mirrors
/
FreeRDP
mirror of https://github.com/FreeRDP/FreeRDP
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Make the new winpr_Digest*MD5_Allow_FIPS functions more generic to no longer be MD5 specific in design. This way the FIPS override 

could easily be extended to more digests in the future. For now, an attempt to use these functions with anything other than MD5 will
not work.
This commit is contained in:
Brent Collins 2017-04-12 14:03:20 -05:00 committed by Armin Novak
parent e21f9e359b
commit 9ca9df1ead
4 changed files with 19 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
libfreerdp/core/license.c
View File

@ -427,7 +427,7 @@ BOOL license_generate_hwid(rdpLicense* license)
/* Allow FIPS override for use of MD5 here, really this does not have to be MD5 as we are just taking a MD5 hash of the 6 bytes of 0's(macAddress) */
/* and filling in the Data1-Data4 fields of the CLIENT_HARDWARE_ID structure(from MS-RDPELE section 2.2.2.3.1). This is for RDP licensing packets */
/* which will already be encrypted under FIPS, so the use of MD5 here is not for sensitive data protection. */
if (!winpr_Digest_MD5_Allow_FIPS(macAddress, sizeof(macAddress), &license->HardwareId[HWID_PLATFORM_ID_LENGTH], WINPR_MD5_DIGEST_LENGTH))
if (!winpr_Digest_Allow_FIPS(WINPR_MD_MD5, macAddress, sizeof(macAddress), &license->HardwareId[HWID_PLATFORM_ID_LENGTH], WINPR_MD5_DIGEST_LENGTH))
return FALSE;
return TRUE;

6
libfreerdp/core/security.c
View File

@ -156,7 +156,7 @@ static BOOL security_salted_hash(const BYTE* salt, const BYTE* input, int length
/* Allow FIPS override for use of MD5 here, this is used for creating hashes of the premaster_secret and master_secret */
/* used for RDP licensing as described in MS-RDPELE. This is for RDP licensing packets */
/* which will already be encrypted under FIPS, so the use of MD5 here is not for sensitive data protection. */
if (!winpr_Digest_Init_MD5_Allow_FIPS(md5))
if (!winpr_Digest_Init_Allow_FIPS(md5, WINPR_MD_MD5))
goto out;
if (!winpr_Digest_Update(md5, salt, 48)) /* Salt (48 bytes) */
goto out;
@ -242,7 +242,7 @@ BOOL security_md5_16_32_32_Allow_FIPS(const BYTE* in0, const BYTE* in1, const BY
if (!(md5 = winpr_Digest_New()))
return FALSE;
if (!winpr_Digest_Init_MD5_Allow_FIPS(md5))
if (!winpr_Digest_Init_Allow_FIPS(md5, WINPR_MD_MD5))
goto out;
if (!winpr_Digest_Update(md5, in0, 16))
goto out;
@ -312,7 +312,7 @@ BOOL security_mac_data(const BYTE* mac_salt_key, const BYTE* data, UINT32 length
/* Allow FIPS override for use of MD5 here, this is only used for creating the MACData field of the */
/* Client Platform Challenge Response packet (from MS-RDPELE section 2.2.2.5). This is for RDP licensing packets */
/* which will already be encrypted under FIPS, so the use of MD5 here is not for sensitive data protection. */
if (!winpr_Digest_Init_MD5_Allow_FIPS(md5))
if (!winpr_Digest_Init_Allow_FIPS(md5, WINPR_MD_MD5))
goto out;
if (!winpr_Digest_Update(md5, mac_salt_key, 16)) /* MacSaltKey */
goto out;

4
winpr/include/winpr/crypto.h
View File

@ -665,12 +665,12 @@ extern "C" {
#endif
WINPR_API WINPR_DIGEST_CTX* winpr_Digest_New(void);
WINPR_API BOOL winpr_Digest_Init_MD5_Allow_FIPS(WINPR_DIGEST_CTX* ctx);
WINPR_API BOOL winpr_Digest_Init_Allow_FIPS(WINPR_DIGEST_CTX* ctx, WINPR_MD_TYPE md);
WINPR_API BOOL winpr_Digest_Init(WINPR_DIGEST_CTX* ctx, WINPR_MD_TYPE md);
WINPR_API BOOL winpr_Digest_Update(WINPR_DIGEST_CTX* ctx, const BYTE* input, size_t ilen);
WINPR_API BOOL winpr_Digest_Final(WINPR_DIGEST_CTX* ctx, BYTE* output, size_t ilen);
WINPR_API void winpr_Digest_Free(WINPR_DIGEST_CTX* ctx);
WINPR_API BOOL winpr_Digest_MD5_Allow_FIPS(const BYTE* input, size_t ilen, BYTE* output, size_t olen);
WINPR_API BOOL winpr_Digest_Allow_FIPS(int md, const BYTE* input, size_t ilen, BYTE* output, size_t olen);
WINPR_API BOOL winpr_Digest(int md, const BYTE* input, size_t ilen, BYTE* output, size_t olen);
#ifdef __cplusplus

19
winpr/libwinpr/crypto/hash.c
View File

@ -374,15 +374,22 @@ BOOL winpr_Digest_Init_Internal(WINPR_DIGEST_CTX* ctx, WINPR_MD_TYPE md)
}
#endif
BOOL winpr_Digest_Init_MD5_Allow_FIPS(WINPR_DIGEST_CTX* ctx)
BOOL winpr_Digest_Init_Allow_FIPS(WINPR_DIGEST_CTX* ctx, WINPR_MD_TYPE md)
{
#if defined(WITH_OPENSSL)
EVP_MD_CTX* mdctx = (EVP_MD_CTX*) ctx;
const EVP_MD* evp = EVP_md5();
const EVP_MD* evp = winpr_openssl_get_evp_md(md);
/* Only MD5 is supported for FIPS allow override */
if (md != WINPR_MD_MD5)
return FALSE;
EVP_MD_CTX_set_flags(mdctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
return winpr_Digest_Init_Internal(ctx, WINPR_MD_MD5, evp);
return winpr_Digest_Init_Internal(ctx, md, evp);
#elif defined(WITH_MBEDTLS)
return winpr_Digest_Init_Internal(ctx, WINPR_MD_MD5);
/* Only MD5 is supported for FIPS allow override */
if (md != WINPR_MD_MD5)
return FALSE;
return winpr_Digest_Init_Internal(ctx, md);
#endif
}
@ -449,7 +456,7 @@ void winpr_Digest_Free(WINPR_DIGEST_CTX* ctx)
#endif
}
BOOL winpr_Digest_MD5_Allow_FIPS(const BYTE* input, size_t ilen, BYTE* output, size_t olen)
BOOL winpr_Digest_Allow_FIPS(int md, const BYTE* input, size_t ilen, BYTE* output, size_t olen)
{
BOOL result = FALSE;
WINPR_DIGEST_CTX *ctx = winpr_Digest_New();
@ -457,7 +464,7 @@ BOOL winpr_Digest_MD5_Allow_FIPS(const BYTE* input, size_t ilen, BYTE* output, s
if (!ctx)
return FALSE;
if (!winpr_Digest_Init_MD5_Allow_FIPS(ctx))
if (!winpr_Digest_Init_Allow_FIPS(ctx, md))
goto out;
if (!winpr_Digest_Update(ctx, input, ilen))
goto out;