From 4378f084efaf68710817d59910c0482e07913832 Mon Sep 17 00:00:00 2001 From: Love Hornquist Astrand Date: Sun, 16 Aug 2009 11:58:03 +0200 Subject: [PATCH] Switch to EVP_MD digest --- kdc/digest.c | 166 ++++++++++++++++++++++++++++++--------------------- 1 file changed, 97 insertions(+), 69 deletions(-) diff --git a/kdc/digest.c b/kdc/digest.c index d13507fc1..091dee089 100644 --- a/kdc/digest.c +++ b/kdc/digest.c @@ -613,7 +613,7 @@ _kdc_do_digest(krb5_context context, } if (strcasecmp(ireq.u.digestRequest.type, "CHAP") == 0) { - MD5_CTX ctx; + EVP_MD_CTX ctx; unsigned char md[MD5_DIGEST_LENGTH]; char *mdx; char id; @@ -642,11 +642,15 @@ _kdc_do_digest(krb5_context context, if (ret) goto out; - MD5_Init(&ctx); - MD5_Update(&ctx, &id, 1); - MD5_Update(&ctx, password, strlen(password)); - MD5_Update(&ctx, serverNonce.data, serverNonce.length); - MD5_Final(md, &ctx); + EVP_MD_CTX_init(&ctx); + + EVP_DigestInit_ex(&ctx, EVP_md5(), NULL); + EVP_DigestUpdate(&ctx, &id, 1); + EVP_DigestUpdate(&ctx, password, strlen(password)); + EVP_DigestUpdate(&ctx, serverNonce.data, serverNonce.length); + EVP_DigestFinal_ex(&ctx, md, NULL); + + EVP_MD_CTX_cleanup(&ctx); hex_encode(md, sizeof(md), &mdx); if (mdx == NULL) { @@ -669,7 +673,7 @@ _kdc_do_digest(krb5_context context, } } else if (strcasecmp(ireq.u.digestRequest.type, "SASL-DIGEST-MD5") == 0) { - MD5_CTX ctx; + EVP_MD_CTX ctx; unsigned char md[MD5_DIGEST_LENGTH]; char *mdx; char *A1, *A2; @@ -694,49 +698,54 @@ _kdc_do_digest(krb5_context context, if (ret) goto failed; - MD5_Init(&ctx); - MD5_Update(&ctx, ireq.u.digestRequest.username, + EVP_MD_CTX_init(&ctx); + + EVP_DigestInit_ex(&ctx, EVP_md5(), NULL); + EVP_DigestUpdate(&ctx, ireq.u.digestRequest.username, strlen(ireq.u.digestRequest.username)); - MD5_Update(&ctx, ":", 1); - MD5_Update(&ctx, *ireq.u.digestRequest.realm, + EVP_DigestUpdate(&ctx, ":", 1); + EVP_DigestUpdate(&ctx, *ireq.u.digestRequest.realm, strlen(*ireq.u.digestRequest.realm)); - MD5_Update(&ctx, ":", 1); - MD5_Update(&ctx, password, strlen(password)); - MD5_Final(md, &ctx); + EVP_DigestUpdate(&ctx, ":", 1); + EVP_DigestUpdate(&ctx, password, strlen(password)); + EVP_DigestFinal_ex(&ctx, md, NULL); - MD5_Init(&ctx); - MD5_Update(&ctx, md, sizeof(md)); - MD5_Update(&ctx, ":", 1); - MD5_Update(&ctx, ireq.u.digestRequest.serverNonce, + EVP_DigestInit_ex(&ctx, EVP_md5(), NULL); + EVP_DigestUpdate(&ctx, md, sizeof(md)); + EVP_DigestUpdate(&ctx, ":", 1); + EVP_DigestUpdate(&ctx, ireq.u.digestRequest.serverNonce, strlen(ireq.u.digestRequest.serverNonce)); - MD5_Update(&ctx, ":", 1); - MD5_Update(&ctx, *ireq.u.digestRequest.nonceCount, + EVP_DigestUpdate(&ctx, ":", 1); + EVP_DigestUpdate(&ctx, *ireq.u.digestRequest.nonceCount, strlen(*ireq.u.digestRequest.nonceCount)); if (ireq.u.digestRequest.authid) { - MD5_Update(&ctx, ":", 1); - MD5_Update(&ctx, *ireq.u.digestRequest.authid, + EVP_DigestUpdate(&ctx, ":", 1); + EVP_DigestUpdate(&ctx, *ireq.u.digestRequest.authid, strlen(*ireq.u.digestRequest.authid)); } - MD5_Final(md, &ctx); + EVP_DigestFinal_ex(&ctx, md, NULL); hex_encode(md, sizeof(md), &A1); if (A1 == NULL) { ret = ENOMEM; krb5_set_error_message(context, ret, "malloc: out of memory"); + EVP_MD_CTX_cleanup(&ctx); goto failed; } - MD5_Init(&ctx); - MD5_Update(&ctx, "AUTHENTICATE:", sizeof("AUTHENTICATE:") - 1); - MD5_Update(&ctx, *ireq.u.digestRequest.uri, + EVP_DigestInit_ex(&ctx, EVP_md5(), NULL); + EVP_DigestUpdate(&ctx, + "AUTHENTICATE:", sizeof("AUTHENTICATE:") - 1); + EVP_DigestUpdate(&ctx, *ireq.u.digestRequest.uri, strlen(*ireq.u.digestRequest.uri)); /* conf|int */ if (strcmp(ireq.u.digestRequest.digest, "clear") != 0) { static char conf_zeros[] = ":00000000000000000000000000000000"; - MD5_Update(&ctx, conf_zeros, sizeof(conf_zeros) - 1); + EVP_DigestUpdate(&ctx, conf_zeros, sizeof(conf_zeros) - 1); } - MD5_Final(md, &ctx); + EVP_DigestFinal_ex(&ctx, md, NULL); + hex_encode(md, sizeof(md), &A2); if (A2 == NULL) { ret = ENOMEM; @@ -745,24 +754,26 @@ _kdc_do_digest(krb5_context context, goto failed; } - MD5_Init(&ctx); - MD5_Update(&ctx, A1, strlen(A2)); - MD5_Update(&ctx, ":", 1); - MD5_Update(&ctx, ireq.u.digestRequest.serverNonce, + EVP_DigestInit_ex(&ctx, EVP_md5(), NULL); + EVP_DigestUpdate(&ctx, A1, strlen(A2)); + EVP_DigestUpdate(&ctx, ":", 1); + EVP_DigestUpdate(&ctx, ireq.u.digestRequest.serverNonce, strlen(ireq.u.digestRequest.serverNonce)); - MD5_Update(&ctx, ":", 1); - MD5_Update(&ctx, *ireq.u.digestRequest.nonceCount, + EVP_DigestUpdate(&ctx, ":", 1); + EVP_DigestUpdate(&ctx, *ireq.u.digestRequest.nonceCount, strlen(*ireq.u.digestRequest.nonceCount)); - MD5_Update(&ctx, ":", 1); - MD5_Update(&ctx, *ireq.u.digestRequest.clientNonce, + EVP_DigestUpdate(&ctx, ":", 1); + EVP_DigestUpdate(&ctx, *ireq.u.digestRequest.clientNonce, strlen(*ireq.u.digestRequest.clientNonce)); - MD5_Update(&ctx, ":", 1); - MD5_Update(&ctx, *ireq.u.digestRequest.qop, + EVP_DigestUpdate(&ctx, ":", 1); + EVP_DigestUpdate(&ctx, *ireq.u.digestRequest.qop, strlen(*ireq.u.digestRequest.qop)); - MD5_Update(&ctx, ":", 1); - MD5_Update(&ctx, A2, strlen(A2)); + EVP_DigestUpdate(&ctx, ":", 1); + EVP_DigestUpdate(&ctx, A2, strlen(A2)); - MD5_Final(md, &ctx); + EVP_DigestFinal_ex(&ctx, md, NULL); + + EVP_MD_CTX_cleanup(&ctx); free(A1); free(A2); @@ -793,7 +804,7 @@ _kdc_do_digest(krb5_context context, const char *username; struct ntlm_buf answer; Key *key = NULL; - SHA_CTX ctx; + EVP_MD_CTX ctx; if ((config->digests_allowed & MS_CHAP_V2) == 0) { kdc_log(context, config, 0, "MS-CHAP-V2 not allowed"); @@ -820,8 +831,10 @@ _kdc_do_digest(krb5_context context, else username++; + EVP_MD_CTX_init(&ctx); + /* ChallangeHash */ - SHA1_Init(&ctx); + EVP_DigestInit_ex(&ctx, EVP_sha1(), NULL); { ssize_t ssize; krb5_data clientNonce; @@ -830,7 +843,9 @@ _kdc_do_digest(krb5_context context, clientNonce.data = malloc(clientNonce.length); if (clientNonce.data == NULL) { ret = ENOMEM; - krb5_set_error_message(context, ret, "malloc: out of memory"); + krb5_set_error_message(context, ret, + "malloc: out of memory"); + EVP_MD_CTX_cleanup(&ctx); goto out; } @@ -840,14 +855,18 @@ _kdc_do_digest(krb5_context context, ret = ENOMEM; krb5_set_error_message(context, ret, "Failed to decode clientNonce"); + EVP_MD_CTX_cleanup(&ctx); goto out; } - SHA1_Update(&ctx, clientNonce.data, ssize); + EVP_DigestUpdate(&ctx, clientNonce.data, ssize); free(clientNonce.data); } - SHA1_Update(&ctx, serverNonce.data, serverNonce.length); - SHA1_Update(&ctx, username, strlen(username)); - SHA1_Final(challange, &ctx); + EVP_DigestUpdate(&ctx, serverNonce.data, serverNonce.length); + EVP_DigestUpdate(&ctx, username, strlen(username)); + + EVP_DigestFinal_ex(&ctx, challange, NULL); + + EVP_MD_CTX_cleanup(&ctx); /* NtPasswordHash */ ret = krb5_parse_name(context, username, &clientprincipal); @@ -904,34 +923,39 @@ _kdc_do_digest(krb5_context context, if (r.u.response.success) { unsigned char hashhash[MD4_DIGEST_LENGTH]; + EVP_MD_CTX ctx; + + EVP_MD_CTX_init(&ctx); /* hashhash */ { - MD4_CTX hctx; - - MD4_Init(&hctx); - MD4_Update(&hctx, key->key.keyvalue.data, - key->key.keyvalue.length); - MD4_Final(hashhash, &hctx); + EVP_DigestInit_ex(&ctx, EVP_md4(), NULL); + EVP_DigestUpdate(&ctx, + key->key.keyvalue.data, + key->key.keyvalue.length); + EVP_DigestFinal_ex(&ctx, hashhash, NULL); } /* GenerateAuthenticatorResponse */ - SHA1_Init(&ctx); - SHA1_Update(&ctx, hashhash, sizeof(hashhash)); - SHA1_Update(&ctx, answer.data, answer.length); - SHA1_Update(&ctx, ms_chap_v2_magic1,sizeof(ms_chap_v2_magic1)); - SHA1_Final(md, &ctx); + EVP_DigestInit_ex(&ctx, EVP_sha1(), NULL); + EVP_DigestUpdate(&ctx, hashhash, sizeof(hashhash)); + EVP_DigestUpdate(&ctx, answer.data, answer.length); + EVP_DigestUpdate(&ctx, ms_chap_v2_magic1, + sizeof(ms_chap_v2_magic1)); + EVP_DigestFinal_ex(&ctx, md, NULL); - SHA1_Init(&ctx); - SHA1_Update(&ctx, md, sizeof(md)); - SHA1_Update(&ctx, challange, 8); - SHA1_Update(&ctx, ms_chap_v2_magic2, sizeof(ms_chap_v2_magic2)); - SHA1_Final(md, &ctx); + EVP_DigestInit_ex(&ctx, EVP_sha1(), NULL); + EVP_DigestUpdate(&ctx, md, sizeof(md)); + EVP_DigestUpdate(&ctx, challange, 8); + EVP_DigestUpdate(&ctx, ms_chap_v2_magic2, + sizeof(ms_chap_v2_magic2)); + EVP_DigestFinal_ex(&ctx, md, NULL); r.u.response.rsp = calloc(1, sizeof(*r.u.response.rsp)); if (r.u.response.rsp == NULL) { free(answer.data); krb5_clear_error_message(context); + EVP_MD_CTX_cleanup(&ctx); ret = ENOMEM; goto out; } @@ -940,19 +964,23 @@ _kdc_do_digest(krb5_context context, if (r.u.response.rsp == NULL) { free(answer.data); krb5_clear_error_message(context); + EVP_MD_CTX_cleanup(&ctx); ret = ENOMEM; goto out; } /* get_master, rfc 3079 3.4 */ - SHA1_Init(&ctx); - SHA1_Update(&ctx, hashhash, 16); /* md4(hash) */ - SHA1_Update(&ctx, answer.data, answer.length); - SHA1_Update(&ctx, ms_rfc3079_magic1, sizeof(ms_rfc3079_magic1)); - SHA1_Final(md, &ctx); + EVP_DigestInit_ex(&ctx, EVP_sha1(), NULL); + EVP_DigestUpdate(&ctx, hashhash, 16); + EVP_DigestUpdate(&ctx, answer.data, answer.length); + EVP_DigestUpdate(&ctx, ms_rfc3079_magic1, + sizeof(ms_rfc3079_magic1)); + EVP_DigestFinal_ex(&ctx, md, NULL); free(answer.data); + EVP_MD_CTX_cleanup(&ctx); + r.u.response.session_key = calloc(1, sizeof(*r.u.response.session_key)); if (r.u.response.session_key == NULL) {