diff options
author | Linus Nordberg <linus@nordu.net> | 2016-09-01 16:09:09 +0200 |
---|---|---|
committer | Linus Nordberg <linus@nordu.net> | 2016-09-01 16:09:09 +0200 |
commit | 79758ca15e0e83634a522750e44c5b5b1ae224a4 (patch) | |
tree | 0c30338f8b41426ea05e16c6f0b21c90aeeb807d | |
parent | 0c5009cc0c9abd008b494e805ca74cecfc7d153c (diff) |
EVP_MD_CTX and HMAC_CTX are now pointers.
NOTE: pwdcrypt(), msmppencrypt(), msmppdecrypt(), _checkmsgauth(),
_validauth() _createmessageauth() and _radsign() all become slightly
more expensive since we're now allocating and freeing an EVP_MD_CTX or
HMAC_CTX on each invocation.
-rw-r--r-- | radmsg.c | 97 | ||||
-rw-r--r-- | radsecproxy.c | 115 |
2 files changed, 106 insertions, 106 deletions
@@ -122,116 +122,115 @@ int radmsg_copy_attrs(struct radmsg *dst, } int _checkmsgauth(unsigned char *rad, uint8_t *authattr, uint8_t *secret) { + int result = 0; /* Fail. */ static pthread_mutex_t lock = PTHREAD_MUTEX_INITIALIZER; - static unsigned char first = 1; - static HMAC_CTX hmacctx; + HMAC_CTX *hmacctx = NULL; unsigned int md_len; uint8_t auth[16], hash[EVP_MAX_MD_SIZE]; pthread_mutex_lock(&lock); - if (first) { - HMAC_CTX_init(&hmacctx); - first = 0; - } memcpy(auth, authattr, 16); memset(authattr, 0, 16); md_len = 0; - HMAC_Init_ex(&hmacctx, secret, strlen((char *)secret), EVP_md5(), NULL); - HMAC_Update(&hmacctx, rad, RADLEN(rad)); - HMAC_Final(&hmacctx, hash, &md_len); + hmacctx = HMAC_CTX_new(); + if (!hmacctx) + debugx(1, DBG_ERR, "%s: malloc failed", __func__); + HMAC_Init_ex(hmacctx, secret, strlen((char *)secret), EVP_md5(), NULL); + HMAC_Update(hmacctx, rad, RADLEN(rad)); + HMAC_Final(hmacctx, hash, &md_len); memcpy(authattr, auth, 16); if (md_len != 16) { debug(DBG_WARN, "message auth computation failed"); - pthread_mutex_unlock(&lock); - return 0; + goto out; } if (memcmp(auth, hash, 16)) { debug(DBG_WARN, "message authenticator, wrong value"); - pthread_mutex_unlock(&lock); - return 0; + goto out; } + result = 1; +out: + HMAC_CTX_free(hmacctx); pthread_mutex_unlock(&lock); - return 1; + return result; } int _validauth(unsigned char *rad, unsigned char *reqauth, unsigned char *sec) { static pthread_mutex_t lock = PTHREAD_MUTEX_INITIALIZER; - static unsigned char first = 1; - static EVP_MD_CTX mdctx; + EVP_MD_CTX *mdctx = NULL; unsigned char hash[EVP_MAX_MD_SIZE]; unsigned int len; int result; pthread_mutex_lock(&lock); - if (first) { - EVP_MD_CTX_init(&mdctx); - first = 0; - } + mdctx = EVP_MD_CTX_new(); + if (!mdctx) + debugx(1, DBG_ERR, "%s: malloc failed", __func__); len = RADLEN(rad); - result = (EVP_DigestInit_ex(&mdctx, EVP_md5(), NULL) && - EVP_DigestUpdate(&mdctx, rad, 4) && - EVP_DigestUpdate(&mdctx, reqauth, 16) && - (len <= 20 || EVP_DigestUpdate(&mdctx, rad + 20, len - 20)) && - EVP_DigestUpdate(&mdctx, sec, strlen((char *)sec)) && - EVP_DigestFinal_ex(&mdctx, hash, &len) && + result = (EVP_DigestInit_ex(mdctx, EVP_md5(), NULL) && + EVP_DigestUpdate(mdctx, rad, 4) && + EVP_DigestUpdate(mdctx, reqauth, 16) && + (len <= 20 || EVP_DigestUpdate(mdctx, rad + 20, len - 20)) && + EVP_DigestUpdate(mdctx, sec, strlen((char *)sec)) && + EVP_DigestFinal_ex(mdctx, hash, &len) && len == 16 && !memcmp(hash, rad + 4, 16)); + EVP_MD_CTX_free(mdctx); pthread_mutex_unlock(&lock); return result; } int _createmessageauth(unsigned char *rad, unsigned char *authattrval, uint8_t *secret) { + int result = 0; /* Fail. */ static pthread_mutex_t lock = PTHREAD_MUTEX_INITIALIZER; - static unsigned char first = 1; - static HMAC_CTX hmacctx; + static HMAC_CTX *hmacctx = NULL; unsigned int md_len; if (!authattrval) return 1; pthread_mutex_lock(&lock); - if (first) { - HMAC_CTX_init(&hmacctx); - first = 0; - } + hmacctx = HMAC_CTX_new(); + if (!hmacctx) + debugx(1, DBG_ERR, "%s: malloc failed", __func__); memset(authattrval, 0, 16); md_len = 0; - HMAC_Init_ex(&hmacctx, secret, strlen((char *)secret), EVP_md5(), NULL); - HMAC_Update(&hmacctx, rad, RADLEN(rad)); - HMAC_Final(&hmacctx, authattrval, &md_len); + HMAC_Init_ex(hmacctx, secret, strlen((char *)secret), EVP_md5(), NULL); + HMAC_Update(hmacctx, rad, RADLEN(rad)); + HMAC_Final(hmacctx, authattrval, &md_len); if (md_len != 16) { debug(DBG_WARN, "message auth computation failed"); - pthread_mutex_unlock(&lock); - return 0; + goto out; } + result = 1; +out: + HMAC_CTX_free(hmacctx); pthread_mutex_unlock(&lock); - return 1; + return result; } int _radsign(unsigned char *rad, unsigned char *sec) { static pthread_mutex_t lock = PTHREAD_MUTEX_INITIALIZER; - static unsigned char first = 1; - static EVP_MD_CTX mdctx; + EVP_MD_CTX *mdctx = NULL; unsigned int md_len; int result; pthread_mutex_lock(&lock); - if (first) { - EVP_MD_CTX_init(&mdctx); - first = 0; - } - - result = (EVP_DigestInit_ex(&mdctx, EVP_md5(), NULL) && - EVP_DigestUpdate(&mdctx, rad, RADLEN(rad)) && - EVP_DigestUpdate(&mdctx, sec, strlen((char *)sec)) && - EVP_DigestFinal_ex(&mdctx, rad + 4, &md_len) && + mdctx = EVP_MD_CTX_new(); + if (!mdctx) + debugx(1, DBG_ERR, "%s: malloc failed", __func__); + + result = (EVP_DigestInit_ex(mdctx, EVP_md5(), NULL) && + EVP_DigestUpdate(mdctx, rad, RADLEN(rad)) && + EVP_DigestUpdate(mdctx, sec, strlen((char *)sec)) && + EVP_DigestFinal_ex(mdctx, rad + 4, &md_len) && md_len == 16); + EVP_MD_CTX_free(mdctx); pthread_mutex_unlock(&lock); return result; } diff --git a/radsecproxy.c b/radsecproxy.c index e97feae..cbf3cdf 100644 --- a/radsecproxy.c +++ b/radsecproxy.c @@ -544,30 +544,28 @@ void sendreply(struct request *rq) { pthread_mutex_unlock(&to->replyq->mutex); } -int pwdcrypt(char encrypt_flag, uint8_t *in, uint8_t len, char *shared, uint8_t sharedlen, uint8_t *auth) { +static int pwdcrypt(char encrypt_flag, uint8_t *in, uint8_t len, char *shared, uint8_t sharedlen, uint8_t *auth) { + int result = 0; /* Fail. */ static pthread_mutex_t lock = PTHREAD_MUTEX_INITIALIZER; - static unsigned char first = 1; - static EVP_MD_CTX mdctx; + EVP_MD_CTX *mdctx = NULL; unsigned char hash[EVP_MAX_MD_SIZE], *input; unsigned int md_len; uint8_t i, offset = 0, out[128]; pthread_mutex_lock(&lock); - if (first) { - EVP_MD_CTX_init(&mdctx); - first = 0; - } + mdctx = EVP_MD_CTX_new(); + if (!mdctx) + debugx(1, DBG_ERR, "%s: malloc failed", __func__); input = auth; for (;;) { - if (!EVP_DigestInit_ex(&mdctx, EVP_md5(), NULL) || - !EVP_DigestUpdate(&mdctx, (uint8_t *)shared, sharedlen) || - !EVP_DigestUpdate(&mdctx, input, 16) || - !EVP_DigestFinal_ex(&mdctx, hash, &md_len) || + if (!EVP_DigestInit_ex(mdctx, EVP_md5(), NULL) || + !EVP_DigestUpdate(mdctx, (uint8_t *)shared, sharedlen) || + !EVP_DigestUpdate(mdctx, input, 16) || + !EVP_DigestFinal_ex(mdctx, hash, &md_len) || md_len != 16) { - pthread_mutex_unlock(&lock); - return 0; - } + goto out; + } for (i = 0; i < 16; i++) out[offset + i] = hash[i] ^ in[offset + i]; if (encrypt_flag) @@ -579,23 +577,25 @@ int pwdcrypt(char encrypt_flag, uint8_t *in, uint8_t len, char *shared, uint8_t break; } memcpy(in, out, len); + result = 1; +out: + EVP_MD_CTX_free(mdctx); pthread_mutex_unlock(&lock); - return 1; + return result; } -int msmppencrypt(uint8_t *text, uint8_t len, uint8_t *shared, uint8_t sharedlen, uint8_t *auth, uint8_t *salt) { +static int msmppencrypt(uint8_t *text, uint8_t len, uint8_t *shared, uint8_t sharedlen, uint8_t *auth, uint8_t *salt) { + int result = 0; /* Fail. */ static pthread_mutex_t lock = PTHREAD_MUTEX_INITIALIZER; - static unsigned char first = 1; - static EVP_MD_CTX mdctx; + EVP_MD_CTX *mdctx = NULL; unsigned char hash[EVP_MAX_MD_SIZE]; unsigned int md_len; uint8_t i, offset; pthread_mutex_lock(&lock); - if (first) { - EVP_MD_CTX_init(&mdctx); - first = 0; - } + mdctx = EVP_MD_CTX_new(); + if (!mdctx) + debugx(1, DBG_ERR, "%s: malloc failed", __func__); #if 0 printfchars(NULL, "msppencrypt auth in", "%02x ", auth, 16); @@ -603,13 +603,12 @@ int msmppencrypt(uint8_t *text, uint8_t len, uint8_t *shared, uint8_t sharedlen, printfchars(NULL, "msppencrypt in", "%02x ", text, len); #endif - if (!EVP_DigestInit_ex(&mdctx, EVP_md5(), NULL) || - !EVP_DigestUpdate(&mdctx, shared, sharedlen) || - !EVP_DigestUpdate(&mdctx, auth, 16) || - !EVP_DigestUpdate(&mdctx, salt, 2) || - !EVP_DigestFinal_ex(&mdctx, hash, &md_len)) { - pthread_mutex_unlock(&lock); - return 0; + if (!EVP_DigestInit_ex(mdctx, EVP_md5(), NULL) || + !EVP_DigestUpdate(mdctx, shared, sharedlen) || + !EVP_DigestUpdate(mdctx, auth, 16) || + !EVP_DigestUpdate(mdctx, salt, 2) || + !EVP_DigestFinal_ex(mdctx, hash, &md_len)) { + goto out; } #if 0 @@ -624,13 +623,12 @@ int msmppencrypt(uint8_t *text, uint8_t len, uint8_t *shared, uint8_t sharedlen, printf("text + offset - 16 c(%d): ", offset / 16); printfchars(NULL, NULL, "%02x ", text + offset - 16, 16); #endif - if (!EVP_DigestInit_ex(&mdctx, EVP_md5(), NULL) || - !EVP_DigestUpdate(&mdctx, shared, sharedlen) || - !EVP_DigestUpdate(&mdctx, text + offset - 16, 16) || - !EVP_DigestFinal_ex(&mdctx, hash, &md_len) || + if (!EVP_DigestInit_ex(mdctx, EVP_md5(), NULL) || + !EVP_DigestUpdate(mdctx, shared, sharedlen) || + !EVP_DigestUpdate(mdctx, text + offset - 16, 16) || + !EVP_DigestFinal_ex(mdctx, hash, &md_len) || md_len != 16) { - pthread_mutex_unlock(&lock); - return 0; + goto out; } #if 0 printfchars(NULL, "msppencrypt hash", "%02x ", hash, 16); @@ -639,29 +637,31 @@ int msmppencrypt(uint8_t *text, uint8_t len, uint8_t *shared, uint8_t sharedlen, for (i = 0; i < 16; i++) text[offset + i] ^= hash[i]; } + result = 1; #if 0 printfchars(NULL, "msppencrypt out", "%02x ", text, len); #endif +out: + EVP_MD_CTX_free(mdctx); pthread_mutex_unlock(&lock); - return 1; + return result; } -int msmppdecrypt(uint8_t *text, uint8_t len, uint8_t *shared, uint8_t sharedlen, uint8_t *auth, uint8_t *salt) { +static int msmppdecrypt(uint8_t *text, uint8_t len, uint8_t *shared, uint8_t sharedlen, uint8_t *auth, uint8_t *salt) { + int result = 0; /* Fail. */ static pthread_mutex_t lock = PTHREAD_MUTEX_INITIALIZER; - static unsigned char first = 1; - static EVP_MD_CTX mdctx; + EVP_MD_CTX *mdctx = NULL; unsigned char hash[EVP_MAX_MD_SIZE]; unsigned int md_len; uint8_t i, offset; char plain[255]; pthread_mutex_lock(&lock); - if (first) { - EVP_MD_CTX_init(&mdctx); - first = 0; - } + mdctx= EVP_MD_CTX_new(); + if (!mdctx) + debugx(1, DBG_ERR, "%s: malloc failed", __func__); #if 0 printfchars(NULL, "msppdecrypt auth in", "%02x ", auth, 16); @@ -669,13 +669,12 @@ int msmppdecrypt(uint8_t *text, uint8_t len, uint8_t *shared, uint8_t sharedlen, printfchars(NULL, "msppdecrypt in", "%02x ", text, len); #endif - if (!EVP_DigestInit_ex(&mdctx, EVP_md5(), NULL) || - !EVP_DigestUpdate(&mdctx, shared, sharedlen) || - !EVP_DigestUpdate(&mdctx, auth, 16) || - !EVP_DigestUpdate(&mdctx, salt, 2) || - !EVP_DigestFinal_ex(&mdctx, hash, &md_len)) { - pthread_mutex_unlock(&lock); - return 0; + if (!EVP_DigestInit_ex(mdctx, EVP_md5(), NULL) || + !EVP_DigestUpdate(mdctx, shared, sharedlen) || + !EVP_DigestUpdate(mdctx, auth, 16) || + !EVP_DigestUpdate(mdctx, salt, 2) || + !EVP_DigestFinal_ex(mdctx, hash, &md_len)) { + goto out; } #if 0 @@ -690,13 +689,12 @@ int msmppdecrypt(uint8_t *text, uint8_t len, uint8_t *shared, uint8_t sharedlen, printf("text + offset - 16 c(%d): ", offset / 16); printfchars(NULL, NULL, "%02x ", text + offset - 16, 16); #endif - if (!EVP_DigestInit_ex(&mdctx, EVP_md5(), NULL) || - !EVP_DigestUpdate(&mdctx, shared, sharedlen) || - !EVP_DigestUpdate(&mdctx, text + offset - 16, 16) || - !EVP_DigestFinal_ex(&mdctx, hash, &md_len) || + if (!EVP_DigestInit_ex(mdctx, EVP_md5(), NULL) || + !EVP_DigestUpdate(mdctx, shared, sharedlen) || + !EVP_DigestUpdate(mdctx, text + offset - 16, 16) || + !EVP_DigestFinal_ex(mdctx, hash, &md_len) || md_len != 16) { - pthread_mutex_unlock(&lock); - return 0; + goto out; } #if 0 printfchars(NULL, "msppdecrypt hash", "%02x ", hash, 16); @@ -707,12 +705,15 @@ int msmppdecrypt(uint8_t *text, uint8_t len, uint8_t *shared, uint8_t sharedlen, } memcpy(text, plain, len); + result = 1; #if 0 printfchars(NULL, "msppdecrypt out", "%02x ", text, len); #endif +out: + EVP_MD_CTX_free(mdctx); pthread_mutex_unlock(&lock); - return 1; + return result; } struct realm *newrealmref(struct realm *r) { |