[Swan-commit] Changes to ref refs/heads/master

Paul Wouters paul at vault.libreswan.fi
Thu May 2 20:19:22 EEST 2013

New commits:
commit c8310a891affc471e0a77cc46accd0116f5f51ba
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu May 2 13:19:11 2013 -0400

    * updated changes

commit a2f7496d7a79cb67c6a08ffafd1a6308fa88b508
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu May 2 13:15:21 2013 -0400

    * security: Remove stale non-NSS ASN1 handling and pem decryption code
    pem_decrypt_3des() has incorrect padding verification code.  (There can
    be at most 8 bytes of padding.)  first_padding_pos can be blob->ptr -
    1, which appears to result in an out-of-bounds array read.
    This code however is not used anymore, since NSS is mandatory and we don't
    read encrypted keys from /etc/ipsec.d/private anymore. (we might do again
    later for an openssl port, but then we should be using native openssl calls)
    looking further into pem.c, more dead code was found and removed, and the
    remaining code was stripped of any decryption hooks, as we do still use
    load_cert() (the non-nss version) to load CRLs and CAcerts from disk.
    Note that openswan when compiled without HAVE_NSS does have a problem with
    verifying the padding and requires a different fix.

More information about the Swan-commit mailing list