summaryrefslogtreecommitdiff
path: root/source4/heimdal/kdc/digest.c
diff options
context:
space:
mode:
Diffstat (limited to 'source4/heimdal/kdc/digest.c')
-rw-r--r--source4/heimdal/kdc/digest.c214
1 files changed, 127 insertions, 87 deletions
diff --git a/source4/heimdal/kdc/digest.c b/source4/heimdal/kdc/digest.c
index d13507fc1f..1a383fa205 100644
--- a/source4/heimdal/kdc/digest.c
+++ b/source4/heimdal/kdc/digest.c
@@ -613,7 +613,7 @@ _kdc_do_digest(krb5_context context,
}
if (strcasecmp(ireq.u.digestRequest.type, "CHAP") == 0) {
- MD5_CTX ctx;
+ EVP_MD_CTX *ctx;
unsigned char md[MD5_DIGEST_LENGTH];
char *mdx;
char id;
@@ -642,11 +642,15 @@ _kdc_do_digest(krb5_context context,
if (ret)
goto out;
- MD5_Init(&ctx);
- MD5_Update(&ctx, &id, 1);
- MD5_Update(&ctx, password, strlen(password));
- MD5_Update(&ctx, serverNonce.data, serverNonce.length);
- MD5_Final(md, &ctx);
+ ctx = EVP_MD_CTX_create();
+
+ EVP_DigestInit_ex(ctx, EVP_md5(), NULL);
+ EVP_DigestUpdate(ctx, &id, 1);
+ EVP_DigestUpdate(ctx, password, strlen(password));
+ EVP_DigestUpdate(ctx, serverNonce.data, serverNonce.length);
+ EVP_DigestFinal_ex(ctx, md, NULL);
+
+ EVP_MD_CTX_destroy(ctx);
hex_encode(md, sizeof(md), &mdx);
if (mdx == NULL) {
@@ -669,7 +673,7 @@ _kdc_do_digest(krb5_context context,
}
} else if (strcasecmp(ireq.u.digestRequest.type, "SASL-DIGEST-MD5") == 0) {
- MD5_CTX ctx;
+ EVP_MD_CTX *ctx;
unsigned char md[MD5_DIGEST_LENGTH];
char *mdx;
char *A1, *A2;
@@ -694,49 +698,54 @@ _kdc_do_digest(krb5_context context,
if (ret)
goto failed;
- MD5_Init(&ctx);
- MD5_Update(&ctx, ireq.u.digestRequest.username,
+ ctx = EVP_MD_CTX_create();
+
+ EVP_DigestInit_ex(ctx, EVP_md5(), NULL);
+ EVP_DigestUpdate(ctx, ireq.u.digestRequest.username,
strlen(ireq.u.digestRequest.username));
- MD5_Update(&ctx, ":", 1);
- MD5_Update(&ctx, *ireq.u.digestRequest.realm,
+ EVP_DigestUpdate(ctx, ":", 1);
+ EVP_DigestUpdate(ctx, *ireq.u.digestRequest.realm,
strlen(*ireq.u.digestRequest.realm));
- MD5_Update(&ctx, ":", 1);
- MD5_Update(&ctx, password, strlen(password));
- MD5_Final(md, &ctx);
+ EVP_DigestUpdate(ctx, ":", 1);
+ EVP_DigestUpdate(ctx, password, strlen(password));
+ EVP_DigestFinal_ex(ctx, md, NULL);
- MD5_Init(&ctx);
- MD5_Update(&ctx, md, sizeof(md));
- MD5_Update(&ctx, ":", 1);
- MD5_Update(&ctx, ireq.u.digestRequest.serverNonce,
+ EVP_DigestInit_ex(ctx, EVP_md5(), NULL);
+ EVP_DigestUpdate(ctx, md, sizeof(md));
+ EVP_DigestUpdate(ctx, ":", 1);
+ EVP_DigestUpdate(ctx, ireq.u.digestRequest.serverNonce,
strlen(ireq.u.digestRequest.serverNonce));
- MD5_Update(&ctx, ":", 1);
- MD5_Update(&ctx, *ireq.u.digestRequest.nonceCount,
+ EVP_DigestUpdate(ctx, ":", 1);
+ EVP_DigestUpdate(ctx, *ireq.u.digestRequest.nonceCount,
strlen(*ireq.u.digestRequest.nonceCount));
if (ireq.u.digestRequest.authid) {
- MD5_Update(&ctx, ":", 1);
- MD5_Update(&ctx, *ireq.u.digestRequest.authid,
+ EVP_DigestUpdate(ctx, ":", 1);
+ EVP_DigestUpdate(ctx, *ireq.u.digestRequest.authid,
strlen(*ireq.u.digestRequest.authid));
}
- MD5_Final(md, &ctx);
+ EVP_DigestFinal_ex(ctx, md, NULL);
hex_encode(md, sizeof(md), &A1);
if (A1 == NULL) {
ret = ENOMEM;
krb5_set_error_message(context, ret, "malloc: out of memory");
+ EVP_MD_CTX_destroy(ctx);
goto failed;
}
- MD5_Init(&ctx);
- MD5_Update(&ctx, "AUTHENTICATE:", sizeof("AUTHENTICATE:") - 1);
- MD5_Update(&ctx, *ireq.u.digestRequest.uri,
+ EVP_DigestInit_ex(ctx, EVP_md5(), NULL);
+ EVP_DigestUpdate(ctx,
+ "AUTHENTICATE:", sizeof("AUTHENTICATE:") - 1);
+ EVP_DigestUpdate(ctx, *ireq.u.digestRequest.uri,
strlen(*ireq.u.digestRequest.uri));
/* conf|int */
if (strcmp(ireq.u.digestRequest.digest, "clear") != 0) {
static char conf_zeros[] = ":00000000000000000000000000000000";
- MD5_Update(&ctx, conf_zeros, sizeof(conf_zeros) - 1);
+ EVP_DigestUpdate(ctx, conf_zeros, sizeof(conf_zeros) - 1);
}
- MD5_Final(md, &ctx);
+ EVP_DigestFinal_ex(ctx, md, NULL);
+
hex_encode(md, sizeof(md), &A2);
if (A2 == NULL) {
ret = ENOMEM;
@@ -745,24 +754,26 @@ _kdc_do_digest(krb5_context context,
goto failed;
}
- MD5_Init(&ctx);
- MD5_Update(&ctx, A1, strlen(A2));
- MD5_Update(&ctx, ":", 1);
- MD5_Update(&ctx, ireq.u.digestRequest.serverNonce,
+ EVP_DigestInit_ex(ctx, EVP_md5(), NULL);
+ EVP_DigestUpdate(ctx, A1, strlen(A2));
+ EVP_DigestUpdate(ctx, ":", 1);
+ EVP_DigestUpdate(ctx, ireq.u.digestRequest.serverNonce,
strlen(ireq.u.digestRequest.serverNonce));
- MD5_Update(&ctx, ":", 1);
- MD5_Update(&ctx, *ireq.u.digestRequest.nonceCount,
+ EVP_DigestUpdate(ctx, ":", 1);
+ EVP_DigestUpdate(ctx, *ireq.u.digestRequest.nonceCount,
strlen(*ireq.u.digestRequest.nonceCount));
- MD5_Update(&ctx, ":", 1);
- MD5_Update(&ctx, *ireq.u.digestRequest.clientNonce,
+ EVP_DigestUpdate(ctx, ":", 1);
+ EVP_DigestUpdate(ctx, *ireq.u.digestRequest.clientNonce,
strlen(*ireq.u.digestRequest.clientNonce));
- MD5_Update(&ctx, ":", 1);
- MD5_Update(&ctx, *ireq.u.digestRequest.qop,
+ EVP_DigestUpdate(ctx, ":", 1);
+ EVP_DigestUpdate(ctx, *ireq.u.digestRequest.qop,
strlen(*ireq.u.digestRequest.qop));
- MD5_Update(&ctx, ":", 1);
- MD5_Update(&ctx, A2, strlen(A2));
+ EVP_DigestUpdate(ctx, ":", 1);
+ EVP_DigestUpdate(ctx, A2, strlen(A2));
+
+ EVP_DigestFinal_ex(ctx, md, NULL);
- MD5_Final(md, &ctx);
+ EVP_MD_CTX_destroy(ctx);
free(A1);
free(A2);
@@ -793,7 +804,7 @@ _kdc_do_digest(krb5_context context,
const char *username;
struct ntlm_buf answer;
Key *key = NULL;
- SHA_CTX ctx;
+ EVP_MD_CTX *ctx;
if ((config->digests_allowed & MS_CHAP_V2) == 0) {
kdc_log(context, config, 0, "MS-CHAP-V2 not allowed");
@@ -820,8 +831,10 @@ _kdc_do_digest(krb5_context context,
else
username++;
+ ctx = EVP_MD_CTX_create();
+
/* ChallangeHash */
- SHA1_Init(&ctx);
+ EVP_DigestInit_ex(ctx, EVP_sha1(), NULL);
{
ssize_t ssize;
krb5_data clientNonce;
@@ -830,7 +843,9 @@ _kdc_do_digest(krb5_context context,
clientNonce.data = malloc(clientNonce.length);
if (clientNonce.data == NULL) {
ret = ENOMEM;
- krb5_set_error_message(context, ret, "malloc: out of memory");
+ krb5_set_error_message(context, ret,
+ "malloc: out of memory");
+ EVP_MD_CTX_destroy(ctx);
goto out;
}
@@ -840,14 +855,18 @@ _kdc_do_digest(krb5_context context,
ret = ENOMEM;
krb5_set_error_message(context, ret,
"Failed to decode clientNonce");
+ EVP_MD_CTX_destroy(ctx);
goto out;
}
- SHA1_Update(&ctx, clientNonce.data, ssize);
+ EVP_DigestUpdate(ctx, clientNonce.data, ssize);
free(clientNonce.data);
}
- SHA1_Update(&ctx, serverNonce.data, serverNonce.length);
- SHA1_Update(&ctx, username, strlen(username));
- SHA1_Final(challange, &ctx);
+ EVP_DigestUpdate(ctx, serverNonce.data, serverNonce.length);
+ EVP_DigestUpdate(ctx, username, strlen(username));
+
+ EVP_DigestFinal_ex(ctx, challange, NULL);
+
+ EVP_MD_CTX_destroy(ctx);
/* NtPasswordHash */
ret = krb5_parse_name(context, username, &clientprincipal);
@@ -904,34 +923,39 @@ _kdc_do_digest(krb5_context context,
if (r.u.response.success) {
unsigned char hashhash[MD4_DIGEST_LENGTH];
+ EVP_MD_CTX *ctx;
+
+ ctx = EVP_MD_CTX_create();
/* hashhash */
{
- MD4_CTX hctx;
-
- MD4_Init(&hctx);
- MD4_Update(&hctx, key->key.keyvalue.data,
- key->key.keyvalue.length);
- MD4_Final(hashhash, &hctx);
+ EVP_DigestInit_ex(ctx, EVP_md4(), NULL);
+ EVP_DigestUpdate(ctx,
+ key->key.keyvalue.data,
+ key->key.keyvalue.length);
+ EVP_DigestFinal_ex(ctx, hashhash, NULL);
}
/* GenerateAuthenticatorResponse */
- SHA1_Init(&ctx);
- SHA1_Update(&ctx, hashhash, sizeof(hashhash));
- SHA1_Update(&ctx, answer.data, answer.length);
- SHA1_Update(&ctx, ms_chap_v2_magic1,sizeof(ms_chap_v2_magic1));
- SHA1_Final(md, &ctx);
-
- SHA1_Init(&ctx);
- SHA1_Update(&ctx, md, sizeof(md));
- SHA1_Update(&ctx, challange, 8);
- SHA1_Update(&ctx, ms_chap_v2_magic2, sizeof(ms_chap_v2_magic2));
- SHA1_Final(md, &ctx);
+ EVP_DigestInit_ex(ctx, EVP_sha1(), NULL);
+ EVP_DigestUpdate(ctx, hashhash, sizeof(hashhash));
+ EVP_DigestUpdate(ctx, answer.data, answer.length);
+ EVP_DigestUpdate(ctx, ms_chap_v2_magic1,
+ sizeof(ms_chap_v2_magic1));
+ EVP_DigestFinal_ex(ctx, md, NULL);
+
+ EVP_DigestInit_ex(ctx, EVP_sha1(), NULL);
+ EVP_DigestUpdate(ctx, md, sizeof(md));
+ EVP_DigestUpdate(ctx, challange, 8);
+ EVP_DigestUpdate(ctx, ms_chap_v2_magic2,
+ sizeof(ms_chap_v2_magic2));
+ EVP_DigestFinal_ex(ctx, md, NULL);
r.u.response.rsp = calloc(1, sizeof(*r.u.response.rsp));
if (r.u.response.rsp == NULL) {
free(answer.data);
krb5_clear_error_message(context);
+ EVP_MD_CTX_destroy(ctx);
ret = ENOMEM;
goto out;
}
@@ -940,19 +964,23 @@ _kdc_do_digest(krb5_context context,
if (r.u.response.rsp == NULL) {
free(answer.data);
krb5_clear_error_message(context);
+ EVP_MD_CTX_destroy(ctx);
ret = ENOMEM;
goto out;
}
/* get_master, rfc 3079 3.4 */
- SHA1_Init(&ctx);
- SHA1_Update(&ctx, hashhash, 16); /* md4(hash) */
- SHA1_Update(&ctx, answer.data, answer.length);
- SHA1_Update(&ctx, ms_rfc3079_magic1, sizeof(ms_rfc3079_magic1));
- SHA1_Final(md, &ctx);
+ EVP_DigestInit_ex(ctx, EVP_sha1(), NULL);
+ EVP_DigestUpdate(ctx, hashhash, 16);
+ EVP_DigestUpdate(ctx, answer.data, answer.length);
+ EVP_DigestUpdate(ctx, ms_rfc3079_magic1,
+ sizeof(ms_rfc3079_magic1));
+ EVP_DigestFinal_ex(ctx, md, NULL);
free(answer.data);
+ EVP_MD_CTX_destroy(ctx);
+
r.u.response.session_key =
calloc(1, sizeof(*r.u.response.session_key));
if (r.u.response.session_key == NULL) {
@@ -1237,7 +1265,7 @@ _kdc_do_digest(krb5_context context,
if (flags & NTLM_NEG_NTLM2_SESSION) {
unsigned char sessionhash[MD5_DIGEST_LENGTH];
- MD5_CTX md5ctx;
+ EVP_MD_CTX *ctx;
if ((config->digests_allowed & NTLM_V1_SESSION) == 0) {
kdc_log(context, config, 0, "NTLM v1-session not allowed");
@@ -1252,11 +1280,17 @@ _kdc_do_digest(krb5_context context,
goto failed;
}
- MD5_Init(&md5ctx);
- MD5_Update(&md5ctx, challange, sizeof(challange));
- MD5_Update(&md5ctx, ireq.u.ntlmRequest.lm.data, 8);
- MD5_Final(sessionhash, &md5ctx);
+ ctx = EVP_MD_CTX_create();
+
+ EVP_DigestInit_ex(ctx, EVP_md5(), NULL);
+
+ EVP_DigestUpdate(ctx, challange, sizeof(challange));
+ EVP_DigestUpdate(ctx, ireq.u.ntlmRequest.lm.data, 8);
+ EVP_DigestFinal_ex(ctx, sessionhash, NULL);
memcpy(challange, sessionhash, sizeof(challange));
+
+ EVP_MD_CTX_destroy(ctx);
+
} else {
if ((config->digests_allowed & NTLM_V1) == 0) {
kdc_log(context, config, 0, "NTLM v1 not allowed");
@@ -1283,18 +1317,23 @@ _kdc_do_digest(krb5_context context,
free(answer.data);
{
- MD4_CTX ctx;
+ EVP_MD_CTX *ctx;
+
+ ctx = EVP_MD_CTX_create();
+
+ EVP_DigestInit_ex(ctx, EVP_md4(), NULL);
+ EVP_DigestUpdate(ctx,
+ key->key.keyvalue.data,
+ key->key.keyvalue.length);
+ EVP_DigestFinal_ex(ctx, sessionkey, NULL);
- MD4_Init(&ctx);
- MD4_Update(&ctx,
- key->key.keyvalue.data, key->key.keyvalue.length);
- MD4_Final(sessionkey, &ctx);
+ EVP_MD_CTX_destroy(ctx);
}
}
if (ireq.u.ntlmRequest.sessionkey) {
unsigned char masterkey[MD4_DIGEST_LENGTH];
- RC4_KEY rc4;
+ EVP_CIPHER_CTX rc4;
size_t len;
if ((flags & NTLM_NEG_KEYEX) == 0) {
@@ -1314,12 +1353,13 @@ _kdc_do_digest(krb5_context context,
goto failed;
}
- RC4_set_key(&rc4, sizeof(sessionkey), sessionkey);
-
- RC4(&rc4, sizeof(masterkey),
- ireq.u.ntlmRequest.sessionkey->data,
- masterkey);
- memset(&rc4, 0, sizeof(rc4));
+
+ EVP_CIPHER_CTX_init(&rc4);
+ EVP_CipherInit_ex(&rc4, EVP_rc4(), NULL, sessionkey, NULL, 1);
+ EVP_Cipher(&rc4,
+ masterkey, ireq.u.ntlmRequest.sessionkey->data,
+ sizeof(masterkey));
+ EVP_CIPHER_CTX_cleanup(&rc4);
r.u.ntlmResponse.sessionkey =
malloc(sizeof(*r.u.ntlmResponse.sessionkey));