From 07753ebebceebb387d2f358a40a362290e655708 Mon Sep 17 00:00:00 2001
From: mom040267
Date: Fri, 6 Feb 2015 07:41:29 +0000
Subject: [PATCH] sha512 fixes
---
 src/client/ns_turn_msg.c | 14 +++++++++++++-
 src/client/ns_turn_msg_defs_new.h | 1 +
 src/server/ns_turn_server.c | 19 ++++++++++++++++++-
 3 files changed, 32 insertions(+), 2 deletions(-)
diff --git a/src/client/ns_turn_msg.c b/src/client/ns_turn_msg.c
index fd9004a..46f7200 100644
--- a/src/client/ns_turn_msg.c
+++ b/src/client/ns_turn_msg.c
@@ -1647,21 +1647,33 @@ int stun_check_message_integrity_by_key_str(turn_credential_type ct, u08bits *bu
 switch(sarlen) {
 case SHA256SIZEBYTES:
 shasize = SHA256SIZEBYTES;
+ if(shatype > SHATYPE_SHA256) {
+ if(too_weak)
+ *too_weak = 1;
+ return -1;
+ }
 if(shatype != SHATYPE_SHA256)
 return -1;
 break;
 case SHA512SIZEBYTES:
 shasize = SHA512SIZEBYTES;
+ if(shatype > SHATYPE_SHA512) {
+ if(too_weak)
+ *too_weak = 1;
+ return -1;
+ }
 if(shatype != SHATYPE_SHA512)
 return -1;
 break;
 case SHA1SIZEBYTES:
 shasize = SHA1SIZEBYTES;
- if(shatype != SHATYPE_SHA1) {
+ if(shatype > SHATYPE_SHA1) {
 if(too_weak)
 *too_weak = 1;
 return -1;
 }
+ if(shatype != SHATYPE_SHA1)
+ return -1;
 break;
 default:
 return -1;
diff --git a/src/client/ns_turn_msg_defs_new.h b/src/client/ns_turn_msg_defs_new.h
index ae0b122..baa6f9d 100644
--- a/src/client/ns_turn_msg_defs_new.h
+++ b/src/client/ns_turn_msg_defs_new.h
@@ -65,6 +65,7 @@ typedef enum _SHATYPE SHATYPE;
 #define shatype_name(sht) ((sht == SHATYPE_SHA1) ? "SHA1" : ((sht == SHATYPE_SHA256) ? "SHA256" : ((sht == SHATYPE_SHA512) ? "SHA512" : "SHA UNKNOWN")))
 #define SHA_TOO_WEAK_ERROR_CODE (426)
+#define SHA_TOO_WEAK_ERROR_REASON ((const u08bits*)("credentials too weak"))
 /* <<== SHA AGILITY */
diff --git a/src/server/ns_turn_server.c b/src/server/ns_turn_server.c
index 53f22e2..71c7d2d 100644
--- a/src/server/ns_turn_server.c
+++ b/src/server/ns_turn_server.c
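Review bot: The new `shatype > SHATYPE_SHA256`, `shatype > SHATYPE_SHA512` and `shatype > SHATYPE_SHA1` guards make the too-weak decision depend on the SHATYPE enumerators being declared in increasing order of strength, which nothing in this hunk or in the ns_turn_msg_defs_new.h hunk states; if the enum is ever reordered or a member appended out of order, a shorter digest would still be rejected by the following `!=` check but `*too_weak` would no longer be set, so the caller would report a different error. The same dependency is introduced by the `server->shatype >` guards in the ns_turn_server.c hunk at line 3292. Pin it next to the enum, e.g. `_Static_assert(SHATYPE_SHA1 < SHATYPE_SHA256 && SHATYPE_SHA256 < SHATYPE_SHA512, "SHATYPE must be ordered weakest to strongest");` where C11 is available, otherwise a comment `/* ordered weakest to strongest: ns_turn_msg.c and ns_turn_server.c compare SHATYPE values with > */`. Assuming that ordering, `shatype > SHATYPE_SHA512` can never be true and `shatype != SHATYPE_SHA1` after the `>` guard only fires for a value below SHA1, so both branches (and their mirrors in the server hunk) are effectively dead unless further enumerators exist. stun_check_message_integrity_by_key_str starts and ends outside the hunk.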
@@ -3292,20 +3292,36 @@ static int check_stun_auth(turn_turnserver *server,
 {
 int sarlen = stun_attr_get_len(sar);
+
 switch(sarlen) {
 case SHA1SIZEBYTES:
- if(server->shatype != SHATYPE_SHA1) {
+ if(server->shatype > SHATYPE_SHA1) {
 *err_code = SHA_TOO_WEAK_ERROR_CODE;
+ *reason = SHA_TOO_WEAK_ERROR_REASON;
+ return create_challenge_response(ss,tid,resp_constructed,err_code,reason,nbh,method);
+ }
+ if(server->shatype != SHATYPE_SHA1) {
+ *err_code = 401;
 return create_challenge_response(ss,tid,resp_constructed,err_code,reason,nbh,method);
 }
 break;
 case SHA256SIZEBYTES:
+ if(server->shatype > SHATYPE_SHA256) {
+ *err_code = SHA_TOO_WEAK_ERROR_CODE;
+ *reason = SHA_TOO_WEAK_ERROR_REASON;
+ return create_challenge_response(ss,tid,resp_constructed,err_code,reason,nbh,method);
+ }
 if(server->shatype != SHATYPE_SHA256) {
 *err_code = 401;
 return create_challenge_response(ss,tid,resp_constructed,err_code,reason,nbh,method);
 }
 break;
 case SHA512SIZEBYTES:
+ if(server->shatype > SHATYPE_SHA512) {
+ *err_code = SHA_TOO_WEAK_ERROR_CODE;
+ *reason = SHA_TOO_WEAK_ERROR_REASON;
+ return create_challenge_response(ss,tid,resp_constructed,err_code,reason,nbh,method);
+ }
 if(server->shatype != SHATYPE_SHA512) {
 *err_code = 401;
 return create_challenge_response(ss,tid,resp_constructed,err_code,reason,nbh,method);
@@ -3452,6 +3468,7 @@ static int check_stun_auth(turn_turnserver *server,
 "%s: user %s credentials are incorrect: SHA function is too weak\n",
 __FUNCTION__, (char*)usname);
 *err_code = SHA_TOO_WEAK_ERROR_CODE;
+ *reason = SHA_TOO_WEAK_ERROR_REASON;
 *reason = (const u08bits*)"Unauthorised: weak SHA function is used";
 return create_challenge_response(ss,tid,resp_constructed,err_code,reason,nbh,method);
 }
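Review bot: Each arm of the switch now answers with two different codes, 426 plus `SHA_TOO_WEAK_ERROR_REASON` when the digest sent is shorter than the configured `server->shatype`, and a bare 401 on any other length mismatch, but nothing in the hunk records why the two cases are treated differently, and the 401 paths leave `*reason` untouched while the 426 paths set it. A one-line comment above `switch(sarlen)` such as `/* digest shorter than server->shatype: 426 so the client can retry with the stronger hash; any other length mismatch: 401 */` would make the intent reviewable. The bare-401 paths presumably rely on `reason` carrying a default from the caller, as the pre-existing SHA256/SHA512 arms already do; confirm. check_stun_auth starts and ends outside the hunk, and the switch's `default:` arm is not visible here.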
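Review bot: The added `*reason = SHA_TOO_WEAK_ERROR_REASON;` in the hunk at line 3452 is a dead store: the very next context line, `*reason = (const u08bits*)"Unauthorised: weak SHA function is used";`, overwrites it before `create_challenge_response` runs, so this path still sends the old text while the other 426 paths in this commit send "credentials too weak". Keep exactly one of the two assignments; dropping the old line, `*reason = (const u08bits*)"Unauthorised: weak SHA function is used";`, makes the reason string identical on every too-weak path. A compiler warning level that reports stores never read would have caught this. check_stun_auth starts outside the hunk.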