
sha512 fixes

mom040267 10 years ago
parent
commit
07753ebebc
3 changed files with 32 additions and 2 deletions
  1. 13 1
      src/client/ns_turn_msg.c
  2. 1 0
      src/client/ns_turn_msg_defs_new.h
  3. 18 1
      src/server/ns_turn_server.c

+ 13 - 1
src/client/ns_turn_msg.c

@@ -1647,21 +1647,33 @@ int stun_check_message_integrity_by_key_str(turn_credential_type ct, u08bits *bu
 	switch(sarlen) {
 	case SHA256SIZEBYTES:
 		shasize = SHA256SIZEBYTES;
+		if(shatype > SHATYPE_SHA256) {
+			if(too_weak)
+				*too_weak = 1;
+				return -1;
+		}
 		if(shatype != SHATYPE_SHA256)
 			return -1;
 		break;
 	case SHA512SIZEBYTES:
 		shasize = SHA512SIZEBYTES;
+		if(shatype > SHATYPE_SHA512) {
+			if(too_weak)
+				*too_weak = 1;
+				return -1;
+		}
 		if(shatype != SHATYPE_SHA512)
 			return -1;
 		break;
 	case SHA1SIZEBYTES:
 		shasize = SHA1SIZEBYTES;
-		if(shatype != SHATYPE_SHA1) {
+		if(shatype > SHATYPE_SHA1) {
 			if(too_weak)
 				*too_weak = 1;
 			return -1;
 		}
+		if(shatype != SHATYPE_SHA1)
+			return -1;
 		break;
 	default:
 		return -1;
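Review bot: In the new SHA256 and SHA512 blocks the `return -1;` is indented one level deeper than the unbraced `if(too_weak)` above it, so it reads as conditional on `too_weak` although it runs for every caller that enters the block. Behaviour matches the SHA1 case today, but in an integrity-check path this layout makes it easy for a later edit to skip the rejection by accident; align it with the SHA1 case or brace the inner test, `if(too_weak) { *too_weak = 1; }` followed by `return -1;` at the outer level. The `>` comparisons also assume the SHATYPE enumerators are declared in ascending strength, which this diff does not show; a comment at the enum saying `/* order matters: compared with > to detect too-weak digests */` would protect the check against a reordering. The switch and the enclosing function continue outside the hunk.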

+ 1 - 0
src/client/ns_turn_msg_defs_new.h

@@ -65,6 +65,7 @@ typedef enum _SHATYPE SHATYPE;
 #define shatype_name(sht) ((sht == SHATYPE_SHA1) ? "SHA1" : ((sht == SHATYPE_SHA256) ? "SHA256" : ((sht == SHATYPE_SHA512) ? "SHA512" : "SHA UNKNOWN")))
 
 #define SHA_TOO_WEAK_ERROR_CODE (426)
+#define SHA_TOO_WEAK_ERROR_REASON ((const u08bits*)("credentials too weak"))
 
 /* <<== SHA AGILITY */
 

+ 18 - 1
src/server/ns_turn_server.c

@@ -3292,20 +3292,36 @@ static int check_stun_auth(turn_turnserver *server,
 
 	{
 		int sarlen = stun_attr_get_len(sar);
+
 		switch(sarlen) {
 		case SHA1SIZEBYTES:
-			if(server->shatype != SHATYPE_SHA1) {
+			if(server->shatype > SHATYPE_SHA1) {
 				*err_code = SHA_TOO_WEAK_ERROR_CODE;
+				*reason = SHA_TOO_WEAK_ERROR_REASON;
+				return create_challenge_response(ss,tid,resp_constructed,err_code,reason,nbh,method);
+			}
+			if(server->shatype != SHATYPE_SHA1) {
+				*err_code = 401;
 				return create_challenge_response(ss,tid,resp_constructed,err_code,reason,nbh,method);
 			}
 			break;
 		case SHA256SIZEBYTES:
+			if(server->shatype > SHATYPE_SHA256) {
+				*err_code = SHA_TOO_WEAK_ERROR_CODE;
+				*reason = SHA_TOO_WEAK_ERROR_REASON;
+				return create_challenge_response(ss,tid,resp_constructed,err_code,reason,nbh,method);
+			}
 			if(server->shatype != SHATYPE_SHA256) {
 				*err_code = 401;
 				return create_challenge_response(ss,tid,resp_constructed,err_code,reason,nbh,method);
 			}
 			break;
 		case SHA512SIZEBYTES:
+			if(server->shatype > SHATYPE_SHA512) {
+				*err_code = SHA_TOO_WEAK_ERROR_CODE;
+				*reason = SHA_TOO_WEAK_ERROR_REASON;
+				return create_challenge_response(ss,tid,resp_constructed,err_code,reason,nbh,method);
+			}
 			if(server->shatype != SHATYPE_SHA512) {
 				*err_code = 401;
 				return create_challenge_response(ss,tid,resp_constructed,err_code,reason,nbh,method);
@@ -3452,6 +3468,7 @@ static int check_stun_auth(turn_turnserver *server,
 							"%s: user %s credentials are incorrect: SHA function is too weak\n",
 									__FUNCTION__, (char*)usname);
 					*err_code = SHA_TOO_WEAK_ERROR_CODE;
+					*reason = SHA_TOO_WEAK_ERROR_REASON;
 					*reason = (const u08bits*)"Unauthorised: weak SHA function is used";
 					return create_challenge_response(ss,tid,resp_constructed,err_code,reason,nbh,method);
 		}
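Review bot: In the second hunk of this file the added `*reason = SHA_TOO_WEAK_ERROR_REASON;` is a dead store, because the unchanged line right after it still assigns `(const u08bits*)"Unauthorised: weak SHA function is used"`. This path therefore keeps sending the old text, while the three switch cases in the first hunk send "credentials too weak" with the same 426 code. Remove the old assignment so that only `*reason = SHA_TOO_WEAK_ERROR_REASON;` precedes the `create_challenge_response(...)` call. Separately, the 401 branches in the first hunk set `*err_code` but not `*reason`; whether the caller pre-initialises it is not visible here and is worth confirming. check_stun_auth starts and ends outside both hunks.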