auth_ephemeral: fix sha256/384/512

- sha256/384/512 broken due to use of sha1 password length, change to check and use proper lengths for each - sha384 mistakenly using sha256 method (cherry picked from commit de2bee1)
kamailio · Dec 8, 2021 · 52a01e5 · 52a01e5
1 parent 84c08ac
commit 52a01e5
Showing 1 changed file with 30 additions and 8 deletions.
diff --git a/src/modules/auth_ephemeral/authorize.c b/src/modules/auth_ephemeral/authorize.c
@@ -69,11 +69,11 @@ static inline int get_pass(str *_username, str *_secret, str *_password)
 			break;
 		case AUTHEPH_SHA384:
 			hmac_len = SHA384_DIGEST_LENGTH;
-			if (HMAC(EVP_sha256(), _secret->s, _secret->len,
+			if (HMAC(EVP_sha384(), _secret->s, _secret->len,
 					(unsigned char *) _username->s,
 					_username->len, hmac_sha1, &hmac_len) == NULL)
 			{
-				LM_ERR("HMAC-SHA256 failed\n");
+				LM_ERR("HMAC-SHA384 failed\n");
 				return -1;
 			}
 			break;
@@ -88,7 +88,7 @@ static inline int get_pass(str *_username, str *_secret, str *_password)
 			}
 			break;
 		default:
-			LM_ERR("Inavlid SHA Algorithm\n");
+			LM_ERR("Invalid SHA Algorithm\n");
 			return -1;
 
 	}
@@ -479,7 +479,26 @@ int autheph_proxy(struct sip_msg *_m, char *_realm, char *_p2)
 
 int ki_autheph_authenticate(sip_msg_t *_m, str *susername, str *spassword)
 {
-	char generated_password[base64_enc_len(SHA_DIGEST_LENGTH)];
+	unsigned int hmac_len = SHA_DIGEST_LENGTH;
+	switch(autheph_sha_alg) {
+		case AUTHEPH_SHA1:
+			hmac_len = SHA_DIGEST_LENGTH;
+			break;
+		case AUTHEPH_SHA256:
+			hmac_len = SHA256_DIGEST_LENGTH;
+			break;
+		case AUTHEPH_SHA384:
+			hmac_len = SHA384_DIGEST_LENGTH;
+			break;
+		case AUTHEPH_SHA512:
+			hmac_len = SHA512_DIGEST_LENGTH;
+			break;
+		default:
+			LM_ERR("Invalid SHA Algorithm\n");
+			return AUTH_ERROR;
+	}
+
+	char generated_password[base64_enc_len(hmac_len)];
 	str sgenerated_password;
 	struct secret *secret_struct;
 
@@ -515,14 +534,17 @@ int ki_autheph_authenticate(sip_msg_t *_m, str *susername, str *spassword)
 	secret_struct = secret_list;
 	while (secret_struct != NULL)
 	{
-		LM_DBG("trying secret: %.*s\n",
+		LM_DBG("trying secret: %.*s (%i)\n",
 			secret_struct->secret_key.len,
-			secret_struct->secret_key.s);
+			secret_struct->secret_key.s,
+			secret_struct->secret_key.len);
 		if (get_pass(susername, &secret_struct->secret_key,
 				&sgenerated_password) == 0)
 		{
-			LM_DBG("generated password: %.*s\n",
-				sgenerated_password.len, sgenerated_password.s);
+			LM_DBG("generated password: %.*s (%i)\n", 
+				sgenerated_password.len,
+				sgenerated_password.s,
+				sgenerated_password.len);
 			if (spassword->len == sgenerated_password.len
 					&& strncmp(spassword->s, sgenerated_password.s,
 						spassword->len) == 0)