comments inline: Lutz Jaenicke wrote:
This error message should be updated to describe the new function being called.

OpenSSL CVS Repository
http://cvs.openssl.org/
____________________________________________________________________________

Server: cvs.openssl.org Name: Lutz Jaenicke
Root: /e/openssl/cvs Email: [EMAIL PROTECTED]
Module: openssl Date: 20-Dec-2002 13:47:16
Branch: OpenSSL_0_9_7-stable Handle: 2002122012471600

Modified files: (Branch: OpenSSL_0_9_7-stable)
openssl/ssl kssl.c

Log:
Fix Kerberos5/SSL interaction
Submitted by: "Kenneth R. Robinette" <[EMAIL PROTECTED]>

Summary:
Revision Changes Path
1.20.2.8 +17 -38 openssl/ssl/kssl.c
____________________________________________________________________________

Index: openssl/ssl/kssl.c ============================================================ $ cvs diff -u -r1.20.2.7 -r1.20.2.8 kssl.c --- openssl/ssl/kssl.c 28 Nov 2002 08:08:59 -0000 1.20.2.7 +++ openssl/ssl/kssl.c 20 Dec 2002 12:47:16 -0000 1.20.2.8 
@@ -2029,44 +2029,23 @@ */ goto err; } - if (!EVP_DecryptInit_ex(&ciph_ctx, enc, NULL, kssl_ctx->key, iv)) - { - kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, - "EVP_DecryptInit_ex error decrypting authenticator.\n"); - krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY; - goto err; - } - if (!EVP_DecryptUpdate(&ciph_ctx, unenc_authent, &outl, - dec_authent->cipher->data, dec_authent->cipher->length)) - { - kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, - "EVP_DecryptUpdate error decrypting authenticator.\n"); - krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY; - goto err; - } - if (outl > unencbufsize) - { - kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, - "Buffer overflow decrypting authenticator.\n"); - krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY; - goto err; - } - if (!EVP_DecryptFinal_ex(&ciph_ctx, &(unenc_authent[outl]), &padl)) - { - kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, - "EVP_DecryptFinal_ex error decrypting authenticator.\n"); - krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY; - goto err; - } - outl += padl; - if (outl > unencbufsize) - { - kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, - "Buffer overflow decrypting authenticator.\n"); - krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY; - goto err; - } - EVP_CIPHER_CTX_cleanup(&ciph_ctx); + + if (!EVP_CipherInit(&ciph_ctx,enc,kssl_ctx->key,iv,0)) + { + kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, + "EVP_DecryptInit_ex error decrypting authenticator.\n");
+ krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY;
+ goto err;
+ }
+ outl = dec_authent->cipher->length;
+ if (!EVP_Cipher(&ciph_ctx,unenc_authent,dec_authent->cipher->data,outl))
+ {
+ kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
+ "EVP_Cipher error decrypting authenticator.\n");
+ krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY;
+ goto err;
+ }
+ EVP_CIPHER_CTX_cleanup(&ciph_ctx);
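Review bot: The new EVP_Cipher call writes outl = dec_authent->cipher->length bytes into unenc_authent without comparing that length to unencbufsize, and both "Buffer overflow decrypting authenticator." checks from the old code are removed. Unless unenc_authent is sized from that same length earlier in the function (not visible in this hunk), add a check along the lines of "if (outl > unencbufsize)" with the existing kssl_err_set / krb5rc / goto err handling before the EVP_Cipher call, so the length is validated before the write rather than after it.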
The cleanup function is only being called on successful completion.
Shouldn't we be calling it on error as well? I suggest adding after the err: label:
if (ciph_ctx) EVP_CIPHER_CTX_cleanup(&ciph_ctx);
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
