mirror of
https://gitlab.linphone.org/BC/public/linphone-iphone.git
synced 2026-01-22 13:48:09 +00:00
refine management of ha1 vs clear text passwords.
if store_ha1_password option is set, then never store clear text password. Also whenever realm is known, compute the ha1 and drop the clear text password.
This commit is contained in:
Simon Morlat
parent
63be4691c2
commit
096b71cd7e
4 changed files with 80 additions and 6 deletions
|
|
@ -141,13 +141,16 @@ void linphone_auth_info_destroy(LinphoneAuthInfo *obj){
|
|||
void linphone_auth_info_write_config(LpConfig *config, LinphoneAuthInfo *obj, int pos)
|
||||
{
|
||||
char key[50];
|
||||
bool_t store_ha1_passwd = lp_config_get_int(config, "sip", "store_ha1_passwd", 1);
|
||||
|
||||
|
||||
sprintf(key,"auth_info_%i",pos);
|
||||
lp_config_clean_section(config,key);
|
||||
|
||||
if (obj==NULL || lp_config_get_int(config, "sip", "store_auth_info", 1) == 0){
|
||||
return;
|
||||
}
|
||||
if (!obj->ha1 && obj->realm && obj->passwd && (obj->username||obj->userid) && lp_config_get_int(config, "sip", "store_ha1_passwd", 1) == 1) {
|
||||
if (!obj->ha1 && obj->realm && obj->passwd && (obj->username||obj->userid) && store_ha1_passwd) {
|
||||
/*compute ha1 to avoid storing clear text password*/
|
||||
obj->ha1=ms_malloc(33);
|
||||
sal_auth_compute_ha1(obj->userid?obj->userid:obj->username,obj->realm,obj->passwd,obj->ha1);
|
||||
|
|
@ -160,8 +163,17 @@ void linphone_auth_info_write_config(LpConfig *config, LinphoneAuthInfo *obj, in
|
|||
}
|
||||
if (obj->ha1!=NULL){
|
||||
lp_config_set_string(config,key,"ha1",obj->ha1);
|
||||
} else if (obj->passwd!=NULL){ /*only write passwd if no ha1*/
|
||||
lp_config_set_string(config,key,"passwd",obj->passwd);
|
||||
}
|
||||
if (obj->passwd != NULL){
|
||||
if (store_ha1_passwd){
|
||||
if (obj->ha1){
|
||||
/*if we have our ha1 and store_ha1_passwd set to TRUE, then drop the clear text password for security*/
|
||||
linphone_auth_info_set_passwd(obj, NULL);
|
||||
}
|
||||
}else{
|
||||
/*we store clear text password only if store_ha1_passwd is FALSE*/
|
||||
lp_config_set_string(config,key,"passwd",obj->passwd);
|
||||
}
|
||||
}
|
||||
if (obj->realm!=NULL){
|
||||
lp_config_set_string(config,key,"realm",obj->realm);
|
||||
|
|
@ -275,11 +287,26 @@ const LinphoneAuthInfo *linphone_core_find_auth_info(LinphoneCore *lc, const cha
|
|||
return ai;
|
||||
}
|
||||
|
||||
/*the auth info is expected to be in the core's list*/
|
||||
void linphone_core_write_auth_info(LinphoneCore *lc, LinphoneAuthInfo *ai){
|
||||
int i;
|
||||
MSList *elem = lc->auth_info;
|
||||
|
||||
if (!lc->sip_conf.save_auth_info) return;
|
||||
|
||||
for (i=0; elem != NULL; elem = elem->next, i++){
|
||||
if (ai == elem->data){
|
||||
linphone_auth_info_write_config(lc->config, ai, i);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
static void write_auth_infos(LinphoneCore *lc){
|
||||
MSList *elem;
|
||||
int i;
|
||||
|
||||
if (!linphone_core_ready(lc)) return;
|
||||
if (!lc->sip_conf.save_auth_info) return;
|
||||
for(elem=lc->auth_info,i=0;elem!=NULL;elem=ms_list_next(elem),i++){
|
||||
LinphoneAuthInfo *ai=(LinphoneAuthInfo*)(elem->data);
|
||||
linphone_auth_info_write_config(lc->config,ai,i);
|
||||
|
|
@ -353,7 +380,7 @@ void linphone_core_add_auth_info(LinphoneCore *lc, const LinphoneAuthInfo *info)
|
|||
info->domain ? info->domain : "");
|
||||
}
|
||||
ms_list_free(l);
|
||||
if(lc->sip_conf.save_auth_info) write_auth_infos(lc);
|
||||
write_auth_infos(lc);
|
||||
}
|
||||
|
||||
|
||||
|
|
@ -373,7 +400,7 @@ void linphone_core_remove_auth_info(LinphoneCore *lc, const LinphoneAuthInfo *in
|
|||
if (r){
|
||||
lc->auth_info=ms_list_remove(lc->auth_info,r);
|
||||
linphone_auth_info_destroy(r);
|
||||
if(lc->sip_conf.save_auth_info) write_auth_infos(lc);
|
||||
write_auth_infos(lc);
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -1177,6 +1177,11 @@ static bool_t fill_auth_info(LinphoneCore *lc, SalAuthInfo* sai) {
|
|||
sai->userid=ms_strdup(ai->userid?ai->userid:ai->username);
|
||||
sai->password=ai->passwd?ms_strdup(ai->passwd):NULL;
|
||||
sai->ha1=ai->ha1?ms_strdup(ai->ha1):NULL;
|
||||
if (sai->realm && !ai->realm){
|
||||
/*if realm was not known, then set it so that ha1 may eventually be calculated and clear text password dropped*/
|
||||
linphone_auth_info_set_realm(ai, sai->realm);
|
||||
linphone_core_write_auth_info(lc, ai);
|
||||
}
|
||||
return TRUE;
|
||||
} else {
|
||||
return FALSE;
|
||||
|
|
|
|||
|
|
@ -337,6 +337,7 @@ SalStreamDir get_audio_dir_from_call_params(const LinphoneCallParams *params);
|
|||
SalStreamDir get_video_dir_from_call_params(const LinphoneCallParams *params);
|
||||
|
||||
void linphone_auth_info_write_config(struct _LpConfig *config, LinphoneAuthInfo *obj, int pos);
|
||||
void linphone_core_write_auth_info(LinphoneCore *lc, LinphoneAuthInfo *ai);
|
||||
|
||||
void linphone_core_update_proxy_register(LinphoneCore *lc);
|
||||
void linphone_core_refresh_subscribes(LinphoneCore *lc);
|
||||
|
|
|
|||
|
|
@ -358,8 +358,8 @@ static void authenticated_register_with_no_initial_credentials(){
|
|||
static void authenticated_register_with_late_credentials(){
|
||||
LinphoneCoreManager *lcm;
|
||||
stats* counters;
|
||||
LCSipTransports transport = {5070,5070,0,5071};
|
||||
char route[256];
|
||||
LCSipTransports transport = {5070,5070,0,5071};
|
||||
|
||||
sprintf(route,"sip:%s",test_route);
|
||||
|
||||
|
|
@ -371,6 +371,46 @@ static void authenticated_register_with_late_credentials(){
|
|||
linphone_core_manager_destroy(lcm);
|
||||
}
|
||||
|
||||
static void authenticated_register_with_provided_credentials(){
|
||||
LinphoneCoreManager *lcm;
|
||||
stats* counters;
|
||||
LinphoneProxyConfig *cfg;
|
||||
char route[256];
|
||||
LinphoneAddress *from;
|
||||
char *addr;
|
||||
LinphoneAuthInfo *ai;
|
||||
|
||||
sprintf(route,"sip:%s",test_route);
|
||||
|
||||
lcm = linphone_core_manager_new(NULL);
|
||||
|
||||
counters = get_stats(lcm->lc);
|
||||
cfg = linphone_core_create_proxy_config(lcm->lc);
|
||||
from = create_linphone_address(auth_domain);
|
||||
|
||||
linphone_proxy_config_set_identity(cfg, addr=linphone_address_as_string(from));
|
||||
ms_free(addr);
|
||||
|
||||
linphone_proxy_config_enable_register(cfg,TRUE);
|
||||
linphone_proxy_config_set_expires(cfg,1);
|
||||
linphone_proxy_config_set_route(cfg, test_route);
|
||||
linphone_proxy_config_set_server_addr(cfg,test_route);
|
||||
linphone_address_destroy(from);
|
||||
|
||||
ai = linphone_auth_info_new(test_username, NULL, test_password, NULL, NULL, NULL);
|
||||
linphone_core_add_auth_info(lcm->lc, ai);
|
||||
|
||||
linphone_core_add_proxy_config(lcm->lc, cfg);
|
||||
|
||||
BC_ASSERT_TRUE(wait_for(lcm->lc,lcm->lc,&counters->number_of_LinphoneRegistrationOk,1));
|
||||
BC_ASSERT_EQUAL(counters->number_of_auth_info_requested,0, int, "%d");
|
||||
|
||||
BC_ASSERT_PTR_NULL(lp_config_get_string(lcm->lc->config, "auth_info_0", "passwd", NULL));
|
||||
BC_ASSERT_PTR_NOT_NULL(lp_config_get_string(lcm->lc->config, "auth_info_0", "ha1", NULL));
|
||||
|
||||
linphone_core_manager_destroy(lcm);
|
||||
}
|
||||
|
||||
static void authenticated_register_with_wrong_late_credentials(){
|
||||
LinphoneCoreManager *lcm;
|
||||
stats* counters;
|
||||
|
|
@ -877,6 +917,7 @@ test_t register_tests[] = {
|
|||
{ "Digest auth with wrong credentials without 403", authenticated_register_with_wrong_credentials_without_403},
|
||||
{ "Authenticated register with wrong late credentials", authenticated_register_with_wrong_late_credentials},
|
||||
{ "Authenticated register with late credentials", authenticated_register_with_late_credentials },
|
||||
{ "Authenticated register with provided credentials", authenticated_register_with_provided_credentials },
|
||||
{ "Register with refresh", simple_register_with_refresh },
|
||||
{ "Authenticated register with refresh", simple_auth_register_with_refresh },
|
||||
{ "Register with refresh and send error", register_with_refresh_with_send_error },
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue