? openssl3-heimdal.diff ? x ? lib/hx509/o Index: include/crypto-headers.h =================================================================== RCS file: /cvsroot/src/crypto/external/bsd/heimdal/dist/include/crypto-headers.h,v retrieving revision 1.3 diff -u -p -u -r1.3 crypto-headers.h --- include/crypto-headers.h 5 Feb 2018 16:00:52 -0000 1.3 +++ include/crypto-headers.h 1 Jun 2023 20:35:35 -0000 @@ -33,6 +33,9 @@ # define BN_set_negative(bn, flag) ((bn)->neg=(flag)?1:0) # define BN_is_negative(bn) ((bn)->neg != 0) # endif +#if OPENSSL_VERSION_NUMBER >= 0x30000000UL +# define EVP_rc4() EVP_CIPHER_fetch(NULL, "rc4", "provider=legacy") +#endif #endif #else /* !HAVE_HCRYPTO_W_OPENSSL */ Index: kdc/digest.c =================================================================== RCS file: /cvsroot/src/crypto/external/bsd/heimdal/dist/kdc/digest.c,v retrieving revision 1.3 diff -u -p -u -r1.3 digest.c --- kdc/digest.c 5 Feb 2018 16:00:52 -0000 1.3 +++ kdc/digest.c 1 Jun 2023 20:35:35 -0000 @@ -1368,7 +1368,9 @@ _kdc_do_digest(krb5_context context, #else rc4 = EVP_CIPHER_CTX_new(); #endif - EVP_CipherInit_ex(rc4, EVP_rc4(), NULL, sessionkey, NULL, 1); + if (!EVP_CipherInit_ex(rc4, EVP_rc4(), NULL, sessionkey, NULL, 1)) + krb5_set_error_message(context, EINVAL, + "RC4 cipher not supported"); EVP_Cipher(rc4, masterkey, ireq.u.ntlmRequest.sessionkey->data, sizeof(masterkey)); Index: lib/gssapi/krb5/arcfour.c =================================================================== RCS file: /cvsroot/src/crypto/external/bsd/heimdal/dist/lib/gssapi/krb5/arcfour.c,v retrieving revision 1.4 diff -u -p -u -r1.4 arcfour.c --- lib/gssapi/krb5/arcfour.c 15 Dec 2019 22:50:47 -0000 1.4 +++ lib/gssapi/krb5/arcfour.c 1 Jun 2023 20:35:35 -0000 @@ -308,7 +308,11 @@ _gssapi_get_mic_arcfour(OM_uint32 * mino #else rc4_key = EVP_CIPHER_CTX_new(); #endif - EVP_CipherInit_ex(rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1); + if (!EVP_CipherInit_ex(rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1)) { + *minor_status = EINVAL; + return GSS_S_FAILURE; + } + EVP_Cipher(rc4_key, p, p, 8); #if OPENSSL_VERSION_NUMBER < 0x10100000UL EVP_CIPHER_CTX_cleanup(rc4_key); @@ -393,7 +397,11 @@ _gssapi_verify_mic_arcfour(OM_uint32 * m rc4_key = EVP_CIPHER_CTX_new(); #endif - EVP_CipherInit_ex(rc4_key, EVP_rc4(), NULL, (void *)k6_data, NULL, 0); + if (!EVP_CipherInit_ex(rc4_key, EVP_rc4(), NULL, (void *)k6_data, NULL, + 0)) { + *minor_status = EINVAL; + return GSS_S_FAILURE; + } EVP_Cipher(rc4_key, SND_SEQ, p, 8); #if OPENSSL_VERSION_NUMBER < 0x10100000UL EVP_CIPHER_CTX_cleanup(rc4_key); @@ -557,7 +565,10 @@ _gssapi_wrap_arcfour(OM_uint32 * minor_s #endif EVP_CIPHER_CTX_init(rc4_key); - EVP_CipherInit_ex(rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1); + if (!EVP_CipherInit_ex(rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1)) { + *minor_status = EINVAL; + return GSS_S_FAILURE; + } EVP_Cipher(rc4_key, p0 + 24, p0 + 24, 8 + datalen); #if OPENSSL_VERSION_NUMBER < 0x10100000UL EVP_CIPHER_CTX_cleanup(rc4_key); @@ -586,7 +597,10 @@ _gssapi_wrap_arcfour(OM_uint32 * minor_s rc4_key = EVP_CIPHER_CTX_new(); #endif - EVP_CipherInit_ex(rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1); + if (!EVP_CipherInit_ex(rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1)) { + *minor_status = EINVAL; + return GSS_S_FAILURE; + } EVP_Cipher(rc4_key, p0 + 8, p0 + 8 /* SND_SEQ */, 8); #if OPENSSL_VERSION_NUMBER < 0x10100000UL EVP_CIPHER_CTX_cleanup(rc4_key); @@ -696,7 +710,10 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint rc4_key = EVP_CIPHER_CTX_new(); #endif - EVP_CipherInit_ex(rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1); + if (!EVP_CipherInit_ex(rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1)) { + *minor_status = EINVAL; + return GSS_S_FAILURE; + } EVP_Cipher(rc4_key, SND_SEQ, p0 + 8, 8); #if OPENSSL_VERSION_NUMBER < 0x10100000UL EVP_CIPHER_CTX_cleanup(rc4_key); @@ -753,7 +770,10 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint #else rc4_key = EVP_CIPHER_CTX_new(); #endif - EVP_CipherInit_ex(rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1); + if (!EVP_CipherInit_ex(rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1)) { + *minor_status = EINVAL; + return GSS_S_FAILURE; + } EVP_Cipher(rc4_key, Confounder, p0 + 24, 8); EVP_Cipher(rc4_key, output_message_buffer->value, p0 + GSS_ARCFOUR_WRAP_TOKEN_SIZE, datalen); #if OPENSSL_VERSION_NUMBER < 0x10100000UL @@ -1147,7 +1167,10 @@ _gssapi_wrap_iov_arcfour(OM_uint32 *mino #else rc4_key = EVP_CIPHER_CTX_new(); #endif - EVP_CipherInit_ex(rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1); + if (!EVP_CipherInit_ex(rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1)) { + *minor_status = EINVAL; + return GSS_S_FAILURE; + } /* Confounder */ EVP_Cipher(rc4_key, p0 + 24, p0 + 24, 8); @@ -1197,7 +1220,10 @@ _gssapi_wrap_iov_arcfour(OM_uint32 *mino #else rc4_key = EVP_CIPHER_CTX_new(); #endif - EVP_CipherInit_ex(rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1); + if (!EVP_CipherInit_ex(rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1)) { + *minor_status = EINVAL; + return GSS_S_FAILURE; + } EVP_Cipher(rc4_key, p0 + 8, p0 + 8, 8); /* SND_SEQ */ #if OPENSSL_VERSION_NUMBER < 0x10100000UL EVP_CIPHER_CTX_cleanup(rc4_key); @@ -1344,7 +1370,10 @@ _gssapi_unwrap_iov_arcfour(OM_uint32 *mi #endif EVP_CIPHER_CTX_init(rc4_key); - EVP_CipherInit_ex(rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1); + if (!EVP_CipherInit_ex(rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1)) { + *minor_status = EINVAL; + return GSS_S_FAILURE; + } EVP_Cipher(rc4_key, snd_seq, p0 + 8, 8); /* SND_SEQ */ #if OPENSSL_VERSION_NUMBER < 0x10100000UL EVP_CIPHER_CTX_cleanup(rc4_key); @@ -1407,7 +1436,10 @@ _gssapi_unwrap_iov_arcfour(OM_uint32 *mi rc4_key = EVP_CIPHER_CTX_new(); #endif - EVP_CipherInit_ex(rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1); + if (!EVP_CipherInit_ex(rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1)) { + *minor_status = EINVAL; + return GSS_S_FAILURE; + } /* Confounder */ EVP_Cipher(rc4_key, Confounder, p0 + 24, 8); Index: lib/gssapi/krb5/get_mic.c =================================================================== RCS file: /cvsroot/src/crypto/external/bsd/heimdal/dist/lib/gssapi/krb5/get_mic.c,v retrieving revision 1.4 diff -u -p -u -r1.4 get_mic.c --- lib/gssapi/krb5/get_mic.c 15 Dec 2019 22:50:47 -0000 1.4 +++ lib/gssapi/krb5/get_mic.c 1 Jun 2023 20:35:35 -0000 @@ -122,7 +122,11 @@ mic_des des_ctx = EVP_CIPHER_CTX_new(); #endif EVP_CIPHER_CTX_init(des_ctx); - EVP_CipherInit_ex(des_ctx, EVP_des_cbc(), NULL, key->keyvalue.data, p + 8, 1); + if (!EVP_CipherInit_ex(des_ctx, EVP_des_cbc(), NULL, key->keyvalue.data, + p + 8, 1)) { + *minor_status = EINVAL; + return GSS_S_FAILURE; + } EVP_Cipher(des_ctx, p, p, 8); #if OPENSSL_VERSION_NUMBER < 0x10100000UL EVP_CIPHER_CTX_cleanup(des_ctx); Index: lib/gssapi/krb5/unwrap.c =================================================================== RCS file: /cvsroot/src/crypto/external/bsd/heimdal/dist/lib/gssapi/krb5/unwrap.c,v retrieving revision 1.3 diff -u -p -u -r1.3 unwrap.c --- lib/gssapi/krb5/unwrap.c 5 Feb 2018 16:00:52 -0000 1.3 +++ lib/gssapi/krb5/unwrap.c 1 Jun 2023 20:35:35 -0000 @@ -113,7 +113,10 @@ unwrap_des #else des_ctx = EVP_CIPHER_CTX_new(); #endif - EVP_CipherInit_ex(des_ctx, EVP_des_cbc(), NULL, deskey, zero, 0); + if (!EVP_CipherInit_ex(des_ctx, EVP_des_cbc(), NULL, deskey, zero, 0)) { + *minor_status = EINVAL; + return GSS_S_FAILURE; + } EVP_Cipher(des_ctx, p, p, input_message_buffer->length - len); #if OPENSSL_VERSION_NUMBER < 0x10100000UL EVP_CIPHER_CTX_cleanup(des_ctx); @@ -163,7 +166,11 @@ unwrap_des #else des_ctx = EVP_CIPHER_CTX_new(); #endif - EVP_CipherInit_ex(des_ctx, EVP_des_cbc(), NULL, key->keyvalue.data, hash, 0); + if (!EVP_CipherInit_ex(des_ctx, EVP_des_cbc(), NULL, key->keyvalue.data, hash, + 0)) { + *minor_status = EINVAL; + return GSS_S_FAILURE; + } EVP_Cipher(des_ctx, p, p, 8); #if OPENSSL_VERSION_NUMBER < 0x10100000UL EVP_CIPHER_CTX_cleanup(des_ctx); Index: lib/gssapi/krb5/verify_mic.c =================================================================== RCS file: /cvsroot/src/crypto/external/bsd/heimdal/dist/lib/gssapi/krb5/verify_mic.c,v retrieving revision 1.5 diff -u -p -u -r1.5 verify_mic.c --- lib/gssapi/krb5/verify_mic.c 15 Dec 2019 22:50:47 -0000 1.5 +++ lib/gssapi/krb5/verify_mic.c 1 Jun 2023 20:35:35 -0000 @@ -109,7 +109,11 @@ verify_mic_des #else des_ctx = EVP_CIPHER_CTX_new(); #endif - EVP_CipherInit_ex(des_ctx, EVP_des_cbc(), NULL, key->keyvalue.data, hash, 0); + if (!EVP_CipherInit_ex(des_ctx, EVP_des_cbc(), NULL, key->keyvalue.data, + hash, 0)) { + *minor_status = EINVAL; + return GSS_S_FAILURE; + } EVP_Cipher(des_ctx, p, p, 8); #if OPENSSL_VERSION_NUMBER < 0x10100000UL EVP_CIPHER_CTX_cleanup(des_ctx); Index: lib/gssapi/krb5/wrap.c =================================================================== RCS file: /cvsroot/src/crypto/external/bsd/heimdal/dist/lib/gssapi/krb5/wrap.c,v retrieving revision 1.3 diff -u -p -u -r1.3 wrap.c --- lib/gssapi/krb5/wrap.c 5 Feb 2018 16:00:52 -0000 1.3 +++ lib/gssapi/krb5/wrap.c 1 Jun 2023 20:35:35 -0000 @@ -308,7 +308,11 @@ wrap_des #else des_ctx = EVP_CIPHER_CTX_new(); #endif - EVP_CipherInit_ex(des_ctx, EVP_des_cbc(), NULL, key->keyvalue.data, p + 8, 1); + if (!EVP_CipherInit_ex(des_ctx, EVP_des_cbc(), NULL, key->keyvalue.data, + p + 8, 1)) { + *minor_status = EINVAL; + return GSS_S_FAILURE; + } EVP_Cipher(des_ctx, p, p, 8); #if OPENSSL_VERSION_NUMBER < 0x10100000UL EVP_CIPHER_CTX_cleanup(des_ctx); @@ -337,7 +341,10 @@ wrap_des #else des_ctx = EVP_CIPHER_CTX_new(); #endif - EVP_CipherInit_ex(des_ctx, EVP_des_cbc(), NULL, deskey, zero, 1); + if (!EVP_CipherInit_ex(des_ctx, EVP_des_cbc(), NULL, deskey, zero, 1)) { + *minor_status = EINVAL; + return GSS_S_FAILURE; + } EVP_Cipher(des_ctx, p, p, datalen); #if OPENSSL_VERSION_NUMBER < 0x10100000UL EVP_CIPHER_CTX_cleanup(des_ctx); Index: lib/hcrypto/example_evp_cipher.c =================================================================== RCS file: /cvsroot/src/crypto/external/bsd/heimdal/dist/lib/hcrypto/example_evp_cipher.c,v retrieving revision 1.2 diff -u -p -u -r1.2 example_evp_cipher.c --- lib/hcrypto/example_evp_cipher.c 28 Jan 2017 21:31:47 -0000 1.2 +++ lib/hcrypto/example_evp_cipher.c 1 Jun 2023 20:35:35 -0000 @@ -137,7 +137,8 @@ main(int argc, char **argv) * ivec. */ EVP_CIPHER_CTX_init(&ctx); - EVP_CipherInit_ex(&ctx, c, NULL, key, ivec, encryptp); + if (!EVP_CipherInit_ex(&ctx, c, NULL, key, ivec, encryptp)) + errx(1, "EVP_CipherInit_ex failed"); /* read in buffer */ while ((ilen = fread(ibuf, 1, block_size, in)) > 0) { Index: lib/hx509/ks_file.c =================================================================== RCS file: /cvsroot/src/crypto/external/bsd/heimdal/dist/lib/hx509/ks_file.c,v retrieving revision 1.4 diff -u -p -u -r1.4 ks_file.c --- lib/hx509/ks_file.c 15 Dec 2019 22:50:50 -0000 1.4 +++ lib/hx509/ks_file.c 1 Jun 2023 20:35:35 -0000 @@ -122,7 +122,12 @@ try_decrypt(hx509_context context, #else ctx = EVP_CIPHER_CTX_new(); #endif - EVP_CipherInit_ex(ctx, c, NULL, key, ivdata, 0); + if (!EVP_CipherInit_ex(ctx, c, NULL, key, ivdata, 0)) { + hx509_set_error_string(context, 0, EINVAL, + "Cannot initialize cipher"); + ret = EINVAL; + goto out; + } EVP_Cipher(ctx, clear.data, cipher, len); #if OPENSSL_VERSION_NUMBER < 0x10100000UL EVP_CIPHER_CTX_cleanup(ctx); Index: lib/krb5/crypto-aes-sha1.c =================================================================== RCS file: /cvsroot/src/crypto/external/bsd/heimdal/dist/lib/krb5/crypto-aes-sha1.c,v retrieving revision 1.3 diff -u -p -u -r1.3 crypto-aes-sha1.c --- lib/krb5/crypto-aes-sha1.c 5 Feb 2018 16:00:53 -0000 1.3 +++ lib/krb5/crypto-aes-sha1.c 1 Jun 2023 20:35:35 -0000 @@ -134,9 +134,12 @@ AES_SHA1_PRF(krb5_context context, #else ctx = EVP_CIPHER_CTX_new(); /* ivec all zero */ #endif - EVP_CipherInit_ex(ctx, c, NULL, derived->keyvalue.data, NULL, 1); - EVP_Cipher(ctx, out->data, result.checksum.data, - crypto->et->blocksize); + if (EVP_CipherInit_ex(ctx, c, NULL, derived->keyvalue.data, NULL, 1)) { + EVP_Cipher(ctx, out->data, result.checksum.data, + crypto->et->blocksize); + ret = EINVAL; + krb5_set_error_message(context, ret, "Cannot initialize cipher"); + } #if OPENSSL_VERSION_NUMBER < 0x10100000UL EVP_CIPHER_CTX_cleanup(ctx); #else Index: lib/krb5/crypto-arcfour.c =================================================================== RCS file: /cvsroot/src/crypto/external/bsd/heimdal/dist/lib/krb5/crypto-arcfour.c,v retrieving revision 1.4 diff -u -p -u -r1.4 crypto-arcfour.c --- lib/krb5/crypto-arcfour.c 15 Dec 2019 22:50:50 -0000 1.4 +++ lib/krb5/crypto-arcfour.c 1 Jun 2023 20:35:35 -0000 @@ -184,7 +184,8 @@ ARCFOUR_subencrypt(krb5_context context, ctx = EVP_CIPHER_CTX_new(); #endif - EVP_CipherInit_ex(ctx, EVP_rc4(), NULL, k3_c.checksum.data, NULL, 1); + if (!EVP_CipherInit_ex(ctx, EVP_rc4(), NULL, k3_c.checksum.data, NULL, 1)) + krb5_abortx(context, "rc4 cipher not supported"); EVP_Cipher(ctx, cdata + 16, cdata + 16, len - 16); #if OPENSSL_VERSION_NUMBER < 0x10100000UL EVP_CIPHER_CTX_cleanup(ctx); @@ -251,7 +252,8 @@ ARCFOUR_subdecrypt(krb5_context context, #else ctx = EVP_CIPHER_CTX_new(); #endif - EVP_CipherInit_ex(ctx, EVP_rc4(), NULL, k3_c.checksum.data, NULL, 0); + if (!EVP_CipherInit_ex(ctx, EVP_rc4(), NULL, k3_c.checksum.data, NULL, 0)) + krb5_abortx(context, "rc4 cipher not supported"); EVP_Cipher(ctx, cdata + 16, cdata + 16, len - 16); #if OPENSSL_VERSION_NUMBER < 0x10100000UL EVP_CIPHER_CTX_cleanup(ctx); Index: lib/krb5/crypto-des-common.c =================================================================== RCS file: /cvsroot/src/crypto/external/bsd/heimdal/dist/lib/krb5/crypto-des-common.c,v retrieving revision 1.4 diff -u -p -u -r1.4 crypto-des-common.c --- lib/krb5/crypto-des-common.c 15 Dec 2019 22:50:50 -0000 1.4 +++ lib/krb5/crypto-des-common.c 1 Jun 2023 20:35:35 -0000 @@ -88,7 +88,8 @@ _krb5_des_checksum(krb5_context context, ctx->ectx = EVP_CIPHER_CTX_new(); #endif - EVP_CipherInit_ex(ctx->ectx, NULL, NULL, NULL, (void *)&ivec, -1); + if (!EVP_CipherInit_ex(ctx->ectx, NULL, NULL, NULL, (void *)&ivec, -1)) + krb5_abortx(context, "can't initialize cipher"); EVP_Cipher(ctx->ectx, p, p, 24); return 0; @@ -120,7 +121,8 @@ _krb5_des_verify(krb5_context context, #else ctx->dctx = EVP_CIPHER_CTX_new(); #endif - EVP_CipherInit_ex(ctx->dctx, NULL, NULL, NULL, (void *)&ivec, -1); + if (!EVP_CipherInit_ex(ctx->dctx, NULL, NULL, NULL, (void *)&ivec, -1)) + krb5_abortx(context, "can't initialize cipher"); EVP_Cipher(ctx->dctx, tmp, C->checksum.data, 24); EVP_DigestInit_ex(m, evp_md, NULL); Index: lib/krb5/crypto-des.c =================================================================== RCS file: /cvsroot/src/crypto/external/bsd/heimdal/dist/lib/krb5/crypto-des.c,v retrieving revision 1.3 diff -u -p -u -r1.3 crypto-des.c --- lib/krb5/crypto-des.c 5 Feb 2018 16:00:53 -0000 1.3 +++ lib/krb5/crypto-des.c 1 Jun 2023 20:35:35 -0000 @@ -228,7 +228,8 @@ evp_des_encrypt_null_ivec(krb5_context c DES_cblock ivec; memset(&ivec, 0, sizeof(ivec)); c = encryptp ? ctx->ectx : ctx->dctx; - EVP_CipherInit_ex(c, NULL, NULL, NULL, (void *)&ivec, -1); + if (!EVP_CipherInit_ex(c, NULL, NULL, NULL, (void *)&ivec, -1)) + krb5_abortx(context, "can't initialize cipher"); EVP_Cipher(c, data, data, len); return 0; } @@ -247,7 +248,8 @@ evp_des_encrypt_key_ivec(krb5_context co DES_cblock ivec; memcpy(&ivec, key->key->keyvalue.data, sizeof(ivec)); c = encryptp ? ctx->ectx : ctx->dctx; - EVP_CipherInit_ex(c, NULL, NULL, NULL, (void *)&ivec, -1); + if (!EVP_CipherInit_ex(c, NULL, NULL, NULL, (void *)&ivec, -1)) + krb5_abortx(context, "can't initialize cipher"); EVP_Cipher(c, data, data, len); return 0; } Index: lib/krb5/crypto-des3.c =================================================================== RCS file: /cvsroot/src/crypto/external/bsd/heimdal/dist/lib/krb5/crypto-des3.c,v retrieving revision 1.5 diff -u -p -u -r1.5 crypto-des3.c --- lib/krb5/crypto-des3.c 5 Feb 2018 16:00:53 -0000 1.5 +++ lib/krb5/crypto-des3.c 1 Jun 2023 20:35:35 -0000 @@ -101,7 +101,8 @@ DES3_prf(krb5_context context, #else ctx = EVP_CIPHER_CTX_new(); #endif - EVP_CipherInit_ex(ctx, c, NULL, derived->keyvalue.data, NULL, 1); + if (!EVP_CipherInit_ex(ctx, c, NULL, derived->keyvalue.data, NULL, 1)) + krb5_abortx(context, "can't initialize cipher"); EVP_Cipher(ctx, out->data, result.checksum.data, crypto->et->prf_length); #if OPENSSL_VERSION_NUMBER < 0x10100000UL Index: lib/krb5/crypto-evp.c =================================================================== RCS file: /cvsroot/src/crypto/external/bsd/heimdal/dist/lib/krb5/crypto-evp.c,v retrieving revision 1.3 diff -u -p -u -r1.3 crypto-evp.c --- lib/krb5/crypto-evp.c 5 Feb 2018 16:00:53 -0000 1.3 +++ lib/krb5/crypto-evp.c 1 Jun 2023 20:35:35 -0000 @@ -53,8 +53,10 @@ _krb5_evp_schedule(krb5_context context, key->dctx = EVP_CIPHER_CTX_new(); #endif - EVP_CipherInit_ex(key->ectx, c, NULL, kd->key->keyvalue.data, NULL, 1); - EVP_CipherInit_ex(key->dctx, c, NULL, kd->key->keyvalue.data, NULL, 0); + if (!EVP_CipherInit_ex(key->ectx, c, NULL, kd->key->keyvalue.data, NULL, 1)) + krb5_abortx(context, "can't initialize cipher"); + if (!EVP_CipherInit_ex(key->dctx, c, NULL, kd->key->keyvalue.data, NULL, 0)) + krb5_abortx(context, "can't initialize cipher"); } void @@ -91,10 +93,12 @@ _krb5_evp_encrypt(krb5_context context, if (loiv == NULL) return krb5_enomem(context); memset(loiv, 0, len2); - EVP_CipherInit_ex(c, NULL, NULL, NULL, loiv, -1); + if (!EVP_CipherInit_ex(c, NULL, NULL, NULL, loiv, -1)) + krb5_abortx(context, "can't initialize cipher"); free(loiv); - } else - EVP_CipherInit_ex(c, NULL, NULL, NULL, ivec, -1); + } else if (!EVP_CipherInit_ex(c, NULL, NULL, NULL, ivec, -1)) + krb5_abortx(context, "can't initialize cipher"); + EVP_Cipher(c, data, data, len); return 0; } @@ -111,6 +115,7 @@ _krb5_evp_encrypt_cts(krb5_context conte void *ivec) { size_t i, blocksize; + int ret; struct _krb5_evp_schedule *ctx = key->schedule->data; unsigned char tmp[EVP_MAX_BLOCK_LENGTH], ivec2[EVP_MAX_BLOCK_LENGTH]; EVP_CIPHER_CTX *c; @@ -125,15 +130,18 @@ _krb5_evp_encrypt_cts(krb5_context conte "message block too short"); return EINVAL; } else if (len == blocksize) { - EVP_CipherInit_ex(c, NULL, NULL, NULL, zero_ivec, -1); + if (!EVP_CipherInit_ex(c, NULL, NULL, NULL, zero_ivec, -1)) + krb5_abortx(context, "can't initialize cipher"); EVP_Cipher(c, data, data, len); return 0; } if (ivec) - EVP_CipherInit_ex(c, NULL, NULL, NULL, ivec, -1); + ret = EVP_CipherInit_ex(c, NULL, NULL, NULL, ivec, -1); else - EVP_CipherInit_ex(c, NULL, NULL, NULL, zero_ivec, -1); + ret = EVP_CipherInit_ex(c, NULL, NULL, NULL, zero_ivec, -1); + if (!ret) + krb5_abortx(context, "can't initialize cipher"); if (encryptp) { @@ -149,7 +157,8 @@ _krb5_evp_encrypt_cts(krb5_context conte for (; i < blocksize; i++) tmp[i] = 0 ^ ivec2[i]; - EVP_CipherInit_ex(c, NULL, NULL, NULL, zero_ivec, -1); + if (!EVP_CipherInit_ex(c, NULL, NULL, NULL, zero_ivec, -1)) + krb5_abortx(context, "can't initialize cipher"); EVP_Cipher(c, p, tmp, blocksize); memcpy(p + blocksize, ivec2, len); @@ -175,7 +184,8 @@ _krb5_evp_encrypt_cts(krb5_context conte } memcpy(tmp, p, blocksize); - EVP_CipherInit_ex(c, NULL, NULL, NULL, zero_ivec, -1); + if (!EVP_CipherInit_ex(c, NULL, NULL, NULL, zero_ivec, -1)) + krb5_abortx(context, "can't initialize cipher"); EVP_Cipher(c, tmp2, p, blocksize); memcpy(tmp3, p + blocksize, len); @@ -184,7 +194,8 @@ _krb5_evp_encrypt_cts(krb5_context conte for (i = 0; i < len; i++) p[i + blocksize] = tmp2[i] ^ tmp3[i]; - EVP_CipherInit_ex(c, NULL, NULL, NULL, zero_ivec, -1); + if (!EVP_CipherInit_ex(c, NULL, NULL, NULL, zero_ivec, -1)) + krb5_abortx(context, "can't initialize cipher"); EVP_Cipher(c, p, tmp3, blocksize); for (i = 0; i < blocksize; i++) Index: lib/ntlm/ntlm.c =================================================================== RCS file: /cvsroot/src/crypto/external/bsd/heimdal/dist/lib/ntlm/ntlm.c,v retrieving revision 1.3 diff -u -p -u -r1.3 ntlm.c --- lib/ntlm/ntlm.c 15 Dec 2019 22:50:51 -0000 1.3 +++ lib/ntlm/ntlm.c 1 Jun 2023 20:35:35 -0000 @@ -1197,7 +1197,8 @@ splitandenc(unsigned char *hash, ctx = EVP_CIPHER_CTX_new(); #endif - EVP_CipherInit_ex(ctx, EVP_des_cbc(), NULL, key, NULL, 1); + if (!EVP_CipherInit_ex(ctx, EVP_des_cbc(), NULL, key, NULL, 1)) + abort(); EVP_Cipher(ctx, answer, challenge, 8); #if OPENSSL_VERSION_NUMBER < 0x10100000UL EVP_CIPHER_CTX_cleanup(ctx);