diff options
Diffstat (limited to 'src')
-rw-r--r-- | src/libcharon/sa/ikev1/keymat_v1.c | 3 | ||||
-rw-r--r-- | src/libsimaka/simaka_message.c | 6 | ||||
-rw-r--r-- | src/libstrongswan/crypto/aead.c | 3 | ||||
-rw-r--r-- | src/libstrongswan/crypto/crypters/crypter.h | 4 | ||||
-rw-r--r-- | src/libstrongswan/crypto/crypto_tester.c | 16 | ||||
-rw-r--r-- | src/libstrongswan/crypto/pkcs7.c | 6 | ||||
-rw-r--r-- | src/libstrongswan/plugins/aes/aes_crypter.c | 3 | ||||
-rw-r--r-- | src/libstrongswan/plugins/af_alg/af_alg_crypter.c | 3 | ||||
-rw-r--r-- | src/libstrongswan/plugins/blowfish/blowfish_crypter.c | 4 | ||||
-rw-r--r-- | src/libstrongswan/plugins/des/des_crypter.c | 9 | ||||
-rw-r--r-- | src/libstrongswan/plugins/gcrypt/gcrypt_crypter.c | 16 | ||||
-rw-r--r-- | src/libstrongswan/plugins/openssl/openssl_crypter.c | 4 | ||||
-rw-r--r-- | src/libstrongswan/plugins/padlock/padlock_aes_crypter.c | 3 | ||||
-rw-r--r-- | src/libstrongswan/plugins/pem/pem_builder.c | 6 | ||||
-rw-r--r-- | src/libstrongswan/plugins/pkcs8/pkcs8_builder.c | 5 | ||||
-rw-r--r-- | src/libtls/tls_protection.c | 7 |
16 files changed, 66 insertions, 32 deletions
diff --git a/src/libcharon/sa/ikev1/keymat_v1.c b/src/libcharon/sa/ikev1/keymat_v1.c index 3c4da17c5..554bd56f7 100644 --- a/src/libcharon/sa/ikev1/keymat_v1.c +++ b/src/libcharon/sa/ikev1/keymat_v1.c @@ -174,8 +174,7 @@ METHOD(aead_t, decrypt, bool, private_aead_t *this, chunk_t encrypted, chunk_t assoc, chunk_t iv, chunk_t *plain) { - this->crypter->decrypt(this->crypter, encrypted, iv, plain); - return TRUE; + return this->crypter->decrypt(this->crypter, encrypted, iv, plain); } METHOD(aead_t, get_block_size, size_t, diff --git a/src/libsimaka/simaka_message.c b/src/libsimaka/simaka_message.c index 1449ee267..aa36a0974 100644 --- a/src/libsimaka/simaka_message.c +++ b/src/libsimaka/simaka_message.c @@ -499,8 +499,10 @@ static bool decrypt(private_simaka_message_t *this) eap_type_names, this->hdr->type); return FALSE; } - - crypter->decrypt(crypter, this->encr, this->iv, &plain); + if (!crypter->decrypt(crypter, this->encr, this->iv, &plain)) + { + return FALSE; + } this->encrypted = TRUE; success = parse_attributes(this, plain); diff --git a/src/libstrongswan/crypto/aead.c b/src/libstrongswan/crypto/aead.c index 0915cd1de..595b75f87 100644 --- a/src/libstrongswan/crypto/aead.c +++ b/src/libstrongswan/crypto/aead.c @@ -105,8 +105,7 @@ METHOD(aead_t, decrypt, bool, DBG1(DBG_LIB, "MAC verification failed"); return FALSE; } - this->crypter->decrypt(this->crypter, encrypted, iv, plain); - return TRUE; + return this->crypter->decrypt(this->crypter, encrypted, iv, plain); } METHOD(aead_t, get_block_size, size_t, diff --git a/src/libstrongswan/crypto/crypters/crypter.h b/src/libstrongswan/crypto/crypters/crypter.h index e5e942d6a..a615c0e22 100644 --- a/src/libstrongswan/crypto/crypters/crypter.h +++ b/src/libstrongswan/crypto/crypters/crypter.h @@ -106,8 +106,10 @@ struct crypter_t { * @param data data to decrypt * @param iv initializing vector * @param encrypted chunk to allocate decrypted data, or NULL + * @return TRUE if decryption successful */ - void (*decrypt) (crypter_t *this, chunk_t data, chunk_t iv, + __attribute__((warn_unused_result)) + bool (*decrypt) (crypter_t *this, chunk_t data, chunk_t iv, chunk_t *decrypted); /** diff --git a/src/libstrongswan/crypto/crypto_tester.c b/src/libstrongswan/crypto/crypto_tester.c index 287c12ced..812e94914 100644 --- a/src/libstrongswan/crypto/crypto_tester.c +++ b/src/libstrongswan/crypto/crypto_tester.c @@ -164,8 +164,10 @@ static u_int bench_crypter(private_crypto_tester_t *this, { runs++; } - crypter->decrypt(crypter, buf, chunk_from_thing(iv), NULL); - runs++; + if (crypter->decrypt(crypter, buf, chunk_from_thing(iv), NULL)) + { + runs++; + } } free(buf.ptr); crypter->destroy(crypter); @@ -226,7 +228,10 @@ METHOD(crypto_tester_t, test_crypter, bool, failed = TRUE; } /* inline decryption */ - crypter->decrypt(crypter, cipher, iv, NULL); + if (!crypter->decrypt(crypter, cipher, iv, NULL)) + { + failed = TRUE; + } if (!memeq(vector->plain, cipher.ptr, cipher.len)) { failed = TRUE; @@ -234,7 +239,10 @@ METHOD(crypto_tester_t, test_crypter, bool, free(cipher.ptr); /* allocated decryption */ cipher = chunk_create(vector->cipher, vector->len); - crypter->decrypt(crypter, cipher, iv, &plain); + if (!crypter->decrypt(crypter, cipher, iv, &plain)) + { + failed = TRUE; + } if (!memeq(vector->plain, plain.ptr, plain.len)) { failed = TRUE; diff --git a/src/libstrongswan/crypto/pkcs7.c b/src/libstrongswan/crypto/pkcs7.c index be4076f32..e422dae0e 100644 --- a/src/libstrongswan/crypto/pkcs7.c +++ b/src/libstrongswan/crypto/pkcs7.c @@ -639,7 +639,11 @@ end: /* decrypt the content */ crypter->set_key(crypter, symmetric_key); - crypter->decrypt(crypter, encrypted_content, iv, &this->data); + if (!crypter->decrypt(crypter, encrypted_content, iv, &this->data)) + { + success = FALSE; + goto failed; + } DBG4(DBG_LIB, "decrypted content with padding: %B", &this->data); /* remove the padding */ diff --git a/src/libstrongswan/plugins/aes/aes_crypter.c b/src/libstrongswan/plugins/aes/aes_crypter.c index a6757e2a9..03d3cdeda 100644 --- a/src/libstrongswan/plugins/aes/aes_crypter.c +++ b/src/libstrongswan/plugins/aes/aes_crypter.c @@ -1331,7 +1331,7 @@ static void decrypt_block(const private_aes_crypter_t *this, const unsigned char state_out(out_blk, b0); } -METHOD(crypter_t, decrypt, void, +METHOD(crypter_t, decrypt, bool, private_aes_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *decrypted) { int pos; @@ -1371,6 +1371,7 @@ METHOD(crypter_t, decrypt, void, out-=16; pos-=16; } + return TRUE; } METHOD(crypter_t, encrypt, bool, diff --git a/src/libstrongswan/plugins/af_alg/af_alg_crypter.c b/src/libstrongswan/plugins/af_alg/af_alg_crypter.c index fb6a851ba..7fc0e59d8 100644 --- a/src/libstrongswan/plugins/af_alg/af_alg_crypter.c +++ b/src/libstrongswan/plugins/af_alg/af_alg_crypter.c @@ -131,7 +131,7 @@ static size_t lookup_alg(encryption_algorithm_t algo, char **name, return 0; } -METHOD(crypter_t, decrypt, void, +METHOD(crypter_t, decrypt, bool, private_af_alg_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *dst) { if (dst) @@ -143,6 +143,7 @@ METHOD(crypter_t, decrypt, void, { this->ops->crypt(this->ops, ALG_OP_DECRYPT, iv, data, data.ptr); } + return TRUE; } METHOD(crypter_t, encrypt, bool, diff --git a/src/libstrongswan/plugins/blowfish/blowfish_crypter.c b/src/libstrongswan/plugins/blowfish/blowfish_crypter.c index 0ae3022c0..18c8f48a9 100644 --- a/src/libstrongswan/plugins/blowfish/blowfish_crypter.c +++ b/src/libstrongswan/plugins/blowfish/blowfish_crypter.c @@ -87,7 +87,7 @@ struct private_blowfish_crypter_t { u_int32_t key_size; }; -METHOD(crypter_t, decrypt, void, +METHOD(crypter_t, decrypt, bool, private_blowfish_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *decrypted) { @@ -108,6 +108,8 @@ METHOD(crypter_t, decrypt, void, BF_cbc_encrypt(in, out, data.len, &this->schedule, iv.ptr, 0); free(iv.ptr); + + return TRUE; } METHOD(crypter_t, encrypt, bool, diff --git a/src/libstrongswan/plugins/des/des_crypter.c b/src/libstrongswan/plugins/des/des_crypter.c index 3c621e139..ca9ae8fc7 100644 --- a/src/libstrongswan/plugins/des/des_crypter.c +++ b/src/libstrongswan/plugins/des/des_crypter.c @@ -1416,7 +1416,7 @@ static void des_ede3_cbc_encrypt(des_cblock *input, des_cblock *output, long len tin[0]=tin[1]=0; } -METHOD(crypter_t, decrypt, void, +METHOD(crypter_t, decrypt, bool, private_des_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *decrypted) { des_cblock ivb; @@ -1431,6 +1431,7 @@ METHOD(crypter_t, decrypt, void, memcpy(&ivb, iv.ptr, sizeof(des_cblock)); des_cbc_encrypt((des_cblock*)(data.ptr), (des_cblock*)out, data.len, this->ks, &ivb, DES_DECRYPT); + return TRUE; } @@ -1452,7 +1453,7 @@ METHOD(crypter_t, encrypt, bool, return TRUE; } -METHOD(crypter_t, decrypt_ecb, void, +METHOD(crypter_t, decrypt_ecb, bool, private_des_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *decrypted) { u_int8_t *out; @@ -1465,6 +1466,7 @@ METHOD(crypter_t, decrypt_ecb, void, } des_ecb_encrypt((des_cblock*)(data.ptr), (des_cblock*)out, data.len, this->ks, DES_DECRYPT); + return TRUE; } METHOD(crypter_t, encrypt_ecb, bool, @@ -1483,7 +1485,7 @@ METHOD(crypter_t, encrypt_ecb, bool, return TRUE; } -METHOD(crypter_t, decrypt3, void, +METHOD(crypter_t, decrypt3, bool, private_des_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *decrypted) { des_cblock ivb; @@ -1499,6 +1501,7 @@ METHOD(crypter_t, decrypt3, void, des_ede3_cbc_encrypt((des_cblock*)(data.ptr), (des_cblock*)out, data.len, this->ks3[0], this->ks3[1], this->ks3[2], &ivb, DES_DECRYPT); + return TRUE; } METHOD(crypter_t, encrypt3, bool, diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_crypter.c b/src/libstrongswan/plugins/gcrypt/gcrypt_crypter.c index c1f2b65c5..3627c5064 100644 --- a/src/libstrongswan/plugins/gcrypt/gcrypt_crypter.c +++ b/src/libstrongswan/plugins/gcrypt/gcrypt_crypter.c @@ -70,20 +70,20 @@ static bool set_iv(private_gcrypt_crypter_t *this, chunk_t iv) return gcry_cipher_setiv(this->h, iv.ptr, iv.len) == 0; } -METHOD(crypter_t, decrypt, void, +METHOD(crypter_t, decrypt, bool, private_gcrypt_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *dst) { - set_iv(this, iv); - - if (dst) + if (!set_iv(this, iv)) { - *dst = chunk_alloc(data.len); - gcry_cipher_decrypt(this->h, dst->ptr, dst->len, data.ptr, data.len); + return FALSE; } - else + if (dst) { - gcry_cipher_decrypt(this->h, data.ptr, data.len, NULL, 0); + *dst = chunk_alloc(data.len); + return gcry_cipher_decrypt(this->h, dst->ptr, dst->len, + data.ptr, data.len) == 0; } + return gcry_cipher_decrypt(this->h, data.ptr, data.len, NULL, 0) == 0; } METHOD(crypter_t, encrypt, bool, diff --git a/src/libstrongswan/plugins/openssl/openssl_crypter.c b/src/libstrongswan/plugins/openssl/openssl_crypter.c index 66e964011..07799b1c7 100644 --- a/src/libstrongswan/plugins/openssl/openssl_crypter.c +++ b/src/libstrongswan/plugins/openssl/openssl_crypter.c @@ -114,10 +114,10 @@ static bool crypt(private_openssl_crypter_t *this, chunk_t data, chunk_t iv, EVP_CIPHER_CTX_cleanup(&ctx); } -METHOD(crypter_t, decrypt, void, +METHOD(crypter_t, decrypt, bool, private_openssl_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *dst) { - crypt(this, data, iv, dst, 0); + return crypt(this, data, iv, dst, 0); } METHOD(crypter_t, encrypt, bool, diff --git a/src/libstrongswan/plugins/padlock/padlock_aes_crypter.c b/src/libstrongswan/plugins/padlock/padlock_aes_crypter.c index 5f63401c9..b9d4eac7b 100644 --- a/src/libstrongswan/plugins/padlock/padlock_aes_crypter.c +++ b/src/libstrongswan/plugins/padlock/padlock_aes_crypter.c @@ -109,10 +109,11 @@ static void crypt(private_padlock_aes_crypter_t *this, char *iv, memwipe(key_aligned, sizeof(key_aligned)); } -METHOD(crypter_t, decrypt, void, +METHOD(crypter_t, decrypt, bool, private_padlock_aes_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *dst) { crypt(this, iv.ptr, data, dst, TRUE); + return TRUE; } METHOD(crypter_t, encrypt, bool, diff --git a/src/libstrongswan/plugins/pem/pem_builder.c b/src/libstrongswan/plugins/pem/pem_builder.c index c5d96be47..c1ce5c809 100644 --- a/src/libstrongswan/plugins/pem/pem_builder.c +++ b/src/libstrongswan/plugins/pem/pem_builder.c @@ -134,7 +134,11 @@ static status_t pem_decrypt(chunk_t *blob, encryption_algorithm_t alg, DBG1(DBG_ASN, " data size is not multiple of block size"); return PARSE_ERROR; } - crypter->decrypt(crypter, *blob, iv, &decrypted); + if (!crypter->decrypt(crypter, *blob, iv, &decrypted)) + { + crypter->destroy(crypter); + return FAILED; + } crypter->destroy(crypter); memcpy(blob->ptr, decrypted.ptr, blob->len); chunk_free(&decrypted); diff --git a/src/libstrongswan/plugins/pkcs8/pkcs8_builder.c b/src/libstrongswan/plugins/pkcs8/pkcs8_builder.c index 3e0601ce2..f9bef7786 100644 --- a/src/libstrongswan/plugins/pkcs8/pkcs8_builder.c +++ b/src/libstrongswan/plugins/pkcs8/pkcs8_builder.c @@ -170,7 +170,10 @@ static private_key_t *decrypt_private_key(chunk_t blob, } crypter->set_key(crypter, key); - crypter->decrypt(crypter, blob, iv, &decrypted); + if (!crypter->decrypt(crypter, blob, iv, &decrypted)) + { + continue; + } if (verify_padding(&decrypted)) { private_key = parse_private_key(decrypted); diff --git a/src/libtls/tls_protection.c b/src/libtls/tls_protection.c index abcc42064..8263728bb 100644 --- a/src/libtls/tls_protection.c +++ b/src/libtls/tls_protection.c @@ -150,7 +150,12 @@ METHOD(tls_protection_t, process, status_t, return NEED_MORE; } } - this->crypter_in->decrypt(this->crypter_in, data, iv, NULL); + if (!this->crypter_in->decrypt(this->crypter_in, data, iv, NULL)) + { + free(next_iv.ptr); + this->alert->add(this->alert, TLS_FATAL, TLS_BAD_RECORD_MAC); + return NEED_MORE; + } if (next_iv.len) { /* next record IV is last ciphertext block of this record */ |