Gitiles
Code Review Sign In
review.jami.net / jami-client-android / 0a300ffae3ee3834c401ac190ad335ad80c61045 / . / jni / pjproject-android / .svn / pristine / a8 / a818a59b19884abc3210397087a14acef518446e.svn-base
blob: 4093c1bb98ccfdc9ccd639867fc1f4cd35a70275 [file] [log] [blame]
Tristan Matthews0a329cc2013-07-17 13:20:14 -0400[diff] [blame]1/* $Id$ */
2/*
3 * Copyright (C) 2008-2011 Teluu Inc. (http://www.teluu.com)
4 * Copyright (C) 2003-2008 Benny Prijono <benny@prijono.org>
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
19 */
20#include "test.h"
21
22#define THIS_FILE "sess_auth.c"
23
24#define REALM "STUN session test"
25#define USERNAME "theusername"
26#define PASSWORD "thepassword"
27#define NONCE "thenonce"
28
29
30/* STUN config */
31static pj_stun_config stun_cfg;
32
33
34//////////////////////////////////////////////////////////////////////////////////////////
35//
36// SERVER PART
37//
38
39
40/* Server instance */
41static struct server
42{
43 pj_pool_t *pool;
44 pj_sockaddr addr;
45 pj_stun_session *sess;
46
47 pj_bool_t responding;
48 unsigned recv_count;
49 pj_stun_auth_type auth_type;
50
51 pj_sock_t sock;
52
53 pj_bool_t quit;
54 pj_thread_t *thread;
55} *server;
56
57
58static pj_status_t server_send_msg(pj_stun_session *sess,
59 void *token,
60 const void *pkt,
61 pj_size_t pkt_size,
62 const pj_sockaddr_t *dst_addr,
63 unsigned addr_len)
64{
65 pj_ssize_t len = pkt_size;
66
67 PJ_UNUSED_ARG(sess);
68 PJ_UNUSED_ARG(token);
69
70 return pj_sock_sendto(server->sock, pkt, &len, 0, dst_addr, addr_len);
71}
72
73static pj_status_t server_on_rx_request(pj_stun_session *sess,
74 const pj_uint8_t *pkt,
75 unsigned pkt_len,
76 const pj_stun_rx_data *rdata,
77 void *token,
78 const pj_sockaddr_t *src_addr,
79 unsigned src_addr_len)
80{
81 PJ_UNUSED_ARG(pkt);
82 PJ_UNUSED_ARG(pkt_len);
83 PJ_UNUSED_ARG(token);
84
85 return pj_stun_session_respond(sess, rdata, 0, NULL, NULL, PJ_TRUE,
86 src_addr, src_addr_len);
87}
88
89
90static pj_status_t server_get_auth(void *user_data,
91 pj_pool_t *pool,
92 pj_str_t *realm,
93 pj_str_t *nonce)
94{
95 PJ_UNUSED_ARG(user_data);
96 PJ_UNUSED_ARG(pool);
97
98 if (server->auth_type == PJ_STUN_AUTH_SHORT_TERM) {
99 realm->slen = nonce->slen = 0;
100 } else {
101 *realm = pj_str(REALM);
102 *nonce = pj_str(NONCE);
103 }
104
105 return PJ_SUCCESS;
106}
107
108
109static pj_status_t server_get_password( const pj_stun_msg *msg,
110 void *user_data,
111 const pj_str_t *realm,
112 const pj_str_t *username,
113 pj_pool_t *pool,
114 pj_stun_passwd_type *data_type,
115 pj_str_t *data)
116{
117 PJ_UNUSED_ARG(msg);
118 PJ_UNUSED_ARG(user_data);
119 PJ_UNUSED_ARG(pool);
120
121 if (server->auth_type == PJ_STUN_AUTH_SHORT_TERM) {
122 if (realm && realm->slen) {
123 PJ_LOG(4,(THIS_FILE, " server expecting short term"));
124 return -1;
125 }
126 } else {
127 if (realm==NULL || realm->slen==0) {
128 PJ_LOG(4,(THIS_FILE, " realm not present"));
129 return -1;
130 }
131 }
132
133 if (pj_strcmp2(username, USERNAME) != 0) {
134 PJ_LOG(4,(THIS_FILE, " wrong username"));
135 return -1;
136 }
137
138 *data_type = PJ_STUN_PASSWD_PLAIN;
139 *data = pj_str(PASSWORD);
140
141 return PJ_SUCCESS;
142}
143
144
145static pj_bool_t server_verify_nonce(const pj_stun_msg *msg,
146 void *user_data,
147 const pj_str_t *realm,
148 const pj_str_t *username,
149 const pj_str_t *nonce)
150{
151 PJ_UNUSED_ARG(msg);
152 PJ_UNUSED_ARG(user_data);
153 PJ_UNUSED_ARG(realm);
154 PJ_UNUSED_ARG(username);
155
156 if (pj_strcmp2(nonce, NONCE) != 0)
157 return PJ_FALSE;
158
159 return PJ_TRUE;
160}
161
162
163static int server_thread(void *unused)
164{
165 PJ_UNUSED_ARG(unused);
166
167 PJ_LOG(5,("", " server thread started"));
168
169 while (!server->quit) {
170 pj_fd_set_t readset;
171 pj_time_val delay = {0, 10};
172
173 PJ_FD_ZERO(&readset);
174 PJ_FD_SET(server->sock, &readset);
175
176 if (pj_sock_select((int)server->sock+1, &readset, NULL, NULL, &delay)==1
177 && PJ_FD_ISSET(server->sock, &readset))
178 {
179 char pkt[1000];
180 pj_ssize_t len;
181 pj_status_t status;
182 pj_sockaddr src_addr;
183 int src_addr_len;
184
185 len = sizeof(pkt);
186 src_addr_len = sizeof(src_addr);
187
188 status = pj_sock_recvfrom(server->sock, pkt, &len, 0, &src_addr, &src_addr_len);
189 if (status != PJ_SUCCESS)
190 continue;
191
192 /* Increment server's receive count */
193 server->recv_count++;
194
195 /* Only pass to server if we allow to respond */
196 if (!server->responding)
197 continue;
198
199 pj_stun_session_on_rx_pkt(server->sess, pkt, len,
200 PJ_STUN_CHECK_PACKET | PJ_STUN_IS_DATAGRAM,
201 NULL, NULL, &src_addr, src_addr_len);
202 }
203 }
204
205 return 0;
206}
207
208
209/* Destroy server */
210static void destroy_server(void)
211{
212 if (server->thread) {
213 server->quit = PJ_TRUE;
214 pj_thread_join(server->thread);
215 pj_thread_destroy(server->thread);
216 }
217
218 if (server->sock) {
219 pj_sock_close(server->sock);
220 }
221
222 if (server->sess) {
223 pj_stun_session_destroy(server->sess);
224 }
225
226 pj_pool_release(server->pool);
227 server = NULL;
228}
229
230/* Instantiate standard server */
231static int create_std_server(pj_stun_auth_type auth_type,
232 pj_bool_t responding)
233{
234 pj_pool_t *pool;
235 pj_stun_session_cb sess_cb;
236 pj_stun_auth_cred cred;
237 pj_status_t status;
238
239 /* Create server */
240 pool = pj_pool_create(mem, "server", 1000, 1000, NULL);
241 server = PJ_POOL_ZALLOC_T(pool, struct server);
242 server->pool = pool;
243 server->auth_type = auth_type;
244 server->responding = responding;
245
246 /* Create STUN session */
247 pj_bzero(&sess_cb, sizeof(sess_cb));
248 sess_cb.on_rx_request = &server_on_rx_request;
249 sess_cb.on_send_msg = &server_send_msg;
250 status = pj_stun_session_create(&stun_cfg, "server", &sess_cb, PJ_FALSE, NULL, &server->sess);
251 if (status != PJ_SUCCESS) {
252 destroy_server();
253 return -10;
254 }
255
256 /* Configure credential */
257 pj_bzero(&cred, sizeof(cred));
258 cred.type = PJ_STUN_AUTH_CRED_DYNAMIC;
259 cred.data.dyn_cred.get_auth = &server_get_auth;
260 cred.data.dyn_cred.get_password = &server_get_password;
261 cred.data.dyn_cred.verify_nonce = &server_verify_nonce;
262 status = pj_stun_session_set_credential(server->sess, auth_type, &cred);
263 if (status != PJ_SUCCESS) {
264 destroy_server();
265 return -20;
266 }
267
268 /* Create socket */
269 status = pj_sock_socket(pj_AF_INET(), pj_SOCK_DGRAM(), 0, &server->sock);
270 if (status != PJ_SUCCESS) {
271 destroy_server();
272 return -30;
273 }
274
275 /* Bind */
276 pj_sockaddr_in_init(&server->addr.ipv4, NULL, 0);
277 status = pj_sock_bind(server->sock, &server->addr, pj_sockaddr_get_len(&server->addr));
278 if (status != PJ_SUCCESS) {
279 destroy_server();
280 return -40;
281 } else {
282 /* Get the bound IP address */
283 int namelen = sizeof(server->addr);
284 pj_sockaddr addr;
285
286 status = pj_sock_getsockname(server->sock, &server->addr, &namelen);
287 if (status != PJ_SUCCESS) {
288 destroy_server();
289 return -43;
290 }
291
292 status = pj_gethostip(pj_AF_INET(), &addr);
293 if (status != PJ_SUCCESS) {
294 destroy_server();
295 return -45;
296 }
297
298 pj_sockaddr_copy_addr(&server->addr, &addr);
299 }
300
301
302 /* Create worker thread */
303 status = pj_thread_create(pool, "server", &server_thread, 0, 0, 0, &server->thread);
304 if (status != PJ_SUCCESS) {
305 destroy_server();
306 return -30;
307 }
308
309 return 0;
310}
311
312
313//////////////////////////////////////////////////////////////////////////////////////////
314//
315// CLIENT PART
316//
317
318static struct client
319{
320 pj_pool_t *pool;
321 pj_stun_session *sess;
322 pj_sem_t *test_complete;
323 pj_sock_t sock;
324
325 pj_bool_t responding;
326 unsigned recv_count;
327
328 pj_status_t response_status;
329 pj_stun_msg *response;
330
331 pj_bool_t quit;
332 pj_thread_t *thread;
333} *client;
334
335
336static pj_status_t client_send_msg(pj_stun_session *sess,
337 void *token,
338 const void *pkt,
339 pj_size_t pkt_size,
340 const pj_sockaddr_t *dst_addr,
341 unsigned addr_len)
342{
343 pj_ssize_t len = pkt_size;
344
345 PJ_UNUSED_ARG(sess);
346 PJ_UNUSED_ARG(token);
347
348 return pj_sock_sendto(client->sock, pkt, &len, 0, dst_addr, addr_len);
349}
350
351
352static void client_on_request_complete( pj_stun_session *sess,
353 pj_status_t status,
354 void *token,
355 pj_stun_tx_data *tdata,
356 const pj_stun_msg *response,
357 const pj_sockaddr_t *src_addr,
358 unsigned src_addr_len)
359{
360 PJ_UNUSED_ARG(sess);
361 PJ_UNUSED_ARG(token);
362 PJ_UNUSED_ARG(tdata);
363 PJ_UNUSED_ARG(src_addr);
364 PJ_UNUSED_ARG(src_addr_len);
365
366 client->response_status = status;
367 if (response)
368 client->response = pj_stun_msg_clone(client->pool, response);
369
370 pj_sem_post(client->test_complete);
371}
372
373
374static int client_thread(void *unused)
375{
376 PJ_UNUSED_ARG(unused);
377
378 while (!client->quit) {
379 pj_fd_set_t readset;
380 pj_time_val delay = {0, 10};
381
382 /* Also poll the timer heap */
383 pj_timer_heap_poll(stun_cfg.timer_heap, NULL);
384
385 /* Poll client socket */
386 PJ_FD_ZERO(&readset);
387 PJ_FD_SET(client->sock, &readset);
388
389 if (pj_sock_select((int)client->sock+1, &readset, NULL, NULL, &delay)==1
390 && PJ_FD_ISSET(client->sock, &readset))
391 {
392 char pkt[1000];
393 pj_ssize_t len;
394 pj_status_t status;
395 pj_sockaddr src_addr;
396 int src_addr_len;
397
398 len = sizeof(pkt);
399 src_addr_len = sizeof(src_addr);
400
401 status = pj_sock_recvfrom(client->sock, pkt, &len, 0, &src_addr, &src_addr_len);
402 if (status != PJ_SUCCESS)
403 continue;
404
405 /* Increment client's receive count */
406 client->recv_count++;
407
408 /* Only pass to client if we allow to respond */
409 if (!client->responding)
410 continue;
411
412 pj_stun_session_on_rx_pkt(client->sess, pkt, len,
413 PJ_STUN_CHECK_PACKET | PJ_STUN_IS_DATAGRAM,
414 NULL, NULL, &src_addr, src_addr_len);
415 }
416
417 }
418
419 return 0;
420}
421
422
423static void destroy_client_server(void)
424{
425 if (client->thread) {
426 client->quit = 1;
427 pj_thread_join(client->thread);
428 pj_thread_destroy(client->thread);
429 }
430
431 if (client->sess)
432 pj_stun_session_destroy(client->sess);
433
434 if (client->sock)
435 pj_sock_close(client->sock);
436
437 if (client->test_complete)
438 pj_sem_destroy(client->test_complete);
439
440 if (server)
441 destroy_server();
442}
443
444static int run_client_test(const char *title,
445
446 pj_bool_t server_responding,
447 pj_stun_auth_type server_auth_type,
448
449 pj_stun_auth_type client_auth_type,
450 const char *realm,
451 const char *username,
452 const char *nonce,
453 const char *password,
454 pj_bool_t dummy_mi,
455
456 pj_bool_t expected_error,
457 pj_status_t expected_code,
458 const char *expected_realm,
459 const char *expected_nonce,
460
461 int (*more_check)(void))
462{
463 pj_pool_t *pool;
464 pj_stun_session_cb sess_cb;
465 pj_stun_auth_cred cred;
466 pj_stun_tx_data *tdata;
467 pj_status_t status;
468 int rc = 0;
469
470 PJ_LOG(3,(THIS_FILE, " %s test", title));
471
472 /* Create client */
473 pool = pj_pool_create(mem, "client", 1000, 1000, NULL);
474 client = PJ_POOL_ZALLOC_T(pool, struct client);
475 client->pool = pool;
476 client->responding = PJ_TRUE;
477
478 /* Create STUN session */
479 pj_bzero(&sess_cb, sizeof(sess_cb));
480 sess_cb.on_request_complete = &client_on_request_complete;
481 sess_cb.on_send_msg = &client_send_msg;
482 status = pj_stun_session_create(&stun_cfg, "client", &sess_cb, PJ_FALSE, NULL, &client->sess);
483 if (status != PJ_SUCCESS) {
484 destroy_client_server();
485 return -200;
486 }
487
488 /* Create semaphore */
489 status = pj_sem_create(pool, "client", 0, 1, &client->test_complete);
490 if (status != PJ_SUCCESS) {
491 destroy_client_server();
492 return -205;
493 }
494
495 /* Create client socket */
496 status = pj_sock_socket(pj_AF_INET(), pj_SOCK_DGRAM(), 0, &client->sock);
497 if (status != PJ_SUCCESS) {
498 destroy_client_server();
499 return -210;
500 }
501
502 /* Bind client socket */
503 status = pj_sock_bind_in(client->sock, 0, 0);
504 if (status != PJ_SUCCESS) {
505 destroy_client_server();
506 return -220;
507 }
508
509 /* Create client thread */
510 status = pj_thread_create(pool, "client", &client_thread, NULL, 0, 0, &client->thread);
511 if (status != PJ_SUCCESS) {
512 destroy_client_server();
513 return -230;
514 }
515
516 /* Initialize credential */
517 pj_bzero(&cred, sizeof(cred));
518 cred.type = PJ_STUN_AUTH_CRED_STATIC;
519 if (realm) cred.data.static_cred.realm = pj_str((char*)realm);
520 if (username) cred.data.static_cred.username = pj_str((char*)username);
521 if (nonce) cred.data.static_cred.nonce = pj_str((char*)nonce);
522 if (password) cred.data.static_cred.data = pj_str((char*)password);
523 cred.data.static_cred.data_type = PJ_STUN_PASSWD_PLAIN;
524 status = pj_stun_session_set_credential(client->sess, client_auth_type, &cred);
525 if (status != PJ_SUCCESS) {
526 destroy_client_server();
527 return -240;
528 }
529
530 /* Create the server */
531 status = create_std_server(server_auth_type, server_responding);
532 if (status != 0) {
533 destroy_client_server();
534 return status;
535 }
536
537 /* Create request */
538 status = pj_stun_session_create_req(client->sess, PJ_STUN_BINDING_REQUEST,
539 PJ_STUN_MAGIC, NULL, &tdata);
540 if (status != PJ_SUCCESS) {
541 destroy_client_server();
542 return -250;
543 }
544
545 /* Add our own attributes if client authentication is set to none */
546 if (client_auth_type == PJ_STUN_AUTH_NONE) {
547 pj_str_t tmp;
548 if (realm)
549 pj_stun_msg_add_string_attr(tdata->pool, tdata->msg, PJ_STUN_ATTR_REALM, pj_cstr(&tmp, realm));
550 if (username)
551 pj_stun_msg_add_string_attr(tdata->pool, tdata->msg, PJ_STUN_ATTR_USERNAME, pj_cstr(&tmp, username));
552 if (nonce)
553 pj_stun_msg_add_string_attr(tdata->pool, tdata->msg, PJ_STUN_ATTR_NONCE, pj_cstr(&tmp, nonce));
554 if (password) {
555 // ignored
556 }
557 if (dummy_mi) {
558 pj_stun_msgint_attr *mi;
559
560 pj_stun_msgint_attr_create(tdata->pool, &mi);
561 pj_stun_msg_add_attr(tdata->msg, &mi->hdr);
562 }
563
564 }
565
566 /* Send the request */
567 status = pj_stun_session_send_msg(client->sess, NULL, PJ_FALSE, PJ_TRUE, &server->addr,
568 pj_sockaddr_get_len(&server->addr), tdata);
569 if (status != PJ_SUCCESS) {
570 destroy_client_server();
571 return -270;
572 }
573
574 /* Wait until test complete */
575 pj_sem_wait(client->test_complete);
576
577
578 /* Verify response */
579 if (expected_error) {
580 if (expected_code != client->response_status) {
581 char e1[PJ_ERR_MSG_SIZE], e2[PJ_ERR_MSG_SIZE];
582
583 pj_strerror(expected_code, e1, sizeof(e1));
584 pj_strerror(client->response_status, e2, sizeof(e2));
585
586 PJ_LOG(3,(THIS_FILE, " err: expecting %d (%s) but got %d (%s) response",
587 expected_code, e1, client->response_status, e2));
588 rc = -500;
589 }
590
591 } else {
592 int res_code = 0;
593 pj_stun_realm_attr *arealm;
594 pj_stun_nonce_attr *anonce;
595
596 if (client->response_status != 0) {
597 PJ_LOG(3,(THIS_FILE, " err: expecting successful operation but got error %d",
598 client->response_status));
599 rc = -600;
600 goto done;
601 }
602
603 if (PJ_STUN_IS_ERROR_RESPONSE(client->response->hdr.type)) {
604 pj_stun_errcode_attr *aerr = NULL;
605
606 aerr = (pj_stun_errcode_attr*)
607 pj_stun_msg_find_attr(client->response,
608 PJ_STUN_ATTR_ERROR_CODE, 0);
609 if (aerr == NULL) {
610 PJ_LOG(3,(THIS_FILE, " err: received error response without ERROR-CODE"));
611 rc = -610;
612 goto done;
613 }
614
615 res_code = aerr->err_code;
616 } else {
617 res_code = 0;
618 }
619
620 /* Check that code matches */
621 if (expected_code != res_code) {
622 PJ_LOG(3,(THIS_FILE, " err: expecting response code %d but got %d",
623 expected_code, res_code));
624 rc = -620;
625 goto done;
626 }
627
628 /* Find REALM and NONCE attributes */
629 arealm = (pj_stun_realm_attr*)
630 pj_stun_msg_find_attr(client->response, PJ_STUN_ATTR_REALM, 0);
631 anonce = (pj_stun_nonce_attr*)
632 pj_stun_msg_find_attr(client->response, PJ_STUN_ATTR_NONCE, 0);
633
634 if (expected_realm) {
635 if (arealm == NULL) {
636 PJ_LOG(3,(THIS_FILE, " err: expecting REALM in esponse"));
637 rc = -630;
638 goto done;
639 }
640 if (pj_strcmp2(&arealm->value, expected_realm)!=0) {
641 PJ_LOG(3,(THIS_FILE, " err: REALM mismatch in response"));
642 rc = -640;
643 goto done;
644 }
645 } else {
646 if (arealm != NULL) {
647 PJ_LOG(3,(THIS_FILE, " err: non expecting REALM in response"));
648 rc = -650;
649 goto done;
650 }
651 }
652
653 if (expected_nonce) {
654 if (anonce == NULL) {
655 PJ_LOG(3,(THIS_FILE, " err: expecting NONCE in esponse"));
656 rc = -660;
657 goto done;
658 }
659 if (pj_strcmp2(&anonce->value, expected_nonce)!=0) {
660 PJ_LOG(3,(THIS_FILE, " err: NONCE mismatch in response"));
661 rc = -670;
662 goto done;
663 }
664 } else {
665 if (anonce != NULL) {
666 PJ_LOG(3,(THIS_FILE, " err: non expecting NONCE in response"));
667 rc = -680;
668 goto done;
669 }
670 }
671 }
672
673 /* Our tests are okay so far. Let caller do some more tests if
674 * it wants to.
675 */
676 if (rc==0 && more_check) {
677 rc = (*more_check)();
678 }
679
680
681done:
682 destroy_client_server();
683 return rc;
684}
685
686
687//////////////////////////////////////////////////////////////////////////////////////////
688//
689// More verification
690//
691
692/* Retransmission test */
693static int retransmit_check(void)
694{
695
696 if (server->recv_count != PJ_STUN_MAX_TRANSMIT_COUNT) {
697 PJ_LOG(3,("", " expecting %d retransmissions, got %d",
698 PJ_STUN_MAX_TRANSMIT_COUNT, server->recv_count));
699 return -700;
700 }
701 if (client->recv_count != 0)
702 return -710;
703
704 return 0;
705}
706
707static int long_term_check1(void)
708{
709 /* SHOULD NOT contain USERNAME or MESSAGE-INTEGRITY */
710 if (pj_stun_msg_find_attr(client->response, PJ_STUN_ATTR_USERNAME, 0))
711 return -800;
712 if (pj_stun_msg_find_attr(client->response, PJ_STUN_ATTR_MESSAGE_INTEGRITY, 0))
713 return -800;
714
715 return 0;
716}
717
718static int long_term_check2(void)
719{
720 /* response SHOULD NOT include a USERNAME, NONCE, REALM or
721 * MESSAGE-INTEGRITY attribute.
722 */
723 if (pj_stun_msg_find_attr(client->response, PJ_STUN_ATTR_USERNAME, 0))
724 return -900;
725 if (pj_stun_msg_find_attr(client->response, PJ_STUN_ATTR_NONCE, 0))
726 return -910;
727 if (pj_stun_msg_find_attr(client->response, PJ_STUN_ATTR_REALM, 0))
728 return -920;
729 if (pj_stun_msg_find_attr(client->response, PJ_STUN_ATTR_MESSAGE_INTEGRITY, 0))
730 return -930;
731
732 return 0;
733}
734
735static int long_term_check3(void)
736{
737 /* response SHOULD NOT include a USERNAME, NONCE, and REALM */
738 if (pj_stun_msg_find_attr(client->response, PJ_STUN_ATTR_USERNAME, 0))
739 return -1000;
740 if (pj_stun_msg_find_attr(client->response, PJ_STUN_ATTR_NONCE, 0))
741 return -1010;
742 if (pj_stun_msg_find_attr(client->response, PJ_STUN_ATTR_REALM, 0))
743 return -1020;
744
745 return 0;
746}
747
748//////////////////////////////////////////////////////////////////////////////////////////
749//
750// TEST MAIN
751//
752
753
754int sess_auth_test(void)
755{
756 pj_pool_t *pool;
757 int rc;
758
759 PJ_LOG(3,(THIS_FILE, " STUN session authentication test"));
760
761 /* Init STUN config */
762 pj_stun_config_init(&stun_cfg, mem, 0, NULL, NULL);
763
764 /* Create pool and timer heap */
765 pool = pj_pool_create(mem, "authtest", 200, 200, NULL);
766 if (pj_timer_heap_create(pool, 20, &stun_cfg.timer_heap)) {
767 pj_pool_release(pool);
768 return -5;
769 }
770
771 /* Basic retransmission test */
772 rc = run_client_test("Retransmission", // title
773 PJ_FALSE, // server responding
774 PJ_STUN_AUTH_NONE, // server auth
775 PJ_STUN_AUTH_NONE, // client auth
776 NULL, // realm
777 NULL, // username
778 NULL, // nonce
779 NULL, // password
780 PJ_FALSE, // dummy MI
781 PJ_TRUE, // expected error
782 PJNATH_ESTUNTIMEDOUT,// expected code
783 NULL, // expected realm
784 NULL, // expected nonce
785 &retransmit_check // more check
786 );
787 if (rc != 0) {
788 goto done;
789 }
790
791 /*
792 * Short term credential.
793 * draft-ietf-behave-rfc3489bis-15#section-10.1.2
794 */
795
796 /*
797 * If the message does not contain both a MESSAGE-INTEGRITY and a
798 * USERNAME attribute, If the message is a request, the server MUST
799 * reject the request with an error response. This response MUST
800 * use an error code of 400 (Bad Request).
801 */
802 rc = run_client_test("Missing MESSAGE-INTEGRITY (short term)", // title
803 PJ_TRUE, // server responding
804 PJ_STUN_AUTH_SHORT_TERM, // server auth
805 PJ_STUN_AUTH_NONE, // client auth
806 NULL, // realm
807 NULL, // username
808 NULL, // nonce
809 NULL, // password
810 PJ_FALSE, // dummy MI
811 PJ_TRUE, // expected error
812 PJ_STATUS_FROM_STUN_CODE(400),// expected code
813 NULL, // expected realm
814 NULL, // expected nonce
815 NULL // more check
816 );
817 if (rc != 0) {
818 goto done;
819 }
820
821 /* If the USERNAME does not contain a username value currently valid
822 * within the server: If the message is a request, the server MUST
823 * reject the request with an error response. This response MUST use
824 * an error code of 401 (Unauthorized).
825 */
826 rc = run_client_test("USERNAME mismatch (short term)", // title
827 PJ_TRUE, // server responding
828 PJ_STUN_AUTH_SHORT_TERM, // server auth
829 PJ_STUN_AUTH_SHORT_TERM, // client auth
830 NULL, // realm
831 "anotheruser", // username
832 NULL, // nonce
833 "anotherpass", // password
834 PJ_FALSE, // dummy MI
835 PJ_TRUE, // expected error
836 PJ_STATUS_FROM_STUN_CODE(401),// expected code
837 NULL, // expected realm
838 NULL, // expected nonce
839 NULL // more check
840 );
841 if (rc != 0) {
842 goto done;
843 }
844
845 /* Using the password associated with the username, compute the value
846 * for the message-integrity as described in Section 15.4. If the
847 * resulting value does not match the contents of the MESSAGE-
848 * INTEGRITY attribute:
849 *
850 * - If the message is a request, the server MUST reject the request
851 * with an error response. This response MUST use an error code
852 * of 401 (Unauthorized).
853 */
854 rc = run_client_test("MESSAGE-INTEGRITY mismatch (short term)", // title
855 PJ_TRUE, // server responding
856 PJ_STUN_AUTH_SHORT_TERM, // server auth
857 PJ_STUN_AUTH_SHORT_TERM, // client auth
858 NULL, // realm
859 USERNAME, // username
860 NULL, // nonce
861 "anotherpass", // password
862 PJ_FALSE, // dummy MI
863 PJ_TRUE, // expected error
864 PJ_STATUS_FROM_STUN_CODE(401),// expected code
865 NULL, // expected realm
866 NULL, // expected nonce
867 NULL // more check
868 );
869 if (rc != 0) {
870 goto done;
871 }
872
873 /* USERNAME is not present, server must respond with 400 (Bad
874 * Request).
875 */
876 rc = run_client_test("Missing USERNAME (short term)",// title
877 PJ_TRUE, // server responding
878 PJ_STUN_AUTH_SHORT_TERM, // server auth
879 PJ_STUN_AUTH_NONE, // client auth
880 NULL, // realm
881 NULL, // username
882 NULL, // nonce
883 NULL, // password
884 PJ_TRUE, // dummy MI
885 PJ_TRUE, // expected error
886 PJ_STATUS_FROM_STUN_CODE(400), // expected code
887 NULL, // expected realm
888 NULL, // expected nonce
889 NULL // more check
890 );
891 if (rc != 0) {
892 goto done;
893 }
894
895 /* Successful short term authentication */
896 rc = run_client_test("Successful scenario (short term)", // title
897 PJ_TRUE, // server responding
898 PJ_STUN_AUTH_SHORT_TERM, // server auth
899 PJ_STUN_AUTH_SHORT_TERM, // client auth
900 NULL, // realm
901 USERNAME, // username
902 NULL, // nonce
903 PASSWORD, // password
904 PJ_FALSE, // dummy MI
905 PJ_FALSE, // expected error
906 PJ_SUCCESS, // expected code
907 NULL, // expected realm
908 NULL, // expected nonce
909 NULL // more check
910 );
911 if (rc != 0) {
912 goto done;
913 }
914
915 /*
916 * (our own) Extended tests for long term credential
917 */
918
919 /* When server wants to use short term credential, but request has
920 * REALM, reject with .... 401 ???
921 */
922 rc = run_client_test("Unwanted REALM (short term)", // title
923 PJ_TRUE, // server responding
924 PJ_STUN_AUTH_SHORT_TERM, // server auth
925 PJ_STUN_AUTH_NONE, // client auth
926 REALM, // realm
927 USERNAME, // username
928 NULL, // nonce
929 PASSWORD, // password
930 PJ_TRUE, // dummy MI
931 PJ_TRUE, // expected error
932 PJ_STATUS_FROM_STUN_CODE(401), // expected code
933 NULL, // expected realm
934 NULL, // expected nonce
935 &long_term_check2 // more check
936 );
937 if (rc != 0) {
938 goto done;
939 }
940
941
942 /*
943 * Long term credential.
944 * draft-ietf-behave-rfc3489bis-15#section-10.2.2
945 */
946
947 /* If the message does not contain a MESSAGE-INTEGRITY attribute, the
948 * server MUST generate an error response with an error code of 401
949 * (Unauthorized). This response MUST include a REALM value. It is
950 * RECOMMENDED that the REALM value be the domain name of the
951 * provider of the STUN server. The response MUST include a NONCE,
952 * selected by the server. The response SHOULD NOT contain a
953 * USERNAME or MESSAGE-INTEGRITY attribute.
954 */
955 rc = run_client_test("Missing M-I (long term)", // title
956 PJ_TRUE, // server responding
957 PJ_STUN_AUTH_LONG_TERM, // server auth
958 PJ_STUN_AUTH_NONE, // client auth
959 NULL, // client realm
960 NULL, // client username
961 NULL, // client nonce
962 NULL, // client password
963 PJ_FALSE, // client dummy MI
964 PJ_TRUE, // expected error
965 PJ_STATUS_FROM_STUN_CODE(401), // expected code
966 REALM, // expected realm
967 NONCE, // expected nonce
968 &long_term_check1 // more check
969 );
970 if (rc != 0) {
971 goto done;
972 }
973
974 /* If the message contains a MESSAGE-INTEGRITY attribute, but is
975 * missing the USERNAME, REALM or NONCE attributes, the server MUST
976 * generate an error response with an error code of 400 (Bad
977 * Request). This response SHOULD NOT include a USERNAME, NONCE,
978 * REALM or MESSAGE-INTEGRITY attribute.
979 */
980 /* Missing USERNAME */
981 rc = run_client_test("Missing USERNAME (long term)", // title
982 PJ_TRUE, // server responding
983 PJ_STUN_AUTH_LONG_TERM, // server auth
984 PJ_STUN_AUTH_NONE, // client auth
985 REALM, // client realm
986 NULL, // client username
987 NONCE, // client nonce
988 PASSWORD, // client password
989 PJ_TRUE, // client dummy MI
990 PJ_TRUE, // expected error
991 PJ_STATUS_FROM_STUN_CODE(400), // expected code
992 NULL, // expected realm
993 NULL, // expected nonce
994 &long_term_check2 // more check
995 );
996 if (rc != 0) {
997 goto done;
998 }
999
1000 /* Missing REALM */
1001 rc = run_client_test("Missing REALM (long term)", // title
1002 PJ_TRUE, // server responding
1003 PJ_STUN_AUTH_LONG_TERM, // server auth
1004 PJ_STUN_AUTH_NONE, // client auth
1005 NULL, // client realm
1006 USERNAME, // client username
1007 NONCE, // client nonce
1008 PASSWORD, // client password
1009 PJ_TRUE, // client dummy MI
1010 PJ_TRUE, // expected error
1011 PJ_STATUS_FROM_STUN_CODE(400), // expected code
1012 NULL, // expected realm
1013 NULL, // expected nonce
1014 &long_term_check2 // more check
1015 );
1016 if (rc != 0) {
1017 goto done;
1018 }
1019
1020 /* Missing NONCE */
1021 rc = run_client_test("Missing NONCE (long term)", // title
1022 PJ_TRUE, // server responding
1023 PJ_STUN_AUTH_LONG_TERM, // server auth
1024 PJ_STUN_AUTH_NONE, // client auth
1025 REALM, // client realm
1026 USERNAME, // client username
1027 NULL, // client nonce
1028 PASSWORD, // client password
1029 PJ_TRUE, // client dummy MI
1030 PJ_TRUE, // expected error
1031 PJ_STATUS_FROM_STUN_CODE(400), // expected code
1032 NULL, // expected realm
1033 NULL, // expected nonce
1034 &long_term_check2 // more check
1035 );
1036 if (rc != 0) {
1037 goto done;
1038 }
1039
1040 /* If the NONCE is no longer valid, the server MUST generate an error
1041 * response with an error code of 438 (Stale Nonce). This response
1042 * MUST include a NONCE and REALM attribute and SHOULD NOT incude the
1043 * USERNAME or MESSAGE-INTEGRITY attribute. Servers can invalidate
1044 * nonces in order to provide additional security. See Section 4.3
1045 * of [RFC2617] for guidelines.
1046 */
1047 // how??
1048
1049 /* If the username in the USERNAME attribute is not valid, the server
1050 * MUST generate an error response with an error code of 401
1051 * (Unauthorized). This response MUST include a REALM value. It is
1052 * RECOMMENDED that the REALM value be the domain name of the
1053 * provider of the STUN server. The response MUST include a NONCE,
1054 * selected by the server. The response SHOULD NOT contain a
1055 * USERNAME or MESSAGE-INTEGRITY attribute.
1056 */
1057 rc = run_client_test("Invalid username (long term)", // title
1058 PJ_TRUE, // server responding
1059 PJ_STUN_AUTH_LONG_TERM, // server auth
1060 PJ_STUN_AUTH_LONG_TERM, // client auth
1061 REALM, // client realm
1062 "anotheruser", // client username
1063 "a nonce", // client nonce
1064 "somepassword", // client password
1065 PJ_FALSE, // client dummy MI
1066 PJ_TRUE, // expected error
1067 PJ_STATUS_FROM_STUN_CODE(401), // expected code
1068 REALM, // expected realm
1069 NONCE, // expected nonce
1070 &long_term_check1 // more check
1071 );
1072 if (rc != 0) {
1073 goto done;
1074 }
1075
1076 /* Successful long term authentication */
1077 rc = run_client_test("Successful scenario (long term)", // title
1078 PJ_TRUE, // server responding
1079 PJ_STUN_AUTH_LONG_TERM, // server auth
1080 PJ_STUN_AUTH_LONG_TERM, // client auth
1081 REALM, // client realm
1082 USERNAME, // client username
1083 "anothernonce", // client nonce
1084 PASSWORD, // client password
1085 PJ_FALSE, // client dummy MI
1086 PJ_FALSE, // expected error
1087 0, // expected code
1088 NULL, // expected realm
1089 NULL, // expected nonce
1090 &long_term_check3 // more check
1091 );
1092 if (rc != 0) {
1093 goto done;
1094 }
1095
1096 /*
1097 * (our own) Extended tests for long term credential
1098 */
1099
1100 /* If REALM doesn't match, server must respond with 401
1101 */
1102#if 0
1103 // STUN session now will just use the realm sent in the
1104 // response, so this test will fail because it will
1105 // authenticate successfully.
1106
1107 rc = run_client_test("Invalid REALM (long term)", // title
1108 PJ_TRUE, // server responding
1109 PJ_STUN_AUTH_LONG_TERM, // server auth
1110 PJ_STUN_AUTH_LONG_TERM, // client auth
1111 "anotherrealm", // client realm
1112 USERNAME, // client username
1113 NONCE, // client nonce
1114 PASSWORD, // client password
1115 PJ_FALSE, // client dummy MI
1116 PJ_TRUE, // expected error
1117 PJ_STATUS_FROM_STUN_CODE(401), // expected code
1118 REALM, // expected realm
1119 NONCE, // expected nonce
1120 &long_term_check1 // more check
1121 );
1122 if (rc != 0) {
1123 goto done;
1124 }
1125#endif
1126
1127 /* Invalid HMAC */
1128
1129 /* Valid static short term, without NONCE */
1130
1131 /* Valid static short term, WITH NONCE */
1132
1133 /* Valid static long term (with NONCE */
1134
1135 /* Valid dynamic short term (without NONCE) */
1136
1137 /* Valid dynamic short term (with NONCE) */
1138
1139 /* Valid dynamic long term (with NONCE) */
1140
1141
1142done:
1143 pj_timer_heap_destroy(stun_cfg.timer_heap);
1144 pj_pool_release(pool);
1145 return rc;
1146}