use OpenSSL for MD5 and random numbers

kravietz · May 3, 2016 · 789cf4a · 789cf4a
1 parent eba8d70
commit 789cf4a
Show file tree

Hide file tree

Showing 6 changed files with 56 additions and 15 deletions.
diff --git a/configure.ac b/configure.ac
@@ -14,7 +14,7 @@ AC_PREREQ(2.59)
 AC_COPYRIGHT([
 See the included file: COPYING for copyright information.
 ])
-AC_INIT(pam_tacplus, 1.3.9, [jeroen@jeroennijhof.nl,pawel.krawczyk@hush.com])
+AC_INIT(pam_tacplus, 1.4.0, [jeroen@jeroennijhof.nl,pawel.krawczyk@hush.com])
 
 AC_CONFIG_AUX_DIR(config)
 AM_INIT_AUTOMAKE([foreign])
@@ -35,6 +35,8 @@ dnl --------------------------------------------------------------------
 dnl Checks for libraries.
 AC_CHECK_LIB(pam, pam_start)
 AC_CHECK_LIB(tac, tac_connect)
+AC_CHECK_LIB(crypto, MD5_Init)
+AC_CHECK_LIB(crypto, RAND_pseudo_bytes)
 
 case "$host" in
 	sparc-* | sparc64-*)
@@ -44,7 +46,7 @@ esac
 dnl --------------------------------------------------------------------
 dnl Checks for header files.
 AC_HEADER_STDC
-AC_CHECK_HEADERS([arpa/inet.h fcntl.h netdb.h netinet/in.h stdlib.h string.h strings.h sys/socket.h sys/time.h syslog.h unistd.h])
+AC_CHECK_HEADERS([arpa/inet.h fcntl.h netdb.h netinet/in.h stdlib.h string.h strings.h sys/socket.h sys/time.h syslog.h unistd.h openssl/md5.h openssl/rand.h])
 AC_CHECK_HEADER(security/pam_appl.h, [], [AC_MSG_ERROR([PAM libraries missing. Install with "yum install pam-devel" or "apt-get install libpam-dev".])] )
 
 dnl --------------------------------------------------------------------

diff --git a/libtac/lib/crypt.c b/libtac/lib/crypt.c
@@ -21,7 +21,16 @@
 
 #include "libtac.h"
 #include "xalloc.h"
-#include "md5.h"
+
+#ifdef HAVE_CONFIG_H
+  #include "config.h"
+#endif
+
+#if defined(HAVE_OPENSSL_MD5_H) && defined(HAVE_LIBCRYPTO)
+# include <openssl/md5.h>
+#else
+# include "md5.h"
+#endif
 
 /* Produce MD5 pseudo-random pad for TACACS+ encryption.
    Use data from packet header and secret, which
@@ -37,9 +46,9 @@ u_char *_tac_md5_pad(int len, HDR *hdr)  {
     /* make pseudo pad */
     n = (int)(len/16)+1;  /* number of MD5 runs */
     bufsize = sizeof(hdr->session_id) + strlen(tac_secret) + sizeof(hdr->version)
-        + sizeof(hdr->seq_no) + MD5_LEN + 10;
+        + sizeof(hdr->seq_no) + MD5_LBLOCK + 10;
     buf = (u_char *) xcalloc(1, bufsize);
-    pad = (u_char *) xcalloc(n, MD5_LEN);
+    pad = (u_char *) xcalloc(n, MD5_LBLOCK);
 
     for (i=0; i<n; i++) {
         /* MD5_1 = MD5{session_id, secret, version, seq_no}
@@ -58,15 +67,15 @@ u_char *_tac_md5_pad(int len, HDR *hdr)  {
 
         /* append previous pad if this is not the first run */
         if (i) {
-            bcopy(pad+((i-1)*MD5_LEN), buf+bp, MD5_LEN);
-            bp+=MD5_LEN;
+            bcopy(pad+((i-1)*MD5_LBLOCK), buf+bp, MD5_LBLOCK);
+            bp+=MD5_LBLOCK;
         }
 
-        MD5Init(&mdcontext);
-        MD5Update(&mdcontext, buf, bp);
-        MD5Final(pad+pp, &mdcontext);
+        MD5_Init(&mdcontext);
+        MD5_Update(&mdcontext, buf, bp);
+        MD5_Final(pad+pp, &mdcontext);
 
-        pp += MD5_LEN;
+        pp += MD5_LBLOCK;
     }
 
     free(buf);

diff --git a/libtac/lib/header.c b/libtac/lib/header.c
@@ -21,7 +21,16 @@
 
 #include "libtac.h"
 #include "xalloc.h"
-#include "magic.h"
+
+#ifdef HAVE_CONFIG_H
+  #include "config.h"
+#endif
+
+#if defined(HAVE_OPENSSL_RAND_H) && defined(HAVE_LIBCRYPTO)
+# include <openssl/rand.h>
+#else
+# include "magic.h"
+#endif
 
 /* Miscellaneous variables that are global, because we need
  * store their values between different functions and connections.
@@ -72,8 +81,13 @@ HDR *_tac_req_header(u_char type, int cont_session) {
     th->encryption=TAC_PLUS_ENCRYPTED_FLAG;
 
     /* make session_id from pseudo-random number */
-    if (!cont_session)
+    if (!cont_session) {
+#if defined(HAVE_OPENSSL_RAND_H) && defined(HAVE_LIBCRYPTO)
+        RAND_pseudo_bytes((unsigned char *) &session_id, sizeof(session_id));
+#else
         session_id = magic();
+#endif
+    }
     th->session_id = htonl(session_id);
 
     return th;

diff --git a/libtac/lib/magic.c b/libtac/lib/magic.c
@@ -18,6 +18,13 @@
  * See `CHANGES' file for revision history.
  */
 
+#ifdef HAVE_CONFIG_H
+  #include "config.h"
+#endif
+
+/* if OpenSSL library is available this legacy code will not be compiled in */
+#if !defined(HAVE_OPENSSL_RAND_H) && !defined(HAVE_LIBCRYPTO)
+
 #include <stdio.h>
 #include <stdlib.h>
 #include <sys/types.h>
@@ -77,3 +84,4 @@ magic()
     return (u_int32_t)random();
 }
 
+#endif
diff --git a/libtac/lib/md5.c b/libtac/lib/md5.c
@@ -18,6 +18,13 @@
  * See `CHANGES' file for revision history.
  */
 
+#ifdef HAVE_CONFIG_H
+  #include "config.h"
+#endif
+
+/* if OpenSSL library is available this legacy code will not be compiled in */
+#if !defined(HAVE_OPENSSL_MD5_H) && !defined(HAVE_LIBCRYPTO)
+
 #include <string.h>
 #include "md5.h"
 
@@ -263,3 +270,4 @@ static void Transform ( UINT4 *buf, UINT4 *in) {
     buf[3] += d;
 }
 
+#endif
diff --git a/libtac/lib/version.c b/libtac/lib/version.c
@@ -20,5 +20,5 @@
  */
 
 int tac_ver_major = 1;
-int tac_ver_minor = 8;
-int tac_ver_patch = 1; /* patchlevel */
+int tac_ver_minor = 9;
+int tac_ver_patch = 0; /* patchlevel */