git:5.3:76c052b2: auth_ephemeral: fix sha256/384/512 - sr-dev

8 Dec 2021

Module: kamailio
Branch: 5.3
Commit: 76c052b2dc86856e854c2ba1aad39a891bfb121e
URL: https://github.com/kamailio/kamailio/commit/76c052b2dc86856e854c2ba1aad39a8…

Author: Justin-lavelle &lt;justinl(a)broadvoice.com&gt;
Committer: Daniel-Constantin Mierla &lt;miconda(a)gmail.com&gt;
Date: 2021-12-08T09:32:20+01:00

auth_ephemeral: fix sha256/384/512

- sha256/384/512 broken due to use of sha1 password length, change to check and use proper
lengths for each
- sha384 mistakenly using sha256 method

(cherry picked from commit de2bee1805c2c89565e9b28afb50fac375d0b5ba)
(cherry picked from commit 52a01e54483c5e50fedec649689e5f142c16315a)
(cherry picked from commit e04db74dc1e1706f4f3c8c2b6fcd3dba98534f04)

---

Modified: src/modules/auth_ephemeral/authorize.c

---

Diff: 
https://github.com/kamailio/kamailio/commit/76c052b2dc86856e854c2ba1aad39a8…
Patch:
https://github.com/kamailio/kamailio/commit/76c052b2dc86856e854c2ba1aad39a8…

---

diff --git a/src/modules/auth_ephemeral/authorize.c
b/src/modules/auth_ephemeral/authorize.c
index bb92a4a2190..ff5012ade51 100644
--- a/src/modules/auth_ephemeral/authorize.c
+++ b/src/modules/auth_ephemeral/authorize.c
@@ -69,11 +69,11 @@ static inline int get_pass(str *_username, str *_secret, str
*_password)
 			break;
 		case AUTHEPH_SHA384:
 			hmac_len = SHA384_DIGEST_LENGTH;
-			if (HMAC(EVP_sha256(), _secret->s, _secret->len,
+			if (HMAC(EVP_sha384(), _secret->s, _secret->len,
 					(unsigned char *) _username->s,
 					_username->len, hmac_sha1, &hmac_len) == NULL)
 			{
-				LM_ERR("HMAC-SHA256 failed\n");
+				LM_ERR("HMAC-SHA384 failed\n");
 				return -1;
 			}
 			break;
@@ -88,7 +88,7 @@ static inline int get_pass(str *_username, str *_secret, str
*_password)
 			}
 			break;
 		default:
-			LM_ERR("Inavlid SHA Algorithm\n");
+			LM_ERR("Invalid SHA Algorithm\n");
 			return -1;
 
 	}
@@ -479,7 +479,26 @@ int autheph_proxy(struct sip_msg *_m, char *_realm, char *_p2)
 
 int ki_autheph_authenticate(sip_msg_t *_m, str *susername, str *spassword)
 {
-	char generated_password[base64_enc_len(SHA_DIGEST_LENGTH)];
+	unsigned int hmac_len = SHA_DIGEST_LENGTH;
+	switch(autheph_sha_alg) {
+		case AUTHEPH_SHA1:
+			hmac_len = SHA_DIGEST_LENGTH;
+			break;
+		case AUTHEPH_SHA256:
+			hmac_len = SHA256_DIGEST_LENGTH;
+			break;
+		case AUTHEPH_SHA384:
+			hmac_len = SHA384_DIGEST_LENGTH;
+			break;
+		case AUTHEPH_SHA512:
+			hmac_len = SHA512_DIGEST_LENGTH;
+			break;
+		default:
+			LM_ERR("Invalid SHA Algorithm\n");
+			return AUTH_ERROR;
+	}
+
+	char generated_password[base64_enc_len(hmac_len)];
 	str sgenerated_password;
 	struct secret *secret_struct;
 
@@ -515,14 +534,17 @@ int ki_autheph_authenticate(sip_msg_t *_m, str *susername, str
*spassword)
 	secret_struct = secret_list;
 	while (secret_struct != NULL)
 	{
-		LM_DBG("trying secret: %.*s\n",
+		LM_DBG("trying secret: %.*s (%i)\n",
 			secret_struct->secret_key.len,
-			secret_struct->secret_key.s);
+			secret_struct->secret_key.s,
+			secret_struct->secret_key.len);
 		if (get_pass(susername, &secret_struct->secret_key,
 				&sgenerated_password) == 0)
 		{
-			LM_DBG("generated password: %.*s\n",
-				sgenerated_password.len, sgenerated_password.s);
+			LM_DBG("generated password: %.*s (%i)\n", 
+				sgenerated_password.len,
+				sgenerated_password.s,
+				sgenerated_password.len);
 			if (spassword->len == sgenerated_password.len
 					&& strncmp(spassword->s, sgenerated_password.s,
 						spassword->len) == 0)



    