HRESULT CTestReader::Test1() { HRESULT hr = S_OK; StunAttribute attrib; const char* pszExpectedSoftwareAttribute = "STUN test client"; const char* pszExpectedUserName = "******"; CRefCountedBuffer spBuffer; char szStringValue[100]; const unsigned char *req = c_requestbytes; size_t requestsize = sizeof(c_requestbytes)-1; // -1 to get rid of the trailing null CStunMessageReader reader; CStunMessageReader::ReaderParseState state; // reader is expecting at least enough bytes to fill the header ChkIfA(reader.AddBytes(NULL, 0) != CStunMessageReader::HeaderNotRead, E_FAIL); ChkIfA(reader.HowManyBytesNeeded() != STUN_HEADER_SIZE, E_FAIL); state = reader.AddBytes(req, requestsize); ChkIfA(state != CStunMessageReader::BodyValidated, E_FAIL); ChkIfA(reader.HowManyBytesNeeded() != 0, E_FAIL); ChkA(reader.GetBuffer(&spBuffer)); ChkIfA(reader.GetMessageClass() != StunMsgClassRequest, E_FAIL); ChkIfA(reader.GetMessageType() != StunMsgTypeBinding, E_FAIL); ChkA(reader.GetAttributeByType(STUN_ATTRIBUTE_SOFTWARE, &attrib)); ChkIfA(attrib.attributeType != STUN_ATTRIBUTE_SOFTWARE, E_FAIL); ChkIfA(0 != ::strncmp(pszExpectedSoftwareAttribute, (const char*)(spBuffer->GetData() + attrib.offset), attrib.size), E_FAIL); ChkA(reader.GetAttributeByType(STUN_ATTRIBUTE_USERNAME, &attrib)); ChkIfA(attrib.attributeType != STUN_ATTRIBUTE_USERNAME, E_FAIL); ChkIfA(0 != ::strncmp(pszExpectedUserName, (const char*)(spBuffer->GetData() + attrib.offset), attrib.size), E_FAIL); ChkA(reader.GetStringAttributeByType(STUN_ATTRIBUTE_SOFTWARE, szStringValue, ARRAYSIZE(szStringValue))); ChkIfA(0 != ::strcmp(pszExpectedSoftwareAttribute, szStringValue), E_FAIL); ChkIfA(reader.HasFingerprintAttribute() == false, E_FAIL); ChkIfA(reader.IsFingerprintAttributeValid() == false, E_FAIL); ChkIfA(reader.HasMessageIntegrityAttribute() == false, E_FAIL); ChkA(reader.ValidateMessageIntegrityShort(c_password)); Cleanup: return hr; }
// test long-credential authentication HRESULT CTestMessageHandler::Test4() { HRESULT hr=S_OK; CStunMessageBuilder builder1, builder2; CStunMessageReader readerResponse; CSocketAddress addrMapped; uint16_t errorcode = 0; char szNonce[MAX_STUN_AUTH_STRING_SIZE+1]; char szRealm[MAX_STUN_AUTH_STRING_SIZE+1]; // ----------------------------------------------------------------------- // simulate a user making a request with no message integrity attribute (or username, or realm) InitBindingRequest(builder1); builder1.FixLengthField(); ChkA(SendHelper(builder1, &readerResponse, _spAuthLong)); Chk(readerResponse.GetErrorCode(&errorcode)); ChkIfA(readerResponse.GetMessageClass() != ::StunMsgClassFailureResponse, E_UNEXPECTED); ChkIf(errorcode != ::STUN_ERROR_UNAUTHORIZED, E_UNEXPECTED); readerResponse.GetStringAttributeByType(STUN_ATTRIBUTE_REALM, szRealm, ARRAYSIZE(szRealm)); readerResponse.GetStringAttributeByType(STUN_ATTRIBUTE_NONCE, szNonce, ARRAYSIZE(szNonce)); // -------------------------------------------------------------------------------- // now simulate the follow-up request readerResponse.Reset(); InitBindingRequest(builder2); builder2.AddNonce(szNonce); builder2.AddRealm(szRealm); builder2.AddUserName("AuthorizedUser"); builder2.AddMessageIntegrityLongTerm("AuthorizedUser", szRealm, "password"); builder2.FixLengthField(); ChkA(SendHelper(builder2, &readerResponse, _spAuthLong)); ChkIfA(readerResponse.GetMessageClass() != ::StunMsgClassSuccessResponse, E_UNEXPECTED); // should have a mapped address ChkA(readerResponse.GetMappedAddress(&addrMapped)); // and the message integrity field should be valid ChkA(readerResponse.ValidateMessageIntegrityLong("AuthorizedUser", szRealm, "password")); Cleanup: return hr; }
HRESULT CStunThreadMessageHandler::ValidateAuth(CStunMessageReader& reader) { AuthAttributes authattributes; AuthResponse authresponse; HRESULT hr = S_OK; HRESULT hrRet = S_OK; if (_spAuth == NULL) { return S_OK; // nothing to do if there is no auth mechanism in place } memset(&authattributes, '\0', sizeof(authattributes)); memset(&authresponse, '\0', sizeof(authresponse)); reader.GetStringAttributeByType(STUN_ATTRIBUTE_USERNAME, authattributes.szUser, ARRAYSIZE(authattributes.szUser)); reader.GetStringAttributeByType(STUN_ATTRIBUTE_REALM, authattributes.szRealm, ARRAYSIZE(authattributes.szRealm)); reader.GetStringAttributeByType(STUN_ATTRIBUTE_NONCE, authattributes.szNonce, ARRAYSIZE(authattributes.szNonce)); reader.GetStringAttributeByType(::STUN_ATTRIBUTE_LEGACY_PASSWORD, authattributes.szLegacyPassword, ARRAYSIZE(authattributes.szLegacyPassword)); authattributes.fMessageIntegrityPresent = reader.HasMessageIntegrityAttribute(); Chk(_spAuth->DoAuthCheck(&authattributes, &authresponse)); // enforce that everything is null terminated authresponse.szNonce[ARRAYSIZE(authresponse.szNonce)-1] = 0; authresponse.szRealm[ARRAYSIZE(authresponse.szRealm)-1] = 0; authresponse.szPassword[ARRAYSIZE(authresponse.szPassword)-1] = 0; // now decide how to handle the auth if (authresponse.responseType == StaleNonce) { _error.errorcode = STUN_ERROR_STALENONCE; } else if (authresponse.responseType == Unauthorized) { _error.errorcode = STUN_ERROR_UNAUTHORIZED; } else if (authresponse.responseType == Reject) { _error.errorcode = STUN_ERROR_BADREQUEST; } else if (authresponse.responseType == Allow) { // nothing to do! } else if (authresponse.responseType == AllowConditional) { // validate the message in // if either ValidateAuth or ProcessBindingRequest set an errorcode.... if (authresponse.authCredMech == AuthCredLongTerm) { hrRet = reader.ValidateMessageIntegrityLong(authattributes.szUser, authattributes.szRealm, authresponse.szPassword); } else { hrRet = reader.ValidateMessageIntegrityShort(authresponse.szPassword); } if (SUCCEEDED(hrRet)) { _integrity.fSendWithIntegrity = true; _integrity.fUseLongTerm = (authresponse.authCredMech == AuthCredLongTerm); COMPILE_TIME_ASSERT(sizeof(_integrity.szPassword)==sizeof(authresponse.szPassword)); strcpy(_integrity.szPassword, authresponse.szPassword); strcpy(_integrity.szUser, authattributes.szUser); strcpy(_integrity.szRealm, authattributes.szRealm); } else { // bad password - so now turn this thing into a 401 _error.errorcode = STUN_ERROR_UNAUTHORIZED; } } if ((_error.errorcode == STUN_ERROR_UNAUTHORIZED) || (_error.errorcode == STUN_ERROR_STALENONCE)) { strcpy(_error.szRealm, authresponse.szRealm); strcpy(_error.szNonce, authresponse.szNonce); } Cleanup: return hr; }