svn commit: r339198 - in projects/openssl111: crypto/heimdal/kdc crypto/heimdal/lib/gssapi/krb5 crypto/heimdal/lib/gssapi/ntlm crypto/heimdal/lib/hx509 crypto/heimdal/lib/krb5 crypto/heimdal/lib/nt...
John Baldwin
jhb at FreeBSD.org
Fri Oct 5 16:35:28 UTC 2018
Author: jhb
Date: Fri Oct 5 16:35:24 2018
New Revision: 339198
URL: https://svnweb.freebsd.org/changeset/base/339198
Log:
Update the existing heimdal implementation for OpenSSL 1.1.
Existing work is underway to import a newer version of heimdal, but
this patchset gets us to a fully working tree to enable more wide
spread testing of OpenSSL 1.1 for now.
I've also enabled WARNS=1 for kerberos (which is the reason for the
change in libroken). Having -Werror enabled was useful during the
1.1 updates and we probably should have warnings enabled by default
for kerberos anyway.
This passes make tinderbox, and I have also done some very light
runtime testing on amd64.
Reviewed by: bjk, jkim, emaste
Differential Revision: https://reviews.freebsd.org/D17276
Modified:
projects/openssl111/crypto/heimdal/kdc/digest.c
projects/openssl111/crypto/heimdal/kdc/kx509.c
projects/openssl111/crypto/heimdal/kdc/pkinit.c
projects/openssl111/crypto/heimdal/lib/gssapi/krb5/arcfour.c
projects/openssl111/crypto/heimdal/lib/gssapi/krb5/get_mic.c
projects/openssl111/crypto/heimdal/lib/gssapi/krb5/unwrap.c
projects/openssl111/crypto/heimdal/lib/gssapi/krb5/verify_mic.c
projects/openssl111/crypto/heimdal/lib/gssapi/krb5/wrap.c
projects/openssl111/crypto/heimdal/lib/gssapi/ntlm/crypto.c
projects/openssl111/crypto/heimdal/lib/hx509/crypto.c
projects/openssl111/crypto/heimdal/lib/hx509/hxtool.c
projects/openssl111/crypto/heimdal/lib/hx509/ks_file.c
projects/openssl111/crypto/heimdal/lib/hx509/ks_p11.c
projects/openssl111/crypto/heimdal/lib/krb5/crypto-aes.c
projects/openssl111/crypto/heimdal/lib/krb5/crypto-arcfour.c
projects/openssl111/crypto/heimdal/lib/krb5/crypto-des-common.c
projects/openssl111/crypto/heimdal/lib/krb5/crypto-des.c
projects/openssl111/crypto/heimdal/lib/krb5/crypto-evp.c
projects/openssl111/crypto/heimdal/lib/krb5/crypto-rand.c
projects/openssl111/crypto/heimdal/lib/krb5/crypto.h
projects/openssl111/crypto/heimdal/lib/krb5/pkinit.c
projects/openssl111/crypto/heimdal/lib/ntlm/heimntlm-protos.h
projects/openssl111/crypto/heimdal/lib/ntlm/ntlm.c
projects/openssl111/crypto/heimdal/lib/roken/snprintf.c
projects/openssl111/kerberos5/Makefile.inc
projects/openssl111/kerberos5/include/crypto-headers.h
Modified: projects/openssl111/crypto/heimdal/kdc/digest.c
==============================================================================
--- projects/openssl111/crypto/heimdal/kdc/digest.c Fri Oct 5 16:05:59 2018 (r339197)
+++ projects/openssl111/crypto/heimdal/kdc/digest.c Fri Oct 5 16:35:24 2018 (r339198)
@@ -375,8 +375,8 @@ _kdc_do_digest(krb5_context context,
case choice_DigestReqInner_init: {
unsigned char server_nonce[16], identifier;
- RAND_pseudo_bytes(&identifier, sizeof(identifier));
- RAND_pseudo_bytes(server_nonce, sizeof(server_nonce));
+ RAND_bytes(&identifier, sizeof(identifier));
+ RAND_bytes(server_nonce, sizeof(server_nonce));
server_nonce[0] = kdc_time & 0xff;
server_nonce[1] = (kdc_time >> 8) & 0xff;
@@ -1333,7 +1333,7 @@ _kdc_do_digest(krb5_context context,
if (ireq.u.ntlmRequest.sessionkey) {
unsigned char masterkey[MD4_DIGEST_LENGTH];
- EVP_CIPHER_CTX rc4;
+ EVP_CIPHER_CTX *rc4;
size_t len;
if ((flags & NTLM_NEG_KEYEX) == 0) {
@@ -1354,12 +1354,18 @@ _kdc_do_digest(krb5_context context,
}
- EVP_CIPHER_CTX_init(&rc4);
- EVP_CipherInit_ex(&rc4, EVP_rc4(), NULL, sessionkey, NULL, 1);
- EVP_Cipher(&rc4,
+ rc4 = EVP_CIPHER_CTX_new();
+ if (rc4 == NULL) {
+ ret = ENOMEM;
+ krb5_set_error_message(context, ret,
+ "NTLM failed to malloc cipher context");
+ goto failed;
+ }
+ EVP_CipherInit_ex(rc4, EVP_rc4(), NULL, sessionkey, NULL, 1);
+ EVP_Cipher(rc4,
masterkey, ireq.u.ntlmRequest.sessionkey->data,
sizeof(masterkey));
- EVP_CIPHER_CTX_cleanup(&rc4);
+ EVP_CIPHER_CTX_free(rc4);
r.u.ntlmResponse.sessionkey =
malloc(sizeof(*r.u.ntlmResponse.sessionkey));
Modified: projects/openssl111/crypto/heimdal/kdc/kx509.c
==============================================================================
--- projects/openssl111/crypto/heimdal/kdc/kx509.c Fri Oct 5 16:05:59 2018 (r339197)
+++ projects/openssl111/crypto/heimdal/kdc/kx509.c Fri Oct 5 16:35:24 2018 (r339198)
@@ -64,7 +64,7 @@ verify_req_hash(krb5_context context,
krb5_keyblock *key)
{
unsigned char digest[SHA_DIGEST_LENGTH];
- HMAC_CTX ctx;
+ HMAC_CTX *ctx;
if (req->pk_hash.length != sizeof(digest)) {
krb5_set_error_message(context, KRB5KDC_ERR_PREAUTH_FAILED,
@@ -73,16 +73,21 @@ verify_req_hash(krb5_context context,
return KRB5KDC_ERR_PREAUTH_FAILED;
}
- HMAC_CTX_init(&ctx);
- HMAC_Init_ex(&ctx,
+ ctx = HMAC_CTX_new();
+ if (ctx == NULL) {
+ krb5_set_error_message(context, ENOMEM,
+ "HMAC context malloc failed");
+ return ENOMEM;
+ }
+ HMAC_Init_ex(ctx,
key->keyvalue.data, key->keyvalue.length,
EVP_sha1(), NULL);
- if (sizeof(digest) != HMAC_size(&ctx))
+ if (sizeof(digest) != HMAC_size(ctx))
krb5_abortx(context, "runtime error, hmac buffer wrong size in kx509");
- HMAC_Update(&ctx, version_2_0, sizeof(version_2_0));
- HMAC_Update(&ctx, req->pk_key.data, req->pk_key.length);
- HMAC_Final(&ctx, digest, 0);
- HMAC_CTX_cleanup(&ctx);
+ HMAC_Update(ctx, version_2_0, sizeof(version_2_0));
+ HMAC_Update(ctx, req->pk_key.data, req->pk_key.length);
+ HMAC_Final(ctx, digest, 0);
+ HMAC_CTX_free(ctx);
if (memcmp(req->pk_hash.data, digest, sizeof(digest)) != 0) {
krb5_set_error_message(context, KRB5KDC_ERR_PREAUTH_FAILED,
@@ -98,35 +103,40 @@ calculate_reply_hash(krb5_context context,
Kx509Response *rep)
{
krb5_error_code ret;
- HMAC_CTX ctx;
+ HMAC_CTX *ctx;
- HMAC_CTX_init(&ctx);
+ ctx = HMAC_CTX_new();
+ if (ctx == NULL) {
+ krb5_set_error_message(context, ENOMEM,
+ "HMAC context malloc failed");
+ return ENOMEM;
+ }
- HMAC_Init_ex(&ctx, key->keyvalue.data, key->keyvalue.length,
+ HMAC_Init_ex(ctx, key->keyvalue.data, key->keyvalue.length,
EVP_sha1(), NULL);
- ret = krb5_data_alloc(rep->hash, HMAC_size(&ctx));
+ ret = krb5_data_alloc(rep->hash, HMAC_size(ctx));
if (ret) {
- HMAC_CTX_cleanup(&ctx);
+ HMAC_CTX_free(ctx);
krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
return ENOMEM;
}
- HMAC_Update(&ctx, version_2_0, sizeof(version_2_0));
+ HMAC_Update(ctx, version_2_0, sizeof(version_2_0));
if (rep->error_code) {
int32_t t = *rep->error_code;
do {
unsigned char p = (t & 0xff);
- HMAC_Update(&ctx, &p, 1);
+ HMAC_Update(ctx, &p, 1);
t >>= 8;
} while (t);
}
if (rep->certificate)
- HMAC_Update(&ctx, rep->certificate->data, rep->certificate->length);
+ HMAC_Update(ctx, rep->certificate->data, rep->certificate->length);
if (rep->e_text)
- HMAC_Update(&ctx, (unsigned char *)*rep->e_text, strlen(*rep->e_text));
+ HMAC_Update(ctx, (unsigned char *)*rep->e_text, strlen(*rep->e_text));
- HMAC_Final(&ctx, rep->hash->data, 0);
- HMAC_CTX_cleanup(&ctx);
+ HMAC_Final(ctx, rep->hash->data, 0);
+ HMAC_CTX_free(ctx);
return 0;
}
Modified: projects/openssl111/crypto/heimdal/kdc/pkinit.c
==============================================================================
--- projects/openssl111/crypto/heimdal/kdc/pkinit.c Fri Oct 5 16:05:59 2018 (r339197)
+++ projects/openssl111/crypto/heimdal/kdc/pkinit.c Fri Oct 5 16:35:24 2018 (r339198)
@@ -331,6 +331,7 @@ get_dh_param(krb5_context context,
{
DomainParameters dhparam;
DH *dh = NULL;
+ BIGNUM *p, *q, *g;
krb5_error_code ret;
memset(&dhparam, 0, sizeof(dhparam));
@@ -375,15 +376,21 @@ get_dh_param(krb5_context context,
goto out;
}
ret = KRB5_BADMSGTYPE;
- dh->p = integer_to_BN(context, "DH prime", &dhparam.p);
- if (dh->p == NULL)
+ p = integer_to_BN(context, "DH prime", &dhparam.p);
+ g = integer_to_BN(context, "DH base", &dhparam.g);
+ q = integer_to_BN(context, "DH p-1 factor", &dhparam.q);
+ if (p == NULL || g == NULL || q == NULL) {
+ BN_free(p);
+ BN_free(g);
+ BN_free(q);
goto out;
- dh->g = integer_to_BN(context, "DH base", &dhparam.g);
- if (dh->g == NULL)
+ }
+ if (DH_set0_pqg(dh, p, g, q) != 1) {
+ BN_free(p);
+ BN_free(g);
+ BN_free(q);
goto out;
- dh->q = integer_to_BN(context, "DH p-1 factor", &dhparam.q);
- if (dh->g == NULL)
- goto out;
+ }
{
heim_integer glue;
@@ -895,7 +902,7 @@ out:
*/
static krb5_error_code
-BN_to_integer(krb5_context context, BIGNUM *bn, heim_integer *integer)
+BN_to_integer(krb5_context context, const BIGNUM *bn, heim_integer *integer)
{
integer->length = BN_num_bytes(bn);
integer->data = malloc(integer->length);
@@ -1112,9 +1119,11 @@ pk_mk_pa_reply_dh(krb5_context context,
if (cp->keyex == USE_DH) {
DH *kdc_dh = cp->u.dh.key;
+ const BIGNUM *pub_key;
heim_integer i;
- ret = BN_to_integer(context, kdc_dh->pub_key, &i);
+ DH_get0_key(kdc_dh, &pub_key, NULL);
+ ret = BN_to_integer(context, pub_key, &i);
if (ret)
return ret;
Modified: projects/openssl111/crypto/heimdal/lib/gssapi/krb5/arcfour.c
==============================================================================
--- projects/openssl111/crypto/heimdal/lib/gssapi/krb5/arcfour.c Fri Oct 5 16:05:59 2018 (r339197)
+++ projects/openssl111/crypto/heimdal/lib/gssapi/krb5/arcfour.c Fri Oct 5 16:35:24 2018 (r339198)
@@ -173,7 +173,7 @@ _gssapi_get_mic_arcfour(OM_uint32 * minor_status,
int32_t seq_number;
size_t len, total_len;
u_char k6_data[16], *p0, *p;
- EVP_CIPHER_CTX rc4_key;
+ EVP_CIPHER_CTX *rc4_key;
_gsskrb5_encap_length (22, &len, &total_len, GSS_KRB5_MECHANISM);
@@ -235,11 +235,17 @@ _gssapi_get_mic_arcfour(OM_uint32 * minor_status,
memset (p + 4, (context_handle->more_flags & LOCAL) ? 0 : 0xff, 4);
- EVP_CIPHER_CTX_init(&rc4_key);
- EVP_CipherInit_ex(&rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1);
- EVP_Cipher(&rc4_key, p, p, 8);
- EVP_CIPHER_CTX_cleanup(&rc4_key);
+ rc4_key = EVP_CIPHER_CTX_new();
+ if (rc4_key == NULL) {
+ _gsskrb5_release_buffer(minor_status, message_token);
+ *minor_status = ENOMEM;
+ return GSS_S_FAILURE;
+ }
+ EVP_CipherInit_ex(rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1);
+ EVP_Cipher(rc4_key, p, p, 8);
+ EVP_CIPHER_CTX_free(rc4_key);
+
memset(k6_data, 0, sizeof(k6_data));
*minor_status = 0;
@@ -308,12 +314,16 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status,
}
{
- EVP_CIPHER_CTX rc4_key;
+ EVP_CIPHER_CTX *rc4_key;
- EVP_CIPHER_CTX_init(&rc4_key);
- EVP_CipherInit_ex(&rc4_key, EVP_rc4(), NULL, (void *)k6_data, NULL, 0);
- EVP_Cipher(&rc4_key, SND_SEQ, p, 8);
- EVP_CIPHER_CTX_cleanup(&rc4_key);
+ rc4_key = EVP_CIPHER_CTX_new();
+ if (rc4_key == NULL) {
+ *minor_status = ENOMEM;
+ return GSS_S_FAILURE;
+ }
+ EVP_CipherInit_ex(rc4_key, EVP_rc4(), NULL, (void *)k6_data, NULL, 0);
+ EVP_Cipher(rc4_key, SND_SEQ, p, 8);
+ EVP_CIPHER_CTX_free(rc4_key);
memset(k6_data, 0, sizeof(k6_data));
}
@@ -461,12 +471,17 @@ _gssapi_wrap_arcfour(OM_uint32 * minor_status,
if(conf_req_flag) {
- EVP_CIPHER_CTX rc4_key;
+ EVP_CIPHER_CTX *rc4_key;
- EVP_CIPHER_CTX_init(&rc4_key);
- EVP_CipherInit_ex(&rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1);
- EVP_Cipher(&rc4_key, p0 + 24, p0 + 24, 8 + datalen);
- EVP_CIPHER_CTX_cleanup(&rc4_key);
+ rc4_key = EVP_CIPHER_CTX_new();
+ if (rc4_key == NULL) {
+ _gsskrb5_release_buffer(minor_status, output_message_buffer);
+ *minor_status = ENOMEM;
+ return GSS_S_FAILURE;
+ }
+ EVP_CipherInit_ex(rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1);
+ EVP_Cipher(rc4_key, p0 + 24, p0 + 24, 8 + datalen);
+ EVP_CIPHER_CTX_free(rc4_key);
}
memset(k6_data, 0, sizeof(k6_data));
@@ -480,12 +495,17 @@ _gssapi_wrap_arcfour(OM_uint32 * minor_status,
}
{
- EVP_CIPHER_CTX rc4_key;
+ EVP_CIPHER_CTX *rc4_key;
- EVP_CIPHER_CTX_init(&rc4_key);
- EVP_CipherInit_ex(&rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1);
- EVP_Cipher(&rc4_key, p0 + 8, p0 + 8 /* SND_SEQ */, 8);
- EVP_CIPHER_CTX_cleanup(&rc4_key);
+ rc4_key = EVP_CIPHER_CTX_new();
+ if (rc4_key == NULL) {
+ _gsskrb5_release_buffer(minor_status, output_message_buffer);
+ *minor_status = ENOMEM;
+ return GSS_S_FAILURE;
+ }
+ EVP_CipherInit_ex(rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1);
+ EVP_Cipher(rc4_key, p0 + 8, p0 + 8 /* SND_SEQ */, 8);
+ EVP_CIPHER_CTX_free(rc4_key);
memset(k6_data, 0, sizeof(k6_data));
}
@@ -580,12 +600,16 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_stat
}
{
- EVP_CIPHER_CTX rc4_key;
+ EVP_CIPHER_CTX *rc4_key;
- EVP_CIPHER_CTX_init(&rc4_key);
- EVP_CipherInit_ex(&rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1);
- EVP_Cipher(&rc4_key, SND_SEQ, p0 + 8, 8);
- EVP_CIPHER_CTX_cleanup(&rc4_key);
+ rc4_key = EVP_CIPHER_CTX_new();
+ if (rc4_key == NULL) {
+ *minor_status = ENOMEM;
+ return GSS_S_FAILURE;
+ }
+ EVP_CipherInit_ex(rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1);
+ EVP_Cipher(rc4_key, SND_SEQ, p0 + 8, 8);
+ EVP_CIPHER_CTX_free(rc4_key);
memset(k6_data, 0, sizeof(k6_data));
}
@@ -628,13 +652,18 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_stat
output_message_buffer->length = datalen;
if(conf_flag) {
- EVP_CIPHER_CTX rc4_key;
+ EVP_CIPHER_CTX *rc4_key;
- EVP_CIPHER_CTX_init(&rc4_key);
- EVP_CipherInit_ex(&rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1);
- EVP_Cipher(&rc4_key, Confounder, p0 + 24, 8);
- EVP_Cipher(&rc4_key, output_message_buffer->value, p0 + GSS_ARCFOUR_WRAP_TOKEN_SIZE, datalen);
- EVP_CIPHER_CTX_cleanup(&rc4_key);
+ rc4_key = EVP_CIPHER_CTX_new();
+ if (rc4_key == NULL) {
+ _gsskrb5_release_buffer(minor_status, output_message_buffer);
+ *minor_status = ENOMEM;
+ return GSS_S_FAILURE;
+ }
+ EVP_CipherInit_ex(rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1);
+ EVP_Cipher(rc4_key, Confounder, p0 + 24, 8);
+ EVP_Cipher(rc4_key, output_message_buffer->value, p0 + GSS_ARCFOUR_WRAP_TOKEN_SIZE, datalen);
+ EVP_CIPHER_CTX_free(rc4_key);
} else {
memcpy(Confounder, p0 + 24, 8); /* Confounder */
memcpy(output_message_buffer->value,
Modified: projects/openssl111/crypto/heimdal/lib/gssapi/krb5/get_mic.c
==============================================================================
--- projects/openssl111/crypto/heimdal/lib/gssapi/krb5/get_mic.c Fri Oct 5 16:05:59 2018 (r339197)
+++ projects/openssl111/crypto/heimdal/lib/gssapi/krb5/get_mic.c Fri Oct 5 16:35:24 2018 (r339198)
@@ -50,7 +50,7 @@ mic_des
EVP_MD_CTX *md5;
u_char hash[16];
DES_key_schedule schedule;
- EVP_CIPHER_CTX des_ctx;
+ EVP_CIPHER_CTX *des_ctx;
DES_cblock deskey;
DES_cblock zero;
int32_t seq_number;
@@ -96,6 +96,17 @@ mic_des
&schedule, &zero);
memcpy (p - 8, hash, 8); /* SGN_CKSUM */
+ des_ctx = EVP_CIPHER_CTX_new();
+ if (des_ctx == NULL) {
+ memset (deskey, 0, sizeof(deskey));
+ memset (&schedule, 0, sizeof(schedule));
+ free (message_token->value);
+ message_token->value = NULL;
+ message_token->length = 0;
+ *minor_status = ENOMEM;
+ return GSS_S_FAILURE;
+ }
+
HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
/* sequence number */
krb5_auth_con_getlocalseqnumber (context,
@@ -111,10 +122,9 @@ mic_des
(ctx->more_flags & LOCAL) ? 0 : 0xFF,
4);
- EVP_CIPHER_CTX_init(&des_ctx);
- EVP_CipherInit_ex(&des_ctx, EVP_des_cbc(), NULL, key->keyvalue.data, p + 8, 1);
- EVP_Cipher(&des_ctx, p, p, 8);
- EVP_CIPHER_CTX_cleanup(&des_ctx);
+ EVP_CipherInit_ex(des_ctx, EVP_des_cbc(), NULL, key->keyvalue.data, p + 8, 1);
+ EVP_Cipher(des_ctx, p, p, 8);
+ EVP_CIPHER_CTX_free(des_ctx);
krb5_auth_con_setlocalseqnumber (context,
ctx->auth_context,
Modified: projects/openssl111/crypto/heimdal/lib/gssapi/krb5/unwrap.c
==============================================================================
--- projects/openssl111/crypto/heimdal/lib/gssapi/krb5/unwrap.c Fri Oct 5 16:05:59 2018 (r339197)
+++ projects/openssl111/crypto/heimdal/lib/gssapi/krb5/unwrap.c Fri Oct 5 16:35:24 2018 (r339198)
@@ -50,7 +50,7 @@ unwrap_des
size_t len;
EVP_MD_CTX *md5;
u_char hash[16];
- EVP_CIPHER_CTX des_ctx;
+ EVP_CIPHER_CTX *des_ctx;
DES_key_schedule schedule;
DES_cblock deskey;
DES_cblock zero;
@@ -104,12 +104,17 @@ unwrap_des
deskey[i] ^= 0xf0;
- EVP_CIPHER_CTX_init(&des_ctx);
- EVP_CipherInit_ex(&des_ctx, EVP_des_cbc(), NULL, deskey, zero, 0);
- EVP_Cipher(&des_ctx, p, p, input_message_buffer->length - len);
- EVP_CIPHER_CTX_cleanup(&des_ctx);
+ des_ctx = EVP_CIPHER_CTX_new();
+ if (des_ctx == NULL) {
+ memset (deskey, 0, sizeof(deskey));
+ *minor_status = ENOMEM;
+ return GSS_S_FAILURE;
+ }
+ EVP_CipherInit_ex(des_ctx, EVP_des_cbc(), NULL, deskey, zero, 0);
+ EVP_Cipher(des_ctx, p, p, input_message_buffer->length - len);
+ EVP_CIPHER_CTX_free(des_ctx);
- memset (&schedule, 0, sizeof(schedule));
+ memset (deskey, 0, sizeof(deskey));
}
if (IS_DCE_STYLE(context_handle)) {
@@ -135,19 +140,29 @@ unwrap_des
DES_set_key_unchecked (&deskey, &schedule);
DES_cbc_cksum ((void *)hash, (void *)hash, sizeof(hash),
&schedule, &zero);
- if (ct_memcmp (p - 8, hash, 8) != 0)
+ if (ct_memcmp (p - 8, hash, 8) != 0) {
+ memset (deskey, 0, sizeof(deskey));
+ memset (&schedule, 0, sizeof(schedule));
return GSS_S_BAD_MIC;
+ }
/* verify sequence number */
+ des_ctx = EVP_CIPHER_CTX_new();
+ if (des_ctx == NULL) {
+ memset (deskey, 0, sizeof(deskey));
+ memset (&schedule, 0, sizeof(schedule));
+ *minor_status = ENOMEM;
+ return GSS_S_FAILURE;
+ }
+
HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
p -= 16;
- EVP_CIPHER_CTX_init(&des_ctx);
- EVP_CipherInit_ex(&des_ctx, EVP_des_cbc(), NULL, key->keyvalue.data, hash, 0);
- EVP_Cipher(&des_ctx, p, p, 8);
- EVP_CIPHER_CTX_cleanup(&des_ctx);
+ EVP_CipherInit_ex(des_ctx, EVP_des_cbc(), NULL, key->keyvalue.data, hash, 0);
+ EVP_Cipher(des_ctx, p, p, 8);
+ EVP_CIPHER_CTX_free(des_ctx);
memset (deskey, 0, sizeof(deskey));
memset (&schedule, 0, sizeof(schedule));
Modified: projects/openssl111/crypto/heimdal/lib/gssapi/krb5/verify_mic.c
==============================================================================
--- projects/openssl111/crypto/heimdal/lib/gssapi/krb5/verify_mic.c Fri Oct 5 16:05:59 2018 (r339197)
+++ projects/openssl111/crypto/heimdal/lib/gssapi/krb5/verify_mic.c Fri Oct 5 16:35:24 2018 (r339198)
@@ -51,7 +51,7 @@ verify_mic_des
EVP_MD_CTX *md5;
u_char hash[16], *seq;
DES_key_schedule schedule;
- EVP_CIPHER_CTX des_ctx;
+ EVP_CIPHER_CTX *des_ctx;
DES_cblock zero;
DES_cblock deskey;
uint32_t seq_number;
@@ -96,14 +96,21 @@ verify_mic_des
/* verify sequence number */
+ des_ctx = EVP_CIPHER_CTX_new();
+ if (des_ctx == NULL) {
+ memset (deskey, 0, sizeof(deskey));
+ memset (&schedule, 0, sizeof(schedule));
+ *minor_status = ENOMEM;
+ return GSS_S_FAILURE;
+ }
+
HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
p -= 16;
- EVP_CIPHER_CTX_init(&des_ctx);
- EVP_CipherInit_ex(&des_ctx, EVP_des_cbc(), NULL, key->keyvalue.data, hash, 0);
- EVP_Cipher(&des_ctx, p, p, 8);
- EVP_CIPHER_CTX_cleanup(&des_ctx);
+ EVP_CipherInit_ex(des_ctx, EVP_des_cbc(), NULL, key->keyvalue.data, hash, 0);
+ EVP_Cipher(des_ctx, p, p, 8);
+ EVP_CIPHER_CTX_free(des_ctx);
memset (deskey, 0, sizeof(deskey));
memset (&schedule, 0, sizeof(schedule));
Modified: projects/openssl111/crypto/heimdal/lib/gssapi/krb5/wrap.c
==============================================================================
--- projects/openssl111/crypto/heimdal/lib/gssapi/krb5/wrap.c Fri Oct 5 16:05:59 2018 (r339197)
+++ projects/openssl111/crypto/heimdal/lib/gssapi/krb5/wrap.c Fri Oct 5 16:35:24 2018 (r339198)
@@ -211,7 +211,7 @@ wrap_des
EVP_MD_CTX *md5;
u_char hash[16];
DES_key_schedule schedule;
- EVP_CIPHER_CTX des_ctx;
+ EVP_CIPHER_CTX *des_ctx;
DES_cblock deskey;
DES_cblock zero;
size_t i;
@@ -283,6 +283,17 @@ wrap_des
&schedule, &zero);
memcpy (p - 8, hash, 8);
+ des_ctx = EVP_CIPHER_CTX_new();
+ if (des_ctx == NULL) {
+ memset (deskey, 0, sizeof(deskey));
+ memset (&schedule, 0, sizeof(schedule));
+ free(output_message_buffer->value);
+ output_message_buffer->value = NULL;
+ output_message_buffer->length = 0;
+ *minor_status = ENOMEM;
+ return GSS_S_FAILURE;
+ }
+
/* sequence number */
HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
krb5_auth_con_getlocalseqnumber (context,
@@ -298,10 +309,8 @@ wrap_des
(ctx->more_flags & LOCAL) ? 0 : 0xFF,
4);
- EVP_CIPHER_CTX_init(&des_ctx);
- EVP_CipherInit_ex(&des_ctx, EVP_des_cbc(), NULL, key->keyvalue.data, p + 8, 1);
- EVP_Cipher(&des_ctx, p, p, 8);
- EVP_CIPHER_CTX_cleanup(&des_ctx);
+ EVP_CipherInit_ex(des_ctx, EVP_des_cbc(), NULL, key->keyvalue.data, p + 8, 1);
+ EVP_Cipher(des_ctx, p, p, 8);
krb5_auth_con_setlocalseqnumber (context,
ctx->auth_context,
@@ -317,11 +326,11 @@ wrap_des
for (i = 0; i < sizeof(deskey); ++i)
deskey[i] ^= 0xf0;
- EVP_CIPHER_CTX_init(&des_ctx);
- EVP_CipherInit_ex(&des_ctx, EVP_des_cbc(), NULL, deskey, zero, 1);
- EVP_Cipher(&des_ctx, p, p, datalen);
- EVP_CIPHER_CTX_cleanup(&des_ctx);
+ EVP_CIPHER_CTX_reset(des_ctx);
+ EVP_CipherInit_ex(des_ctx, EVP_des_cbc(), NULL, deskey, zero, 1);
+ EVP_Cipher(des_ctx, p, p, datalen);
}
+ EVP_CIPHER_CTX_free(des_ctx);
memset (deskey, 0, sizeof(deskey));
memset (&schedule, 0, sizeof(schedule));
Modified: projects/openssl111/crypto/heimdal/lib/gssapi/ntlm/crypto.c
==============================================================================
--- projects/openssl111/crypto/heimdal/lib/gssapi/ntlm/crypto.c Fri Oct 5 16:05:59 2018 (r339197)
+++ projects/openssl111/crypto/heimdal/lib/gssapi/ntlm/crypto.c Fri Oct 5 16:35:24 2018 (r339198)
@@ -148,16 +148,18 @@ v2_sign_message(gss_buffer_t in,
{
unsigned char hmac[16];
unsigned int hmaclen;
- HMAC_CTX c;
+ HMAC_CTX *c;
- HMAC_CTX_init(&c);
- HMAC_Init_ex(&c, signkey, 16, EVP_md5(), NULL);
+ c = HMAC_CTX_new();
+ if (c == NULL)
+ return GSS_S_FAILURE;
+ HMAC_Init_ex(c, signkey, 16, EVP_md5(), NULL);
encode_le_uint32(seq, hmac);
- HMAC_Update(&c, hmac, 4);
- HMAC_Update(&c, in->value, in->length);
- HMAC_Final(&c, hmac, &hmaclen);
- HMAC_CTX_cleanup(&c);
+ HMAC_Update(c, hmac, 4);
+ HMAC_Update(c, in->value, in->length);
+ HMAC_Final(c, hmac, &hmaclen);
+ HMAC_CTX_free(c);
encode_le_uint32(1, &out[0]);
if (sealkey)
Modified: projects/openssl111/crypto/heimdal/lib/hx509/crypto.c
==============================================================================
--- projects/openssl111/crypto/heimdal/lib/hx509/crypto.c Fri Oct 5 16:05:59 2018 (r339197)
+++ projects/openssl111/crypto/heimdal/lib/hx509/crypto.c Fri Oct 5 16:35:24 2018 (r339198)
@@ -226,7 +226,8 @@ heim_int2BN(const heim_integer *i)
BIGNUM *bn;
bn = BN_bin2bn(i->data, i->length, NULL);
- BN_set_negative(bn, i->negative);
+ if (bn != NULL)
+ BN_set_negative(bn, i->negative);
return bn;
}
@@ -899,12 +900,15 @@ rsa_get_internal(hx509_context context,
hx509_private_key key,
const char *type)
{
+ const BIGNUM *n;
+
if (strcasecmp(type, "rsa-modulus") == 0) {
- return BN_dup(key->private_key.rsa->n);
+ RSA_get0_key(key->private_key.rsa, &n, NULL, NULL);
} else if (strcasecmp(type, "rsa-exponent") == 0) {
- return BN_dup(key->private_key.rsa->e);
+ RSA_get0_key(key->private_key.rsa, NULL, &n, NULL);
} else
return NULL;
+ return BN_dup(n);
}
@@ -1045,6 +1049,7 @@ dsa_verify_signature(hx509_context context,
DSAPublicKey pk;
DSAParams param;
size_t size;
+ BIGNUM *key, *p, *q, *g;
DSA *dsa;
int ret;
@@ -1062,16 +1067,25 @@ dsa_verify_signature(hx509_context context,
if (ret)
goto out;
- dsa->pub_key = heim_int2BN(&pk);
+ key = heim_int2BN(&pk);
free_DSAPublicKey(&pk);
- if (dsa->pub_key == NULL) {
+ if (key == NULL) {
ret = ENOMEM;
hx509_set_error_string(context, 0, ret, "out of memory");
goto out;
}
+ ret = DSA_set0_key(dsa, key, NULL);
+
+ if (ret != 1) {
+ BN_free(key);
+ ret = EINVAL;
+ hx509_set_error_string(context, 0, ret, "failed to set DSA key");
+ goto out;
+ }
+
if (spi->algorithm.parameters == NULL) {
ret = HX509_CRYPTO_SIG_INVALID_FORMAT;
hx509_set_error_string(context, 0, ret, "DSA parameters missing");
@@ -1087,18 +1101,32 @@ dsa_verify_signature(hx509_context context,
goto out;
}
- dsa->p = heim_int2BN(¶m.p);
- dsa->q = heim_int2BN(¶m.q);
- dsa->g = heim_int2BN(¶m.g);
+ p = heim_int2BN(¶m.p);
+ q = heim_int2BN(¶m.q);
+ g = heim_int2BN(¶m.g);
free_DSAParams(¶m);
- if (dsa->p == NULL || dsa->q == NULL || dsa->g == NULL) {
+ if (p == NULL || q == NULL || g == NULL) {
+ BN_free(p);
+ BN_free(q);
+ BN_free(g);
ret = ENOMEM;
hx509_set_error_string(context, 0, ret, "out of memory");
goto out;
}
+ ret = DSA_set0_pqg(dsa, p, q, g);
+
+ if (ret != 1) {
+ BN_free(p);
+ BN_free(q);
+ BN_free(g);
+ ret = EINVAL;
+ hx509_set_error_string(context, 0, ret, "failed to set DSA parameters");
+ goto out;
+ }
+
ret = DSA_verify(-1, data->data, data->length,
(unsigned char*)sig->data, sig->length,
dsa);
@@ -2562,7 +2590,7 @@ hx509_crypto_encrypt(hx509_crypto crypto,
const heim_octet_string *ivec,
heim_octet_string **ciphertext)
{
- EVP_CIPHER_CTX evp;
+ EVP_CIPHER_CTX *evp;
size_t padsize, bsize;
int ret;
@@ -2574,12 +2602,13 @@ hx509_crypto_encrypt(hx509_crypto crypto,
assert(EVP_CIPHER_iv_length(crypto->c) == (int)ivec->length);
- EVP_CIPHER_CTX_init(&evp);
+ evp = EVP_CIPHER_CTX_new();
+ if (evp == NULL)
+ return ENOMEM;
- ret = EVP_CipherInit_ex(&evp, crypto->c, NULL,
+ ret = EVP_CipherInit_ex(evp, crypto->c, NULL,
crypto->key.data, ivec->data, 1);
if (ret != 1) {
- EVP_CIPHER_CTX_cleanup(&evp);
ret = HX509_CRYPTO_INTERNAL_ERROR;
goto out;
}
@@ -2619,7 +2648,7 @@ hx509_crypto_encrypt(hx509_crypto crypto,
*p++ = padsize;
}
- ret = EVP_Cipher(&evp, (*ciphertext)->data,
+ ret = EVP_Cipher(evp, (*ciphertext)->data,
(*ciphertext)->data,
length + padsize);
if (ret != 1) {
@@ -2638,7 +2667,7 @@ hx509_crypto_encrypt(hx509_crypto crypto,
*ciphertext = NULL;
}
}
- EVP_CIPHER_CTX_cleanup(&evp);
+ EVP_CIPHER_CTX_free(evp);
return ret;
}
@@ -2650,7 +2679,7 @@ hx509_crypto_decrypt(hx509_crypto crypto,
heim_octet_string *ivec,
heim_octet_string *clear)
{
- EVP_CIPHER_CTX evp;
+ EVP_CIPHER_CTX *evp;
void *idata = NULL;
int ret;
@@ -2670,27 +2699,30 @@ hx509_crypto_decrypt(hx509_crypto crypto,
if (ivec)
idata = ivec->data;
- EVP_CIPHER_CTX_init(&evp);
+ evp = EVP_CIPHER_CTX_new();
+ if (evp == NULL)
+ return ENOMEM;
- ret = EVP_CipherInit_ex(&evp, crypto->c, NULL,
+ ret = EVP_CipherInit_ex(evp, crypto->c, NULL,
crypto->key.data, idata, 0);
if (ret != 1) {
- EVP_CIPHER_CTX_cleanup(&evp);
+ EVP_CIPHER_CTX_free(evp);
return HX509_CRYPTO_INTERNAL_ERROR;
}
clear->length = length;
clear->data = malloc(length);
if (clear->data == NULL) {
- EVP_CIPHER_CTX_cleanup(&evp);
+ EVP_CIPHER_CTX_free(evp);
clear->length = 0;
return ENOMEM;
}
- if (EVP_Cipher(&evp, clear->data, data, length) != 1) {
+ if (EVP_Cipher(evp, clear->data, data, length) != 1) {
+ EVP_CIPHER_CTX_free(evp);
return HX509_CRYPTO_INTERNAL_ERROR;
}
- EVP_CIPHER_CTX_cleanup(&evp);
+ EVP_CIPHER_CTX_free(evp);
if ((crypto->flags & PADDING_PKCS7) && EVP_CIPHER_block_size(crypto->c) > 1) {
int padsize;
@@ -2949,6 +2981,8 @@ match_keys_rsa(hx509_cert c, hx509_private_key private
const SubjectPublicKeyInfo *spi;
RSAPublicKey pk;
RSA *rsa;
+ const BIGNUM *d, *p, *q, *dmp1, *dmq1, *iqmp;
+ BIGNUM *new_d, *new_p, *new_q, *new_dmp1, *new_dmq1, *new_iqmp, *n, *e;
size_t size;
int ret;
@@ -2956,7 +2990,10 @@ match_keys_rsa(hx509_cert c, hx509_private_key private
return 0;
rsa = private_key->private_key.rsa;
- if (rsa->d == NULL || rsa->p == NULL || rsa->q == NULL)
+ RSA_get0_key(rsa, NULL, NULL, &d);
+ RSA_get0_factors(rsa, &p, &q);
+ RSA_get0_crt_params(rsa, &dmp1, &dmq1, &iqmp);
+ if (d == NULL || p == NULL || q == NULL)
return 0;
cert = _hx509_get_cert(c);
@@ -2973,21 +3010,66 @@ match_keys_rsa(hx509_cert c, hx509_private_key private
RSA_free(rsa);
return 0;
}
- rsa->n = heim_int2BN(&pk.modulus);
- rsa->e = heim_int2BN(&pk.publicExponent);
+ n = heim_int2BN(&pk.modulus);
+ e = heim_int2BN(&pk.publicExponent);
free_RSAPublicKey(&pk);
- rsa->d = BN_dup(private_key->private_key.rsa->d);
- rsa->p = BN_dup(private_key->private_key.rsa->p);
- rsa->q = BN_dup(private_key->private_key.rsa->q);
- rsa->dmp1 = BN_dup(private_key->private_key.rsa->dmp1);
- rsa->dmq1 = BN_dup(private_key->private_key.rsa->dmq1);
- rsa->iqmp = BN_dup(private_key->private_key.rsa->iqmp);
+ new_d = BN_dup(d);
+ new_p = BN_dup(p);
+ new_q = BN_dup(q);
+ new_dmp1 = BN_dup(dmp1);
+ new_dmq1 = BN_dup(dmq1);
+ new_iqmp = BN_dup(iqmp);
- if (rsa->n == NULL || rsa->e == NULL ||
- rsa->d == NULL || rsa->p == NULL|| rsa->q == NULL ||
- rsa->dmp1 == NULL || rsa->dmq1 == NULL) {
+ if (n == NULL || e == NULL ||
+ new_d == NULL || new_p == NULL|| new_q == NULL ||
+ new_dmp1 == NULL || new_dmq1 == NULL || new_iqmp == NULL) {
+ BN_free(n);
+ BN_free(e);
+ BN_free(new_d);
+ BN_free(new_p);
+ BN_free(new_q);
+ BN_free(new_dmp1);
+ BN_free(new_dmq1);
+ BN_free(new_iqmp);
+ RSA_free(rsa);
+ return 0;
+ }
+
+ ret = RSA_set0_key(rsa, new_d, n, e);
+
+ if (ret != 1) {
+ BN_free(n);
+ BN_free(e);
+ BN_free(new_d);
+ BN_free(new_p);
+ BN_free(new_q);
+ BN_free(new_dmp1);
+ BN_free(new_dmq1);
+ BN_free(new_iqmp);
+ RSA_free(rsa);
+ return 0;
+ }
+
+ ret = RSA_set0_factors(rsa, new_p, new_q);
+
+ if (ret != 1) {
+ BN_free(new_p);
+ BN_free(new_q);
+ BN_free(new_dmp1);
+ BN_free(new_dmq1);
+ BN_free(new_iqmp);
+ RSA_free(rsa);
+ return 0;
+ }
+
+ ret = RSA_set0_crt_params(rsa, new_dmp1, new_dmq1, new_iqmp);
+
+ if (ret != 1) {
+ BN_free(new_dmp1);
+ BN_free(new_dmq1);
+ BN_free(new_iqmp);
RSA_free(rsa);
return 0;
}
Modified: projects/openssl111/crypto/heimdal/lib/hx509/hxtool.c
==============================================================================
--- projects/openssl111/crypto/heimdal/lib/hx509/hxtool.c Fri Oct 5 16:05:59 2018 (r339197)
+++ projects/openssl111/crypto/heimdal/lib/hx509/hxtool.c Fri Oct 5 16:35:24 2018 (r339198)
@@ -1387,12 +1387,12 @@ info(void *opt, int argc, char **argv)
{
const RSA_METHOD *m = RSA_get_default_method();
if (m != NULL)
- printf("rsa: %s\n", m->name);
+ printf("rsa: %s\n", RSA_meth_get0_name(m));
}
{
const DH_METHOD *m = DH_get_default_method();
if (m != NULL)
- printf("dh: %s\n", m->name);
+ printf("dh: %s\n", DH_meth_get0_name(m));
}
#ifdef HAVE_OPENSSL
{
Modified: projects/openssl111/crypto/heimdal/lib/hx509/ks_file.c
==============================================================================
--- projects/openssl111/crypto/heimdal/lib/hx509/ks_file.c Fri Oct 5 16:05:59 2018 (r339197)
+++ projects/openssl111/crypto/heimdal/lib/hx509/ks_file.c Fri Oct 5 16:35:24 2018 (r339198)
@@ -107,11 +107,18 @@ try_decrypt(hx509_context context,
clear.length = len;
{
- EVP_CIPHER_CTX ctx;
- EVP_CIPHER_CTX_init(&ctx);
- EVP_CipherInit_ex(&ctx, c, NULL, key, ivdata, 0);
- EVP_Cipher(&ctx, clear.data, cipher, len);
- EVP_CIPHER_CTX_cleanup(&ctx);
+ EVP_CIPHER_CTX *ctx;
+
+ ctx = EVP_CIPHER_CTX_new();
+ if (ctx == NULL) {
+ hx509_set_error_string(context, 0, ENOMEM,
+ "Out of memory to decrypt for private key");
+ ret = ENOMEM;
+ goto out;
+ }
+ EVP_CipherInit_ex(ctx, c, NULL, key, ivdata, 0);
+ EVP_Cipher(ctx, clear.data, cipher, len);
+ EVP_CIPHER_CTX_free(ctx);
}
ret = _hx509_collector_private_key_add(context,
@@ -122,8 +129,8 @@ try_decrypt(hx509_context context,
NULL);
memset(clear.data, 0, clear.length);
- free(clear.data);
out:
+ free(clear.data);
memset(key, 0, keylen);
free(key);
return ret;
Modified: projects/openssl111/crypto/heimdal/lib/hx509/ks_p11.c
==============================================================================
--- projects/openssl111/crypto/heimdal/lib/hx509/ks_p11.c Fri Oct 5 16:05:59 2018 (r339197)
+++ projects/openssl111/crypto/heimdal/lib/hx509/ks_p11.c Fri Oct 5 16:35:24 2018 (r339198)
@@ -213,22 +213,48 @@ p11_rsa_finish(RSA *rsa)
return 1;
}
-static const RSA_METHOD p11_rsa_pkcs1_method = {
- "hx509 PKCS11 PKCS#1 RSA",
- p11_rsa_public_encrypt,
- p11_rsa_public_decrypt,
- p11_rsa_private_encrypt,
- p11_rsa_private_decrypt,
- NULL,
- NULL,
- p11_rsa_init,
- p11_rsa_finish,
- 0,
- NULL,
- NULL,
- NULL
-};
+static const RSA_METHOD *
+get_p11_rsa_pkcs1_method(void)
+{
+ static const RSA_METHOD *p11_rsa_pkcs1_method;
+ RSA_METHOD *new_method;
+ if (p11_rsa_pkcs1_method != NULL)
+ return p11_rsa_pkcs1_method;
+
+ new_method = RSA_meth_new("hx509 PKCS11 PKCS#1 RSA", 0);
+ if (new_method == NULL)
+ return NULL;
+
+ if (RSA_meth_set_pub_enc(new_method, p11_rsa_public_encrypt) != 1)
+ goto out;
+
+ if (RSA_meth_set_pub_dec(new_method, p11_rsa_public_decrypt) != 1)
+ goto out;
+
+ if (RSA_meth_set_priv_enc(new_method, p11_rsa_private_encrypt) != 1)
+ goto out;
+
+ if (RSA_meth_set_priv_dec(new_method, p11_rsa_private_decrypt) != 1)
+ goto out;
+
+ if (RSA_meth_set_init(new_method, p11_rsa_init) != 1)
+ goto out;
+
+ if (RSA_meth_set_finish(new_method, p11_rsa_finish) != 1)
+ goto out;
+
+ /*
+ * This might overwrite a previously-created method if multiple
+ * threads invoke this concurrently which will leak memory.
+ */
+ p11_rsa_pkcs1_method = new_method;
+ return p11_rsa_pkcs1_method;
+out:
+ RSA_meth_free(new_method);
+ return NULL;
+}
+
/*
*
*/
@@ -607,6 +633,8 @@ collect_private_key(hx509_context context,
hx509_private_key key;
heim_octet_string localKeyId;
int ret;
+ const RSA_METHOD *meth;
+ BIGNUM *n, *e;
RSA *rsa;
struct p11_rsa *p11rsa;
*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***
More information about the svn-src-projects
mailing list