From: Jean-Marc Pigeon (Delson) Date: Tue, 8 Jul 2025 23:17:19 +0000 (-0400) Subject: Problem with disgest-md5 and data-base hash code X-Git-Tag: tag-0.13~14 X-Git-Url: https://jmp-git.ovh.safe.ca/?a=commitdiff_plain;h=70fa7d539b0b37c07f3226379f2c2469f4eb62f0;p=jmp%2Fmailleur Problem with disgest-md5 and data-base hash code
---
diff --git a/lib/lvleml.c b/lib/lvleml.c
index cc82cb0..84c56a8 100644
--- a/lib/lvleml.c
+++ b/lib/lvleml.c
@@ -653,18 +653,18 @@ static void get_auth_digest_md5(CONTYP *contact,char **rmtpass)
 {
 #define OPEP "lvleml.c:get_auth_digest_md5,"
-char *tmppass;
 char *challenge;
 RSPTYP *resp;
 char answer[300];
+char hash[20];
 int phase;
 _Bool proceed;
-tmppass=(char *)0;
 *rmtpass=strdup("$1(ukn as digest_md5)");
 challenge=(char *)0;
 resp=(RSPTYP *)0;
 (void) memset(answer,'\000',sizeof(answer));
+(void) memset(hash,'\000',sizeof(hash));
 phase=0;
 proceed=true;
 while (proceed==true) {
@@ -719,17 +719,21 @@ while (proceed==true) {
 contact->authname=rou_freestr(contact->authname);
 contact->authname=strdup(resp->username);
 if (sql_mngusr(contact->sqlptr,sql_select,resp->username,&usr)==true) {
- if (usr->passwd!=(char *)0)
- tmppass=strdup(usr->passwd);
+ if (usr->hash!=(char *)0)
+ (void) strncpy(hash,usr->hash,sizeof(hash)-1);
 usr=sql_freeusr(usr);
 }
+ if (strlen(hash)==0) {
+ (void) rou_alert(0,"%s user <%s> missing hash value!",OPEP,resp->username);
+ phase=999; //No need to go further
+ }
 }
 break;
 case 6 : { //sending the rspauth sequence.
 char *HAS;
 char *rspauth;
 char *b64;
- if ((HAS=dig_hashresp(resp,"",tmppass))==(char *)0) {
+ if ((HAS=dig_hashresp(resp,"",hash))==(char *)0) {
 (void) rou_alert(0,"%s Unable to get the hash rspauth (Bug!)",OPEP);
 break;
 }
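Review bot: The added `strncpy(hash,usr->hash,sizeof(hash)-1)` silently cuts any stored value longer than 19 characters, because `hash` is declared as `char hash[20]` in the first hunk. The stored format is not visible here, but a hex MD5 is 32 characters and a base64 one 24, so a truncated value would reach `dig_hashresp` and surface only as the misleading "(Bug!)" alerts in phases 6 and 8. Size the buffer for the stored format and reject an over-long value rather than truncating it, for example `if (strlen(usr->hash)<sizeof(hash)) (void) strncpy(hash,usr->hash,sizeof(hash)-1);`, leaving the existing empty-hash branch to stop the exchange. The early `phase=999` may also let a client tell a missing account from a wrong password, depending on what is sent after the loop, which is outside this hunk.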
@@ -756,7 +760,7 @@ while (proceed==true) {
 case 8 : { //comparing result.
 char *HA0;
- if ((HA0=dig_hashresp(resp,"AUTHENTICATE",tmppass))==(char *)0) {
+ if ((HA0=dig_hashresp(resp,"AUTHENTICATE",hash))==(char *)0) {
 (void) rou_alert(0,"%s Unable to get the hash response (Bug!)",OPEP);
 break;
 }
@@ -770,7 +774,6 @@ while (proceed==true) {
 }
 phase++;
 }
-tmppass=rou_freestr(tmppass);
 resp=dig_freeresp(resp);
 challenge=rou_freestr(challenge);
diff --git a/lib/unidig.c b/lib/unidig.c
index c327a5e..0eed6eb 100644
--- a/lib/unidig.c
+++ b/lib/unidig.c
@@ -423,12 +423,15 @@ return challenge;
 /* reponse available within RSPTYP record. */
 /* */
 /********************************************************/
-PUBLIC char *dig_hashresp(RSPTYP *resp,char *mode,char *secret)
+PUBLIC char *dig_hashresp(RSPTYP *resp,char *mode,char *hash)
 {
+#define OPEP "unidig.c:dig_hashresp,"
+
 char *HA0;
 char *HA1;
 char *HA2;
+MD5TYP *A1;
 char seq[400];
 int phase;
 _Bool proceed;
@@ -442,13 +445,17 @@ phase=0; proceed=(resp!=(RSPTYP *)0); while (proceed==true) { switch (phase) { - case 0 : { //computing hash HA1 - MD5TYP *A1; + case 0 : //computing A1 from data-base contents + A1=dig_get_plain_md5(hash); + if (A1==(MD5TYP *)0) { + (void) rou_alert(0,"%s Unable to convert hash=<%s>",OPEP,hash); + phase=999; //trouble trouble + } + break; + case 1 : { //computing hash HA1 char *ptr; int max; - (void) snprintf(seq,sizeof(seq),"%s:%s:%s",resp->username,resp->realm,secret); - A1=dig_hashmd5((unsigned char *)seq,strlen(seq)); //starting algorithm value is "MD5-sess" (void) memset(seq,'\000',sizeof(seq)); (void) memmove(seq,(char *)A1,sizeof(MD5TYP));
@@ -462,7 +469,7 @@ while (proceed==true) {
 (void) free(A1);
 }
 break;
- case 1 : { //computing HA2
+ case 2 : { //computing HA2
 MD5TYP *A2;
 (void) snprintf(seq,sizeof(seq),"%s:%s",mode,resp->digesturi);
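Review bot: The new alert in case 0 of `dig_hashresp` writes the stored credential into the alert output: `rou_alert(0,"%s Unable to convert hash=<%s>",OPEP,hash)`. After this change the database value is converted straight into A1 and replaces the MD5 of user:realm:password, so for this mechanism it works as the secret itself, and anyone able to read the alerts could reuse it (assuming `rou_alert` ends up in a log file or syslog, which is not visible here). Report the failure without the value, for example `(void) rou_alert(0,"%s Unable to convert stored hash for <%s>",OPEP,resp->username);`. `A1` also moved to function scope without an initialiser; setting it to `(MD5TYP *)0` next to the other locals would keep the later `free(A1)` safe if the phases are ever reordered.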
@@ -471,7 +478,7 @@ while (proceed==true) {
 (void) free(A2);
 }
 break;
- case 2 : { //computing response
+ case 3 : { //computing response
 MD5TYP *A0;
 (void) snprintf(seq,sizeof(seq),"%s:%s:%08lx:%s:%s:%s",
@@ -491,4 +498,6 @@ while (proceed==true) {
 HA2=rou_freestr(HA2);
 HA1=rou_freestr(HA1);
 return HA0;
+
+#undef OPEP
 }
diff --git a/lib/unidig.h b/lib/unidig.h
index d742a85..8b1856c 100644
--- a/lib/unidig.h
+++ b/lib/unidig.h
@@ -46,6 +46,6 @@ extern char *dig_getchallenge();
 //Procedure to compute local response to challenge and
 //check if the remote session is the same
-extern char *dig_hashresp(RSPTYP *resp,char *mode,char *secret);
+extern char *dig_hashresp(RSPTYP *resp,char *mode,char *hash);
 #endif