Summary: | ASTERISK-11218: [patch] AMI challenge/response authentication uses user supplied secret to calculate hash | ||
Reporter: | Stefan Reuter (srt) | Labels: | |
Date Opened: | 2008-01-12 09:40:42.000-0600 | Date Closed: | 2008-01-14 14:00:16.000-0600 |
Priority: | Major | Regression? | No |
Status: | Closed/Complete | Components: | Core/ManagerInterface |
Versions: | Frequency of Occurrence | ||
Related Issues: | |||
Environment: | Attachments: | ( 0) 20080112__bug11749.diff.txt ( 1) 20080112_bug11749-1.diff ( 2) ami-md5-auth-r98514.patch | |
Description: | When using challenge/reponse authentication with AMI the "Login" action uses the secret supplied with the "Login" action instead of the one from manager.conf to calculate the MD5 hash. This has two effects: 1. Login with "AuthType: MD5" and "Key:" but without a "Secret:" always fails 2. Anybody who knows a valid username can login without knowing the secret configured in manager.conf | ||
Comments: | By: Tilghman Lesher (tilghman) 2008-01-12 12:06:24.000-0600 Since I can't see your patch yet (license not yet approved), I'm uploading the patch that I'm going to apply, based upon your description. By: Digium Subversion (svnbot) 2008-01-12 12:10:48.000-0600 Repository: asterisk Revision: 98536 U trunk/main/manager.c ------------------------------------------------------------------------ r98536 | tilghman | 2008-01-12 12:10:46 -0600 (Sat, 12 Jan 2008) | 3 lines Conversion to load manager.conf into memory did not convert the password functions correctly. (Closes issue ASTERISK-11218) ------------------------------------------------------------------------ http://svn.digium.com/view/asterisk?view=rev&revision=98536 By: Stefan Reuter (srt) 2008-01-12 12:19:09.000-0600 You should not remove the "!ast_strlen_zero(password)" but replace it by "!ast_strlen_zero(user->secret)" otherwise you get a core dump when the secret is unset in manager.conf. my patch is here: http://www.reucon.com/~srt/ami-md5-auth-r98514.patch By: Michiel van Baak (mvanbaak) 2008-01-12 16:33:18.000-0600 uploaded patch against current trunk to prevent the segfault srt mentioned. Without the patch I indeed get a segfault and this patch fixes it. Thanks a lot for finding this one srt By: Tilghman Lesher (tilghman) 2008-01-12 23:26:24.000-0600 Actually, I think we could simply ask if (user->secret), because a blank secret should also be valid (as would be the case without MD5 hashing). By: Michiel van Baak (mvanbaak) 2008-01-13 05:10:15.000-0600 I think you are right. By: Digium Subversion (svnbot) 2008-01-14 14:00:13.000-0600 Repository: asterisk Revision: 98830 U trunk/main/manager.c ------------------------------------------------------------------------ r98830 | file | 2008-01-14 14:00:11 -0600 (Mon, 14 Jan 2008) | 4 lines Make sure the user's manager secret exists, even if it is blank. (closes issue ASTERISK-11218) Reported by: srt ------------------------------------------------------------------------ http://svn.digium.com/view/asterisk?view=rev&revision=98830 |