svn rev #22786: trunk/src/lib/crypto/openssl/enc_provider/

tsitkova@MIT.EDU tsitkova at MIT.EDU
Fri Sep 25 11:12:28 EDT 2009


http://src.mit.edu/fisheye/changelog/krb5/?cs=22786
Commit By: tsitkova
Log Message:
Crypto modularity proj: Updated IOV crypto.



Changed Files:
U   trunk/src/lib/crypto/openssl/enc_provider/des.c
U   trunk/src/lib/crypto/openssl/enc_provider/des3.c
U   trunk/src/lib/crypto/openssl/enc_provider/rc4.c
Modified: trunk/src/lib/crypto/openssl/enc_provider/des.c
===================================================================
--- trunk/src/lib/crypto/openssl/enc_provider/des.c	2009-09-24 16:48:57 UTC (rev 22785)
+++ trunk/src/lib/crypto/openssl/enc_provider/des.c	2009-09-25 15:12:27 UTC (rev 22786)
@@ -1,34 +1,69 @@
-/*
+/* lib/crypto/openssl/enc_provider/des.c
  */
 
 #include "k5-int.h"
-#include "des_int.h"
-#include "enc_provider.h"
 #include <aead.h>
 #include <rand2key.h>
 #include <openssl/evp.h>
+#include "des_int.h"
 
 #define DES_BLOCK_SIZE  8
 #define DES_KEY_BYTES   7
 
 static krb5_error_code
+validate(const krb5_keyblock *key, const krb5_data *ivec,
+                      const krb5_data *input, const krb5_data *output)
+{
+    /* key->enctype was checked by the caller */
+    if (key->length != KRB5_MIT_DES_KEYSIZE)
+        return(KRB5_BAD_KEYSIZE);
+    if ((input->length%8) != 0)
+        return(KRB5_BAD_MSIZE);
+    if (ivec && (ivec->length != 8))
+        return(KRB5_BAD_MSIZE);
+    if (input->length != output->length)
+        return(KRB5_BAD_MSIZE);
+
+    return 0;
+}
+
+static krb5_error_code
+validate_iov(const krb5_keyblock *key, const krb5_data *ivec,
+                          const krb5_crypto_iov *data, size_t num_data)
+{
+    size_t i, input_length;
+
+    for (i = 0, input_length = 0; i < num_data; i++) {
+        const krb5_crypto_iov *iov = &data[i];
+
+        if (ENCRYPT_IOV(iov))
+            input_length += iov->data.length;
+    }
+
+    if (key->length != KRB5_MIT_DES3_KEYSIZE)
+        return(KRB5_BAD_KEYSIZE);
+    if ((input_length%DES_BLOCK_SIZE) != 0)
+        return(KRB5_BAD_MSIZE);
+    if (ivec && (ivec->length != 8))
+        return(KRB5_BAD_MSIZE);
+
+    return 0;
+}
+
+static krb5_error_code
 k5_des_encrypt(const krb5_keyblock *key, const krb5_data *ivec,
            const krb5_data *input, krb5_data *output)
 {
     int ret = 0, tmp_len = 0;
-    EVP_CIPHER_CTX  ciph_ctx;
+    unsigned int tmp_buf_len = 0;
     unsigned char   *keybuf  = NULL;
     unsigned char   *tmp_buf = NULL;
     unsigned char   iv[EVP_MAX_IV_LENGTH];
+    EVP_CIPHER_CTX  ciph_ctx;
 
-    if (key->length != KRB5_MIT_DES_KEYSIZE)
-        return(KRB5_BAD_KEYSIZE);
-    if ((input->length%8) != 0)
-    return(KRB5_BAD_MSIZE);
-    if (ivec && (ivec->length != 8))
-    return(KRB5_BAD_MSIZE);
-    if (input->length != output->length)
-    return(KRB5_BAD_MSIZE);
+    ret = validate(key, ivec, input, output);
+    if (ret)
+        return ret;
 
     keybuf=key->contents;
     keybuf[key->length] = '\0';
@@ -38,7 +73,8 @@
         memcpy(iv,ivec->data,ivec->length);
     }
 
-    tmp_buf=OPENSSL_malloc(output->length);
+    tmp_buf_len = output->length*2;
+    tmp_buf=OPENSSL_malloc(tmp_buf_len);
     if (!tmp_buf)
         return ENOMEM;
     memset(tmp_buf,0,output->length);
@@ -51,7 +87,9 @@
         EVP_CIPHER_CTX_set_padding(&ciph_ctx,0);
         ret = EVP_EncryptUpdate(&ciph_ctx, tmp_buf,  &tmp_len,
                                 (unsigned char *)input->data, input->length);
-        if (ret) {
+        if (!ret || output->length < (unsigned int)tmp_len) {
+            return KRB5_CRYPTO_INTERNAL;
+        } else {
             output->length = tmp_len;
             ret = EVP_EncryptFinal_ex(&ciph_ctx, tmp_buf + tmp_len, &tmp_len);
         }
@@ -62,7 +100,7 @@
     if (ret)
         memcpy(output->data,tmp_buf, output->length);
 
-    memset(tmp_buf,0,output->length);
+    memset(tmp_buf, 0, tmp_buf_len);
     OPENSSL_free(tmp_buf);
 
     if (!ret)
@@ -70,25 +108,21 @@
     return 0;
 }
 
+
 static krb5_error_code
 k5_des_decrypt(const krb5_keyblock *key, const krb5_data *ivec,
            const krb5_data *input, krb5_data *output)
 {
     /* key->enctype was checked by the caller */
     int ret = 0, tmp_len = 0;
-    EVP_CIPHER_CTX  ciph_ctx;
     unsigned char   *keybuf  = NULL;
     unsigned char   *tmp_buf;
     unsigned char   iv[EVP_MAX_IV_LENGTH];
+    EVP_CIPHER_CTX  ciph_ctx;
 
-    if (key->length != KRB5_MIT_DES_KEYSIZE)
-        return(KRB5_BAD_KEYSIZE);
-    if ((input->length%8) != 0)
-        return(KRB5_BAD_MSIZE);
-    if (ivec && (ivec->length != 8))
-        return(KRB5_BAD_MSIZE);
-    if (input->length != output->length)
-        return(KRB5_BAD_MSIZE);
+    ret = validate(key, ivec, input, output);
+    if (ret)
+        return ret;
 
     keybuf=key->contents;
     keybuf[key->length] = '\0';
@@ -97,7 +131,6 @@
         memset(iv,0,sizeof(iv));
         memcpy(iv,ivec->data,ivec->length);
     }
-
     tmp_buf=OPENSSL_malloc(output->length);
     if (!tmp_buf)
         return ENOMEM;
@@ -122,7 +155,7 @@
     if (ret)
         memcpy(output->data,tmp_buf, output->length);
 
-    memset(tmp_buf,0,output->length );
+    memset(tmp_buf,0,output->length);
     OPENSSL_free(tmp_buf);
 
     if (!ret)
@@ -136,19 +169,39 @@
             krb5_crypto_iov *data,
             size_t num_data)
 {
-    int ret = 0, tmp_len = 0;
-    unsigned int i = 0;
+    int ret = 0, tmp_len = MIT_DES_BLOCK_LENGTH;
     EVP_CIPHER_CTX  ciph_ctx;
     unsigned char   *keybuf = NULL ;
-    krb5_crypto_iov *iov    = NULL;
-    unsigned char   *tmp_buf = NULL;
     unsigned char   iv[EVP_MAX_IV_LENGTH];
 
-    if (ivec  && ivec->data){
+    struct iov_block_state input_pos, output_pos;
+    int oblock_len = MIT_DES_BLOCK_LENGTH*num_data;
+    unsigned char  *iblock, *oblock;
+
+    iblock = OPENSSL_malloc(MIT_DES_BLOCK_LENGTH);
+    if (!iblock)
+        return ENOMEM;
+    oblock = OPENSSL_malloc(oblock_len);
+    if (!oblock)
+        return ENOMEM;
+
+    IOV_BLOCK_STATE_INIT(&input_pos);
+    IOV_BLOCK_STATE_INIT(&output_pos);
+
+    keybuf=key->contents;
+    keybuf[key->length] = '\0';
+
+    ret = validate_iov(key, ivec, data, num_data);
+    if (ret)
+        return ret;
+
+    if (ivec && ivec->data){
         memset(iv,0,sizeof(iv));
         memcpy(iv,ivec->data,ivec->length);
-     }
+    }
 
+    memset(oblock, 0, oblock_len);
+
     EVP_CIPHER_CTX_init(&ciph_ctx);
 
     ret = EVP_EncryptInit_ex(&ciph_ctx, EVP_des_cbc(), NULL,
@@ -156,31 +209,41 @@
     if (!ret)
         return KRB5_CRYPTO_INTERNAL;
 
-    for (i = 0; i < num_data; i++) {
-        iov = &data[i];
-        if (iov->data.length <= 0) break;
-        tmp_len = iov->data.length;
+    EVP_CIPHER_CTX_set_padding(&ciph_ctx,0);
 
-        if (ENCRYPT_DATA_IOV(iov)) {
-            tmp_buf=(unsigned char *)iov->data.data;
-            ret = EVP_EncryptUpdate(&ciph_ctx, tmp_buf, &tmp_len,
-                                    (unsigned char *)iov->data.data, iov->data.length);
-            if (!ret) break;
-            iov->data.length = tmp_len;
-        }
+    for (;;) {
+
+        if (!krb5int_c_iov_get_block(iblock, MIT_DES_BLOCK_LENGTH, data, num_data, &input_pos))
+            break;
+
+        if (input_pos.iov_pos == num_data)
+            break;
+
+        ret = EVP_EncryptUpdate(&ciph_ctx, oblock, &tmp_len,
+                                (unsigned char *)iblock, input_pos.data_pos);
+        if (!ret) break;
+
+        krb5int_c_iov_put_block(data, num_data, oblock, MIT_DES_BLOCK_LENGTH, &output_pos);
     }
+
     if(ret)
-        ret = EVP_EncryptFinal_ex(&ciph_ctx, (unsigned char *)tmp_buf, &tmp_len);
+        ret = EVP_EncryptFinal_ex(&ciph_ctx, oblock+16, &tmp_len);
 
-    if (ret)
-        iov->data.length += tmp_len;
+    if (ret) {
+        if (ivec != NULL)
+            memcpy(iv, oblock, MIT_DES_BLOCK_LENGTH);
+    }
 
     EVP_CIPHER_CTX_cleanup(&ciph_ctx);
 
+    memset(iblock,0,sizeof(iblock));
+    memset(oblock,0,sizeof(oblock));
+    OPENSSL_free(iblock);
+    OPENSSL_free(oblock);
+
     if (!ret)
         return KRB5_CRYPTO_INTERNAL;
     return 0;
-
 }
 
 static krb5_error_code
@@ -189,45 +252,81 @@
            krb5_crypto_iov *data,
            size_t num_data)
 {
-    int ret = 0, tmp_len = 0;
-    unsigned int i = 0;
+    int ret = 0, tmp_len = MIT_DES_BLOCK_LENGTH;
     EVP_CIPHER_CTX  ciph_ctx;
     unsigned char   *keybuf = NULL ;
-    krb5_crypto_iov *iov    = NULL;
-    unsigned char   *tmp_buf = NULL;
     unsigned char   iv[EVP_MAX_IV_LENGTH];
 
-    if (ivec  && ivec->data){
+    struct iov_block_state input_pos, output_pos;
+    int oblock_len = MIT_DES_BLOCK_LENGTH*num_data;
+    unsigned char  *iblock, *oblock;
+
+    iblock = OPENSSL_malloc(MIT_DES_BLOCK_LENGTH);
+    if (!iblock)
+        return ENOMEM;
+    oblock = OPENSSL_malloc(oblock_len);
+    if (!oblock)
+        return ENOMEM;
+
+    IOV_BLOCK_STATE_INIT(&input_pos);
+    IOV_BLOCK_STATE_INIT(&output_pos);
+
+    keybuf=key->contents;
+    keybuf[key->length] = '\0';
+
+    ret = validate_iov(key, ivec, data, num_data);
+    if (ret)
+        return ret;
+
+    if (ivec && ivec->data){
         memset(iv,0,sizeof(iv));
         memcpy(iv,ivec->data,ivec->length);
-     }
+    }
 
+    memset(oblock, 0, oblock_len);
+
+    EVP_CIPHER_CTX_init(&ciph_ctx);
+
     ret = EVP_DecryptInit_ex(&ciph_ctx, EVP_des_cbc(), NULL,
                              keybuf, (ivec && ivec->data) ? iv : NULL);
     if (!ret)
         return KRB5_CRYPTO_INTERNAL;
 
-    for (i = 0; i < num_data; i++) {
-        iov = &data[i];
-        if (iov->data.length <= 0) break;
-        tmp_len = iov->data.length;
+    EVP_CIPHER_CTX_set_padding(&ciph_ctx,0);
 
-        if (ENCRYPT_DATA_IOV(iov)) {
-            tmp_buf=(unsigned char *)iov->data.data;
-            ret = EVP_DecryptUpdate(&ciph_ctx, tmp_buf, &tmp_len,
-                                    (unsigned char *)iov->data.data, iov->data.length);
-            if (!ret) break;
-            iov->data.length = tmp_len;
-        }
+    for (;;) {
+
+        if (!krb5int_c_iov_get_block(iblock, MIT_DES_BLOCK_LENGTH,
+                                     data, num_data, &input_pos))
+            break;
+
+        if (input_pos.iov_pos == num_data)
+            break;
+
+        ret = EVP_DecryptUpdate(&ciph_ctx, oblock, &tmp_len,
+                                (unsigned char *)iblock,
+                                input_pos.data_pos);
+        if (!ret) break;
+
+        krb5int_c_iov_put_block(data, num_data, oblock,
+                                MIT_DES_BLOCK_LENGTH, &output_pos);
     }
+
     if(ret)
-        ret = EVP_DecryptFinal_ex(&ciph_ctx, (unsigned char *)tmp_buf, &tmp_len);
+        ret = EVP_DecryptFinal_ex(&ciph_ctx, oblock+16, &tmp_len);
 
-    if (ret)
-        iov->data.length += tmp_len;
+    if (ret) {
+        if (ivec != NULL)
+            memcpy(iv, oblock, MIT_DES_BLOCK_LENGTH);
+    }
 
     EVP_CIPHER_CTX_cleanup(&ciph_ctx);
 
+    memset(iblock,0,sizeof(iblock));
+    memset(oblock,0,sizeof(oblock));
+    OPENSSL_free(iblock);
+    OPENSSL_free(oblock);
+
     if (!ret)
         return KRB5_CRYPTO_INTERNAL;
     return 0;

Modified: trunk/src/lib/crypto/openssl/enc_provider/des3.c
===================================================================
--- trunk/src/lib/crypto/openssl/enc_provider/des3.c	2009-09-24 16:48:57 UTC (rev 22785)
+++ trunk/src/lib/crypto/openssl/enc_provider/des3.c	2009-09-25 15:12:27 UTC (rev 22786)
@@ -1,4 +1,4 @@
-/*
+/* lib/crypto/openssl/enc_provider/des3.c
  */
 
 #include "k5-int.h"
@@ -14,8 +14,6 @@
 validate(const krb5_keyblock *key, const krb5_data *ivec,
 		      const krb5_data *input, const krb5_data *output)
 {
-    mit_des3_key_schedule schedule;
-
     /* key->enctype was checked by the caller */
 
     if (key->length != KRB5_MIT_DES3_KEYSIZE)
@@ -27,13 +25,6 @@
     if (input->length != output->length)
 	return(KRB5_BAD_MSIZE);
 
-    switch (mit_des3_key_sched(*(mit_des3_cblock *)key->contents,
-			       schedule)) {
-    case -1:
-	return(KRB5DES_BAD_KEYPAR);
-    case -2:
-	return(KRB5DES_WEAK_KEY);
-    }
     return 0;
 }
 
@@ -42,7 +33,6 @@
 			  const krb5_crypto_iov *data, size_t num_data)
 {
     size_t i, input_length;
-    mit_des3_key_schedule schedule;
 
     for (i = 0, input_length = 0; i < num_data; i++) {
 	const krb5_crypto_iov *iov = &data[i];
@@ -58,13 +48,6 @@
     if (ivec && (ivec->length != 8))
 	return(KRB5_BAD_MSIZE);
 
-    switch (mit_des3_key_sched(*(mit_des3_cblock *)key->contents,
-			       schedule)) {
-    case -1:
-	return(KRB5DES_BAD_KEYPAR);
-    case -2:
-	return(KRB5DES_WEAK_KEY);
-    }
     return 0;
 }
 
@@ -72,12 +55,12 @@
 k5_des3_encrypt(const krb5_keyblock *key, const krb5_data *ivec,
 		const krb5_data *input, krb5_data *output)
 {
-
     int ret = 0, tmp_len = 0;
-    EVP_CIPHER_CTX  ciph_ctx;
+    unsigned int  tmp_buf_len = 0;
     unsigned char   *keybuf  = NULL;
     unsigned char   *tmp_buf = NULL;
     unsigned char   iv[EVP_MAX_IV_LENGTH];
+    EVP_CIPHER_CTX  ciph_ctx;
 
     ret = validate(key, ivec, input, output);
     if (ret)
@@ -87,11 +70,10 @@
     keybuf[key->length] = '\0';
 
     if (ivec && ivec->data) {
-        memset(iv,0,sizeof(iv));
         memcpy(iv,ivec->data,ivec->length);
     }
-
-    tmp_buf = OPENSSL_malloc(output->length);
+    tmp_buf_len = output->length * 2;
+    tmp_buf = OPENSSL_malloc(tmp_buf_len);
     if (!tmp_buf)
         return ENOMEM;
 
@@ -101,9 +83,11 @@
                              (ivec && ivec->data) ? iv : NULL);
     if (ret) {
         EVP_CIPHER_CTX_set_padding(&ciph_ctx,0);
-        ret = EVP_EncryptUpdate(&ciph_ctx, tmp_buf,  &tmp_len,
+        ret = EVP_EncryptUpdate(&ciph_ctx, tmp_buf, &tmp_len,
                                 (unsigned char *)input->data, input->length);
-        if (ret) {
+        if (!ret || output->length < (unsigned int)tmp_len) {
+            ret = KRB5_CRYPTO_INTERNAL;
+        } else {
             output->length = tmp_len;
             ret = EVP_EncryptFinal_ex(&ciph_ctx, tmp_buf+tmp_len, &tmp_len);
         }
@@ -113,11 +97,12 @@
 
     if (ret)
         memcpy(output->data,tmp_buf, output->length);
-    memset(tmp_buf,0,output->length);
+    memset(tmp_buf, 0, tmp_buf_len);
     OPENSSL_free(tmp_buf);
 
     if (!ret)
         return KRB5_CRYPTO_INTERNAL;
+
     return 0;
 
 }
@@ -177,60 +162,43 @@
 }
 
 static krb5_error_code
-validate_and_schedule_iov(const krb5_keyblock *key, const krb5_data *ivec,
-                          const krb5_crypto_iov *data, size_t num_data,
-                          mit_des3_key_schedule *schedule)
-{
-    size_t i, input_length;
-
-    for (i = 0, input_length = 0; i < num_data; i++) {
-        const krb5_crypto_iov *iov = &data[i];
-
-        if (ENCRYPT_IOV(iov))
-            input_length += iov->data.length;
-    }
-
-    if (key->length != 24)
-        return(KRB5_BAD_KEYSIZE);
-    if ((input_length%8) != 0)
-        return(KRB5_BAD_MSIZE);
-    if (ivec && (ivec->length != 8))
-        return(KRB5_BAD_MSIZE);
-
-    switch (mit_des3_key_sched(*(mit_des3_cblock *)key->contents,
-                               *schedule)) {
-    case -1:
-        return(KRB5DES_BAD_KEYPAR);
-    case -2:
-        return(KRB5DES_WEAK_KEY);
-    }
-    return 0;
-}
-
-static krb5_error_code
 k5_des3_encrypt_iov(const krb5_keyblock *key,
 		    const krb5_data *ivec,
 		    krb5_crypto_iov *data,
 		    size_t num_data)
 {
-#if 0
-    int ret = 0, tmp_len = 0;
-    unsigned int i = 0;
+    int ret = 0, tmp_len = MIT_DES_BLOCK_LENGTH;
     EVP_CIPHER_CTX  ciph_ctx;
     unsigned char   *keybuf = NULL ;
-    krb5_crypto_iov *iov    = NULL;
-    unsigned char   *tmp_buf = NULL;
     unsigned char   iv[EVP_MAX_IV_LENGTH];
 
+    struct iov_block_state input_pos, output_pos;
+    int oblock_len = MIT_DES_BLOCK_LENGTH*num_data;
+    unsigned char  *iblock, *oblock;
+
     ret = validate_iov(key, ivec, data, num_data);
     if (ret)
-	return ret;
+        return ret;
 
+    iblock = OPENSSL_malloc(MIT_DES_BLOCK_LENGTH);
+    if (!iblock)
+        return ENOMEM;
+    oblock = OPENSSL_malloc(oblock_len);
+    if (!oblock)
+        return ENOMEM;
+
+    IOV_BLOCK_STATE_INIT(&input_pos);
+    IOV_BLOCK_STATE_INIT(&output_pos);
+
+    keybuf=key->contents;
+    keybuf[key->length] = '\0';
+
     if (ivec && ivec->data){
         memset(iv,0,sizeof(iv));
         memcpy(iv,ivec->data,ivec->length);
     }
 
+    memset(oblock, 0, oblock_len);
 
     EVP_CIPHER_CTX_init(&ciph_ctx);
 
@@ -239,48 +207,43 @@
     if (!ret)
         return KRB5_CRYPTO_INTERNAL;
 
-    for (i = 0; i < num_data; i++) {
-        iov = &data[i];
-        if (iov->data.length <= 0) break;
-        tmp_len = iov->data.length;
+    EVP_CIPHER_CTX_set_padding(&ciph_ctx,0);
 
-        if (ENCRYPT_IOV(iov)) {
-            tmp_buf=(unsigned char *)iov->data.data;
-            ret = EVP_EncryptUpdate(&ciph_ctx, tmp_buf, &tmp_len,
-                                    (unsigned char *)iov->data.data, iov->data.length);
-            if (!ret) break;
-            iov->data.length = tmp_len;
-        }
+    for (;;) {
+
+        if (!krb5int_c_iov_get_block(iblock, MIT_DES_BLOCK_LENGTH,
+                                     data, num_data, &input_pos))
+            break;
+
+        if (input_pos.iov_pos == num_data)
+            break;
+
+        ret = EVP_EncryptUpdate(&ciph_ctx, oblock, &tmp_len,
+                                (unsigned char *)iblock, input_pos.data_pos);
+        if (!ret) break;
+
+        krb5int_c_iov_put_block(data, num_data,
+                                oblock, MIT_DES_BLOCK_LENGTH, &output_pos);
     }
+
     if(ret)
-        ret = EVP_EncryptFinal_ex(&ciph_ctx, (unsigned char *)tmp_buf, &tmp_len);
+        ret = EVP_EncryptFinal_ex(&ciph_ctx, oblock+input_pos.data_pos, &tmp_len);
 
-    if (ret)
-        iov->data.length += tmp_len;
+    if (ret) {
+        if (ivec != NULL)
+            memcpy(iv, oblock, MIT_DES_BLOCK_LENGTH);
+    }
 
     EVP_CIPHER_CTX_cleanup(&ciph_ctx);
 
+    memset(iblock,0,sizeof(iblock));
+    memset(oblock,0,sizeof(oblock));
+    OPENSSL_free(iblock);
+    OPENSSL_free(oblock);
+
     if (!ret)
         return KRB5_CRYPTO_INTERNAL;
     return 0;
-#endif
-
-//#if 0
-    mit_des3_key_schedule schedule;
-    krb5_error_code err;
-
-    err = validate_and_schedule_iov(key, ivec, data, num_data, &schedule);
-    if (err)
-        return err;
-
-    /* this has a return value, but the code always returns zero */
-    krb5int_des3_cbc_encrypt_iov(data, num_data,
-			     schedule[0], schedule[1], schedule[2],
-			     ivec != NULL ? (unsigned char *) ivec->data : NULL);
-
-    zap(schedule, sizeof(schedule));
-    return(0);
-//#endif
 }
 
 static krb5_error_code
@@ -289,21 +252,84 @@
 		    krb5_crypto_iov *data,
 		    size_t num_data)
 {
-    mit_des3_key_schedule schedule;
-    krb5_error_code err;
+    int ret = 0, tmp_len = MIT_DES_BLOCK_LENGTH;
+    EVP_CIPHER_CTX  ciph_ctx;
+    unsigned char   *keybuf = NULL ;
+    unsigned char   iv[EVP_MAX_IV_LENGTH];
 
-    err = validate_and_schedule_iov(key, ivec, data, num_data, &schedule);
-    if (err)
-        return err;
+    struct iov_block_state input_pos, output_pos;
+    int oblock_len = MIT_DES_BLOCK_LENGTH*num_data;
+    unsigned char  *iblock, *oblock;
 
-    /* this has a return value, but the code always returns zero */
-    krb5int_des3_cbc_decrypt_iov(data, num_data,
-                                 schedule[0], schedule[1], schedule[2],
-                                 ivec != NULL ? (unsigned char *) ivec->data : NULL);
+    ret = validate_iov(key, ivec, data, num_data);
+    if (ret)
+        return ret;
 
-    zap(schedule, sizeof(schedule));
+    iblock = OPENSSL_malloc(MIT_DES_BLOCK_LENGTH);
+    if (!iblock)
+        return ENOMEM;
+    oblock = OPENSSL_malloc(oblock_len);
+    if (!oblock)
+        return ENOMEM;
 
-    return(0);
+    IOV_BLOCK_STATE_INIT(&input_pos);
+    IOV_BLOCK_STATE_INIT(&output_pos);
+
+    keybuf=key->contents;
+    keybuf[key->length] = '\0';
+
+    if (ivec && ivec->data){
+        memset(iv,0,sizeof(iv));
+        memcpy(iv,ivec->data,ivec->length);
+    }
+
+    memset(oblock, 0, oblock_len);
+
+    EVP_CIPHER_CTX_init(&ciph_ctx);
+
+    ret = EVP_DecryptInit_ex(&ciph_ctx, EVP_des_ede3_cbc(), NULL,
+                             keybuf, (ivec && ivec->data) ? iv : NULL);
+    if (!ret)
+        return KRB5_CRYPTO_INTERNAL;
+
+    EVP_CIPHER_CTX_set_padding(&ciph_ctx,0);
+
+    for (;;) {
+
+        if (!krb5int_c_iov_get_block(iblock, MIT_DES_BLOCK_LENGTH,
+                                     data, num_data, &input_pos))
+            break;
+
+        if (input_pos.iov_pos == num_data)
+            break;
+
+        ret = EVP_DecryptUpdate(&ciph_ctx, oblock, &tmp_len,
+                                (unsigned char *)iblock, input_pos.data_pos);
+        if (!ret) break;
+
+        krb5int_c_iov_put_block(data, num_data,
+                                oblock, MIT_DES_BLOCK_LENGTH, &output_pos);
+    }
+
+    if(ret)
+        ret = EVP_DecryptFinal_ex(&ciph_ctx,
+                                  oblock + input_pos.data_pos, &tmp_len);
+
+    if (ret) {
+        if (ivec != NULL)
+            memcpy(iv, oblock, MIT_DES_BLOCK_LENGTH);
+    }
+
+    EVP_CIPHER_CTX_cleanup(&ciph_ctx);
+
+    memset(iblock,0,sizeof(iblock));
+    memset(oblock,0,sizeof(oblock));
+    OPENSSL_free(iblock);
+    OPENSSL_free(oblock);
+
+    if (!ret)
+        return KRB5_CRYPTO_INTERNAL;
+    return 0;
 }
 
 const struct krb5_enc_provider krb5int_enc_des3 = {

Modified: trunk/src/lib/crypto/openssl/enc_provider/rc4.c
===================================================================
--- trunk/src/lib/crypto/openssl/enc_provider/rc4.c	2009-09-24 16:48:57 UTC (rev 22785)
+++ trunk/src/lib/crypto/openssl/enc_provider/rc4.c	2009-09-25 15:12:27 UTC (rev 22786)
@@ -1,11 +1,9 @@
-/* arcfour.c 
+/*  lib/crypto/openssl/enc_provider/rc4.c
  *
  * #include STD_DISCLAIMER
  */
 
 #include "k5-int.h"
-#include "arcfour-int.h"
-#include "enc_provider.h"
 #include <aead.h>
 #include <rand2key.h>
 #include <openssl/evp.h>
@@ -14,17 +12,22 @@
 #define RC4_BLOCK_SIZE 1 
 
 /* Interface layer to kerb5 crypto layer */
+
+/* prototypes */
 static krb5_error_code
 k5_arcfour_docrypt(const krb5_keyblock *, const krb5_data *,
            const krb5_data *, krb5_data *);
-
 static krb5_error_code 
 k5_arcfour_free_state ( krb5_data *state);
 static krb5_error_code
 k5_arcfour_init_state (const krb5_keyblock *key,
                krb5_keyusage keyusage, krb5_data *new_state);
 
-/* The workhorse of the arcfour system, this impliments the cipher */
+/* The workhorse of the arcfour system,
+ * this impliments the cipher
+ */
+
+/* In-place rc4 crypto */
 static krb5_error_code
 k5_arcfour_docrypt(const krb5_keyblock *key, const krb5_data *state,
            const krb5_data *input, krb5_data *output)
@@ -44,26 +47,30 @@
     keybuf[key->length] = '\0';
 
     EVP_CIPHER_CTX_init(&ciph_ctx);
+
     ret = EVP_EncryptInit_ex(&ciph_ctx, EVP_rc4(), NULL, keybuf, NULL);
     if (ret) {
         tmp_buf=(unsigned char *)output->data;
-        ret = EVP_EncryptUpdate(&ciph_ctx, tmp_buf,  &tmp_len, (unsigned char *)input->data, input->length);
+        ret = EVP_EncryptUpdate(&ciph_ctx, tmp_buf,  &tmp_len,
+                                (unsigned char *)input->data, input->length);
         output->length = tmp_len;
     }
     if (ret) {
         tmp_buf += tmp_len;
         ret = EVP_EncryptFinal_ex(&ciph_ctx, tmp_buf, &tmp_len);
     }
+
     EVP_CIPHER_CTX_cleanup(&ciph_ctx);
-    output->length += tmp_len;
 
     if (!ret)
         return KRB5_CRYPTO_INTERNAL;
+
+    output->length += tmp_len;
+
     return 0;
 }
 
-
-/* In-place decryption */
+/* In-place IOV crypto */
 static krb5_error_code
 k5_arcfour_docrypt_iov(const krb5_keyblock *key,
                const krb5_data *state,
@@ -72,10 +79,10 @@
 {
     size_t i;
     int ret = 0, tmp_len = 0;
+    unsigned char   *keybuf  = NULL ;
+    unsigned char   *tmp_buf = NULL;
+    krb5_crypto_iov *iov     = NULL;
     EVP_CIPHER_CTX  ciph_ctx;
-    unsigned char   *keybuf = NULL ;
-    krb5_crypto_iov *iov    = NULL;
-    unsigned char   *tmp_buf = NULL;
 
     keybuf=key->contents;
     keybuf[key->length] = '\0';
@@ -93,7 +100,7 @@
 
         if (ENCRYPT_IOV(iov)) {
             tmp_buf=(unsigned char *)iov->data.data;
-            ret = EVP_EncryptUpdate(&ciph_ctx, 
+            ret = EVP_EncryptUpdate(&ciph_ctx,
                       tmp_buf, &tmp_len,
                       (unsigned char *)iov->data.data, iov->data.length);
             if (!ret) break;
@@ -102,12 +109,14 @@
     }
     if(ret)
         ret = EVP_EncryptFinal_ex(&ciph_ctx, (unsigned char *)tmp_buf, &tmp_len);
-    if (ret) 
-        iov->data.length += tmp_len;
+
     EVP_CIPHER_CTX_cleanup(&ciph_ctx);
 
     if (!ret) 
-        return -1;
+        return KRB5_CRYPTO_INTERNAL;
+
+    iov->data.length += tmp_len;
+
     return 0;
 }
 




More information about the cvs-krb5 mailing list