Improve configuration file

+ work on authentication - not yet functionnal
2026-01-17 18:08:06 +00:00 · 2019-06-27 20:50:49 +07:00 · 2019-06-27 20:50:49 +07:00 · a6ab699fde
commit a6ab699fde
parent daa5e601ea
2 changed files with 73 additions and 25 deletions
--- a/src/authentication.php
+++ b/src/authentication.php
@ -1,13 +1,30 @@
 <?php

+// Nonce are one-time usage, in order to avoid storing them in a table
+// The nonce is built using:
+// - timestamp : nonce is valid for MIN_NONCE_VALIDITY_PERIOD seconds at minimum and twice it at maximum (our goal is one time usage anyway, typical value shall be 10 )
+// - request content : the response uses only the URI, enforce the content to be the same so the nonce is actually a one time usage
+// 		a replay is not devastating (it would just be an actual replay, not a different command to server)
+// - secret key : avoid an attacker to be able to generate a valid nonce
+function auth_get_valid_nonces() {
+	$request = file_get_contents('php://input');
+	$time = time();
+	$time -= $time%MIN_NONCE_VALIDITY_PERIOD; // our nonce will be valid at leat MIN_NONCE_VALIDITY_PERIOD seconds and max twice it, so floor the timestamp
+	return array(
+		hash_hmac("sha256", $time.':'.$request, AUTH_NONCE_KEY),
+		hash_hmac("sha256", $time-MIN_NONCE_VALIDITY_PERIOD.':'.$request, AUTH_NONCE_KEY));
+}
+
 function request_authentication($realm = "sip.example.org") {
 	header('HTTP/1.1 401 Unauthorized');
 	header('WWW-Authenticate: Digest realm="' . $realm.
-		'",qop="auth",nonce="' . uniqid() . '",opaque="' . md5($realm) . '"');
+		'",qop="auth",nonce="' . auth_get_valid_nonces()[0] . '",opaque="' . md5($realm) . '"');
+
 	exit();
 }

 function authenticate($auth_digest, $realm = "sip.example.org") {
+	mylog("[DEBUG] Authenticate : Digest ".(print_r($auth_digest, true))." realm " . $realm);
 	// Parse the client authentication data
 	$default = array('nounce', 'nc', 'cnounce', 'qop', 'username', 'uri', 'response');
 	preg_match_all('~(\w+)="?([^",]+)"?~', $auth_digest, $matches); # $_SERVER['PHP_AUTH_DIGEST']
--- a/src/xmlrpc.conf
+++ b/src/xmlrpc.conf
@ -18,13 +18,6 @@ define("REMOTE_PROVISIONING_OVERWRITE_ALL", False);
 */
 define("SIP_DOMAIN", "sip.linphone.org");

-/*
- * The domain to use for digest auth.
- *
- * Default value: sip.linphone.org
- */
-define("AUTH_REALM", "sip.linphone.org");
-
 /*
 * If true, when account is created, the password will be generated automatically (see below).
 * Otherwise it has to be given as the last parameter of the create_account method call.
@ -92,13 +85,6 @@ define('ALLOW_SAME_EMAILS_ON_MULTILPLE_ACCOUNTS', True);
 */
 define('RECOVER_ACCOUNT_IF_EXISTS', False);

-/*
- * If true, more features are available for test purposes
- *
- * Default value: False
- */
-define('ALLOW_TEST_ACCOUNTS', False);
-
 /* ### Logs configuration ### */

 /*
@ -112,19 +98,10 @@ define("LOGS_ENABLED", True);
 /*
 * The file in which to log calls.
 *
- * Default value: /var/opt/belledonne-communications/log/account-manager.log
+ * Default value: "/var/opt/belledonne-communications/log/account-manager.log"
 */
 define("LOG_FILE", "/var/opt/belledonne-communications/log/account-manager.log");

-/* ### Authentication configuration ### */
-
-/*
- * Realm used for digest authentication
- *
- * Default value: sip.example.org
- */
-define("AUTH_REALM", "sip.example.org");
-
 /* ### Database configuration ### */

 /*
@ -454,4 +431,58 @@ define("SMS_TIME_PERIOD", 86400000);
 * Default value: 3
 */
 define("SMS_COUNT_LIMIT_IN_PERIOD", 3);
+
+/* ### Tests configuration ### */
+
+/*
+ * If true, more features are available for test purposes
+ *
+ * Default value: False
+ */
+define('ALLOW_TEST_ACCOUNTS', False);
+
+/*
+ * Prefix used only by tests account to enable/disable some features
+ *
+ * Default value: "+1000555"
+ */
+define("TESTS_PHONE_PREFIX", "+1000555");
+
+/*
+ * Prefix used only by tests account to enable/disable some features
+ *
+ * Default value: "XXXTEST"
+ */
+define("TESTS_LOGIN_PREFIX", "xxxtest");
+
+/* ### Authentication configuration ### */
+
+/*
+ * The domain to use for digest auth.
+ *
+ * Default value: sip.example.org
+ */
+define("AUTH_REALM", "sip.example.org");
+
+/* Authentication SQL query
+ * this SQL query must retrieve a field password and a field algorithm and will bind a string holding the username into the ?
+ *
+ * Default value : "SELECT password as password, algorithm as algorithm FROM " . ACCOUNTS_ALGO_DB_TABLE . " WHERE account_id=(SELECT id FROM " . ACCOUNTS_DB_TABLE . " WHERE login=?) LIMIT 1;"
+ */
+define("AUTH_QUERY", "SELECT password as password, algorithm as algorithm FROM " . ACCOUNTS_ALGO_DB_TABLE . " WHERE account_id=(SELECT id FROM " . ACCOUNTS_DB_TABLE . " WHERE login=?) LIMIT 1;");
+
+/* Authentication Nonce Key
+ * This value must be a random string(12 characters minimum length) specific to each server and is PRIVATE
+ *
+ * Default value : The default is empty to force using a key different for each server
+ */
+define("AUTH_NONCE_KEY", "");
+
+/* Authentication Nonce Validity
+ * The authentication is aimed to provide a one time usage nonce, it is not strictly inforced by storing valid once, instead
+ * we use a short living period, the maximum validity period will be twice the minimum one, value is in seconds
+ *
+ * Default value : 10 seconds
+ */
+define("MIN_NONCE_VALIDITY_PERIOD", 10);
 ?>