From: Ryan Tandy Date: Mon, 30 Jun 2014 18:02:15 +0000 (-0700) Subject: ITS#7877 use nettle instead of gcrypt X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=829027945f0d6b03283e55530443d55272763838;p=openldap ITS#7877 use nettle instead of gcrypt --- diff --git a/contrib/slapd-modules/smbk5pwd/smbk5pwd.c b/contrib/slapd-modules/smbk5pwd/smbk5pwd.c index 075ce88801..459ce0ce9f 100644 --- a/contrib/slapd-modules/smbk5pwd/smbk5pwd.c +++ b/contrib/slapd-modules/smbk5pwd/smbk5pwd.c @@ -66,7 +66,8 @@ static ObjectClass *oc_krb5KDCEntry; #ifdef DO_SAMBA #ifdef HAVE_GNUTLS -#include +#include +#include typedef unsigned char DES_cblock[8]; #elif HAVE_OPENSSL #include @@ -193,11 +194,7 @@ static void lmhash( #ifdef HAVE_OPENSSL DES_key_schedule schedule; #elif defined(HAVE_GNUTLS) - gcry_cipher_hd_t h = NULL; - gcry_error_t err; - - err = gcry_cipher_open( &h, GCRY_CIPHER_DES, GCRY_CIPHER_MODE_CBC, 0 ); - if ( err ) return; + struct des_ctx ctx; #endif strncpy( UcasePassword, passwd->bv_val, 14 ); @@ -206,19 +203,12 @@ static void lmhash( lmPasswd_to_key( UcasePassword, &key ); #ifdef HAVE_GNUTLS - err = gcry_cipher_setkey( h, &key, sizeof(key) ); - if ( err == 0 ) { - err = gcry_cipher_encrypt( h, &hbuf[0], sizeof(key), &StdText, sizeof(key) ); - if ( err == 0 ) { - gcry_cipher_reset( h ); - lmPasswd_to_key( &UcasePassword[7], &key ); - err = gcry_cipher_setkey( h, &key, sizeof(key) ); - if ( err == 0 ) { - err = gcry_cipher_encrypt( h, &hbuf[1], sizeof(key), &StdText, sizeof(key) ); - } - } - gcry_cipher_close( h ); - } + des_set_key( &ctx, &key ); + des_encrypt( &ctx, sizeof(key), &hbuf[0], &StdText ); + + lmPasswd_to_key( &UcasePassword[7], &key ); + des_set_key( &ctx, &key ); + des_encrypt( &ctx, sizeof(key), &hbuf[1], &StdText ); #elif defined(HAVE_OPENSSL) des_set_key_unchecked( &key, schedule ); des_ecb_encrypt( &StdText, &hbuf[0], schedule , DES_ENCRYPT ); @@ -243,6 +233,8 @@ static void nthash( char hbuf[HASHLEN]; #ifdef HAVE_OPENSSL MD4_CTX ctx; +#elif defined(HAVE_GNUTLS) + struct md4_ctx ctx; #endif if (passwd->bv_len > MAX_PWLEN*2) @@ -253,7 +245,9 @@ static void nthash( MD4_Update( &ctx, passwd->bv_val, passwd->bv_len ); MD4_Final( (unsigned char *)hbuf, &ctx ); #elif defined(HAVE_GNUTLS) - gcry_md_hash_buffer(GCRY_MD_MD4, hbuf, passwd->bv_val, passwd->bv_len ); + md4_init( &ctx ); + md4_update( &ctx, passwd->bv_len, passwd->bv_val ); + md4_digest( &ctx, sizeof(hbuf), (unsigned char *)hbuf ); #endif hexify( hbuf, hash ); diff --git a/libraries/libldap/tls_g.c b/libraries/libldap/tls_g.c index ee83b5cd44..4ee683c436 100644 --- a/libraries/libldap/tls_g.c +++ b/libraries/libldap/tls_g.c @@ -43,19 +43,11 @@ #include #include -#include #if LIBGNUTLS_VERSION_NUMBER >= 0x020200 #define HAVE_CIPHERSUITES 1 -/* This is a kludge. gcrypt 1.4.x has support. Recent GnuTLS requires gcrypt 1.4.x - * but that dependency isn't reflected in their configure script, resulting in - * build errors on older gcrypt. So, if they have a working build environment, - * assume gcrypt is new enough. - */ -#define HAVE_GCRYPT_RAND 1 #else #undef HAVE_CIPHERSUITES -#undef HAVE_GCRYPT_RAND #endif #ifndef HAVE_CIPHERSUITES @@ -143,20 +135,13 @@ tlsg_mutex_unlock( void **lock ) return ldap_pvt_thread_mutex_unlock( *lock ); } -static struct gcry_thread_cbs tlsg_thread_cbs = { - GCRY_THREAD_OPTION_USER, - NULL, - tlsg_mutex_init, - tlsg_mutex_destroy, - tlsg_mutex_lock, - tlsg_mutex_unlock, - NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL -}; - static void tlsg_thr_init( void ) { - gcry_control (GCRYCTL_SET_THREAD_CBS, &tlsg_thread_cbs); + gnutls_global_set_mutex (tlsg_mutex_init, + tlsg_mutex_destroy, + tlsg_mutex_lock, + tlsg_mutex_unlock); } #endif /* LDAP_R_COMPILE */ @@ -166,17 +151,6 @@ tlsg_thr_init( void ) static int tlsg_init( void ) { -#ifdef HAVE_GCRYPT_RAND - struct ldapoptions *lo = LDAP_INT_GLOBAL_OPT(); - if ( lo->ldo_tls_randfile && - gcry_control( GCRYCTL_SET_RNDEGD_SOCKET, lo->ldo_tls_randfile )) { - Debug( LDAP_DEBUG_ANY, - "TLS: gcry_control GCRYCTL_SET_RNDEGD_SOCKET failed\n", - 0, 0, 0); - return -1; - } -#endif - gnutls_global_init(); #ifndef HAVE_CIPHERSUITES