From 765562b289d6dd37f4b11a71cc296d1cb6f0cbb2 Mon Sep 17 00:00:00 2001 From: Carsten Bock Date: Wed, 1 Feb 2017 09:53:45 +0100 Subject: [PATCH] auth_ephemeral: Support for stronger hashing algorithms --- .../auth_ephemeral/auth_ephemeral_mod.c | 5 +++ .../auth_ephemeral/auth_ephemeral_mod.h | 8 ++++ src/modules/auth_ephemeral/authorize.c | 39 ++++++++++++++++--- .../auth_ephemeral/doc/auth_ephemeral.xml | 10 +++++ .../doc/auth_ephemeral_admin.xml | 31 +++++++++++++++ 5 files changed, 87 insertions(+), 6 deletions(-) diff --git a/src/modules/auth_ephemeral/auth_ephemeral_mod.c b/src/modules/auth_ephemeral/auth_ephemeral_mod.c index 948cb5347ff..e4fe5e9ac34 100644 --- a/src/modules/auth_ephemeral/auth_ephemeral_mod.c +++ b/src/modules/auth_ephemeral/auth_ephemeral_mod.c @@ -1,5 +1,6 @@ /* * Copyright (C) 2013 Crocodile RCS Ltd + * Copyright (C) 2017 ng-voice GmbH * * This file is part of Kamailio, a free SIP server. * @@ -49,6 +50,8 @@ gen_lock_t *autheph_secret_lock = NULL; autheph_username_format_t autheph_username_format = AUTHEPH_USERNAME_IETF; +autheph_sha_alg_t autheph_sha_alg = AUTHEPH_SHA1; + auth_api_s_t eph_auth_api; static cmd_export_t cmds[]= @@ -92,6 +95,8 @@ static param_export_t params[]= (void *) secret_param }, { "username_format", INT_PARAM, &autheph_username_format }, + { "sha_algorithm", INT_PARAM, + &autheph_sha_alg }, {0, 0, 0} }; diff --git a/src/modules/auth_ephemeral/auth_ephemeral_mod.h b/src/modules/auth_ephemeral/auth_ephemeral_mod.h index 19c1035284a..e701613b9d2 100644 --- a/src/modules/auth_ephemeral/auth_ephemeral_mod.h +++ b/src/modules/auth_ephemeral/auth_ephemeral_mod.h @@ -2,6 +2,7 @@ * $Id$ * * Copyright (C) 2013 Crocodile RCS Ltd + * Copyright (C) 2017 ng-voice GmbH * * This file is part of Kamailio, a free SIP server. * 
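Review bot: The new `sha_algorithm` entry in `params[]` accepts any integer, and nothing visible in this hunk range-checks it, so a value outside 0–2 is only caught per request by the `default:` branch added to get_pass(), where every authentication then fails with a log line. A check in the module's init function (not part of this hunk), such as `if ((int)autheph_sha_alg < AUTHEPH_SHA1 || (int)autheph_sha_alg > AUTHEPH_SHA512) { LM_ERR("invalid sha_algorithm\n"); return -1; }`, would reject the bad configuration at startup instead. The target is also an enum object registered as `INT_PARAM`, which is presumably written through an `int *`; this mirrors `username_format`, but declaring the storage as `int` would avoid relying on the enum's underlying type.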
@@ -46,6 +47,13 @@ typedef enum { } autheph_username_format_t; extern autheph_username_format_t autheph_username_format; +typedef enum { + AUTHEPH_SHA1 = 0, + AUTHEPH_SHA256 = 1, + AUTHEPH_SHA512 = 2, +} autheph_sha_alg_t; +extern autheph_sha_alg_t autheph_sha_alg; + extern auth_api_s_t eph_auth_api; extern gen_lock_t *autheph_secret_lock; diff --git a/src/modules/auth_ephemeral/authorize.c b/src/modules/auth_ephemeral/authorize.c index b7ca0c8269f..e8720784e6b 100644 --- a/src/modules/auth_ephemeral/authorize.c +++ b/src/modules/auth_ephemeral/authorize.c @@ -2,6 +2,7 @@ * $Id$ * * Copyright (C) 2013 Crocodile RCS Ltd + * Copyright (C) 2017 ng-voice GmbH * * This file is part of Kamailio, a free SIP server. * @@ -45,12 +46,38 @@ static inline int get_pass(str *_username, str *_secret, str *_password) unsigned int hmac_len = SHA_DIGEST_LENGTH; unsigned char hmac_sha1[hmac_len]; - if (HMAC(EVP_sha1(), _secret->s, _secret->len, - (unsigned char *) _username->s, - _username->len, hmac_sha1, &hmac_len) == NULL) - { - LM_ERR("HMAC-SHA1 failed\n"); - return -1; + switch(autheph_sha_alg) { + case AUTHEPH_SHA1: + if (HMAC(EVP_sha1(), _secret->s, _secret->len, + (unsigned char *) _username->s, + _username->len, hmac_sha1, &hmac_len) == NULL) + { + LM_ERR("HMAC-SHA1 failed\n"); + return -1; + } + break; + case AUTHEPH_SHA256: + if (HMAC(EVP_sha256(), _secret->s, _secret->len, + (unsigned char *) _username->s, + _username->len, hmac_sha1, &hmac_len) == NULL) + { + LM_ERR("HMAC-SHA256 failed\n"); + return -1; + } + break; + case AUTHEPH_SHA512: + if (HMAC(EVP_sha512(), _secret->s, _secret->len, + (unsigned char *) _username->s, + _username->len, hmac_sha1, &hmac_len) == NULL) + { + LM_ERR("HMAC-SHA512 failed\n"); + return -1; + } + break; + default: + LM_ERR("Inavlid SHA Algorithm\n"); + return -1; + } _password->len = base64_enc(hmac_sha1, hmac_len, 
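Review bot: The SHA256 and SHA512 branches overflow the digest buffer, because the context lines above the switch still declare `unsigned char hmac_sha1[hmac_len]` with `hmac_len = SHA_DIGEST_LENGTH` (20 bytes), while HMAC() writes the full digest of the selected hash (32 or 64 bytes) and uses its last argument for output only. Size the buffer for the largest digest, `unsigned char hmac_sha1[EVP_MAX_MD_SIZE];`, and let HMAC() set `hmac_len`. The base64 result grows as well, so the buffer behind `_password->s`, which is allocated by the caller outside this hunk, must be large enough for an encoded 64-byte digest; that needs confirming there. As a smaller point, choosing a `const EVP_MD *` in the switch and calling HMAC() once would remove the three duplicated calls, and the log text `Inavlid` is misspelled. get_pass() begins and continues outside the hunk.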
diff --git a/src/modules/auth_ephemeral/doc/auth_ephemeral.xml b/src/modules/auth_ephemeral/doc/auth_ephemeral.xml index ec2651d7ae4..8f64214b62c 100644 --- a/src/modules/auth_ephemeral/doc/auth_ephemeral.xml +++ b/src/modules/auth_ephemeral/doc/auth_ephemeral.xml @@ -18,11 +18,21 @@ Crocodile RCS Ltd peter.dunkley@crocodile-rcs.com + + Carsten + Bock + ng-voice GmbH + carsten@ng-voice.com + 2013 Crocodile RCS Ltd + + 2017 + ng-voice GmbH + diff --git a/src/modules/auth_ephemeral/doc/auth_ephemeral_admin.xml b/src/modules/auth_ephemeral/doc/auth_ephemeral_admin.xml index 10e2a52b45b..f57bd2f964b 100644 --- a/src/modules/auth_ephemeral/doc/auth_ephemeral_admin.xml +++ b/src/modules/auth_ephemeral/doc/auth_ephemeral_admin.xml @@ -195,6 +195,37 @@ modparam("auth_ephemeral", "username_format", 0) + + +
+ <varname>sha_algorithm</varname> (integer) + + The SHA algorhithm to be used for the Hash. + + + + + 0 - SHA1 (default, as per IETF/RFC) + + + 1 - SHA256 + + + 2 - SHA512 + + + + + <varname>sha_algorithm</varname> parameter + usage + +... +modparam("auth_ephemeral", "sha_algorithm", 2) +... + + +
+