summaryrefslogtreecommitdiffstats
path: root/main/openswan/openswan-libreswan-backport-949437-do_aes.patch
blob: aedb4d34aba5ff9770a510a3bb88690f18401e07 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
From ee267f812f6d72da400cc24265c399c3e9048a8a Mon Sep 17 00:00:00 2001
From: Florian Weimer <fweimer@redhat.com>
Date: Wed, 10 Apr 2013 10:33:02 +0200
Subject: [PATCH 07/10] do_aes: Abort on failure

The routine cannot signal encryption failures to the caller
and would leave the buffer unencrypted on error.
---
 programs/pluto/ike_alg_aes.c | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/programs/pluto/ike_alg_aes.c b/programs/pluto/ike_alg_aes.c
index 1d4aada..95999bb 100644
--- a/programs/pluto/ike_alg_aes.c
+++ b/programs/pluto/ike_alg_aes.c
@@ -48,7 +48,7 @@ do_aes(u_int8_t *buf, size_t buf_len, u_int8_t *key, size_t key_size, u_int8_t *
 
     if (symkey == NULL) {
 	loglog(RC_LOG_SERIOUS, "do_aes: NSS derived enc key in NULL\n");
-	goto out;
+	abort();
     }
 
     ivitem.type = siBuffer;
@@ -58,7 +58,7 @@ do_aes(u_int8_t *buf, size_t buf_len, u_int8_t *key, size_t key_size, u_int8_t *
     secparam = PK11_ParamFromIV(ciphermech, &ivitem);
     if (secparam == NULL) {
 	loglog(RC_LOG_SERIOUS, "do_aes: Failure to set up PKCS11 param (err %d)\n",PR_GetError());
-	goto out;
+	abort();
    }
 
    outlen = 0;
@@ -69,8 +69,15 @@ do_aes(u_int8_t *buf, size_t buf_len, u_int8_t *key, size_t key_size, u_int8_t *
     }
 
     enccontext = PK11_CreateContextBySymKey(ciphermech, enc? CKA_ENCRYPT : CKA_DECRYPT, symkey, secparam); 
+    if (enccontext == NULL) {
+        loglog(RC_LOG_SERIOUS, "do_aes: PKCS11 context creation failure (err %d)\n", PR_GetError());
+        abort();
+    }
     rv = PK11_CipherOp(enccontext, tmp_buf, &outlen, buf_len, buf, buf_len);
-    passert(rv==SECSuccess);
+    if (rv != SECSuccess) {
+        loglog(RC_LOG_SERIOUS, "do_aes: PKCS11 operation failure (err %d)\n", PR_GetError());
+        abort();
+    }
     PK11_DestroyContext(enccontext, PR_TRUE);
     memcpy(buf,tmp_buf,buf_len);  
 
@@ -81,8 +88,6 @@ do_aes(u_int8_t *buf, size_t buf_len, u_int8_t *key, size_t key_size, u_int8_t *
     memcpy(iv, new_iv, AES_CBC_BLOCK_SIZE);
     PR_Free(tmp_buf);
 
-out:
- 
 if (secparam)
     SECITEM_FreeItem(secparam, PR_TRUE);
 DBG(DBG_CRYPT, DBG_log("NSS do_aes: exit"));
-- 
1.8.1.4