void HTTPDigestCredentials::createAuthParams(const HTTPRequest& request, const HTTPAuthenticationParams& responseAuthParams)
{
// Not implemented: "domain" auth parameter and integrity protection.
if (!responseAuthParams.has(NONCE_PARAM) || !responseAuthParams.has(REALM_PARAM))
throw InvalidArgumentException("Invalid HTTP authentication parameters");
const std::string& algorithm = responseAuthParams.get(ALGORITHM_PARAM, DEFAULT_ALGORITHM);
if (icompare(algorithm, DEFAULT_ALGORITHM) != 0)
throw NotImplementedException("Unsupported digest algorithm", algorithm);
const std::string& nonce = responseAuthParams.get(NONCE_PARAM);
const std::string& qop = responseAuthParams.get(QOP_PARAM, DEFAULT_QOP);
const std::string& realm = responseAuthParams.getRealm();
_requestAuthParams.clear();
_requestAuthParams.set(USERNAME_PARAM, _username);
_requestAuthParams.set(NONCE_PARAM, nonce);
_requestAuthParams.setRealm(realm);
if (responseAuthParams.has(OPAQUE_PARAM))
{
_requestAuthParams.set(OPAQUE_PARAM, responseAuthParams.get(OPAQUE_PARAM));
}
if (qop.empty())
{
updateAuthParams(request);
}
else
{
Poco::StringTokenizer tok(qop, ",", Poco::StringTokenizer::TOK_TRIM);
bool qopSupported = false;
for (Poco::StringTokenizer::Iterator it = tok.begin(); it != tok.end(); ++it)
{
if (icompare(*it, AUTH_PARAM) == 0)
{
qopSupported = true;
_requestAuthParams.set(CNONCE_PARAM, createNonce());
_requestAuthParams.set(QOP_PARAM, *it);
updateAuthParams(request);
break;
}
}
if (!qopSupported)
throw NotImplementedException("Unsupported QoP requested", qop);
}
}
int main(int argc, char* argv[]){
if(argc > 1){
printf("Arg detected\n");
}
char* hostIP = getIPAddress(INTERFACE);
printf("Host Interface (%s) Address: [%s]\n", INTERFACE, hostIP);
//Part of this is Recycled/Modified Code from cs4516
printf("Elevation Handler Started.\n");
int packet_socket = socket(AF_PACKET, SOCK_DGRAM, htons(ETH_P_ALL));
printf("FD: [%d]\n", packet_socket);
if(packet_socket == -1){
printf("Error [%s]\n", strerror(errno));
exit(1);
}
struct sockaddr_ll saddr;
unsigned int interface = if_nametoindex(INTERFACE);
printf("IF: [%u]\n", interface);
if(interface == 0){
printf("Interface not found./n");
exit(1);
}
saddr.sll_protocol = htons(ETH_P_ALL);
saddr.sll_ifindex = interface;
saddr.sll_family = AF_PACKET;
int bindInt = bind(packet_socket, (struct sockaddr*) &saddr, sizeof(saddr));
printf("BIND: [%d]\n", bindInt);
if(bindInt == -1){
printf("Error [%s]\n", strerror(errno));
exit(1);
}
char buffer[2000];
AttackList* attackList = NULL;
while(1){
int count = recv(packet_socket, buffer, 1500, 0);
buffer[count] = '\n';
buffer[count + 1] = '\0';
char srcIP[33];
inet_ntop(AF_INET, buffer+12, srcIP, INET_ADDRSTRLEN);
srcIP[32] = '\0';
char destIP[33];
inet_ntop(AF_INET, buffer+16, destIP, INET_ADDRSTRLEN);
destIP[32] = '\0';
int protocol = (int) buffer[9];
if(protocol == 17 && strcmp(hostIP, destIP) == 0){
AttackList** entry = (AttackList**) calloc(sizeof(AttackList*), 1);
attackList = updateAttackCount(attackList, srcIP, entry);
printf("UDP Packet Size: [%d]\n", count);
printf("UDP Packet Src: [%s]\n", srcIP);
printf("UDP Packet Dest: [%s]\n", destIP);
printf("Attack Count: [%d]\n\n", (*entry)->count);
if((*entry)->count > ATTACK_COUNT_THRESHOLD){
printf("Attack Threshold Met for [%s] - Reporting and resetting!\n\n", srcIP);
//Complain to Victim Gateway Here
//Create Flow struct based on received Route Record first
//TODO below: temporary implementation
RouteRecord* tempRR = readRouteRecord(buffer + 20);
struct in_addr* victimAddr = getInAddr(destIP);
struct in_addr* attackerAddr = getInAddr(srcIP);
Flow* flow = createFlowStruct(victimAddr, attackerAddr, tempRR, createNonce(victimAddr, attackerAddr), 0, AITF_BLOCKING_REQUEST);
sendFlow(VICTIM_GATEWAY_IP, TCP_SENDING_PORT, flow);
//Wait T-temp here
waitMilliseconds(T_TEMP);
(*entry)->count = 0;
}
}
}
}
AuthenticateResult SCRAMAuthenticator::authenticate(const Credentials& creds, Poco::UInt32 conversationID)
{
if (conversationID == 0)
{
conversationID = newConversationID();
Conversation::Ptr pConv = new Conversation;
pConv->username = creds.getAttribute(Credentials::ATTR_USERNAME);
pConv->clientNonce = creds.getAttribute(Credentials::ATTR_NONCE);
pConv->serverNonce = createNonce();
pConv->salt = saltForUser(pConv->username, pConv->iterations);
if (!pConv->salt.empty())
{
Credentials serverCreds;
serverCreds.setAttribute(Credentials::ATTR_NONCE, pConv->serverNonce);
serverCreds.setAttribute(Credentials::ATTR_SALT, pConv->salt);
serverCreds.setAttribute(Credentials::ATTR_ITERATIONS, Poco::NumberFormatter::format(pConv->iterations));
_conversations.add(conversationID, pConv);
pConv->state = STATE_START;
return AuthenticateResult(AuthenticateResult::AUTH_CONTINUE, serverCreds, conversationID);
}
}
else
{
Conversation::Ptr pConv = _conversations.get(conversationID);
if (pConv)
{
if (pConv->state == STATE_START)
{
const std::string receivedServerNonce = creds.getAttribute(Credentials::ATTR_NONCE);
const std::string receivedClientProof = creds.getAttribute(Credentials::ATTR_PASSWORD);
const std::string saltedPassword = hashForUser(pConv->username);
std::string clientAuthMessage;
const std::string computedClientProof = computeClientProof(pConv->username, pConv->clientNonce, pConv->salt, pConv->iterations, saltedPassword, pConv->serverNonce, clientAuthMessage);
if (computedClientProof == receivedClientProof && pConv->serverNonce == receivedServerNonce)
{
std::string serverSignature = computeServerSignature(saltedPassword, clientAuthMessage);
Credentials serverCreds;
serverCreds.setAttribute(Credentials::ATTR_SIGNATURE, serverSignature);
pConv->state = STATE_CLIENT_AUTH;
return AuthenticateResult(AuthenticateResult::AUTH_CONTINUE, serverCreds, conversationID);
}
else
{
_conversations.remove(conversationID);
}
}
else if (pConv->state == STATE_CLIENT_AUTH)
{
_conversations.remove(conversationID);
Credentials serverCreds;
serverCreds.setAttribute(Credentials::ATTR_USERNAME, pConv->username);
return AuthenticateResult(AuthenticateResult::AUTH_DONE, serverCreds, conversationID);
}
}
}
return AuthenticateResult();
}
