aboutsummaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/libcharon/sa/ikev1/keymat_v1.c3
-rw-r--r--src/libsimaka/simaka_message.c6
-rw-r--r--src/libstrongswan/crypto/aead.c3
-rw-r--r--src/libstrongswan/crypto/crypters/crypter.h4
-rw-r--r--src/libstrongswan/crypto/crypto_tester.c16
-rw-r--r--src/libstrongswan/crypto/pkcs7.c6
-rw-r--r--src/libstrongswan/plugins/aes/aes_crypter.c3
-rw-r--r--src/libstrongswan/plugins/af_alg/af_alg_crypter.c3
-rw-r--r--src/libstrongswan/plugins/blowfish/blowfish_crypter.c4
-rw-r--r--src/libstrongswan/plugins/des/des_crypter.c9
-rw-r--r--src/libstrongswan/plugins/gcrypt/gcrypt_crypter.c16
-rw-r--r--src/libstrongswan/plugins/openssl/openssl_crypter.c4
-rw-r--r--src/libstrongswan/plugins/padlock/padlock_aes_crypter.c3
-rw-r--r--src/libstrongswan/plugins/pem/pem_builder.c6
-rw-r--r--src/libstrongswan/plugins/pkcs8/pkcs8_builder.c5
-rw-r--r--src/libtls/tls_protection.c7
16 files changed, 66 insertions, 32 deletions
diff --git a/src/libcharon/sa/ikev1/keymat_v1.c b/src/libcharon/sa/ikev1/keymat_v1.c
index 3c4da17c5..554bd56f7 100644
--- a/src/libcharon/sa/ikev1/keymat_v1.c
+++ b/src/libcharon/sa/ikev1/keymat_v1.c
@@ -174,8 +174,7 @@ METHOD(aead_t, decrypt, bool,
private_aead_t *this, chunk_t encrypted, chunk_t assoc, chunk_t iv,
chunk_t *plain)
{
- this->crypter->decrypt(this->crypter, encrypted, iv, plain);
- return TRUE;
+ return this->crypter->decrypt(this->crypter, encrypted, iv, plain);
}
METHOD(aead_t, get_block_size, size_t,
diff --git a/src/libsimaka/simaka_message.c b/src/libsimaka/simaka_message.c
index 1449ee267..aa36a0974 100644
--- a/src/libsimaka/simaka_message.c
+++ b/src/libsimaka/simaka_message.c
@@ -499,8 +499,10 @@ static bool decrypt(private_simaka_message_t *this)
eap_type_names, this->hdr->type);
return FALSE;
}
-
- crypter->decrypt(crypter, this->encr, this->iv, &plain);
+ if (!crypter->decrypt(crypter, this->encr, this->iv, &plain))
+ {
+ return FALSE;
+ }
this->encrypted = TRUE;
success = parse_attributes(this, plain);
diff --git a/src/libstrongswan/crypto/aead.c b/src/libstrongswan/crypto/aead.c
index 0915cd1de..595b75f87 100644
--- a/src/libstrongswan/crypto/aead.c
+++ b/src/libstrongswan/crypto/aead.c
@@ -105,8 +105,7 @@ METHOD(aead_t, decrypt, bool,
DBG1(DBG_LIB, "MAC verification failed");
return FALSE;
}
- this->crypter->decrypt(this->crypter, encrypted, iv, plain);
- return TRUE;
+ return this->crypter->decrypt(this->crypter, encrypted, iv, plain);
}
METHOD(aead_t, get_block_size, size_t,
diff --git a/src/libstrongswan/crypto/crypters/crypter.h b/src/libstrongswan/crypto/crypters/crypter.h
index e5e942d6a..a615c0e22 100644
--- a/src/libstrongswan/crypto/crypters/crypter.h
+++ b/src/libstrongswan/crypto/crypters/crypter.h
@@ -106,8 +106,10 @@ struct crypter_t {
* @param data data to decrypt
* @param iv initializing vector
* @param encrypted chunk to allocate decrypted data, or NULL
+ * @return TRUE if decryption successful
*/
- void (*decrypt) (crypter_t *this, chunk_t data, chunk_t iv,
+ __attribute__((warn_unused_result))
+ bool (*decrypt) (crypter_t *this, chunk_t data, chunk_t iv,
chunk_t *decrypted);
/**
diff --git a/src/libstrongswan/crypto/crypto_tester.c b/src/libstrongswan/crypto/crypto_tester.c
index 287c12ced..812e94914 100644
--- a/src/libstrongswan/crypto/crypto_tester.c
+++ b/src/libstrongswan/crypto/crypto_tester.c
@@ -164,8 +164,10 @@ static u_int bench_crypter(private_crypto_tester_t *this,
{
runs++;
}
- crypter->decrypt(crypter, buf, chunk_from_thing(iv), NULL);
- runs++;
+ if (crypter->decrypt(crypter, buf, chunk_from_thing(iv), NULL))
+ {
+ runs++;
+ }
}
free(buf.ptr);
crypter->destroy(crypter);
@@ -226,7 +228,10 @@ METHOD(crypto_tester_t, test_crypter, bool,
failed = TRUE;
}
/* inline decryption */
- crypter->decrypt(crypter, cipher, iv, NULL);
+ if (!crypter->decrypt(crypter, cipher, iv, NULL))
+ {
+ failed = TRUE;
+ }
if (!memeq(vector->plain, cipher.ptr, cipher.len))
{
failed = TRUE;
@@ -234,7 +239,10 @@ METHOD(crypto_tester_t, test_crypter, bool,
free(cipher.ptr);
/* allocated decryption */
cipher = chunk_create(vector->cipher, vector->len);
- crypter->decrypt(crypter, cipher, iv, &plain);
+ if (!crypter->decrypt(crypter, cipher, iv, &plain))
+ {
+ failed = TRUE;
+ }
if (!memeq(vector->plain, plain.ptr, plain.len))
{
failed = TRUE;
diff --git a/src/libstrongswan/crypto/pkcs7.c b/src/libstrongswan/crypto/pkcs7.c
index be4076f32..e422dae0e 100644
--- a/src/libstrongswan/crypto/pkcs7.c
+++ b/src/libstrongswan/crypto/pkcs7.c
@@ -639,7 +639,11 @@ end:
/* decrypt the content */
crypter->set_key(crypter, symmetric_key);
- crypter->decrypt(crypter, encrypted_content, iv, &this->data);
+ if (!crypter->decrypt(crypter, encrypted_content, iv, &this->data))
+ {
+ success = FALSE;
+ goto failed;
+ }
DBG4(DBG_LIB, "decrypted content with padding: %B", &this->data);
/* remove the padding */
diff --git a/src/libstrongswan/plugins/aes/aes_crypter.c b/src/libstrongswan/plugins/aes/aes_crypter.c
index a6757e2a9..03d3cdeda 100644
--- a/src/libstrongswan/plugins/aes/aes_crypter.c
+++ b/src/libstrongswan/plugins/aes/aes_crypter.c
@@ -1331,7 +1331,7 @@ static void decrypt_block(const private_aes_crypter_t *this, const unsigned char
state_out(out_blk, b0);
}
-METHOD(crypter_t, decrypt, void,
+METHOD(crypter_t, decrypt, bool,
private_aes_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *decrypted)
{
int pos;
@@ -1371,6 +1371,7 @@ METHOD(crypter_t, decrypt, void,
out-=16;
pos-=16;
}
+ return TRUE;
}
METHOD(crypter_t, encrypt, bool,
diff --git a/src/libstrongswan/plugins/af_alg/af_alg_crypter.c b/src/libstrongswan/plugins/af_alg/af_alg_crypter.c
index fb6a851ba..7fc0e59d8 100644
--- a/src/libstrongswan/plugins/af_alg/af_alg_crypter.c
+++ b/src/libstrongswan/plugins/af_alg/af_alg_crypter.c
@@ -131,7 +131,7 @@ static size_t lookup_alg(encryption_algorithm_t algo, char **name,
return 0;
}
-METHOD(crypter_t, decrypt, void,
+METHOD(crypter_t, decrypt, bool,
private_af_alg_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *dst)
{
if (dst)
@@ -143,6 +143,7 @@ METHOD(crypter_t, decrypt, void,
{
this->ops->crypt(this->ops, ALG_OP_DECRYPT, iv, data, data.ptr);
}
+ return TRUE;
}
METHOD(crypter_t, encrypt, bool,
diff --git a/src/libstrongswan/plugins/blowfish/blowfish_crypter.c b/src/libstrongswan/plugins/blowfish/blowfish_crypter.c
index 0ae3022c0..18c8f48a9 100644
--- a/src/libstrongswan/plugins/blowfish/blowfish_crypter.c
+++ b/src/libstrongswan/plugins/blowfish/blowfish_crypter.c
@@ -87,7 +87,7 @@ struct private_blowfish_crypter_t {
u_int32_t key_size;
};
-METHOD(crypter_t, decrypt, void,
+METHOD(crypter_t, decrypt, bool,
private_blowfish_crypter_t *this, chunk_t data, chunk_t iv,
chunk_t *decrypted)
{
@@ -108,6 +108,8 @@ METHOD(crypter_t, decrypt, void,
BF_cbc_encrypt(in, out, data.len, &this->schedule, iv.ptr, 0);
free(iv.ptr);
+
+ return TRUE;
}
METHOD(crypter_t, encrypt, bool,
diff --git a/src/libstrongswan/plugins/des/des_crypter.c b/src/libstrongswan/plugins/des/des_crypter.c
index 3c621e139..ca9ae8fc7 100644
--- a/src/libstrongswan/plugins/des/des_crypter.c
+++ b/src/libstrongswan/plugins/des/des_crypter.c
@@ -1416,7 +1416,7 @@ static void des_ede3_cbc_encrypt(des_cblock *input, des_cblock *output, long len
tin[0]=tin[1]=0;
}
-METHOD(crypter_t, decrypt, void,
+METHOD(crypter_t, decrypt, bool,
private_des_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *decrypted)
{
des_cblock ivb;
@@ -1431,6 +1431,7 @@ METHOD(crypter_t, decrypt, void,
memcpy(&ivb, iv.ptr, sizeof(des_cblock));
des_cbc_encrypt((des_cblock*)(data.ptr), (des_cblock*)out,
data.len, this->ks, &ivb, DES_DECRYPT);
+ return TRUE;
}
@@ -1452,7 +1453,7 @@ METHOD(crypter_t, encrypt, bool,
return TRUE;
}
-METHOD(crypter_t, decrypt_ecb, void,
+METHOD(crypter_t, decrypt_ecb, bool,
private_des_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *decrypted)
{
u_int8_t *out;
@@ -1465,6 +1466,7 @@ METHOD(crypter_t, decrypt_ecb, void,
}
des_ecb_encrypt((des_cblock*)(data.ptr), (des_cblock*)out,
data.len, this->ks, DES_DECRYPT);
+ return TRUE;
}
METHOD(crypter_t, encrypt_ecb, bool,
@@ -1483,7 +1485,7 @@ METHOD(crypter_t, encrypt_ecb, bool,
return TRUE;
}
-METHOD(crypter_t, decrypt3, void,
+METHOD(crypter_t, decrypt3, bool,
private_des_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *decrypted)
{
des_cblock ivb;
@@ -1499,6 +1501,7 @@ METHOD(crypter_t, decrypt3, void,
des_ede3_cbc_encrypt((des_cblock*)(data.ptr), (des_cblock*)out,
data.len, this->ks3[0], this->ks3[1], this->ks3[2],
&ivb, DES_DECRYPT);
+ return TRUE;
}
METHOD(crypter_t, encrypt3, bool,
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_crypter.c b/src/libstrongswan/plugins/gcrypt/gcrypt_crypter.c
index c1f2b65c5..3627c5064 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_crypter.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_crypter.c
@@ -70,20 +70,20 @@ static bool set_iv(private_gcrypt_crypter_t *this, chunk_t iv)
return gcry_cipher_setiv(this->h, iv.ptr, iv.len) == 0;
}
-METHOD(crypter_t, decrypt, void,
+METHOD(crypter_t, decrypt, bool,
private_gcrypt_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *dst)
{
- set_iv(this, iv);
-
- if (dst)
+ if (!set_iv(this, iv))
{
- *dst = chunk_alloc(data.len);
- gcry_cipher_decrypt(this->h, dst->ptr, dst->len, data.ptr, data.len);
+ return FALSE;
}
- else
+ if (dst)
{
- gcry_cipher_decrypt(this->h, data.ptr, data.len, NULL, 0);
+ *dst = chunk_alloc(data.len);
+ return gcry_cipher_decrypt(this->h, dst->ptr, dst->len,
+ data.ptr, data.len) == 0;
}
+ return gcry_cipher_decrypt(this->h, data.ptr, data.len, NULL, 0) == 0;
}
METHOD(crypter_t, encrypt, bool,
diff --git a/src/libstrongswan/plugins/openssl/openssl_crypter.c b/src/libstrongswan/plugins/openssl/openssl_crypter.c
index 66e964011..07799b1c7 100644
--- a/src/libstrongswan/plugins/openssl/openssl_crypter.c
+++ b/src/libstrongswan/plugins/openssl/openssl_crypter.c
@@ -114,10 +114,10 @@ static bool crypt(private_openssl_crypter_t *this, chunk_t data, chunk_t iv,
EVP_CIPHER_CTX_cleanup(&ctx);
}
-METHOD(crypter_t, decrypt, void,
+METHOD(crypter_t, decrypt, bool,
private_openssl_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *dst)
{
- crypt(this, data, iv, dst, 0);
+ return crypt(this, data, iv, dst, 0);
}
METHOD(crypter_t, encrypt, bool,
diff --git a/src/libstrongswan/plugins/padlock/padlock_aes_crypter.c b/src/libstrongswan/plugins/padlock/padlock_aes_crypter.c
index 5f63401c9..b9d4eac7b 100644
--- a/src/libstrongswan/plugins/padlock/padlock_aes_crypter.c
+++ b/src/libstrongswan/plugins/padlock/padlock_aes_crypter.c
@@ -109,10 +109,11 @@ static void crypt(private_padlock_aes_crypter_t *this, char *iv,
memwipe(key_aligned, sizeof(key_aligned));
}
-METHOD(crypter_t, decrypt, void,
+METHOD(crypter_t, decrypt, bool,
private_padlock_aes_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *dst)
{
crypt(this, iv.ptr, data, dst, TRUE);
+ return TRUE;
}
METHOD(crypter_t, encrypt, bool,
diff --git a/src/libstrongswan/plugins/pem/pem_builder.c b/src/libstrongswan/plugins/pem/pem_builder.c
index c5d96be47..c1ce5c809 100644
--- a/src/libstrongswan/plugins/pem/pem_builder.c
+++ b/src/libstrongswan/plugins/pem/pem_builder.c
@@ -134,7 +134,11 @@ static status_t pem_decrypt(chunk_t *blob, encryption_algorithm_t alg,
DBG1(DBG_ASN, " data size is not multiple of block size");
return PARSE_ERROR;
}
- crypter->decrypt(crypter, *blob, iv, &decrypted);
+ if (!crypter->decrypt(crypter, *blob, iv, &decrypted))
+ {
+ crypter->destroy(crypter);
+ return FAILED;
+ }
crypter->destroy(crypter);
memcpy(blob->ptr, decrypted.ptr, blob->len);
chunk_free(&decrypted);
diff --git a/src/libstrongswan/plugins/pkcs8/pkcs8_builder.c b/src/libstrongswan/plugins/pkcs8/pkcs8_builder.c
index 3e0601ce2..f9bef7786 100644
--- a/src/libstrongswan/plugins/pkcs8/pkcs8_builder.c
+++ b/src/libstrongswan/plugins/pkcs8/pkcs8_builder.c
@@ -170,7 +170,10 @@ static private_key_t *decrypt_private_key(chunk_t blob,
}
crypter->set_key(crypter, key);
- crypter->decrypt(crypter, blob, iv, &decrypted);
+ if (!crypter->decrypt(crypter, blob, iv, &decrypted))
+ {
+ continue;
+ }
if (verify_padding(&decrypted))
{
private_key = parse_private_key(decrypted);
diff --git a/src/libtls/tls_protection.c b/src/libtls/tls_protection.c
index abcc42064..8263728bb 100644
--- a/src/libtls/tls_protection.c
+++ b/src/libtls/tls_protection.c
@@ -150,7 +150,12 @@ METHOD(tls_protection_t, process, status_t,
return NEED_MORE;
}
}
- this->crypter_in->decrypt(this->crypter_in, data, iv, NULL);
+ if (!this->crypter_in->decrypt(this->crypter_in, data, iv, NULL))
+ {
+ free(next_iv.ptr);
+ this->alert->add(this->alert, TLS_FATAL, TLS_BAD_RECORD_MAC);
+ return NEED_MORE;
+ }
if (next_iv.len)
{ /* next record IV is last ciphertext block of this record */
generated by cgit v1.2.3 (git 2.25.1) at 2024-10-05 17:18:24 +0000