Fixed missing padding when calculating MESSAGE-INTEGRITY in STUN

git-svn-id: http://svn.pjsip.org/repos/pjproject/trunk@1265 74dad513-b988-da41-8d7b-12977e46ad98

6 files changed, 189 insertions, 48 deletions

diff --git a/pjlib-util/include/pjlib-util/hmac_md5.h b/pjlib-util/include/pjlib-util/hmac_md5.h
index 5fefab51..f9bdca1a 100644
--- a/pjlib-util/include/pjlib-util/hmac_md5.h
+++ b/pjlib-util/include/pjlib-util/hmac_md5.h
@@ -29,6 +29,7 @@
  */
 
 #include <pj/types.h>
+#include <pjlib-util/md5.h>
 
 PJ_BEGIN_DECL
 
@@ -41,6 +42,15 @@ PJ_BEGIN_DECL
  * for Message Authentication, as described in RFC 2104
  */
 
+/**
+ * The HMAC-MD5 context used in the incremental HMAC calculation.
+ */
+typedef struct pj_hmac_md5_context
+{
+    pj_md5_context  context;	/**< MD5 context	    */
+    pj_uint8_t	    k_opad[64];	/**< opad xor-ed with key   */
+} pj_hmac_md5_context;
+
 
 /**
  * Calculate HMAC MD5 digest for the specified input and key.
@@ -57,6 +67,36 @@ PJ_DECL(void) pj_hmac_md5(const pj_uint8_t *input, unsigned input_len,
 
 
 /**
+ * Initiate HMAC-MD5 context for incremental hashing.
+ *
+ * @param hctx		HMAC-MD5 context.
+ * @param key		Pointer to the authentication key.
+ * @param key_len	Length of the authentication key.
+ */
+PJ_DECL(void) pj_hmac_md5_init(pj_hmac_md5_context *hctx, 
+			       const pj_uint8_t *key, unsigned key_len);
+
+/**
+ * Append string to the message.
+ *
+ * @param hctx		HMAC-MD5 context.
+ * @param input		Pointer to the input stream.
+ * @param input_len	Length of input stream in bytes.
+ */
+PJ_DECL(void) pj_hmac_md5_update(pj_hmac_md5_context *hctx,
+				 const pj_uint8_t *input, 
+				 unsigned input_len);
+
+/**
+ * Finish the message and return the digest. 
+ *
+ * @param hctx		HMAC-MD5 context.
+ * @param digest	Buffer to be filled with HMAC MD5 digest.
+ */
+PJ_DECL(void) pj_hmac_md5_final(pj_hmac_md5_context *hctx,
+				pj_uint8_t digest[16]);
+
+/**
  * @}
  */
 
diff --git a/pjlib-util/include/pjlib-util/hmac_sha1.h b/pjlib-util/include/pjlib-util/hmac_sha1.h
index 6fe4b6ad..70984c53 100644
--- a/pjlib-util/include/pjlib-util/hmac_sha1.h
+++ b/pjlib-util/include/pjlib-util/hmac_sha1.h
@@ -25,6 +25,7 @@
  */
 
 #include <pj/types.h>
+#include <pjlib-util/sha1.h>
 
 PJ_BEGIN_DECL
 
@@ -34,12 +35,22 @@ PJ_BEGIN_DECL
  * @{
  *
  * This module contains the implementation of HMAC: Keyed-Hashing 
- * for Message Authentication, as described in RFC 2104
+ * for Message Authentication, as described in RFC 2104.
  */
 
+/**
+ * The HMAC-SHA1 context used in the incremental HMAC calculation.
+ */
+typedef struct pj_hmac_sha1_context
+{
+    pj_sha1_context context;	/**< SHA1 context	    */
+    pj_uint8_t	    k_opad[64];	/**< opad xor-ed with key   */
+} pj_hmac_sha1_context;
+
 
 /**
- * Calculate HMAC SHA1 digest for the specified input and key.
+ * Calculate HMAC-SHA1 digest for the specified input and key with this
+ * single function call.
  *
  * @param input		Pointer to the input stream.
  * @param input_len	Length of input stream in bytes.
@@ -53,6 +64,37 @@ PJ_DECL(void) pj_hmac_sha1(const pj_uint8_t *input, unsigned input_len,
 
 
 /**
+ * Initiate HMAC-SHA1 context for incremental hashing.
+ *
+ * @param hctx		HMAC-SHA1 context.
+ * @param key		Pointer to the authentication key.
+ * @param key_len	Length of the authentication key.
+ */
+PJ_DECL(void) pj_hmac_sha1_init(pj_hmac_sha1_context *hctx, 
+			        const pj_uint8_t *key, unsigned key_len);
+
+/**
+ * Append string to the message.
+ *
+ * @param hctx		HMAC-SHA1 context.
+ * @param input		Pointer to the input stream.
+ * @param input_len	Length of input stream in bytes.
+ */
+PJ_DECL(void) pj_hmac_sha1_update(pj_hmac_sha1_context *hctx,
+				  const pj_uint8_t *input, 
+				  unsigned input_len);
+
+/**
+ * Finish the message and return the digest. 
+ *
+ * @param hctx		HMAC-SHA1 context.
+ * @param digest	Buffer to be filled with HMAC SHA1 digest.
+ */
+PJ_DECL(void) pj_hmac_sha1_final(pj_hmac_sha1_context *hctx,
+				 pj_uint8_t digest[20]);
+
+
+/**
  * @}
  */
 
diff --git a/pjlib-util/src/pjlib-util/hmac_md5.c b/pjlib-util/src/pjlib-util/hmac_md5.c
index d9c4e466..5ce36c2c 100644
--- a/pjlib-util/src/pjlib-util/hmac_md5.c
+++ b/pjlib-util/src/pjlib-util/hmac_md5.c
@@ -16,20 +16,14 @@
  * along with this program; if not, write to the Free Software
  * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA 
  */
-#include <pjlib-util/md5.h>
+#include <pjlib-util/hmac_md5.h>
 #include <pj/string.h>
 
 
-/* This code is taken from RFC 2104 */
-
-
-PJ_DEF(void) pj_hmac_md5( const pj_uint8_t *input, unsigned input_len, 
-			  const pj_uint8_t *key, unsigned key_len, 
-			  pj_uint8_t digest[16] )
+PJ_DEF(void) pj_hmac_md5_init(pj_hmac_md5_context *hctx, 
+			      const pj_uint8_t *key, unsigned key_len)
 {
-    pj_md5_context context;
-    pj_uint8_t k_ipad[65];
-    pj_uint8_t k_opad[65];
+    pj_uint8_t k_ipad[64];
     pj_uint8_t tk[16];
     int i;
 
@@ -45,31 +39,58 @@ PJ_DEF(void) pj_hmac_md5( const pj_uint8_t *input, unsigned input_len,
         key_len = 16;
     }
 
+    /*
+     * HMAC = H(K XOR opad, H(K XOR ipad, text))
+     */
+
     /* start out by storing key in pads */
     pj_bzero( k_ipad, sizeof(k_ipad));
-    pj_bzero( k_opad, sizeof(k_opad));
+    pj_bzero( hctx->k_opad, sizeof(hctx->k_opad));
     pj_memcpy( k_ipad, key, key_len);
-    pj_memcpy( k_opad, key, key_len);
+    pj_memcpy( hctx->k_opad, key, key_len);
 
     /* XOR key with ipad and opad values */
     for (i=0; i<64; i++) {
         k_ipad[i] ^= 0x36;
-        k_opad[i] ^= 0x5c;
+        hctx->k_opad[i] ^= 0x5c;
     }
     /*
      * perform inner MD5
      */
-    pj_md5_init(&context);
-    pj_md5_update(&context, k_ipad, 64);
-    pj_md5_update(&context, input, input_len);
-    pj_md5_final(&context, digest);
+    pj_md5_init(&hctx->context);
+    pj_md5_update(&hctx->context, k_ipad, 64);
+
+}
+
+PJ_DEF(void) pj_hmac_md5_update(pj_hmac_md5_context *hctx,
+				 const pj_uint8_t *input, 
+				 unsigned input_len)
+{
+    pj_md5_update(&hctx->context, input, input_len);
+}
+
+PJ_DEF(void) pj_hmac_md5_final(pj_hmac_md5_context *hctx,
+				pj_uint8_t digest[16])
+{
+    pj_md5_final(&hctx->context, digest);
 
     /*
      * perform outer MD5
      */
-    pj_md5_init(&context);
-    pj_md5_update(&context, k_opad, 64);
-    pj_md5_update(&context, digest, 16);
-    pj_md5_final(&context, digest);
+    pj_md5_init(&hctx->context);
+    pj_md5_update(&hctx->context, hctx->k_opad, 64);
+    pj_md5_update(&hctx->context, digest, 16);
+    pj_md5_final(&hctx->context, digest);
+}
+
+PJ_DEF(void) pj_hmac_md5( const pj_uint8_t *input, unsigned input_len, 
+			  const pj_uint8_t *key, unsigned key_len, 
+			  pj_uint8_t digest[16] )
+{
+    pj_hmac_md5_context ctx;
+
+    pj_hmac_md5_init(&ctx, key, key_len);
+    pj_hmac_md5_update(&ctx, input, input_len);
+    pj_hmac_md5_final(&ctx, digest);
 }
 
diff --git a/pjlib-util/src/pjlib-util/hmac_sha1.c b/pjlib-util/src/pjlib-util/hmac_sha1.c
index 127434b7..b921febc 100644
--- a/pjlib-util/src/pjlib-util/hmac_sha1.c
+++ b/pjlib-util/src/pjlib-util/hmac_sha1.c
@@ -17,19 +17,15 @@
  * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA 
  */
 #include <pjlib-util/hmac_sha1.h>
-#include <pjlib-util/sha1.h>
 #include <pj/string.h>
 
 
-PJ_DEF(void) pj_hmac_sha1(const pj_uint8_t *input, unsigned input_len, 
-			  const pj_uint8_t *key, unsigned key_len, 
-			  pj_uint8_t digest[20] )
+PJ_DEF(void) pj_hmac_sha1_init(pj_hmac_sha1_context *hctx, 
+			       const pj_uint8_t *key, unsigned key_len)
 {
-    pj_sha1_context context;
-    pj_uint8_t k_ipad[65];
-    pj_uint8_t k_opad[65];
+    pj_uint8_t k_ipad[64];
     pj_uint8_t tk[20];
-    int i;
+    unsigned i;
 
     /* if key is longer than 64 bytes reset it to key=SHA1(key) */
     if (key_len > 64) {
@@ -43,32 +39,56 @@ PJ_DEF(void) pj_hmac_sha1(const pj_uint8_t *input, unsigned input_len,
         key_len = 20;
     }
 
+    /*
+     * HMAC = H(K XOR opad, H(K XOR ipad, text))
+     */
+
     /* start out by storing key in pads */
     pj_bzero( k_ipad, sizeof(k_ipad));
-    pj_bzero( k_opad, sizeof(k_opad));
+    pj_bzero( hctx->k_opad, sizeof(hctx->k_opad));
     pj_memcpy( k_ipad, key, key_len);
-    pj_memcpy( k_opad, key, key_len);
+    pj_memcpy( hctx->k_opad, key, key_len);
 
     /* XOR key with ipad and opad values */
     for (i=0; i<64; i++) {
         k_ipad[i] ^= 0x36;
-        k_opad[i] ^= 0x5c;
+        hctx->k_opad[i] ^= 0x5c;
     }
     /*
      * perform inner SHA1
      */
-    pj_sha1_init(&context);
-    pj_sha1_update(&context, k_ipad, 64);
-    pj_sha1_update(&context, input, input_len);
-    pj_sha1_final(&context, digest);
+    pj_sha1_init(&hctx->context);
+    pj_sha1_update(&hctx->context, k_ipad, 64);
+}
+
+PJ_DEF(void) pj_hmac_sha1_update(pj_hmac_sha1_context *hctx,
+				 const pj_uint8_t *input, unsigned input_len)
+{
+    pj_sha1_update(&hctx->context, input, input_len);
+}
+
+PJ_DEF(void) pj_hmac_sha1_final(pj_hmac_sha1_context *hctx,
+				pj_uint8_t digest[20])
+{
+    pj_sha1_final(&hctx->context, digest);
 
     /*
      * perform outer SHA1
      */
-    pj_sha1_init(&context);
-    pj_sha1_update(&context, k_opad, 64);
-    pj_sha1_update(&context, digest, 20);
-    pj_sha1_final(&context, digest);
+    pj_sha1_init(&hctx->context);
+    pj_sha1_update(&hctx->context, hctx->k_opad, 64);
+    pj_sha1_update(&hctx->context, digest, 20);
+    pj_sha1_final(&hctx->context, digest);
 }
 
+PJ_DEF(void) pj_hmac_sha1(const pj_uint8_t *input, unsigned input_len, 
+			  const pj_uint8_t *key, unsigned key_len, 
+			  pj_uint8_t digest[20] )
+{
+    pj_hmac_sha1_context ctx;
+
+    pj_hmac_sha1_init(&ctx, key, key_len);
+    pj_hmac_sha1_update(&ctx, input, input_len);
+    pj_hmac_sha1_final(&ctx, digest);
+}
 
diff --git a/pjnath/src/pjnath/stun_auth.c b/pjnath/src/pjnath/stun_auth.c
index 3f5a77a5..d49b4fa2 100644
--- a/pjnath/src/pjnath/stun_auth.c
+++ b/pjnath/src/pjnath/stun_auth.c
@@ -119,6 +119,7 @@ PJ_DEF(pj_status_t) pj_stun_verify_credential( const pj_uint8_t *pkt,
     pj_bool_t username_ok;
     const pj_stun_realm_attr *arealm;
     const pj_stun_realm_attr *anonce;
+    pj_hmac_sha1_context ctx;
     pj_uint8_t digest[PJ_SHA1_DIGEST_SIZE];
     pj_uint8_t md5_digest[16];
     pj_str_t key;
@@ -327,8 +328,17 @@ PJ_DEF(pj_status_t) pj_stun_verify_credential( const pj_uint8_t *pkt,
 	key = password;
     }
 
-    /* Now calculate HMAC of the message */
-    pj_hmac_sha1(pkt, amsgi_pos, (pj_uint8_t*)key.ptr, key.slen, digest);
+    /* Now calculate HMAC of the message, adding zero padding if necessary
+     * to make the input 64 bytes aligned.
+     */
+    pj_hmac_sha1_init(&ctx, (pj_uint8_t*)key.ptr, key.slen);
+    pj_hmac_sha1_update(&ctx, pkt, amsgi_pos);
+    if (amsgi_pos & 0x3F) {
+	pj_uint8_t zeroes[64];
+	pj_bzero(zeroes, sizeof(zeroes));
+	pj_hmac_sha1_update(&ctx, zeroes, 64-(amsgi_pos & 0x3F));
+    }
+    pj_hmac_sha1_final(&ctx, digest);
 
     /* Compare HMACs */
     if (pj_memcmp(amsgi->hmac, digest, 20)) {
diff --git a/pjnath/src/pjnath/stun_msg.c b/pjnath/src/pjnath/stun_msg.c
index e0092f26..357a74b5 100644
--- a/pjnath/src/pjnath/stun_msg.c
+++ b/pjnath/src/pjnath/stun_msg.c
@@ -2139,6 +2139,7 @@ PJ_DEF(pj_status_t) pj_stun_msg_encode(pj_stun_msg *msg,
     if (amsgint != NULL) {
 
 	pj_uint8_t md5_key_buf[16];
+	pj_hmac_sha1_context ctx;
 	pj_str_t key;
 
 	/* MESSAGE-INTEGRITY must be the last attribute in the message, or
@@ -2181,10 +2182,17 @@ PJ_DEF(pj_status_t) pj_stun_msg_encode(pj_stun_msg *msg,
 	    key.slen = 16;
 	}
 
-	/* Calculate HMAC-SHA1 digest */
-	pj_hmac_sha1((pj_uint8_t*)start, buf-start, 
-		     (pj_uint8_t*)key.ptr, key.slen,
-		     amsgint->hmac);
+	/* Calculate HMAC-SHA1 digest, add zero padding to input
+	 * if necessary to make the input 64 bytes aligned.
+	 */
+	pj_hmac_sha1_init(&ctx, (pj_uint8_t*)key.ptr, key.slen);
+	pj_hmac_sha1_update(&ctx, (pj_uint8_t*)start, buf-start);
+	if ((buf-start) & 0x3F) {
+	    pj_uint8_t zeroes[64];
+	    pj_bzero(zeroes, sizeof(zeroes));
+	    pj_hmac_sha1_update(&ctx, zeroes, 64-((buf-start) & 0x3F));
+	}
+	pj_hmac_sha1_final(&ctx, amsgint->hmac);
 
 	/* Put this attribute in the message */
 	status = encode_msgint_attr(amsgint, buf, buf_size,