Browse code

auth_ephemeral: fix sha256/384/512

- sha256/384/512 broken due to use of sha1 password length, change to check and use proper lengths for each
- sha384 mistakenly using sha256 method

Justin-lavelle authored on 04/12/2021 11:09:43 • Daniel-Constantin Mierla committed on 08/12/2021 08:30:07
Showing 1 changed files
... ...
@@ -69,11 +69,11 @@ static inline int get_pass(str *_username, str *_secret, str *_password)
69 69
 			break;
70 70
 		case AUTHEPH_SHA384:
71 71
 			hmac_len = SHA384_DIGEST_LENGTH;
72
-			if (HMAC(EVP_sha256(), _secret->s, _secret->len,
72
+			if (HMAC(EVP_sha384(), _secret->s, _secret->len,
73 73
 					(unsigned char *) _username->s,
74 74
 					_username->len, hmac_sha1, &hmac_len) == NULL)
75 75
 			{
76
-				LM_ERR("HMAC-SHA256 failed\n");
76
+				LM_ERR("HMAC-SHA384 failed\n");
77 77
 				return -1;
78 78
 			}
79 79
 			break;
... ...
@@ -88,7 +88,7 @@ static inline int get_pass(str *_username, str *_secret, str *_password)
88 88
 			}
89 89
 			break;
90 90
 		default:
91
-			LM_ERR("Inavlid SHA Algorithm\n");
91
+			LM_ERR("Invalid SHA Algorithm\n");
92 92
 			return -1;
93 93
 
94 94
 	}
... ...
@@ -479,7 +479,26 @@ int autheph_proxy(struct sip_msg *_m, char *_realm, char *_p2)
479 479
 
480 480
 int ki_autheph_authenticate(sip_msg_t *_m, str *susername, str *spassword)
481 481
 {
482
-	char generated_password[base64_enc_len(SHA_DIGEST_LENGTH)];
482
+	unsigned int hmac_len = SHA_DIGEST_LENGTH;
483
+	switch(autheph_sha_alg) {
484
+		case AUTHEPH_SHA1:
485
+			hmac_len = SHA_DIGEST_LENGTH;
486
+			break;
487
+		case AUTHEPH_SHA256:
488
+			hmac_len = SHA256_DIGEST_LENGTH;
489
+			break;
490
+		case AUTHEPH_SHA384:
491
+			hmac_len = SHA384_DIGEST_LENGTH;
492
+			break;
493
+		case AUTHEPH_SHA512:
494
+			hmac_len = SHA512_DIGEST_LENGTH;
495
+			break;
496
+		default:
497
+			LM_ERR("Invalid SHA Algorithm\n");
498
+			return AUTH_ERROR;
499
+	}
500
+
501
+	char generated_password[base64_enc_len(hmac_len)];
483 502
 	str sgenerated_password;
484 503
 	struct secret *secret_struct;
485 504
 
... ...
@@ -515,14 +534,17 @@ int ki_autheph_authenticate(sip_msg_t *_m, str *susername, str *spassword)
515 534
 	secret_struct = secret_list;
516 535
 	while (secret_struct != NULL)
517 536
 	{
518
-		LM_DBG("trying secret: %.*s\n",
537
+		LM_DBG("trying secret: %.*s (%i)\n",
519 538
 			secret_struct->secret_key.len,
520
-			secret_struct->secret_key.s);
539
+			secret_struct->secret_key.s,
540
+			secret_struct->secret_key.len);
521 541
 		if (get_pass(susername, &secret_struct->secret_key,
522 542
 				&sgenerated_password) == 0)
523 543
 		{
524
-			LM_DBG("generated password: %.*s\n",
525
-				sgenerated_password.len, sgenerated_password.s);
544
+			LM_DBG("generated password: %.*s (%i)\n", 
545
+				sgenerated_password.len,
546
+				sgenerated_password.s,
547
+				sgenerated_password.len);
526 548
 			if (spassword->len == sgenerated_password.len
527 549
 					&& strncmp(spassword->s, sgenerated_password.s,
528 550
 						spassword->len) == 0)
Browse code

auth_ephemeral: test the lenghts for compared passwords

Daniel-Constantin Mierla authored on 03/05/2019 09:53:15
Showing 1 changed files
... ...
@@ -523,8 +523,9 @@ int ki_autheph_authenticate(sip_msg_t *_m, str *susername, str *spassword)
523 523
 		{
524 524
 			LM_DBG("generated password: %.*s\n",
525 525
 				sgenerated_password.len, sgenerated_password.s);
526
-			if (strncmp(spassword->s, sgenerated_password.s,
527
-					spassword->len) == 0)
526
+			if (spassword->len == sgenerated_password.len
527
+					&& strncmp(spassword->s, sgenerated_password.s,
528
+						spassword->len) == 0)
528 529
 			{
529 530
 				SECRET_UNLOCK;
530 531
 				return AUTH_OK;
Browse code

auth,auth_ephemeral: return code for expired username

- added AUTH_USERNAME_EXPIRED auth api return code and used it in auth
ephemeral authentication, when username is expired

Juha Heinanen authored on 27/03/2019 09:10:16 • Daniel-Constantin Mierla committed on 29/03/2019 09:10:29
Showing 1 changed files
... ...
@@ -203,7 +203,7 @@ int autheph_verify_timestamp(str *_username)
203 203
 	if (cur_time > expires)
204 204
 	{
205 205
 		LM_WARN("username has expired\n");
206
-		return -1;
206
+		return AUTH_USERNAME_EXPIRED;
207 207
 	}
208 208
 
209 209
 	return 0;
... ...
@@ -255,10 +255,16 @@ static inline int digest_authenticate(struct sip_msg *_m, str *_realm,
255 255
 	username = ((auth_body_t *) h->parsed)->digest.username.whole;
256 256
 	LM_DBG("username: %.*s\n", username.len, username.s);
257 257
 
258
-	if (autheph_verify_timestamp(&username) < 0)
258
+	int res = autheph_verify_timestamp(&username);
259
+	if (res < 0)
259 260
 	{
260
-		LM_ERR("invalid timestamp in username\n");
261
-		return AUTH_ERROR;
261
+		if (res == -1)
262
+		{
263
+			LM_ERR("invalid timestamp in username\n");
264
+			return AUTH_ERROR;
265
+		} else {
266
+			return AUTH_USERNAME_EXPIRED;
267
+		}
262 268
 	}
263 269
 
264 270
 	SECRET_LOCK;
... ...
@@ -489,10 +495,16 @@ int ki_autheph_authenticate(sip_msg_t *_m, str *susername, str *spassword)
489 495
 		return AUTH_ERROR;
490 496
 	}
491 497
 
492
-	if (autheph_verify_timestamp(susername) < 0)
498
+	int res = autheph_verify_timestamp(susername);
499
+	if (res < 0)
493 500
 	{
494
-		LM_ERR("invalid timestamp in username\n");
495
-		return AUTH_ERROR;
501
+		if (res == -1)
502
+		{
503
+			LM_ERR("invalid timestamp in username\n");
504
+			return AUTH_ERROR;
505
+		} else {
506
+			return AUTH_USERNAME_EXPIRED;
507
+		}
496 508
 	}
497 509
 
498 510
 	LM_DBG("username: %.*s\n", susername->len, susername->s);
Browse code

auth_ephemeral: init the return code

Daniel-Constantin Mierla authored on 08/12/2017 15:43:17
Showing 1 changed files
... ...
@@ -213,7 +213,7 @@ static inline int digest_authenticate(struct sip_msg *_m, str *_realm,
213 213
 				hdr_types_t _hftype, str *_method)
214 214
 {
215 215
 	struct hdr_field* h;
216
-	auth_cfg_result_t ret;
216
+	auth_cfg_result_t ret = AUTH_ERROR;
217 217
 	auth_result_t rauth;
218 218
 	struct secret *secret_struct;
219 219
 	str username;
... ...
@@ -548,4 +548,4 @@ int autheph_authenticate(struct sip_msg *_m, char *_username, char *_password)
548 548
 	}
549 549
 
550 550
 	return ki_autheph_authenticate(_m, &susername, &spassword);
551
-}
552 551
\ No newline at end of file
552
+}
Browse code

auth_ephemeral: variants of auth functions exported to kemi

Daniel-Constantin Mierla authored on 07/12/2017 07:34:55
Showing 1 changed files
... ...
@@ -278,9 +278,8 @@ static inline int digest_authenticate(struct sip_msg *_m, str *_realm,
278 278
 	return ret;
279 279
 }
280 280
 
281
-int autheph_check(struct sip_msg *_m, char *_realm)
281
+int ki_autheph_check(sip_msg_t *_m, str *srealm)
282 282
 {
283
-	str srealm;
284 283
 
285 284
 	if (eph_auth_api.pre_auth == NULL)
286 285
 	{
... ...
@@ -289,24 +288,12 @@ int autheph_check(struct sip_msg *_m, char *_realm)
289 288
 		return AUTH_ERROR;
290 289
 	}
291 290
 
292
-	if(_m == NULL || _realm == NULL)
293
-	{
294
-		LM_ERR("invalid parameters\n");
295
-		return AUTH_ERROR;
296
-	}
297
-
298 291
 	if (_m->REQ_METHOD == METHOD_ACK || _m->REQ_METHOD == METHOD_CANCEL)
299 292
 	{
300 293
 		return AUTH_OK;
301 294
 	}
302 295
 
303
-	if (get_str_fparam(&srealm, _m, (fparam_t*)_realm) < 0)
304
-	{
305
-		LM_ERR("failed to get realm value\n");
306
-		return AUTH_ERROR;
307
-	}
308
-
309
-	if (srealm.len == 0)
296
+	if (srealm->len == 0)
310 297
 	{
311 298
 		LM_ERR("invalid realm parameter - empty value\n");
312 299
 		return AUTH_ERROR;
... ...
@@ -314,65 +301,62 @@ int autheph_check(struct sip_msg *_m, char *_realm)
314 301
 
315 302
 	if (_m->REQ_METHOD == METHOD_REGISTER)
316 303
 	{
317
-		return digest_authenticate(_m, &srealm, HDR_AUTHORIZATION_T,
304
+		return digest_authenticate(_m, srealm, HDR_AUTHORIZATION_T,
318 305
 					&_m->first_line.u.request.method);
319 306
 	}
320 307
 	else
321 308
 	{
322
-		return digest_authenticate(_m, &srealm, HDR_PROXYAUTH_T,
309
+		return digest_authenticate(_m, srealm, HDR_PROXYAUTH_T,
323 310
 					&_m->first_line.u.request.method);
324 311
 	}
325 312
 }
326 313
 
327
-int autheph_www(struct sip_msg *_m, char *_realm)
314
+int autheph_check(struct sip_msg *_m, char *_realm, char *_p2)
328 315
 {
329 316
 	str srealm;
330 317
 
331
-	if (eph_auth_api.pre_auth == NULL)
318
+	if(_m == NULL || _realm == NULL)
332 319
 	{
333
-		LM_ERR("autheph_www() cannot be used without the auth "
334
-			"module\n");
320
+		LM_ERR("invalid parameters\n");
335 321
 		return AUTH_ERROR;
336 322
 	}
337 323
 
338
-	if(_m == NULL || _realm == NULL)
324
+	if (get_str_fparam(&srealm, _m, (fparam_t*)_realm) < 0)
339 325
 	{
340
-		LM_ERR("invalid parameters\n");
326
+		LM_ERR("failed to get realm value\n");
341 327
 		return AUTH_ERROR;
342 328
 	}
343 329
 
344
-	if (_m->REQ_METHOD == METHOD_ACK || _m->REQ_METHOD == METHOD_CANCEL)
330
+	return ki_autheph_check(_m, &srealm);
331
+}
332
+
333
+int ki_autheph_www(sip_msg_t *_m, str *srealm)
334
+{
335
+	if (eph_auth_api.pre_auth == NULL)
345 336
 	{
346
-		return AUTH_OK;
337
+		LM_ERR("autheph_www() cannot be used without the auth "
338
+			"module\n");
339
+		return AUTH_ERROR;
347 340
 	}
348 341
 
349
-	if (get_str_fparam(&srealm, _m, (fparam_t*)_realm) < 0)
342
+	if (_m->REQ_METHOD == METHOD_ACK || _m->REQ_METHOD == METHOD_CANCEL)
350 343
 	{
351
-		LM_ERR("failed to get realm value\n");
352
-		return AUTH_ERROR;
344
+		return AUTH_OK;
353 345
 	}
354 346
 
355
-	if (srealm.len == 0)
347
+	if (srealm->len == 0)
356 348
 	{
357 349
 		LM_ERR("invalid realm parameter - empty value\n");
358 350
 		return AUTH_ERROR;
359 351
 	}
360 352
 
361
-	return digest_authenticate(_m, &srealm, HDR_AUTHORIZATION_T,
353
+	return digest_authenticate(_m, srealm, HDR_AUTHORIZATION_T,
362 354
 					&_m->first_line.u.request.method);
363 355
 }
364 356
 
365
-int autheph_www2(struct sip_msg *_m, char *_realm, char *_method)
357
+int autheph_www(struct sip_msg *_m, char *_realm, char *_p2)
366 358
 {
367 359
 	str srealm;
368
-	str smethod;
369
-
370
-	if (eph_auth_api.pre_auth == NULL)
371
-	{
372
-		LM_ERR("autheph_www() cannot be used without the auth "
373
-			"module\n");
374
-		return AUTH_ERROR;
375
-	}
376 360
 
377 361
 	if(_m == NULL || _realm == NULL)
378 362
 	{
... ...
@@ -380,121 +364,139 @@ int autheph_www2(struct sip_msg *_m, char *_realm, char *_method)
380 364
 		return AUTH_ERROR;
381 365
 	}
382 366
 
383
-	if (_m->REQ_METHOD == METHOD_ACK || _m->REQ_METHOD == METHOD_CANCEL)
384
-	{
385
-		return AUTH_OK;
386
-	}
387
-
388 367
 	if (get_str_fparam(&srealm, _m, (fparam_t*)_realm) < 0)
389 368
 	{
390 369
 		LM_ERR("failed to get realm value\n");
391 370
 		return AUTH_ERROR;
392 371
 	}
393 372
 
394
-	if (srealm.len == 0)
373
+	return ki_autheph_www(_m, &srealm);
374
+}
375
+
376
+int ki_autheph_www_method(sip_msg_t *_m, str *srealm, str *smethod)
377
+{
378
+	if (eph_auth_api.pre_auth == NULL)
395 379
 	{
396
-		LM_ERR("invalid realm parameter - empty value\n");
380
+		LM_ERR("autheph_www() cannot be used without the auth "
381
+			"module\n");
397 382
 		return AUTH_ERROR;
398 383
 	}
399 384
 
400
-	if (get_str_fparam(&smethod, _m, (fparam_t*)_method) < 0)
385
+	if (_m->REQ_METHOD == METHOD_ACK || _m->REQ_METHOD == METHOD_CANCEL)
401 386
 	{
402
-		LM_ERR("failed to get method value\n");
387
+		return AUTH_OK;
388
+	}
389
+
390
+	if (srealm->len == 0)
391
+	{
392
+		LM_ERR("invalid realm parameter - empty value\n");
403 393
 		return AUTH_ERROR;
404 394
 	}
405 395
 
406
-	if (smethod.len == 0)
396
+	if (smethod->len == 0)
407 397
 	{
408 398
 		LM_ERR("invalid method value - empty value\n");
409 399
 		return AUTH_ERROR;
410 400
 	}
411 401
 
412
-	return digest_authenticate(_m, &srealm, HDR_AUTHORIZATION_T, &smethod);
402
+	return digest_authenticate(_m, srealm, HDR_AUTHORIZATION_T, smethod);
413 403
 }
414 404
 
415
-int autheph_proxy(struct sip_msg *_m, char *_realm)
405
+int autheph_www2(struct sip_msg *_m, char *_realm, char *_method)
416 406
 {
417 407
 	str srealm;
408
+	str smethod;
418 409
 
419
-	if (eph_auth_api.pre_auth == NULL)
410
+	if(_m == NULL || _realm == NULL || _method == NULL)
420 411
 	{
421
-		LM_ERR("autheph_proxy() cannot be used without the auth "
422
-			"module\n");
412
+		LM_ERR("invalid parameters\n");
423 413
 		return AUTH_ERROR;
424 414
 	}
425 415
 
426
-	if(_m == NULL || _realm == NULL)
416
+	if (get_str_fparam(&srealm, _m, (fparam_t*)_realm) < 0)
427 417
 	{
428
-		LM_ERR("invalid parameters\n");
418
+		LM_ERR("failed to get realm value\n");
429 419
 		return AUTH_ERROR;
430 420
 	}
431 421
 
432
-	if (_m->REQ_METHOD == METHOD_ACK || _m->REQ_METHOD == METHOD_CANCEL)
422
+	if (get_str_fparam(&smethod, _m, (fparam_t*)_method) < 0)
433 423
 	{
434
-		return AUTH_OK;
424
+		LM_ERR("failed to get method value\n");
425
+		return AUTH_ERROR;
435 426
 	}
436 427
 
437
-	if (get_str_fparam(&srealm, _m, (fparam_t*)_realm) < 0)
428
+	return ki_autheph_www_method(_m, &srealm, &smethod);
429
+}
430
+
431
+int ki_autheph_proxy(sip_msg_t *_m, str *srealm)
432
+{
433
+	if (eph_auth_api.pre_auth == NULL)
438 434
 	{
439
-		LM_ERR("failed to get realm value\n");
435
+		LM_ERR("autheph_proxy() cannot be used without the auth "
436
+			"module\n");
440 437
 		return AUTH_ERROR;
441 438
 	}
442 439
 
443
-	if (srealm.len == 0)
440
+	if (_m->REQ_METHOD == METHOD_ACK || _m->REQ_METHOD == METHOD_CANCEL)
441
+	{
442
+		return AUTH_OK;
443
+	}
444
+
445
+	if (srealm->len == 0)
444 446
 	{
445 447
 		LM_ERR("invalid realm parameter - empty value\n");
446 448
 		return AUTH_ERROR;
447 449
 	}
448 450
 
449
-	return digest_authenticate(_m, &srealm, HDR_PROXYAUTH_T,
451
+	return digest_authenticate(_m, srealm, HDR_PROXYAUTH_T,
450 452
 					&_m->first_line.u.request.method);
451 453
 }
452 454
 
453
-int autheph_authenticate(struct sip_msg *_m, char *_username, char *_password)
455
+int autheph_proxy(struct sip_msg *_m, char *_realm, char *_p2)
454 456
 {
455
-	str susername, spassword;
456
-	char generated_password[base64_enc_len(SHA_DIGEST_LENGTH)];
457
-	str sgenerated_password;
458
-	struct secret *secret_struct;
457
+	str srealm;
459 458
 
460
-	if (_m == NULL || _username == NULL || _password == NULL)
459
+	if(_m == NULL || _realm == NULL)
461 460
 	{
462 461
 		LM_ERR("invalid parameters\n");
463 462
 		return AUTH_ERROR;
464 463
 	}
465 464
 
466
-	if (get_str_fparam(&susername, _m, (fparam_t*)_username) < 0)
465
+	if (get_str_fparam(&srealm, _m, (fparam_t*)_realm) < 0)
467 466
 	{
468
-		LM_ERR("failed to get username value\n");
467
+		LM_ERR("failed to get realm value\n");
469 468
 		return AUTH_ERROR;
470 469
 	}
471 470
 
472
-	if (susername.len == 0)
473
-	{
474
-		LM_ERR("invalid username parameter - empty value\n");
475
-		return AUTH_ERROR;
476
-	}
471
+	return ki_autheph_proxy(_m, &srealm);
472
+}
477 473
 
478
-	if (get_str_fparam(&spassword, _m, (fparam_t*)_password) < 0)
474
+int ki_autheph_authenticate(sip_msg_t *_m, str *susername, str *spassword)
475
+{
476
+	char generated_password[base64_enc_len(SHA_DIGEST_LENGTH)];
477
+	str sgenerated_password;
478
+	struct secret *secret_struct;
479
+
480
+	if (susername->len == 0)
479 481
 	{
480
-		LM_ERR("failed to get password value\n");
482
+		LM_ERR("invalid username parameter - empty value\n");
481 483
 		return AUTH_ERROR;
482 484
 	}
483 485
 
484
-	if (spassword.len == 0)
486
+	if (spassword->len == 0)
485 487
 	{
486 488
 		LM_ERR("invalid password parameter - empty value\n");
487 489
 		return AUTH_ERROR;
488 490
 	}
489 491
 
490
-	if (autheph_verify_timestamp(&susername) < 0)
492
+	if (autheph_verify_timestamp(susername) < 0)
491 493
 	{
492 494
 		LM_ERR("invalid timestamp in username\n");
493 495
 		return AUTH_ERROR;
494 496
 	}
495 497
 
496
-	LM_DBG("username: %.*s\n", susername.len, susername.s);
497
-	LM_DBG("password: %.*s\n", spassword.len, spassword.s);
498
+	LM_DBG("username: %.*s\n", susername->len, susername->s);
499
+	LM_DBG("password: %.*s\n", spassword->len, spassword->s);
498 500
 
499 501
 	sgenerated_password.s = generated_password;
500 502
 	SECRET_LOCK;
... ...
@@ -504,13 +506,13 @@ int autheph_authenticate(struct sip_msg *_m, char *_username, char *_password)
504 506
 		LM_DBG("trying secret: %.*s\n",
505 507
 			secret_struct->secret_key.len,
506 508
 			secret_struct->secret_key.s);
507
-		if (get_pass(&susername, &secret_struct->secret_key,
509
+		if (get_pass(susername, &secret_struct->secret_key,
508 510
 				&sgenerated_password) == 0)
509 511
 		{
510 512
 			LM_DBG("generated password: %.*s\n",
511 513
 				sgenerated_password.len, sgenerated_password.s);
512
-			if (strncmp(spassword.s, sgenerated_password.s,
513
-					spassword.len) == 0)
514
+			if (strncmp(spassword->s, sgenerated_password.s,
515
+					spassword->len) == 0)
514 516
 			{
515 517
 				SECRET_UNLOCK;
516 518
 				return AUTH_OK;
... ...
@@ -522,3 +524,28 @@ int autheph_authenticate(struct sip_msg *_m, char *_username, char *_password)
522 524
 
523 525
 	return AUTH_ERROR;
524 526
 }
527
+
528
+int autheph_authenticate(struct sip_msg *_m, char *_username, char *_password)
529
+{
530
+	str susername, spassword;
531
+
532
+	if (_m == NULL || _username == NULL || _password == NULL)
533
+	{
534
+		LM_ERR("invalid parameters\n");
535
+		return AUTH_ERROR;
536
+	}
537
+
538
+	if (get_str_fparam(&susername, _m, (fparam_t*)_username) < 0)
539
+	{
540
+		LM_ERR("failed to get username value\n");
541
+		return AUTH_ERROR;
542
+	}
543
+
544
+	if (get_str_fparam(&spassword, _m, (fparam_t*)_password) < 0)
545
+	{
546
+		LM_ERR("failed to get password value\n");
547
+		return AUTH_ERROR;
548
+	}
549
+
550
+	return ki_autheph_authenticate(_m, &susername, &spassword);
551
+}
525 552
\ No newline at end of file
Browse code

auth_ephemeral: use dedicated enum type for auth return codes

- reorder safety checks not to access msg structure if null

Daniel-Constantin Mierla authored on 18/07/2017 21:24:07
Showing 1 changed files
... ...
@@ -129,7 +129,7 @@ static inline int get_ha1(struct username *_username, str *_domain,
129 129
 static inline int do_auth(struct sip_msg *_m, struct hdr_field *_h, str *_realm,
130 130
 			str *_method, str *_secret)
131 131
 {
132
-	int ret;
132
+	auth_result_t ret;
133 133
 	char ha1[512];
134 134
 	auth_body_t *cred = (auth_body_t*) _h->parsed;
135 135
 
... ...
@@ -146,21 +146,15 @@ static inline int do_auth(struct sip_msg *_m, struct hdr_field *_h, str *_realm,
146 146
 	ret = eph_auth_api.check_response(&cred->digest, _method, ha1);
147 147
 	if (ret == AUTHENTICATED)
148 148
 	{
149
-		if (eph_auth_api.post_auth(_m, _h, ha1) != AUTHENTICATED)
150
-		{
149
+		if (eph_auth_api.post_auth(_m, _h, ha1) != AUTHENTICATED) {
151 150
 			return AUTH_ERROR;
152 151
 		}
153
-	}
154
-	else if (ret == NOT_AUTHENTICATED)
155
-	{
152
+		return AUTH_OK;
153
+	} else if (ret == NOT_AUTHENTICATED) {
156 154
 		return AUTH_INVALID_PASSWORD;
155
+	} else {
156
+		return AUTH_ERROR;
157 157
 	}
158
-	else
159
-	{
160
-		ret = AUTH_ERROR;
161
-	}
162
-
163
-	return AUTH_OK;
164 158
 }
165 159
 
166 160
 int autheph_verify_timestamp(str *_username)
... ...
@@ -219,15 +213,16 @@ static inline int digest_authenticate(struct sip_msg *_m, str *_realm,
219 213
 				hdr_types_t _hftype, str *_method)
220 214
 {
221 215
 	struct hdr_field* h;
222
-	int ret;
216
+	auth_cfg_result_t ret;
217
+	auth_result_t rauth;
223 218
 	struct secret *secret_struct;
224 219
 	str username;
225 220
 
226 221
 	LM_DBG("realm: %.*s\n", _realm->len, _realm->s);
227 222
 	LM_DBG("method: %.*s\n", _method->len, _method->s);
228 223
 
229
-	ret = eph_auth_api.pre_auth(_m, _realm, _hftype, &h, NULL);
230
-	switch(ret)
224
+	rauth = eph_auth_api.pre_auth(_m, _realm, _hftype, &h, NULL);
225
+	switch(rauth)
231 226
 	{
232 227
 	case NONCE_REUSED:
233 228
 		LM_DBG("nonce reused\n");
... ...
@@ -294,17 +289,17 @@ int autheph_check(struct sip_msg *_m, char *_realm)
294 289
 		return AUTH_ERROR;
295 290
 	}
296 291
 
297
-	if (_m->REQ_METHOD == METHOD_ACK || _m->REQ_METHOD == METHOD_CANCEL)
298
-	{
299
-		return AUTH_OK;
300
-	}
301
-
302 292
 	if(_m == NULL || _realm == NULL)
303 293
 	{
304 294
 		LM_ERR("invalid parameters\n");
305 295
 		return AUTH_ERROR;
306 296
 	}
307 297
 
298
+	if (_m->REQ_METHOD == METHOD_ACK || _m->REQ_METHOD == METHOD_CANCEL)
299
+	{
300
+		return AUTH_OK;
301
+	}
302
+
308 303
 	if (get_str_fparam(&srealm, _m, (fparam_t*)_realm) < 0)
309 304
 	{
310 305
 		LM_ERR("failed to get realm value\n");
... ...
@@ -340,17 +335,17 @@ int autheph_www(struct sip_msg *_m, char *_realm)
340 335
 		return AUTH_ERROR;
341 336
 	}
342 337
 
343
-	if (_m->REQ_METHOD == METHOD_ACK || _m->REQ_METHOD == METHOD_CANCEL)
344
-	{
345
-		return AUTH_OK;
346
-	}
347
-
348 338
 	if(_m == NULL || _realm == NULL)
349 339
 	{
350 340
 		LM_ERR("invalid parameters\n");
351 341
 		return AUTH_ERROR;
352 342
 	}
353 343
 
344
+	if (_m->REQ_METHOD == METHOD_ACK || _m->REQ_METHOD == METHOD_CANCEL)
345
+	{
346
+		return AUTH_OK;
347
+	}
348
+
354 349
 	if (get_str_fparam(&srealm, _m, (fparam_t*)_realm) < 0)
355 350
 	{
356 351
 		LM_ERR("failed to get realm value\n");
... ...
@@ -428,17 +423,17 @@ int autheph_proxy(struct sip_msg *_m, char *_realm)
428 423
 		return AUTH_ERROR;
429 424
 	}
430 425
 
431
-	if (_m->REQ_METHOD == METHOD_ACK || _m->REQ_METHOD == METHOD_CANCEL)
432
-	{
433
-		return AUTH_OK;
434
-	}
435
-
436 426
 	if(_m == NULL || _realm == NULL)
437 427
 	{
438 428
 		LM_ERR("invalid parameters\n");
439 429
 		return AUTH_ERROR;
440 430
 	}
441 431
 
432
+	if (_m->REQ_METHOD == METHOD_ACK || _m->REQ_METHOD == METHOD_CANCEL)
433
+	{
434
+		return AUTH_OK;
435
+	}
436
+
442 437
 	if (get_str_fparam(&srealm, _m, (fparam_t*)_realm) < 0)
443 438
 	{
444 439
 		LM_ERR("failed to get realm value\n");
Browse code

auth_ephemeral: Some more safety checks, added SHA384 as an option

Carsten Bock authored on 03/05/2017 12:15:56
Showing 1 changed files
... ...
@@ -44,10 +44,11 @@
44 44
 static inline int get_pass(str *_username, str *_secret, str *_password)
45 45
 {
46 46
 	unsigned int hmac_len = SHA_DIGEST_LENGTH;
47
-	unsigned char hmac_sha1[hmac_len];
47
+	unsigned char hmac_sha1[512];
48 48
 
49 49
 	switch(autheph_sha_alg) {
50 50
 		case AUTHEPH_SHA1:
51
+			hmac_len = SHA_DIGEST_LENGTH;
51 52
 			if (HMAC(EVP_sha1(), _secret->s, _secret->len,
52 53
 					(unsigned char *) _username->s,
53 54
 					_username->len, hmac_sha1, &hmac_len) == NULL)
... ...
@@ -57,6 +58,17 @@ static inline int get_pass(str *_username, str *_secret, str *_password)
57 58
 			}
58 59
 			break;
59 60
 		case AUTHEPH_SHA256:
61
+			hmac_len = SHA256_DIGEST_LENGTH;
62
+			if (HMAC(EVP_sha256(), _secret->s, _secret->len,
63
+					(unsigned char *) _username->s,
64
+					_username->len, hmac_sha1, &hmac_len) == NULL)
65
+			{
66
+				LM_ERR("HMAC-SHA256 failed\n");
67
+				return -1;
68
+			}
69
+			break;
70
+		case AUTHEPH_SHA384:
71
+			hmac_len = SHA384_DIGEST_LENGTH;
60 72
 			if (HMAC(EVP_sha256(), _secret->s, _secret->len,
61 73
 					(unsigned char *) _username->s,
62 74
 					_username->len, hmac_sha1, &hmac_len) == NULL)
... ...
@@ -66,6 +78,7 @@ static inline int get_pass(str *_username, str *_secret, str *_password)
66 78
 			}
67 79
 			break;
68 80
 		case AUTHEPH_SHA512:
81
+			hmac_len = SHA512_DIGEST_LENGTH;
69 82
 			if (HMAC(EVP_sha512(), _secret->s, _secret->len,
70 83
 					(unsigned char *) _username->s,
71 84
 					_username->len, hmac_sha1, &hmac_len) == NULL)
... ...
@@ -80,10 +93,13 @@ static inline int get_pass(str *_username, str *_secret, str *_password)
80 93
 
81 94
 	}
82 95
 
96
+	LM_DBG("HMAC-Len (%i)\n", hmac_len);
97
+
98
+
83 99
 	_password->len = base64_enc(hmac_sha1, hmac_len,
84 100
 					(unsigned char *) _password->s,
85 101
 					base64_enc_len(hmac_len));
86
-	LM_DBG("calculated password: %.*s\n", _password->len, _password->s);
102
+	LM_DBG("calculated password: %.*s (%i)\n", _password->len, _password->s, _password->len);
87 103
 
88 104
 	return 0;
89 105
 }
... ...
@@ -91,7 +107,7 @@ static inline int get_pass(str *_username, str *_secret, str *_password)
91 107
 static inline int get_ha1(struct username *_username, str *_domain,
92 108
 				str *_secret, char *_ha1)
93 109
 {
94
-	char password[base64_enc_len(SHA_DIGEST_LENGTH)];
110
+	char password[base64_enc_len(SHA512_DIGEST_LENGTH)];
95 111
 	str spassword;
96 112
 
97 113
 	spassword.s = (char *) password;
... ...
@@ -114,10 +130,10 @@ static inline int do_auth(struct sip_msg *_m, struct hdr_field *_h, str *_realm,
114 130
 			str *_method, str *_secret)
115 131
 {
116 132
 	int ret;
117
-	char ha1[256];
133
+	char ha1[512];
118 134
 	auth_body_t *cred = (auth_body_t*) _h->parsed;
119 135
 
120
-	LM_DBG("secret: %.*s\n", _secret->len, _secret->s);
136
+	LM_DBG("secret: %.*s (%i)\n", _secret->len, _secret->s, _secret->len);
121 137
 
122 138
 	if (get_ha1(&cred->digest.username, _realm, _secret, ha1) < 0)
123 139
 	{
... ...
@@ -125,6 +141,8 @@ static inline int do_auth(struct sip_msg *_m, struct hdr_field *_h, str *_realm,
125 141
 		return AUTH_ERROR;
126 142
 	}
127 143
 
144
+	LM_DBG("HA1: %i\n", (int)strlen(ha1));
145
+	
128 146
 	ret = eph_auth_api.check_response(&cred->digest, _method, ha1);
129 147
 	if (ret == AUTHENTICATED)
130 148
 	{
Browse code

auth_ephemeral: Support for stronger hashing algorithms

Carsten Bock authored on 01/02/2017 08:53:45
Showing 1 changed files
... ...
@@ -2,6 +2,7 @@
2 2
  * $Id$
3 3
  *
4 4
  * Copyright (C) 2013 Crocodile RCS Ltd
5
+ * Copyright (C) 2017 ng-voice GmbH
5 6
  *
6 7
  * This file is part of Kamailio, a free SIP server.
7 8
  *
... ...
@@ -45,12 +46,38 @@ static inline int get_pass(str *_username, str *_secret, str *_password)
45 46
 	unsigned int hmac_len = SHA_DIGEST_LENGTH;
46 47
 	unsigned char hmac_sha1[hmac_len];
47 48
 
48
-	if (HMAC(EVP_sha1(), _secret->s, _secret->len,
49
-			(unsigned char *) _username->s,
50
-			_username->len, hmac_sha1, &hmac_len) == NULL)
51
-	{
52
-		LM_ERR("HMAC-SHA1 failed\n");
53
-		return -1;
49
+	switch(autheph_sha_alg) {
50
+		case AUTHEPH_SHA1:
51
+			if (HMAC(EVP_sha1(), _secret->s, _secret->len,
52
+					(unsigned char *) _username->s,
53
+					_username->len, hmac_sha1, &hmac_len) == NULL)
54
+			{
55
+				LM_ERR("HMAC-SHA1 failed\n");
56
+				return -1;
57
+			}
58
+			break;
59
+		case AUTHEPH_SHA256:
60
+			if (HMAC(EVP_sha256(), _secret->s, _secret->len,
61
+					(unsigned char *) _username->s,
62
+					_username->len, hmac_sha1, &hmac_len) == NULL)
63
+			{
64
+				LM_ERR("HMAC-SHA256 failed\n");
65
+				return -1;
66
+			}
67
+			break;
68
+		case AUTHEPH_SHA512:
69
+			if (HMAC(EVP_sha512(), _secret->s, _secret->len,
70
+					(unsigned char *) _username->s,
71
+					_username->len, hmac_sha1, &hmac_len) == NULL)
72
+			{
73
+				LM_ERR("HMAC-SHA512 failed\n");
74
+				return -1;
75
+			}
76
+			break;
77
+		default:
78
+			LM_ERR("Inavlid SHA Algorithm\n");
79
+			return -1;
80
+
54 81
 	}
55 82
 
56 83
 	_password->len = base64_enc(hmac_sha1, hmac_len,
Browse code

auth_ephemeral: Rename module interface file #82

Victor Seva authored on 05/01/2017 11:53:22
Showing 1 changed files
... ...
@@ -37,7 +37,7 @@
37 37
 #include "../../core/parser/hf.h"
38 38
 #include "../../core/mod_fix.h"
39 39
 
40
-#include "autheph_mod.h"
40
+#include "auth_ephemeral_mod.h"
41 41
 #include "authorize.h"
42 42
 
43 43
 static inline int get_pass(str *_username, str *_secret, str *_password)
Browse code

core, lib, modules: updated include paths for header files

Daniel-Constantin Mierla authored on 07/12/2016 11:07:22
Showing 1 changed files
... ...
@@ -28,14 +28,14 @@
28 28
 #include <openssl/hmac.h>
29 29
 #include <openssl/sha.h>
30 30
 
31
-#include "../../basex.h"
32
-#include "../../dprint.h"
33
-#include "../../mod_fix.h"
34
-#include "../../str.h"
35
-#include "../../ut.h"
36
-#include "../../parser/digest/digest.h"
37
-#include "../../parser/hf.h"
38
-#include "../../mod_fix.h"
31
+#include "../../core/basex.h"
32
+#include "../../core/dprint.h"
33
+#include "../../core/mod_fix.h"
34
+#include "../../core/str.h"
35
+#include "../../core/ut.h"
36
+#include "../../core/parser/digest/digest.h"
37
+#include "../../core/parser/hf.h"
38
+#include "../../core/mod_fix.h"
39 39
 
40 40
 #include "autheph_mod.h"
41 41
 #include "authorize.h"
Browse code

core, lib, modules: restructured source code tree

- new folder src/ to hold the source code for main project applications
- main.c is in src/
- all core files are subfolder are in src/core/
- modules are in src/modules/
- libs are in src/lib/
- application Makefiles are in src/
- application binary is built in src/ (src/kamailio)

Daniel-Constantin Mierla authored on 07/12/2016 11:03:51
Showing 1 changed files
1 1
new file mode 100644
... ...
@@ -0,0 +1,484 @@
1
+/*
2
+ * $Id$
3
+ *
4
+ * Copyright (C) 2013 Crocodile RCS Ltd
5
+ *
6
+ * This file is part of Kamailio, a free SIP server.
7
+ *
8
+ * Kamailio is free software; you can redistribute it and/or modify
9
+ * it under the terms of the GNU General Public License as published by
10
+ * the Free Software Foundation; either version 2 of the License, or
11
+ * (at your option) any later version
12
+ *
13
+ * Kamailio is distributed in the hope that it will be useful,
14
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
15
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
16
+ * GNU General Public License for more details.
17
+ *
18
+ * You should have received a copy of the GNU General Public License 
19
+ * along with this program; if not, write to the Free Software 
20
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
21
+ *
22
+ * Exception: permission to copy, modify, propagate, and distribute a work
23
+ * formed by combining OpenSSL toolkit software and the code in this file,
24
+ * such as linking with software components and libraries released under
25
+ * OpenSSL project license.
26
+ *
27
+ */
28
+#include <openssl/hmac.h>
29
+#include <openssl/sha.h>
30
+
31
+#include "../../basex.h"
32
+#include "../../dprint.h"
33
+#include "../../mod_fix.h"
34
+#include "../../str.h"
35
+#include "../../ut.h"
36
+#include "../../parser/digest/digest.h"
37
+#include "../../parser/hf.h"
38
+#include "../../mod_fix.h"
39
+
40
+#include "autheph_mod.h"
41
+#include "authorize.h"
42
+
43
+static inline int get_pass(str *_username, str *_secret, str *_password)
44
+{
45
+	unsigned int hmac_len = SHA_DIGEST_LENGTH;
46
+	unsigned char hmac_sha1[hmac_len];
47
+
48
+	if (HMAC(EVP_sha1(), _secret->s, _secret->len,
49
+			(unsigned char *) _username->s,
50
+			_username->len, hmac_sha1, &hmac_len) == NULL)
51
+	{
52
+		LM_ERR("HMAC-SHA1 failed\n");
53
+		return -1;
54
+	}
55
+
56
+	_password->len = base64_enc(hmac_sha1, hmac_len,
57
+					(unsigned char *) _password->s,
58
+					base64_enc_len(hmac_len));
59
+	LM_DBG("calculated password: %.*s\n", _password->len, _password->s);
60
+
61
+	return 0;
62
+}
63
+
64
+static inline int get_ha1(struct username *_username, str *_domain,
65
+				str *_secret, char *_ha1)
66
+{
67
+	char password[base64_enc_len(SHA_DIGEST_LENGTH)];
68
+	str spassword;
69
+
70
+	spassword.s = (char *) password;
71
+	spassword.len = 0;
72
+
73
+	if (get_pass(&_username->whole, _secret, &spassword) < 0)
74
+	{
75
+		LM_ERR("calculating password\n");
76
+		return -1;
77
+	}
78
+
79
+	eph_auth_api.calc_HA1(HA_MD5, &_username->whole, _domain, &spassword,
80
+				0, 0, _ha1);
81
+	LM_DBG("calculated HA1: %s\n", _ha1);
82
+
83
+	return 0;
84
+}
85
+
86
+static inline int do_auth(struct sip_msg *_m, struct hdr_field *_h, str *_realm,
87
+			str *_method, str *_secret)
88
+{
89
+	int ret;
90
+	char ha1[256];
91
+	auth_body_t *cred = (auth_body_t*) _h->parsed;
92
+
93
+	LM_DBG("secret: %.*s\n", _secret->len, _secret->s);
94
+
95
+	if (get_ha1(&cred->digest.username, _realm, _secret, ha1) < 0)
96
+	{
97
+		LM_ERR("calculating HA1\n");
98
+		return AUTH_ERROR;
99
+	}
100
+
101
+	ret = eph_auth_api.check_response(&cred->digest, _method, ha1);
102
+	if (ret == AUTHENTICATED)
103
+	{
104
+		if (eph_auth_api.post_auth(_m, _h, ha1) != AUTHENTICATED)
105
+		{