Module: sip-router
Branch: master
Commit: ba2a6ac4230dd9169943f55a9c06af3faa694356
URL:
http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=ba2a6ac…
Author: Peter Dunkley <peter.dunkley(a)crocodile-rcs.com>
Committer: Peter Dunkley <peter.dunkley(a)crocodile-rcs.com>
Date: Tue May 28 00:20:20 2013 +0100
modules/auth_ephemeral: updated to handle usernames from the web-service that just consist
of timestamps
- tidied up the diagnostic output
---
modules/auth_ephemeral/README | 10 ++++--
modules/auth_ephemeral/authorize.c | 31 +++++++++++--------
.../auth_ephemeral/doc/auth_ephemeral_admin.xml | 12 ++++---
3 files changed, 31 insertions(+), 22 deletions(-)
diff --git a/modules/auth_ephemeral/README b/modules/auth_ephemeral/README
index 932c886..a28fea5 100644
--- a/modules/auth_ephemeral/README
+++ b/modules/auth_ephemeral/README
@@ -104,7 +104,7 @@ Chapter 1. Admin Guide
The request should contain the following parameters:
* service - specifies the desired service (msrp, sip, etc)
- * username - a user identifier for the service
+ * username - an optional user identifier for the service
* ttl - an optional TTL request for the lifetime of the credentials,
in seconds.
@@ -114,9 +114,11 @@ GET /?service=sip&username=foobar;&ttl=86400;
1.1.2. Response
The response should include the following parameters:
- * username - the username to use, which is a combination of the
- username parameter from the request, with a timestamp in time_t
- format, colon-separated.
+ * username - the username to use with the service, which is a
+ combination of the username parameter from the request and a
+ timestamp in time_t format, colon-separated. If a username was not
+ included in the request this parameter will just include the
+ timestamp.
* password - the password to use; this value is computed from the
secret key and the returned username value, by performing
base64(hmac-sha1(secret key, returned username)).
diff --git a/modules/auth_ephemeral/authorize.c b/modules/auth_ephemeral/authorize.c
index ea7152f..9d2dd65 100644
--- a/modules/auth_ephemeral/authorize.c
+++ b/modules/auth_ephemeral/authorize.c
@@ -46,7 +46,6 @@ static inline int get_ha1(struct username* _username, str* _domain,
unsigned char password[base64_enc_len(hmac_len)];
str spassword;
- LM_INFO("using secret: %.*s\n", _secret->len, _secret->s);
if (HMAC(EVP_sha1(), _secret->s, _secret->len,
(unsigned char *) _username->whole.s,
_username->whole.len, hmac_sha1, &hmac_len) == NULL) {
@@ -57,11 +56,11 @@ static inline int get_ha1(struct username* _username, str* _domain,
spassword.len = base64_enc(hmac_sha1, hmac_len, password,
base64_enc_len(hmac_len));
spassword.s = (char *) password;
- LM_INFO("calculated password: %.*s\n", spassword.len, spassword.s);
+ LM_DBG("calculated password: %.*s\n", spassword.len, spassword.s);
eph_auth_api.calc_HA1(HA_MD5, &_username->whole, _domain, &spassword,
0, 0, _ha1);
- LM_INFO("HA1 string calculated: %s\n", _ha1);
+ LM_DBG("calculated HA1: %s\n", _ha1);
return 0;
}
@@ -73,6 +72,8 @@ static int do_auth(struct sip_msg* msg, struct hdr_field *h, str
*realm,
char ha1[256];
auth_body_t *cred = (auth_body_t*) h->parsed;
+ LM_DBG("secret: %.*s\n", secret->len, secret->s);
+
ret = get_ha1(&cred->digest.username, realm, secret, ha1);
if (ret < 0)
{
@@ -101,12 +102,10 @@ static int do_auth(struct sip_msg* msg, struct hdr_field *h, str
*realm,
static int verify_timestamp(str* username)
{
- int pos = 0;
+ int pos = 0, cur_time = (int) time(NULL);
unsigned int expires;
str time_str = {0, 0};
- LM_INFO("username: %.*s\n", username->len, username->s);
-
while (pos < username->len && username->s[pos] != ':')
pos++;
@@ -117,19 +116,19 @@ static int verify_timestamp(str* username)
}
else
{
- LM_ERR("unable to extract timestamp from username\n");
- return -1;
+ time_str.s = username->s;
+ time_str.len = username->len;
}
- LM_INFO("username timestamp: %.*s\n", time_str.len, time_str.s);
-
+ LM_DBG("username timestamp: %.*s\n", time_str.len, time_str.s);
if (str2int(&time_str, &expires) < 0)
{
LM_ERR("unable to convert timestamp to int\n");
return -1;
}
- if ((int) time(NULL) > expires)
+ LM_DBG("current time: %d\n", cur_time);
+ if (cur_time > expires)
{
LM_WARN("username has expired\n");
return -1;
@@ -144,6 +143,10 @@ static int digest_authenticate(struct sip_msg* msg, str *realm,
struct hdr_field* h;
int ret;
struct secret *secret_struct = secret_list;
+ str username;
+
+ LM_DBG("realm: %.*s\n", realm->len, realm->s);
+ LM_DBG("method: %.*s\n", method->len, method->s);
ret = eph_auth_api.pre_auth(msg, realm, hftype, &h, NULL);
switch(ret) {
@@ -175,8 +178,10 @@ static int digest_authenticate(struct sip_msg* msg, str *realm,
return AUTH_OK;
}
- if (verify_timestamp(&((auth_body_t*) h->parsed)->digest.username.whole)
- < 0)
+ username = ((auth_body_t *) h->parsed)->digest.username.whole;
+ LM_DBG("username: %.*s\n", username.len, username.s);
+
+ if (verify_timestamp(&username) < 0)
{
LM_ERR("invalid timestamp in username\n");
return AUTH_ERROR;
diff --git a/modules/auth_ephemeral/doc/auth_ephemeral_admin.xml
b/modules/auth_ephemeral/doc/auth_ephemeral_admin.xml
index 678320b..ba2c282 100644
--- a/modules/auth_ephemeral/doc/auth_ephemeral_admin.xml
+++ b/modules/auth_ephemeral/doc/auth_ephemeral_admin.xml
@@ -56,8 +56,8 @@
(msrp, sip, etc)</para>
</listitem>
<listitem>
- <para><emphasis>username</emphasis> - a user identifier for the
- service</para>
+ <para><emphasis>username</emphasis> - an optional user identifier for
+ the service</para>
</listitem>
<listitem>
<para><emphasis>ttl</emphasis> - an optional TTL request for the
@@ -77,9 +77,11 @@ GET /?service=sip&username=foobar;&ttl=86400;
The response should include the following parameters:
<itemizedlist>
<listitem>
- <para><emphasis>username</emphasis> - the username to use, which is a
- combination of the username parameter from the request, with a timestamp
- in time_t format, colon-separated.</para>
+ <para><emphasis>username</emphasis> - the username to use with the
+ service, which is a combination of the username parameter from the
+ request and a timestamp in time_t format, colon-separated. If a username
+ was not included in the request this parameter will just include the
+ timestamp.</para>
</listitem>
<listitem>
<para><emphasis>password</emphasis> - the password to use; this value
is