aboutsummaryrefslogtreecommitdiffstats
path: root/main/openswan/openswan-libreswan-backport-949437-do_aes.patch
diff options
context:
space:
mode:
Diffstat (limited to 'main/openswan/openswan-libreswan-backport-949437-do_aes.patch')
-rw-r--r--main/openswan/openswan-libreswan-backport-949437-do_aes.patch62
1 files changed, 62 insertions, 0 deletions
diff --git a/main/openswan/openswan-libreswan-backport-949437-do_aes.patch b/main/openswan/openswan-libreswan-backport-949437-do_aes.patch
new file mode 100644
index 0000000000..aedb4d34ab
--- /dev/null
+++ b/main/openswan/openswan-libreswan-backport-949437-do_aes.patch
@@ -0,0 +1,62 @@
+From ee267f812f6d72da400cc24265c399c3e9048a8a Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer@redhat.com>
+Date: Wed, 10 Apr 2013 10:33:02 +0200
+Subject: [PATCH 07/10] do_aes: Abort on failure
+
+The routine cannot signal encryption failures to the caller
+and would leave the buffer unencrypted on error.
+---
+ programs/pluto/ike_alg_aes.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/programs/pluto/ike_alg_aes.c b/programs/pluto/ike_alg_aes.c
+index 1d4aada..95999bb 100644
+--- a/programs/pluto/ike_alg_aes.c
++++ b/programs/pluto/ike_alg_aes.c
+@@ -48,7 +48,7 @@ do_aes(u_int8_t *buf, size_t buf_len, u_int8_t *key, size_t key_size, u_int8_t *
+
+ if (symkey == NULL) {
+ loglog(RC_LOG_SERIOUS, "do_aes: NSS derived enc key in NULL\n");
+- goto out;
++ abort();
+ }
+
+ ivitem.type = siBuffer;
+@@ -58,7 +58,7 @@ do_aes(u_int8_t *buf, size_t buf_len, u_int8_t *key, size_t key_size, u_int8_t *
+ secparam = PK11_ParamFromIV(ciphermech, &ivitem);
+ if (secparam == NULL) {
+ loglog(RC_LOG_SERIOUS, "do_aes: Failure to set up PKCS11 param (err %d)\n",PR_GetError());
+- goto out;
++ abort();
+ }
+
+ outlen = 0;
+@@ -69,8 +69,15 @@ do_aes(u_int8_t *buf, size_t buf_len, u_int8_t *key, size_t key_size, u_int8_t *
+ }
+
+ enccontext = PK11_CreateContextBySymKey(ciphermech, enc? CKA_ENCRYPT : CKA_DECRYPT, symkey, secparam);
++ if (enccontext == NULL) {
++ loglog(RC_LOG_SERIOUS, "do_aes: PKCS11 context creation failure (err %d)\n", PR_GetError());
++ abort();
++ }
+ rv = PK11_CipherOp(enccontext, tmp_buf, &outlen, buf_len, buf, buf_len);
+- passert(rv==SECSuccess);
++ if (rv != SECSuccess) {
++ loglog(RC_LOG_SERIOUS, "do_aes: PKCS11 operation failure (err %d)\n", PR_GetError());
++ abort();
++ }
+ PK11_DestroyContext(enccontext, PR_TRUE);
+ memcpy(buf,tmp_buf,buf_len);
+
+@@ -81,8 +88,6 @@ do_aes(u_int8_t *buf, size_t buf_len, u_int8_t *key, size_t key_size, u_int8_t *
+ memcpy(iv, new_iv, AES_CBC_BLOCK_SIZE);
+ PR_Free(tmp_buf);
+
+-out:
+-
+ if (secparam)
+ SECITEM_FreeItem(secparam, PR_TRUE);
+ DBG(DBG_CRYPT, DBG_log("NSS do_aes: exit"));
+--
+1.8.1.4
+