[Patch] use glib for digest calculations (was: Re: Sv: Balsa release?)



Hi Pawel:

Am 10.12.16 21:31 schrieb(en) Pawel Salek:
BTW, I have just committed a fix for CRAM-MD5 authentication; I also made balsa compile against openssl-1.1.0. 
You may wish to pull git to check if my balsa coding skills are not too rusty. :)

Oh - that's an interesting change compared to older OpenSSL versions.  I use (on Ubuntu) OpenSSL 1.0.2 which 
*does* work just fine with a static context!

Anyway, glib also has digest and hmac support (which links against gnutls afaik, but of course this doesn't make any 
difference), so we could simplify life by just using those functions.  A patch is attached.  Please note that I do not 
have access to a server using apop or cram-md5, so I just checked that the "extracted" functions provide the 
same results.  A real-life cross-check would be appreciated.

Cheers,
Albrecht.
diff --git a/libbalsa/imap/auth-cram.c b/libbalsa/imap/auth-cram.c
index c29d327..e129b68 100644
--- a/libbalsa/imap/auth-cram.c
+++ b/libbalsa/imap/auth-cram.c
@@ -25,7 +25,6 @@
 #include <stdlib.h>
 #include <string.h>
 #include <glib.h>
-#include <openssl/evp.h>
 
 #include "imap-auth.h"
 #include "util.h"
@@ -34,18 +33,11 @@
 
 #define LONG_STRING 1024
 
-#define MD5_DIGEST_LEN 16
-
-/* forward declarations */
-static void hmac_md5(const char* password, char* challenge,
-                     unsigned char* response);
-
 /* imap_auth_cram_md5: AUTH=CRAM-MD5 support. */
 ImapResult
 imap_auth_cram(ImapMboxHandle* handle)
 {
   char ibuf[LONG_STRING*2], obuf[LONG_STRING];
-  unsigned char hmac_response[MD5_DIGEST_LEN];
   unsigned cmdno;
   int len, rc, ok;
   char *user = NULL, *pass = NULL;
@@ -101,14 +93,8 @@ imap_auth_cram(ImapMboxHandle* handle)
    *   around them when the bug report comes in. Until then, we'll remain
    *   blissfully RFC-compliant.
    */
-  hmac_md5 (pass, obuf, hmac_response);
-  g_snprintf (obuf, sizeof (obuf),
-    "%s %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x",
-    user,
-    hmac_response[0], hmac_response[1], hmac_response[2], hmac_response[3],
-    hmac_response[4], hmac_response[5], hmac_response[6], hmac_response[7],
-    hmac_response[8], hmac_response[9], hmac_response[10], hmac_response[11],
-    hmac_response[12], hmac_response[13], hmac_response[14], hmac_response[15]);
+  g_snprintf (obuf, sizeof (obuf), "%s %s", user,
+       g_compute_hmac_for_string(G_CHECKSUM_MD5, (const guchar *) pass, strlen(pass), obuf, -1));
   /* XXX - ibuf must be long enough to store the base64 encoding of obuf, 
    * plus the additional debris
    */
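Review bot: The string returned by `g_compute_hmac_for_string()` inside the new `g_snprintf` call is never freed; GLib documents the return value as newly allocated, so every CRAM-MD5 attempt leaks the hex response digest on the heap. Hold it in a local and release it: `gchar *digest = g_compute_hmac_for_string(G_CHECKSUM_MD5, (const guchar *) pass, strlen(pass), obuf, -1);`, then `g_snprintf (obuf, sizeof (obuf), "%s %s", user, digest);` and `g_free(digest);`. Splitting the calls also makes it explicit that the HMAC over the challenge in `obuf` is computed before `obuf` is overwritten. imap_auth_cram starts and ends outside this hunk, so whether `pass` can still be NULL at `strlen(pass)` cannot be confirmed from here.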
@@ -124,53 +110,3 @@ imap_auth_cram(ImapMboxHandle* handle)
 
   return rc == IMR_OK ? IMAP_SUCCESS : IMAP_AUTH_FAILURE;
 }
-
-/* hmac_md5: produce CRAM-MD5 challenge response. */
-#define MD5_BLOCK_LEN  64
-static void
-hmac_md5 (const char* password, char* challenge,
-          unsigned char* response)
-{  
-  EVP_MD_CTX *ctx = EVP_MD_CTX_create();
-  unsigned char ipad[MD5_BLOCK_LEN], opad[MD5_BLOCK_LEN];
-  unsigned char secret[MD5_BLOCK_LEN+1];
-  unsigned int secret_len, chal_len;
-  int i;
-
-  secret_len = strlen(password);
-  chal_len = strlen(challenge);
-
-  /* passwords longer than MD5_BLOCK_LEN bytes are substituted with their MD5
-   * digests */
-  if (secret_len > MD5_BLOCK_LEN) {
-       EVP_DigestInit(ctx, EVP_md5());
-       EVP_DigestUpdate(ctx, (const unsigned char*) password, secret_len);
-       EVP_DigestFinal(ctx, secret, &secret_len);
-  }
-  else
-    strncpy ((char *) secret, password, sizeof (secret));
-
-  memset (ipad, 0, sizeof(ipad));
-  memset (opad, 0, sizeof(opad));
-  memcpy (ipad, secret, secret_len);
-  memcpy (opad, secret, secret_len);
-
-  for (i=0; i<MD5_BLOCK_LEN; i++) {
-    ipad[i] ^= 0x36;
-    opad[i] ^= 0x5c;
-  }
-
-  /* inner hash: challenge and ipadded secret */
-  EVP_DigestInit(ctx, EVP_md5());
-  EVP_DigestUpdate(ctx, ipad, MD5_BLOCK_LEN);
-  EVP_DigestUpdate(ctx, (unsigned char*) challenge, chal_len);
-  EVP_DigestFinal(ctx, response, NULL);
-
-  /* outer hash: inner hash and opadded secret */
-  EVP_DigestInit(ctx, EVP_md5());
-  EVP_DigestUpdate(ctx, opad, MD5_BLOCK_LEN);
-  EVP_DigestUpdate(ctx, response, MD5_DIGEST_LEN);
-  EVP_DigestFinal(ctx, response, NULL);
-
-  EVP_MD_CTX_destroy(ctx);
-}
diff --git a/libbalsa/imap/pop3.c b/libbalsa/imap/pop3.c
index a72ce61..de52327 100644
--- a/libbalsa/imap/pop3.c
+++ b/libbalsa/imap/pop3.c
@@ -28,7 +28,6 @@
 #include <unistd.h>
 
 #include <openssl/ssl.h>
-#include <openssl/evp.h>
 #include <openssl/err.h>
 
 #include "pop3.h"
@@ -310,26 +309,13 @@ get_apop_stamp(const char *greeting, char *stamp)
 static void
 compute_auth_hash(char *stamp, char *hash, const char *passwd)
 {
-  EVP_MD_CTX* ctx = EVP_MD_CTX_create();
-  register unsigned char *dp;
-  register char *cp;
-  unsigned char *ep;
-  unsigned char digest[16];
-  
-  EVP_DigestInit(ctx, EVP_md5());
-  EVP_DigestUpdate(ctx, stamp, strlen(stamp));
-  EVP_DigestUpdate(ctx, passwd, strlen(passwd));
-  EVP_DigestFinal(ctx, digest, NULL);
-  EVP_MD_CTX_destroy(ctx);
-  
-  cp = hash;
-  dp = digest;
-  for(ep = dp + sizeof(digest)/sizeof(digest[0]); dp < ep; cp += 2) {
-    sprintf(cp, "%02x", *dp);
-    dp++;
-  }
-    
-  *cp = '\0';
+       GChecksum *ctx;
+
+       ctx = g_checksum_new(G_CHECKSUM_MD5);
+       g_checksum_update(ctx, (const guchar *) stamp, -1);
+       g_checksum_update(ctx, (const guchar *) passwd, -1);
+       strncpy(hash, g_checksum_get_string(ctx), POP_LINE_LEN);
+       g_checksum_free(ctx);
 }
 
 static ImapResult
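Review bot: `strncpy(hash, g_checksum_get_string(ctx), POP_LINE_LEN)` in compute_auth_hash always writes POP_LINE_LEN bytes, because strncpy zero-pads the destination, whereas the removed loop wrote exactly 33 (32 hex digits plus the terminator). If any caller passes a `hash` buffer smaller than POP_LINE_LEN this turns into an out-of-bounds write; the callers are outside the hunk, so that needs checking. Copying only the digest removes the dependency, e.g. `g_strlcpy(hash, g_checksum_get_string(ctx), 33);`, and a comment such as `/* hash must hold at least 33 bytes: 32 hex digits + NUL */` above the function would record the contract.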

Attachment: pgpAUss2323fB.pgp
Description: PGP signature


