Module Name: src
Committed By: christos
Date: Thu Jun 1 20:40:19 UTC 2023
Modified Files:
src/crypto/external/bsd/heimdal/dist/include: crypto-headers.h
src/crypto/external/bsd/heimdal/dist/kdc: digest.c
src/crypto/external/bsd/heimdal/dist/lib/gssapi/krb5: arcfour.c
get_mic.c unwrap.c verify_mic.c wrap.c
src/crypto/external/bsd/heimdal/dist/lib/hcrypto: example_evp_cipher.c
src/crypto/external/bsd/heimdal/dist/lib/hx509: ks_file.c
src/crypto/external/bsd/heimdal/dist/lib/krb5: crypto-aes-sha1.c
crypto-arcfour.c crypto-des-common.c crypto-des.c crypto-des3.c
crypto-evp.c
src/crypto/external/bsd/heimdal/dist/lib/ntlm: ntlm.c
Log Message:
Add checks to EVP_CipherInit_ex() where they were missing and add a cheesy
define to get the RC4 cipher from the legacy provider, since the legacy
provider is not loaded by default now.
To generate a diff of this commit:
cvs rdiff -u -r1.3 -r1.4 \
src/crypto/external/bsd/heimdal/dist/include/crypto-headers.h
cvs rdiff -u -r1.3 -r1.4 src/crypto/external/bsd/heimdal/dist/kdc/digest.c
cvs rdiff -u -r1.4 -r1.5 \
src/crypto/external/bsd/heimdal/dist/lib/gssapi/krb5/arcfour.c \
src/crypto/external/bsd/heimdal/dist/lib/gssapi/krb5/get_mic.c
cvs rdiff -u -r1.3 -r1.4 \
src/crypto/external/bsd/heimdal/dist/lib/gssapi/krb5/unwrap.c \
src/crypto/external/bsd/heimdal/dist/lib/gssapi/krb5/wrap.c
cvs rdiff -u -r1.5 -r1.6 \
src/crypto/external/bsd/heimdal/dist/lib/gssapi/krb5/verify_mic.c
cvs rdiff -u -r1.2 -r1.3 \
src/crypto/external/bsd/heimdal/dist/lib/hcrypto/example_evp_cipher.c
cvs rdiff -u -r1.4 -r1.5 \
src/crypto/external/bsd/heimdal/dist/lib/hx509/ks_file.c
cvs rdiff -u -r1.3 -r1.4 \
src/crypto/external/bsd/heimdal/dist/lib/krb5/crypto-aes-sha1.c \
src/crypto/external/bsd/heimdal/dist/lib/krb5/crypto-des.c \
src/crypto/external/bsd/heimdal/dist/lib/krb5/crypto-evp.c
cvs rdiff -u -r1.4 -r1.5 \
src/crypto/external/bsd/heimdal/dist/lib/krb5/crypto-arcfour.c \
src/crypto/external/bsd/heimdal/dist/lib/krb5/crypto-des-common.c
cvs rdiff -u -r1.5 -r1.6 \
src/crypto/external/bsd/heimdal/dist/lib/krb5/crypto-des3.c
cvs rdiff -u -r1.3 -r1.4 src/crypto/external/bsd/heimdal/dist/lib/ntlm/ntlm.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/crypto/external/bsd/heimdal/dist/include/crypto-headers.h
diff -u src/crypto/external/bsd/heimdal/dist/include/crypto-headers.h:1.3 src/crypto/external/bsd/heimdal/dist/include/crypto-headers.h:1.4
--- src/crypto/external/bsd/heimdal/dist/include/crypto-headers.h:1.3 Mon Feb 5 11:00:52 2018
+++ src/crypto/external/bsd/heimdal/dist/include/crypto-headers.h Thu Jun 1 16:40:18 2023
@@ -1,4 +1,4 @@
-/* $NetBSD: crypto-headers.h,v 1.3 2018/02/05 16:00:52 christos Exp $ */
+/* $NetBSD: crypto-headers.h,v 1.4 2023/06/01 20:40:18 christos Exp $ */
#ifndef __crypto_header__
#define __crypto_header__
@@ -33,6 +33,9 @@
# define BN_set_negative(bn, flag) ((bn)->neg=(flag)?1:0)
# define BN_is_negative(bn) ((bn)->neg != 0)
# endif
+#if OPENSSL_VERSION_NUMBER >= 0x30000000UL
+# define EVP_rc4() EVP_CIPHER_fetch(NULL, "rc4", "provider=legacy")
+#endif
#endif
#else /* !HAVE_HCRYPTO_W_OPENSSL */
Index: src/crypto/external/bsd/heimdal/dist/kdc/digest.c
diff -u src/crypto/external/bsd/heimdal/dist/kdc/digest.c:1.3 src/crypto/external/bsd/heimdal/dist/kdc/digest.c:1.4
--- src/crypto/external/bsd/heimdal/dist/kdc/digest.c:1.3 Mon Feb 5 11:00:52 2018
+++ src/crypto/external/bsd/heimdal/dist/kdc/digest.c Thu Jun 1 16:40:18 2023
@@ -1,4 +1,4 @@
-/* $NetBSD: digest.c,v 1.3 2018/02/05 16:00:52 christos Exp $ */
+/* $NetBSD: digest.c,v 1.4 2023/06/01 20:40:18 christos Exp $ */
/*
* Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
@@ -1368,7 +1368,9 @@ _kdc_do_digest(krb5_context context,
#else
rc4 = EVP_CIPHER_CTX_new();
#endif
- EVP_CipherInit_ex(rc4, EVP_rc4(), NULL, sessionkey, NULL, 1);
+ if (!EVP_CipherInit_ex(rc4, EVP_rc4(), NULL, sessionkey, NULL, 1))
+ krb5_set_error_message(context, EINVAL,
+ "RC4 cipher not supported");
EVP_Cipher(rc4,
masterkey, ireq.u.ntlmRequest.sessionkey->data,
sizeof(masterkey));
Index: src/crypto/external/bsd/heimdal/dist/lib/gssapi/krb5/arcfour.c
diff -u src/crypto/external/bsd/heimdal/dist/lib/gssapi/krb5/arcfour.c:1.4 src/crypto/external/bsd/heimdal/dist/lib/gssapi/krb5/arcfour.c:1.5
--- src/crypto/external/bsd/heimdal/dist/lib/gssapi/krb5/arcfour.c:1.4 Sun Dec 15 17:50:47 2019
+++ src/crypto/external/bsd/heimdal/dist/lib/gssapi/krb5/arcfour.c Thu Jun 1 16:40:18 2023
@@ -1,4 +1,4 @@
-/* $NetBSD: arcfour.c,v 1.4 2019/12/15 22:50:47 christos Exp $ */
+/* $NetBSD: arcfour.c,v 1.5 2023/06/01 20:40:18 christos Exp $ */
/*
* Copyright (c) 2003 - 2006 Kungliga Tekniska Högskolan
@@ -308,7 +308,11 @@ _gssapi_get_mic_arcfour(OM_uint32 * mino
#else
rc4_key = EVP_CIPHER_CTX_new();
#endif
- EVP_CipherInit_ex(rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1);
+ if (!EVP_CipherInit_ex(rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1)) {
+ *minor_status = EINVAL;
+ return GSS_S_FAILURE;
+ }
+
EVP_Cipher(rc4_key, p, p, 8);
#if OPENSSL_VERSION_NUMBER < 0x10100000UL
EVP_CIPHER_CTX_cleanup(rc4_key);
@@ -393,7 +397,11 @@ _gssapi_verify_mic_arcfour(OM_uint32 * m
rc4_key = EVP_CIPHER_CTX_new();
#endif
- EVP_CipherInit_ex(rc4_key, EVP_rc4(), NULL, (void *)k6_data, NULL, 0);
+ if (!EVP_CipherInit_ex(rc4_key, EVP_rc4(), NULL, (void *)k6_data, NULL,
+ 0)) {
+ *minor_status = EINVAL;
+ return GSS_S_FAILURE;
+ }
EVP_Cipher(rc4_key, SND_SEQ, p, 8);
#if OPENSSL_VERSION_NUMBER < 0x10100000UL
EVP_CIPHER_CTX_cleanup(rc4_key);
@@ -557,7 +565,10 @@ _gssapi_wrap_arcfour(OM_uint32 * minor_s
#endif
EVP_CIPHER_CTX_init(rc4_key);
- EVP_CipherInit_ex(rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1);
+ if (!EVP_CipherInit_ex(rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1)) {
+ *minor_status = EINVAL;
+ return GSS_S_FAILURE;
+ }
EVP_Cipher(rc4_key, p0 + 24, p0 + 24, 8 + datalen);
#if OPENSSL_VERSION_NUMBER < 0x10100000UL
EVP_CIPHER_CTX_cleanup(rc4_key);
@@ -586,7 +597,10 @@ _gssapi_wrap_arcfour(OM_uint32 * minor_s
rc4_key = EVP_CIPHER_CTX_new();
#endif
- EVP_CipherInit_ex(rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1);
+ if (!EVP_CipherInit_ex(rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1)) {
+ *minor_status = EINVAL;
+ return GSS_S_FAILURE;
+ }
EVP_Cipher(rc4_key, p0 + 8, p0 + 8 /* SND_SEQ */, 8);
#if OPENSSL_VERSION_NUMBER < 0x10100000UL
EVP_CIPHER_CTX_cleanup(rc4_key);
@@ -696,7 +710,10 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint
rc4_key = EVP_CIPHER_CTX_new();
#endif
- EVP_CipherInit_ex(rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1);
+ if (!EVP_CipherInit_ex(rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1)) {
+ *minor_status = EINVAL;
+ return GSS_S_FAILURE;
+ }
EVP_Cipher(rc4_key, SND_SEQ, p0 + 8, 8);
#if OPENSSL_VERSION_NUMBER < 0x10100000UL
EVP_CIPHER_CTX_cleanup(rc4_key);
@@ -753,7 +770,10 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint
#else
rc4_key = EVP_CIPHER_CTX_new();
#endif
- EVP_CipherInit_ex(rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1);
+ if (!EVP_CipherInit_ex(rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1)) {
+ *minor_status = EINVAL;
+ return GSS_S_FAILURE;
+ }
EVP_Cipher(rc4_key, Confounder, p0 + 24, 8);
EVP_Cipher(rc4_key, output_message_buffer->value, p0 + GSS_ARCFOUR_WRAP_TOKEN_SIZE, datalen);
#if OPENSSL_VERSION_NUMBER < 0x10100000UL
@@ -1147,7 +1167,10 @@ _gssapi_wrap_iov_arcfour(OM_uint32 *mino
#else
rc4_key = EVP_CIPHER_CTX_new();
#endif
- EVP_CipherInit_ex(rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1);
+ if (!EVP_CipherInit_ex(rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1)) {
+ *minor_status = EINVAL;
+ return GSS_S_FAILURE;
+ }
/* Confounder */
EVP_Cipher(rc4_key, p0 + 24, p0 + 24, 8);
@@ -1197,7 +1220,10 @@ _gssapi_wrap_iov_arcfour(OM_uint32 *mino
#else
rc4_key = EVP_CIPHER_CTX_new();
#endif
- EVP_CipherInit_ex(rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1);
+ if (!EVP_CipherInit_ex(rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1)) {
+ *minor_status = EINVAL;
+ return GSS_S_FAILURE;
+ }
EVP_Cipher(rc4_key, p0 + 8, p0 + 8, 8); /* SND_SEQ */
#if OPENSSL_VERSION_NUMBER < 0x10100000UL
EVP_CIPHER_CTX_cleanup(rc4_key);
@@ -1344,7 +1370,10 @@ _gssapi_unwrap_iov_arcfour(OM_uint32 *mi
#endif
EVP_CIPHER_CTX_init(rc4_key);
- EVP_CipherInit_ex(rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1);
+ if (!EVP_CipherInit_ex(rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1)) {
+ *minor_status = EINVAL;
+ return GSS_S_FAILURE;
+ }
EVP_Cipher(rc4_key, snd_seq, p0 + 8, 8); /* SND_SEQ */
#if OPENSSL_VERSION_NUMBER < 0x10100000UL
EVP_CIPHER_CTX_cleanup(rc4_key);
@@ -1407,7 +1436,10 @@ _gssapi_unwrap_iov_arcfour(OM_uint32 *mi
rc4_key = EVP_CIPHER_CTX_new();
#endif
- EVP_CipherInit_ex(rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1);
+ if (!EVP_CipherInit_ex(rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1)) {
+ *minor_status = EINVAL;
+ return GSS_S_FAILURE;
+ }
/* Confounder */
EVP_Cipher(rc4_key, Confounder, p0 + 24, 8);
Index: src/crypto/external/bsd/heimdal/dist/lib/gssapi/krb5/get_mic.c
diff -u src/crypto/external/bsd/heimdal/dist/lib/gssapi/krb5/get_mic.c:1.4 src/crypto/external/bsd/heimdal/dist/lib/gssapi/krb5/get_mic.c:1.5
--- src/crypto/external/bsd/heimdal/dist/lib/gssapi/krb5/get_mic.c:1.4 Sun Dec 15 17:50:47 2019
+++ src/crypto/external/bsd/heimdal/dist/lib/gssapi/krb5/get_mic.c Thu Jun 1 16:40:18 2023
@@ -1,4 +1,4 @@
-/* $NetBSD: get_mic.c,v 1.4 2019/12/15 22:50:47 christos Exp $ */
+/* $NetBSD: get_mic.c,v 1.5 2023/06/01 20:40:18 christos Exp $ */
/*
* Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
@@ -122,7 +122,11 @@ mic_des
des_ctx = EVP_CIPHER_CTX_new();
#endif
EVP_CIPHER_CTX_init(des_ctx);
- EVP_CipherInit_ex(des_ctx, EVP_des_cbc(), NULL, key->keyvalue.data, p + 8, 1);
+ if (!EVP_CipherInit_ex(des_ctx, EVP_des_cbc(), NULL, key->keyvalue.data,
+ p + 8, 1)) {
+ *minor_status = EINVAL;
+ return GSS_S_FAILURE;
+ }
EVP_Cipher(des_ctx, p, p, 8);
#if OPENSSL_VERSION_NUMBER < 0x10100000UL
EVP_CIPHER_CTX_cleanup(des_ctx);
Index: src/crypto/external/bsd/heimdal/dist/lib/gssapi/krb5/unwrap.c
diff -u src/crypto/external/bsd/heimdal/dist/lib/gssapi/krb5/unwrap.c:1.3 src/crypto/external/bsd/heimdal/dist/lib/gssapi/krb5/unwrap.c:1.4
--- src/crypto/external/bsd/heimdal/dist/lib/gssapi/krb5/unwrap.c:1.3 Mon Feb 5 11:00:52 2018
+++ src/crypto/external/bsd/heimdal/dist/lib/gssapi/krb5/unwrap.c Thu Jun 1 16:40:18 2023
@@ -1,4 +1,4 @@
-/* $NetBSD: unwrap.c,v 1.3 2018/02/05 16:00:52 christos Exp $ */
+/* $NetBSD: unwrap.c,v 1.4 2023/06/01 20:40:18 christos Exp $ */
/*
* Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan
@@ -113,7 +113,10 @@ unwrap_des
#else
des_ctx = EVP_CIPHER_CTX_new();
#endif
- EVP_CipherInit_ex(des_ctx, EVP_des_cbc(), NULL, deskey, zero, 0);
+ if (!EVP_CipherInit_ex(des_ctx, EVP_des_cbc(), NULL, deskey, zero, 0)) {
+ *minor_status = EINVAL;
+ return GSS_S_FAILURE;
+ }
EVP_Cipher(des_ctx, p, p, input_message_buffer->length - len);
#if OPENSSL_VERSION_NUMBER < 0x10100000UL
EVP_CIPHER_CTX_cleanup(des_ctx);
@@ -163,7 +166,11 @@ unwrap_des
#else
des_ctx = EVP_CIPHER_CTX_new();
#endif
- EVP_CipherInit_ex(des_ctx, EVP_des_cbc(), NULL, key->keyvalue.data, hash, 0);
+ if (!EVP_CipherInit_ex(des_ctx, EVP_des_cbc(), NULL, key->keyvalue.data, hash,
+ 0)) {
+ *minor_status = EINVAL;
+ return GSS_S_FAILURE;
+ }
EVP_Cipher(des_ctx, p, p, 8);
#if OPENSSL_VERSION_NUMBER < 0x10100000UL
EVP_CIPHER_CTX_cleanup(des_ctx);
Index: src/crypto/external/bsd/heimdal/dist/lib/gssapi/krb5/wrap.c
diff -u src/crypto/external/bsd/heimdal/dist/lib/gssapi/krb5/wrap.c:1.3 src/crypto/external/bsd/heimdal/dist/lib/gssapi/krb5/wrap.c:1.4
--- src/crypto/external/bsd/heimdal/dist/lib/gssapi/krb5/wrap.c:1.3 Mon Feb 5 11:00:52 2018
+++ src/crypto/external/bsd/heimdal/dist/lib/gssapi/krb5/wrap.c Thu Jun 1 16:40:18 2023
@@ -1,4 +1,4 @@
-/* $NetBSD: wrap.c,v 1.3 2018/02/05 16:00:52 christos Exp $ */
+/* $NetBSD: wrap.c,v 1.4 2023/06/01 20:40:18 christos Exp $ */
/*
* Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
@@ -308,7 +308,11 @@ wrap_des
#else
des_ctx = EVP_CIPHER_CTX_new();
#endif
- EVP_CipherInit_ex(des_ctx, EVP_des_cbc(), NULL, key->keyvalue.data, p + 8, 1);
+ if (!EVP_CipherInit_ex(des_ctx, EVP_des_cbc(), NULL, key->keyvalue.data,
+ p + 8, 1)) {
+ *minor_status = EINVAL;
+ return GSS_S_FAILURE;
+ }
EVP_Cipher(des_ctx, p, p, 8);
#if OPENSSL_VERSION_NUMBER < 0x10100000UL
EVP_CIPHER_CTX_cleanup(des_ctx);
@@ -337,7 +341,10 @@ wrap_des
#else
des_ctx = EVP_CIPHER_CTX_new();
#endif
- EVP_CipherInit_ex(des_ctx, EVP_des_cbc(), NULL, deskey, zero, 1);
+ if (!EVP_CipherInit_ex(des_ctx, EVP_des_cbc(), NULL, deskey, zero, 1)) {
+ *minor_status = EINVAL;
+ return GSS_S_FAILURE;
+ }
EVP_Cipher(des_ctx, p, p, datalen);
#if OPENSSL_VERSION_NUMBER < 0x10100000UL
EVP_CIPHER_CTX_cleanup(des_ctx);
Index: src/crypto/external/bsd/heimdal/dist/lib/gssapi/krb5/verify_mic.c
diff -u src/crypto/external/bsd/heimdal/dist/lib/gssapi/krb5/verify_mic.c:1.5 src/crypto/external/bsd/heimdal/dist/lib/gssapi/krb5/verify_mic.c:1.6
--- src/crypto/external/bsd/heimdal/dist/lib/gssapi/krb5/verify_mic.c:1.5 Sun Dec 15 17:50:47 2019
+++ src/crypto/external/bsd/heimdal/dist/lib/gssapi/krb5/verify_mic.c Thu Jun 1 16:40:18 2023
@@ -1,4 +1,4 @@
-/* $NetBSD: verify_mic.c,v 1.5 2019/12/15 22:50:47 christos Exp $ */
+/* $NetBSD: verify_mic.c,v 1.6 2023/06/01 20:40:18 christos Exp $ */
/*
* Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
@@ -109,7 +109,11 @@ verify_mic_des
#else
des_ctx = EVP_CIPHER_CTX_new();
#endif
- EVP_CipherInit_ex(des_ctx, EVP_des_cbc(), NULL, key->keyvalue.data, hash, 0);
+ if (!EVP_CipherInit_ex(des_ctx, EVP_des_cbc(), NULL, key->keyvalue.data,
+ hash, 0)) {
+ *minor_status = EINVAL;
+ return GSS_S_FAILURE;
+ }
EVP_Cipher(des_ctx, p, p, 8);
#if OPENSSL_VERSION_NUMBER < 0x10100000UL
EVP_CIPHER_CTX_cleanup(des_ctx);
Index: src/crypto/external/bsd/heimdal/dist/lib/hcrypto/example_evp_cipher.c
diff -u src/crypto/external/bsd/heimdal/dist/lib/hcrypto/example_evp_cipher.c:1.2 src/crypto/external/bsd/heimdal/dist/lib/hcrypto/example_evp_cipher.c:1.3
--- src/crypto/external/bsd/heimdal/dist/lib/hcrypto/example_evp_cipher.c:1.2 Sat Jan 28 16:31:47 2017
+++ src/crypto/external/bsd/heimdal/dist/lib/hcrypto/example_evp_cipher.c Thu Jun 1 16:40:18 2023
@@ -1,4 +1,4 @@
-/* $NetBSD: example_evp_cipher.c,v 1.2 2017/01/28 21:31:47 christos Exp $ */
+/* $NetBSD: example_evp_cipher.c,v 1.3 2023/06/01 20:40:18 christos Exp $ */
/*
* Copyright (c) 2008 Kungliga Tekniska Högskolan
@@ -137,7 +137,8 @@ main(int argc, char **argv)
* ivec.
*/
EVP_CIPHER_CTX_init(&ctx);
- EVP_CipherInit_ex(&ctx, c, NULL, key, ivec, encryptp);
+ if (!EVP_CipherInit_ex(&ctx, c, NULL, key, ivec, encryptp))
+ errx(1, "EVP_CipherInit_ex failed");
/* read in buffer */
while ((ilen = fread(ibuf, 1, block_size, in)) > 0) {
Index: src/crypto/external/bsd/heimdal/dist/lib/hx509/ks_file.c
diff -u src/crypto/external/bsd/heimdal/dist/lib/hx509/ks_file.c:1.4 src/crypto/external/bsd/heimdal/dist/lib/hx509/ks_file.c:1.5
--- src/crypto/external/bsd/heimdal/dist/lib/hx509/ks_file.c:1.4 Sun Dec 15 17:50:50 2019
+++ src/crypto/external/bsd/heimdal/dist/lib/hx509/ks_file.c Thu Jun 1 16:40:18 2023
@@ -1,4 +1,4 @@
-/* $NetBSD: ks_file.c,v 1.4 2019/12/15 22:50:50 christos Exp $ */
+/* $NetBSD: ks_file.c,v 1.5 2023/06/01 20:40:18 christos Exp $ */
/*
* Copyright (c) 2005 - 2007 Kungliga Tekniska Högskolan
@@ -122,7 +122,12 @@ try_decrypt(hx509_context context,
#else
ctx = EVP_CIPHER_CTX_new();
#endif
- EVP_CipherInit_ex(ctx, c, NULL, key, ivdata, 0);
+ if (!EVP_CipherInit_ex(ctx, c, NULL, key, ivdata, 0)) {
+ hx509_set_error_string(context, 0, EINVAL,
+ "Cannot initialize cipher");
+ ret = EINVAL;
+ goto out;
+ }
EVP_Cipher(ctx, clear.data, cipher, len);
#if OPENSSL_VERSION_NUMBER < 0x10100000UL
EVP_CIPHER_CTX_cleanup(ctx);
Index: src/crypto/external/bsd/heimdal/dist/lib/krb5/crypto-aes-sha1.c
diff -u src/crypto/external/bsd/heimdal/dist/lib/krb5/crypto-aes-sha1.c:1.3 src/crypto/external/bsd/heimdal/dist/lib/krb5/crypto-aes-sha1.c:1.4
--- src/crypto/external/bsd/heimdal/dist/lib/krb5/crypto-aes-sha1.c:1.3 Mon Feb 5 11:00:53 2018
+++ src/crypto/external/bsd/heimdal/dist/lib/krb5/crypto-aes-sha1.c Thu Jun 1 16:40:18 2023
@@ -1,4 +1,4 @@
-/* $NetBSD: crypto-aes-sha1.c,v 1.3 2018/02/05 16:00:53 christos Exp $ */
+/* $NetBSD: crypto-aes-sha1.c,v 1.4 2023/06/01 20:40:18 christos Exp $ */
/*
* Copyright (c) 1997 - 2008 Kungliga Tekniska Högskolan
@@ -134,9 +134,12 @@ AES_SHA1_PRF(krb5_context context,
#else
ctx = EVP_CIPHER_CTX_new(); /* ivec all zero */
#endif
- EVP_CipherInit_ex(ctx, c, NULL, derived->keyvalue.data, NULL, 1);
- EVP_Cipher(ctx, out->data, result.checksum.data,
- crypto->et->blocksize);
+ if (EVP_CipherInit_ex(ctx, c, NULL, derived->keyvalue.data, NULL, 1)) {
+ EVP_Cipher(ctx, out->data, result.checksum.data,
+ crypto->et->blocksize);
+ ret = EINVAL;
+ krb5_set_error_message(context, ret, "Cannot initialize cipher");
+ }
#if OPENSSL_VERSION_NUMBER < 0x10100000UL
EVP_CIPHER_CTX_cleanup(ctx);
#else
Index: src/crypto/external/bsd/heimdal/dist/lib/krb5/crypto-des.c
diff -u src/crypto/external/bsd/heimdal/dist/lib/krb5/crypto-des.c:1.3 src/crypto/external/bsd/heimdal/dist/lib/krb5/crypto-des.c:1.4
--- src/crypto/external/bsd/heimdal/dist/lib/krb5/crypto-des.c:1.3 Mon Feb 5 11:00:53 2018
+++ src/crypto/external/bsd/heimdal/dist/lib/krb5/crypto-des.c Thu Jun 1 16:40:18 2023
@@ -1,4 +1,4 @@
-/* $NetBSD: crypto-des.c,v 1.3 2018/02/05 16:00:53 christos Exp $ */
+/* $NetBSD: crypto-des.c,v 1.4 2023/06/01 20:40:18 christos Exp $ */
/*
* Copyright (c) 1997 - 2008 Kungliga Tekniska Högskolan
@@ -228,7 +228,8 @@ evp_des_encrypt_null_ivec(krb5_context c
DES_cblock ivec;
memset(&ivec, 0, sizeof(ivec));
c = encryptp ? ctx->ectx : ctx->dctx;
- EVP_CipherInit_ex(c, NULL, NULL, NULL, (void *)&ivec, -1);
+ if (!EVP_CipherInit_ex(c, NULL, NULL, NULL, (void *)&ivec, -1))
+ krb5_abortx(context, "can't initialize cipher");
EVP_Cipher(c, data, data, len);
return 0;
}
@@ -247,7 +248,8 @@ evp_des_encrypt_key_ivec(krb5_context co
DES_cblock ivec;
memcpy(&ivec, key->key->keyvalue.data, sizeof(ivec));
c = encryptp ? ctx->ectx : ctx->dctx;
- EVP_CipherInit_ex(c, NULL, NULL, NULL, (void *)&ivec, -1);
+ if (!EVP_CipherInit_ex(c, NULL, NULL, NULL, (void *)&ivec, -1))
+ krb5_abortx(context, "can't initialize cipher");
EVP_Cipher(c, data, data, len);
return 0;
}
Index: src/crypto/external/bsd/heimdal/dist/lib/krb5/crypto-evp.c
diff -u src/crypto/external/bsd/heimdal/dist/lib/krb5/crypto-evp.c:1.3 src/crypto/external/bsd/heimdal/dist/lib/krb5/crypto-evp.c:1.4
--- src/crypto/external/bsd/heimdal/dist/lib/krb5/crypto-evp.c:1.3 Mon Feb 5 11:00:53 2018
+++ src/crypto/external/bsd/heimdal/dist/lib/krb5/crypto-evp.c Thu Jun 1 16:40:18 2023
@@ -1,4 +1,4 @@
-/* $NetBSD: crypto-evp.c,v 1.3 2018/02/05 16:00:53 christos Exp $ */
+/* $NetBSD: crypto-evp.c,v 1.4 2023/06/01 20:40:18 christos Exp $ */
/*
* Copyright (c) 1997 - 2008 Kungliga Tekniska Högskolan
@@ -53,8 +53,10 @@ _krb5_evp_schedule(krb5_context context,
key->dctx = EVP_CIPHER_CTX_new();
#endif
- EVP_CipherInit_ex(key->ectx, c, NULL, kd->key->keyvalue.data, NULL, 1);
- EVP_CipherInit_ex(key->dctx, c, NULL, kd->key->keyvalue.data, NULL, 0);
+ if (!EVP_CipherInit_ex(key->ectx, c, NULL, kd->key->keyvalue.data, NULL, 1))
+ krb5_abortx(context, "can't initialize cipher");
+ if (!EVP_CipherInit_ex(key->dctx, c, NULL, kd->key->keyvalue.data, NULL, 0))
+ krb5_abortx(context, "can't initialize cipher");
}
void
@@ -91,10 +93,12 @@ _krb5_evp_encrypt(krb5_context context,
if (loiv == NULL)
return krb5_enomem(context);
memset(loiv, 0, len2);
- EVP_CipherInit_ex(c, NULL, NULL, NULL, loiv, -1);
+ if (!EVP_CipherInit_ex(c, NULL, NULL, NULL, loiv, -1))
+ krb5_abortx(context, "can't initialize cipher");
free(loiv);
- } else
- EVP_CipherInit_ex(c, NULL, NULL, NULL, ivec, -1);
+ } else if (!EVP_CipherInit_ex(c, NULL, NULL, NULL, ivec, -1))
+ krb5_abortx(context, "can't initialize cipher");
+
EVP_Cipher(c, data, data, len);
return 0;
}
@@ -111,6 +115,7 @@ _krb5_evp_encrypt_cts(krb5_context conte
void *ivec)
{
size_t i, blocksize;
+ int ret;
struct _krb5_evp_schedule *ctx = key->schedule->data;
unsigned char tmp[EVP_MAX_BLOCK_LENGTH], ivec2[EVP_MAX_BLOCK_LENGTH];
EVP_CIPHER_CTX *c;
@@ -125,15 +130,18 @@ _krb5_evp_encrypt_cts(krb5_context conte
"message block too short");
return EINVAL;
} else if (len == blocksize) {
- EVP_CipherInit_ex(c, NULL, NULL, NULL, zero_ivec, -1);
+ if (!EVP_CipherInit_ex(c, NULL, NULL, NULL, zero_ivec, -1))
+ krb5_abortx(context, "can't initialize cipher");
EVP_Cipher(c, data, data, len);
return 0;
}
if (ivec)
- EVP_CipherInit_ex(c, NULL, NULL, NULL, ivec, -1);
+ ret = EVP_CipherInit_ex(c, NULL, NULL, NULL, ivec, -1);
else
- EVP_CipherInit_ex(c, NULL, NULL, NULL, zero_ivec, -1);
+ ret = EVP_CipherInit_ex(c, NULL, NULL, NULL, zero_ivec, -1);
+ if (!ret)
+ krb5_abortx(context, "can't initialize cipher");
if (encryptp) {
@@ -149,7 +157,8 @@ _krb5_evp_encrypt_cts(krb5_context conte
for (; i < blocksize; i++)
tmp[i] = 0 ^ ivec2[i];
- EVP_CipherInit_ex(c, NULL, NULL, NULL, zero_ivec, -1);
+ if (!EVP_CipherInit_ex(c, NULL, NULL, NULL, zero_ivec, -1))
+ krb5_abortx(context, "can't initialize cipher");
EVP_Cipher(c, p, tmp, blocksize);
memcpy(p + blocksize, ivec2, len);
@@ -175,7 +184,8 @@ _krb5_evp_encrypt_cts(krb5_context conte
}
memcpy(tmp, p, blocksize);
- EVP_CipherInit_ex(c, NULL, NULL, NULL, zero_ivec, -1);
+ if (!EVP_CipherInit_ex(c, NULL, NULL, NULL, zero_ivec, -1))
+ krb5_abortx(context, "can't initialize cipher");
EVP_Cipher(c, tmp2, p, blocksize);
memcpy(tmp3, p + blocksize, len);
@@ -184,7 +194,8 @@ _krb5_evp_encrypt_cts(krb5_context conte
for (i = 0; i < len; i++)
p[i + blocksize] = tmp2[i] ^ tmp3[i];
- EVP_CipherInit_ex(c, NULL, NULL, NULL, zero_ivec, -1);
+ if (!EVP_CipherInit_ex(c, NULL, NULL, NULL, zero_ivec, -1))
+ krb5_abortx(context, "can't initialize cipher");
EVP_Cipher(c, p, tmp3, blocksize);
for (i = 0; i < blocksize; i++)
Index: src/crypto/external/bsd/heimdal/dist/lib/krb5/crypto-arcfour.c
diff -u src/crypto/external/bsd/heimdal/dist/lib/krb5/crypto-arcfour.c:1.4 src/crypto/external/bsd/heimdal/dist/lib/krb5/crypto-arcfour.c:1.5
--- src/crypto/external/bsd/heimdal/dist/lib/krb5/crypto-arcfour.c:1.4 Sun Dec 15 17:50:50 2019
+++ src/crypto/external/bsd/heimdal/dist/lib/krb5/crypto-arcfour.c Thu Jun 1 16:40:18 2023
@@ -1,4 +1,4 @@
-/* $NetBSD: crypto-arcfour.c,v 1.4 2019/12/15 22:50:50 christos Exp $ */
+/* $NetBSD: crypto-arcfour.c,v 1.5 2023/06/01 20:40:18 christos Exp $ */
/*
* Copyright (c) 1997 - 2008 Kungliga Tekniska Högskolan
@@ -184,7 +184,8 @@ ARCFOUR_subencrypt(krb5_context context,
ctx = EVP_CIPHER_CTX_new();
#endif
- EVP_CipherInit_ex(ctx, EVP_rc4(), NULL, k3_c.checksum.data, NULL, 1);
+ if (!EVP_CipherInit_ex(ctx, EVP_rc4(), NULL, k3_c.checksum.data, NULL, 1))
+ krb5_abortx(context, "rc4 cipher not supported");
EVP_Cipher(ctx, cdata + 16, cdata + 16, len - 16);
#if OPENSSL_VERSION_NUMBER < 0x10100000UL
EVP_CIPHER_CTX_cleanup(ctx);
@@ -251,7 +252,8 @@ ARCFOUR_subdecrypt(krb5_context context,
#else
ctx = EVP_CIPHER_CTX_new();
#endif
- EVP_CipherInit_ex(ctx, EVP_rc4(), NULL, k3_c.checksum.data, NULL, 0);
+ if (!EVP_CipherInit_ex(ctx, EVP_rc4(), NULL, k3_c.checksum.data, NULL, 0))
+ krb5_abortx(context, "rc4 cipher not supported");
EVP_Cipher(ctx, cdata + 16, cdata + 16, len - 16);
#if OPENSSL_VERSION_NUMBER < 0x10100000UL
EVP_CIPHER_CTX_cleanup(ctx);
Index: src/crypto/external/bsd/heimdal/dist/lib/krb5/crypto-des-common.c
diff -u src/crypto/external/bsd/heimdal/dist/lib/krb5/crypto-des-common.c:1.4 src/crypto/external/bsd/heimdal/dist/lib/krb5/crypto-des-common.c:1.5
--- src/crypto/external/bsd/heimdal/dist/lib/krb5/crypto-des-common.c:1.4 Sun Dec 15 17:50:50 2019
+++ src/crypto/external/bsd/heimdal/dist/lib/krb5/crypto-des-common.c Thu Jun 1 16:40:18 2023
@@ -1,4 +1,4 @@
-/* $NetBSD: crypto-des-common.c,v 1.4 2019/12/15 22:50:50 christos Exp $ */
+/* $NetBSD: crypto-des-common.c,v 1.5 2023/06/01 20:40:18 christos Exp $ */
/*
* Copyright (c) 1997 - 2008 Kungliga Tekniska Högskolan
@@ -88,7 +88,8 @@ _krb5_des_checksum(krb5_context context,
ctx->ectx = EVP_CIPHER_CTX_new();
#endif
- EVP_CipherInit_ex(ctx->ectx, NULL, NULL, NULL, (void *)&ivec, -1);
+ if (!EVP_CipherInit_ex(ctx->ectx, NULL, NULL, NULL, (void *)&ivec, -1))
+ krb5_abortx(context, "can't initialize cipher");
EVP_Cipher(ctx->ectx, p, p, 24);
return 0;
@@ -120,7 +121,8 @@ _krb5_des_verify(krb5_context context,
#else
ctx->dctx = EVP_CIPHER_CTX_new();
#endif
- EVP_CipherInit_ex(ctx->dctx, NULL, NULL, NULL, (void *)&ivec, -1);
+ if (!EVP_CipherInit_ex(ctx->dctx, NULL, NULL, NULL, (void *)&ivec, -1))
+ krb5_abortx(context, "can't initialize cipher");
EVP_Cipher(ctx->dctx, tmp, C->checksum.data, 24);
EVP_DigestInit_ex(m, evp_md, NULL);
Index: src/crypto/external/bsd/heimdal/dist/lib/krb5/crypto-des3.c
diff -u src/crypto/external/bsd/heimdal/dist/lib/krb5/crypto-des3.c:1.5 src/crypto/external/bsd/heimdal/dist/lib/krb5/crypto-des3.c:1.6
--- src/crypto/external/bsd/heimdal/dist/lib/krb5/crypto-des3.c:1.5 Mon Feb 5 11:00:53 2018
+++ src/crypto/external/bsd/heimdal/dist/lib/krb5/crypto-des3.c Thu Jun 1 16:40:18 2023
@@ -1,4 +1,4 @@
-/* $NetBSD: crypto-des3.c,v 1.5 2018/02/05 16:00:53 christos Exp $ */
+/* $NetBSD: crypto-des3.c,v 1.6 2023/06/01 20:40:18 christos Exp $ */
/*
* Copyright (c) 1997 - 2008 Kungliga Tekniska Högskolan
@@ -101,7 +101,8 @@ DES3_prf(krb5_context context,
#else
ctx = EVP_CIPHER_CTX_new();
#endif
- EVP_CipherInit_ex(ctx, c, NULL, derived->keyvalue.data, NULL, 1);
+ if (!EVP_CipherInit_ex(ctx, c, NULL, derived->keyvalue.data, NULL, 1))
+ krb5_abortx(context, "can't initialize cipher");
EVP_Cipher(ctx, out->data, result.checksum.data,
crypto->et->prf_length);
#if OPENSSL_VERSION_NUMBER < 0x10100000UL
Index: src/crypto/external/bsd/heimdal/dist/lib/ntlm/ntlm.c
diff -u src/crypto/external/bsd/heimdal/dist/lib/ntlm/ntlm.c:1.3 src/crypto/external/bsd/heimdal/dist/lib/ntlm/ntlm.c:1.4
--- src/crypto/external/bsd/heimdal/dist/lib/ntlm/ntlm.c:1.3 Sun Dec 15 17:50:51 2019
+++ src/crypto/external/bsd/heimdal/dist/lib/ntlm/ntlm.c Thu Jun 1 16:40:19 2023
@@ -1,4 +1,4 @@
-/* $NetBSD: ntlm.c,v 1.3 2019/12/15 22:50:51 christos Exp $ */
+/* $NetBSD: ntlm.c,v 1.4 2023/06/01 20:40:19 christos Exp $ */
/*
* Copyright (c) 2006 - 2008 Kungliga Tekniska Högskolan
@@ -1197,7 +1197,8 @@ splitandenc(unsigned char *hash,
ctx = EVP_CIPHER_CTX_new();
#endif
- EVP_CipherInit_ex(ctx, EVP_des_cbc(), NULL, key, NULL, 1);
+ if (!EVP_CipherInit_ex(ctx, EVP_des_cbc(), NULL, key, NULL, 1))
+ abort();
EVP_Cipher(ctx, answer, challenge, 8);
#if OPENSSL_VERSION_NUMBER < 0x10100000UL
EVP_CIPHER_CTX_cleanup(ctx);
