
auth_ephemeral: fix sha256/384/512

- sha256/384/512 were broken because the sha1 password length was used; now the proper length is checked and used for each
- sha384 mistakenly using sha256 method

Justin-lavelle authored on 04/12/2021 11:09:43 • Daniel-Constantin Mierla committed on 08/12/2021 08:30:07
Showing 1 changed files
... ...
@@ -69,11 +69,11 @@ static inline int get_pass(str *_username, str *_secret, str *_password)
69 69
 			break;
70 70
 		case AUTHEPH_SHA384:
71 71
 			hmac_len = SHA384_DIGEST_LENGTH;
72
-			if (HMAC(EVP_sha256(), _secret->s, _secret->len,
72
+			if (HMAC(EVP_sha384(), _secret->s, _secret->len,
73 73
 					(unsigned char *) _username->s,
74 74
 					_username->len, hmac_sha1, &hmac_len) == NULL)
75 75
 			{
76
-				LM_ERR("HMAC-SHA256 failed\n");
76
+				LM_ERR("HMAC-SHA384 failed\n");
77 77
 				return -1;
78 78
 			}
79 79
 			break;
... ...
@@ -88,7 +88,7 @@ static inline int get_pass(str *_username, str *_secret, str *_password)
88 88
 			}
89 89
 			break;
90 90
 		default:
91
-			LM_ERR("Inavlid SHA Algorithm\n");
91
+			LM_ERR("Invalid SHA Algorithm\n");
92 92
 			return -1;
93 93
 
94 94
 	}
... ...
@@ -479,7 +479,26 @@ int autheph_proxy(struct sip_msg *_m, char *_realm, char *_p2)
479 479
 
480 480
 int ki_autheph_authenticate(sip_msg_t *_m, str *susername, str *spassword)
481 481
 {
482
-	char generated_password[base64_enc_len(SHA_DIGEST_LENGTH)];
482
+	unsigned int hmac_len = SHA_DIGEST_LENGTH;
483
+	switch(autheph_sha_alg) {
484
+		case AUTHEPH_SHA1:
485
+			hmac_len = SHA_DIGEST_LENGTH;
486
+			break;
487
+		case AUTHEPH_SHA256:
488
+			hmac_len = SHA256_DIGEST_LENGTH;
489
+			break;
490
+		case AUTHEPH_SHA384:
491
+			hmac_len = SHA384_DIGEST_LENGTH;
492
+			break;
493
+		case AUTHEPH_SHA512:
494
+			hmac_len = SHA512_DIGEST_LENGTH;
495
+			break;
496
+		default:
497
+			LM_ERR("Invalid SHA Algorithm\n");
498
+			return AUTH_ERROR;
499
+	}
500
+
501
+	char generated_password[base64_enc_len(hmac_len)];
483 502
 	str sgenerated_password;
484 503
 	struct secret *secret_struct;
485 504
 
... ...
@@ -515,14 +534,17 @@ int ki_autheph_authenticate(sip_msg_t *_m, str *susername, str *spassword)
515 534
 	secret_struct = secret_list;
516 535
 	while (secret_struct != NULL)
517 536
 	{
518
-		LM_DBG("trying secret: %.*s\n",
537
+		LM_DBG("trying secret: %.*s (%i)\n",
519 538
 			secret_struct->secret_key.len,
520
-			secret_struct->secret_key.s);
539
+			secret_struct->secret_key.s,
540
+			secret_struct->secret_key.len);
521 541
 		if (get_pass(susername, &secret_struct->secret_key,
522 542
 				&sgenerated_password) == 0)
523 543
 		{
524
-			LM_DBG("generated password: %.*s\n",
525
-				sgenerated_password.len, sgenerated_password.s);
544
+			LM_DBG("generated password: %.*s (%i)\n", 
545
+				sgenerated_password.len,
546
+				sgenerated_password.s,
547
+				sgenerated_password.len);
526 548
 			if (spassword->len == sgenerated_password.len
527 549
 					&& strncmp(spassword->s, sgenerated_password.s,
528 550
 						spassword->len) == 0)
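Review bot: The digest-length switch added at the top of ki_autheph_authenticate (third hunk, new lines 482-499) duplicates the one already in get_pass (visible in the first two hunks), so an algorithm added to one switch and not the other would reproduce the length mismatch this commit fixes; factoring the mapping into one static helper keeps both sites consistent. The switch also turns `generated_password` into a VLA; its size is bounded by the switch so that is safe, but sizing the buffer for the largest digest would avoid a runtime-sized stack array if `sgenerated_password.len`, which is set outside the hunk, does not depend on the exact array size. Separately, the LM_DBG lines in the last hunk print the shared secret and the generated password together with their lengths, which at debug level writes live credentials into the log; logging only the length, `LM_DBG("trying secret of length %i\n", secret_struct->secret_key.len);`, avoids that. ki_autheph_authenticate's body continues past the hunk.
```c
/* Digest length for the configured algorithm, 0 if the algorithm is unknown.
 * Shared by get_pass() and ki_autheph_authenticate() so both stay in sync. */
static inline unsigned int autheph_digest_len(int alg)
{
	switch(alg) {
		case AUTHEPH_SHA1:
			return SHA_DIGEST_LENGTH;
		case AUTHEPH_SHA256:
			return SHA256_DIGEST_LENGTH;
		case AUTHEPH_SHA384:
			return SHA384_DIGEST_LENGTH;
		case AUTHEPH_SHA512:
			return SHA512_DIGEST_LENGTH;
		default:
			return 0;
	}
}

int ki_autheph_authenticate(sip_msg_t *_m, str *susername, str *spassword)
{
	unsigned int hmac_len = autheph_digest_len(autheph_sha_alg);
	if (hmac_len == 0) {
		LM_ERR("Invalid SHA Algorithm\n");
		return AUTH_ERROR;
	}

	char generated_password[base64_enc_len(hmac_len)];
	/* … unchanged: remaining declarations and the secret loop … */
```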