Avoid openssl for md4 (#3594)

2025-05-24 09:53:54 +02:00 · 2025-05-04 07:16:40 +10:00 · 2025-05-04 07:16:40 +10:00 · 235e4d053a
parent 7a0c19e39b
commit 235e4d053a
4 changed files with 36 additions and 71 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@ -652,9 +652,9 @@ checksum = "d71b6127be86fdcfddb610f7182ac57211d4b18a3e9c82eb2d17662f2227ad6a"

 [[package]]
 name = "cc"
-version = "1.2.20"
+version = "1.2.21"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "04da6a0d40b948dfc4fa8f5bbf402b0fc1a64a28dbf7d12ffd683550f2c1b63a"
+checksum = "8691782945451c1c383942c4874dbe63814f61cb57ef773cda2972682b7bb3c0"
 dependencies = [
 "shlex",
 ]
@ -1750,7 +1750,7 @@ dependencies = [
 "gix-utils 0.2.0",
 "itoa",
 "thiserror 2.0.12",
- "winnow 0.7.7",
+ "winnow 0.7.9",
 ]

 [[package]]
@ -1806,7 +1806,7 @@ dependencies = [
 "smallvec",
 "thiserror 2.0.12",
 "unicode-bom",
- "winnow 0.7.7",
+ "winnow 0.7.9",
 ]

 [[package]]
@ -1996,7 +1996,7 @@ dependencies = [
 "itoa",
 "smallvec",
 "thiserror 2.0.12",
- "winnow 0.7.7",
+ "winnow 0.7.9",
 ]

 [[package]]
@ -2080,7 +2080,7 @@ dependencies = [
 "gix-utils 0.2.0",
 "maybe-async",
 "thiserror 2.0.12",
- "winnow 0.7.7",
+ "winnow 0.7.9",
 ]

 [[package]]
@ -2112,7 +2112,7 @@ dependencies = [
 "gix-validate 0.9.4",
 "memmap2",
 "thiserror 2.0.12",
- "winnow 0.7.7",
+ "winnow 0.7.9",
 ]

 [[package]]
@ -2918,9 +2918,9 @@ checksum = "4a5f13b858c8d314ee3e8f639011f7ccefe71f97f96e50151fb991f267928e2c"

 [[package]]
 name = "jiff"
-version = "0.2.10"
+version = "0.2.11"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5a064218214dc6a10fbae5ec5fa888d80c45d611aba169222fc272072bf7aef6"
+checksum = "27e77966151130221b079bcec80f1f34a9e414fa489d99152a201c07fd2182bc"
 dependencies = [
 "jiff-static",
 "jiff-tzdb-platform",
@ -2933,9 +2933,9 @@ dependencies = [

 [[package]]
 name = "jiff-static"
-version = "0.2.10"
+version = "0.2.11"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "199b7932d97e325aff3a7030e141eafe7f2c6268e1d1b24859b753a627f45254"
+checksum = "97265751f8a9a4228476f2fc17874a9e7e70e96b893368e42619880fe143b48a"
 dependencies = [
 "proc-macro2",
 "quote",
@ -3116,6 +3116,7 @@ dependencies = [
 "kanidm-hsm-crypto",
 "kanidm_proto",
 "md-5",
+ "md4",
 "openssl",
 "openssl-sys",
 "rand 0.9.1",
@ -3437,9 +3438,9 @@ dependencies = [

 [[package]]
 name = "lambert_w"
-version = "1.2.16"
+version = "1.2.17"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8d3ad1e8c00546ab82e384e926bf0a645e1026e973a79b73fa9b3e97febf6105"
+checksum = "dc66ddcab7f8a3cc035052b0bb1f9f7f47ac92741b3fe78974bdd356fe023a40"
 dependencies = [
 "num-complex",
 "num-traits",
@ -3725,6 +3726,15 @@ dependencies = [
 "digest",
 ]

+[[package]]
+name = "md4"
+version = "0.10.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7da5ac363534dce5fabf69949225e174fbf111a498bf0ff794c8ea1fba9f3dda"
+dependencies = [
+ "digest",
+]
+
 [[package]]
 name = "memchr"
 version = "2.7.4"
@ -6015,7 +6025,7 @@ dependencies = [
 "serde_spanned",
 "toml_datetime",
 "toml_write",
- "winnow 0.7.7",
+ "winnow 0.7.9",
 ]

 [[package]]
@ -7122,9 +7132,9 @@ dependencies = [

 [[package]]
 name = "winnow"
-version = "0.7.7"
+version = "0.7.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6cb8234a863ea0e8cd7284fcdd4f145233eb00fee02bbdd9861aec44e6477bc5"
+checksum = "d9fb597c990f03753e08d3c29efbfcf2019a003b4bf4ba19225c158e1549f0f3"
 dependencies = [
 "memchr",
 ]
--- a/Cargo.toml
+++ b/Cargo.toml
@ -213,6 +213,7 @@ libsqlite3-sys = "^0.25.2"
 lodepng = "3.11.0"
 lru = "0.14.0"
 mathru = "0.15.5"
+md4 = "0.10.2"
 md-5 = "0.10.6"
 mimalloc = "0.1.46"
 notify-debouncer-full = { version = "0.5" }
--- a/libs/crypto/Cargo.toml
+++ b/libs/crypto/Cargo.toml
@ -27,6 +27,7 @@ kanidm-hsm-crypto = { workspace = true }
 openssl-sys = { workspace = true }
 openssl = { workspace = true }
 rand = { workspace = true }
+md4 = { workspace = true }
 sha2 = { workspace = true }
 serde = { workspace = true, features = ["derive"] }
 tracing = { workspace = true }
--- a/libs/crypto/src/lib.rs
+++ b/libs/crypto/src/lib.rs
@ -17,9 +17,9 @@ use base64::{alphabet, Engine};
 use base64urlsafedata::Base64UrlSafeData;
 use kanidm_hsm_crypto::{HmacKey, Tpm};
 use kanidm_proto::internal::OperationError;
+use md4::{Digest, Md4};
 use openssl::error::ErrorStack as OpenSSLErrorStack;
-use openssl::hash::{self, MessageDigest};
-use openssl::nid::Nid;
+use openssl::hash::MessageDigest;
 use openssl::pkcs5::pbkdf2_hmac;
 use openssl::sha::{Sha1, Sha256, Sha512};
 use rand::Rng;
@ -1162,20 +1162,11 @@ impl Password {
                    .flat_map(|i| i.into_iter())
                    .collect();

-                let dgst = MessageDigest::from_nid(Nid::MD4).ok_or_else(|| {
-                    error!("Unable to access MD4 - fips mode may be enabled, or you may need to activate the legacy provider.");
-                    error!("For more details, see https://wiki.openssl.org/index.php/OpenSSL_3.0#Providers");
-                    CryptoError::Md4Disabled
-                })?;
+                let mut hasher = Md4::new();
+                hasher.update(&clear_utf16le);
+                let chal_key = hasher.finalize();

-                hash::hash(dgst, &clear_utf16le)
-                    .map_err(|e| {
-                        debug!(?e);
-                        error!("Unable to digest MD4 - fips mode may be enabled, or you may need to activate the legacy provider.");
-                        error!("For more details, see https://wiki.openssl.org/index.php/OpenSSL_3.0#Providers");
-                        CryptoError::Md4Disabled
-                    })
-                    .map(|chal_key| chal_key.as_ref() == key)
+                Ok(chal_key.as_slice() == key)
            }
            (Kdf::CRYPT_MD5 { s, h }, _) => {
                let chal_key = crypt_md5::do_md5_crypt(cleartext.as_bytes(), s);
@ -1481,21 +1472,6 @@ mod tests {
     * this for this test.
     */

-    /*
-    #[cfg(openssl3)]
-    fn setup_openssl_legacy_provider() -> openssl::lib_ctx::LibCtx {
-        let ctx = openssl::lib_ctx::LibCtx::new()
-            .expect("Failed to create new library context");
-
-        openssl::provider::Provider::load(Some(&ctx), "legacy")
-            .expect("Failed to setup provider.");
-
-        eprintln!("setup legacy provider maybe??");
-
-        ctx
-    }
-    */
-
    #[test]
    fn test_password_from_ipa_nt_hash() {
        sketching::test_init();
@ -1505,19 +1481,7 @@ mod tests {
        let r = Password::try_from(im_pw).expect("Failed to parse");
        assert!(r.requires_upgrade());

-        match r.verify(password) {
-            Ok(r) => assert!(r),
-            Err(_) =>
-            {
-                #[allow(clippy::panic)]
-                if cfg!(openssl3) {
-                    warn!("To run this test, enable the legacy provider.");
-                } else {
-                    panic!("openssl3 not enabled");
-                }
-            }
-        }
-
+        assert!(r.verify(password).expect("Failed to hash"));
        let im_pw = "ipaNTHash: pS43DjQLcUYhaNF_cd_Vhw==";
        Password::try_from(im_pw).expect("Failed to parse");
    }
@ -1530,18 +1494,7 @@ mod tests {
        let password = "password";
        let r = Password::try_from(im_pw).expect("Failed to parse");
        assert!(r.requires_upgrade());
-        match r.verify(password) {
-            Ok(r) => assert!(r),
-            Err(_) =>
-            {
-                #[allow(clippy::panic)]
-                if cfg!(openssl3) {
-                    warn!("To run this test, enable the legacy provider.");
-                } else {
-                    panic!("OpenSSL3 feature not enabled")
-                }
-            }
-        }
+        assert!(r.verify(password).expect("Failed to hash"));
    }

    #[test]