diff -Naur mod_auth_xradius-0.4.6.old/configure.ac mod_auth_xradius-0.4.6/configure.ac
--- mod_auth_xradius-0.4.6.old/configure.ac 2012-07-13 16:14:18.597720284 +0200
+++ mod_auth_xradius-0.4.6/configure.ac 2012-07-13 16:15:15.348824052 +0200
@@ -35,6 +35,17 @@
MODULE_CFLAGS="${LIBRADIUS_CFLAGS} ${APR_MEMCACHE_CFLAGS} ${APXS_CFLAGS} ${AP_INCLUDES} ${APR_INCLUDES} ${APU_INCLUDES}"
MODULE_LIBS="${APR_MEMCACHE_LIBS}"
+dnl NSS_InitContext() was introduced in NSS 3.12.5 and helps to prevent
+dnl collisions on NSS initialization/shutdown with other libraries
+LIBS="$LIBS -lnss3"
+AC_CHECK_FUNC(NSS_InitContext,
+[
+ AC_DEFINE(HAVE_NSS_INITCONTEXT, 1, [if you have the NSS_InitContext function])
+ AC_SUBST(HAVE_NSS_INITCONTEXT, [1])
+],
+AC_MSG_ERROR([Missing NSS_InitContext]))
+
+
AC_SUBST(MODULE_CFLAGS)
AC_SUBST(MODULE_LIBS)
diff -Naur mod_auth_xradius-0.4.6.old/libradius/porting.h mod_auth_xradius-0.4.6/libradius/porting.h
--- mod_auth_xradius-0.4.6.old/libradius/porting.h 2012-07-13 16:14:18.599720322 +0200
+++ mod_auth_xradius-0.4.6/libradius/porting.h 2012-07-13 16:14:36.172062002 +0200
@@ -15,7 +15,7 @@
#else
-#include "md5.h"
+#include "sechash.h"
#define MD5_DIGEST_LENGTH 16
#define MD5Final xrad_MD5Final
#define MD5Init xrad_MD5Init
diff -Naur mod_auth_xradius-0.4.6.old/libradius/radlib.c mod_auth_xradius-0.4.6/libradius/radlib.c
--- mod_auth_xradius-0.4.6.old/libradius/radlib.c 2012-07-13 16:14:18.599720322 +0200
+++ mod_auth_xradius-0.4.6/libradius/radlib.c 2012-07-13 16:15:15.349824040 +0200
@@ -40,6 +40,7 @@
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
+#include <nss3/nss.h>
#include "porting.h"
#include "radlib_private.h"
@@ -87,6 +88,24 @@
}
#endif
+static NSSInitContext *xrad_nss_init(void)
+{
+ NSSInitContext *nctx = NULL;
+ NSSInitParameters initparams;
+
+ memset((void *) &initparams, '\0', sizeof(initparams));
+ initparams.length = sizeof(initparams);
+
+ return NSS_InitContext("", "", "", "", &initparams,
+ NSS_INIT_READONLY
+ | NSS_INIT_NOCERTDB
+ | NSS_INIT_NOMODDB
+ | NSS_INIT_FORCEOPEN
+ | NSS_INIT_NOROOTINIT
+ | NSS_INIT_OPTIMIZESPACE
+ | NSS_INIT_PK11RELOAD);
+}
+
static void
clear_password(struct xrad_handle *h)
{
@@ -110,24 +129,32 @@
static void
insert_scrambled_password(struct xrad_handle *h, int srv)
{
- MD5_CTX ctx;
+ NSSInitContext *nctx;
+ HASHContext *md5_ctx;
unsigned char md5[MD5_DIGEST_LENGTH];
const struct xrad_server *srvp;
int padded_len;
int pos;
+ unsigned int len;
srvp = &h->servers[srv];
padded_len = h->pass_len == 0 ? 16 : (h->pass_len+15) & ~0xf;
+ nctx = xrad_nss_init();
+ md5_ctx = HASH_Create(HASH_AlgMD5);
+
memcpy(md5, &h->request[POS_AUTH], LEN_AUTH);
for (pos = 0; pos < padded_len; pos += 16) {
int i;
/* Calculate the new scrambler */
- MD5Init(&ctx);
- MD5Update(&ctx, srvp->secret, strlen(srvp->secret));
- MD5Update(&ctx, md5, 16);
- MD5Final(md5, &ctx);
+ HASH_Begin(md5_ctx);
+ HASH_Update(md5_ctx,
+ (const unsigned char *)srvp->secret,
+ strlen(srvp->secret));
+ HASH_Update(md5_ctx, md5, 16);
+ HASH_End(md5_ctx, md5, &len, sizeof(md5));
+
/*
* Mix in the current chunk of the password, and copy
@@ -139,24 +166,43 @@
h->request[h->pass_pos + pos + i] =
md5[i] ^= h->pass[pos + i];
}
+
+ HASH_Destroy(md5_ctx);
+
+ NSS_ShutdownContext(nctx);
}
static void
insert_request_authenticator(struct xrad_handle *h, int srv)
{
- MD5_CTX ctx;
+ NSSInitContext *nctx;
+ HASHContext *md5_ctx;
const struct xrad_server *srvp;
+ unsigned int len;
srvp = &h->servers[srv];
/* Create the request authenticator */
- MD5Init(&ctx);
- MD5Update(&ctx, &h->request[POS_CODE], POS_AUTH - POS_CODE);
- apr_generate_random_bytes(&h->request[POS_AUTH], LEN_AUTH);
- MD5Update(&ctx, &h->request[POS_AUTH], LEN_AUTH);
- MD5Update(&ctx, &h->request[POS_ATTRS], h->req_len - POS_ATTRS);
- MD5Update(&ctx, srvp->secret, strlen(srvp->secret));
- MD5Final(&h->request[POS_AUTH], &ctx);
+ nctx = xrad_nss_init();
+ md5_ctx = HASH_Create(HASH_AlgMD5);
+
+ HASH_Begin(md5_ctx);
+ HASH_Update(md5_ctx, &h->request[POS_CODE], POS_AUTH - POS_CODE);
+ apr_generate_random_bytes(&h->request[POS_AUTH], LEN_AUTH);
+ HASH_Update(md5_ctx,
+ (const unsigned char *)&h->request[POS_AUTH],
+ LEN_AUTH);
+ HASH_Update(md5_ctx,
+ (const unsigned char *)&h->request[POS_ATTRS],
+ h->req_len - POS_ATTRS);
+ HASH_Update(md5_ctx,
+ (const unsigned char *)srvp->secret,
+ strlen(srvp->secret));
+ HASH_End(md5_ctx, &h->request[POS_AUTH], &len, sizeof(h->request[POS_AUTH]));
+
+ HASH_Destroy(md5_ctx);
+
+ NSS_ShutdownContext(nctx);
}
static void
@@ -192,10 +238,12 @@
is_valid_response(struct xrad_handle *h, int srv,
const struct sockaddr_in *from)
{
- MD5_CTX ctx;
+ NSSInitContext *nctx;
+ HASHContext *md5_ctx;
unsigned char md5[MD5_DIGEST_LENGTH];
const struct xrad_server *srvp;
int len;
+ unsigned int hash_len;
#ifdef WITH_SSL
HMAC_CTX hctx;
u_char resp[MSGSIZE], md[EVP_MAX_MD_SIZE];
@@ -218,12 +266,19 @@
return 0;
/* Check the response authenticator */
- MD5Init(&ctx);
- MD5Update(&ctx, &h->response[POS_CODE], POS_AUTH - POS_CODE);
- MD5Update(&ctx, &h->request[POS_AUTH], LEN_AUTH);
- MD5Update(&ctx, &h->response[POS_ATTRS], len - POS_ATTRS);
- MD5Update(&ctx, srvp->secret, strlen(srvp->secret));
- MD5Final(md5, &ctx);
+ nctx = xrad_nss_init();
+ md5_ctx = HASH_Create(HASH_AlgMD5);
+ HASH_Begin(md5_ctx);
+ HASH_Update(md5_ctx, &h->response[POS_CODE], POS_AUTH - POS_CODE);
+ HASH_Update(md5_ctx, &h->request[POS_AUTH], LEN_AUTH);
+ HASH_Update(md5_ctx, &h->response[POS_ATTRS], len - POS_ATTRS);
+ HASH_Update(md5_ctx,
+ (const unsigned char *)srvp->secret,
+ strlen(srvp->secret));
+ HASH_End(md5_ctx, md5, &hash_len, sizeof(md5));
+ HASH_Destroy(md5_ctx);
+ NSS_ShutdownContext(nctx);
+
if (memcmp(&h->response[POS_AUTH], md5, sizeof md5) != 0)
return 0;
@@ -1128,7 +1183,9 @@
char R[LEN_AUTH];
const char *S;
int i, Ppos;
- MD5_CTX Context;
+ int hash_len;
+ NSSInitContext *nctx;
+ HASHContext *md5_ctx;
u_char b[MD5_DIGEST_LENGTH], *C, *demangled;
if ((mlen % 16 != 0) || mlen > 128) {
@@ -1152,10 +1209,14 @@
if (!demangled)
return NULL;
- MD5Init(&Context);
- MD5Update(&Context, S, strlen(S));
- MD5Update(&Context, R, LEN_AUTH);
- MD5Final(b, &Context);
+ nctx = xrad_nss_init();
+ md5_ctx = HASH_Create(HASH_AlgMD5);
+ HASH_Begin(md5_ctx);
+ HASH_Update(md5_ctx, S, strlen(S));
+ HASH_Update(md5_ctx, R, LEN_AUTH);
+ HASH_End(md5_ctx, b, &hash_len, sizeof(b));
+ HASH_Destroy(md5_ctx);
+
Ppos = 0;
while (mlen) {
@@ -1164,15 +1225,19 @@
demangled[Ppos++] = C[i] ^ b[i];
if (mlen) {
- MD5Init(&Context);
- MD5Update(&Context, S, strlen(S));
- MD5Update(&Context, C, 16);
- MD5Final(b, &Context);
+ md5_ctx = HASH_Create(HASH_AlgMD5);
+ HASH_Begin(md5_ctx);
+ HASH_Update(md5_ctx, S, strlen(S));
+ HASH_Update(md5_ctx, C, 16);
+ HASH_End(md5_ctx, b, &hash_len, sizeof(b));
+ HASH_Destroy(md5_ctx);
}
C += 16;
}
+ NSS_ShutdownContext(nctx);
+
return demangled;
}
@@ -1184,9 +1249,11 @@
const char *S;
u_char b[MD5_DIGEST_LENGTH], *demangled;
const u_char *A, *C;
- MD5_CTX Context;
+ NSSInitContext *nctx;
+ HASHContext *md5_ctx;
int Slen, i, Clen, Ppos;
u_char *P;
+ unsigned int hash_len;
if (mlen % 16 != SALT_LEN) {
generr(h, "Cannot interpret mangled data of length %lu",
@@ -1207,11 +1274,15 @@
Slen = strlen(S);
P = alloca(Clen); /* We derive our plaintext */
- MD5Init(&Context);
- MD5Update(&Context, S, Slen);
- MD5Update(&Context, R, LEN_AUTH);
- MD5Update(&Context, A, SALT_LEN);
- MD5Final(b, &Context);
+ nctx = xrad_nss_init();
+ md5_ctx = HASH_Create(HASH_AlgMD5);
+ HASH_Begin(md5_ctx);
+ HASH_Update(md5_ctx, S, Slen);
+ HASH_Update(md5_ctx, R, LEN_AUTH);
+ HASH_Update(md5_ctx, A, SALT_LEN);
+ HASH_End(md5_ctx, b, &hash_len, sizeof(b));
+ HASH_Destroy(md5_ctx);
+
Ppos = 0;
while (Clen) {
@@ -1221,15 +1292,20 @@
P[Ppos++] = C[i] ^ b[i];
if (Clen) {
- MD5Init(&Context);
- MD5Update(&Context, S, Slen);
- MD5Update(&Context, C, 16);
- MD5Final(b, &Context);
+ md5_ctx = HASH_Create(HASH_AlgMD5);
+ HASH_Begin(md5_ctx);
+ HASH_Update(md5_ctx, S, Slen);
+ HASH_Update(md5_ctx, C, 16);
+ HASH_Update(md5_ctx, A, SALT_LEN);
+ HASH_End(md5_ctx, b, &hash_len, sizeof(b));
+ HASH_Destroy(md5_ctx);
}
C += 16;
}
+ NSS_ShutdownContext(nctx);
+
/*
* The resulting plain text consists of a one-byte length, the text and
* maybe some padding.
diff -Naur mod_auth_xradius-0.4.6.old/Makefile.am mod_auth_xradius-0.4.6/Makefile.am
--- mod_auth_xradius-0.4.6.old/Makefile.am 2012-07-13 16:14:18.598720303 +0200
+++ mod_auth_xradius-0.4.6/Makefile.am 2012-07-13 16:14:36.179062137 +0200
@@ -24,12 +24,11 @@
apachemoddir=${AP_LIBEXECDIR}
lib_LTLIBRARIES = libxradius.la
-libxradius_la_SOURCES = libradius/radlib.c libradius/md5c.c
-libxradius_la_CFLAGS = ${MODULE_CFLAGS}
-libxradius_la_LDFLAGS = ${MODULE_LIBS}
+libxradius_la_SOURCES = libradius/radlib.c
+libxradius_la_CFLAGS = ${MODULE_CFLAGS} -I${includedir}/nss3 -I${includedir}/nspr4
+libxradius_la_LDFLAGS = ${MODULE_LIBS} -lnss3 -lnspr4
include_HEADERS = \
- libradius/md5.h \
libradius/porting.h \
libradius/radlib.h \
libradius/radlib_private.h \