Switch to EVP_MD digest

2009-08-16 11:58:03 +02:00
parent b39e108bd8
commit 4378f084ef
1 changed files with 97 additions and 69 deletions
--- a/kdc/digest.c
+++ b/kdc/digest.c
@@ -613,7 +613,7 @@ _kdc_do_digest(krb5_context context,
 	}

 	if (strcasecmp(ireq.u.digestRequest.type, "CHAP") == 0) {
-	    MD5_CTX ctx;
+	    EVP_MD_CTX ctx;
 	    unsigned char md[MD5_DIGEST_LENGTH];
 	    char *mdx;
 	    char id;
@@ -642,11 +642,15 @@ _kdc_do_digest(krb5_context context,
 	    if (ret)
 		goto out;

-	    MD5_Init(&ctx);
-	    MD5_Update(&ctx, &id, 1);
-	    MD5_Update(&ctx, password, strlen(password));
-	    MD5_Update(&ctx, serverNonce.data, serverNonce.length);
-	    MD5_Final(md, &ctx);
+	    EVP_MD_CTX_init(&ctx);
+
+	    EVP_DigestInit_ex(&ctx, EVP_md5(), NULL);
+	    EVP_DigestUpdate(&ctx, &id, 1);
+	    EVP_DigestUpdate(&ctx, password, strlen(password));
+	    EVP_DigestUpdate(&ctx, serverNonce.data, serverNonce.length);
+	    EVP_DigestFinal_ex(&ctx, md, NULL);
+
+	    EVP_MD_CTX_cleanup(&ctx);

 	    hex_encode(md, sizeof(md), &mdx);
 	    if (mdx == NULL) {
@@ -669,7 +673,7 @@ _kdc_do_digest(krb5_context context,
 	    }

 	} else if (strcasecmp(ireq.u.digestRequest.type, "SASL-DIGEST-MD5") == 0) {
-	    MD5_CTX ctx;
+	    EVP_MD_CTX ctx;
 	    unsigned char md[MD5_DIGEST_LENGTH];
 	    char *mdx;
 	    char *A1, *A2;
@@ -694,49 +698,54 @@ _kdc_do_digest(krb5_context context,
 	    if (ret)
 		goto failed;

-	    MD5_Init(&ctx);
-	    MD5_Update(&ctx, ireq.u.digestRequest.username,
+	    EVP_MD_CTX_init(&ctx);
+
+	    EVP_DigestInit_ex(&ctx, EVP_md5(), NULL);
+	    EVP_DigestUpdate(&ctx, ireq.u.digestRequest.username,
 		       strlen(ireq.u.digestRequest.username));
-	    MD5_Update(&ctx, ":", 1);
-	    MD5_Update(&ctx, *ireq.u.digestRequest.realm,
+	    EVP_DigestUpdate(&ctx, ":", 1);
+	    EVP_DigestUpdate(&ctx, *ireq.u.digestRequest.realm,
 		       strlen(*ireq.u.digestRequest.realm));
-	    MD5_Update(&ctx, ":", 1);
-	    MD5_Update(&ctx, password, strlen(password));
-	    MD5_Final(md, &ctx);
+	    EVP_DigestUpdate(&ctx, ":", 1);
+	    EVP_DigestUpdate(&ctx, password, strlen(password));
+	    EVP_DigestFinal_ex(&ctx, md, NULL);
 	
-	    MD5_Init(&ctx);
-	    MD5_Update(&ctx, md, sizeof(md));
-	    MD5_Update(&ctx, ":", 1);
-	    MD5_Update(&ctx, ireq.u.digestRequest.serverNonce,
+	    EVP_DigestInit_ex(&ctx, EVP_md5(), NULL);
+	    EVP_DigestUpdate(&ctx, md, sizeof(md));
+	    EVP_DigestUpdate(&ctx, ":", 1);
+	    EVP_DigestUpdate(&ctx, ireq.u.digestRequest.serverNonce,
 		       strlen(ireq.u.digestRequest.serverNonce));
-	    MD5_Update(&ctx, ":", 1);
-	    MD5_Update(&ctx, *ireq.u.digestRequest.nonceCount,
+	    EVP_DigestUpdate(&ctx, ":", 1);
+	    EVP_DigestUpdate(&ctx, *ireq.u.digestRequest.nonceCount,
 		       strlen(*ireq.u.digestRequest.nonceCount));
 	    if (ireq.u.digestRequest.authid) {
-		MD5_Update(&ctx, ":", 1);
-		MD5_Update(&ctx, *ireq.u.digestRequest.authid,
+		EVP_DigestUpdate(&ctx, ":", 1);
+		EVP_DigestUpdate(&ctx, *ireq.u.digestRequest.authid,
 			   strlen(*ireq.u.digestRequest.authid));
 	    }
-	    MD5_Final(md, &ctx);
+	    EVP_DigestFinal_ex(&ctx, md, NULL);
 	    hex_encode(md, sizeof(md), &A1);
 	    if (A1 == NULL) {
 		ret = ENOMEM;
 		krb5_set_error_message(context, ret, "malloc: out of memory");
+		EVP_MD_CTX_cleanup(&ctx);
 		goto failed;
 	    }
 	
-	    MD5_Init(&ctx);
-	    MD5_Update(&ctx, "AUTHENTICATE:", sizeof("AUTHENTICATE:") - 1);
-	    MD5_Update(&ctx, *ireq.u.digestRequest.uri,
+	    EVP_DigestInit_ex(&ctx, EVP_md5(), NULL);
+	    EVP_DigestUpdate(&ctx,
+			     "AUTHENTICATE:", sizeof("AUTHENTICATE:") - 1);
+	    EVP_DigestUpdate(&ctx, *ireq.u.digestRequest.uri,
 		       strlen(*ireq.u.digestRequest.uri));
 	
 	    /* conf|int */
 	    if (strcmp(ireq.u.digestRequest.digest, "clear") != 0) {
 		static char conf_zeros[] = ":00000000000000000000000000000000";
-		MD5_Update(&ctx, conf_zeros, sizeof(conf_zeros) - 1);
+		EVP_DigestUpdate(&ctx, conf_zeros, sizeof(conf_zeros) - 1);
 	    }
 	
-	    MD5_Final(md, &ctx);
+	    EVP_DigestFinal_ex(&ctx, md, NULL);
+
 	    hex_encode(md, sizeof(md), &A2);
 	    if (A2 == NULL) {
 		ret = ENOMEM;
@@ -745,24 +754,26 @@ _kdc_do_digest(krb5_context context,
 		goto failed;
 	    }

-	    MD5_Init(&ctx);
-	    MD5_Update(&ctx, A1, strlen(A2));
-	    MD5_Update(&ctx, ":", 1);
-	    MD5_Update(&ctx, ireq.u.digestRequest.serverNonce,
+	    EVP_DigestInit_ex(&ctx, EVP_md5(), NULL);
+	    EVP_DigestUpdate(&ctx, A1, strlen(A2));
+	    EVP_DigestUpdate(&ctx, ":", 1);
+	    EVP_DigestUpdate(&ctx, ireq.u.digestRequest.serverNonce,
 		       strlen(ireq.u.digestRequest.serverNonce));
-	    MD5_Update(&ctx, ":", 1);
-	    MD5_Update(&ctx, *ireq.u.digestRequest.nonceCount,
+	    EVP_DigestUpdate(&ctx, ":", 1);
+	    EVP_DigestUpdate(&ctx, *ireq.u.digestRequest.nonceCount,
 		       strlen(*ireq.u.digestRequest.nonceCount));
-	    MD5_Update(&ctx, ":", 1);
-	    MD5_Update(&ctx, *ireq.u.digestRequest.clientNonce,
+	    EVP_DigestUpdate(&ctx, ":", 1);
+	    EVP_DigestUpdate(&ctx, *ireq.u.digestRequest.clientNonce,
 		       strlen(*ireq.u.digestRequest.clientNonce));
-	    MD5_Update(&ctx, ":", 1);
-	    MD5_Update(&ctx, *ireq.u.digestRequest.qop,
+	    EVP_DigestUpdate(&ctx, ":", 1);
+	    EVP_DigestUpdate(&ctx, *ireq.u.digestRequest.qop,
 		       strlen(*ireq.u.digestRequest.qop));
-	    MD5_Update(&ctx, ":", 1);
-	    MD5_Update(&ctx, A2, strlen(A2));
+	    EVP_DigestUpdate(&ctx, ":", 1);
+	    EVP_DigestUpdate(&ctx, A2, strlen(A2));

-	    MD5_Final(md, &ctx);
+	    EVP_DigestFinal_ex(&ctx, md, NULL);
+
+	    EVP_MD_CTX_cleanup(&ctx);

 	    free(A1);
 	    free(A2);
@@ -793,7 +804,7 @@ _kdc_do_digest(krb5_context context,
 	    const char *username;
 	    struct ntlm_buf answer;
 	    Key *key = NULL;
-	    SHA_CTX ctx;
+	    EVP_MD_CTX ctx;

 	    if ((config->digests_allowed & MS_CHAP_V2) == 0) {
 		kdc_log(context, config, 0, "MS-CHAP-V2 not allowed");
@@ -820,8 +831,10 @@ _kdc_do_digest(krb5_context context,
 	    else
 		username++;

+	    EVP_MD_CTX_init(&ctx);
+
 	    /* ChallangeHash */
-	    SHA1_Init(&ctx);
+	    EVP_DigestInit_ex(&ctx, EVP_sha1(), NULL);
 	    {
 		ssize_t ssize;
 		krb5_data clientNonce;
@@ -830,7 +843,9 @@ _kdc_do_digest(krb5_context context,
 		clientNonce.data = malloc(clientNonce.length);
 		if (clientNonce.data == NULL) {
 		    ret = ENOMEM;
-		    krb5_set_error_message(context, ret, "malloc: out of memory");
+		    krb5_set_error_message(context, ret,
+					   "malloc: out of memory");
+		    EVP_MD_CTX_cleanup(&ctx);
 		    goto out;
 		}

@@ -840,14 +855,18 @@ _kdc_do_digest(krb5_context context,
 		    ret = ENOMEM;
 		    krb5_set_error_message(context, ret,
 					   "Failed to decode clientNonce");
+		    EVP_MD_CTX_cleanup(&ctx);
 		    goto out;
 		}
-		SHA1_Update(&ctx, clientNonce.data, ssize);
+		EVP_DigestUpdate(&ctx, clientNonce.data, ssize);
 		free(clientNonce.data);
 	    }
-	    SHA1_Update(&ctx, serverNonce.data, serverNonce.length);
-	    SHA1_Update(&ctx, username, strlen(username));
-	    SHA1_Final(challange, &ctx);
+	    EVP_DigestUpdate(&ctx, serverNonce.data, serverNonce.length);
+	    EVP_DigestUpdate(&ctx, username, strlen(username));
+
+	    EVP_DigestFinal_ex(&ctx, challange, NULL);
+
+	    EVP_MD_CTX_cleanup(&ctx);

 	    /* NtPasswordHash */
 	    ret = krb5_parse_name(context, username, &clientprincipal);
@@ -904,34 +923,39 @@ _kdc_do_digest(krb5_context context,

 	    if (r.u.response.success) {
 		unsigned char hashhash[MD4_DIGEST_LENGTH];
+		EVP_MD_CTX ctx;
+
+		EVP_MD_CTX_init(&ctx);

 		/* hashhash */
 		{
-		    MD4_CTX hctx;
-
-		    MD4_Init(&hctx);
-		    MD4_Update(&hctx, key->key.keyvalue.data,
-			       key->key.keyvalue.length);
-		    MD4_Final(hashhash, &hctx);
+		    EVP_DigestInit_ex(&ctx, EVP_md4(), NULL);
+		    EVP_DigestUpdate(&ctx,
+				     key->key.keyvalue.data,
+				     key->key.keyvalue.length);
+		    EVP_DigestFinal_ex(&ctx, hashhash, NULL);
 		}

 		/* GenerateAuthenticatorResponse */
-		SHA1_Init(&ctx);
-		SHA1_Update(&ctx, hashhash, sizeof(hashhash));
-		SHA1_Update(&ctx, answer.data, answer.length);
-		SHA1_Update(&ctx, ms_chap_v2_magic1,sizeof(ms_chap_v2_magic1));
-		SHA1_Final(md, &ctx);
+		EVP_DigestInit_ex(&ctx, EVP_sha1(), NULL);
+		EVP_DigestUpdate(&ctx, hashhash, sizeof(hashhash));
+		EVP_DigestUpdate(&ctx, answer.data, answer.length);
+		EVP_DigestUpdate(&ctx, ms_chap_v2_magic1,
+				 sizeof(ms_chap_v2_magic1));
+		EVP_DigestFinal_ex(&ctx, md, NULL);

-		SHA1_Init(&ctx);
-		SHA1_Update(&ctx, md, sizeof(md));
-		SHA1_Update(&ctx, challange, 8);
-		SHA1_Update(&ctx, ms_chap_v2_magic2, sizeof(ms_chap_v2_magic2));
-		SHA1_Final(md, &ctx);
+		EVP_DigestInit_ex(&ctx, EVP_sha1(), NULL);
+		EVP_DigestUpdate(&ctx, md, sizeof(md));
+		EVP_DigestUpdate(&ctx, challange, 8);
+		EVP_DigestUpdate(&ctx, ms_chap_v2_magic2,
+				 sizeof(ms_chap_v2_magic2));
+		EVP_DigestFinal_ex(&ctx, md, NULL);

 		r.u.response.rsp = calloc(1, sizeof(*r.u.response.rsp));
 		if (r.u.response.rsp == NULL) {
 		    free(answer.data);
 		    krb5_clear_error_message(context);
+		    EVP_MD_CTX_cleanup(&ctx);
 		    ret = ENOMEM;
 		    goto out;
 		}
@@ -940,19 +964,23 @@ _kdc_do_digest(krb5_context context,
 		if (r.u.response.rsp == NULL) {
 		    free(answer.data);
 		    krb5_clear_error_message(context);
+		    EVP_MD_CTX_cleanup(&ctx);
 		    ret = ENOMEM;
 		    goto out;
 		}

 		/* get_master, rfc 3079 3.4 */
-		SHA1_Init(&ctx);
-		SHA1_Update(&ctx, hashhash, 16); /* md4(hash) */
-		SHA1_Update(&ctx, answer.data, answer.length);
-		SHA1_Update(&ctx, ms_rfc3079_magic1, sizeof(ms_rfc3079_magic1));
-		SHA1_Final(md, &ctx);
+		EVP_DigestInit_ex(&ctx, EVP_sha1(), NULL);
+		EVP_DigestUpdate(&ctx, hashhash, 16);
+		EVP_DigestUpdate(&ctx, answer.data, answer.length);
+		EVP_DigestUpdate(&ctx, ms_rfc3079_magic1,
+				 sizeof(ms_rfc3079_magic1));
+		EVP_DigestFinal_ex(&ctx, md, NULL);

 		free(answer.data);

+		EVP_MD_CTX_cleanup(&ctx);
+
 		r.u.response.session_key =
 		    calloc(1, sizeof(*r.u.response.session_key));
 		if (r.u.response.session_key == NULL) {