[Swan-commit] Changes to ref refs/heads/master
Paul Wouters
paul at vault.libreswan.fi
Thu May 2 20:19:22 EEST 2013
New commits:

commit c8310a891affc471e0a77cc46accd0116f5f51ba
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu May 2 13:19:11 2013 -0400

* updated changes

commit a2f7496d7a79cb67c6a08ffafd1a6308fa88b508
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu May 2 13:15:21 2013 -0400

* security: Remove stale non-NSS ASN1 handling and pem decryption code

pem_decrypt_3des() has incorrect padding verification code. (There can
be at most 8 bytes of padding.) first_padding_pos can be blob->ptr -
1, which appears to result in an out-of-bounds array read.

This code, however, is not used anymore, since NSS is mandatory and we don't
read encrypted keys from /etc/ipsec.d/private anymore. (We might do so again
later for an openssl port, but then we should be using native openssl calls.)

Looking further into pem.c, more dead code was found and removed, and the
remaining code was stripped of any decryption hooks, as we do still use
load_cert() (the non-nss version) to load CRLs and CAcerts from disk.

Note that openswan, when compiled without HAVE_NSS, does have a problem with
verifying the padding and requires a different fix.
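
The padding bound the commit message refers to, as an added example that is not libreswan or openswan code: a bounds-checked padding validator for a buffer decrypted with an 8-byte block cipher. The function name `strip_padding_3des`, the `DES_BLOCK` constant and the sample buffers are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DES_BLOCK 8 /* 3DES block size: valid padding is 1..8 bytes */

/*
 * Hypothetical helper (assumption, not project code): validate the padding
 * of a decrypted buffer and return the plaintext length, or -1 if the
 * padding is malformed. Never reads outside buf[0..len-1].
 */
long strip_padding_3des(const uint8_t *buf, size_t len)
{
    /* CBC output is a non-zero whole number of blocks. */
    if (buf == NULL || len < DES_BLOCK || len % DES_BLOCK != 0)
        return -1;

    uint8_t pad = buf[len - 1];

    /*
     * Bound the pad byte before using it as an offset. An unchecked value
     * larger than len would put the first padding position before the
     * start of the buffer and make the loop below read out of bounds.
     */
    if (pad < 1 || pad > DES_BLOCK)
        return -1;

    /* Every padding byte must equal the pad length. */
    uint8_t diff = 0;
    for (size_t i = len - pad; i < len; i++)
        diff |= (uint8_t)(buf[i] ^ pad);

    return diff == 0 ? (long)(len - pad) : -1;
}

int main(void)
{
    /* Constructed sample buffers, not real key material. */
    const uint8_t good[8] = { 'k', 'e', 'y', '0', '1', 3, 3, 3 };
    const uint8_t oversized[8] = { 9, 9, 9, 9, 9, 9, 9, 9 }; /* pad = len + 1 */

    printf("good:      %ld\n", strip_padding_3des(good, sizeof(good)));
    printf("oversized: %ld\n", strip_padding_3des(oversized, sizeof(oversized)));
    return 0;
}
```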