| author | Greg Hudson <ghudson@mit.edu> | 2009-12-04 05:12:35 +0000 |
|---|---|---|
| committer | Greg Hudson <ghudson@mit.edu> | 2009-12-04 05:12:35 +0000 |
| commit | 5ffa313d9f6b7c509aa0d7579273150d71ea0f95 (patch) | |
| tree | 48f8d5606c919dd09d950c5cbf1609f312f2937d /src/lib/crypto/openssl | |
| parent | ea6f77d42700352fcb2a06444d1dc00acf7c20fc (diff) | |
Consolidate the IOV and non-IOV encryption/decryption code paths, and
drop the _iov suffix from most encryption- and decryption-related
functions. The enc_provider encrypt and decrypt functions take IOVs,
as do the enctype entries in etypes.c, and there are no separate
encrypt_iov or decrypt_iov functions.
aead_provider is gone. Enctype functions now take pointers to the
enctype entry instead of pointers to the enc/hash/aead providers; this
allows dk_encrypt and dk_decrypt to be polymorphic in the length
function they use now that AES and DES3 can't differentiate by aead
provider.
aes_string_to_key needed to be moved into the krb/ fold for this since
it's an enctype function; it was duplicated between builtin/ and
openssl/ before. This leaves openssl/aes empty; the build system
currently demands that all modules have the same directory structure,
so the directory and Makefile will stick around for now.
Three separate copies of the derive_random logic are also now
consolidated into one.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23444 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/lib/crypto/openssl')
| -rw-r--r-- | src/lib/crypto/openssl/Makefile.in | 12 | ||||
| -rw-r--r-- | src/lib/crypto/openssl/aes/Makefile.in | 13 | ||||
| -rw-r--r-- | src/lib/crypto/openssl/aes/aes_s2k.c | 92 | ||||
| -rw-r--r-- | src/lib/crypto/openssl/aes/aes_s2k.h | 10 | ||||
| -rw-r--r-- | src/lib/crypto/openssl/aes/deps | 15 | ||||
| -rw-r--r-- | src/lib/crypto/openssl/deps | 17 | ||||
| -rw-r--r-- | src/lib/crypto/openssl/enc_provider/aes.c | 355 | ||||
| -rw-r--r-- | src/lib/crypto/openssl/enc_provider/deps | 67 | ||||
| -rw-r--r-- | src/lib/crypto/openssl/enc_provider/des.c | 230 | ||||
| -rw-r--r-- | src/lib/crypto/openssl/enc_provider/des3.c | 241 | ||||
| -rw-r--r-- | src/lib/crypto/openssl/enc_provider/rc4.c | 52 | ||||
| -rw-r--r-- | src/lib/crypto/openssl/sha1/Makefile.in | 17 |
12 files changed, 205 insertions, 916 deletions
diff --git a/src/lib/crypto/openssl/Makefile.in b/src/lib/crypto/openssl/Makefile.in index e95227340..a008d5727 100644 --- a/src/lib/crypto/openssl/Makefile.in +++ b/src/lib/crypto/openssl/Makefile.in @@ -53,18 +53,6 @@ includes:: depend depend:: $(SRCS) clean-unix:: clean-libobjs -check-unix:: t_cf2 - $(RUN_SETUP) $(VALGRIND) ./t_cf2 <$(srcdir)/t_cf2.in >t_cf2.output - diff t_cf2.output $(srcdir)/t_cf2.expected - -t_cf2$(EXEEXT): t_cf2.$(OBJEXT) $(SUPPORT_DEPLIB) - $(CC_LINK) -o $@ t_cf2.$(OBJEXT) -lkrb5 -lk5crypto -lcom_err $(SUPPORT_LIB) - -clean:: - $(RM) t_cf2 t_cf2.o t_cf2.output - - - all-windows:: cd ..\des diff --git a/src/lib/crypto/openssl/aes/Makefile.in b/src/lib/crypto/openssl/aes/Makefile.in index b1848d6f7..6352c3dc2 100644 --- a/src/lib/crypto/openssl/aes/Makefile.in +++ b/src/lib/crypto/openssl/aes/Makefile.in @@ -1,3 +1,7 @@ +# Nothing here! But we can't remove this directory as the build +# system currently assumes that all modules have the same directory +# structure. + mydir=lib/crypto/openssl/aes BUILDTOP=$(REL)..$(S)..$(S)..$(S).. LOCALINCLUDES = -I$(srcdir)/.. -I$(srcdir)/../../krb/dk -I$(srcdir)/../../../../include @@ -10,14 +14,11 @@ DEFS= PROG_LIBPATH=-L$(TOPLIBD) PROG_RPATH=$(KRB5_LIBDIR) -STLIBOBJS=\ - aes_s2k.o +STLIBOBJS= -OBJS=\ - $(OUTPRE)aes_s2k.$(OBJEXT) +OBJS= -SRCS=\ - $(srcdir)/aes_s2k.c +SRCS= ##DOS##LIBOBJS = $(OBJS) diff --git a/src/lib/crypto/openssl/aes/aes_s2k.c b/src/lib/crypto/openssl/aes/aes_s2k.c deleted file mode 100644 index b2fa1f1d9..000000000 --- a/src/lib/crypto/openssl/aes/aes_s2k.c +++ /dev/null 
@@ -1,92 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* - * lib/crypto/openssl/aes/aes_s2k.c - * - * Copyright 2003, 2009 by the Massachusetts Institute of Technology. - * All Rights Reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. Furthermore if you modify this software you must label - * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. - * M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. 
- * - * - * krb5int_aes_string_to_key - */ - -#include "k5-int.h" -#include "dk.h" -#include "aes_s2k.h" - -#define DEFAULT_ITERATION_COUNT 4096 /* was 0xb000L in earlier drafts */ -#define MAX_ITERATION_COUNT 0x1000000L - -krb5_error_code -krb5int_aes_string_to_key(const struct krb5_enc_provider *enc, - const krb5_data *string, - const krb5_data *salt, - const krb5_data *params, - krb5_keyblock *key) -{ - unsigned long iter_count; - krb5_data out; - static const krb5_data usage = { KV5M_DATA, 8, "kerberos" }; - krb5_key tempkey = NULL; - krb5_error_code err; - - if (params) { - unsigned char *p = (unsigned char *) params->data; - if (params->length != 4) - return KRB5_ERR_BAD_S2K_PARAMS; - /* The first two need casts in case 'int' is 16 bits. */ - iter_count = load_32_be(p); - if (iter_count == 0) { - iter_count = (1UL << 16) << 16; - if (((iter_count >> 16) >> 16) != 1) - return KRB5_ERR_BAD_S2K_PARAMS; - } - } else - iter_count = DEFAULT_ITERATION_COUNT; - - /* This is not a protocol specification constraint; this is an - implementation limit, which should eventually be controlled by - a config file. */ - if (iter_count >= MAX_ITERATION_COUNT) - return KRB5_ERR_BAD_S2K_PARAMS; - - /* Use the output keyblock contents for temporary space. */ - out.data = (char *) key->contents; - out.length = key->length; - if (out.length != 16 && out.length != 32) - return KRB5_CRYPTO_INTERNAL; - - err = krb5int_pbkdf2_hmac_sha1 (&out, iter_count, string, salt); - if (err) - goto cleanup; - - err = krb5_k_create_key (NULL, key, &tempkey); - if (err) - goto cleanup; - - err = krb5int_derive_keyblock (enc, tempkey, key, &usage); - -cleanup: - if (err) - memset (out.data, 0, out.length); - krb5_k_free_key (NULL, tempkey); - return err; -} diff --git a/src/lib/crypto/openssl/aes/aes_s2k.h b/src/lib/crypto/openssl/aes/aes_s2k.h deleted file mode 100644 index f9bb1fec1..000000000 --- a/src/lib/crypto/openssl/aes/aes_s2k.h +++ /dev/null 
@@ -1,10 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* - * lib/crypto/openssl/aes/aes_s2k.h - */ - - -extern krb5_error_code -krb5int_aes_string_to_key (const struct krb5_enc_provider *, - const krb5_data *, const krb5_data *, - const krb5_data *, krb5_keyblock *key); diff --git a/src/lib/crypto/openssl/aes/deps b/src/lib/crypto/openssl/aes/deps index 93ce8c90f..2feac3c9d 100644 --- a/src/lib/crypto/openssl/aes/deps +++ b/src/lib/crypto/openssl/aes/deps @@ -1,14 +1 @@ -# -# Generated makefile dependencies follow. -# -aes_s2k.so aes_s2k.po $(OUTPRE)aes_s2k.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../krb/dk/dk.h \ - $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ - $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ - $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ - $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ - $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ - $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \ - $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ - aes_s2k.c aes_s2k.h +# No dependencies here. diff --git a/src/lib/crypto/openssl/deps b/src/lib/crypto/openssl/deps index 6cf7e30c9..dba4cf8b2 100644 --- a/src/lib/crypto/openssl/deps +++ b/src/lib/crypto/openssl/deps 
@@ -4,14 +4,15 @@ hmac.so hmac.po $(OUTPRE)hmac.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../krb/aead.h \ - $(srcdir)/../krb/cksumtypes.h $(top_srcdir)/include/k5-buf.h \ - $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ - $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ - $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ - $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/krb5.h \ - $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/locate_plugin.h \ - $(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \ - $(top_srcdir)/include/socket-utils.h hmac.c + $(srcdir)/../krb/cksumtypes.h $(srcdir)/../krb/etypes.h \ + $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ + $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ + $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ + $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ + $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ + $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \ + $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ + hmac.c pbkdf2.so pbkdf2.po $(OUTPRE)pbkdf2.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/hash_provider/hash_provider.h \ diff --git a/src/lib/crypto/openssl/enc_provider/aes.c b/src/lib/crypto/openssl/enc_provider/aes.c index 519a1b54a..51bf5ce42 100644 --- a/src/lib/crypto/openssl/enc_provider/aes.c +++ b/src/lib/crypto/openssl/enc_provider/aes.c 
@@ -36,23 +36,17 @@ /* proto's */ static krb5_error_code -cts_enc(krb5_key key, const krb5_data *ivec, - const krb5_data *input, krb5_data *output); +cbc_enc(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data, + size_t num_data); static krb5_error_code -cbc_enc(krb5_key key, const krb5_data *ivec, - const krb5_data *input, krb5_data *output); +cbc_decr(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data, + size_t num_data); static krb5_error_code -cts_decr(krb5_key key, const krb5_data *ivec, - const krb5_data *input, krb5_data *output); +cts_encr(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data, + size_t num_data, size_t dlen); static krb5_error_code -cbc_decr(krb5_key key, const krb5_data *ivec, - const krb5_data *input, krb5_data *output); -static krb5_error_code -cts_encr_iov(krb5_key key, const krb5_data *ivec, - krb5_crypto_iov *data, size_t num_data, size_t dlen); -static krb5_error_code -cts_decr_iov(krb5_key key, const krb5_data *ivec, - krb5_crypto_iov *data, size_t num_data, size_t dlen); +cts_decr(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data, + size_t num_data, size_t dlen); #define BLOCK_SIZE 16 #define NUM_BITS 8 
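Review bot: The four static helpers declared under `/* proto's */` are named inconsistently (`cbc_enc` beside `cbc_decr`, `cts_encr` and `cts_decr`), which makes an encrypt/decrypt mix-up at a call site easy to overlook. A uniform spelling such as `cbc_encr` would make the direction read the same way in every name. Each prototype could also carry a one-line comment saying that `data`/`num_data` is transformed in place and that `dlen`, on the CTS pair, appears to be the total input length taken from the IOVs. The definitions are in later hunks.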
@@ -69,194 +63,78 @@ map_mode(unsigned int len) return NULL; } +/* Encrypt one block using CBC. */ static krb5_error_code -cbc_enc(krb5_key key, const krb5_data *ivec, - const krb5_data *input, krb5_data *output) +cbc_enc(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data, + size_t num_data) { - int ret = 0, tmp_len = 0; - unsigned char *tmp_buf = NULL; + int ret, olen = BLOCK_SIZE; + unsigned char iblock[BLOCK_SIZE], oblock[BLOCK_SIZE]; EVP_CIPHER_CTX ciph_ctx; - - tmp_len = input->length; - tmp_buf = OPENSSL_malloc(input->length); - if (!tmp_buf){ - return ENOMEM; - } + struct iov_block_state input_pos, output_pos; EVP_CIPHER_CTX_init(&ciph_ctx); - ret = EVP_EncryptInit_ex(&ciph_ctx, map_mode(key->keyblock.length), NULL, key->keyblock.contents, (ivec) ? (unsigned char*)ivec->data : NULL); + if (ret == 0) + return KRB5_CRYPTO_INTERNAL; - if (ret == 1){ - EVP_CIPHER_CTX_set_padding(&ciph_ctx,0); - ret = EVP_EncryptUpdate(&ciph_ctx, tmp_buf, &tmp_len, - (unsigned char *)input->data, input->length); - output->length = tmp_len; - if(ret) - ret = EVP_EncryptFinal_ex(&ciph_ctx,tmp_buf+tmp_len,&tmp_len); + IOV_BLOCK_STATE_INIT(&input_pos); + IOV_BLOCK_STATE_INIT(&output_pos); + krb5int_c_iov_get_block(iblock, BLOCK_SIZE, data, num_data, &input_pos); + EVP_CIPHER_CTX_set_padding(&ciph_ctx,0); + ret = EVP_EncryptUpdate(&ciph_ctx, oblock, &olen, iblock, BLOCK_SIZE); + if (ret == 1) { + krb5int_c_iov_put_block(data, num_data, oblock, BLOCK_SIZE, + &output_pos); } - EVP_CIPHER_CTX_cleanup(&ciph_ctx); - if (ret == 1){ - memcpy(output->data, tmp_buf, output->length); - ret = 0; - } else { - ret = KRB5_CRYPTO_INTERNAL; - } - - memset(tmp_buf, 0, input->length); - OPENSSL_free(tmp_buf); - - return ret; + zap(iblock, BLOCK_SIZE); + zap(oblock, BLOCK_SIZE); + return (ret == 1) ? 0 : KRB5_CRYPTO_INTERNAL; } +/* Decrypt one block using CBC. 
*/ static krb5_error_code -cbc_decr(krb5_key key, const krb5_data *ivec, - const krb5_data *input, krb5_data *output) +cbc_decr(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data, + size_t num_data) { - int ret = 0, tmp_len = 0; - unsigned char *tmp_buf = NULL; + int ret = 0, olen = BLOCK_SIZE; + unsigned char iblock[BLOCK_SIZE], oblock[BLOCK_SIZE]; EVP_CIPHER_CTX ciph_ctx; - - tmp_len = input->length; - tmp_buf = OPENSSL_malloc(input->length); - if (!tmp_buf){ - return ENOMEM; - } + struct iov_block_state input_pos, output_pos; EVP_CIPHER_CTX_init(&ciph_ctx); - ret = EVP_DecryptInit_ex(&ciph_ctx, map_mode(key->keyblock.length), NULL, key->keyblock.contents, (ivec) ? (unsigned char*)ivec->data : NULL); - if (ret == 1) { - EVP_CIPHER_CTX_set_padding(&ciph_ctx,0); - ret = EVP_EncryptUpdate(&ciph_ctx, tmp_buf, &tmp_len, - (unsigned char *)input->data, input->length); - output->length = tmp_len; - if (ret == 1) - ret = EVP_DecryptFinal_ex(&ciph_ctx,tmp_buf+tmp_len,&tmp_len); - } - - EVP_CIPHER_CTX_cleanup(&ciph_ctx); + if (ret == 0) + return KRB5_CRYPTO_INTERNAL; + IOV_BLOCK_STATE_INIT(&input_pos); + IOV_BLOCK_STATE_INIT(&output_pos); + krb5int_c_iov_get_block(iblock, BLOCK_SIZE, data, num_data, &input_pos); + EVP_CIPHER_CTX_set_padding(&ciph_ctx,0); + ret = EVP_DecryptUpdate(&ciph_ctx, oblock, &olen, iblock, BLOCK_SIZE); if (ret == 1) { - output->length += tmp_len; - memcpy(output->data, tmp_buf, output->length); - ret = 0; - } else { - ret = KRB5_CRYPTO_INTERNAL; - } - - memset(tmp_buf, 0, input->length); - OPENSSL_free(tmp_buf); - - return ret; -} - -static krb5_error_code -cts_enc(krb5_key key, const krb5_data *ivec, - const krb5_data *input, krb5_data *output) -{ - int ret = 0, tmp_len = 0; - size_t size = 0; - unsigned char iv_cts[IV_CTS_BUF_SIZE]; - unsigned char *tmp_buf = NULL; - AES_KEY enck; - - memset(iv_cts,0,sizeof(iv_cts)); - if (ivec && ivec->data){ - if (ivec->length != sizeof(iv_cts)) - return KRB5_CRYPTO_INTERNAL; - memcpy(iv_cts, 
ivec->data,ivec->length); - } - - tmp_buf = OPENSSL_malloc(input->length); - if (!tmp_buf) - return ENOMEM; - tmp_len = input->length; - - AES_set_encrypt_key(key->keyblock.contents, - NUM_BITS * key->keyblock.length, &enck); - - size = CRYPTO_cts128_encrypt((unsigned char *)input->data, tmp_buf, - input->length, &enck, - iv_cts, (cbc128_f)AES_cbc_encrypt); - if (size <= 0 || output->length < size) { - ret = KRB5_CRYPTO_INTERNAL; - } else { - output->length = size; - memcpy(output->data, tmp_buf, output->length); - ret = 0; - } - - if (!ret && ivec && ivec->data) - memcpy(ivec->data, iv_cts, sizeof(iv_cts)); - - memset(tmp_buf, 0, input->length); - OPENSSL_free(tmp_buf); - - return ret; -} - -static krb5_error_code -cts_decr(krb5_key key, const krb5_data *ivec, - const krb5_data *input, krb5_data *output) -{ - int ret = 0, tmp_len = 0; - size_t size = 0; - unsigned char iv_cts[IV_CTS_BUF_SIZE]; - unsigned char *tmp_buf = NULL; - AES_KEY deck; - - memset(iv_cts,0,sizeof(iv_cts)); - if (ivec && ivec->data){ - if (ivec->length != sizeof(iv_cts)) - return KRB5_CRYPTO_INTERNAL; - memcpy(iv_cts, ivec->data,ivec->length); + krb5int_c_iov_put_block(data, num_data, oblock, BLOCK_SIZE, + &output_pos); } + EVP_CIPHER_CTX_cleanup(&ciph_ctx); - tmp_buf = OPENSSL_malloc(input->length); - if (!tmp_buf) - return ENOMEM; - tmp_len = input->length; - - AES_set_decrypt_key(key->keyblock.contents, - NUM_BITS * key->keyblock.length, &deck); - - size = CRYPTO_cts128_decrypt((unsigned char *)input->data, tmp_buf, - input->length, &deck, - iv_cts, (cbc128_f)AES_cbc_encrypt); - if (size <= 0 || output->length < size) { - ret = KRB5_CRYPTO_INTERNAL; - } else { - output->length = size + 16; - memcpy(output->data, tmp_buf, output->length); - ret = 0; - } - - if (!ret && ivec && ivec->data) - memcpy(ivec->data, iv_cts, sizeof(iv_cts)); - - memset(tmp_buf, 0, input->length); - OPENSSL_free(tmp_buf); - - return ret; + zap(iblock, BLOCK_SIZE); + zap(oblock, BLOCK_SIZE); + return (ret == 1) ? 
0 : KRB5_CRYPTO_INTERNAL; } static krb5_error_code -cts_encr_iov(krb5_key key, - const krb5_data *ivec, - krb5_crypto_iov *data, - size_t num_data, size_t dlen) +cts_encr(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data, + size_t num_data, size_t dlen) { int ret = 0; - int oblock_len = BLOCK_SIZE * num_data; - size_t size = 0, tlen = 0; + size_t size = 0; unsigned char *oblock = NULL, *dbuf = NULL; unsigned char iv_cts[IV_CTS_BUF_SIZE]; - unsigned char iblock[BLOCK_SIZE]; struct iov_block_state input_pos, output_pos; AES_KEY enck; @@ -267,7 +145,7 @@ cts_encr_iov(krb5_key key, memcpy(iv_cts, ivec->data,ivec->length); } - oblock = OPENSSL_malloc(oblock_len); + oblock = OPENSSL_malloc(dlen); if (!oblock){ return ENOMEM; } @@ -277,26 +155,10 @@ cts_encr_iov(krb5_key key, return ENOMEM; } - memset(oblock, 0, oblock_len); - memset(dbuf, 0, dlen); - IOV_BLOCK_STATE_INIT(&input_pos); IOV_BLOCK_STATE_INIT(&output_pos); - tlen = 0; - for (;;) { - if (krb5int_c_iov_get_block(iblock, BLOCK_SIZE, - data, num_data, &input_pos)){ - memcpy(dbuf+tlen,iblock, BLOCK_SIZE); - - tlen += BLOCK_SIZE; - } else { - memcpy(dbuf+tlen,iblock, dlen - tlen); - break; - } - - if (tlen > dlen) break; - } + krb5int_c_iov_get_block(dbuf, dlen, data, num_data, &input_pos); AES_set_encrypt_key(key->keyblock.contents, NUM_BITS * key->keyblock.length, &enck); @@ -313,8 +175,8 @@ cts_encr_iov(krb5_key key, if (!ret && ivec && ivec->data) memcpy(ivec->data, iv_cts, sizeof(iv_cts)); - memset(oblock,0,oblock_len); - memset(dbuf,0,dlen); + zap(oblock, dlen); + zap(dbuf, dlen); OPENSSL_free(oblock); OPENSSL_free(dbuf); 
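Review bot: In the new `cbc_enc` and `cbc_decr`, the early `if (ret == 0) return KRB5_CRYPTO_INTERNAL;` comes after `EVP_CIPHER_CTX_init` and returns without `EVP_CIPHER_CTX_cleanup`, so any state the failed init left in the context is not released or wiped. A guarded form would be `if (ret == 0) { EVP_CIPHER_CTX_cleanup(&ciph_ctx); return KRB5_CRYPTO_INTERNAL; }`. Both functions also pass `ivec->data` to the init call without checking `ivec->length`, whereas `cts_encr` and `cts_decr` reject any ivec whose length differs from `sizeof(iv_cts)`; the same check, `if (ivec && ivec->data && ivec->length != BLOCK_SIZE) return KRB5_CRYPTO_INTERNAL;`, belongs here. Finally, the return value of `krb5int_c_iov_get_block` is ignored, so a short read would be processed as a full block from the uninitialised part of `iblock`; the callers appear to guarantee exactly `BLOCK_SIZE` bytes, and a comment should state that precondition.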
@@ -322,24 +184,20 @@ cts_encr_iov(krb5_key key, } static krb5_error_code -cts_decr_iov(krb5_key key, - const krb5_data *ivec, - krb5_crypto_iov *data, - size_t num_data, size_t dlen) +cts_decr(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data, + size_t num_data, size_t dlen) { int ret = 0; - int oblock_len = BLOCK_SIZE*num_data; - size_t size = 0, tlen = 0; + size_t size = 0; unsigned char *oblock = NULL; unsigned char *dbuf = NULL; - unsigned char iblock[BLOCK_SIZE]; unsigned char iv_cts[IV_CTS_BUF_SIZE]; struct iov_block_state input_pos, output_pos; AES_KEY deck; memset(iv_cts,0,sizeof(iv_cts)); if (ivec && ivec->data){ - if (ivec->length <= sizeof(iv_cts)) + if (ivec->length != sizeof(iv_cts)) return KRB5_CRYPTO_INTERNAL; memcpy(iv_cts, ivec->data,ivec->length); } @@ -347,7 +205,7 @@ cts_decr_iov(krb5_key key, IOV_BLOCK_STATE_INIT(&input_pos); IOV_BLOCK_STATE_INIT(&output_pos); - oblock = OPENSSL_malloc(oblock_len); + oblock = OPENSSL_malloc(dlen); if (!oblock) return ENOMEM; dbuf = OPENSSL_malloc(dlen); @@ -356,26 +214,10 @@ cts_decr_iov(krb5_key key, return ENOMEM; } - memset(oblock, 0, oblock_len); - memset(dbuf, 0, dlen); - AES_set_decrypt_key(key->keyblock.contents, NUM_BITS * key->keyblock.length, &deck); - tlen = 0; - for (;;) { - if (krb5int_c_iov_get_block(iblock, BLOCK_SIZE, - data, num_data, &input_pos)){ - memcpy(dbuf+tlen,iblock, BLOCK_SIZE); - - tlen += BLOCK_SIZE; - } else { - memcpy(dbuf+tlen,iblock, dlen - tlen); - break; - } - - if (tlen > dlen) break; - } + krb5int_c_iov_get_block(dbuf, dlen, data, num_data, &input_pos); size = CRYPTO_cts128_decrypt((unsigned char *)dbuf, oblock, dlen, &deck, @@ -389,8 +231,8 @@ cts_decr_iov(krb5_key key, if (!ret && ivec && ivec->data) memcpy(ivec->data, iv_cts, sizeof(iv_cts)); - memset(oblock,0,oblock_len); - memset(dbuf,0,dlen); + zap(oblock, dlen); + zap(dbuf, dlen); OPENSSL_free(oblock); OPENSSL_free(dbuf); 
@@ -399,43 +241,7 @@ cts_decr_iov(krb5_key key, krb5_error_code krb5int_aes_encrypt(krb5_key key, const krb5_data *ivec, - const krb5_data *input, krb5_data *output) -{ - int ret = 0; - - if (input->length <= BLOCK_SIZE){ - ret = cbc_enc(key, ivec, input, output); - } else { - ret = cts_enc(key, ivec, input, output); - } - - return ret; -} - -krb5_error_code -krb5int_aes_decrypt(krb5_key key, const krb5_data *ivec, - const krb5_data *input, krb5_data *output) -{ - int ret = 0; - int nblocks = 0; - - if (input->length < BLOCK_SIZE) - abort(); - - if (input->length == BLOCK_SIZE){ - ret = cbc_decr(key, ivec, input, output); - } else { - ret = cts_decr(key, ivec, input, output); - } - - return ret; -} - -static krb5_error_code -krb5int_aes_encrypt_iov(krb5_key key, - const krb5_data *ivec, - krb5_crypto_iov *data, - size_t num_data) + krb5_crypto_iov *data, size_t num_data) { int ret = 0; int nblocks = 0; @@ -449,18 +255,20 @@ krb5int_aes_encrypt_iov(krb5_key key, } nblocks = (input_length + BLOCK_SIZE - 1) / BLOCK_SIZE; - assert(nblocks > 1); - - ret = cts_encr_iov(key, ivec, data, num_data, input_length); + if (nblocks == 1) { + if (input_length != BLOCK_SIZE) + return KRB5_BAD_MSIZE; + ret = cbc_enc(key, ivec, data, num_data); + } else if (nblocks > 1) { + ret = cts_encr(key, ivec, data, num_data, input_length); + } return ret; } -static krb5_error_code -krb5int_aes_decrypt_iov(krb5_key key, - const krb5_data *ivec, - krb5_crypto_iov *data, - size_t num_data) +krb5_error_code +krb5int_aes_decrypt(krb5_key key, const krb5_data *ivec, + krb5_crypto_iov *data, size_t num_data) { int ret = 0; int nblocks = 0; 
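Review bot: With the `assert(nblocks > 1)` gone, `krb5int_aes_encrypt` has no branch for `nblocks == 0`: a zero-length input falls past both the `nblocks == 1` and `nblocks > 1` arms and returns `ret = 0` without touching the data. Rejecting that case explicitly is safer than reporting success, e.g. a trailing `else return KRB5_BAD_MSIZE;` (or an up-front `if (input_length < BLOCK_SIZE) return KRB5_BAD_MSIZE;`). The same fall-through is present in `krb5int_aes_decrypt` in the following hunk. The loop that computes `input_length` lies outside this hunk, so how it counts IOV entries is not visible here.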
@@ -474,10 +282,13 @@ krb5int_aes_decrypt_iov(krb5_key key, } nblocks = (input_length + BLOCK_SIZE - 1) / BLOCK_SIZE; - - assert(nblocks > 1); - - ret = cts_decr_iov(key, ivec, data, num_data, input_length); + if (nblocks == 1) { + if (input_length != BLOCK_SIZE) + return KRB5_BAD_MSIZE; + ret = cbc_enc(key, ivec, data, num_data); + } else if (nblocks > 1) { + ret = cts_decr(key, ivec, data, num_data, input_length); + } return ret; } @@ -500,9 +311,7 @@ const struct krb5_enc_provider krb5int_enc_aes128 = { krb5int_aes_decrypt, krb5int_aes_make_key, krb5int_aes_init_state, - krb5int_default_free_state, - krb5int_aes_encrypt_iov, - krb5int_aes_decrypt_iov + krb5int_default_free_state }; const struct krb5_enc_provider krb5int_enc_aes256 = { @@ -512,7 +321,5 @@ const struct krb5_enc_provider krb5int_enc_aes256 = { krb5int_aes_decrypt, krb5int_aes_make_key, krb5int_aes_init_state, - krb5int_default_free_state, - krb5int_aes_encrypt_iov, - krb5int_aes_decrypt_iov + krb5int_default_free_state }; diff --git a/src/lib/crypto/openssl/enc_provider/deps b/src/lib/crypto/openssl/enc_provider/deps index 2254ccd51..739c8dd6b 100644 --- a/src/lib/crypto/openssl/enc_provider/deps +++ b/src/lib/crypto/openssl/enc_provider/deps 
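Review bot: The single-block branch of `krb5int_aes_decrypt` calls `cbc_enc`, so a 16-byte ciphertext is encrypted a second time instead of being decrypted; the line should read `ret = cbc_decr(key, ivec, data, num_data);`. `cbc_decr` is defined earlier in this patch and has no other caller in the visible hunks. A round-trip test that encrypts and then decrypts exactly one block would catch this. The function begins before this hunk, so the computation of `input_length` is not shown here.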
@@ -4,43 +4,34 @@ des.so des.po $(OUTPRE)des.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../krb/aead.h \ - $(srcdir)/../../krb/cksumtypes.h $(srcdir)/../../krb/rand2key/rand2key.h \ - $(srcdir)/../des/des_int.h $(top_srcdir)/include/k5-buf.h \ - $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ - $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ - $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ - $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/krb5.h \ - $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/locate_plugin.h \ - $(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \ - $(top_srcdir)/include/socket-utils.h des.c + $(srcdir)/../../krb/cksumtypes.h $(srcdir)/../../krb/etypes.h \ + $(srcdir)/../../krb/rand2key/rand2key.h $(srcdir)/../des/des_int.h \ + $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ + $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ + $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ + $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ + $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ + $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \ + $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ + des.c des3.so des3.po $(OUTPRE)des3.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../krb/aead.h \ - $(srcdir)/../../krb/cksumtypes.h $(srcdir)/../../krb/rand2key/rand2key.h \ - $(srcdir)/../des/des_int.h $(top_srcdir)/include/k5-buf.h \ - $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ - 
$(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ - $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ - $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/krb5.h \ - $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/locate_plugin.h \ - $(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \ - $(top_srcdir)/include/socket-utils.h des3.c + $(srcdir)/../../krb/cksumtypes.h $(srcdir)/../../krb/etypes.h \ + $(srcdir)/../../krb/rand2key/rand2key.h $(srcdir)/../des/des_int.h \ + $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ + $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ + $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ + $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ + $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ + $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \ + $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ + des3.c aes.so aes.po $(OUTPRE)aes.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../krb/aead.h \ - $(srcdir)/../../krb/cksumtypes.h $(srcdir)/../../krb/rand2key/rand2key.h \ - $(srcdir)/../hash_provider/hash_provider.h $(top_srcdir)/include/k5-buf.h \ - $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ - $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ - $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ - $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/krb5.h \ - $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/locate_plugin.h \ - $(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \ - $(top_srcdir)/include/socket-utils.h aes.c 
enc_provider.h -rc4.so rc4.po $(OUTPRE)rc4.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../krb/aead.h \ - $(srcdir)/../../krb/cksumtypes.h $(srcdir)/../../krb/rand2key/rand2key.h \ + $(srcdir)/../../krb/cksumtypes.h $(srcdir)/../../krb/etypes.h \ + $(srcdir)/../../krb/rand2key/rand2key.h $(srcdir)/../hash_provider/hash_provider.h \ $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ @@ -48,4 +39,16 @@ rc4.so rc4.po $(OUTPRE)rc4.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \ $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ - rc4.c + aes.c enc_provider.h +rc4.so rc4.po $(OUTPRE)rc4.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ + $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../krb/aead.h \ + $(srcdir)/../../krb/cksumtypes.h $(srcdir)/../../krb/etypes.h \ + $(srcdir)/../../krb/rand2key/rand2key.h $(top_srcdir)/include/k5-buf.h \ + $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ + $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ + $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ + $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/krb5.h \ + $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/locate_plugin.h \ + $(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \ + $(top_srcdir)/include/socket-utils.h rc4.c 
diff --git a/src/lib/crypto/openssl/enc_provider/des.c b/src/lib/crypto/openssl/enc_provider/des.c index 5881291c9..59030f8a4 100644 --- a/src/lib/crypto/openssl/enc_provider/des.c +++ b/src/lib/crypto/openssl/enc_provider/des.c @@ -61,24 +61,7 @@ static krb5_error_code validate(krb5_key key, const krb5_data *ivec, - const krb5_data *input, const krb5_data *output) -{ - /* key->keyblock.enctype was checked by the caller */ - if (key->keyblock.length != KRB5_MIT_DES_KEYSIZE) - return(KRB5_BAD_KEYSIZE); - if ((input->length%8) != 0) - return(KRB5_BAD_MSIZE); - if (ivec && (ivec->length != 8)) - return(KRB5_BAD_MSIZE); - if (input->length != output->length) - return(KRB5_BAD_MSIZE); - - return 0; -} - -static krb5_error_code -validate_iov(krb5_key key, const krb5_data *ivec, - const krb5_crypto_iov *data, size_t num_data) + const krb5_crypto_iov *data, size_t num_data) { size_t i, input_length; @@ -88,7 +71,7 @@ validate_iov(krb5_key key, const krb5_data *ivec, input_length += iov->data.length; } - if (key->keyblock.length != KRB5_MIT_DES3_KEYSIZE) + if (key->keyblock.length != KRB5_MIT_DES_KEYSIZE) return(KRB5_BAD_KEYSIZE); if ((input_length%DES_BLOCK_SIZE) != 0) return(KRB5_BAD_MSIZE); 
@@ -99,215 +82,79 @@ validate_iov(krb5_key key, const krb5_data *ivec, } static krb5_error_code -k5_des_encrypt(krb5_key key, const krb5_data *ivec, - const krb5_data *input, krb5_data *output) +k5_des_encrypt(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data, + size_t num_data) { - int ret = 0, tmp_len = 0; - unsigned int tmp_buf_len = 0; - unsigned char *tmp_buf = NULL; - EVP_CIPHER_CTX ciph_ctx; - - ret = validate(key, ivec, input, output); - if (ret) - return ret; - - tmp_buf_len = output->length*2; - tmp_buf=OPENSSL_malloc(tmp_buf_len); - if (!tmp_buf) - return ENOMEM; - memset(tmp_buf,0,output->length); - - EVP_CIPHER_CTX_init(&ciph_ctx); - - ret = EVP_EncryptInit_ex(&ciph_ctx, EVP_des_cbc(), NULL, key->keyblock.contents, - (ivec) ? (unsigned char*)ivec->data : NULL); - if (ret) { - EVP_CIPHER_CTX_set_padding(&ciph_ctx,0); - ret = EVP_EncryptUpdate(&ciph_ctx, tmp_buf, &tmp_len, - (unsigned char *)input->data, input->length); - if (!ret || output->length < (unsigned int)tmp_len) { - ret = KRB5_CRYPTO_INTERNAL; - } else { - output->length = tmp_len; - ret = EVP_EncryptFinal_ex(&ciph_ctx, tmp_buf + tmp_len, &tmp_len); - } - } - - EVP_CIPHER_CTX_cleanup(&ciph_ctx); - - if (ret == 1) - memcpy(output->data,tmp_buf, output->length); - - memset(tmp_buf, 0, tmp_buf_len); - OPENSSL_free(tmp_buf); - - if (ret != 1) - return KRB5_CRYPTO_INTERNAL; - return 0; -} - - -static krb5_error_code -k5_des_decrypt(krb5_key key, const krb5_data *ivec, - const krb5_data *input, krb5_data *output) -{ - /* key->keyblock.enctype was checked by the caller */ - int ret = 0, tmp_len = 0; - unsigned char *tmp_buf; - EVP_CIPHER_CTX ciph_ctx; - - ret = validate(key, ivec, input, output); - if (ret) - return ret; - - - tmp_buf=OPENSSL_malloc(output->length); - if (!tmp_buf) - return ENOMEM; - memset(tmp_buf,0,output->length); - - EVP_CIPHER_CTX_init(&ciph_ctx); - - ret = EVP_DecryptInit_ex(&ciph_ctx, EVP_des_cbc(), NULL, key->keyblock.contents, - (ivec) ? 
(unsigned char*)ivec->data : NULL); - if (ret) { - EVP_CIPHER_CTX_set_padding(&ciph_ctx,0); - ret = EVP_DecryptUpdate(&ciph_ctx, tmp_buf, &tmp_len, - (unsigned char *)input->data, input->length); - if (ret) { - output->length = tmp_len; - ret = EVP_DecryptFinal_ex(&ciph_ctx, tmp_buf+tmp_len, &tmp_len); - } - } - - EVP_CIPHER_CTX_cleanup(&ciph_ctx); - - if (ret == 1) - memcpy(output->data,tmp_buf, output->length); - - memset(tmp_buf,0,output->length); - OPENSSL_free(tmp_buf); - - if ( ret != 1) - return KRB5_CRYPTO_INTERNAL; - return 0; -} - -static krb5_error_code -k5_des_encrypt_iov(krb5_key key, - const krb5_data *ivec, - krb5_crypto_iov *data, - size_t num_data) -{ - int ret = 0, tmp_len = MIT_DES_BLOCK_LENGTH; - int oblock_len = MIT_DES_BLOCK_LENGTH * num_data; - unsigned char *iblock = NULL, *oblock = NULL; + int ret, olen = MIT_DES_BLOCK_LENGTH; + unsigned char iblock[MIT_DES_BLOCK_LENGTH], oblock[MIT_DES_BLOCK_LENGTH]; struct iov_block_state input_pos, output_pos; - EVP_CIPHER_CTX ciph_ctx; - - iblock = OPENSSL_malloc(MIT_DES_BLOCK_LENGTH); - if (!iblock) - return ENOMEM; - oblock = OPENSSL_malloc(oblock_len); - if (!oblock){ - OPENSSL_free(iblock); - return ENOMEM; - } + EVP_CIPHER_CTX ciph_ctx; IOV_BLOCK_STATE_INIT(&input_pos); IOV_BLOCK_STATE_INIT(&output_pos); - ret = validate_iov(key, ivec, data, num_data); + ret = validate(key, ivec, data, num_data); if (ret) return ret; - memset(oblock, 0, oblock_len); - EVP_CIPHER_CTX_init(&ciph_ctx); ret = EVP_EncryptInit_ex(&ciph_ctx, EVP_des_cbc(), NULL, key->keyblock.contents, (ivec && ivec->data) ? 
(unsigned char*)ivec->data : NULL); - if (!ret){ - EVP_CIPHER_CTX_cleanup(&ciph_ctx); - OPENSSL_free(iblock); - OPENSSL_free(oblock); + if (!ret) return KRB5_CRYPTO_INTERNAL; - } EVP_CIPHER_CTX_set_padding(&ciph_ctx,0); for (;;) { - if (!krb5int_c_iov_get_block(iblock, MIT_DES_BLOCK_LENGTH, data, num_data, &input_pos)) + if (!krb5int_c_iov_get_block(iblock, MIT_DES_BLOCK_LENGTH, data, + num_data, &input_pos)) break; - if (input_pos.iov_pos == num_data) + ret = EVP_EncryptUpdate(&ciph_ctx, oblock, &olen, + (unsigned char *)iblock, MIT_DES_BLOCK_LENGTH); + if (!ret) break; - ret = EVP_EncryptUpdate(&ciph_ctx, oblock, &tmp_len, - (unsigned char *)iblock, input_pos.data_pos); - if (!ret) break; - - krb5int_c_iov_put_block(data, num_data, oblock, MIT_DES_BLOCK_LENGTH, &output_pos); + krb5int_c_iov_put_block(data, num_data, oblock, MIT_DES_BLOCK_LENGTH, + &output_pos); } - if(ret) - ret = EVP_EncryptFinal_ex(&ciph_ctx, oblock+16, &tmp_len); - EVP_CIPHER_CTX_cleanup(&ciph_ctx); - memset(iblock,0,sizeof(iblock)); - memset(oblock,0,sizeof(oblock)); - OPENSSL_free(iblock); - OPENSSL_free(oblock); + zap(iblock, sizeof(iblock)); + zap(oblock, sizeof(oblock)); - if ( ret != 1) + if (ret != 1) return KRB5_CRYPTO_INTERNAL; return 0; } static krb5_error_code -k5_des_decrypt_iov(krb5_key key, - const krb5_data *ivec, - krb5_crypto_iov *data, - size_t num_data) +k5_des_decrypt(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data, + size_t num_data) { - int ret = 0; - int tmp_len = MIT_DES_BLOCK_LENGTH; - int oblock_len = MIT_DES_BLOCK_LENGTH*num_data; - unsigned char *iblock = NULL, *oblock = NULL; + int ret, olen = MIT_DES_BLOCK_LENGTH; + unsigned char iblock[MIT_DES_BLOCK_LENGTH], oblock[MIT_DES_BLOCK_LENGTH]; struct iov_block_state input_pos, output_pos; - EVP_CIPHER_CTX ciph_ctx; - - iblock = OPENSSL_malloc(MIT_DES_BLOCK_LENGTH); - if (!iblock) - return ENOMEM; - oblock = OPENSSL_malloc(oblock_len); - if (!oblock){ - OPENSSL_free(iblock); - return ENOMEM; - } + 
EVP_CIPHER_CTX ciph_ctx; IOV_BLOCK_STATE_INIT(&input_pos); IOV_BLOCK_STATE_INIT(&output_pos); - ret = validate_iov(key, ivec, data, num_data); + ret = validate(key, ivec, data, num_data); if (ret) return ret; - memset(oblock, 0, oblock_len); - EVP_CIPHER_CTX_init(&ciph_ctx); ret = EVP_DecryptInit_ex(&ciph_ctx, EVP_des_cbc(), NULL, - key->keyblock.contents, (ivec) ? (unsigned char*)ivec->data : NULL); - if (!ret){ - EVP_CIPHER_CTX_cleanup(&ciph_ctx); - OPENSSL_free(iblock); - OPENSSL_free(oblock); + key->keyblock.contents, + (ivec) ? (unsigned char*)ivec->data : NULL); + if (!ret) return KRB5_CRYPTO_INTERNAL; - } EVP_CIPHER_CTX_set_padding(&ciph_ctx,0); @@ -317,27 +164,18 @@ k5_des_decrypt_iov(krb5_key key, data, num_data, &input_pos)) break; - if (input_pos.iov_pos == num_data) - break; - - ret = EVP_DecryptUpdate(&ciph_ctx, oblock, &tmp_len, - (unsigned char *)iblock, - input_pos.data_pos); + ret = EVP_DecryptUpdate(&ciph_ctx, oblock, &olen, + iblock, MIT_DES_BLOCK_LENGTH); if (!ret) break; krb5int_c_iov_put_block(data, num_data, oblock, MIT_DES_BLOCK_LENGTH, &output_pos); } - if(ret) - ret = EVP_DecryptFinal_ex(&ciph_ctx, oblock+16, &tmp_len); - EVP_CIPHER_CTX_cleanup(&ciph_ctx); - memset(iblock,0,sizeof(iblock)); - memset(oblock,0,sizeof(oblock)); - OPENSSL_free(iblock); - OPENSSL_free(oblock); + zap(iblock, sizeof(iblock)); + zap(oblock, sizeof(oblock)); if (ret != 1) return KRB5_CRYPTO_INTERNAL; @@ -351,7 +189,5 @@ const struct krb5_enc_provider krb5int_enc_des = { k5_des_decrypt, krb5int_des_make_key, krb5int_des_init_state, - krb5int_default_free_state, - k5_des_encrypt_iov, - k5_des_decrypt_iov + krb5int_default_free_state }; diff --git a/src/lib/crypto/openssl/enc_provider/des3.c b/src/lib/crypto/openssl/enc_provider/des3.c index b299d3c29..832eff915 100644 --- a/src/lib/crypto/openssl/enc_provider/des3.c +++ b/src/lib/crypto/openssl/enc_provider/des3.c 
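Review bot: The new `if (!ret) return KRB5_CRYPTO_INTERNAL;` after EVP_EncryptInit_ex in k5_des_encrypt, and after EVP_DecryptInit_ex in k5_des_decrypt, returns without calling EVP_CIPHER_CTX_cleanup, which the removed lines did on this path. A context whose init failed part-way may still hold allocated cipher data or key schedule, so the error path should keep the cleanup: `if (!ret) { EVP_CIPHER_CTX_cleanup(&ciph_ctx); return KRB5_CRYPTO_INTERNAL; }`. The same early return is added in k5_des3_encrypt and k5_des3_decrypt in des3.c. Separately, k5_des_encrypt passes the IV only when `ivec && ivec->data`, while the new k5_des_decrypt line tests `ivec` alone; the two should use the same guard.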
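Review bot: `olen` is never checked after EVP_DecryptUpdate, yet krb5int_c_iov_put_block always copies MIT_DES_BLOCK_LENGTH bytes out of `oblock`, which is now an uninitialised stack array since the old `memset(oblock, 0, oblock_len)` was removed. With padding disabled a full block is expected on every call, so this is a defensive check rather than a known failure, but a short output would copy stale stack bytes into the caller's buffers. Suggest adding `if (ret && olen != MIT_DES_BLOCK_LENGTH) ret = 0;` just before the `if (!ret) break;` line; the encrypt loop in this file and both loops in des3.c have the same shape. The loop header and the start of k5_des_decrypt are outside this hunk.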
@@ -60,25 +60,7 @@ static krb5_error_code validate(krb5_key key, const krb5_data *ivec, - const krb5_data *input, const krb5_data *output) -{ - /* key->keyblock.enctype was checked by the caller */ - - if (key->keyblock.length != KRB5_MIT_DES3_KEYSIZE) - return(KRB5_BAD_KEYSIZE); - if ((input->length%DES_BLOCK_SIZE) != 0) - return(KRB5_BAD_MSIZE); - if (ivec && (ivec->length != 8)) - return(KRB5_BAD_MSIZE); - if (input->length != output->length) - return(KRB5_BAD_MSIZE); - - return 0; -} - -static krb5_error_code -validate_iov(krb5_key key, const krb5_data *ivec, - const krb5_crypto_iov *data, size_t num_data) + const krb5_crypto_iov *data, size_t num_data) { size_t i, input_length; 
@@ -99,144 +81,28 @@ validate_iov(krb5_key key, const krb5_data *ivec, } static krb5_error_code -k5_des3_encrypt(krb5_key key, const krb5_data *ivec, - const krb5_data *input, krb5_data *output) -{ - int ret = 0, tmp_len = 0; - unsigned int tmp_buf_len = 0; - unsigned char *tmp_buf = NULL; - EVP_CIPHER_CTX ciph_ctx; - - ret = validate(key, ivec, input, output); - if (ret) - return ret; - - tmp_buf_len = output->length * 2; - tmp_buf = OPENSSL_malloc(tmp_buf_len); - if (!tmp_buf) - return ENOMEM; - - EVP_CIPHER_CTX_init(&ciph_ctx); - - ret = EVP_EncryptInit_ex(&ciph_ctx, EVP_des_ede3_cbc(), NULL, key->keyblock.contents, - (ivec) ? (unsigned char*)ivec->data : NULL); - if (ret) { - EVP_CIPHER_CTX_set_padding(&ciph_ctx,0); - ret = EVP_EncryptUpdate(&ciph_ctx, tmp_buf, &tmp_len, - (unsigned char *)input->data, input->length); - if (!ret || output->length < (unsigned int)tmp_len) { - ret = KRB5_CRYPTO_INTERNAL; - } else { - output->length = tmp_len; - ret = EVP_EncryptFinal_ex(&ciph_ctx, tmp_buf+tmp_len, &tmp_len); - } - } - - EVP_CIPHER_CTX_cleanup(&ciph_ctx); - - if (ret == 1) - memcpy(output->data,tmp_buf, output->length); - - memset(tmp_buf, 0, tmp_buf_len); - OPENSSL_free(tmp_buf); - - if (ret != 1) - return KRB5_CRYPTO_INTERNAL; - - return 0; - -} - -static krb5_error_code -k5_des3_decrypt(krb5_key key, const krb5_data *ivec, - const krb5_data *input, krb5_data *output) -{ - int ret = 0, tmp_len = 0; - unsigned int tmp_buf_len = 0; - unsigned char *tmp_buf = NULL; - EVP_CIPHER_CTX ciph_ctx; - - ret = validate(key, ivec, input, output); - if (ret) - return ret; - - - tmp_buf_len = output->length; - tmp_buf=OPENSSL_malloc(tmp_buf_len); - if (!tmp_buf) - return ENOMEM; - - EVP_CIPHER_CTX_init(&ciph_ctx); - - ret = EVP_DecryptInit_ex(&ciph_ctx, EVP_des_ede3_cbc(), NULL, key->keyblock.contents, - (ivec) ? 
(unsigned char*)ivec->data: NULL); - if (ret) { - EVP_CIPHER_CTX_set_padding(&ciph_ctx,0); - ret = EVP_DecryptUpdate(&ciph_ctx, tmp_buf, &tmp_len, - (unsigned char *)input->data, input->length); - if (!ret || output->length < (unsigned int)tmp_len) { - ret = KRB5_CRYPTO_INTERNAL; - } else { - output->length = tmp_len; - ret = EVP_DecryptFinal_ex(&ciph_ctx, tmp_buf+tmp_len, &tmp_len); - } - } - - EVP_CIPHER_CTX_cleanup(&ciph_ctx); - - if (ret == 1) - memcpy(output->data,tmp_buf, output->length); - - memset(tmp_buf,0,tmp_buf_len); - OPENSSL_free(tmp_buf); - - if (ret != 1) - return KRB5_CRYPTO_INTERNAL; - return 0; - -} - -static krb5_error_code -k5_des3_encrypt_iov(krb5_key key, - const krb5_data *ivec, - krb5_crypto_iov *data, - size_t num_data) +k5_des3_encrypt(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data, + size_t num_data) { - int ret = 0; - int tmp_len = MIT_DES_BLOCK_LENGTH; - int oblock_len = MIT_DES_BLOCK_LENGTH*num_data; - unsigned char *iblock = NULL, *oblock = NULL; + int ret, olen = MIT_DES_BLOCK_LENGTH; + unsigned char iblock[MIT_DES_BLOCK_LENGTH], oblock[MIT_DES_BLOCK_LENGTH]; struct iov_block_state input_pos, output_pos; - EVP_CIPHER_CTX ciph_ctx; + EVP_CIPHER_CTX ciph_ctx; - ret = validate_iov(key, ivec, data, num_data); + ret = validate(key, ivec, data, num_data); if (ret) return ret; - iblock = OPENSSL_malloc(MIT_DES_BLOCK_LENGTH); - if (!iblock) - return ENOMEM; - oblock = OPENSSL_malloc(oblock_len); - if (!oblock){ - OPENSSL_free(iblock); - return ENOMEM; - } - IOV_BLOCK_STATE_INIT(&input_pos); IOV_BLOCK_STATE_INIT(&output_pos); - memset(oblock, 0, oblock_len); - EVP_CIPHER_CTX_init(&ciph_ctx); ret = EVP_EncryptInit_ex(&ciph_ctx, EVP_des_ede3_cbc(), NULL, - key->keyblock.contents, (ivec) ? (unsigned char*)ivec->data : NULL); - if (!ret){ - EVP_CIPHER_CTX_cleanup(&ciph_ctx); - OPENSSL_free(iblock); - OPENSSL_free(oblock); + key->keyblock.contents, + (ivec) ? 
(unsigned char*)ivec->data : NULL); + if (!ret) return KRB5_CRYPTO_INTERNAL; - } EVP_CIPHER_CTX_set_padding(&ciph_ctx,0); @@ -246,29 +112,22 @@ k5_des3_encrypt_iov(krb5_key key, data, num_data, &input_pos)) break; - if (input_pos.iov_pos == num_data) + ret = EVP_EncryptUpdate(&ciph_ctx, oblock, &olen, + (unsigned char *)iblock, MIT_DES_BLOCK_LENGTH); + if (!ret) break; - ret = EVP_EncryptUpdate(&ciph_ctx, oblock, &tmp_len, - (unsigned char *)iblock, input_pos.data_pos); - if (!ret) break; - krb5int_c_iov_put_block(data, num_data, oblock, MIT_DES_BLOCK_LENGTH, &output_pos); } - if(ret) { - /*if (ivec != NULL && ivec->data) - memcpy(ivec->data, oblock, MIT_DES_BLOCK_LENGTH); */ - ret = EVP_EncryptFinal_ex(&ciph_ctx, oblock+input_pos.data_pos, &tmp_len); - } + /*if (ivec != NULL && ivec->data) + memcpy(ivec->data, oblock, MIT_DES_BLOCK_LENGTH); */ EVP_CIPHER_CTX_cleanup(&ciph_ctx); - memset(iblock,0,sizeof(iblock)); - memset(oblock,0,sizeof(oblock)); - OPENSSL_free(iblock); - OPENSSL_free(oblock); + zap(iblock, sizeof(iblock)); + zap(oblock, sizeof(oblock)); if (ret != 1) return KRB5_CRYPTO_INTERNAL; 
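Review bot: The commented-out `memcpy(ivec->data, oblock, MIT_DES_BLOCK_LENGTH);` is kept in k5_des3_encrypt after the EVP_EncryptFinal_ex call around it was dropped, with nothing saying whether this provider is meant to hand the CBC chaining value back. `ivec` is declared `const krb5_data *`, so it is unclear from the hunk whether callers rely on it being updated; either delete the dead code or replace it with a comment such as `/* ivec is not updated here; TODO confirm no caller depends on chained cipher state */`. The same commented-out block is kept in k5_des3_decrypt (hunk at -325,30), where copying `oblock` would be the plaintext rather than the last ciphertext block, so it should not be re-enabled as written. The top of the function lies outside this hunk.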
@@ -276,46 +135,28 @@ k5_des3_encrypt_iov(krb5_key key, } static krb5_error_code -k5_des3_decrypt_iov(krb5_key key, - const krb5_data *ivec, - krb5_crypto_iov *data, - size_t num_data) +k5_des3_decrypt(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data, + size_t num_data) { - int ret = 0; - int tmp_len = MIT_DES_BLOCK_LENGTH; - int oblock_len = MIT_DES_BLOCK_LENGTH * num_data; - unsigned char *iblock = NULL, *oblock = NULL; + int ret, olen = MIT_DES_BLOCK_LENGTH; + unsigned char iblock[MIT_DES_BLOCK_LENGTH], oblock[MIT_DES_BLOCK_LENGTH]; struct iov_block_state input_pos, output_pos; - EVP_CIPHER_CTX ciph_ctx; + EVP_CIPHER_CTX ciph_ctx; - ret = validate_iov(key, ivec, data, num_data); + ret = validate(key, ivec, data, num_data); if (ret) return ret; - iblock = OPENSSL_malloc(MIT_DES_BLOCK_LENGTH); - if (!iblock) - return ENOMEM; - oblock = OPENSSL_malloc(oblock_len); - if (!oblock){ - OPENSSL_free(iblock); - return ENOMEM; - } - IOV_BLOCK_STATE_INIT(&input_pos); IOV_BLOCK_STATE_INIT(&output_pos); - memset(oblock, 0, oblock_len); - EVP_CIPHER_CTX_init(&ciph_ctx); ret = EVP_DecryptInit_ex(&ciph_ctx, EVP_des_ede3_cbc(), NULL, - key->keyblock.contents, (ivec) ? (unsigned char*)ivec->data : NULL); - if (!ret){ - EVP_CIPHER_CTX_cleanup(&ciph_ctx); - OPENSSL_free(iblock); - OPENSSL_free(oblock); + key->keyblock.contents, + (ivec) ? (unsigned char*)ivec->data : NULL); + if (!ret) return KRB5_CRYPTO_INTERNAL; - } EVP_CIPHER_CTX_set_padding(&ciph_ctx,0); 
@@ -325,30 +166,22 @@ k5_des3_decrypt_iov(krb5_key key, data, num_data, &input_pos)) break; - if (input_pos.iov_pos == num_data) + ret = EVP_DecryptUpdate(&ciph_ctx, oblock, &olen, + (unsigned char *)iblock, MIT_DES_BLOCK_LENGTH); + if (!ret) break; - ret = EVP_DecryptUpdate(&ciph_ctx, oblock, &tmp_len, - (unsigned char *)iblock, input_pos.data_pos); - if (!ret) break; - - krb5int_c_iov_put_block(data, num_data, - oblock, MIT_DES_BLOCK_LENGTH, &output_pos); + krb5int_c_iov_put_block(data, num_data, oblock, MIT_DES_BLOCK_LENGTH, + &output_pos); } - if(ret) { - /*if (ivec != NULL && ivec->data) - memcpy(ivec->data, oblock, MIT_DES_BLOCK_LENGTH); */ - ret = EVP_DecryptFinal_ex(&ciph_ctx, - oblock + input_pos.data_pos, &tmp_len); - } + /*if (ivec != NULL && ivec->data) + memcpy(ivec->data, oblock, MIT_DES_BLOCK_LENGTH); */ EVP_CIPHER_CTX_cleanup(&ciph_ctx); - memset(iblock,0,sizeof(iblock)); - memset(oblock,0,sizeof(oblock)); - OPENSSL_free(iblock); - OPENSSL_free(oblock); + zap(iblock, sizeof(iblock)); + zap(oblock, sizeof(oblock)); if (ret != 1) return KRB5_CRYPTO_INTERNAL; @@ -362,7 +195,5 @@ const struct krb5_enc_provider krb5int_enc_des3 = { k5_des3_decrypt, krb5int_des3_make_key, krb5int_des_init_state, - krb5int_default_free_state, - k5_des3_encrypt_iov, - k5_des3_decrypt_iov + krb5int_default_free_state }; diff --git a/src/lib/crypto/openssl/enc_provider/rc4.c b/src/lib/crypto/openssl/enc_provider/rc4.c index edfbb3218..51cd350f8 100644 --- a/src/lib/crypto/openssl/enc_provider/rc4.c +++ b/src/lib/crypto/openssl/enc_provider/rc4.c @@ -61,9 +61,6 @@ typedef struct { /* prototypes */ static krb5_error_code -k5_arcfour_docrypt(krb5_key, const krb5_data *, - const krb5_data *, krb5_data *); -static krb5_error_code k5_arcfour_free_state ( krb5_data *state); static krb5_error_code k5_arcfour_init_state (const krb5_keyblock *key, 
@@ -73,51 +70,10 @@ k5_arcfour_init_state (const krb5_keyblock *key, * this impliments the cipher */ -/* In-place rc4 crypto */ -static krb5_error_code -k5_arcfour_docrypt(krb5_key key, const krb5_data *state, - const krb5_data *input, krb5_data *output) -{ - int ret = 0, tmp_len = 0; - unsigned char *tmp_buf = NULL; - EVP_CIPHER_CTX ciph_ctx; - - if (key->keyblock.length != RC4_KEY_SIZE) - return(KRB5_BAD_KEYSIZE); - - if (input->length != output->length) - return(KRB5_BAD_MSIZE); - - EVP_CIPHER_CTX_init(&ciph_ctx); - - ret = EVP_EncryptInit_ex(&ciph_ctx, EVP_rc4(), NULL, key->keyblock.contents, NULL); - if (ret) { - tmp_buf=(unsigned char *)output->data; - ret = EVP_EncryptUpdate(&ciph_ctx, tmp_buf, &tmp_len, - (unsigned char *)input->data, input->length); - output->length = tmp_len; - } - if (ret) { - tmp_buf += tmp_len; - ret = EVP_EncryptFinal_ex(&ciph_ctx, tmp_buf, &tmp_len); - } - - EVP_CIPHER_CTX_cleanup(&ciph_ctx); - - if (ret != 1) - return KRB5_CRYPTO_INTERNAL; - - output->length += tmp_len; - - return 0; -} - /* In-place IOV crypto */ static krb5_error_code -k5_arcfour_docrypt_iov(krb5_key key, - const krb5_data *state, - krb5_crypto_iov *data, - size_t num_data) +k5_arcfour_docrypt(krb5_key key,const krb5_data *state, krb5_crypto_iov *data, + size_t num_data) { size_t i; int ret = 0, tmp_len = 0; @@ -191,7 +147,5 @@ const struct krb5_enc_provider krb5int_enc_arcfour = { k5_arcfour_docrypt, krb5int_arcfour_make_key, k5_arcfour_init_state, /*xxx not implemented */ - k5_arcfour_free_state, /*xxx not implemented */ - k5_arcfour_docrypt_iov, - k5_arcfour_docrypt_iov + k5_arcfour_free_state /*xxx not implemented */ }; diff --git a/src/lib/crypto/openssl/sha1/Makefile.in b/src/lib/crypto/openssl/sha1/Makefile.in index 4cef43a15..0ec25872e 100644 --- a/src/lib/crypto/openssl/sha1/Makefile.in +++ b/src/lib/crypto/openssl/sha1/Makefile.in 
@@ -22,25 +22,8 @@ all-unix:: all-libobjs includes:: depend depend:: $(SRCS) -t_shs: t_shs.o shs.o $(SUPPORT_DEPLIB) - $(CC_LINK) -o t_shs t_shs.o shs.o $(SUPPORT_LIB) - -$(OUTPRE)t_shs.exe: $(OUTPRE)t_shs.obj $(OUTPRE)shs.obj - link -out:$@ $** - -t_shs3: t_shs3.o shs.o $(SUPPORT_DEPLIB) - $(CC_LINK) -o t_shs3 t_shs3.o shs.o $(SUPPORT_LIB) - -check-unix:: t_shs t_shs3 - $(RUN_SETUP) $(VALGRIND) $(C)t_shs -x - $(RUN_SETUP) $(VALGRIND) $(C)t_shs3 - -check-windows:: $(OUTPRE)t_shs.exe $(OUTPRE)t_shs3.exe - $(OUTPRE)$(C)t_shs.exe -x - $(OUTPRE)$(C)t_shs3.exe clean:: - $(RM) t_shs$(EXEEXT) t_shs.$(OBJEXT) t_shs3$(EXEEXT) t_shs3.$(OBJEXT) clean-unix:: clean-libobjs |
