Hello, Jan!
I was trying to authenticate RRQ's from AudioCodes MP-112 Gateway using
H.235 via SQLPasswordsAuth policy, and after spending some time
investigating why it is not working, found an intriguing message inside
h235auth1.cxx from H323Plus sources. It says the following:
---
// H.235.0v4 clause 8.2 says generalID "should" be included, but
doesn't require it
// H.235.1v4 clause 14 says generalID "shall" be included in
ClearTokens, when the information is available
// AudioCodes 4.6 and Innovaphone v6-v9 don't include a generalID
---
I guess this means that the generalID check may be skipped. Unfortunately I
haven't found a solution using the standard GNUGK tools. That is why I
wrote a small patch which tells the H.235.1 authenticator to skip checking
generalID while validating crypto tokens inside RRQs from AudioCodes
Gateways. Since my MP-112 runs software version 5.00A.046.014, which is
the last one available from the manufacturer, I think that this "feature" is
relevant for all AudioCodes Gateways.
What would you say about including this workaround in GNUGK sources?
--- gkauth.h.orig 2015-03-24 13:14:44.000000000 +0500
+++ gkauth.h 2015-03-24 15:18:43.389587973 +0500
@@ -607,8 +607,7 @@
const H225_ArrayOf_AliasAddress* aliases = NULL,
/// Registration Auth data
RRQAuthData * authData = NULL
- )
- {
+ ) {
const RAS & req = request;
bool finalResult = false;
@@ -617,7 +616,7 @@
return GetDefaultStatus();
}
- for (PINDEX i = 0; i < m_h235Authenticators->GetSize(); i++) {
+ for (PINDEX i = 0; i < m_h235Authenticators->GetSize(); i++) {
H235Authenticator * authenticator = (H235Authenticator *)(*m_h235Authenticators)[i].Clone();
authenticator->SetLocalId(Toolkit::GKName());
@@ -625,8 +624,9 @@
for (PINDEX t = 0; t < req.m_tokens.GetSize(); t++) {
PString username;
PString password;
+
if (!ResolveUserName(req.m_tokens[t], username)) {
- PTRACE(4, "GKAUTH\t" << GetName() << " No username resolved from tokens.");
+ PTRACE(4, "GKAUTH\t" << GetName() << " No username resolved from tokens.");
continue; // skip to next token
}
if ((aliases == NULL) || (FindAlias(*aliases, username) == P_MAX_INDEX)) {
@@ -651,7 +651,7 @@
PString username;
PString password;
if (!ResolveUserName(req.m_cryptoTokens[t], aliases, username)) {
- PTRACE(4, "GKAUTH\t" << GetName() << " No username resolved from tokens.");
+ PTRACE(4, "GKAUTH\t" << GetName() << " No username resolved from tokens.");
continue; // skip to next token
}
if ((aliases == NULL) || (FindAlias(*aliases, username) == P_MAX_INDEX)) {
@@ -665,7 +665,7 @@
authenticator->SetRemoteId(username);
authenticator->SetPassword(password);
//authenticator->SetChallenge(challengeToken); // TODO: set challenge token from GCF
- result = authenticator->ValidateCryptoToken(req.m_cryptoTokens[t], request->m_rasPDU);
+ result = InternalValidateCryptoToken(req, authenticator, req.m_cryptoTokens[t], request->m_rasPDU);
if (result == H235Authenticator::e_OK) {
PTRACE(4, "GKAUTH\tAuthenticator " << authenticator->GetName() << " succeeded");
if (authData)
@@ -695,6 +695,47 @@
SimplePasswordAuth();
SimplePasswordAuth(const SimplePasswordAuth &);
SimplePasswordAuth & operator=(const SimplePasswordAuth &);
+
+ template<class RAS>
+ H235Authenticator::ValidationResult InternalValidateCryptoToken(
+ const RAS & req,
+ H235Authenticator* authenticator,
+ const H225_CryptoH323Token& token,
+ const PBYTEArray& rawPDU
+ ) {
+ return authenticator->ValidateCryptoToken(token, rawPDU);
+ }
+
+ H235Authenticator::ValidationResult InternalValidateCryptoToken(
+ const H225_RegistrationRequest& req,
+ H235Authenticator* authenticator,
+ const H225_CryptoH323Token& token,
+ const PBYTEArray& rawPDU
+ ) {
+ H235Authenticator::ValidationResult result;
+
+ // AudioCodes Gateways do not include generalId.
+ // We have to skip it's check.
+ // d.kochmashev@xxxxxxxxx
+
+ if (PString("H.235.1") == authenticator->GetName() &&
+ req.m_endpointVendor.m_vendor.m_t35CountryCode == 181 &&
+ req.m_endpointVendor.m_vendor.m_t35Extension == 0 &&
+ req.m_endpointVendor.m_vendor.m_manufacturerCode == 40 &&
+ req.m_endpointVendor.HasOptionalField(H225_VendorIdentifier::e_productId) &&
+ req.m_endpointVendor.m_productId.AsString() == "Gateway"
+ ) {
+ H2351_Authenticator* h2351Auth = dynamic_cast<H2351_Authenticator *>(authenticator);
+ if (h2351Auth != NULL) {
+ h2351Auth->RequireGeneralID(false);
+ PTRACE(4, "GKAUTH\tAuthenticator " << h2351Auth->GetName() << " detected AudioCodes Gateway, generalID check skipped");
+ result = authenticator->ValidateCryptoToken(token, rawPDU);
+ h2351Auth->RequireGeneralID(true);
+ return result;
+ }
+ }
+ return authenticator->ValidateCryptoToken(token, rawPDU);
+ }
private:
/// an encryption key used to decrypt passwords from the config file
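Review bot: The `if` in the `H225_RegistrationRequest` overload of `InternalValidateCryptoToken` relaxes the generalID check based on `m_endpointVendor` values (`m_t35CountryCode == 181`, `m_manufacturerCode == 40`, `m_productId` equal to `"Gateway"`) that the registering endpoint itself supplies in the RRQ before it has been authenticated. Any endpoint that sends those values therefore gets the weaker validation, not only AudioCodes gateways. `ValidateCryptoToken` presumably still checks the token against the password set by the caller, but the generalID comparison is what ties a token to this gatekeeper, so the exemption would be safer behind an explicit configuration switch that defaults to off and that an operator enables for the affected endpoints. Separately, `h2351Auth->RequireGeneralID(true);` forces the flag on instead of restoring its previous value; this looks harmless because the caller works on a `Clone()` of the authenticator, but saving and restoring the prior setting would be more robust. A comment above the `if` should state that the vendor fields are unauthenticated input and must not be treated as proof of the device type.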