summaryrefslogtreecommitdiffstats
path: root/main/openswan/openswan-libreswan-backport-949437-do_3des.patch
blob: 75dbe3b636e088358bc4ed35321609bf2b587aae (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
From acdd65497d164082e0462b3f2d4407f0c50ccf71 Mon Sep 17 00:00:00 2001
From: Florian Weimer <fweimer@redhat.com>
Date: Wed, 10 Apr 2013 10:32:52 +0200
Subject: [PATCH 06/10] do_3des: Abort on failure

The routine cannot signal encryption failures to the caller
and would leave the buffer unencrypted on error.
---
 lib/libopenswan/pem.c | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/lib/libopenswan/pem.c b/lib/libopenswan/pem.c
index 36da401..d42655a 100644
--- a/lib/libopenswan/pem.c
+++ b/lib/libopenswan/pem.c
@@ -483,7 +483,7 @@ void do_3des_nss(u_int8_t *buf, size_t buf_len
     memcpy(&symkey, key, key_size);
     if (symkey == NULL) {
 	loglog(RC_LOG_SERIOUS, "do_3des: NSS derived enc key is NULL \n");
-	goto out;
+	abort();
     }
 
     ivitem.type = siBuffer;
@@ -493,7 +493,7 @@ void do_3des_nss(u_int8_t *buf, size_t buf_len
     secparam = PK11_ParamFromIV(ciphermech, &ivitem);
     if (secparam == NULL) {
 	loglog(RC_LOG_SERIOUS, "do_3des: Failure to set up PKCS11 param (err %d)\n",PR_GetError());
-	goto out;
+	abort();
     }
 
     outlen = 0;
@@ -505,8 +505,15 @@ void do_3des_nss(u_int8_t *buf, size_t buf_len
     }
 
     enccontext = PK11_CreateContextBySymKey(ciphermech, enc? CKA_ENCRYPT: CKA_DECRYPT, symkey, secparam);
+    if (enccontext == NULL) {
+        loglog(RC_LOG_SERIOUS, "do_3des: PKCS11 context creation failure (err %d)\n", PR_GetError());
+        abort();
+    }
     rv = PK11_CipherOp(enccontext, tmp_buf, &outlen, buf_len, buf, buf_len);
-    passert(rv==SECSuccess);
+    if (rv != SECSuccess) {
+        loglog(RC_LOG_SERIOUS, "do_3des: PKCS11 operation failure (err %d)\n", PR_GetError());
+        abort();
+    }
 
     if(enc) {
 	memcpy(new_iv, (char*) tmp_buf + buf_len-DES_CBC_BLOCK_SIZE, DES_CBC_BLOCK_SIZE);
@@ -518,7 +525,6 @@ void do_3des_nss(u_int8_t *buf, size_t buf_len
     PR_Free(tmp_buf);
     PR_Free(new_iv);
 
-out:
     if (secparam) {
 	SECITEM_FreeItem(secparam, PR_TRUE);
     }
-- 
1.8.1.4