diff options
Diffstat (limited to 'source4/heimdal/kdc/digest.c')
-rw-r--r-- | source4/heimdal/kdc/digest.c | 214 |
1 files changed, 127 insertions, 87 deletions
diff --git a/source4/heimdal/kdc/digest.c b/source4/heimdal/kdc/digest.c index d13507fc1f..1a383fa205 100644 --- a/source4/heimdal/kdc/digest.c +++ b/source4/heimdal/kdc/digest.c @@ -613,7 +613,7 @@ _kdc_do_digest(krb5_context context, } if (strcasecmp(ireq.u.digestRequest.type, "CHAP") == 0) { - MD5_CTX ctx; + EVP_MD_CTX *ctx; unsigned char md[MD5_DIGEST_LENGTH]; char *mdx; char id; @@ -642,11 +642,15 @@ _kdc_do_digest(krb5_context context, if (ret) goto out; - MD5_Init(&ctx); - MD5_Update(&ctx, &id, 1); - MD5_Update(&ctx, password, strlen(password)); - MD5_Update(&ctx, serverNonce.data, serverNonce.length); - MD5_Final(md, &ctx); + ctx = EVP_MD_CTX_create(); + + EVP_DigestInit_ex(ctx, EVP_md5(), NULL); + EVP_DigestUpdate(ctx, &id, 1); + EVP_DigestUpdate(ctx, password, strlen(password)); + EVP_DigestUpdate(ctx, serverNonce.data, serverNonce.length); + EVP_DigestFinal_ex(ctx, md, NULL); + + EVP_MD_CTX_destroy(ctx); hex_encode(md, sizeof(md), &mdx); if (mdx == NULL) { @@ -669,7 +673,7 @@ _kdc_do_digest(krb5_context context, } } else if (strcasecmp(ireq.u.digestRequest.type, "SASL-DIGEST-MD5") == 0) { - MD5_CTX ctx; + EVP_MD_CTX *ctx; unsigned char md[MD5_DIGEST_LENGTH]; char *mdx; char *A1, *A2; @@ -694,49 +698,54 @@ _kdc_do_digest(krb5_context context, if (ret) goto failed; - MD5_Init(&ctx); - MD5_Update(&ctx, ireq.u.digestRequest.username, + ctx = EVP_MD_CTX_create(); + + EVP_DigestInit_ex(ctx, EVP_md5(), NULL); + EVP_DigestUpdate(ctx, ireq.u.digestRequest.username, strlen(ireq.u.digestRequest.username)); - MD5_Update(&ctx, ":", 1); - MD5_Update(&ctx, *ireq.u.digestRequest.realm, + EVP_DigestUpdate(ctx, ":", 1); + EVP_DigestUpdate(ctx, *ireq.u.digestRequest.realm, strlen(*ireq.u.digestRequest.realm)); - MD5_Update(&ctx, ":", 1); - MD5_Update(&ctx, password, strlen(password)); - MD5_Final(md, &ctx); + EVP_DigestUpdate(ctx, ":", 1); + EVP_DigestUpdate(ctx, password, strlen(password)); + EVP_DigestFinal_ex(ctx, md, NULL); - MD5_Init(&ctx); - MD5_Update(&ctx, md, sizeof(md)); - MD5_Update(&ctx, ":", 1); - MD5_Update(&ctx, ireq.u.digestRequest.serverNonce, + EVP_DigestInit_ex(ctx, EVP_md5(), NULL); + EVP_DigestUpdate(ctx, md, sizeof(md)); + EVP_DigestUpdate(ctx, ":", 1); + EVP_DigestUpdate(ctx, ireq.u.digestRequest.serverNonce, strlen(ireq.u.digestRequest.serverNonce)); - MD5_Update(&ctx, ":", 1); - MD5_Update(&ctx, *ireq.u.digestRequest.nonceCount, + EVP_DigestUpdate(ctx, ":", 1); + EVP_DigestUpdate(ctx, *ireq.u.digestRequest.nonceCount, strlen(*ireq.u.digestRequest.nonceCount)); if (ireq.u.digestRequest.authid) { - MD5_Update(&ctx, ":", 1); - MD5_Update(&ctx, *ireq.u.digestRequest.authid, + EVP_DigestUpdate(ctx, ":", 1); + EVP_DigestUpdate(ctx, *ireq.u.digestRequest.authid, strlen(*ireq.u.digestRequest.authid)); } - MD5_Final(md, &ctx); + EVP_DigestFinal_ex(ctx, md, NULL); hex_encode(md, sizeof(md), &A1); if (A1 == NULL) { ret = ENOMEM; krb5_set_error_message(context, ret, "malloc: out of memory"); + EVP_MD_CTX_destroy(ctx); goto failed; } - MD5_Init(&ctx); - MD5_Update(&ctx, "AUTHENTICATE:", sizeof("AUTHENTICATE:") - 1); - MD5_Update(&ctx, *ireq.u.digestRequest.uri, + EVP_DigestInit_ex(ctx, EVP_md5(), NULL); + EVP_DigestUpdate(ctx, + "AUTHENTICATE:", sizeof("AUTHENTICATE:") - 1); + EVP_DigestUpdate(ctx, *ireq.u.digestRequest.uri, strlen(*ireq.u.digestRequest.uri)); /* conf|int */ if (strcmp(ireq.u.digestRequest.digest, "clear") != 0) { static char conf_zeros[] = ":00000000000000000000000000000000"; - MD5_Update(&ctx, conf_zeros, sizeof(conf_zeros) - 1); + EVP_DigestUpdate(ctx, conf_zeros, sizeof(conf_zeros) - 1); } - MD5_Final(md, &ctx); + EVP_DigestFinal_ex(ctx, md, NULL); + hex_encode(md, sizeof(md), &A2); if (A2 == NULL) { ret = ENOMEM; @@ -745,24 +754,26 @@ _kdc_do_digest(krb5_context context, goto failed; } - MD5_Init(&ctx); - MD5_Update(&ctx, A1, strlen(A2)); - MD5_Update(&ctx, ":", 1); - MD5_Update(&ctx, ireq.u.digestRequest.serverNonce, + EVP_DigestInit_ex(ctx, EVP_md5(), NULL); + EVP_DigestUpdate(ctx, A1, strlen(A2)); + EVP_DigestUpdate(ctx, ":", 1); + EVP_DigestUpdate(ctx, ireq.u.digestRequest.serverNonce, strlen(ireq.u.digestRequest.serverNonce)); - MD5_Update(&ctx, ":", 1); - MD5_Update(&ctx, *ireq.u.digestRequest.nonceCount, + EVP_DigestUpdate(ctx, ":", 1); + EVP_DigestUpdate(ctx, *ireq.u.digestRequest.nonceCount, strlen(*ireq.u.digestRequest.nonceCount)); - MD5_Update(&ctx, ":", 1); - MD5_Update(&ctx, *ireq.u.digestRequest.clientNonce, + EVP_DigestUpdate(ctx, ":", 1); + EVP_DigestUpdate(ctx, *ireq.u.digestRequest.clientNonce, strlen(*ireq.u.digestRequest.clientNonce)); - MD5_Update(&ctx, ":", 1); - MD5_Update(&ctx, *ireq.u.digestRequest.qop, + EVP_DigestUpdate(ctx, ":", 1); + EVP_DigestUpdate(ctx, *ireq.u.digestRequest.qop, strlen(*ireq.u.digestRequest.qop)); - MD5_Update(&ctx, ":", 1); - MD5_Update(&ctx, A2, strlen(A2)); + EVP_DigestUpdate(ctx, ":", 1); + EVP_DigestUpdate(ctx, A2, strlen(A2)); + + EVP_DigestFinal_ex(ctx, md, NULL); - MD5_Final(md, &ctx); + EVP_MD_CTX_destroy(ctx); free(A1); free(A2); @@ -793,7 +804,7 @@ _kdc_do_digest(krb5_context context, const char *username; struct ntlm_buf answer; Key *key = NULL; - SHA_CTX ctx; + EVP_MD_CTX *ctx; if ((config->digests_allowed & MS_CHAP_V2) == 0) { kdc_log(context, config, 0, "MS-CHAP-V2 not allowed"); @@ -820,8 +831,10 @@ _kdc_do_digest(krb5_context context, else username++; + ctx = EVP_MD_CTX_create(); + /* ChallangeHash */ - SHA1_Init(&ctx); + EVP_DigestInit_ex(ctx, EVP_sha1(), NULL); { ssize_t ssize; krb5_data clientNonce; @@ -830,7 +843,9 @@ _kdc_do_digest(krb5_context context, clientNonce.data = malloc(clientNonce.length); if (clientNonce.data == NULL) { ret = ENOMEM; - krb5_set_error_message(context, ret, "malloc: out of memory"); + krb5_set_error_message(context, ret, + "malloc: out of memory"); + EVP_MD_CTX_destroy(ctx); goto out; } @@ -840,14 +855,18 @@ _kdc_do_digest(krb5_context context, ret = ENOMEM; krb5_set_error_message(context, ret, "Failed to decode clientNonce"); + EVP_MD_CTX_destroy(ctx); goto out; } - SHA1_Update(&ctx, clientNonce.data, ssize); + EVP_DigestUpdate(ctx, clientNonce.data, ssize); free(clientNonce.data); } - SHA1_Update(&ctx, serverNonce.data, serverNonce.length); - SHA1_Update(&ctx, username, strlen(username)); - SHA1_Final(challange, &ctx); + EVP_DigestUpdate(ctx, serverNonce.data, serverNonce.length); + EVP_DigestUpdate(ctx, username, strlen(username)); + + EVP_DigestFinal_ex(ctx, challange, NULL); + + EVP_MD_CTX_destroy(ctx); /* NtPasswordHash */ ret = krb5_parse_name(context, username, &clientprincipal); @@ -904,34 +923,39 @@ _kdc_do_digest(krb5_context context, if (r.u.response.success) { unsigned char hashhash[MD4_DIGEST_LENGTH]; + EVP_MD_CTX *ctx; + + ctx = EVP_MD_CTX_create(); /* hashhash */ { - MD4_CTX hctx; - - MD4_Init(&hctx); - MD4_Update(&hctx, key->key.keyvalue.data, - key->key.keyvalue.length); - MD4_Final(hashhash, &hctx); + EVP_DigestInit_ex(ctx, EVP_md4(), NULL); + EVP_DigestUpdate(ctx, + key->key.keyvalue.data, + key->key.keyvalue.length); + EVP_DigestFinal_ex(ctx, hashhash, NULL); } /* GenerateAuthenticatorResponse */ - SHA1_Init(&ctx); - SHA1_Update(&ctx, hashhash, sizeof(hashhash)); - SHA1_Update(&ctx, answer.data, answer.length); - SHA1_Update(&ctx, ms_chap_v2_magic1,sizeof(ms_chap_v2_magic1)); - SHA1_Final(md, &ctx); - - SHA1_Init(&ctx); - SHA1_Update(&ctx, md, sizeof(md)); - SHA1_Update(&ctx, challange, 8); - SHA1_Update(&ctx, ms_chap_v2_magic2, sizeof(ms_chap_v2_magic2)); - SHA1_Final(md, &ctx); + EVP_DigestInit_ex(ctx, EVP_sha1(), NULL); + EVP_DigestUpdate(ctx, hashhash, sizeof(hashhash)); + EVP_DigestUpdate(ctx, answer.data, answer.length); + EVP_DigestUpdate(ctx, ms_chap_v2_magic1, + sizeof(ms_chap_v2_magic1)); + EVP_DigestFinal_ex(ctx, md, NULL); + + EVP_DigestInit_ex(ctx, EVP_sha1(), NULL); + EVP_DigestUpdate(ctx, md, sizeof(md)); + EVP_DigestUpdate(ctx, challange, 8); + EVP_DigestUpdate(ctx, ms_chap_v2_magic2, + sizeof(ms_chap_v2_magic2)); + EVP_DigestFinal_ex(ctx, md, NULL); r.u.response.rsp = calloc(1, sizeof(*r.u.response.rsp)); if (r.u.response.rsp == NULL) { free(answer.data); krb5_clear_error_message(context); + EVP_MD_CTX_destroy(ctx); ret = ENOMEM; goto out; } @@ -940,19 +964,23 @@ _kdc_do_digest(krb5_context context, if (r.u.response.rsp == NULL) { free(answer.data); krb5_clear_error_message(context); + EVP_MD_CTX_destroy(ctx); ret = ENOMEM; goto out; } /* get_master, rfc 3079 3.4 */ - SHA1_Init(&ctx); - SHA1_Update(&ctx, hashhash, 16); /* md4(hash) */ - SHA1_Update(&ctx, answer.data, answer.length); - SHA1_Update(&ctx, ms_rfc3079_magic1, sizeof(ms_rfc3079_magic1)); - SHA1_Final(md, &ctx); + EVP_DigestInit_ex(ctx, EVP_sha1(), NULL); + EVP_DigestUpdate(ctx, hashhash, 16); + EVP_DigestUpdate(ctx, answer.data, answer.length); + EVP_DigestUpdate(ctx, ms_rfc3079_magic1, + sizeof(ms_rfc3079_magic1)); + EVP_DigestFinal_ex(ctx, md, NULL); free(answer.data); + EVP_MD_CTX_destroy(ctx); + r.u.response.session_key = calloc(1, sizeof(*r.u.response.session_key)); if (r.u.response.session_key == NULL) { @@ -1237,7 +1265,7 @@ _kdc_do_digest(krb5_context context, if (flags & NTLM_NEG_NTLM2_SESSION) { unsigned char sessionhash[MD5_DIGEST_LENGTH]; - MD5_CTX md5ctx; + EVP_MD_CTX *ctx; if ((config->digests_allowed & NTLM_V1_SESSION) == 0) { kdc_log(context, config, 0, "NTLM v1-session not allowed"); @@ -1252,11 +1280,17 @@ _kdc_do_digest(krb5_context context, goto failed; } - MD5_Init(&md5ctx); - MD5_Update(&md5ctx, challange, sizeof(challange)); - MD5_Update(&md5ctx, ireq.u.ntlmRequest.lm.data, 8); - MD5_Final(sessionhash, &md5ctx); + ctx = EVP_MD_CTX_create(); + + EVP_DigestInit_ex(ctx, EVP_md5(), NULL); + + EVP_DigestUpdate(ctx, challange, sizeof(challange)); + EVP_DigestUpdate(ctx, ireq.u.ntlmRequest.lm.data, 8); + EVP_DigestFinal_ex(ctx, sessionhash, NULL); memcpy(challange, sessionhash, sizeof(challange)); + + EVP_MD_CTX_destroy(ctx); + } else { if ((config->digests_allowed & NTLM_V1) == 0) { kdc_log(context, config, 0, "NTLM v1 not allowed"); @@ -1283,18 +1317,23 @@ _kdc_do_digest(krb5_context context, free(answer.data); { - MD4_CTX ctx; + EVP_MD_CTX *ctx; + + ctx = EVP_MD_CTX_create(); + + EVP_DigestInit_ex(ctx, EVP_md4(), NULL); + EVP_DigestUpdate(ctx, + key->key.keyvalue.data, + key->key.keyvalue.length); + EVP_DigestFinal_ex(ctx, sessionkey, NULL); - MD4_Init(&ctx); - MD4_Update(&ctx, - key->key.keyvalue.data, key->key.keyvalue.length); - MD4_Final(sessionkey, &ctx); + EVP_MD_CTX_destroy(ctx); } } if (ireq.u.ntlmRequest.sessionkey) { unsigned char masterkey[MD4_DIGEST_LENGTH]; - RC4_KEY rc4; + EVP_CIPHER_CTX rc4; size_t len; if ((flags & NTLM_NEG_KEYEX) == 0) { @@ -1314,12 +1353,13 @@ _kdc_do_digest(krb5_context context, goto failed; } - RC4_set_key(&rc4, sizeof(sessionkey), sessionkey); - - RC4(&rc4, sizeof(masterkey), - ireq.u.ntlmRequest.sessionkey->data, - masterkey); - memset(&rc4, 0, sizeof(rc4)); + + EVP_CIPHER_CTX_init(&rc4); + EVP_CipherInit_ex(&rc4, EVP_rc4(), NULL, sessionkey, NULL, 1); + EVP_Cipher(&rc4, + masterkey, ireq.u.ntlmRequest.sessionkey->data, + sizeof(masterkey)); + EVP_CIPHER_CTX_cleanup(&rc4); r.u.ntlmResponse.sessionkey = malloc(sizeof(*r.u.ntlmResponse.sessionkey)); |