summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorLinus Nordberg <linus@nordu.net>2016-09-01 16:09:09 +0200
committerLinus Nordberg <linus@nordu.net>2016-09-21 13:15:11 +0200
commit759018a92fea0efc8d897dbd2e112044d19ff15b (patch)
tree81b0f3a826f72a2bb92508c073fa574d09ec42ba
parent0a522fd74cf10a86749d85dde3086ee575a56efe (diff)
EVP_MD_CTX and HMAC_CTX are now pointers.
NOTE: pwdcrypt(), msmppencrypt(), msmppdecrypt(), _checkmsgauth(), _validauth() _createmessageauth() and _radsign() all become slightly more expensive since we're now allocating and freeing an EVP_MD_CTX or HMAC_CTX on each invocation.
-rw-r--r--radmsg.c97
-rw-r--r--radsecproxy.c115
2 files changed, 106 insertions, 106 deletions
diff --git a/radmsg.c b/radmsg.c
index cd01861..514d5d3 100644
--- a/radmsg.c
+++ b/radmsg.c
@@ -122,116 +122,115 @@ int radmsg_copy_attrs(struct radmsg *dst,
}
int _checkmsgauth(unsigned char *rad, uint8_t *authattr, uint8_t *secret) {
+ int result = 0; /* Fail. */
static pthread_mutex_t lock = PTHREAD_MUTEX_INITIALIZER;
- static unsigned char first = 1;
- static HMAC_CTX hmacctx;
+ HMAC_CTX *hmacctx = NULL;
unsigned int md_len;
uint8_t auth[16], hash[EVP_MAX_MD_SIZE];
pthread_mutex_lock(&lock);
- if (first) {
- HMAC_CTX_init(&hmacctx);
- first = 0;
- }
memcpy(auth, authattr, 16);
memset(authattr, 0, 16);
md_len = 0;
- HMAC_Init_ex(&hmacctx, secret, strlen((char *)secret), EVP_md5(), NULL);
- HMAC_Update(&hmacctx, rad, RADLEN(rad));
- HMAC_Final(&hmacctx, hash, &md_len);
+ hmacctx = HMAC_CTX_new();
+ if (!hmacctx)
+ debugx(1, DBG_ERR, "%s: malloc failed", __func__);
+ HMAC_Init_ex(hmacctx, secret, strlen((char *)secret), EVP_md5(), NULL);
+ HMAC_Update(hmacctx, rad, RADLEN(rad));
+ HMAC_Final(hmacctx, hash, &md_len);
memcpy(authattr, auth, 16);
if (md_len != 16) {
debug(DBG_WARN, "message auth computation failed");
- pthread_mutex_unlock(&lock);
- return 0;
+ goto out;
}
if (memcmp(auth, hash, 16)) {
debug(DBG_WARN, "message authenticator, wrong value");
- pthread_mutex_unlock(&lock);
- return 0;
+ goto out;
}
+ result = 1;
+out:
+ HMAC_CTX_free(hmacctx);
pthread_mutex_unlock(&lock);
- return 1;
+ return result;
}
int _validauth(unsigned char *rad, unsigned char *reqauth, unsigned char *sec) {
static pthread_mutex_t lock = PTHREAD_MUTEX_INITIALIZER;
- static unsigned char first = 1;
- static EVP_MD_CTX mdctx;
+ EVP_MD_CTX *mdctx = NULL;
unsigned char hash[EVP_MAX_MD_SIZE];
unsigned int len;
int result;
pthread_mutex_lock(&lock);
- if (first) {
- EVP_MD_CTX_init(&mdctx);
- first = 0;
- }
+ mdctx = EVP_MD_CTX_new();
+ if (!mdctx)
+ debugx(1, DBG_ERR, "%s: malloc failed", __func__);
len = RADLEN(rad);
- result = (EVP_DigestInit_ex(&mdctx, EVP_md5(), NULL) &&
- EVP_DigestUpdate(&mdctx, rad, 4) &&
- EVP_DigestUpdate(&mdctx, reqauth, 16) &&
- (len <= 20 || EVP_DigestUpdate(&mdctx, rad + 20, len - 20)) &&
- EVP_DigestUpdate(&mdctx, sec, strlen((char *)sec)) &&
- EVP_DigestFinal_ex(&mdctx, hash, &len) &&
+ result = (EVP_DigestInit_ex(mdctx, EVP_md5(), NULL) &&
+ EVP_DigestUpdate(mdctx, rad, 4) &&
+ EVP_DigestUpdate(mdctx, reqauth, 16) &&
+ (len <= 20 || EVP_DigestUpdate(mdctx, rad + 20, len - 20)) &&
+ EVP_DigestUpdate(mdctx, sec, strlen((char *)sec)) &&
+ EVP_DigestFinal_ex(mdctx, hash, &len) &&
len == 16 &&
!memcmp(hash, rad + 4, 16));
+ EVP_MD_CTX_free(mdctx);
pthread_mutex_unlock(&lock);
return result;
}
int _createmessageauth(unsigned char *rad, unsigned char *authattrval, uint8_t *secret) {
+ int result = 0; /* Fail. */
static pthread_mutex_t lock = PTHREAD_MUTEX_INITIALIZER;
- static unsigned char first = 1;
- static HMAC_CTX hmacctx;
+ static HMAC_CTX *hmacctx = NULL;
unsigned int md_len;
if (!authattrval)
return 1;
pthread_mutex_lock(&lock);
- if (first) {
- HMAC_CTX_init(&hmacctx);
- first = 0;
- }
+ hmacctx = HMAC_CTX_new();
+ if (!hmacctx)
+ debugx(1, DBG_ERR, "%s: malloc failed", __func__);
memset(authattrval, 0, 16);
md_len = 0;
- HMAC_Init_ex(&hmacctx, secret, strlen((char *)secret), EVP_md5(), NULL);
- HMAC_Update(&hmacctx, rad, RADLEN(rad));
- HMAC_Final(&hmacctx, authattrval, &md_len);
+ HMAC_Init_ex(hmacctx, secret, strlen((char *)secret), EVP_md5(), NULL);
+ HMAC_Update(hmacctx, rad, RADLEN(rad));
+ HMAC_Final(hmacctx, authattrval, &md_len);
if (md_len != 16) {
debug(DBG_WARN, "message auth computation failed");
- pthread_mutex_unlock(&lock);
- return 0;
+ goto out;
}
+ result = 1;
+out:
+ HMAC_CTX_free(hmacctx);
pthread_mutex_unlock(&lock);
- return 1;
+ return result;
}
int _radsign(unsigned char *rad, unsigned char *sec) {
static pthread_mutex_t lock = PTHREAD_MUTEX_INITIALIZER;
- static unsigned char first = 1;
- static EVP_MD_CTX mdctx;
+ EVP_MD_CTX *mdctx = NULL;
unsigned int md_len;
int result;
pthread_mutex_lock(&lock);
- if (first) {
- EVP_MD_CTX_init(&mdctx);
- first = 0;
- }
-
- result = (EVP_DigestInit_ex(&mdctx, EVP_md5(), NULL) &&
- EVP_DigestUpdate(&mdctx, rad, RADLEN(rad)) &&
- EVP_DigestUpdate(&mdctx, sec, strlen((char *)sec)) &&
- EVP_DigestFinal_ex(&mdctx, rad + 4, &md_len) &&
+ mdctx = EVP_MD_CTX_new();
+ if (!mdctx)
+ debugx(1, DBG_ERR, "%s: malloc failed", __func__);
+
+ result = (EVP_DigestInit_ex(mdctx, EVP_md5(), NULL) &&
+ EVP_DigestUpdate(mdctx, rad, RADLEN(rad)) &&
+ EVP_DigestUpdate(mdctx, sec, strlen((char *)sec)) &&
+ EVP_DigestFinal_ex(mdctx, rad + 4, &md_len) &&
md_len == 16);
+ EVP_MD_CTX_free(mdctx);
pthread_mutex_unlock(&lock);
return result;
}
diff --git a/radsecproxy.c b/radsecproxy.c
index e97feae..cbf3cdf 100644
--- a/radsecproxy.c
+++ b/radsecproxy.c
@@ -544,30 +544,28 @@ void sendreply(struct request *rq) {
pthread_mutex_unlock(&to->replyq->mutex);
}
-int pwdcrypt(char encrypt_flag, uint8_t *in, uint8_t len, char *shared, uint8_t sharedlen, uint8_t *auth) {
+static int pwdcrypt(char encrypt_flag, uint8_t *in, uint8_t len, char *shared, uint8_t sharedlen, uint8_t *auth) {
+ int result = 0; /* Fail. */
static pthread_mutex_t lock = PTHREAD_MUTEX_INITIALIZER;
- static unsigned char first = 1;
- static EVP_MD_CTX mdctx;
+ EVP_MD_CTX *mdctx = NULL;
unsigned char hash[EVP_MAX_MD_SIZE], *input;
unsigned int md_len;
uint8_t i, offset = 0, out[128];
pthread_mutex_lock(&lock);
- if (first) {
- EVP_MD_CTX_init(&mdctx);
- first = 0;
- }
+ mdctx = EVP_MD_CTX_new();
+ if (!mdctx)
+ debugx(1, DBG_ERR, "%s: malloc failed", __func__);
input = auth;
for (;;) {
- if (!EVP_DigestInit_ex(&mdctx, EVP_md5(), NULL) ||
- !EVP_DigestUpdate(&mdctx, (uint8_t *)shared, sharedlen) ||
- !EVP_DigestUpdate(&mdctx, input, 16) ||
- !EVP_DigestFinal_ex(&mdctx, hash, &md_len) ||
+ if (!EVP_DigestInit_ex(mdctx, EVP_md5(), NULL) ||
+ !EVP_DigestUpdate(mdctx, (uint8_t *)shared, sharedlen) ||
+ !EVP_DigestUpdate(mdctx, input, 16) ||
+ !EVP_DigestFinal_ex(mdctx, hash, &md_len) ||
md_len != 16) {
- pthread_mutex_unlock(&lock);
- return 0;
- }
+ goto out;
+ }
for (i = 0; i < 16; i++)
out[offset + i] = hash[i] ^ in[offset + i];
if (encrypt_flag)
@@ -579,23 +577,25 @@ int pwdcrypt(char encrypt_flag, uint8_t *in, uint8_t len, char *shared, uint8_t
break;
}
memcpy(in, out, len);
+ result = 1;
+out:
+ EVP_MD_CTX_free(mdctx);
pthread_mutex_unlock(&lock);
- return 1;
+ return result;
}
-int msmppencrypt(uint8_t *text, uint8_t len, uint8_t *shared, uint8_t sharedlen, uint8_t *auth, uint8_t *salt) {
+static int msmppencrypt(uint8_t *text, uint8_t len, uint8_t *shared, uint8_t sharedlen, uint8_t *auth, uint8_t *salt) {
+ int result = 0; /* Fail. */
static pthread_mutex_t lock = PTHREAD_MUTEX_INITIALIZER;
- static unsigned char first = 1;
- static EVP_MD_CTX mdctx;
+ EVP_MD_CTX *mdctx = NULL;
unsigned char hash[EVP_MAX_MD_SIZE];
unsigned int md_len;
uint8_t i, offset;
pthread_mutex_lock(&lock);
- if (first) {
- EVP_MD_CTX_init(&mdctx);
- first = 0;
- }
+ mdctx = EVP_MD_CTX_new();
+ if (!mdctx)
+ debugx(1, DBG_ERR, "%s: malloc failed", __func__);
#if 0
printfchars(NULL, "msppencrypt auth in", "%02x ", auth, 16);
@@ -603,13 +603,12 @@ int msmppencrypt(uint8_t *text, uint8_t len, uint8_t *shared, uint8_t sharedlen,
printfchars(NULL, "msppencrypt in", "%02x ", text, len);
#endif
- if (!EVP_DigestInit_ex(&mdctx, EVP_md5(), NULL) ||
- !EVP_DigestUpdate(&mdctx, shared, sharedlen) ||
- !EVP_DigestUpdate(&mdctx, auth, 16) ||
- !EVP_DigestUpdate(&mdctx, salt, 2) ||
- !EVP_DigestFinal_ex(&mdctx, hash, &md_len)) {
- pthread_mutex_unlock(&lock);
- return 0;
+ if (!EVP_DigestInit_ex(mdctx, EVP_md5(), NULL) ||
+ !EVP_DigestUpdate(mdctx, shared, sharedlen) ||
+ !EVP_DigestUpdate(mdctx, auth, 16) ||
+ !EVP_DigestUpdate(mdctx, salt, 2) ||
+ !EVP_DigestFinal_ex(mdctx, hash, &md_len)) {
+ goto out;
}
#if 0
@@ -624,13 +623,12 @@ int msmppencrypt(uint8_t *text, uint8_t len, uint8_t *shared, uint8_t sharedlen,
printf("text + offset - 16 c(%d): ", offset / 16);
printfchars(NULL, NULL, "%02x ", text + offset - 16, 16);
#endif
- if (!EVP_DigestInit_ex(&mdctx, EVP_md5(), NULL) ||
- !EVP_DigestUpdate(&mdctx, shared, sharedlen) ||
- !EVP_DigestUpdate(&mdctx, text + offset - 16, 16) ||
- !EVP_DigestFinal_ex(&mdctx, hash, &md_len) ||
+ if (!EVP_DigestInit_ex(mdctx, EVP_md5(), NULL) ||
+ !EVP_DigestUpdate(mdctx, shared, sharedlen) ||
+ !EVP_DigestUpdate(mdctx, text + offset - 16, 16) ||
+ !EVP_DigestFinal_ex(mdctx, hash, &md_len) ||
md_len != 16) {
- pthread_mutex_unlock(&lock);
- return 0;
+ goto out;
}
#if 0
printfchars(NULL, "msppencrypt hash", "%02x ", hash, 16);
@@ -639,29 +637,31 @@ int msmppencrypt(uint8_t *text, uint8_t len, uint8_t *shared, uint8_t sharedlen,
for (i = 0; i < 16; i++)
text[offset + i] ^= hash[i];
}
+ result = 1;
#if 0
printfchars(NULL, "msppencrypt out", "%02x ", text, len);
#endif
+out:
+ EVP_MD_CTX_free(mdctx);
pthread_mutex_unlock(&lock);
- return 1;
+ return result;
}
-int msmppdecrypt(uint8_t *text, uint8_t len, uint8_t *shared, uint8_t sharedlen, uint8_t *auth, uint8_t *salt) {
+static int msmppdecrypt(uint8_t *text, uint8_t len, uint8_t *shared, uint8_t sharedlen, uint8_t *auth, uint8_t *salt) {
+ int result = 0; /* Fail. */
static pthread_mutex_t lock = PTHREAD_MUTEX_INITIALIZER;
- static unsigned char first = 1;
- static EVP_MD_CTX mdctx;
+ EVP_MD_CTX *mdctx = NULL;
unsigned char hash[EVP_MAX_MD_SIZE];
unsigned int md_len;
uint8_t i, offset;
char plain[255];
pthread_mutex_lock(&lock);
- if (first) {
- EVP_MD_CTX_init(&mdctx);
- first = 0;
- }
+ mdctx= EVP_MD_CTX_new();
+ if (!mdctx)
+ debugx(1, DBG_ERR, "%s: malloc failed", __func__);
#if 0
printfchars(NULL, "msppdecrypt auth in", "%02x ", auth, 16);
@@ -669,13 +669,12 @@ int msmppdecrypt(uint8_t *text, uint8_t len, uint8_t *shared, uint8_t sharedlen,
printfchars(NULL, "msppdecrypt in", "%02x ", text, len);
#endif
- if (!EVP_DigestInit_ex(&mdctx, EVP_md5(), NULL) ||
- !EVP_DigestUpdate(&mdctx, shared, sharedlen) ||
- !EVP_DigestUpdate(&mdctx, auth, 16) ||
- !EVP_DigestUpdate(&mdctx, salt, 2) ||
- !EVP_DigestFinal_ex(&mdctx, hash, &md_len)) {
- pthread_mutex_unlock(&lock);
- return 0;
+ if (!EVP_DigestInit_ex(mdctx, EVP_md5(), NULL) ||
+ !EVP_DigestUpdate(mdctx, shared, sharedlen) ||
+ !EVP_DigestUpdate(mdctx, auth, 16) ||
+ !EVP_DigestUpdate(mdctx, salt, 2) ||
+ !EVP_DigestFinal_ex(mdctx, hash, &md_len)) {
+ goto out;
}
#if 0
@@ -690,13 +689,12 @@ int msmppdecrypt(uint8_t *text, uint8_t len, uint8_t *shared, uint8_t sharedlen,
printf("text + offset - 16 c(%d): ", offset / 16);
printfchars(NULL, NULL, "%02x ", text + offset - 16, 16);
#endif
- if (!EVP_DigestInit_ex(&mdctx, EVP_md5(), NULL) ||
- !EVP_DigestUpdate(&mdctx, shared, sharedlen) ||
- !EVP_DigestUpdate(&mdctx, text + offset - 16, 16) ||
- !EVP_DigestFinal_ex(&mdctx, hash, &md_len) ||
+ if (!EVP_DigestInit_ex(mdctx, EVP_md5(), NULL) ||
+ !EVP_DigestUpdate(mdctx, shared, sharedlen) ||
+ !EVP_DigestUpdate(mdctx, text + offset - 16, 16) ||
+ !EVP_DigestFinal_ex(mdctx, hash, &md_len) ||
md_len != 16) {
- pthread_mutex_unlock(&lock);
- return 0;
+ goto out;
}
#if 0
printfchars(NULL, "msppdecrypt hash", "%02x ", hash, 16);
@@ -707,12 +705,15 @@ int msmppdecrypt(uint8_t *text, uint8_t len, uint8_t *shared, uint8_t sharedlen,
}
memcpy(text, plain, len);
+ result = 1;
#if 0
printfchars(NULL, "msppdecrypt out", "%02x ", text, len);
#endif
+out:
+ EVP_MD_CTX_free(mdctx);
pthread_mutex_unlock(&lock);
- return 1;
+ return result;
}
struct realm *newrealmref(struct realm *r) {