Summary:ASTERISK-11218: [patch] AMI challenge/response authentication uses user supplied secret to calculate hash
Reporter:Stefan Reuter (srt)Labels:
Date Opened:2008-01-12 09:40:42.000-0600Date Closed:2008-01-14 14:00:16.000-0600
Versions:Frequency of
Environment:Attachments:( 0) 20080112__bug11749.diff.txt
( 1) 20080112_bug11749-1.diff
( 2) ami-md5-auth-r98514.patch
Description:When using challenge/reponse authentication with AMI the "Login" action uses the secret supplied with the "Login" action instead of the one from manager.conf to calculate the MD5 hash.
This has two effects:
1. Login with "AuthType: MD5" and "Key:" but without a "Secret:" always fails
2. Anybody who knows a valid username can login without knowing the secret configured in manager.conf
Comments:By: Tilghman Lesher (tilghman) 2008-01-12 12:06:24.000-0600

Since I can't see your patch yet (license not yet approved), I'm uploading the patch that I'm going to apply, based upon your description.

By: Digium Subversion (svnbot) 2008-01-12 12:10:48.000-0600

Repository: asterisk
Revision: 98536

U   trunk/main/manager.c

r98536 | tilghman | 2008-01-12 12:10:46 -0600 (Sat, 12 Jan 2008) | 3 lines

Conversion to load manager.conf into memory did not convert the password
functions correctly.  (Closes issue ASTERISK-11218)



By: Stefan Reuter (srt) 2008-01-12 12:19:09.000-0600

You should not remove the "!ast_strlen_zero(password)" but replace it by "!ast_strlen_zero(user->secret)" otherwise you get a core dump when the secret is unset in manager.conf.

my patch is here: http://www.reucon.com/~srt/ami-md5-auth-r98514.patch

By: Michiel van Baak (mvanbaak) 2008-01-12 16:33:18.000-0600

uploaded patch against current trunk to prevent the segfault srt mentioned.
Without the patch I indeed get a segfault and this patch fixes it.

Thanks a lot for finding this one srt

By: Tilghman Lesher (tilghman) 2008-01-12 23:26:24.000-0600

Actually, I think we could simply ask if (user->secret), because a blank secret should also be valid (as would be the case without MD5 hashing).

By: Michiel van Baak (mvanbaak) 2008-01-13 05:10:15.000-0600

I think you are right.

By: Digium Subversion (svnbot) 2008-01-14 14:00:13.000-0600

Repository: asterisk
Revision: 98830

U   trunk/main/manager.c

r98830 | file | 2008-01-14 14:00:11 -0600 (Mon, 14 Jan 2008) | 4 lines

Make sure the user's manager secret exists, even if it is blank.
(closes issue ASTERISK-11218)
Reported by: srt