1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
|
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<section id="digest_parser" xmlns:xi="http://www.w3.org/2001/XInclude">
<sectioninfo>
<revhistory>
<revision>
<revnumber>$Revision$</revnumber>
<date>$Date$</date>
</revision>
</revhistory>
</sectioninfo>
<title>Digest Body Parser</title>
<para>
Purpose of this parser is to parse digest response. The parser can be
found under <filename>parser/digest</filename> subdirectory. There
might be several header fields containing digest response, for example
Proxy-Authorization or WWW-Authorization. The parser can be used for
all of them.
</para>
<para>
The parser is not called automatically when by the main parser. It is
your responsibility to call the parser when you want a digest response
to be parsed.
</para>
<para>
Main function is <function>parse_credentials</function> defined in
<filename>digest.c</filename>. The function accepts one parameter which
is header field to be parsed. As result the function will create an
instance of <structname>auth_body_t</structname> structure which will
represent the parsed digest credentials. Pointer to the structure will
be put in <structfield>parsed</structfield> field of the
<structname>hdr_field</structname> structure representing the parsed
header field. It will be freed when the whole message is being
destroyed.
</para>
<para>
The digest parser contains 32-bit digest parameter parser. The parser
was in detail described in section <link linkend="hfname_parser">Header
Field Name Parser</link>. See that section for more details about the
digest parameter parser algorithm, they work in the same way.
</para>
<para>
Description of digest related structures follows:
<programlisting>
typedef struct auth_body {
/* This is pointer to header field containing
* parsed authorized digest credentials. This
* pointer is set in sip_msg->{authorization,proxy_auth}
* hooks.
*
* This is necessary for functions called after
* {www,proxy}_authorize, these functions need to know
* which credentials are authorized and they will simply
* look into
* sip_msg->{authorization,proxy_auth}->parsed->authorized
*/
struct hdr_field* authorized;
dig_cred_t digest; /* Parsed digest credentials */
unsigned char stale; /* Flag is set if nonce is stale */
int nonce_retries; /* How many times the nonce was used */
} auth_body_t;
</programlisting>
</para>
<para>
This is the "main" structure. Pointer to the structure will be stored
in <structfield>parsed</structfield> field of
<structname>hdr_field</structname> structure. Detailed description of
its fields follows:
<itemizedlist>
<listitem>
<para>
<structfield>authorized</structfield> - This is a hook to
header field containing authorized credentials.
</para>
<para>
A <acronym>SIP</acronym> message may contain several
credentials. They are distinguished using realm
parameter. When the server is trying to authorize the
message, it must first find credentials with corresponding
realm and than authorize the credentials. To authorize
credentials server calculates response string and if the
string matches to response string contained in the
credentials, credentials are authorized (in fact it means
that the user specified in the credentials knows password,
nothing more, nothing less).
</para>
<para>
It would be good idea to remember which credentials
contained in the message are authorized, there might be
other functions interested in knowing which credentials are
authorized.
</para>
<para>
That is what is this field for. A function that
successfully authorized credentials (currently there is
only one such function in the server, it is function
<function>authorize</function> in auth module) will put
pointer to header field containing the authorized
credentials in this field. Because there might be several
header field containing credentials, the pointer will be
put in <structfield>authorized</structfield> field in the
first header field in the message containing
credentials. That means that it will be either header field
whose pointer is in <structfield>www_auth</structfield> or
<structfield>proxy_auth</structfield> field of
<structname>sip_msg</structname> structure representing the
message.
</para>
<para>
When a function wants to find authorized credentials, it
will simply look in
<structfield>msg->www_auth->parsed->authorized</structfield>
or
<structfield>msg->proxy_auth->parsed->authorized</structfield>,
where <structfield>msg</structfield> is variable containing
pointer to <structname>sip_msg</structname> structure.
</para>
<para>
To simplify the task of saving and retrieving pointer to
authorized credentials, there are two convenience functions
defined in <filename>digest.c</filename> file. They will
be described later.
</para>
</listitem>
<listitem>
<para>
<structfield>digest</structfield> - Structure containing
parsed digest credentials. The structure will be described
in detail later.
</para>
</listitem>
<listitem>
<para>
<structfield>stale</structfield> - This field will be set
to 1 if the server received a stale nonce. Next time when
the server will be sending another challenge, it will use
"stale=true" parameter. "stale=true" indicates to the
client that username and password used to calculate
response were correct, but nonce was stale. The client
should recalculate response with the same username and
password (without disturbing user) and new nonce. For more
details see <acronym>RFC2617</acronym>.
</para>
</listitem>
<listitem>
<para>
<structfield>nonce_retries</structfield> - This fields
indicates number of authorization attempts with same nonce.
</para>
</listitem>
</itemizedlist>
</para>
<programlisting>
/*
* Errors returned by check_dig_cred
*/
typedef enum dig_err {
E_DIG_OK = 0, /* Everything is OK */
E_DIG_USERNAME = 1, /* Username missing */
E_DIG_REALM = 2, /* Realm missing */
E_DIG_NONCE = 4, /* Nonce value missing */
E_DIG_URI = 8, /* URI missing */
E_DIG_RESPONSE = 16, /* Response missing */
E_DIG_CNONCE = 32, /* CNONCE missing */
E_DIG_NC = 64, /* Nonce-count missing */
} dig_err_t;
</programlisting>
<para>
This is enum of all possible errors returned by
<function>check_dig_cred</function> function.
<itemizedlist>
<listitem>
<para><emphasis>E_DIG_OK</emphasis> - No error found.</para>
</listitem>
<listitem>
<para>
<emphasis>E_DIG_USERNAME</emphasis> - Username parameter
missing in digest response.
</para>
</listitem>
<listitem>
<para><emphasis>E_DIG_REALM</emphasis> - Realm parameter
missing in digest response.</para>
</listitem>
<listitem>
<para><emphasis>E_DIG_NONCE</emphasis> - Nonce parameter
missing in digest response.</para>
</listitem>
<listitem>
<para><emphasis>E_DIG_URI</emphasis> - Uri parameter missing in
digest response.</para>
</listitem>
<listitem>
<para>
<emphasis>E_DIG_RESPONSE</emphasis> - Response parameter
missing in digest response.
</para>
</listitem>
<listitem>
<para><emphasis>E_DIG_CNONCE</emphasis> - Cnonce parameter
missing in digest response.</para>
</listitem>
<listitem>
<para><emphasis>E_DIG_NC</emphasis> - Nc parameter missing in
digest response.</para>
</listitem>
</itemizedlist>
</para>
<programlisting>
/* Type of algorithm used */
typedef enum alg {
ALG_UNSPEC = 0, /* Algorithm parameter not specified */
ALG_MD5 = 1, /* MD5 - default value*/
ALG_MD5SESS = 2, /* MD5-Session */
ALG_OTHER = 4 /* Unknown */
} alg_t;
</programlisting>
<para>
This is enum of recognized algorithm types. (See description of
<structname>algorithm</structname> structure for more details).
<itemizedlist>
<listitem>
<para><emphasis>ALG_UNSPEC</emphasis> - Algorithm was not
specified in digest response.</para>
</listitem>
<listitem>
<para>
<emphasis>ALG_MD5</emphasis> - "algorithm=MD5" was found in
digest response.
</para>
</listitem>
<listitem>
<para>
<emphasis>ALG_MD5SESS</emphasis> - "algorithm=MD5-Session"
was found in digest response.
</para>
</listitem>
<listitem>
<para>
<emphasis>ALG_OTHER</emphasis> - Unknown algorithm
parameter value was found in digest response.
</para>
</listitem>
</itemizedlist>
</para>
<programlisting>
/* Quality Of Protection used */
typedef enum qop_type {
QOP_UNSPEC = 0, /* QOP parameter not present in response */
QOP_AUTH = 1, /* Authentication only */
QOP_AUTHINT = 2, /* Authentication with integrity checks */
QOP_OTHER = 4 /* Unknown */
} qop_type_t;
</programlisting>
<para>
This enum lists all recognized qop parameter values.
<itemizedlist>
<listitem>
<para>
<emphasis>QOP_UNSPEC</emphasis> - qop parameter was not
found in digest response.
</para>
</listitem>
<listitem>
<para>
<emphasis>QOP_AUTH</emphasis> - "qop=auth" was found in
digest response.
</para>
</listitem>
<listitem>
<para>
<emphasis>QOP_AUTHINT</emphasis> - "qop=auth-int" was found
in digest response.
</para>
</listitem>
<listitem>
<para>
<emphasis>QOP_OTHER</emphasis> - Unknown qop parameter
value was found in digest response.
</para>
</listitem>
</itemizedlist>
</para>
<programlisting>
/* Algorithm structure */
struct algorithm {
str alg_str; /* The original string representation */
alg_t alg_parsed; /* Parsed value */
};
</programlisting>
<para>
The structure represents "algorithm" parameter of digest
response. Description of fields follows:
<itemizedlist>
<listitem>
<para>
<structfield>alg_str</structfield> - Algorithm parameter
value as string.
</para>
</listitem>
<listitem>
<para>
<structfield>alg_parsed</structfield> - Parsed algorithm
parameter value.
</para>
</listitem>
</itemizedlist>
</para>
<programlisting>
/* QOP structure */
struct qp {
str qop_str; /* The original string representation */
qop_type_t qop_parsed; /* Parsed value */
};
</programlisting>
<para>
This structure represents "qop" parameter of digest
response. Description of fields follows:
<itemizedlist>
<listitem>
<para>
<structfield>qop_str</structfield> - Qop parameter value as
string.
</para>
</listitem>
<listitem>
<para>
<structfield>qop_parsed</structfield> - Parsed "qop"
parameter value.
</para>
</listitem>
</itemizedlist>
</para>
<programlisting>
/*
* Parsed digest credentials
*/
typedef struct dig_cred {
str username; /* Username */
str realm; /* Realm */
str nonce; /* Nonce value */
str uri; /* URI */
str response; /* Response string */
str algorithm; /* Algorithm in string representation */
struct algorithm alg; /* Type of algorithm used */
str cnonce; /* Cnonce value */
str opaque; /* Opaque data string */
struct qp qop; /* Quality Of Protection */
str nc; /* Nonce count parameter */
} dig_cred_t;
</programlisting>
<para>
This structure represents set of digest credentials
parameters. Description of field follows:
<itemizedlist>
<listitem>
<para>
<structfield>username</structfield> - Value of "username"
parameter.
</para>
</listitem>
<listitem>
<para>
<structfield>realm</structfield> - Value of "realm"
parameter.
</para>
</listitem>
<listitem>
<para>
<structfield>nonce</structfield> - Value of "nonce"
parameter.
</para>
</listitem>
<listitem>
<para>
<structfield>uri</structfield> - Value of "uri" parameter.
</para>
</listitem>
<listitem>
<para>
<structfield>response</structfield> - Value of "response"
parameter.
</para>
</listitem>
<listitem>
<para>
<structfield>algorithm</structfield> - Value of "algorithm"
parameter as string.
</para>
</listitem>
<listitem>
<para>
<structfield>alg</structfield> - Parsed value of
"algorithm" parameter.
</para>
</listitem>
<listitem>
<para>
<structfield>cnonce</structfield> - Value of "cnonce"
parameter.
</para>
</listitem>
<listitem>
<para>
<structfield>opaque</structfield> - Value of "opaque"
parameter.
</para>
</listitem>
<listitem>
<para>
<structfield>qop</structfield> - Value of "qop" parameter.
</para>
</listitem>
<listitem>
<para>
<structfield>nc</structfield> - Value of "nc" parameter.
</para>
</listitem>
</itemizedlist>
</para>
<section id="other_functions">
<title>Other Functions Of the Digest Parser</title>
<para>
There are some other mainly convenience functions defined in the
parser. The function will be in detail described in this
section. All the functions are defined in
<filename>digest.c</filename> file.
</para>
<funcsynopsis>
<funcprototype>
<funcdef>dig_err_t <function>check_dig_cred</function></funcdef>
<paramdef>dig_cred_t* <parameter>_c</parameter></paramdef>
</funcprototype>
</funcsynopsis>
<para>
This function performs some basic sanity check over parsed digest
credentials. The following conditions must be met for the checks to
be successful:
<itemizedlist>
<listitem>
<para>
There must be non-empty "username" parameter in the
credentials.
</para>
</listitem>
<listitem>
<para>
There must be non-empty "realm" parameter in the
credentials.
</para>
</listitem>
<listitem>
<para>
There must be non-empty "nonce" parameter in the
credentials.
</para>
</listitem>
<listitem>
<para>
There must be non-empty "uri" parameter in the
credentials.
</para>
</listitem>
<listitem>
<para>
There must be non-empty "response" parameter in the
credentials.
</para>
</listitem>
<listitem>
<para>
If qop parameter is set to QOP_AUTH or QOP_AUTHINT,
then there must be also non-empty "cnonce" and "nc"
parameters in the digest.
</para>
</listitem>
</itemizedlist>
</para>
<note>
<para>
It is recommended to call <function>check_dig_cred</function>
before you try to authorize the credentials. If the function
fails, there is no need to try to authorize the credentials
because the authorization will fail for sure.
</para>
</note>
<funcsynopsis>
<funcprototype>
<funcdef>int <function>mark_authorized_cred</function></funcdef>
<paramdef>struct sip_msg* <parameter>_m</parameter></paramdef>
<paramdef>struct hdr_field* <parameter>_h</parameter></paramdef>
</funcprototype>
</funcsynopsis>
<para>
This is convenience function. The function saves pointer to the
authorized credentials. For more info see description of
<structfield>authorized</structfield> field in
<structname>auth_body</structname> structure.
</para>
<funcsynopsis>
<funcprototype>
<funcdef>int <function>get_authorized_cred</function></funcdef>
<paramdef>struct sip_msg* <parameter>_m</parameter></paramdef>
<paramdef>struct hdr_field** <parameter>_h</parameter></paramdef>
</funcprototype>
</funcsynopsis>
<para>
This is convenience function. The function will retrieve pointer to
authorized credentials previously saved using
<function>mark_authorized_cred</function> function. If there is no
such credentials, 0 will be stored in variable pointed to by the
second parameter. The function returns always zero. For more
information see description of
<structfield>authorized</structfield> field in
<structname>auth_body</structname> structure.
</para>
</section>
</section>
|
