Support for 3GPP/IMS digest AKA (AKAv1-MD5) SIP authentication

[bennylp]

Digest AKA is utilized by 3GPP/IMS, and is specified in RFC 3310: Hypertext Transfer Protocol (HTTP) Digest Authentication Using Authentication and Key Agreement (AKA).

[bennylp]

In r1488:

Initial support for AKA framework in r:

• added new library, libmilenage, under third_party directory for Milenage algorithms. This was taken directly from 3GPP spec.
• the SIP credential structure (pjsip_cred_info) has been improved to support specifying non-MD5 credential and specifying callback to compute the response digest, and added with new information specific to AKA authentication.
• added sip_auth_aka.[h|c] for the implementation of AKA response calculation.
• added base64 encoding and decoding in PJLIB-UTIL

This implementation adds support for AKA authentication without adding footprint overhead to the stack.

To support AKA authentication, application just need to specify a new type of credential that uses callback function to calculate the response. Below is the snippet on how this should be used:

 pjsip_cred_info cred;

 // Always bzero as a good practice
 pj_bzero(&cred, sizeof(cred));

 cred.realm = pj_str("*");
 cred.scheme = pj_str("digest");
 cred.username = pj_str("THE_USER");
 cred.data_type = PJSIP_CRED_DATA_PLAIN_PASSWD | PJSIP_CRED_DATA_EXT_AKA;  // <-- NEW !!!
 cred.data = .. the password ..;  // <-- For MD5 authentication

 // AKA specific info
 cred.ext.aka.k = ...;   // permanent key
 cred.ext.aka.op = ...;  // operator variant key
 cred.ext.aka.amf = ...; // authentication management field.
 cred.ext.aka.cb = &pjsip_auth_create_akav1;

The PJSIP_CRED_DATA_EXT_AKA flag indicates that digest computation will be performed by the callback function in ext.aka.cb rather than the built-in MD5.

A new pjsip_auth_create_akav1() function is provided in the library to compute AKAv1 digest. When the algorithm in the challenge is "AKAv1-MD5" (case-insensitive), this function will parse nonce in the challenge to get RAND and AUTN values and compute AKAv1-MD5 response digest according to the AKA keys specified in the credential.

The pjsip_auth_create_akav1() function also supports falling back to the normal MD5 authentication, if the challenge specifies "MD5" as the algorithm. In this case, it assumes that data field contains the password of the credential, either in plain-text if PJSIP_CRED_DATA_PLAIN_PASSWD flag is specified, or hashed password if PJSIP_CRED_DATA_DIGEST flag is specified.

Alternatively application may create and use response calculation function other than pjsip_auth_create_akav1(), for example to support AKAv2 authentication.

[bennylp]

r1489 added PJSIP_HAS_DIGEST_AKAv1_AUTH configuration to enable AKA support. Default is disabled for now.

[bennylp]

Fixed compilation warnings in r1490 and r1492.

[bennylp]

Updated Symbian DEF file in r1494

[bennylp]

In r1500:

• tested AKAv1 authentication (and it worked!)
• implemented AKAv2
• update pjsua to create AKA credential when AKA is enabled
• fixed miscellaneous authentication stuffs to support AKA, including supporting sending empty Authorization header to force proxy server to use MD5 challenge.

[bennylp]

Updated documentation. Please see: ​PJSIP Digest AKAv1 and AKAv2 Authentication API on how to enable and use AKA authentication.

[bennylp]

Updated VS2005 and eVC projects in r1505

[bennylp]

r1511: Updated libmilenage Visual Studio project to option to use /MD instead of /MT