diff options
author | Erik de Jong <erikdejong@gmail.com> | 2017-02-13 19:31:26 +0100 |
---|---|---|
committer | Peter Wu <peter@lekensteyn.nl> | 2017-03-02 23:58:05 +0000 |
commit | f1c75cf6ef7e9f9de1ec7fd798df941b972ec71c (patch) | |
tree | 7d7c2f66bf7595e010026d6f4d3b3a53175af824 /epan/dissectors/packet-spnego.c | |
parent | 4bd3c4d44ddcdf8e98fdf08a425e3a68e9b18395 (diff) |
Rewrite dissectors to use Libgcrypt functions.
As discussed on the mailinglist, rewriting dissectors to use Libgcrypt
functions as Libgcrypt will be mandatory after change 20030.
Removal of following functions:
- crypt_md4
- crypt_rc4*
- aes_cmac_encrypt_*
- md5_*
- sha1_*
- sha256_*
Further candidates:
- aes_*
- rijndael_*
- ...
Added functions:
- ws_hmac_buffer
Added const macros:
- HASH_MD5_LENGTH
- HASH_SHA1_LENGTH
Changes on epan/crypt/* verified with captures from
https://wiki.wireshark.org/HowToDecrypt802.11
Changes on packet-snmp.c and packet-radius.c verified with captures from
https://wiki.wireshark.org/SampleCapture
Changes on packet-tacacs.c verified with capture from
http://ccie-in-3-months.blogspot.nl/2009/04/decoding-login-credentials-regardless.html
Change-Id: Iea6ba2bf207cf0f1bf2117068fb1abcfeaafaa46
Link: https://www.wireshark.org/lists/wireshark-dev/201702/msg00011.html
Reviewed-on: https://code.wireshark.org/review/20095
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Diffstat (limited to 'epan/dissectors/packet-spnego.c')
-rw-r--r-- | epan/dissectors/packet-spnego.c | 89 |
1 files changed, 56 insertions, 33 deletions
diff --git a/epan/dissectors/packet-spnego.c b/epan/dissectors/packet-spnego.c index 9c96f23fd4..df7e3ddf3f 100644 --- a/epan/dissectors/packet-spnego.c +++ b/epan/dissectors/packet-spnego.c @@ -44,7 +44,7 @@ #include <epan/asn1.h> #include <epan/conversation.h> #include <epan/proto_data.h> -#include <wsutil/rc4.h> +#include <wsutil/wsgcrypt.h> #include "packet-dcerpc.h" #include "packet-gssapi.h" #include "packet-kerberos.h" @@ -766,8 +766,6 @@ dissect_spnego_krb5(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* d } #ifdef HAVE_KERBEROS -#include <wsutil/md5.h> - #ifndef KEYTYPE_ARCFOUR_56 # define KEYTYPE_ARCFOUR_56 24 #endif @@ -784,23 +782,25 @@ arcfour_mic_key(const guint8 *key_data, size_t key_size, int key_type, const guint8 *cksum_data, size_t cksum_size, guint8 *key6_data) { - guint8 k5_data[16]; - guint8 T[4]; - - memset(T, 0, 4); + guint8 k5_data[HASH_MD5_LENGTH]; + guint8 T[4] = { 0 }; if (key_type == KEYTYPE_ARCFOUR_56) { guint8 L40[14] = "fortybits"; - memcpy(L40 + 10, T, sizeof(T)); - md5_hmac(L40, 14, key_data, key_size, k5_data); + if (ws_hmac_buffer(GCRY_MD_MD5, k5_data, L40, 14, key_data, key_size)) { + return 0; + } memset(&k5_data[7], 0xAB, 9); } else { - md5_hmac(T, 4, key_data, key_size, k5_data); + if (ws_hmac_buffer(GCRY_MD_MD5, k5_data, T, 4, key_data, key_size)) { + return 0; + } } - md5_hmac(cksum_data, cksum_size, k5_data, 16, key6_data); - + if (ws_hmac_buffer(GCRY_MD_MD5, key6_data, cksum_data, cksum_size, k5_data, HASH_MD5_LENGTH)) { + return 0; + } return 0; } @@ -831,26 +831,35 @@ arcfour_mic_cksum(guint8 *key_data, int key_length, const guint8 *v3, size_t l3) { static const guint8 signature[] = "signaturekey"; - guint8 ksign_c[16]; + guint8 ksign_c[HASH_MD5_LENGTH]; guint8 t[4]; - md5_state_t ms; - guint8 digest[16]; + guint8 digest[HASH_MD5_LENGTH]; int rc4_usage; - guint8 cksum[16]; + guint8 cksum[HASH_MD5_LENGTH]; + gcry_md_hd_t md5_handle; rc4_usage=usage2arcfour(usage); - md5_hmac(signature, sizeof(signature), key_data, key_length, ksign_c); - md5_init(&ms); + if (ws_hmac_buffer(GCRY_MD_MD5, ksign_c, signature, sizeof(signature), key_data, key_length)) { + return 0; + } + + if (gcry_md_open(&md5_handle, GCRY_MD_MD5, 0)) { + return 0; + } t[0] = (rc4_usage >> 0) & 0xFF; t[1] = (rc4_usage >> 8) & 0xFF; t[2] = (rc4_usage >> 16) & 0xFF; t[3] = (rc4_usage >> 24) & 0xFF; - md5_append(&ms, t, 4); - md5_append(&ms, v1, l1); - md5_append(&ms, v2, l2); - md5_append(&ms, v3, l3); - md5_finish(&ms, digest); - md5_hmac(digest, 16, ksign_c, 16, cksum); + gcry_md_write(md5_handle, t, 4); + gcry_md_write(md5_handle, v1, l1); + gcry_md_write(md5_handle, v2, l2); + gcry_md_write(md5_handle, v3, l3); + memcpy(digest, gcry_md_read(md5_handle, 0), HASH_MD5_LENGTH); + gcry_md_close(md5_handle); + + if (ws_hmac_buffer(GCRY_MD_MD5, cksum, digest, HASH_MD5_LENGTH, ksign_c, HASH_MD5_LENGTH)) { + return 0; + } memcpy(sgn_cksum, cksum, 8); @@ -898,7 +907,7 @@ decrypt_arcfour(gssapi_encrypt_info_t* gssapi_encrypt, guint8 *input_message_buf int cmp; int conf_flag; int padlen = 0; - rc4_state_struct rc4_state; + gcry_cipher_hd_t rc4_handle; int i; datalen = tvb_captured_length(gssapi_encrypt->gssapi_encrypted_tvb); @@ -923,9 +932,16 @@ decrypt_arcfour(gssapi_encrypt_info_t* gssapi_encrypt, guint8 *input_message_buf return -5; } - crypt_rc4_init(&rc4_state, k6_data, sizeof(k6_data)); tvb_memcpy(gssapi_encrypt->gssapi_wrap_tvb, SND_SEQ, 8, 8); - crypt_rc4(&rc4_state, (guint8 *)SND_SEQ, 8); + if (gcry_cipher_open (&rc4_handle, GCRY_CIPHER_ARCFOUR, GCRY_CIPHER_MODE_STREAM, 0)) { + return -12; + } + if (gcry_cipher_setkey(rc4_handle, k6_data, sizeof(k6_data))) { + gcry_cipher_close(rc4_handle); + return -13; + } + gcry_cipher_decrypt(rc4_handle, (guint8 *)SND_SEQ, 8, NULL, 0); + gcry_cipher_close(rc4_handle); memset(k6_data, 0, sizeof(k6_data)); @@ -949,11 +965,18 @@ decrypt_arcfour(gssapi_encrypt_info_t* gssapi_encrypt, guint8 *input_message_buf if(conf_flag) { - crypt_rc4_init(&rc4_state, k6_data, sizeof(k6_data)); tvb_memcpy(gssapi_encrypt->gssapi_wrap_tvb, Confounder, 24, 8); - crypt_rc4(&rc4_state, Confounder, 8); - memcpy(output_message_buffer, input_message_buffer, datalen); - crypt_rc4(&rc4_state, output_message_buffer, datalen); + if (gcry_cipher_open (&rc4_handle, GCRY_CIPHER_ARCFOUR, GCRY_CIPHER_MODE_STREAM, 0)) { + return -14; + } + if (gcry_cipher_setkey(rc4_handle, k6_data, sizeof(k6_data))) { + gcry_cipher_close(rc4_handle); + return -15; + } + + gcry_cipher_decrypt(rc4_handle, Confounder, 8, NULL, 0); + gcry_cipher_decrypt(rc4_handle, output_message_buffer, datalen, input_message_buffer, datalen); + gcry_cipher_close(rc4_handle); } else { tvb_memcpy(gssapi_encrypt->gssapi_wrap_tvb, Confounder, 24, 8); memcpy(output_message_buffer, input_message_buffer, datalen); @@ -1913,7 +1936,7 @@ void proto_register_spnego(void) { NULL, HFILL }}, /*--- End of included file: packet-spnego-hfarr.c ---*/ -#line 1368 "./asn1/spnego/packet-spnego-template.c" +#line 1391 "./asn1/spnego/packet-spnego-template.c" }; /* List of subtrees */ @@ -1936,7 +1959,7 @@ void proto_register_spnego(void) { &ett_spnego_InitialContextToken_U, /*--- End of included file: packet-spnego-ettarr.c ---*/ -#line 1378 "./asn1/spnego/packet-spnego-template.c" +#line 1401 "./asn1/spnego/packet-spnego-template.c" }; static ei_register_info ei[] = { |