author | Mike Belopuhov <mikeb@cvs.openbsd.org> | 2010-09-30 10:34:57 +0000 |
---|---|---|
committer | Mike Belopuhov <mikeb@cvs.openbsd.org> | 2010-09-30 10:34:57 +0000 |
commit | 479a9f35119ca69a9780c6991040d7719d6d3264 (patch) | |
tree | 7f7b7d5cf792b95a74e8a1f59b204082907815a0 /sbin | |
parent | 4075c030239c03b8b0fac447a2392d567ffd0fc1 (diff) |
disable padding correctly. therefore we no longer need to supply
additional space in the buffer and just pad input length up to the
block size. finalization is not needed for properly padded data.
kills a bunch of XXX's and an annoying error from openssl.
also, check a result from CipherUpdate while here.
ok reyk
Diffstat (limited to 'sbin')
-rw-r--r-- | sbin/iked/crypto.c | 12 | ||||
-rw-r--r-- | sbin/iked/ikev2_msg.c | 20 |
2 files changed, 11 insertions, 21 deletions
diff --git a/sbin/iked/crypto.c b/sbin/iked/crypto.c
index f66cc77b8dc..83d85934424 100644
--- a/sbin/iked/crypto.c
+++ b/sbin/iked/crypto.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: crypto.c,v 1.2 2010/06/14 16:31:29 reyk Exp $ */
+/* $OpenBSD: crypto.c,v 1.3 2010/09/30 10:34:56 mikeb Exp $ */
 /* $vantronix: crypto.c,v 1.18 2010/05/28 15:34:35 reyk Exp $ */
 /*
@@ -307,7 +307,6 @@ cipher_new(u_int8_t type, u_int16_t id, u_int16_t id_length)
 }
 EVP_CIPHER_CTX_init(ctx);
- EVP_CIPHER_CTX_set_padding(ctx, 0);
 encr->encr_ctx = ctx;
 return (encr);
@@ -363,6 +362,7 @@ cipher_init(struct iked_cipher *encr, int enc)
 {
 EVP_CipherInit_ex(encr->encr_ctx, encr->encr_priv, NULL, ibuf_data(encr->encr_key), ibuf_data(encr->encr_iv), enc);
+ EVP_CIPHER_CTX_set_padding(encr->encr_ctx, 0);
 }
 void
@@ -384,7 +384,11 @@ cipher_update(struct iked_cipher *encr, void *in, size_t inlen,
 int olen;
 olen = 0;
- EVP_CipherUpdate(encr->encr_ctx, out, &olen, in, inlen);
+ if (!EVP_CipherUpdate(encr->encr_ctx, out, &olen, in, inlen)) {
+ ca_sslerror();
+ *outlen = 0;
+ return;
+ }
 *outlen = (size_t)olen;
 }
@@ -427,7 +431,7 @@ cipher_ivlength(struct iked_cipher *encr)
 size_t
 cipher_outlength(struct iked_cipher *encr, size_t inlen)
 {
- return (inlen + encr->encr_length);
+ return (inlen + inlen % encr->encr_length);
 }
 struct iked_dsa *
diff --git a/sbin/iked/ikev2_msg.c b/sbin/iked/ikev2_msg.c
index a47bb53a798..be4b5231ecd 100644
--- a/sbin/iked/ikev2_msg.c
+++ b/sbin/iked/ikev2_msg.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ikev2_msg.c,v 1.7 2010/06/27 01:03:22 reyk Exp $ */
+/* $OpenBSD: ikev2_msg.c,v 1.8 2010/09/30 10:34:56 mikeb Exp $ */
 /* $vantronix: ikev2.c,v 1.101 2010/06/03 07:57:33 reyk Exp $ */
 /*
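Review bot: In cipher_init the result of `EVP_CipherInit_ex()` is still ignored, although this commit starts checking `EVP_CipherUpdate()`; a failed init leaves the context unusable and the hunk shows no way for cipher_init to report it. At minimum log it like the update path does, `if (!EVP_CipherInit_ex(...)) ca_sslerror();`. The moved `EVP_CIPHER_CTX_set_padding()` call also deserves a comment so nobody moves it back to cipher_new(), for example `/* must follow EVP_CipherInit_ex(), which appears to reset the padding setting */`.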
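Review bot: cipher_update reports an `EVP_CipherUpdate()` failure only by setting `*outlen = 0`, which a caller cannot tell apart from a successful call that produced no output. In ikev2_msg_encrypt the visible caller lines are `if (outlen && ibuf_add(dst, ibuf_data(out), outlen) != 0)` followed by `goto done;`, so a failed encryption skips the add and the function carries on building the message. Consider returning a status instead, `return (-1);` on the error path and `return (0);` at the end, and have both callers bail out on failure. The signature and return type of cipher_update lie outside the hunk, so the prototype would have to change with it.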
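Review bot: `inlen + inlen % encr->encr_length` in cipher_outlength does not round up to the block size as the commit message describes: with a 16-byte block, 17 yields 18 and 31 yields 46, and only exact multiples come out right. Assuming encr_length is the cipher block length, the round-up would be `size_t rem = inlen % encr->encr_length;` followed by `return (rem ? inlen + (encr->encr_length - rem) : inlen);`. The modulo also divides by zero if encr_length can ever be 0, which the hunk does not rule out. Callers that size buffers from this value get a length that is not block-aligned for unaligned input.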
@@ -333,11 +333,6 @@ ikev2_msg_encrypt(struct iked *env, struct iked_sa *sa, struct ibuf *src)
 if (outlen && ibuf_add(dst, ibuf_data(out), outlen) != 0)
 goto done;
- outlen = cipher_outlength(sa->sa_encr, 0);
- cipher_final(sa->sa_encr, out->buf, &outlen);
- if (outlen)
- ibuf_add(dst, out->buf, outlen);
-
 if ((ptr = ibuf_advance(dst, integrlen)) == NULL)
 goto done;
 bzero(ptr, integrlen);
@@ -498,19 +493,10 @@ ikev2_msg_decrypt(struct iked *env, struct iked_sa *sa,
 goto done;
 outlen = ibuf_length(out);
- /* XXX why does it need encrlen + blocklen to work correctly? */
- cipher_update(sa->sa_encr,
- ibuf_data(src) + encroff, encrlen + blocklen,
+
+ cipher_update(sa->sa_encr, ibuf_data(src) + encroff, encrlen,
 ibuf_data(out), &outlen);
- cipher_final(sa->sa_encr, ibuf_seek(out, outlen, blocklen), &tmplen);
- if (tmplen)
- outlen += tmplen;
- /*
- * XXX
- * XXX the padding is wrong
- * XXX
- */
 ptr = ibuf_seek(out, outlen - 1, 1);
 pad = *ptr; |
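Review bot: In the ikev2_msg_decrypt hunk nothing between `cipher_update()` and `ptr = ibuf_seek(out, outlen - 1, 1); pad = *ptr;` validates outlen. cipher_update now sets the length to 0 on an OpenSSL error, so `outlen - 1` wraps if outlen is unsigned (it is passed as the size_t out-parameter), and `*ptr` is dereferenced without a NULL check on the ibuf_seek result. With finalization gone, a ciphertext whose length is not a multiple of the block size is presumably no longer rejected by OpenSSL either, so the length should be checked here unless an earlier part of the function, outside the hunk, already does it. Suggested guards, assuming blocklen stays in scope: `if (encrlen % blocklen) goto done;` before the call, and `if (outlen == 0 || (ptr = ibuf_seek(out, outlen - 1, 1)) == NULL) goto done;` after it.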