unsigned char *hkey;
};
-apr_status_t SEAL_KEY_CREATE(struct seal_key **skey)
+apr_status_t SEAL_KEY_CREATE(apr_pool_t *p, struct seal_key **skey,
+ struct databuf *keys)
{
struct seal_key *n;
+ int keylen;
int ret;
- n = calloc(1, sizeof(*n));
+ n = apr_pcalloc(p, sizeof(*n));
if (!n) return ENOMEM;
n->cipher = EVP_aes_128_cbc();
if (!n->cipher) {
- free(n);
- return EFAULT;
+ ret = EFAULT;
+ goto done;
}
+ keylen = n->cipher->key_len;
+
n->md = EVP_sha256();
if (!n->md) {
- free(n);
- return EFAULT;
+ ret = EFAULT;
+ goto done;
}
- n->ekey = malloc(n->cipher->key_len);
+ n->ekey = apr_palloc(p, keylen);
if (!n->ekey) {
- free(n);
- return ENOMEM;
+ ret = ENOMEM;
+ goto done;
}
- n->hkey = malloc(n->cipher->key_len);
+ n->hkey = apr_palloc(p, keylen);
if (!n->hkey) {
- free(n);
- return ENOMEM;
+ ret = ENOMEM;
+ goto done;
}
- ret = RAND_bytes(n->ekey, n->cipher->key_len);
- if (ret == 0) {
- free(n->ekey);
- free(n->hkey);
- free(n);
- return EFAULT;
+ if (keys) {
+ if (keys->length != (keylen * 2)) {
+ ret = EINVAL;
+ goto done;
+ }
+ memcpy(n->ekey, keys->value, keylen);
+ memcpy(n->hkey, keys->value + keylen, keylen);
+ } else {
+ ret = RAND_bytes(n->ekey, keylen);
+ if (ret == 0) {
+ ret = EFAULT;
+ goto done;
+ }
+
+ ret = RAND_bytes(n->hkey, keylen);
+ if (ret == 0) {
+ ret = EFAULT;
+ goto done;
+ }
}
- ret = RAND_bytes(n->hkey, n->cipher->key_len);
- if (ret == 0) {
+ ret = 0;
+done:
+ if (ret) {
free(n->ekey);
free(n->hkey);
free(n);
- return EFAULT;
+ } else {
+ *skey = n;
}
-
- *skey = n;
- return 0;
+ return ret;
}
apr_status_t SEAL_BUFFER(apr_pool_t *p, struct seal_key *skey,
struct databuf *plain, struct databuf *cipher)
{
+ int blksz = skey->cipher->block_size;
apr_status_t err = EFAULT;
EVP_CIPHER_CTX ctx = { 0 };
HMAC_CTX hmac_ctx = { 0 };
- uint8_t rbuf[16];
+ uint8_t rbuf[blksz];
unsigned int len;
int outlen, totlen;
int ret;
/* confounder to avoid exposing random numbers directly to clients
* as IVs */
- ret = RAND_bytes(rbuf, 16);
+ ret = RAND_bytes(rbuf, sizeof(rbuf));
if (ret == 0) goto done;
if (cipher->length == 0) {
/* add space for confounder and padding and MAC */
- cipher->length = (plain->length / 16 + 2) * 16;
+ cipher->length = (plain->length / blksz + 2) * blksz;
cipher->value = apr_palloc(p, cipher->length + skey->md->md_size);
if (!cipher->value) {
err = ENOMEM;
totlen = 0;
outlen = cipher->length;
- ret = EVP_EncryptUpdate(&ctx, cipher->value, &outlen, rbuf, 16);
+ ret = EVP_EncryptUpdate(&ctx, cipher->value, &outlen, rbuf, sizeof(rbuf));
if (ret == 0) goto done;
totlen += outlen;
totlen += outlen;
/* now remove the confounder */
- totlen -= 16;
- memmove(plain->value, plain->value + 16, totlen);
+ totlen -= skey->cipher->block_size;
+ memmove(plain->value, plain->value + skey->cipher->block_size, totlen);
plain->length = totlen;
err = 0;
projects / mod_auth_gssapi.git / blobdiff