AudioCodes and H.235

Hello, Jan!

I was trying to authenticate RRQs from an AudioCodes MP-112 Gateway using H.235 via the SQLPasswordsAuth policy, and after spending some time investigating why it was not working, I found an intriguing message inside h235auth1.cxx from the H323Plus sources. It says the following:
---
       // H.235.0v4 clause 8.2 says generalID "should" be included, but doesn't require it
       // H.235.1v4 clause 14 says generalID "shall" be included in ClearTokens, when the information is available
       // AudioCodes 4.6 and Innovaphone v6-v9 don't include a generalID
---
I guess it means that the generalID check may be skipped. Unfortunately I haven't found a solution using standard GNUGK tools. That is why I wrote a small patch which tells the H.235.1 authenticator to skip checking generalID while validating crypto tokens inside RRQs from AudioCodes Gateways. Since I have software version 5.00A.046.014 in my MP-112, which is the last available from the manufacturer, I think that this "feature" is relevant for all AudioCodes Gateways.

What would you say about including this workaround in GNUGK sources?

--- gkauth.h.orig	2015-03-24 13:14:44.000000000 +0500
+++ gkauth.h	2015-03-24 15:18:43.389587973 +0500
@@ -607,8 +607,7 @@
 		const H225_ArrayOf_AliasAddress* aliases = NULL,
 		/// Registration Auth data
 		RRQAuthData * authData = NULL
-		)
-	{
+	) {
 		const RAS & req = request;
 		bool finalResult = false;
 
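Review bot: The brace move to `) {` is a formatting-only change unrelated to the generalID workaround, as are the re-indented `for` and `PTRACE` lines in the hunks that follow. Send them as a separate whitespace cleanup so that the functional change to token validation can be audited on its own.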
@@ -617,7 +616,7 @@
 			return GetDefaultStatus();
 		}
 
-        for (PINDEX i = 0; i < m_h235Authenticators->GetSize();  i++) {
+		for (PINDEX i = 0; i < m_h235Authenticators->GetSize();  i++) {
 			H235Authenticator * authenticator = (H235Authenticator *)(*m_h235Authenticators)[i].Clone();
 			authenticator->SetLocalId(Toolkit::GKName());
 
@@ -625,8 +624,9 @@
 			for (PINDEX t = 0; t < req.m_tokens.GetSize(); t++) {
 				PString username;
 				PString password;
+
 				if (!ResolveUserName(req.m_tokens[t], username)) {
-		            PTRACE(4, "GKAUTH\t" << GetName() << " No username resolved from tokens.");
+					PTRACE(4, "GKAUTH\t" << GetName() << " No username resolved from tokens.");
 					continue;	// skip to next token
 				}
 				if ((aliases == NULL) || (FindAlias(*aliases, username) == P_MAX_INDEX)) {
@@ -651,7 +651,7 @@
 				PString username;
 				PString password;
 				if (!ResolveUserName(req.m_cryptoTokens[t], aliases, username)) {
-		            PTRACE(4, "GKAUTH\t" << GetName() << " No username resolved from tokens.");
+					PTRACE(4, "GKAUTH\t" << GetName() << " No username resolved from tokens.");
 					continue;	// skip to next token
 				}
 				if ((aliases == NULL) || (FindAlias(*aliases, username) == P_MAX_INDEX)) {
@@ -665,7 +665,7 @@
 				authenticator->SetRemoteId(username);
 				authenticator->SetPassword(password);
 				//authenticator->SetChallenge(challengeToken);	// TODO: set challenge token from GCF
-				result = authenticator->ValidateCryptoToken(req.m_cryptoTokens[t], request->m_rasPDU);
+				result = InternalValidateCryptoToken(req, authenticator, req.m_cryptoTokens[t], request->m_rasPDU);
 				if (result == H235Authenticator::e_OK) {
 					PTRACE(4, "GKAUTH\tAuthenticator " << authenticator->GetName() << " succeeded");
 					if (authData)
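Review bot: At the replaced `ValidateCryptoToken` call, the path taken now depends on overload resolution on the type of `req`: only an instantiation where `RAS` is `H225_RegistrationRequest` reaches the vendor-specific overload, and every other message type falls into the template. A one-line comment at this call site saying so would help, since the helper is declared much further down the header and nothing here hints that validation may be relaxed.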
@@ -695,6 +695,47 @@
 	SimplePasswordAuth();
 	SimplePasswordAuth(const SimplePasswordAuth &);
 	SimplePasswordAuth & operator=(const SimplePasswordAuth &);
+
+	template<class RAS>
+	H235Authenticator::ValidationResult InternalValidateCryptoToken(
+		const RAS & req,
+		H235Authenticator* authenticator,
+		const H225_CryptoH323Token& token,
+		const PBYTEArray& rawPDU
+	) {
+		return authenticator->ValidateCryptoToken(token, rawPDU);
+	}
+
+	H235Authenticator::ValidationResult InternalValidateCryptoToken(
+		const H225_RegistrationRequest& req,
+		H235Authenticator* authenticator,
+		const H225_CryptoH323Token& token,
+		const PBYTEArray& rawPDU
+	) {
+		H235Authenticator::ValidationResult result;
+
+		// AudioCodes Gateways do not include generalId.
+		// We have to skip it's check.
+		// d.kochmashev@xxxxxxxxx
+
+		if (PString("H.235.1") == authenticator->GetName() &&
+			req.m_endpointVendor.m_vendor.m_t35CountryCode == 181 &&
+			req.m_endpointVendor.m_vendor.m_t35Extension == 0 &&
+			req.m_endpointVendor.m_vendor.m_manufacturerCode == 40 &&
+			req.m_endpointVendor.HasOptionalField(H225_VendorIdentifier::e_productId) &&
+			req.m_endpointVendor.m_productId.AsString() == "Gateway"
+		) {
+			H2351_Authenticator* h2351Auth = dynamic_cast<H2351_Authenticator *>(authenticator);
+			if (h2351Auth != NULL) {
+				h2351Auth->RequireGeneralID(false);
+				PTRACE(4, "GKAUTH\tAuthenticator " << h2351Auth->GetName() << " detected AudioCodes Gateway, generalID check skipped");
+				result = authenticator->ValidateCryptoToken(token, rawPDU);
+				h2351Auth->RequireGeneralID(true);
+				return result;
+			}
+		}
+		return authenticator->ValidateCryptoToken(token, rawPDU);
+	}
 	
 private:
 	/// an encryption key used to decrypt passwords from the config file
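Review bot: The vendor test in the `H225_RegistrationRequest` overload decides whether to relax validation from `m_endpointVendor` fields that come from the very RRQ being authenticated, so any endpoint that sends country code 181, manufacturer code 40 and productId "Gateway" gets the generalID check switched off. Consider gating this on a gatekeeper configuration setting (global or per alias) instead of, or in addition to, sender-supplied vendor data. Also, `RequireGeneralID(true)` restores a hard-coded value rather than the authenticator's previous setting, the literals 181 and 40 would read better as named constants, and the e-mail address belongs in the commit log rather than in a code comment.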