[sr-dev] git:5.4:e04db74d: auth_ephemeral: fix sha256/384/512

Daniel-Constantin Mierla miconda at gmail.com
Wed Dec 8 09:32:05 CET 2021


Module: kamailio
Branch: 5.4
Commit: e04db74dc1e1706f4f3c8c2b6fcd3dba98534f04
URL: https://github.com/kamailio/kamailio/commit/e04db74dc1e1706f4f3c8c2b6fcd3dba98534f04

Author: Justin-lavelle <justinl at broadvoice.com>
Committer: Daniel-Constantin Mierla <miconda at gmail.com>
Date: 2021-12-08T09:31:41+01:00

auth_ephemeral: fix sha256/384/512

- sha256/384/512 were broken because the sha1 password length was used for all of them; change to check and use the proper length for each
- sha384 mistakenly using sha256 method

(cherry picked from commit de2bee1805c2c89565e9b28afb50fac375d0b5ba)
(cherry picked from commit 52a01e54483c5e50fedec649689e5f142c16315a)

---

Modified: src/modules/auth_ephemeral/authorize.c

---

Diff:  https://github.com/kamailio/kamailio/commit/e04db74dc1e1706f4f3c8c2b6fcd3dba98534f04.diff
Patch: https://github.com/kamailio/kamailio/commit/e04db74dc1e1706f4f3c8c2b6fcd3dba98534f04.patch

---

diff --git a/src/modules/auth_ephemeral/authorize.c b/src/modules/auth_ephemeral/authorize.c
index bb92a4a2190..ff5012ade51 100644
--- a/src/modules/auth_ephemeral/authorize.c
+++ b/src/modules/auth_ephemeral/authorize.c
@@ -69,11 +69,11 @@ static inline int get_pass(str *_username, str *_secret, str *_password)
 			break;
 		case AUTHEPH_SHA384:
 			hmac_len = SHA384_DIGEST_LENGTH;
-			if (HMAC(EVP_sha256(), _secret->s, _secret->len,
+			if (HMAC(EVP_sha384(), _secret->s, _secret->len,
 					(unsigned char *) _username->s,
 					_username->len, hmac_sha1, &hmac_len) == NULL)
 			{
-				LM_ERR("HMAC-SHA256 failed\n");
+				LM_ERR("HMAC-SHA384 failed\n");
 				return -1;
 			}
 			break;
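Review bot: The HMAC output buffer `hmac_sha1` passed on the line after the corrected `EVP_sha384()` call is declared outside this hunk, and its name suggests it was sized for a 20-byte SHA-1 digest; a 48-byte SHA-384 result (and the 64-byte SHA-512 result in the case below) would then overrun it, so confirm the declaration is at least `SHA512_DIGEST_LENGTH` or `EVP_MAX_MD_SIZE`. Renaming it to something like `hmac_out` would stop the name from implying a fixed SHA-1 size. get_pass starts before this hunk and its remaining cases continue after it.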
@@ -88,7 +88,7 @@ static inline int get_pass(str *_username, str *_secret, str *_password)
 			}
 			break;
 		default:
-			LM_ERR("Inavlid SHA Algorithm\n");
+			LM_ERR("Invalid SHA Algorithm\n");
 			return -1;
 
 	}
@@ -479,7 +479,26 @@ int autheph_proxy(struct sip_msg *_m, char *_realm, char *_p2)
 
 int ki_autheph_authenticate(sip_msg_t *_m, str *susername, str *spassword)
 {
-	char generated_password[base64_enc_len(SHA_DIGEST_LENGTH)];
+	unsigned int hmac_len = SHA_DIGEST_LENGTH;
+	switch(autheph_sha_alg) {
+		case AUTHEPH_SHA1:
+			hmac_len = SHA_DIGEST_LENGTH;
+			break;
+		case AUTHEPH_SHA256:
+			hmac_len = SHA256_DIGEST_LENGTH;
+			break;
+		case AUTHEPH_SHA384:
+			hmac_len = SHA384_DIGEST_LENGTH;
+			break;
+		case AUTHEPH_SHA512:
+			hmac_len = SHA512_DIGEST_LENGTH;
+			break;
+		default:
+			LM_ERR("Invalid SHA Algorithm\n");
+			return AUTH_ERROR;
+	}
+
+	char generated_password[base64_enc_len(hmac_len)];
 	str sgenerated_password;
 	struct secret *secret_struct;
 
@@ -515,14 +534,17 @@ int ki_autheph_authenticate(sip_msg_t *_m, str *susername, str *spassword)
 	secret_struct = secret_list;
 	while (secret_struct != NULL)
 	{
-		LM_DBG("trying secret: %.*s\n",
+		LM_DBG("trying secret: %.*s (%i)\n",
 			secret_struct->secret_key.len,
-			secret_struct->secret_key.s);
+			secret_struct->secret_key.s,
+			secret_struct->secret_key.len);
 		if (get_pass(susername, &secret_struct->secret_key,
 				&sgenerated_password) == 0)
 		{
-			LM_DBG("generated password: %.*s\n",
-				sgenerated_password.len, sgenerated_password.s);
+			LM_DBG("generated password: %.*s (%i)\n", 
+				sgenerated_password.len,
+				sgenerated_password.s,
+				sgenerated_password.len);
 			if (spassword->len == sgenerated_password.len
 					&& strncmp(spassword->s, sgenerated_password.s,
 						spassword->len) == 0)
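Review bot: The extended LM_DBG calls still write the full shared secret (`secret_struct->secret_key.s`) and the derived password to the log, now with their lengths appended; at debug level this puts long-lived credentials into log files, so consider logging only the lengths, e.g. `LM_DBG("trying secret of length %i\n", secret_struct->secret_key.len);` and `LM_DBG("generated password of length %i\n", sgenerated_password.len);`. Separately, the unchanged comparison at the end of the hunk uses strncmp, which stops at the first differing byte, so the password check is not constant-time; that is pre-existing, but a length-independent memcmp-style compare would be a reasonable follow-up. ki_autheph_authenticate continues after this hunk.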



