diff options
| author | John Baldwin <jhb@FreeBSD.org> | 2018-10-05 16:35:24 +0000 |
|---|---|---|
| committer | John Baldwin <jhb@FreeBSD.org> | 2018-10-05 16:35:24 +0000 |
| commit | e4456411a8c2d4a9bfbccd60f2cf914fd402f817 (patch) | |
| tree | dce7f78e67f8c8ebba326fc90c0cb96e54ffe9ce /crypto/heimdal/lib/gssapi/krb5/unwrap.c | |
| parent | 4b6d416b3218ec9278480ac18e457fe7b1f5db20 (diff) | |
| download | src-test2-e4456411a8c2d4a9bfbccd60f2cf914fd402f817.tar.gz src-test2-e4456411a8c2d4a9bfbccd60f2cf914fd402f817.zip | |
Update the existing heimdal implementation for OpenSSL 1.1.
Existing work is underway to import a newer version of heimdal, but
this patchset gets us to a fully working tree to enable more wide
spread testing of OpenSSL 1.1 for now.
I've also enabled WARNS=1 for kerberos (which is the reason for the
change in libroken). Having -Werror enabled was useful during the
1.1 updates and we probably should have warnings enabled by default
for kerberos anyway.
This passes make tinderbox, and I have also done some very light
runtime testing on amd64.
Reviewed by: bjk, jkim, emaste
Differential Revision: https://reviews.freebsd.org/D17276
Notes
Notes:
svn path=/projects/openssl111/; revision=339198
Diffstat (limited to 'crypto/heimdal/lib/gssapi/krb5/unwrap.c')
| -rw-r--r-- | crypto/heimdal/lib/gssapi/krb5/unwrap.c | 37 |
1 files changed, 26 insertions, 11 deletions
diff --git a/crypto/heimdal/lib/gssapi/krb5/unwrap.c b/crypto/heimdal/lib/gssapi/krb5/unwrap.c index d6bc20477787..5a003815a0f3 100644 --- a/crypto/heimdal/lib/gssapi/krb5/unwrap.c +++ b/crypto/heimdal/lib/gssapi/krb5/unwrap.c @@ -50,7 +50,7 @@ unwrap_des size_t len; EVP_MD_CTX *md5; u_char hash[16]; - EVP_CIPHER_CTX des_ctx; + EVP_CIPHER_CTX *des_ctx; DES_key_schedule schedule; DES_cblock deskey; DES_cblock zero; @@ -104,12 +104,17 @@ unwrap_des deskey[i] ^= 0xf0; - EVP_CIPHER_CTX_init(&des_ctx); - EVP_CipherInit_ex(&des_ctx, EVP_des_cbc(), NULL, deskey, zero, 0); - EVP_Cipher(&des_ctx, p, p, input_message_buffer->length - len); - EVP_CIPHER_CTX_cleanup(&des_ctx); + des_ctx = EVP_CIPHER_CTX_new(); + if (des_ctx == NULL) { + memset (deskey, 0, sizeof(deskey)); + *minor_status = ENOMEM; + return GSS_S_FAILURE; + } + EVP_CipherInit_ex(des_ctx, EVP_des_cbc(), NULL, deskey, zero, 0); + EVP_Cipher(des_ctx, p, p, input_message_buffer->length - len); + EVP_CIPHER_CTX_free(des_ctx); - memset (&schedule, 0, sizeof(schedule)); + memset (deskey, 0, sizeof(deskey)); } if (IS_DCE_STYLE(context_handle)) { @@ -135,19 +140,29 @@ unwrap_des DES_set_key_unchecked (&deskey, &schedule); DES_cbc_cksum ((void *)hash, (void *)hash, sizeof(hash), &schedule, &zero); - if (ct_memcmp (p - 8, hash, 8) != 0) + if (ct_memcmp (p - 8, hash, 8) != 0) { + memset (deskey, 0, sizeof(deskey)); + memset (&schedule, 0, sizeof(schedule)); return GSS_S_BAD_MIC; + } /* verify sequence number */ + des_ctx = EVP_CIPHER_CTX_new(); + if (des_ctx == NULL) { + memset (deskey, 0, sizeof(deskey)); + memset (&schedule, 0, sizeof(schedule)); + *minor_status = ENOMEM; + return GSS_S_FAILURE; + } + HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); p -= 16; - EVP_CIPHER_CTX_init(&des_ctx); - EVP_CipherInit_ex(&des_ctx, EVP_des_cbc(), NULL, key->keyvalue.data, hash, 0); - EVP_Cipher(&des_ctx, p, p, 8); - EVP_CIPHER_CTX_cleanup(&des_ctx); + EVP_CipherInit_ex(des_ctx, EVP_des_cbc(), NULL, key->keyvalue.data, hash, 0); + EVP_Cipher(des_ctx, p, p, 8); + EVP_CIPHER_CTX_free(des_ctx); memset (deskey, 0, sizeof(deskey)); memset (&schedule, 0, sizeof(schedule)); |