From 21ef2f1372318ac207b79f2d26ab488fb1e25c10 Mon Sep 17 00:00:00 2001
From: Pierre-Olivier Mercier
Date: Sat, 19 Feb 2022 15:30:26 +0100
Subject: [PATCH] Fix HMAC calculation

---
 hmac-generator/main.go | 5 ++++-
 libadlin/students.go | 4 +++-
 pkg/login-validator/cmd/login.go | 5 ++++-
 pkg/login-validator/cmd/pxetpl.go | 3 ++-
 token-validator/handler.go | 9 +++++++--
 5 files changed, 20 insertions(+), 6 deletions(-)

diff --git a/hmac-generator/main.go b/hmac-generator/main.go
index ee68fcc..8a84b14 100644
--- a/hmac-generator/main.go
+++ b/hmac-generator/main.go
@@ -15,5 +15,8 @@ func main() {
 sharedSecret = os.Args[1]
 }
 
- fmt.Println(base64.StdEncoding.EncodeToString(hmac.New(sha512.New, []byte(sharedSecret)).Sum([]byte(fmt.Sprintf("%d", time.Now().Unix()/10)))))
+ h := hmac.New(sha512.New, []byte(sharedSecret))
+ h.Write([]byte(fmt.Sprintf("%d", time.Now().Unix()/10)))
+
+ fmt.Println(base64.StdEncoding.EncodeToString(h.Sum(nil)))
 }
diff --git a/libadlin/students.go b/libadlin/students.go
index 9903cc0..70711d1 100644
--- a/libadlin/students.go
+++ b/libadlin/students.go
@@ -68,7 +68,9 @@ func NewStudent(login string) (*Student, error) {
 }
 
 func (s *Student) GetPKey() []byte {
- return hmac.New(sha512.New512_224, []byte(SharedSecret)).Sum([]byte(s.Login))
+ h := hmac.New(sha512.New512_224, []byte(SharedSecret))
+ h.Write([]byte(s.Login))
+ return h.Sum(nil)
 }
 
 func (s *Student) Update() (int64, error) {
diff --git a/pkg/login-validator/cmd/login.go b/pkg/login-validator/cmd/login.go
index c95ceed..9126b51 100644
--- a/pkg/login-validator/cmd/login.go
+++ b/pkg/login-validator/cmd/login.go
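Review bot: The three added lines in main() are now the third copy of the same token computation (login.go's registerUser and handler.go's remoteValidatorHandler compute it too, handler.go twice), which is why a single bug needed five edits; a helper in libadlin along the lines of `func TimeToken(secret string, t time.Time) []byte` doing the `hmac.New`/`Write`/`Sum(nil)` sequence over `t.Unix()/10` would keep generator and validator from drifting again, provided hmac-generator may depend on libadlin. The `h.Write` return value is discarded; `hash.Hash` documents that Write never returns an error, so `_, _ = h.Write(...)` or a one-line comment is enough to keep errcheck quiet. Because the old `.Sum(data)` form emitted `data || HMAC(key, "")` rather than a MAC over data, tokens from an unpatched generator will not validate against the patched handler, so hmac-generator, login-validator and token-validator have to be rolled out together. main() begins before this hunk.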
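Review bot: GetPKey is exported but carries no doc comment, and the new `h.Write` call drops its return value; a comment such as `// GetPKey derives the student's key as the HMAC-SHA512/224 of the login under SharedSecret.` would record the contract now that the derivation is actually keyed. pxetpl.go's registerUser computes what looks like the same value with loginSalt as the key; if loginSalt and SharedSecret are the same material, having pxetpl.go obtain the key through this method instead of a second hand-rolled HMAC would keep the two from diverging, which the old `.Sum(login)` bug shows is easy to do. Go convention drops the `Get` prefix on getters, but renaming an exported method is out of scope for this fix.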
@@ -143,7 +143,10 @@ func (l loginChecker) registerUser(username, remoteAddr string, ent ARPEntry) (n
 if err != nil {
 return nil, err
 }
- req.Header.Add("X-ADLIN-Authentication", base64.StdEncoding.EncodeToString(hmac.New(sha512.New, []byte(loginSalt)).Sum([]byte(fmt.Sprintf("%d", time.Now().Unix()/10)))))
+
+ h := hmac.New(sha512.New, []byte(loginSalt))
+ h.Write([]byte(fmt.Sprintf("%d", time.Now().Unix()/10)))
+ req.Header.Add("X-ADLIN-Authentication", base64.StdEncoding.EncodeToString(h.Sum(nil)))
 req.Header.Set("Content-Type", "application/json")
 
 client := &http.Client{}
diff --git a/pkg/login-validator/cmd/pxetpl.go b/pkg/login-validator/cmd/pxetpl.go
index 9cf8882..b7674a1 100644
--- a/pkg/login-validator/cmd/pxetpl.go
+++ b/pkg/login-validator/cmd/pxetpl.go
@@ -36,6 +36,7 @@ func registerUser(tplPath string, filename string, username string, ip net.IP) e
 defer userfd.Close()
 
 pkey := hmac.New(sha512.New512_224, []byte(loginSalt))
+ pkey.Write([]byte(username))
 
 if len(ip.To4()) != 4 {
 return fmt.Errorf("Unable to assign a protected IP.")
@@ -45,7 +46,7 @@ func registerUser(tplPath string, filename string, username string, ip net.IP) e
 return err
 } else if err := pxeTmpl.Execute(userfd, map[string]string{
 "username": username,
- "pkey": fmt.Sprintf("%x", pkey.Sum([]byte(username))),
+ "pkey": fmt.Sprintf("%x", pkey.Sum(nil)),
 "ip": ip.String(),
 }); err != nil {
 return err
diff --git a/token-validator/handler.go b/token-validator/handler.go
index 240224b..3648fce 100644
--- a/token-validator/handler.go
+++ b/token-validator/handler.go
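Review bot: The added header value depends only on loginSalt and the current 10-second window, so every registerUser request in that window carries the identical `X-ADLIN-Authentication` value, and handler.go additionally computes a previousMAC that is presumably accepted as well; if replay of a captured header within that period matters, the MAC input should also cover request-specific data (for example the JSON body being posted), with the validator recomputing over the same material. The `h.Write` return value is discarded here as in the other hunks, which is harmless for `hash.Hash` but worth a `_, _ =` if the project runs errcheck. registerUser starts before and ends after this hunk.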
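Review bot: The new `pkey.Write([]byte(username))` sits ahead of the `ip.To4()` check that can return early, so the MAC is computed on a path that may never read it; moving `pkey := hmac.New(...)` and the Write down to just before the `pxeTmpl.Execute` call in the second hunk keeps the derivation next to the only `pkey.Sum(nil)` and makes the two lines harder to separate again. `pkey` holds a `hash.Hash`, not a key, so naming the hash `mac` or `h` and reserving `pkey` for the hex string placed in the template map would read more clearly. registerUser starts before the first hunk and ends after the second.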
@@ -28,8 +28,13 @@ type DispatchFunction func(httprouter.Params, []byte) (interface{}, error) func remoteValidatorHandler(f func(http.ResponseWriter, *http.Request, httprouter.Params)) func(http.ResponseWriter, *http.Request, httprouter.Params) { return func(w http.ResponseWriter, r *http.Request, ps httprouter.Params) { - expectedMAC := hmac.New(sha512.New, []byte(adlin.SharedSecret)).Sum([]byte(fmt.Sprintf("%d", time.Now().Unix()/10))) - previousMAC := hmac.New(sha512.New, []byte(adlin.SharedSecret)).Sum([]byte(fmt.Sprintf("%d", time.Now().Unix()/10-1))) + h := hmac.New(sha512.New, []byte(adlin.SharedSecret)) + h.Write([]byte(fmt.Sprintf("%d", time.Now().Unix()/10))) + expectedMAC := h.Sum(nil) + + h = hmac.New(sha512.New, []byte(adlin.SharedSecret)) + h.Write([]byte(fmt.Sprintf("%d", time.Now().Unix()/10-1))) + previousMAC := h.Sum(nil) if aauth, err := base64.StdEncoding.DecodeString(r.Header.Get("X-ADLIN-Authentication")); err != nil { http.Error(w, fmt.Sprintf("{\"errmsg\":%q}\n", err), http.StatusUnauthorized)