From a1ab57e2755df6c1a8fab95a0886fea368200b96 Mon Sep 17 00:00:00 2001 From: Guus Sliepen Date: Sat, 11 Oct 2003 12:16:13 +0000 Subject: [PATCH] Check all EVP_ function calls. --- src/meta.c | 9 +++++--- src/net_packet.c | 29 ++++++++++--------------- src/net_setup.c | 11 ++++++++-- src/protocol_auth.c | 52 +++++++++++++++++++++++++++++---------------- src/protocol_key.c | 12 +++++++++-- 5 files changed, 70 insertions(+), 43 deletions(-) diff --git a/src/meta.c b/src/meta.c index 5048e63b..bc0cda63 100644 --- a/src/meta.c +++ b/src/meta.c @@ -17,11 +17,12 @@ along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. - $Id: meta.c,v 1.1.2.45 2003/10/10 16:24:24 guus Exp $ + $Id: meta.c,v 1.1.2.46 2003/10/11 12:16:12 guus Exp $ */ #include "system.h" +#include #include #include "avl_tree.h" @@ -48,7 +49,8 @@ bool send_meta(connection_t *c, const char *buffer, int length) if(c->status.encryptout) { result = EVP_EncryptUpdate(c->outctx, outbuf, &outlen, buffer, length); if(!result || outlen != length) { - logger(LOG_ERR, _("Error while encrypting metadata to %s (%s): %s"), ERR_error_string(ERR_get_error(), NULL)); + logger(LOG_ERR, _("Error while encrypting metadata to %s (%s): %s"), + c->name, c->hostname, ERR_error_string(ERR_get_error(), NULL)); return false; } bufp = outbuf; @@ -133,7 +135,8 @@ bool receive_meta(connection_t *c) if(c->status.decryptin && !decrypted) { result = EVP_DecryptUpdate(c->inctx, inbuf, &lenout, c->buffer + oldlen, lenin); if(!result || lenout != lenin) { - logger(LOG_ERR, _("Error while decrypting metadata from %s (%s): %s"), ERR_error_string(ERR_get_error(), NULL)); + logger(LOG_ERR, _("Error while decrypting metadata from %s (%s): %s"), + c->name, c->hostname, ERR_error_string(ERR_get_error(), NULL)); return false; } memcpy(c->buffer + oldlen, inbuf, lenin); diff --git a/src/net_packet.c b/src/net_packet.c index 00e36fc5..d64b6bf9 100644 --- a/src/net_packet.c +++ b/src/net_packet.c @@ -17,12 +17,13 @@ along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. - $Id: net_packet.c,v 1.1.2.42 2003/10/10 16:24:24 guus Exp $ + $Id: net_packet.c,v 1.1.2.43 2003/10/11 12:16:12 guus Exp $ */ #include "system.h" #include +#include #include #include #include @@ -114,7 +115,7 @@ static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) vpn_packet_t *outpkt = pkt[0]; int outlen, outpad; char hmac[EVP_MAX_MD_SIZE]; - int i, result; + int i; cp(); @@ -145,14 +146,10 @@ static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) if(myself->cipher) { outpkt = pkt[nextpkt++]; - EVP_DecryptInit_ex(&packet_ctx, NULL, NULL, NULL, NULL); - if(!EVP_DecryptUpdate(&packet_ctx, (char *) &outpkt->seqno, &outlen, - (char *) &inpkt->seqno, inpkt->len)) { - ifdebug(TRAFFIC) logger(LOG_DEBUG, _("Error decrypting packet from %s (%s): %s"), - n->name, n->hostname, ERR_error_string(ERR_get_error(), NULL)); - return; - } - if(!EVP_DecryptFinal_ex(&packet_ctx, (char *) &outpkt->seqno + outlen, &outpad)) { + if(!EVP_DecryptInit_ex(&packet_ctx, NULL, NULL, NULL, NULL) + || !EVP_DecryptUpdate(&packet_ctx, (char *) &outpkt->seqno, &outlen, + (char *) &inpkt->seqno, inpkt->len) + || !EVP_DecryptFinal_ex(&packet_ctx, (char *) &outpkt->seqno + outlen, &outpad)) { ifdebug(TRAFFIC) logger(LOG_DEBUG, _("Error decrypting packet from %s (%s): %s"), n->name, n->hostname, ERR_error_string(ERR_get_error(), NULL)); return; @@ -288,14 +285,10 @@ static void send_udppacket(node_t *n, vpn_packet_t *inpkt) if(n->cipher) { outpkt = pkt[nextpkt++]; - EVP_EncryptInit_ex(&n->packet_ctx, NULL, NULL, NULL, NULL); - if(!EVP_EncryptUpdate(&n->packet_ctx, (char *) &outpkt->seqno, &outlen, - (char *) &inpkt->seqno, inpkt->len)) { - ifdebug(TRAFFIC) logger(LOG_ERR, _("Error while encrypting packet to %s (%s): %s"), - n->name, n->hostname, ERR_error_string(ERR_get_error(), NULL)); - return; - } - if(!EVP_EncryptFinal_ex(&n->packet_ctx, (char *) &outpkt->seqno + outlen, &outpad)) { + if(!EVP_EncryptInit_ex(&n->packet_ctx, NULL, NULL, NULL, NULL) + || !EVP_EncryptUpdate(&n->packet_ctx, (char *) &outpkt->seqno, &outlen, + (char *) &inpkt->seqno, inpkt->len) + || !EVP_EncryptFinal_ex(&n->packet_ctx, (char *) &outpkt->seqno + outlen, &outpad)) { ifdebug(TRAFFIC) logger(LOG_ERR, _("Error while encrypting packet to %s (%s): %s"), n->name, n->hostname, ERR_error_string(ERR_get_error(), NULL)); return; diff --git a/src/net_setup.c b/src/net_setup.c index c3cfb0fc..3a027487 100644 --- a/src/net_setup.c +++ b/src/net_setup.c @@ -17,7 +17,7 @@ along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. - $Id: net_setup.c,v 1.1.2.44 2003/08/28 21:05:10 guus Exp $ + $Id: net_setup.c,v 1.1.2.45 2003/10/11 12:16:12 guus Exp $ */ #include "system.h" @@ -25,6 +25,8 @@ #include #include #include +#include +#include #include "avl_tree.h" #include "conf.h" @@ -372,7 +374,12 @@ bool setup_myself(void) if(myself->cipher) { EVP_CIPHER_CTX_init(&packet_ctx); - EVP_DecryptInit_ex(&packet_ctx, myself->cipher, NULL, myself->key, myself->key + myself->cipher->key_len); + if(!EVP_DecryptInit_ex(&packet_ctx, myself->cipher, NULL, myself->key, myself->key + myself->cipher->key_len)) { + logger(LOG_ERR, _("Error during initialisation of cipher for %s (%s): %s"), + myself->name, myself->hostname, ERR_error_string(ERR_get_error(), NULL)); + return false; + } + } /* Check if we want to use message authentication codes... */ diff --git a/src/protocol_auth.c b/src/protocol_auth.c index dafcc20c..86ba345d 100644 --- a/src/protocol_auth.c +++ b/src/protocol_auth.c @@ -17,13 +17,14 @@ along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. - $Id: protocol_auth.c,v 1.1.4.26 2003/08/28 21:05:11 guus Exp $ + $Id: protocol_auth.c,v 1.1.4.27 2003/10/11 12:16:13 guus Exp $ */ #include "system.h" #include #include +#include #include #include "avl_tree.h" @@ -141,7 +142,7 @@ bool send_metakey(connection_t *c) cp(); /* Copy random data to the buffer */ - RAND_bytes(c->outkey, len); + RAND_pseudo_bytes(c->outkey, len); /* The message we send must be smaller than the modulus of the RSA key. By definition, for a key of k bits, the following formula holds: @@ -190,10 +191,14 @@ bool send_metakey(connection_t *c) /* Further outgoing requests are encrypted with the key we just generated */ if(c->outcipher) { - EVP_EncryptInit(c->outctx, c->outcipher, - c->outkey + len - c->outcipher->key_len, - c->outkey + len - c->outcipher->key_len - - c->outcipher->iv_len); + if(!EVP_EncryptInit(c->outctx, c->outcipher, + c->outkey + len - c->outcipher->key_len, + c->outkey + len - c->outcipher->key_len - + c->outcipher->iv_len)) { + logger(LOG_ERR, _("Error during initialisation of cipher for %s (%s): %s"), + c->name, c->hostname, ERR_error_string(ERR_get_error(), NULL)); + return false; + } c->status.encryptout = true; } @@ -262,10 +267,14 @@ bool metakey_h(connection_t *c) return false; } - EVP_DecryptInit(c->inctx, c->incipher, - c->inkey + len - c->incipher->key_len, - c->inkey + len - c->incipher->key_len - - c->incipher->iv_len); + if(!EVP_DecryptInit(c->inctx, c->incipher, + c->inkey + len - c->incipher->key_len, + c->inkey + len - c->incipher->key_len - + c->incipher->iv_len)) { + logger(LOG_ERR, _("Error during initialisation of cipher from %s (%s): %s"), + c->name, c->hostname, ERR_error_string(ERR_get_error(), NULL)); + return false; + } c->status.decryptin = true; } else { @@ -315,7 +324,7 @@ bool send_challenge(connection_t *c) /* Copy random data to the buffer */ - RAND_bytes(c->hischallenge, len); + RAND_pseudo_bytes(c->hischallenge, len); /* Convert to hex */ @@ -375,10 +384,13 @@ bool send_chal_reply(connection_t *c) /* Calculate the hash from the challenge we received */ - EVP_DigestInit(&ctx, c->indigest); - EVP_DigestUpdate(&ctx, c->mychallenge, - RSA_size(myself->connection->rsa_key)); - EVP_DigestFinal(&ctx, hash, NULL); + if(!EVP_DigestInit(&ctx, c->indigest) + || !EVP_DigestUpdate(&ctx, c->mychallenge, RSA_size(myself->connection->rsa_key) + || !EVP_DigestFinal(&ctx, hash, NULL))) { + logger(LOG_ERR, _("Error during calculation of response for %s (%s): %s"), + c->name, c->hostname, ERR_error_string(ERR_get_error(), NULL)); + return false; + } /* Convert the hash to a hexadecimal formatted string */ @@ -418,9 +430,13 @@ bool chal_reply_h(connection_t *c) /* Calculate the hash from the challenge we sent */ - EVP_DigestInit(&ctx, c->outdigest); - EVP_DigestUpdate(&ctx, c->hischallenge, RSA_size(c->rsa_key)); - EVP_DigestFinal(&ctx, myhash, NULL); + if(!EVP_DigestInit(&ctx, c->outdigest) + || !EVP_DigestUpdate(&ctx, c->hischallenge, RSA_size(c->rsa_key)) + || !EVP_DigestFinal(&ctx, myhash, NULL)) { + logger(LOG_ERR, _("Error during calculation of response from %s (%s): %s"), + c->name, c->hostname, ERR_error_string(ERR_get_error(), NULL)); + return false; + } /* Verify the incoming hash with the calculated hash */ diff --git a/src/protocol_key.c b/src/protocol_key.c index cb652c1e..f0c9bcc3 100644 --- a/src/protocol_key.c +++ b/src/protocol_key.c @@ -17,11 +17,14 @@ along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. - $Id: protocol_key.c,v 1.1.4.22 2003/07/24 12:08:16 guus Exp $ + $Id: protocol_key.c,v 1.1.4.23 2003/10/11 12:16:13 guus Exp $ */ #include "system.h" +#include +#include + #include "avl_tree.h" #include "connection.h" #include "logger.h" @@ -251,7 +254,12 @@ bool ans_key_h(connection_t *c) from->compression = compression; if(from->cipher) - EVP_EncryptInit_ex(&from->packet_ctx, from->cipher, NULL, from->key, from->key + from->cipher->key_len); + if(!EVP_EncryptInit_ex(&from->packet_ctx, from->cipher, NULL, from->key, from->key + from->cipher->key_len)) { + logger(LOG_ERR, _("Error during initialisation of key from %s (%s): %s"), + from->name, from->hostname, ERR_error_string(ERR_get_error(), NULL)); + return false; + } + flush_queue(from); -- 2.20.1