Patches item #1690705, was opened at 2007-03-29 16:55
Message generated for change (Comment added) made by klaus_darilion
You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=743022&aid=1690705&group_id=139143
Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: modules
Group: ver devel
Status: Open
Resolution: Accepted
Priority: 5
Private: No
Submitted By: Nobody/Anonymous (nobody)
Assigned to: Bogdan (bogdan_iancu)
Summary: SIP Identity module

Initial Comment:
This module adds support for SIP Identity (RFC 4474). I have written it as part of my diploma thesis about SIP security.

Regards
Alexander Christ

----
Alexander Christ - student at Cologne University of Applied Sciences
Alexander.Christ386_at_web.de
----

----------------------------------------------------------------------

>Comment By: Klaus Darilion (klaus_darilion)
Date: 2007-10-17 09:08

Message:
Logged In: YES
user_id=1318360
Originator: NO

Just a quick note: there might be problems when using the identity module and TLS, as both use openssl, which is not safe due to global variables (maybe it is safe if the identity module only uses crypto functions without initialization of openssl and use of CTX contexts?). I saw that the ser guys use static linking against openssl in their auth_identity module to bypass this problem.

----------------------------------------------------------------------

Comment By: Bogdan (bogdan_iancu)
Date: 2007-10-04 14:11

Message:
Logged In: YES
user_id=1275325
Originator: NO

I suggest to keep the module on the tracker for after the 1.3 release and then we can re-evaluate what the options are. Now, in a couple of days, there is no suitable solution to make it work correctly.

regards,
Bogdan

----------------------------------------------------------------------

Comment By: Klaus Darilion (klaus_darilion)
Date: 2007-09-27 10:51

Message:
Logged In: YES
user_id=1318360
Originator: NO

To really make use of it we need to change the signing to use the modified message, not the original received message.
For example, just before the message is sent on the wire, reparse the message and sign it.

----------------------------------------------------------------------

Comment By: Henning Westerholt (henningw)
Date: 2007-09-27 09:43

Message:
Logged In: YES
user_id=337916
Originator: NO

Any new thoughts on this module? Should we merge this for 1.3?

Cheers,
Henning

----------------------------------------------------------------------

Comment By: Nobody/Anonymous (nobody)
Date: 2007-06-05 13:46

Message:
Logged In: NO

Hi! I've made a quick review of the auth_identity module in ser CVS. It does sign the outgoing message, thus it applies lumps before signing using functions added to msg_translator: http://cvs.berlios.de/cgi-bin/viewcvs.cgi/ser/sip_router/msg_translator.c.diff?r1=1.142&r2=1.143

----------------------------------------------------------------------

Comment By: Henning Westerholt (henningw)
Date: 2007-05-25 14:55

Message:
Logged In: YES
user_id=337916
Originator: NO

This was discussed at devel in http://www.openser.org/pipermail/devel/2007-May/007564.html, unfortunately without a result. The original author doesn't want to maintain this code, and nobody else stepped up so far. There are also some issues with the functionality of the module, resulting from the internal structure of openser.

----------------------------------------------------------------------

Comment By: Henning Westerholt (henningw)
Date: 2007-04-10 11:04

Message:
Logged In: YES
user_id=337916
Originator: NO

Attached patches from Alexander Christ for the minor issues reported on 2007-03-30 10:49.
* add GPL header and include guards to .h file
* fix signedness warnings, adapt to openssl 0.9.8

Henning

--- identity.old/identity.h 2007-03-29 14:43:24.000000000 +0200
+++ identity.new/identity.h 2007-04-06 10:11:00.822818288 +0200
@@ -1,3 +1,33 @@ +/* Copyright (C) 2007 Alexander Christ, + * Cologne University of Applied Sciences + * + * This file is part of openser, a free SIP server. + * + * openser is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version + * + * openser is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * + * + * History: + * ------- + * 2007-03-29 initial version + * 2007-04-06 added GPL copyright, #ifndef ... ; changed MIN macro + * + */ + +#ifndef _IDENTITY_H_ +#define _IDENTITY_H_ + #define MAX_TIME 64 //max. length of timestamp #define DATE_FORMAT "%a, %d %b %Y %H:%M:%S GMT" #define MAXDATEDELTA_AUTH 600 //max. allowed | dateHF - now | for authentication service in seconds @@ -12,7 +42,7 @@ #define HOSTNAME_ILLCHAR "?[" //forbidden characters in certHostname #define L_IDENT 4 //log-level of verifications -#define MIN(a, b) ((a < b) ? a : b) +#define MIN(a, b) ((a) < (b) ? (a) : (b)) static int mod_init(void); static int child_init(int rank); @@ -55,3 +85,5 @@ static int add_hf_helper(struct sip_msg* msg, str *str1, str *str2, xl_elem_t *model, int mode, str *hfs); static int append_hf_1(struct sip_msg *msg, char *str1, char *str2 ); static int hname_fixup(void** param, int param_no); + +#endif --- identity.old/identity.c 2007-03-29 15:00:39.000000000 +0200 +++ identity.new/identity.c 2007-04-06 10:11:00.822818288 +0200 
@@ -21,6 +21,7 @@ * History: * ------- * 2007-03-29 initial version + * 2007-04-06 changes regarding pointer types and signess * */ @@ -727,9 +728,9 @@ static int addIdentity(char * dateHF, struct sip_msg * msg) { EVP_MD_CTX ctx; - int siglen = 0; + unsigned int siglen = 0; int b64len = 0; - char * sig = NULL; + unsigned char * sig = NULL; char * b64str = NULL; char digestString[MAX_DIGEST] = "\0"; char buf[MAX_IDENTITY] = "Identity: \""; //String, der msg hinzugefuegt wird @@ -774,7 +775,7 @@ LOG(L_ERR, "identity: addIdentity: ERROR: error allocating memory\n"); return 0; } - EVP_EncodeBlock(b64str, sig, siglen); //Base64 encodierung von sig nach b64str + EVP_EncodeBlock((unsigned char *) b64str, sig, siglen); //Base64 encodierung von sig nach b64str b64str[b64len - 1] = '\0'; pkg_free(sig); @@ -1054,7 +1055,11 @@ char * extstr; X509V3_EXT_METHOD * meth; void * ext_str = NULL; + #if (OPENSSL_VERSION_NUMBER > 0x00908000L) + const unsigned char * data; + #else unsigned char * data; + #endif STACK_OF(CONF_VALUE) * val; CONF_VALUE * nval; @@ -1173,7 +1178,7 @@ EVP_PKEY * pubkey = NULL; char digestString[MAX_DIGEST] = "\0"; int siglen = -1; - char * sigbuf = NULL; + unsigned char * sigbuf = NULL; int b64len = 0; EVP_MD_CTX ctx; int result = 0; @@ -1207,7 +1212,7 @@ return 0; } - siglen = EVP_DecodeBlock(sigbuf, identityHF, b64len); //siglen = -1 im Fehlerfall + siglen = EVP_DecodeBlock(sigbuf, (unsigned char *) identityHF, b64len); //siglen = -1 im Fehlerfall if(siglen <= 1) { pkg_free(sigbuf); 
@@ -1315,7 +1320,7 @@ */ static time_t parseX509Date(ASN1_STRING * dateString) { - char * tmp = NULL; + unsigned char * tmp = NULL; struct tm tmDate; if(!dateString) ---------------------------------------------------------------------- Comment By: Bogdan (bogdan_iancu) Date: 2007-04-08 10:23 Message: Logged In: YES user_id=1275325 Originator: NO Hi Alexander, thanks for your contribution. shortly, it will be reviewed and uploaded on the SVN trunk. regards, bogdan ---------------------------------------------------------------------- You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=743022&aid=1690705&group_id=139143 _______________________________________________ Devel mailing list Devel@openser.org http://openser.org/cgi-bin/mailman/listinfo/devel
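Review bot: in the identity.h hunk `@@ -1,3 +1,33 @@`, the new include guard `_IDENTITY_H_` is an identifier reserved for the implementation in C (a leading underscore followed by an uppercase letter), so it can collide with names from the compiler or libc headers; a guard such as `IDENTITY_H` or `OPENSER_IDENTITY_H` avoids that, and the matching `#endif` in the `@@ -55,3 +85,5 @@` hunk would then read `#endif /* IDENTITY_H */`.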
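Review bot: the parenthesised `MIN` in hunk `@@ -12,7 +42,7 @@` is the right fix for the precedence problem, but the macro still evaluates each argument twice, so no call site may pass an expression with side effects (a function call, `i++`); if any does, replace the macro with a `static inline` function rather than relying on callers to remember this.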
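Review bot: `unsigned int siglen` in hunk `@@ -727,9 +728,9 @@` matches the `unsigned int *` that `EVP_SignFinal` expects, so the warning is fixed for the right reason; however the comments in this function are still German (`//String, der msg hinzugefuegt wird`, and `//Base64 encodierung von sig nach b64str` in the following hunk) and should be translated to English before the module goes into the trunk, to match the rest of the code base.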
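Review bot: in hunk `@@ -1054,7 +1055,11 @@` the `#if (OPENSSL_VERSION_NUMBER > 0x00908000L)`, `#else` and `#endif` lines are indented together with the declarations; preprocessor directives are conventionally written at column 0 so the conditional stands out from the code it selects. The comparison itself is fine: 0.9.8 release numbers are above 0x00908000L, so the `const unsigned char * data` declaration applies to 0.9.8 and later, where the d2i interface takes a const pointer.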
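Review bot: the cast in hunk `@@ -1207,7 +1212,7 @@` silences the pointer-type warning, but the value checked immediately afterwards, `if(siglen <= 1)`, still includes any trailing `=` padding characters as decoded bytes, because `EVP_DecodeBlock` always returns 3 bytes for every 4 input characters; for most signature lengths `siglen` is therefore one or two bytes too large. If that is corrected further down before the length is handed to verification, fine, but the hunk does not show it, so please confirm; otherwise subtract the number of trailing `=` in `identityHF` from `siglen` right after this call.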
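Klaus Darilion's point in the thread (the signature has to cover the message as it leaves the proxy, after script-side modifications, not the message as received), shown as an added example that is not part of the tracker thread or of the module: it builds the RFC 4474 digest-string from a constructed INVITE and checks what happens when a Contact rewrite is applied after signing. The NAT-style Contact rewrite and the SHA-1 stand-in for the RSA-SHA1 Identity signature are illustrative assumptions.

```python
import hashlib
import re

# Constructed sample INVITE (not from the thread); Date is already present, as the
# authentication service requires before it can sign.
RECEIVED = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bKabc\r\n"
    "From: Alice <sip:alice@example.com>;tag=1928301774\r\n"
    "To: Bob <sip:bob@example.net>\r\n"
    "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Date: Thu, 27 Sep 2007 10:51:00 GMT\r\n"
    "Contact: <sip:alice@192.0.2.10:5060>\r\n"
    "Content-Length: 0\r\n\r\n"
)

def _split(msg):
    """Return (lower-cased header name -> value, body) for one SIP message."""
    head, _, body = msg.partition("\r\n\r\n")
    hdrs = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        hdrs[name.strip().lower()] = value.strip()
    return hdrs, body

def _addr_spec(value):
    """Keep only the URI: drop display name, angle brackets and header parameters."""
    m = re.search(r"<([^>]+)>", value)
    return m.group(1) if m else value.split(";")[0].strip()

def digest_string(msg):
    """RFC 4474 section 9 digest-string: From|To|Call-ID|CSeq|Date|Contact|body."""
    h, body = _split(msg)
    return "|".join([_addr_spec(h["from"]), _addr_spec(h["to"]), h["call-id"],
                     h["cseq"], h["date"], _addr_spec(h["contact"]), body])

def sign(msg):
    # Stand-in for the RSA-SHA1 Identity signature: only the hash the service would sign.
    return hashlib.sha1(digest_string(msg).encode()).hexdigest()

def verify(msg, sig):
    return sign(msg) == sig

def rewrite_contact(msg, new_uri):
    # Models a script-side lump (e.g. a NAT fix-up of Contact) applied after signing.
    return re.sub(r"^Contact: [^\r\n]*", "Contact: <%s>" % new_uri, msg, flags=re.M)

def signing_order_matters():
    # Returns (verifies with signature over received msg, verifies with signature over sent msg).
    sig_early = sign(RECEIVED)
    sent = rewrite_contact(RECEIVED, "sip:alice@198.51.100.7:5060")
    return verify(sent, sig_early), verify(sent, sign(sent))
```

Headers outside the digest-string (Via, Record-Route, Max-Forwards) may be changed freely, so the order only matters for modifications to the seven covered elements.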