Merge pull request #32228 from rangaran/fix-sipcon

Fix the SIP container

Author: rangaran

dev/com.ibm.ws.sipcontainer/src/com/ibm/ws/sip/security/auth/AuthHeader.java

@@ -1,5 +1,5 @@
 /*******************************************************************************
- * Copyright (c) 2008, 2009 IBM Corporation and others.
+ * Copyright (c) 2008, 2025 IBM Corporation and others.
  * All rights reserved. This program and the accompanying materials
  * are made available under the terms of the Eclipse Public License 2.0
  * which accompanies this distribution, and is available at
@@ -23,6 +23,7 @@
 import com.ibm.sip.util.log.Log;
 import com.ibm.sip.util.log.LogMgr;
 import com.ibm.sip.util.log.Situation;
+import com.ibm.ws.common.crypto.CryptoUtils;
 import com.ibm.ws.sip.container.servlets.SipServletMessageImpl;
 import com.ibm.ws.sip.container.servlets.SipServletRequestImpl;
 import com.ibm.ws.sip.container.servlets.SipServletResponseImpl;
@@ -259,6 +260,7 @@ private byte[] getBody(SipServletMessageImpl message) {
 	 * @param uri The request URI
 	 * @param algorithm The algorithm requested in the challange 
 	 * (either 'MD5' or 'MD5-SESS').
+	 * (either 'SHA256' or 'SHA256-SESS') for fips
 	 * @param opaque An opaque value from the challange response, to be embeded 
 	 * in the header. null for none.
 	 * @param body The message body. Only needed if qop="auth-int"
@@ -301,7 +303,8 @@ private String createHeaderString(String sipMethod, String nonce,
 	 * @param cnonce The client-side nonce
 	 * @param uri The request URI
 	 * @param algorithm The algorithm requested in the challange 
-	 * (either 'MD5' or 'MD5-SESS').
+	 * (either 'MD5' or 'MD5-SESS') 
+	 * (either 'SHA256' or 'SHA256-SESS') for fips
 	 * @param opaque An opaque value from the challange response, to be embeded 
 	 * in the header. null for none.
 	 * @param body The message body. Only needed if qop="auth-int"
@@ -325,7 +328,16 @@ private String getAuthParamString(String sipMethod, String nonce,
 		addParam(header, DigestConstants.PROPERTY_USER_NAME, _username, true);
 		addParam(header, DigestConstants.PROPERTY_URI, uri, true);
 		addParam(header, DigestConstants.PROPERTY_NONCE, nonce, true);
-		algorithm = (algorithm == null ? DigestConstants.ALG_MD5 : algorithm);
+
+		//Based on whether fips is enabled or not
+		if (CryptoUtils.isFips140_3EnabledWithBetaGuard()){
+		algorithm = (algorithm == null ? DigestConstants.ALG_SHA256 : algorithm);
+		}
+		else{
+			algorithm = (algorithm == null ? DigestConstants.ALG_MD5 : algorithm);
+		}
+
+
 		addParam(header, DigestConstants.PROPERTY_ALGORITHM, algorithm, true);
 		if (qop != null) {
 			addParam(header, DigestConstants.PROPERTY_QOP, qop, true);
@@ -357,6 +369,7 @@ private String getAuthParamString(String sipMethod, String nonce,
 	 * @param uri The request URI
 	 * @param algorithm The algorithm requested in the challange 
 	 * (either 'MD5' or 'MD5-SESS').
+	 * (either 'SHA256' or 'SHA256-SESS') for fips
 	 * @param body The message body. Only needed if qop="auth-int"
 	 * @return the calculated digest
 	 */

dev/com.ibm.ws.sipcontainer/src/com/ibm/ws/sip/security/auth/DigestConstants.java

@@ -1,5 +1,5 @@
 /*******************************************************************************
- * Copyright (c) 2003,2004 IBM Corporation and others.
+ * Copyright (c) 2003,2025 IBM Corporation and others.
  * All rights reserved. This program and the accompanying materials
  * are made available under the terms of the Eclipse Public License 2.0
  * which accompanies this distribution, and is available at
@@ -14,12 +14,14 @@
 
 import com.ibm.ws.common.crypto.CryptoUtils;
 
-public interface DigestConstants {
+public interface DigestConstants{
 	public static final short DIGEST_LENGTH=6;
 	public static final String DIGEST = "Digest";
 	public static final String DIGEST_REALM = "realm=";
 	public static final String DIGEST_FIRST_REQUEST = "Digest qop=\"auth\",charset=utf-8,algorithm=md5,nonce=";
+	public static final String DIGEST_FIRST_REQUEST_SHA256 = "Digest qop=\"auth\",charset=utf-8,algorithm=sha256,nonce=";
 	public static final String DIGEST_FIRST_REQUEST_WITH_AUTH_INT = "Digest qop=\"auth-int\",charset=utf-8,algorithm=md5,nonce=";
+	public static final String DIGEST_FIRST_REQUEST_WITH_AUTH_INT_SHA256 = "Digest qop=\"auth-int\",charset=utf-8,algorithm=sha256,nonce=";
 	public static final String DIGEST_AUTH_INFO_RESPONSE = "qop=\"auth\",nextnonce=";
 
 	public static final String PROPERTY_USER_NAME = "username";
@@ -37,6 +39,8 @@ public interface DigestConstants {
 	public static final String QOP_AUTH = "auth";
 	public static final String QOP_AUTH_INT = "auth-int";
 	public static final String ALG_MD5 = CryptoUtils.MESSAGE_DIGEST_ALGORITHM_MD5;
+	public static final String ALG_SHA256 = CryptoUtils.MESSAGE_DIGEST_ALGORITHM_SHA_256;
 	public static final String ALG_MD5_SESS = "MD5-sess";
+	public static final String ALG_SHA256_SESS = "SHA256-sess";
 	public static final String METHOD_DEFAULT="AUTHENTICATE";
 }

dev/com.ibm.ws.sipcontainer/src/com/ibm/ws/sip/security/auth/DigestUtils.java

@@ -1,5 +1,5 @@
 /*******************************************************************************
- * Copyright (c) 2008, 2009 IBM Corporation and others.
+ * Copyright (c) 2008, 2025 IBM Corporation and others.
  * All rights reserved. This program and the accompanying materials
  * are made available under the terms of the Eclipse Public License 2.0
  * which accompanies this distribution, and is available at
@@ -16,6 +16,7 @@
 
 import com.ibm.sip.util.log.Log;
 import com.ibm.sip.util.log.LogMgr;
+import com.ibm.ws.common.crypto.CryptoUtils;
 
 /**
  * Digest-generation utilities for the digest code. This class contains code
@@ -68,7 +69,7 @@ private static String toHexString(byte b[]) {
 	}
 
 	/**
-	 * Caculate the MD5 digest of the given byte array. 
+	 * Caculate the MD5 or SHA256 digest (based on whether fips is enabled) of the given byte array. 
 	 * @param msg The message to hash
 	 * @param digester The digester object to use.
 	 * @return A hashed representation of the message.
@@ -119,14 +120,15 @@ private static String textDigest(byte[] textBytes, MessageDigest digester)
 
 	/**
 	 * Calculate the A1 (username-realm-password) value for the digest.
-	 * This is the 'plain md5' version, as opposed to the 'md5-sess' value,
-	 * calculated by the method createA1MD5Sess.
+	 * This is the 'plain md5'/'sha256' version, as opposed to the 'md5-sess'/'sha256-sess' value (based on whether fips is enabled),
+	 * calculated by the method createA1MD5Sess/createA1SHA256Sess.
 	 * 
 	 * @param user The username
 	 * @param realm The authentication realm.
 	 * @param passwd The user password.
 	 * @return A1 value as a string.
 	 * @see #createA1MD5Sess(String, String, String, String, String, 
+	 * MessageDigest)/#createA1SHA256Sess(String, String, String, String, String, 
 	 * MessageDigest)
 	 */
 	public static String createHashedA1(String user, String realm, 
@@ -187,6 +189,40 @@ private static String createA1MD5Sess(String ha1, String nonce,
 		}
 		return  hexHash;
 	}
+
+	/**
+	 * Calculate the A1 (username-realm-password) value for the digest.
+	 * This is the 'SHA256-sess' version, which hashes the value username and
+	 * password along with the server and client nonces
+	 *
+	 * @param ha1 The non-sha256-sess value for a1 (hashed once)
+	 * @param nonce The server-side nonce.
+	 * @param cnonce The client-side nonce.
+	 * @param digester The digester to use for hashing.
+	 * 
+	 * @return A1 value as a string.
+	 * @see #createA1(String, String, String)
+	 */
+	private static String createA1SHA256Sess(String ha1, String nonce, 
+			String cnonce, MessageDigest digester)
+	{
+		if (c_logger.isTraceEntryExitEnabled()) {
+			c_logger.traceEntry(null, "createA1SHA256Sess", 
+					new Object[] {ha1, nonce, cnonce, digester});        	
+		}
+		StringBuffer buff = new StringBuffer(BUFFER_INITIAL_SIZE);
+		buff.append(ha1);
+		buff.append(":");
+		buff.append(nonce);
+		buff.append(":");
+		buff.append(cnonce);
+		String hexHash = buff.toString(); 
+
+		if (c_logger.isTraceEntryExitEnabled()) {
+			c_logger.traceExit(null, "createA1SHA256Sess", hexHash);
+		}
+		return  hexHash;
+	}
 
 	/**
 	 * Create an A2 value for use with the auth-int QOP value. I.e. one that
@@ -307,7 +343,7 @@ private static String createKD(String HA1, String nonce, String nc,
 	 * @param cnonce The client-side nonce
 	 * @param uri The request URI
 	 * @param algorithm The algorithm to use. Could be either 'MD5' or 
-	 * 'MD5-sess'
+	 * 'MD5-sess' / 'SHA256' or 'SHA256-sess'
 	 * @param sipMethod The sip method of the client request.
 	 * @param body The message body to authenticate. Only needed if 
 	 * qop="auth-int"
@@ -355,7 +391,7 @@ public static String createDigestFromAuthParams(String username,
 	 * @param cnonce The client-side nonce
 	 * @param uri The request URI
 	 * @param algorithm The algorithm to use. Could be either 'MD5' or 
-	 * 'MD5-sess'
+	 * 'MD5-sess'/ 'SHA256' or 'SHA256-sess'
 	 * @param sipMethod The sip method of the client request.
 	 * @param body The message body to authenticate. Only needed if 
 	 * qop="auth-int"
@@ -371,11 +407,14 @@ public static String createDigestFromAuthParams(String ha1, String nonce,
 					cnonce, uri, algorithm, sipMethod, body});        	
 		}
         MessageDigest digester = ThreadLocalStorage.getMessageDigest();
-        if (algorithm != null && algorithm.equals(DigestConstants.ALG_MD5_SESS)) {
-        	String A1 = createA1MD5Sess(ha1, nonce, cnonce, digester);
-			ha1 = textDigest(A1, digester);
+        String A1 = createA1MD5Sess(ha1, nonce, cnonce, digester);	
+
+		//if fips is enabled
+		if (CryptoUtils.isFips140_3EnabledWithBetaGuard() && algorithm != null && algorithm.equals(DigestConstants.ALG_SHA256_SESS)) {
+        	A1 = createA1SHA256Sess(ha1, nonce, cnonce, digester);
 		}
 
+		ha1 = textDigest(A1, digester);
 		String A2 = null;
 		if (sipMethod == null)
 			sipMethod = DigestConstants.METHOD_DEFAULT;

dev/com.ibm.ws.sipcontainer/src/com/ibm/ws/sip/security/auth/ThreadLocalStorage.java

@@ -1,5 +1,5 @@
 /*******************************************************************************
- * Copyright (c) 2003 IBM Corporation and others.
+ * Copyright (c) 2003,2025 IBM Corporation and others.
  * All rights reserved. This program and the accompanying materials
  * are made available under the terms of the Eclipse Public License 2.0
  * which accompanies this distribution, and is available at
@@ -32,7 +32,8 @@ public class ThreadLocalStorage
 	private static MessageDigest createMsgDigest(){
 		MessageDigest digester = null;
 		try {
-			digester = MessageDigest.getInstance(CryptoUtils.MESSAGE_DIGEST_ALGORITHM_MD5);
+			//Based on whether fips is enabled or not
+			digester = CryptoUtils.isFips140_3EnabledWithBetaGuard() ? MessageDigest.getInstance(CryptoUtils.MESSAGE_DIGEST_ALGORITHM_SHA256) : MessageDigest.getInstance(CryptoUtils.MESSAGE_DIGEST_ALGORITHM_MD5);
 			_msgDigest.set( digester);
 		} catch (NoSuchAlgorithmException e) {
 			e.printStackTrace();