Learn how easy it is to sync an existing GitHub or Google Code repo to a SourceForge project! See Demo

Close

#70 SIP Identity module

ver devel
open
nobody
modules (140)
5
2009-02-11
2007-03-29
Anonymous
No

This module adds support for SIP Identity (RFC 4474).

I have written it as part of my diploma thesis about SIP security.

Regards
Alexander Christ

----
Alexander Christ - student at Cologne University of Applied Sciences
Alexander.Christ386_at_web.de
----

Discussion

  • Identity module

     
    Attachments
    • assigned_to: nobody --> bogdan_iancu
    • status: open --> open-accepted
     
  • Logged In: YES
    user_id=1275325
    Originator: NO

    Hi Alexander,

    thanks for your contribution. shortly, it will be reviewed and uploaded on the SVN trunk.

    regards,
    bogdan

     
  • Logged In: YES
    user_id=337916
    Originator: NO

    Attached patches from Alexander Christ for the minor issues reported on 2007-03-30 10:49.

    * add GPL header and include guards to .h file
    * fix signess warnings, adapt to openssl 0.9.8

    Henning

    --- identity.old/identity.h 2007-03-29 14:43:24.000000000 +0200
    +++ identity.new/identity.h 2007-04-06 10:11:00.822818288 +0200
    @@ -1,3 +1,33 @@
    +/* Copyright (C) 2007 Alexander Christ,
    + * Cologne University of Applied Sciences
    + *
    + * This file is part of openser, a free SIP server.
    + *
    + * openser is free software; you can redistribute it and/or modify
    + * it under the terms of the GNU General Public License as published by
    + * the Free Software Foundation; either version 2 of the License, or
    + * (at your option) any later version
    + *
    + * openser is distributed in the hope that it will be useful,
    + * but WITHOUT ANY WARRANTY; without even the implied warranty of
    + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
    + * GNU General Public License for more details.
    + *
    + * You should have received a copy of the GNU General Public License
    + * along with this program; if not, write to the Free Software
    + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
    + *
    + *
    + * History:
    + * -------
    + * 2007-03-29 initial version
    + * 2007-04-06 added GPL copyright, #ifndef ... ; changed MIN macro
    + *
    + */
    +
    +#ifndef _IDENTITY_H_
    +#define _IDENTITY_H_
    +
    #define MAX_TIME 64 //max. length of timestamp
    #define DATE_FORMAT "%a, %d %b %Y %H:%M:%S GMT"
    #define MAXDATEDELTA_AUTH 600 //max. allowed | dateHF - now | for authentication service in seconds
    @@ -12,7 +42,7 @@
    #define HOSTNAME_ILLCHAR "?[" //forbidden characters in certHostname
    #define L_IDENT 4 //log-level of verifications

    -#define MIN(a, b) ((a < b) ? a : b)
    +#define MIN(a, b) ((a) < (b) ? (a) : (b))

    static int mod_init(void);
    static int child_init(int rank);
    @@ -55,3 +85,5 @@
    static int add_hf_helper(struct sip_msg* msg, str *str1, str *str2, xl_elem_t *model, int mode, str *hfs);
    static int append_hf_1(struct sip_msg *msg, char *str1, char *str2 );
    static int hname_fixup(void** param, int param_no);
    +
    +#endif
    --- identity.old/identity.c 2007-03-29 15:00:39.000000000 +0200
    +++ identity.new/identity.c 2007-04-06 10:11:00.822818288 +0200
    @@ -21,6 +21,7 @@
    * History:
    * -------
    * 2007-03-29 initial version
    + * 2007-04-06 changes regarding pointer types and signess
    *
    */

    @@ -727,9 +728,9 @@
    static int addIdentity(char * dateHF, struct sip_msg * msg)
    {
    EVP_MD_CTX ctx;
    - int siglen = 0;
    + unsigned int siglen = 0;
    int b64len = 0;
    - char * sig = NULL;
    + unsigned char * sig = NULL;
    char * b64str = NULL;
    char digestString[MAX_DIGEST] = "\0";
    char buf[MAX_IDENTITY] = "Identity: \""; //String, der msg hinzugefuegt wird
    @@ -774,7 +775,7 @@
    LOG(L_ERR, "identity: addIdentity: ERROR: error allocating memory\n");
    return 0;
    }
    - EVP_EncodeBlock(b64str, sig, siglen); //Base64 encodierung von sig nach b64str
    + EVP_EncodeBlock((unsigned char *) b64str, sig, siglen); //Base64 encodierung von sig nach b64str
    b64str[b64len - 1] = '\0';

    pkg_free(sig);
    @@ -1054,7 +1055,11 @@
    char * extstr;
    X509V3_EXT_METHOD * meth;
    void * ext_str = NULL;
    + #if (OPENSSL_VERSION_NUMBER > 0x00908000L)
    + const unsigned char * data;
    + #else
    unsigned char * data;
    + #endif
    STACK_OF(CONF_VALUE) * val;
    CONF_VALUE * nval;

    @@ -1173,7 +1178,7 @@
    EVP_PKEY * pubkey = NULL;
    char digestString[MAX_DIGEST] = "\0";
    int siglen = -1;
    - char * sigbuf = NULL;
    + unsigned char * sigbuf = NULL;
    int b64len = 0;
    EVP_MD_CTX ctx;
    int result = 0;
    @@ -1207,7 +1212,7 @@
    return 0;
    }

    - siglen = EVP_DecodeBlock(sigbuf, identityHF, b64len); //siglen = -1 im Fehlerfall
    + siglen = EVP_DecodeBlock(sigbuf, (unsigned char *) identityHF, b64len); //siglen = -1 im Fehlerfall
    if(siglen <= 1)
    {
    pkg_free(sigbuf);
    @@ -1315,7 +1320,7 @@
    */
    static time_t parseX509Date(ASN1_STRING * dateString)
    {
    - char * tmp = NULL;
    + unsigned char * tmp = NULL;
    struct tm tmDate;

    if(!dateString)

     
  • Logged In: YES
    user_id=337916
    Originator: NO

    This was discussed at devel in http://www.openser.org/pipermail/devel/2007-May/007564.html, unfortunally without a result. The original author don't want to maintain this code, and nobody other stepped up so far. There are also some issues with the functionality of the module, resulting of the internal structure of openser.

     
  • Logged In: YES
    user_id=337916
    Originator: NO

    Any new thoughs on this module? Should we merge this for 1.3?

    Cheers,

    Henning

     
  • Klaus Darilion
    Klaus Darilion
    2007-09-27

    Logged In: YES
    user_id=1318360
    Originator: NO

    To really make use of it we need to change the signing to use the modified message, not the original received message. For example, just be fore the message is sent on the wire, reparse the message and sign it.

     
  • Logged In: YES
    user_id=1275325
    Originator: NO

    I suggest to keep the module on the tracker for after the 1.3 release and then we can re-evaluate what the options are. Now, in couple of days, there is no suitable solution to make it work correctly.

    regards,
    Bogdan

     
  • Klaus Darilion
    Klaus Darilion
    2007-10-17

    Logged In: YES
    user_id=1318360
    Originator: NO

    just a quick note: there might be problems when using the identity module and TLS as both use openssl which is not safe due to global variables (maybe it is safe if identity module only uses crypto functions without initialization of openssl and use of CTX contexts?). I saw that the ser guys use static linking against openssl in there auth_identity module to bypass these problem.

     
  • This is now available in opensips, with some small improvements. Given the fact that nobody bothered to fix this issues for two years, i think that the interest on this module is probably not that huge.

     
    • assigned_to: bogdan_iancu --> nobody
    • status: open-accepted --> open
     
  • SER has it from quite some time by now, we will get it via sip-router.org project. It is why I haven't invested any time in it. As you said, nobody else showed interest.