mart-w/kanidm
1
0
Fork 0
mirror of https://github.com/kanidm/kanidm.git synced 2025-05-24 09:53:54 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity

Avoid openssl for md4

Browse source 
Since we are in the process of dropping openssl, we are no longer
limited by it. In this case, the issue is that openssl demands the
legacy provider be enabled for FreeIPA sync due to it's weak
cryptography.

The issue however is that with the changes to the scratch container
base, we no longer have the legacy module, and working to include it
isn't worth the effort since we can just swap to rust crypto instead.
This commit is contained in:
William Brown 2025-05-03 15:48:25 +10:00
parent 7a0c19e39b
commit 3e84e0d9df
3 changed files with 10 additions and 55 deletions

1
Cargo.toml
View file

@ -213,6 +213,7 @@ libsqlite3-sys = "^0.25.2"
lodepng = "3.11.0"
lru = "0.14.0"
mathru = "0.15.5"
md4 = "0.10.2"
md-5 = "0.10.6"
mimalloc = "0.1.46"
notify-debouncer-full = { version = "0.5" }

1
libs/crypto/Cargo.toml
View file

@ -27,6 +27,7 @@ kanidm-hsm-crypto = { workspace = true }
openssl-sys = { workspace = true }
openssl = { workspace = true }
rand = { workspace = true }
md4 = { workspace = true }
sha2 = { workspace = true }
serde = { workspace = true, features = ["derive"] }
tracing = { workspace = true }

63
libs/crypto/src/lib.rs
View file

@ -17,9 +17,9 @@ use base64::{alphabet, Engine};
use base64urlsafedata::Base64UrlSafeData;
use kanidm_hsm_crypto::{HmacKey, Tpm};
use kanidm_proto::internal::OperationError;
use md4::{Digest, Md4};
use openssl::error::ErrorStack as OpenSSLErrorStack;
use openssl::hash::{self, MessageDigest};
use openssl::nid::Nid;
use openssl::hash::MessageDigest;
use openssl::pkcs5::pbkdf2_hmac;
use openssl::sha::{Sha1, Sha256, Sha512};
use rand::Rng;
@ -1162,20 +1162,11 @@ impl Password {
.flat_map(|i| i.into_iter())
.collect();
let dgst = MessageDigest::from_nid(Nid::MD4).ok_or_else(|| {
error!("Unable to access MD4 - fips mode may be enabled, or you may need to activate the legacy provider.");
error!("For more details, see https://wiki.openssl.org/index.php/OpenSSL_3.0#Providers");
CryptoError::Md4Disabled
})?;
let mut hasher = Md4::new();
hasher.update(&clear_utf16le);
let chal_key = hasher.finalize();
hash::hash(dgst, &clear_utf16le)
.map_err(|e| {
debug!(?e);
error!("Unable to digest MD4 - fips mode may be enabled, or you may need to activate the legacy provider.");
error!("For more details, see https://wiki.openssl.org/index.php/OpenSSL_3.0#Providers");
CryptoError::Md4Disabled
})
.map(|chal_key| chal_key.as_ref() == key)
Ok(chal_key.as_slice() == key)
}
(Kdf::CRYPT_MD5 { s, h }, _) => {
let chal_key = crypt_md5::do_md5_crypt(cleartext.as_bytes(), s);
@ -1481,21 +1472,6 @@ mod tests {
* this for this test.
*/
/*
#[cfg(openssl3)]
fn setup_openssl_legacy_provider() -> openssl::lib_ctx::LibCtx {
let ctx = openssl::lib_ctx::LibCtx::new()
.expect("Failed to create new library context");
openssl::provider::Provider::load(Some(&ctx), "legacy")
.expect("Failed to setup provider.");
eprintln!("setup legacy provider maybe??");
ctx
}
*/
#[test]
fn test_password_from_ipa_nt_hash() {
sketching::test_init();
@ -1505,19 +1481,7 @@ mod tests {
let r = Password::try_from(im_pw).expect("Failed to parse");
assert!(r.requires_upgrade());
match r.verify(password) {
Ok(r) => assert!(r),
Err(_) =>
{
#[allow(clippy::panic)]
if cfg!(openssl3) {
warn!("To run this test, enable the legacy provider.");
} else {
panic!("openssl3 not enabled");
}
}
}
assert!(r.verify(password).expect("Failed to hash"));
let im_pw = "ipaNTHash: pS43DjQLcUYhaNF_cd_Vhw==";
Password::try_from(im_pw).expect("Failed to parse");
}
@ -1530,18 +1494,7 @@ mod tests {
let password = "password";
let r = Password::try_from(im_pw).expect("Failed to parse");
assert!(r.requires_upgrade());
match r.verify(password) {
Ok(r) => assert!(r),
Err(_) =>
{
#[allow(clippy::panic)]
if cfg!(openssl3) {
warn!("To run this test, enable the legacy provider.");
} else {
panic!("OpenSSL3 feature not enabled")
}
}
}
assert!(r.verify(password).expect("Failed to hash"));
}
#[test]