From 849179ba2739ab9a0ad079384b125d9c1745db5f Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Tue, 26 Jun 2012 14:52:46 +0200 Subject: SSL cleanup: use crypto functions through the sslgen layer curl_ntlm_msgs.c would previously use an #ifdef maze and direct SSL-library calls instead of using the SSL layer we have for this purpose. --- lib/curl_ntlm_msgs.c | 94 +++++----------------------------------------------- lib/gtls.c | 32 ++++++++++++++++++ lib/gtls.h | 12 ++++++- lib/nss.c | 20 +++++++++++ lib/nssg.h | 13 +++++++- lib/sslgen.c | 15 +++++++++ lib/sslgen.h | 12 +++++++ lib/ssluse.c | 20 +++++++++++ lib/ssluse.h | 10 +++++- 9 files changed, 139 insertions(+), 89 deletions(-) (limited to 'lib') diff --git a/lib/curl_ntlm_msgs.c b/lib/curl_ntlm_msgs.c index 4c4dcfde6..c17880bb4 100644 --- a/lib/curl_ntlm_msgs.c +++ b/lib/curl_ntlm_msgs.c @@ -33,56 +33,6 @@ #define DEBUG_ME 0 -#ifdef USE_SSLEAY - -# ifdef USE_OPENSSL -# include -# ifndef OPENSSL_NO_MD4 -# include -# endif -# include -# include -# include -# else -# include -# ifndef OPENSSL_NO_MD4 -# include -# endif -# include -# include -# include -# endif -# include "ssluse.h" - -#elif defined(USE_GNUTLS_NETTLE) - -# include -# include -# include -# define MD5_DIGEST_LENGTH 16 - -#elif defined(USE_GNUTLS) - -# include -# include "gtls.h" -# define MD5_DIGEST_LENGTH 16 -# define MD4_DIGEST_LENGTH 16 - -#elif defined(USE_NSS) - -# include -# include -# include -# include "nssg.h" -# include "curl_md4.h" -# define MD5_DIGEST_LENGTH MD5_LENGTH - -#elif defined(USE_WINDOWS_SSPI) -# include "curl_sspi.h" -#else -# error "Can't compile NTLM support without a crypto library." -#endif - #include "urldata.h" #include "non-ascii.h" #include "sendf.h" @@ -92,6 +42,12 @@ #include "curl_multibyte.h" #include "curl_memory.h" +#if defined(USE_WINDOWS_SSPI) +# include "curl_sspi.h" +#endif + +#include "sslgen.h" + #define BUILDING_CURL_NTLM_MSGS_C #include "curl_ntlm_msgs.h" @@ -727,23 +683,7 @@ CURLcode Curl_ntlm_create_type3_message(struct SessionHandle *data, unsigned char entropy[8]; /* Need to create 8 bytes random data */ -#ifdef USE_SSLEAY - MD5_CTX MD5pw; - Curl_ossl_seed(data); /* Initiate the seed if not already done */ - RAND_bytes(entropy, 8); -#elif defined(USE_GNUTLS_NETTLE) - struct md5_ctx MD5pw; - gnutls_rnd(GNUTLS_RND_RANDOM, entropy, 8); -#elif defined(USE_GNUTLS) - gcry_md_hd_t MD5pw; - Curl_gtls_seed(data); /* Initiate the seed if not already done */ - gcry_randomize(entropy, 8, GCRY_STRONG_RANDOM); -#elif defined(USE_NSS) - PK11Context *MD5pw; - unsigned int MD5len; - Curl_nss_seed(data); /* Initiate the seed if not already done */ - PK11_GenerateRandom(entropy, 8); -#endif + Curl_ssl_random(data, entropy, sizeof(entropy)); /* 8 bytes random data as challenge in lmresp */ memcpy(lmresp, entropy, 8); @@ -755,25 +695,7 @@ CURLcode Curl_ntlm_create_type3_message(struct SessionHandle *data, memcpy(tmp, &ntlm->nonce[0], 8); memcpy(tmp + 8, entropy, 8); -#ifdef USE_SSLEAY - MD5_Init(&MD5pw); - MD5_Update(&MD5pw, tmp, 16); - MD5_Final(md5sum, &MD5pw); -#elif defined(USE_GNUTLS_NETTLE) - md5_init(&MD5pw); - md5_update(&MD5pw, 16, tmp); - md5_digest(&MD5pw, 16, md5sum); -#elif defined(USE_GNUTLS) - gcry_md_open(&MD5pw, GCRY_MD_MD5, 0); - gcry_md_write(MD5pw, tmp, MD5_DIGEST_LENGTH); - memcpy(md5sum, gcry_md_read (MD5pw, 0), MD5_DIGEST_LENGTH); - gcry_md_close(MD5pw); -#elif defined(USE_NSS) - MD5pw = PK11_CreateDigestContext(SEC_OID_MD5); - PK11_DigestOp(MD5pw, tmp, 16); - PK11_DigestFinal(MD5pw, md5sum, &MD5len, MD5_DIGEST_LENGTH); - PK11_DestroyContext(MD5pw, PR_TRUE); -#endif + Curl_ssl_md5sum(tmp, 16, md5sum, MD5_DIGEST_LENGTH); /* We shall only use the first 8 bytes of md5sum, but the des code in Curl_ntlm_core_lm_resp only encrypt the first 8 bytes */ diff --git a/lib/gtls.c b/lib/gtls.c index f77bbc5fd..d981ef1eb 100644 --- a/lib/gtls.c +++ b/lib/gtls.c @@ -1060,4 +1060,36 @@ int Curl_gtls_seed(struct SessionHandle *data) return 0; } +void Curl_gtls_random(struct SessionHandle *data, + unsigned char *entropy, + size_t length) +{ +#if defined(USE_GNUTLS_NETTLE) + (void)data; + gnutls_rnd(GNUTLS_RND_RANDOM, entropy, length); +#elif defined(USE_GNUTLS) + Curl_gtls_seed(data); /* Initiate the seed if not already done */ + gcry_randomize(entropy, length, GCRY_STRONG_RANDOM); +#endif +} + +void Curl_gtls_md5sum(unsigned char *tmp, /* input */ + size_t tmplen, + unsigned char *md5sum, /* output */ + size_t md5len) +{ +#if defined(USE_GNUTLS_NETTLE) + struct md5_ctx MD5pw; + md5_init(&MD5pw); + md5_update(&MD5pw, tmplen, tmp); + md5_digest(&MD5pw, md5len, md5sum); +#elif defined(USE_GNUTLS) + gcry_md_hd_t MD5pw; + gcry_md_open(&MD5pw, GCRY_MD_MD5, 0); + gcry_md_write(MD5pw, tmp, tmplen); + memcpy(md5sum, gcry_md_read (MD5pw, 0), md5len); + gcry_md_close(MD5pw); +#endif +} + #endif /* USE_GNUTLS */ diff --git a/lib/gtls.h b/lib/gtls.h index 733122e6c..45b755a0e 100644 --- a/lib/gtls.h +++ b/lib/gtls.h @@ -7,7 +7,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2011, Daniel Stenberg, , et al. + * Copyright (C) 1998 - 2012, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -47,6 +47,14 @@ size_t Curl_gtls_version(char *buffer, size_t size); int Curl_gtls_shutdown(struct connectdata *conn, int sockindex); int Curl_gtls_seed(struct SessionHandle *data); +void Curl_gtls_random(struct SessionHandle *data, + unsigned char *entropy, + size_t length); +void Curl_gtls_md5sum(unsigned char *tmp, /* input */ + size_t tmplen, + unsigned char *md5sum, /* output */ + size_t md5len); + /* API setup for GnuTLS */ #define curlssl_init Curl_gtls_init #define curlssl_cleanup Curl_gtls_cleanup @@ -62,6 +70,8 @@ int Curl_gtls_seed(struct SessionHandle *data); #define curlssl_version Curl_gtls_version #define curlssl_check_cxn(x) (x=x, -1) #define curlssl_data_pending(x,y) (x=x, y=y, 0) +#define curlssl_random(x,y,z) Curl_gtls_random(x,y,z) +#define curlssl_md5sum(a,b,c,d) Curl_gtls_md5sum(a,b,c,d) #endif /* USE_GNUTLS */ #endif /* HEADER_CURL_GTLS_H */ diff --git a/lib/nss.c b/lib/nss.c index d60b18479..cb742c1b0 100644 --- a/lib/nss.c +++ b/lib/nss.c @@ -1533,4 +1533,24 @@ int Curl_nss_seed(struct SessionHandle *data) return 0; } +void Curl_nss_random(struct SessionHandle *data, + unsigned char *entropy, + size_t length) +{ + Curl_nss_seed(data); /* Initiate the seed if not already done */ + PK11_GenerateRandom(entropy, length); +} + +void Curl_nss_md5sum(unsigned char *tmp, /* input */ + size_t tmplen, + unsigned char *md5sum, /* output */ + size_t md5len) +{ + PK11Context *MD5pw = PK11_CreateDigestContext(SEC_OID_MD5); + unsigned int MD5out; + PK11_DigestOp(MD5pw, tmp, tmplen); + PK11_DigestFinal(MD5pw, md5sum, &MD5out, md5len); + PK11_DestroyContext(MD5pw, PR_TRUE); +} + #endif /* USE_NSS */ diff --git a/lib/nssg.h b/lib/nssg.h index 4d7df5efa..647b7bb28 100644 --- a/lib/nssg.h +++ b/lib/nssg.h @@ -7,7 +7,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2011, Daniel Stenberg, , et al. + * Copyright (C) 1998 - 2012, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -51,6 +51,15 @@ int Curl_nss_seed(struct SessionHandle *data); /* initialize NSS library if not already */ CURLcode Curl_nss_force_init(struct SessionHandle *data); +void Curl_nss_random(struct SessionHandle *data, + unsigned char *entropy, + size_t length); + +void Curl_nss_md5sum(unsigned char *tmp, /* input */ + size_t tmplen, + unsigned char *md5sum, /* output */ + size_t md5len); + /* API setup for NSS */ #define curlssl_init Curl_nss_init #define curlssl_cleanup Curl_nss_cleanup @@ -68,6 +77,8 @@ CURLcode Curl_nss_force_init(struct SessionHandle *data); #define curlssl_version Curl_nss_version #define curlssl_check_cxn(x) Curl_nss_check_cxn(x) #define curlssl_data_pending(x,y) (x=x, y=y, 0) +#define curlssl_random(x,y,z) Curl_nss_random(x,y,z) +#define curlssl_md5sum(a,b,c,d) Curl_nss_md5sum(a,b,c,d) #endif /* USE_NSS */ #endif /* HEADER_CURL_NSSG_H */ diff --git a/lib/sslgen.c b/lib/sslgen.c index 8cf91f001..286c5ab23 100644 --- a/lib/sslgen.c +++ b/lib/sslgen.c @@ -521,4 +521,19 @@ void Curl_ssl_free_certinfo(struct SessionHandle *data) ci->num_of_certs = 0; } } + +void Curl_ssl_random(struct SessionHandle *data, + unsigned char *entropy, + size_t length) +{ + curlssl_random(data, entropy, length); +} + +void Curl_ssl_md5sum(unsigned char *tmp, /* input */ + size_t tmplen, + unsigned char *md5sum, /* output */ + size_t md5len) +{ + curlssl_md5sum(tmp, tmplen, md5sum, md5len); +} #endif /* USE_SSL */ diff --git a/lib/sslgen.h b/lib/sslgen.h index 1984a0d53..2369b552c 100644 --- a/lib/sslgen.h +++ b/lib/sslgen.h @@ -23,6 +23,10 @@ ***************************************************************************/ #include "setup.h" +#ifndef MD5_DIGEST_LENGTH +#define MD5_DIGEST_LENGTH 16 /* fixed size */ +#endif + bool Curl_ssl_config_matches(struct ssl_config_data* data, struct ssl_config_data* needle); bool Curl_clone_ssl_config(struct ssl_config_data* source, @@ -69,6 +73,14 @@ void Curl_ssl_kill_session(struct curl_ssl_session *session); /* delete a session from the cache */ void Curl_ssl_delsessionid(struct connectdata *conn, void *ssl_sessionid); +/* get N random bytes into the buffer */ +void Curl_ssl_random(struct SessionHandle *data, unsigned char *buffer, + size_t length); +void Curl_ssl_md5sum(unsigned char *tmp, /* input */ + size_t tmplen, + unsigned char *md5sum, /* output */ + size_t md5len); + #define SSL_SHUTDOWN_TIMEOUT 10000 /* ms */ #else diff --git a/lib/ssluse.c b/lib/ssluse.c index 7a9f3e084..75ed134c5 100644 --- a/lib/ssluse.c +++ b/lib/ssluse.c @@ -62,6 +62,7 @@ #include #include #include +#include #else #include #include @@ -2786,4 +2787,23 @@ size_t Curl_ossl_version(char *buffer, size_t size) #endif /* YASSL_VERSION */ } + +void Curl_ossl_random(struct SessionHandle *data, unsigned char *entropy, + size_t length) +{ + Curl_ossl_seed(data); /* Initiate the seed if not already done */ + RAND_bytes(entropy, length); +} + +void Curl_ossl_md5sum(unsigned char *tmp, /* input */ + size_t tmplen, + unsigned char *md5sum /* output */, + size_t unused) +{ + MD5_CTX MD5pw; + (void)unused; + MD5_Init(&MD5pw); + MD5_Update(&MD5pw, tmp, tmplen); + MD5_Final(md5sum, &MD5pw); +} #endif /* USE_SSLEAY */ diff --git a/lib/ssluse.h b/lib/ssluse.h index 732ec7c72..5375a6a65 100644 --- a/lib/ssluse.h +++ b/lib/ssluse.h @@ -7,7 +7,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2010, Daniel Stenberg, , et al. + * Copyright (C) 1998 - 2012, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -66,6 +66,12 @@ int Curl_ossl_seed(struct SessionHandle *data); int Curl_ossl_shutdown(struct connectdata *conn, int sockindex); bool Curl_ossl_data_pending(const struct connectdata *conn, int connindex); +void Curl_ossl_random(struct SessionHandle *data, unsigned char *entropy, + size_t length); +void Curl_ossl_md5sum(unsigned char *tmp, /* input */ + size_t tmplen, + unsigned char *md5sum /* output */, + size_t unused); /* API setup for OpenSSL */ #define curlssl_init Curl_ossl_init @@ -82,6 +88,8 @@ bool Curl_ossl_data_pending(const struct connectdata *conn, #define curlssl_version Curl_ossl_version #define curlssl_check_cxn Curl_ossl_check_cxn #define curlssl_data_pending(x,y) Curl_ossl_data_pending(x,y) +#define curlssl_random(x,y,z) Curl_ossl_random(x,y,z) +#define curlssl_md5sum(a,b,c,d) Curl_ossl_md5sum(a,b,c,d) #endif /* USE_SSLEAY */ #endif /* HEADER_CURL_SSLUSE_H */ -- cgit v1.2.3