type On return, the callback must set this argument
217
* with the type of password in the data argument.
218
* @param data On return, the callback must set this with
219
* the password, encoded according to data_type
222
* @return The callback must return PJ_SUCCESS, otherwise
223
* the message transmission will be cancelled.
225
pj_status_t (*get_cred)(const pj_stun_msg *msg,
231
pj_stun_passwd_type *data_type,
235
* Get the password for the specified username. This function
236
* is also used to check whether the username is valid.
238
* @param msg The STUN message where the password will be
240
* @param user_data The user data as specified in the credential.
241
* @param realm The realm as specified in the message.
242
* @param username The username as specified in the message.
243
* @param pool Pool to allocate memory when necessary.
244
* @param data_type On return, application should fill up this
245
* argument with the type of data (which should
246
* be zero if data is a plaintext password).
247
* @param data On return, application should fill up this
248
* argument with the password according to
251
* @return The callback should return PJ_SUCCESS if
252
* username has been successfully verified
253
* and password was obtained. If non-PJ_SUCCESS
254
* is returned, it is assumed that the
255
* username is not valid.
257
pj_status_t (*get_password)(const pj_stun_msg *msg,
259
const pj_str_t *realm,
260
const pj_str_t *username,
262
pj_stun_passwd_type *data_type,
266
* This callback will be called to verify that the NONCE given
267
* in the message can be accepted. If this callback returns
268
* PJ_FALSE, 438 (Stale Nonce) response will be created.
270
* This callback is optional.
272
* @param msg The STUN message where the nonce was received.
273
* @param user_data The user data as specified in the credential.
274
* @param realm The realm as specified in the message.
275
* @param username The username as specified in the message.
276
* @param nonce The nonce to be verified.
278
* @return The callback MUST return non-zero if the
279
* NONCE can be accepted.
281
pj_bool_t (*verify_nonce)(const pj_stun_msg *msg,
283
const pj_str_t *realm,
284
const pj_str_t *username,
285
const pj_str_t *nonce);
295
* This structure contains the credential information that is found and
296
* used to authenticate incoming requests. Application may use this
297
* information when generating authentication for the outgoing response.
299
typedef struct pj_stun_req_cred_info
302
* The REALM value found in the incoming request. If short term
303
* credential is used, the value will be empty.
308
* The USERNAME value found in the incoming request.
318
* Authentication key that was used to authenticate the incoming
319
* request. This key is created with #pj_stun_create_key(), and
320
* it can be used to encode the credential of the outgoing
325
} pj_stun_req_cred_info;
329
* Duplicate authentication credential.
331
* @param pool Pool to be used to allocate memory.
332
* @param dst Destination credential.
333
* @param src Source credential.
335
PJ_DECL(void) pj_stun_auth_cred_dup(pj_pool_t *pool,
336
pj_stun_auth_cred *dst,
337
const pj_stun_auth_cred *src);
340
* Duplicate request credential.
342
* @param pool Pool to be used to allocate memory.
343
* @param dst Destination credential.
344
* @param src Source credential.
346
PJ_DECL(void) pj_stun_req_cred_info_dup(pj_pool_t *pool,
347
pj_stun_req_cred_info *dst,
348
const pj_stun_req_cred_info *src);
352
* Create authentication key to be used for encoding the message with
353
* MESSAGE-INTEGRITY. If short term credential is used (i.e. the realm
354
* argument is NULL or empty), the key will be copied from the password.
355
* If long term credential is used, the key will be calculated from the
356
* MD5 hash of the realm, username, and password.
358
* @param pool Pool to allocate memory for the key.
359
* @param key String to receive the key.
360
* @param realm The realm of the credential, if long term credential
361
* is to be used. If short term credential is wanted,
362
* application can put NULL or empty string here.
363
* @param username The username.
364
* @param data_type Password encoding.
365
* @param data The password.
367
PJ_DECL(void) pj_stun_create_key(pj_pool_t *pool,
369
const pj_str_t *realm,
370
const pj_str_t *username,
371
pj_stun_passwd_type data_type,
372
const pj_str_t *data);
375
* Verify credential in the STUN request. Note that before calling this
376
* function, application must have checked that the message contains
377
* PJ_STUN_ATTR_MESSAGE_INTEGRITY attribute by calling pj_stun_msg_find_attr()
378
* function, because this function will reject the message with 401 error
379
* if it doesn't contain PJ_STUN_ATTR_MESSAGE_INTEGRITY attribute.
381
* @param pkt The original packet which has been parsed into
382
* the message. This packet MUST NOT have been modified
384
* @param pkt_len The length of the packet.
385
* @param msg The parsed message to be verified.
386
* @param cred Pointer to credential to be used to authenticate
388
* @param pool If response is to be created, then memory will
389
* be allocated from this pool.
390
* @param info Optional pointer to receive authentication information
391
* found in the request and the credential that is used
392
* to authenticate the request.
393
* @param p_response Optional pointer to receive the response message
394
* then the credential in the request fails to
397
* @return PJ_SUCCESS if credential is verified successfully.
398
* If the verification fails and \a p_response is not
399
* NULL, an appropriate response will be returned in
402
PJ_DECL(pj_status_t) pj_stun_authenticate_request(const pj_uint8_t *pkt,
404
const pj_stun_msg *msg,
405
pj_stun_auth_cred *cred,
407
pj_stun_req_cred_info *info,
408
pj_stun_msg **p_response);
412
* Determine if STUN message can be authenticated. Some STUN error
413
* responses cannot be authenticated since they cannot contain STUN
414
* MESSAGE-INTEGRITY attribute. STUN Indication messages also cannot
417
* @param msg The STUN message.
419
* @return Non-zero if the STUN message can be authenticated.
421
PJ_DECL(pj_bool_t) pj_stun_auth_valid_for_msg(const pj_stun_msg *msg);
425
* Verify credential in the STUN response. Note that before calling this
426
* function, application must have checked that the message contains
427
* PJ_STUN_ATTR_MESSAGE_INTEGRITY attribute by calling pj_stun_msg_find_attr()
428
* function, because otherwise this function will report authentication
431
* @param pkt The original packet which has been parsed into
432
* the message. This packet MUST NOT have been modified
434
* @param pkt_len The length of the packet.
435
* @param msg The parsed message to be verified.
436
* @param key Authentication key to calculate MESSAGE-INTEGRITY
437
* value. Application can create this key by using
438
* #pj_stun_create_key() function.
440
* @return PJ_SUCCESS if credential is verified successfully.
442
PJ_DECL(pj_status_t) pj_stun_authenticate_response(const pj_uint8_t *pkt,
444
const pj_stun_msg *msg,
445
const pj_str_t *key);
456
#endif /* __PJNATH_STUN_AUTH_H__ */