diff --git a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c index c5c531e31..dd6f56fd9 100644 --- a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c +++ b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c @@ -339,8 +339,8 @@ static status_t ChallengeResponse(chunk_t challenge_hash, chunk_t password_hash, chunk_t expanded, encrypted; expanded = ExpandDESKey(keys[i]); - crypter->set_key(crypter, expanded); - if (!crypter->encrypt(crypter, challenge_hash, chunk_empty, &encrypted)) + if (!crypter->set_key(crypter, expanded) || + !crypter->encrypt(crypter, challenge_hash, chunk_empty, &encrypted)) { chunk_clear(&expanded); crypter->destroy(crypter); diff --git a/src/libcharon/sa/ikev1/keymat_v1.c b/src/libcharon/sa/ikev1/keymat_v1.c index 554bd56f7..9540075d6 100644 --- a/src/libcharon/sa/ikev1/keymat_v1.c +++ b/src/libcharon/sa/ikev1/keymat_v1.c @@ -205,8 +205,7 @@ METHOD(aead_t, get_key_size, size_t, METHOD(aead_t, set_key, bool, private_aead_t *this, chunk_t key) { - this->crypter->set_key(this->crypter, key); - return TRUE; + return this->crypter->set_key(this->crypter, key); } METHOD(aead_t, aead_destroy, void, @@ -291,7 +290,11 @@ static aead_t *create_aead(proposal_t *proposal, prf_t *prf, chunk_t skeyid_e) return NULL; } DBG4(DBG_IKE, "encryption key Ka %B", &ka); - crypter->set_key(crypter, ka); + if (!crypter->set_key(crypter, ka)) + { + chunk_clear(&ka); + return NULL; + } chunk_clear(&ka); INIT(this, diff --git a/src/libcharon/sa/ikev2/keymat_v2.c b/src/libcharon/sa/ikev2/keymat_v2.c index f25d0bd0e..91f001bdb 100644 --- a/src/libcharon/sa/ikev2/keymat_v2.c +++ b/src/libcharon/sa/ikev2/keymat_v2.c 
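Review bot: In create_aead() (keymat_v1.c, last hunk on this line) the new failure branch wipes `ka` but returns NULL without releasing `crypter`. The crypter is obtained above the hunk, so this is inferred, but if create_aead() owns it at that point the object leaks every time set_key() fails. Adding `crypter->destroy(crypter);` before `return NULL;` would match the cleanup done in the eap_mschapv2.c hunk. The function body starts and ends outside the hunk.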
@@ -225,7 +225,14 @@ static bool derive_ike_traditional(private_keymat_v2_t *this, u_int16_t enc_alg, return FALSE; } DBG4(DBG_IKE, "Sk_ei secret %B", &key); - crypter_i->set_key(crypter_i, key); + if (!crypter_i->set_key(crypter_i, key)) + { + crypter_i->destroy(crypter_i); + crypter_r->destroy(crypter_r); + signer_i->destroy(signer_i); + signer_r->destroy(signer_r); + return FALSE; + } chunk_clear(&key); if (!prf_plus->allocate_bytes(prf_plus, key_size, &key)) @@ -237,7 +244,14 @@ static bool derive_ike_traditional(private_keymat_v2_t *this, u_int16_t enc_alg, return FALSE; } DBG4(DBG_IKE, "Sk_er secret %B", &key); - crypter_r->set_key(crypter_r, key); + if (!crypter_r->set_key(crypter_r, key)) + { + crypter_i->destroy(crypter_i); + crypter_r->destroy(crypter_r); + signer_i->destroy(signer_i); + signer_r->destroy(signer_r); + return FALSE; + } chunk_clear(&key); if (this->initiator) diff --git a/src/libsimaka/simaka_crypto.c b/src/libsimaka/simaka_crypto.c index cdb314068..91aad95ca 100644 --- a/src/libsimaka/simaka_crypto.c +++ b/src/libsimaka/simaka_crypto.c @@ -148,12 +148,12 @@ METHOD(simaka_crypto_t, derive_keys_full, bool, k_auth = chunk_create(str.ptr + KENCR_LEN, KAUTH_LEN); DBG3(DBG_LIB, "K_encr %B\nK_auth %B\nMSK %B", &k_encr, &k_auth, &msk); - if (!this->signer->set_key(this->signer, k_auth)) + if (!this->signer->set_key(this->signer, k_auth) || + !this->crypter->set_key(this->crypter, k_encr)) { chunk_clear(mk); return FALSE; } - this->crypter->set_key(this->crypter, k_encr); *msk = chunk_create(str.ptr + KENCR_LEN + KAUTH_LEN, MSK_LEN); 
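Review bot: Both new failure branches in derive_ike_traditional() return FALSE without `chunk_clear(&key);`, so the freshly derived Sk_ei / Sk_er secret stays allocated and unwiped when set_key() fails. The success path clears it on the very next line, and the keymat_v1.c change in this same commit does wipe `ka` before returning. Put `chunk_clear(&key);` first in each of the two new blocks. Whether `prf_plus` also needs releasing on these paths cannot be seen here, because the function continues outside the hunks.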
@@ -187,11 +187,11 @@ METHOD(simaka_crypto_t, derive_keys_reauth, bool, k_auth = chunk_create(str.ptr + KENCR_LEN, KAUTH_LEN); DBG3(DBG_LIB, "K_encr %B\nK_auth %B", &k_encr, &k_auth); - if (!this->signer->set_key(this->signer, k_auth)) + if (!this->signer->set_key(this->signer, k_auth) || + !this->crypter->set_key(this->crypter, k_encr)) { return FALSE; } - this->crypter->set_key(this->crypter, k_encr); call_hook(this, k_encr, k_auth); diff --git a/src/libstrongswan/crypto/aead.c b/src/libstrongswan/crypto/aead.c index 595b75f87..02fb8d50a 100644 --- a/src/libstrongswan/crypto/aead.c +++ b/src/libstrongswan/crypto/aead.c @@ -141,13 +141,8 @@ METHOD(aead_t, set_key, bool, chunk_split(key, "mm", this->signer->get_key_size(this->signer), &sig, this->crypter->get_key_size(this->crypter), &enc); - if (!this->signer->set_key(this->signer, sig)) - { - return FALSE; - } - this->crypter->set_key(this->crypter, enc); - - return TRUE; + return this->signer->set_key(this->signer, sig) && + this->crypter->set_key(this->crypter, enc); } METHOD(aead_t, destroy, void, diff --git a/src/libstrongswan/crypto/crypters/crypter.h b/src/libstrongswan/crypto/crypters/crypter.h index a615c0e22..4c273059b 100644 --- a/src/libstrongswan/crypto/crypters/crypter.h +++ b/src/libstrongswan/crypto/crypters/crypter.h @@ -147,8 +147,10 @@ struct crypter_t { * The length of the key must match get_key_size(). * * @param key key to set + * @return TRUE if key set successfully */ - void (*set_key) (crypter_t *this, chunk_t key); + __attribute__((warn_unused_result)) + bool (*set_key) (crypter_t *this, chunk_t key); /** * Destroys a crypter_t object. diff --git a/src/libstrongswan/crypto/crypto_tester.c b/src/libstrongswan/crypto/crypto_tester.c index 812e94914..4e5e840b5 100644 --- a/src/libstrongswan/crypto/crypto_tester.c +++ b/src/libstrongswan/crypto/crypto_tester.c 
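Review bot: The new `@return` line in crypter.h does not say what a caller may assume after FALSE, which matters now that the result is `warn_unused_result` and callers throughout this commit branch on it. I would extend it to something like `@return TRUE if key set successfully, FALSE otherwise; after FALSE the crypter must not be used to encrypt or decrypt`. The comment should also state whether a key whose length differs from get_key_size() is rejected with FALSE or remains a caller error, since several implementations in this commit return TRUE unconditionally.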
@@ -151,7 +151,10 @@ static u_int bench_crypter(private_crypto_tester_t *this, memset(iv, 0x56, sizeof(iv)); memset(key, 0x12, sizeof(key)); - crypter->set_key(crypter, chunk_from_thing(key)); + if (!crypter->set_key(crypter, chunk_from_thing(key))) + { + return 0; + } buf = chunk_alloc(this->bench_size); memset(buf.ptr, 0x34, buf.len); @@ -214,7 +217,10 @@ METHOD(crypto_tester_t, test_crypter, bool, tested++; key = chunk_create(vector->key, crypter->get_key_size(crypter)); - crypter->set_key(crypter, key); + if (!crypter->set_key(crypter, key)) + { + failed = TRUE; + } iv = chunk_create(vector->iv, crypter->get_iv_size(crypter)); /* allocated encryption */ diff --git a/src/libstrongswan/crypto/pkcs7.c b/src/libstrongswan/crypto/pkcs7.c index e422dae0e..ded388181 100644 --- a/src/libstrongswan/crypto/pkcs7.c +++ b/src/libstrongswan/crypto/pkcs7.c @@ -638,8 +638,8 @@ end: success = FALSE; /* decrypt the content */ - crypter->set_key(crypter, symmetric_key); - if (!crypter->decrypt(crypter, encrypted_content, iv, &this->data)) + if (!crypter->set_key(crypter, symmetric_key) || + !crypter->decrypt(crypter, encrypted_content, iv, &this->data)) { success = FALSE; goto failed; @@ -834,8 +834,8 @@ METHOD(pkcs7_t, build_envelopedData, bool, DBG3(DBG_LIB, " padded unencrypted data: %B", &in); /* symmetric encryption of data object */ - crypter->set_key(crypter, symmetricKey); - if (!crypter->encrypt(crypter, in, iv, &out)) + if (!crypter->set_key(crypter, symmetricKey) || + !crypter->encrypt(crypter, in, iv, &out)) { crypter->destroy(crypter); chunk_clear(&in); diff --git a/src/libstrongswan/plugins/aes/aes_crypter.c b/src/libstrongswan/plugins/aes/aes_crypter.c index 03d3cdeda..6b3d03cea 100644 --- a/src/libstrongswan/plugins/aes/aes_crypter.c +++ b/src/libstrongswan/plugins/aes/aes_crypter.c 
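Review bot: In bench_crypter() the added `return 0;` leaves the function without destroying `crypter`. The allocation and the regular destroy call are outside the hunk, so this is inferred, but if the crypter is created just above this point it leaks on the new path. `crypter->destroy(crypter);` ahead of the return would close that gap.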
@@ -1430,7 +1430,7 @@ METHOD(crypter_t, get_key_size, size_t, return this->key_size; } -METHOD(crypter_t, set_key, void, +METHOD(crypter_t, set_key, bool, private_aes_crypter_t *this, chunk_t key) { u_int32_t *kf, *kt, rci, f = 0; @@ -1515,6 +1515,7 @@ METHOD(crypter_t, set_key, void, } cpy(kt, kf); } + return TRUE; } METHOD(crypter_t, destroy, void, diff --git a/src/libstrongswan/plugins/af_alg/af_alg_crypter.c b/src/libstrongswan/plugins/af_alg/af_alg_crypter.c index 7fc0e59d8..ed268c0c9 100644 --- a/src/libstrongswan/plugins/af_alg/af_alg_crypter.c +++ b/src/libstrongswan/plugins/af_alg/af_alg_crypter.c @@ -179,10 +179,11 @@ METHOD(crypter_t, get_key_size, size_t, return this->keymat_size; } -METHOD(crypter_t, set_key, void, +METHOD(crypter_t, set_key, bool, private_af_alg_crypter_t *this, chunk_t key) { this->ops->set_key(this->ops, key); + return TRUE; } METHOD(crypter_t, destroy, void, diff --git a/src/libstrongswan/plugins/blowfish/blowfish_crypter.c b/src/libstrongswan/plugins/blowfish/blowfish_crypter.c index 18c8f48a9..253f9b4a4 100644 --- a/src/libstrongswan/plugins/blowfish/blowfish_crypter.c +++ b/src/libstrongswan/plugins/blowfish/blowfish_crypter.c @@ -155,10 +155,11 @@ METHOD(crypter_t, get_key_size, size_t, return this->key_size; } -METHOD(crypter_t, set_key, void, +METHOD(crypter_t, set_key, bool, private_blowfish_crypter_t *this, chunk_t key) { BF_set_key(&this->schedule, key.len , key.ptr); + return TRUE; } METHOD(crypter_t, destroy, void, diff --git a/src/libstrongswan/plugins/ccm/ccm_aead.c b/src/libstrongswan/plugins/ccm/ccm_aead.c index 06d08783a..0e2f9b75f 100644 --- a/src/libstrongswan/plugins/ccm/ccm_aead.c +++ b/src/libstrongswan/plugins/ccm/ccm_aead.c @@ -316,8 +316,7 @@ METHOD(aead_t, set_key, bool, { memcpy(this->salt, key.ptr + key.len - SALT_SIZE, SALT_SIZE); key.len -= SALT_SIZE; - this->crypter->set_key(this->crypter, key); - return TRUE; + return this->crypter->set_key(this->crypter, key); } METHOD(aead_t, destroy, void, 
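Review bot: The af_alg_crypter.c set_key() now reports TRUE unconditionally while discarding whatever `this->ops->set_key(this->ops, key)` does. The ops interface is not visible in this hunk; if that call can fail when the key is handed to the kernel, the failure stays hidden from every caller that now checks the result. Consider giving the ops method a bool result as well, so the wrapper becomes `return this->ops->set_key(this->ops, key);`.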
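Review bot: ccm_aead.c set_key() still evaluates `key.ptr + key.len - SALT_SIZE` and `key.len -= SALT_SIZE` with no length check, so a key shorter than SALT_SIZE makes the memcpy read before the buffer and underflows `key.len` before it reaches the crypter. Since the method returns bool, a guard such as `if (key.len < SALT_SIZE) { return FALSE; }` ahead of the memcpy costs nothing and turns a caller mistake into a clean failure. The same pattern appears in gcm_aead.c (SALT_SIZE), ctr_ipsec_crypter.c (`sizeof(this->state.nonce)`) and the ctr_mode branch of gcrypt_crypter.c (`sizeof(this->ctr.nonce)`), where the check can now be added because set_key returns bool.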
diff --git a/src/libstrongswan/plugins/cmac/cmac.c b/src/libstrongswan/plugins/cmac/cmac.c index e5c44d02b..725d02d76 100644 --- a/src/libstrongswan/plugins/cmac/cmac.c +++ b/src/libstrongswan/plugins/cmac/cmac.c @@ -279,8 +279,8 @@ METHOD(mac_t, set_key, bool, memset(iv.ptr, 0, iv.len); l = chunk_alloca(this->b); memset(l.ptr, 0, l.len); - this->k->set_key(this->k, resized); - if (!this->k->encrypt(this->k, l, iv, NULL)) + if (!this->k->set_key(this->k, resized) || + !this->k->encrypt(this->k, l, iv, NULL)) { return FALSE; } diff --git a/src/libstrongswan/plugins/ctr/ctr_ipsec_crypter.c b/src/libstrongswan/plugins/ctr/ctr_ipsec_crypter.c index 78aad84c5..59d201a6f 100644 --- a/src/libstrongswan/plugins/ctr/ctr_ipsec_crypter.c +++ b/src/libstrongswan/plugins/ctr/ctr_ipsec_crypter.c @@ -113,13 +113,13 @@ METHOD(crypter_t, get_key_size, size_t, + sizeof(this->state.nonce); } -METHOD(crypter_t, set_key, void, +METHOD(crypter_t, set_key, bool, private_ctr_ipsec_crypter_t *this, chunk_t key) { memcpy(this->state.nonce, key.ptr + key.len - sizeof(this->state.nonce), sizeof(this->state.nonce)); key.len -= sizeof(this->state.nonce); - this->crypter->set_key(this->crypter, key); + return this->crypter->set_key(this->crypter, key); } METHOD(crypter_t, destroy, void, diff --git a/src/libstrongswan/plugins/des/des_crypter.c b/src/libstrongswan/plugins/des/des_crypter.c index ca9ae8fc7..c81318b19 100644 --- a/src/libstrongswan/plugins/des/des_crypter.c +++ b/src/libstrongswan/plugins/des/des_crypter.c 
@@ -1541,18 +1541,20 @@ METHOD(crypter_t, get_key_size, size_t, return this->key_size; } -METHOD(crypter_t, set_key, void, +METHOD(crypter_t, set_key, bool, private_des_crypter_t *this, chunk_t key) { des_set_key((des_cblock*)(key.ptr), &this->ks); + return TRUE; } -METHOD(crypter_t, set_key3, void, +METHOD(crypter_t, set_key3, bool, private_des_crypter_t *this, chunk_t key) { des_set_key((des_cblock*)(key.ptr) + 0, &this->ks3[0]); des_set_key((des_cblock*)(key.ptr) + 1, &this->ks3[1]); des_set_key((des_cblock*)(key.ptr) + 2, &this->ks3[2]); + return TRUE; } METHOD(crypter_t, destroy, void, diff --git a/src/libstrongswan/plugins/gcm/gcm_aead.c b/src/libstrongswan/plugins/gcm/gcm_aead.c index 985e759a9..79ee65d98 100644 --- a/src/libstrongswan/plugins/gcm/gcm_aead.c +++ b/src/libstrongswan/plugins/gcm/gcm_aead.c @@ -348,8 +348,8 @@ METHOD(aead_t, set_key, bool, { memcpy(this->salt, key.ptr + key.len - SALT_SIZE, SALT_SIZE); key.len -= SALT_SIZE; - this->crypter->set_key(this->crypter, key); - return create_h(this, this->h); + return this->crypter->set_key(this->crypter, key) && + create_h(this, this->h); } METHOD(aead_t, destroy, void, diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_crypter.c b/src/libstrongswan/plugins/gcrypt/gcrypt_crypter.c index 3627c5064..0b5dc0365 100644 --- a/src/libstrongswan/plugins/gcrypt/gcrypt_crypter.c +++ b/src/libstrongswan/plugins/gcrypt/gcrypt_crypter.c @@ -141,7 +141,7 @@ METHOD(crypter_t, get_key_size, size_t, return len; } -METHOD(crypter_t, set_key, void, +METHOD(crypter_t, set_key, bool, private_gcrypt_crypter_t *this, chunk_t key) { if (this->ctr_mode) @@ -151,7 +151,7 @@ METHOD(crypter_t, set_key, void, sizeof(this->ctr.nonce)); key.len -= sizeof(this->ctr.nonce); } - gcry_cipher_setkey(this->h, key.ptr, key.len); + return gcry_cipher_setkey(this->h, key.ptr, key.len) == 0; } METHOD(crypter_t, destroy, void, 
diff --git a/src/libstrongswan/plugins/openssl/openssl_crypter.c b/src/libstrongswan/plugins/openssl/openssl_crypter.c index 07799b1c7..07b96b320 100644 --- a/src/libstrongswan/plugins/openssl/openssl_crypter.c +++ b/src/libstrongswan/plugins/openssl/openssl_crypter.c @@ -144,10 +144,11 @@ METHOD(crypter_t, get_key_size, size_t, return this->key.len; } -METHOD(crypter_t, set_key, void, +METHOD(crypter_t, set_key, bool, private_openssl_crypter_t *this, chunk_t key) { memcpy(this->key.ptr, key.ptr, min(key.len, this->key.len)); + return TRUE; } METHOD(crypter_t, destroy, void, diff --git a/src/libstrongswan/plugins/padlock/padlock_aes_crypter.c b/src/libstrongswan/plugins/padlock/padlock_aes_crypter.c index b9d4eac7b..b5060de0a 100644 --- a/src/libstrongswan/plugins/padlock/padlock_aes_crypter.c +++ b/src/libstrongswan/plugins/padlock/padlock_aes_crypter.c @@ -141,10 +141,11 @@ METHOD(crypter_t, get_key_size, size_t, return this->key.len; } -METHOD(crypter_t, set_key, void, +METHOD(crypter_t, set_key, bool, private_padlock_aes_crypter_t *this, chunk_t key) { memcpy(this->key.ptr, key.ptr, min(key.len, this->key.len)); + return TRUE; } METHOD(crypter_t, destroy, void, diff --git a/src/libstrongswan/plugins/pem/pem_builder.c b/src/libstrongswan/plugins/pem/pem_builder.c index c1ce5c809..655491e53 100644 --- a/src/libstrongswan/plugins/pem/pem_builder.c +++ b/src/libstrongswan/plugins/pem/pem_builder.c @@ -125,7 +125,6 @@ static status_t pem_decrypt(chunk_t *blob, encryption_algorithm_t alg, encryption_algorithm_names, alg); return NOT_SUPPORTED; } - crypter->set_key(crypter, key); if (iv.len != crypter->get_iv_size(crypter) || blob->len % crypter->get_block_size(crypter)) 
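Review bot: openssl_crypter.c set_key() returns TRUE even when `key.len` differs from `this->key.len`. The `min()` in the memcpy silently truncates a longer key and, for a shorter one, leaves the tail of `this->key` holding whatever bytes were there before. Now that the method can report failure, `if (key.len != this->key.len) { return FALSE; }` ahead of the memcpy would enforce the rule in crypter.h that the length must match get_key_size(). The padlock_aes_crypter.c hunk has identical code. This assumes no existing caller relies on passing a different length.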
@@ -134,7 +133,8 @@ static status_t pem_decrypt(chunk_t *blob, encryption_algorithm_t alg, DBG1(DBG_ASN, " data size is not multiple of block size"); return PARSE_ERROR; } - if (!crypter->decrypt(crypter, *blob, iv, &decrypted)) + if (!crypter->set_key(crypter, key) || + !crypter->decrypt(crypter, *blob, iv, &decrypted)) { crypter->destroy(crypter); return FAILED; diff --git a/src/libstrongswan/plugins/pkcs8/pkcs8_builder.c b/src/libstrongswan/plugins/pkcs8/pkcs8_builder.c index f9bef7786..9afd0d44d 100644 --- a/src/libstrongswan/plugins/pkcs8/pkcs8_builder.c +++ b/src/libstrongswan/plugins/pkcs8/pkcs8_builder.c @@ -168,9 +168,8 @@ static private_key_t *decrypt_private_key(chunk_t blob, { continue; } - - crypter->set_key(crypter, key); - if (!crypter->decrypt(crypter, blob, iv, &decrypted)) + if (!crypter->set_key(crypter, key) || + !crypter->decrypt(crypter, blob, iv, &decrypted)) { continue; } diff --git a/src/libstrongswan/plugins/xcbc/xcbc.c b/src/libstrongswan/plugins/xcbc/xcbc.c index 745efcaa4..1bb7e640a 100644 --- a/src/libstrongswan/plugins/xcbc/xcbc.c +++ b/src/libstrongswan/plugins/xcbc/xcbc.c @@ -257,17 +257,16 @@ METHOD(mac_t, set_key, bool, memset(this->k2, 0x02, this->b); memset(this->k3, 0x03, this->b); - this->k1->set_key(this->k1, lengthened); - if (!this->k1->encrypt(this->k1, chunk_create(this->k2, this->b), iv, NULL) || + if (!this->k1->set_key(this->k1, lengthened) || + !this->k1->encrypt(this->k1, chunk_create(this->k2, this->b), iv, NULL) || !this->k1->encrypt(this->k1, chunk_create(this->k3, this->b), iv, NULL) || - !this->k1->encrypt(this->k1, k1, iv, NULL)) + !this->k1->encrypt(this->k1, k1, iv, NULL) || + !this->k1->set_key(this->k1, k1)) { + memwipe(k1.ptr, k1.len); return FALSE; } - this->k1->set_key(this->k1, k1); - memwipe(k1.ptr, k1.len); - return TRUE; } diff --git a/src/libtls/tls_crypto.c b/src/libtls/tls_crypto.c index fde03b800..074479478 100644 --- a/src/libtls/tls_crypto.c +++ b/src/libtls/tls_crypto.c 
@@ -1560,13 +1560,19 @@ static bool expand_keys(private_tls_crypto_t *this, if (this->tls->is_server(this->tls)) { - this->crypter_in->set_key(this->crypter_in, client_write); - this->crypter_out->set_key(this->crypter_out, server_write); + if (!this->crypter_in->set_key(this->crypter_in, client_write) || + !this->crypter_out->set_key(this->crypter_out, server_write)) + { + return FALSE; + } } else { - this->crypter_out->set_key(this->crypter_out, client_write); - this->crypter_in->set_key(this->crypter_in, server_write); + if (!this->crypter_out->set_key(this->crypter_out, client_write) || + !this->crypter_in->set_key(this->crypter_in, server_write)) + { + return FALSE; + } } if (ivs) {