Switch to EVP_MD digest
166
kdc/digest.c
166
kdc/digest.c
@@ -613,7 +613,7 @@ _kdc_do_digest(krb5_context context,
|
|||||||
}
|
}
|
||||||
|
|
||||||
if (strcasecmp(ireq.u.digestRequest.type, "CHAP") == 0) {
|
if (strcasecmp(ireq.u.digestRequest.type, "CHAP") == 0) {
|
||||||
MD5_CTX ctx;
|
EVP_MD_CTX ctx;
|
||||||
unsigned char md[MD5_DIGEST_LENGTH];
|
unsigned char md[MD5_DIGEST_LENGTH];
|
||||||
char *mdx;
|
char *mdx;
|
||||||
char id;
|
char id;
|
||||||
@@ -642,11 +642,15 @@ _kdc_do_digest(krb5_context context,
|
|||||||
if (ret)
|
if (ret)
|
||||||
goto out;
|
goto out;
|
||||||
|
|
||||||
MD5_Init(&ctx);
|
EVP_MD_CTX_init(&ctx);
|
||||||
MD5_Update(&ctx, &id, 1);
|
|
||||||
MD5_Update(&ctx, password, strlen(password));
|
EVP_DigestInit_ex(&ctx, EVP_md5(), NULL);
|
||||||
MD5_Update(&ctx, serverNonce.data, serverNonce.length);
|
EVP_DigestUpdate(&ctx, &id, 1);
|
||||||
MD5_Final(md, &ctx);
|
EVP_DigestUpdate(&ctx, password, strlen(password));
|
||||||
|
EVP_DigestUpdate(&ctx, serverNonce.data, serverNonce.length);
|
||||||
|
EVP_DigestFinal_ex(&ctx, md, NULL);
|
||||||
|
|
||||||
|
EVP_MD_CTX_cleanup(&ctx);
|
||||||
|
|
||||||
hex_encode(md, sizeof(md), &mdx);
|
hex_encode(md, sizeof(md), &mdx);
|
||||||
if (mdx == NULL) {
|
if (mdx == NULL) {
|
||||||
@@ -669,7 +673,7 @@ _kdc_do_digest(krb5_context context,
|
|||||||
}
|
}
|
||||||
|
|
||||||
} else if (strcasecmp(ireq.u.digestRequest.type, "SASL-DIGEST-MD5") == 0) {
|
} else if (strcasecmp(ireq.u.digestRequest.type, "SASL-DIGEST-MD5") == 0) {
|
||||||
MD5_CTX ctx;
|
EVP_MD_CTX ctx;
|
||||||
unsigned char md[MD5_DIGEST_LENGTH];
|
unsigned char md[MD5_DIGEST_LENGTH];
|
||||||
char *mdx;
|
char *mdx;
|
||||||
char *A1, *A2;
|
char *A1, *A2;
|
||||||
@@ -694,49 +698,54 @@ _kdc_do_digest(krb5_context context,
|
|||||||
if (ret)
|
if (ret)
|
||||||
goto failed;
|
goto failed;
|
||||||
|
|
||||||
MD5_Init(&ctx);
|
EVP_MD_CTX_init(&ctx);
|
||||||
MD5_Update(&ctx, ireq.u.digestRequest.username,
|
|
||||||
|
EVP_DigestInit_ex(&ctx, EVP_md5(), NULL);
|
||||||
|
EVP_DigestUpdate(&ctx, ireq.u.digestRequest.username,
|
||||||
strlen(ireq.u.digestRequest.username));
|
strlen(ireq.u.digestRequest.username));
|
||||||
MD5_Update(&ctx, ":", 1);
|
EVP_DigestUpdate(&ctx, ":", 1);
|
||||||
MD5_Update(&ctx, *ireq.u.digestRequest.realm,
|
EVP_DigestUpdate(&ctx, *ireq.u.digestRequest.realm,
|
||||||
strlen(*ireq.u.digestRequest.realm));
|
strlen(*ireq.u.digestRequest.realm));
|
||||||
MD5_Update(&ctx, ":", 1);
|
EVP_DigestUpdate(&ctx, ":", 1);
|
||||||
MD5_Update(&ctx, password, strlen(password));
|
EVP_DigestUpdate(&ctx, password, strlen(password));
|
||||||
MD5_Final(md, &ctx);
|
EVP_DigestFinal_ex(&ctx, md, NULL);
|
||||||
|
|
||||||
MD5_Init(&ctx);
|
EVP_DigestInit_ex(&ctx, EVP_md5(), NULL);
|
||||||
MD5_Update(&ctx, md, sizeof(md));
|
EVP_DigestUpdate(&ctx, md, sizeof(md));
|
||||||
MD5_Update(&ctx, ":", 1);
|
EVP_DigestUpdate(&ctx, ":", 1);
|
||||||
MD5_Update(&ctx, ireq.u.digestRequest.serverNonce,
|
EVP_DigestUpdate(&ctx, ireq.u.digestRequest.serverNonce,
|
||||||
strlen(ireq.u.digestRequest.serverNonce));
|
strlen(ireq.u.digestRequest.serverNonce));
|
||||||
MD5_Update(&ctx, ":", 1);
|
EVP_DigestUpdate(&ctx, ":", 1);
|
||||||
MD5_Update(&ctx, *ireq.u.digestRequest.nonceCount,
|
EVP_DigestUpdate(&ctx, *ireq.u.digestRequest.nonceCount,
|
||||||
strlen(*ireq.u.digestRequest.nonceCount));
|
strlen(*ireq.u.digestRequest.nonceCount));
|
||||||
if (ireq.u.digestRequest.authid) {
|
if (ireq.u.digestRequest.authid) {
|
||||||
MD5_Update(&ctx, ":", 1);
|
EVP_DigestUpdate(&ctx, ":", 1);
|
||||||
MD5_Update(&ctx, *ireq.u.digestRequest.authid,
|
EVP_DigestUpdate(&ctx, *ireq.u.digestRequest.authid,
|
||||||
strlen(*ireq.u.digestRequest.authid));
|
strlen(*ireq.u.digestRequest.authid));
|
||||||
}
|
}
|
||||||
MD5_Final(md, &ctx);
|
EVP_DigestFinal_ex(&ctx, md, NULL);
|
||||||
hex_encode(md, sizeof(md), &A1);
|
hex_encode(md, sizeof(md), &A1);
|
||||||
if (A1 == NULL) {
|
if (A1 == NULL) {
|
||||||
ret = ENOMEM;
|
ret = ENOMEM;
|
||||||
krb5_set_error_message(context, ret, "malloc: out of memory");
|
krb5_set_error_message(context, ret, "malloc: out of memory");
|
||||||
|
EVP_MD_CTX_cleanup(&ctx);
|
||||||
goto failed;
|
goto failed;
|
||||||
}
|
}
|
||||||
|
|
||||||
MD5_Init(&ctx);
|
EVP_DigestInit_ex(&ctx, EVP_md5(), NULL);
|
||||||
MD5_Update(&ctx, "AUTHENTICATE:", sizeof("AUTHENTICATE:") - 1);
|
EVP_DigestUpdate(&ctx,
|
||||||
MD5_Update(&ctx, *ireq.u.digestRequest.uri,
|
"AUTHENTICATE:", sizeof("AUTHENTICATE:") - 1);
|
||||||
|
EVP_DigestUpdate(&ctx, *ireq.u.digestRequest.uri,
|
||||||
strlen(*ireq.u.digestRequest.uri));
|
strlen(*ireq.u.digestRequest.uri));
|
||||||
|
|
||||||
/* conf|int */
|
/* conf|int */
|
||||||
if (strcmp(ireq.u.digestRequest.digest, "clear") != 0) {
|
if (strcmp(ireq.u.digestRequest.digest, "clear") != 0) {
|
||||||
static char conf_zeros[] = ":00000000000000000000000000000000";
|
static char conf_zeros[] = ":00000000000000000000000000000000";
|
||||||
MD5_Update(&ctx, conf_zeros, sizeof(conf_zeros) - 1);
|
EVP_DigestUpdate(&ctx, conf_zeros, sizeof(conf_zeros) - 1);
|
||||||
}
|
}
|
||||||
|
|
||||||
MD5_Final(md, &ctx);
|
EVP_DigestFinal_ex(&ctx, md, NULL);
|
||||||
|
|
||||||
hex_encode(md, sizeof(md), &A2);
|
hex_encode(md, sizeof(md), &A2);
|
||||||
if (A2 == NULL) {
|
if (A2 == NULL) {
|
||||||
ret = ENOMEM;
|
ret = ENOMEM;
|
||||||
@@ -745,24 +754,26 @@ _kdc_do_digest(krb5_context context,
|
|||||||
goto failed;
|
goto failed;
|
||||||
}
|
}
|
||||||
|
|
||||||
MD5_Init(&ctx);
|
EVP_DigestInit_ex(&ctx, EVP_md5(), NULL);
|
||||||
MD5_Update(&ctx, A1, strlen(A2));
|
EVP_DigestUpdate(&ctx, A1, strlen(A2));
|
||||||
MD5_Update(&ctx, ":", 1);
|
EVP_DigestUpdate(&ctx, ":", 1);
|
||||||
MD5_Update(&ctx, ireq.u.digestRequest.serverNonce,
|
EVP_DigestUpdate(&ctx, ireq.u.digestRequest.serverNonce,
|
||||||
strlen(ireq.u.digestRequest.serverNonce));
|
strlen(ireq.u.digestRequest.serverNonce));
|
||||||
MD5_Update(&ctx, ":", 1);
|
EVP_DigestUpdate(&ctx, ":", 1);
|
||||||
MD5_Update(&ctx, *ireq.u.digestRequest.nonceCount,
|
EVP_DigestUpdate(&ctx, *ireq.u.digestRequest.nonceCount,
|
||||||
strlen(*ireq.u.digestRequest.nonceCount));
|
strlen(*ireq.u.digestRequest.nonceCount));
|
||||||
MD5_Update(&ctx, ":", 1);
|
EVP_DigestUpdate(&ctx, ":", 1);
|
||||||
MD5_Update(&ctx, *ireq.u.digestRequest.clientNonce,
|
EVP_DigestUpdate(&ctx, *ireq.u.digestRequest.clientNonce,
|
||||||
strlen(*ireq.u.digestRequest.clientNonce));
|
strlen(*ireq.u.digestRequest.clientNonce));
|
||||||
MD5_Update(&ctx, ":", 1);
|
EVP_DigestUpdate(&ctx, ":", 1);
|
||||||
MD5_Update(&ctx, *ireq.u.digestRequest.qop,
|
EVP_DigestUpdate(&ctx, *ireq.u.digestRequest.qop,
|
||||||
strlen(*ireq.u.digestRequest.qop));
|
strlen(*ireq.u.digestRequest.qop));
|
||||||
MD5_Update(&ctx, ":", 1);
|
EVP_DigestUpdate(&ctx, ":", 1);
|
||||||
MD5_Update(&ctx, A2, strlen(A2));
|
EVP_DigestUpdate(&ctx, A2, strlen(A2));
|
||||||
|
|
||||||
MD5_Final(md, &ctx);
|
EVP_DigestFinal_ex(&ctx, md, NULL);
|
||||||
|
|
||||||
|
EVP_MD_CTX_cleanup(&ctx);
|
||||||
|
|
||||||
free(A1);
|
free(A1);
|
||||||
free(A2);
|
free(A2);
|
||||||
@@ -793,7 +804,7 @@ _kdc_do_digest(krb5_context context,
|
|||||||
const char *username;
|
const char *username;
|
||||||
struct ntlm_buf answer;
|
struct ntlm_buf answer;
|
||||||
Key *key = NULL;
|
Key *key = NULL;
|
||||||
SHA_CTX ctx;
|
EVP_MD_CTX ctx;
|
||||||
|
|
||||||
if ((config->digests_allowed & MS_CHAP_V2) == 0) {
|
if ((config->digests_allowed & MS_CHAP_V2) == 0) {
|
||||||
kdc_log(context, config, 0, "MS-CHAP-V2 not allowed");
|
kdc_log(context, config, 0, "MS-CHAP-V2 not allowed");
|
||||||
@@ -820,8 +831,10 @@ _kdc_do_digest(krb5_context context,
|
|||||||
else
|
else
|
||||||
username++;
|
username++;
|
||||||
|
|
||||||
|
EVP_MD_CTX_init(&ctx);
|
||||||
|
|
||||||
/* ChallangeHash */
|
/* ChallangeHash */
|
||||||
SHA1_Init(&ctx);
|
EVP_DigestInit_ex(&ctx, EVP_sha1(), NULL);
|
||||||
{
|
{
|
||||||
ssize_t ssize;
|
ssize_t ssize;
|
||||||
krb5_data clientNonce;
|
krb5_data clientNonce;
|
||||||
@@ -830,7 +843,9 @@ _kdc_do_digest(krb5_context context,
|
|||||||
clientNonce.data = malloc(clientNonce.length);
|
clientNonce.data = malloc(clientNonce.length);
|
||||||
if (clientNonce.data == NULL) {
|
if (clientNonce.data == NULL) {
|
||||||
ret = ENOMEM;
|
ret = ENOMEM;
|
||||||
krb5_set_error_message(context, ret, "malloc: out of memory");
|
krb5_set_error_message(context, ret,
|
||||||
|
"malloc: out of memory");
|
||||||
|
EVP_MD_CTX_cleanup(&ctx);
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -840,14 +855,18 @@ _kdc_do_digest(krb5_context context,
|
|||||||
ret = ENOMEM;
|
ret = ENOMEM;
|
||||||
krb5_set_error_message(context, ret,
|
krb5_set_error_message(context, ret,
|
||||||
"Failed to decode clientNonce");
|
"Failed to decode clientNonce");
|
||||||
|
EVP_MD_CTX_cleanup(&ctx);
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
SHA1_Update(&ctx, clientNonce.data, ssize);
|
EVP_DigestUpdate(&ctx, clientNonce.data, ssize);
|
||||||
free(clientNonce.data);
|
free(clientNonce.data);
|
||||||
}
|
}
|
||||||
SHA1_Update(&ctx, serverNonce.data, serverNonce.length);
|
EVP_DigestUpdate(&ctx, serverNonce.data, serverNonce.length);
|
||||||
SHA1_Update(&ctx, username, strlen(username));
|
EVP_DigestUpdate(&ctx, username, strlen(username));
|
||||||
SHA1_Final(challange, &ctx);
|
|
||||||
|
EVP_DigestFinal_ex(&ctx, challange, NULL);
|
||||||
|
|
||||||
|
EVP_MD_CTX_cleanup(&ctx);
|
||||||
|
|
||||||
/* NtPasswordHash */
|
/* NtPasswordHash */
|
||||||
ret = krb5_parse_name(context, username, &clientprincipal);
|
ret = krb5_parse_name(context, username, &clientprincipal);
|
||||||
@@ -904,34 +923,39 @@ _kdc_do_digest(krb5_context context,
|
|||||||
|
|
||||||
if (r.u.response.success) {
|
if (r.u.response.success) {
|
||||||
unsigned char hashhash[MD4_DIGEST_LENGTH];
|
unsigned char hashhash[MD4_DIGEST_LENGTH];
|
||||||
|
EVP_MD_CTX ctx;
|
||||||
|
|
||||||
|
EVP_MD_CTX_init(&ctx);
|
||||||
|
|
||||||
/* hashhash */
|
/* hashhash */
|
||||||
{
|
{
|
||||||
MD4_CTX hctx;
|
EVP_DigestInit_ex(&ctx, EVP_md4(), NULL);
|
||||||
|
EVP_DigestUpdate(&ctx,
|
||||||
MD4_Init(&hctx);
|
key->key.keyvalue.data,
|
||||||
MD4_Update(&hctx, key->key.keyvalue.data,
|
key->key.keyvalue.length);
|
||||||
key->key.keyvalue.length);
|
EVP_DigestFinal_ex(&ctx, hashhash, NULL);
|
||||||
MD4_Final(hashhash, &hctx);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/* GenerateAuthenticatorResponse */
|
/* GenerateAuthenticatorResponse */
|
||||||
SHA1_Init(&ctx);
|
EVP_DigestInit_ex(&ctx, EVP_sha1(), NULL);
|
||||||
SHA1_Update(&ctx, hashhash, sizeof(hashhash));
|
EVP_DigestUpdate(&ctx, hashhash, sizeof(hashhash));
|
||||||
SHA1_Update(&ctx, answer.data, answer.length);
|
EVP_DigestUpdate(&ctx, answer.data, answer.length);
|
||||||
SHA1_Update(&ctx, ms_chap_v2_magic1,sizeof(ms_chap_v2_magic1));
|
EVP_DigestUpdate(&ctx, ms_chap_v2_magic1,
|
||||||
SHA1_Final(md, &ctx);
|
sizeof(ms_chap_v2_magic1));
|
||||||
|
EVP_DigestFinal_ex(&ctx, md, NULL);
|
||||||
|
|
||||||
SHA1_Init(&ctx);
|
EVP_DigestInit_ex(&ctx, EVP_sha1(), NULL);
|
||||||
SHA1_Update(&ctx, md, sizeof(md));
|
EVP_DigestUpdate(&ctx, md, sizeof(md));
|
||||||
SHA1_Update(&ctx, challange, 8);
|
EVP_DigestUpdate(&ctx, challange, 8);
|
||||||
SHA1_Update(&ctx, ms_chap_v2_magic2, sizeof(ms_chap_v2_magic2));
|
EVP_DigestUpdate(&ctx, ms_chap_v2_magic2,
|
||||||
SHA1_Final(md, &ctx);
|
sizeof(ms_chap_v2_magic2));
|
||||||
|
EVP_DigestFinal_ex(&ctx, md, NULL);
|
||||||
|
|
||||||
r.u.response.rsp = calloc(1, sizeof(*r.u.response.rsp));
|
r.u.response.rsp = calloc(1, sizeof(*r.u.response.rsp));
|
||||||
if (r.u.response.rsp == NULL) {
|
if (r.u.response.rsp == NULL) {
|
||||||
free(answer.data);
|
free(answer.data);
|
||||||
krb5_clear_error_message(context);
|
krb5_clear_error_message(context);
|
||||||
|
EVP_MD_CTX_cleanup(&ctx);
|
||||||
ret = ENOMEM;
|
ret = ENOMEM;
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
@@ -940,19 +964,23 @@ _kdc_do_digest(krb5_context context,
|
|||||||
if (r.u.response.rsp == NULL) {
|
if (r.u.response.rsp == NULL) {
|
||||||
free(answer.data);
|
free(answer.data);
|
||||||
krb5_clear_error_message(context);
|
krb5_clear_error_message(context);
|
||||||
|
EVP_MD_CTX_cleanup(&ctx);
|
||||||
ret = ENOMEM;
|
ret = ENOMEM;
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* get_master, rfc 3079 3.4 */
|
/* get_master, rfc 3079 3.4 */
|
||||||
SHA1_Init(&ctx);
|
EVP_DigestInit_ex(&ctx, EVP_sha1(), NULL);
|
||||||
SHA1_Update(&ctx, hashhash, 16); /* md4(hash) */
|
EVP_DigestUpdate(&ctx, hashhash, 16);
|
||||||
SHA1_Update(&ctx, answer.data, answer.length);
|
EVP_DigestUpdate(&ctx, answer.data, answer.length);
|
||||||
SHA1_Update(&ctx, ms_rfc3079_magic1, sizeof(ms_rfc3079_magic1));
|
EVP_DigestUpdate(&ctx, ms_rfc3079_magic1,
|
||||||
SHA1_Final(md, &ctx);
|
sizeof(ms_rfc3079_magic1));
|
||||||
|
EVP_DigestFinal_ex(&ctx, md, NULL);
|
||||||
|
|
||||||
free(answer.data);
|
free(answer.data);
|
||||||
|
|
||||||
|
EVP_MD_CTX_cleanup(&ctx);
|
||||||
|
|
||||||
r.u.response.session_key =
|
r.u.response.session_key =
|
||||||
calloc(1, sizeof(*r.u.response.session_key));
|
calloc(1, sizeof(*r.u.response.session_key));
|
||||||
if (r.u.response.session_key == NULL) {
|
if (r.u.response.session_key == NULL) {
|
||||||
|
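Review bot: None of the new `EVP_DigestInit_ex`, `EVP_DigestUpdate` or `EVP_DigestFinal_ex` calls in the CHAP, SASL-DIGEST-MD5 and MS-CHAP-V2 branches has its return value checked. If initialisation fails (for instance where the crypto backend does not offer `EVP_md4()` or `EVP_md5()`; the backend is not shown here), `md`, `hashhash` and `challange` are never written, and indeterminate stack bytes go on to `hex_encode` or the next digest, presumably ending up in the value compared with or returned as the authentication response. Each init and final call should be guarded, e.g. `if (EVP_DigestInit_ex(&ctx, EVP_md5(), NULL) != 1) { ret = EINVAL; EVP_MD_CTX_cleanup(&ctx); goto out; }`, using whichever label the branch already uses (`out` or `failed`). Separately, the `A1 == NULL` path gained `EVP_MD_CTX_cleanup(&ctx)` but the `A2 == NULL` path apparently did not: by the hunk line counts, the two lines hidden between the `-694,49` and `-745,24` hunks are unchanged, so that path seems to reach `goto failed` without releasing the context. `_kdc_do_digest` starts and ends outside the shown hunks, so the code at the `failed` and `out` labels cannot be checked from here.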