[Swan-commit] Changes to ref refs/heads/master

Paul Wouters paul at vault.libreswan.fi
Fri May 10 02:52:31 EEST 2013


New commits:
commit 80c5166cceb48e5d607c5392beb7ada1c6c324db
Merge: 5d6facd 4ae8a68
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu May 9 19:52:21 2013 -0400

    Merge branch 'master' of vault.libreswan.fi:/srv/src/libreswan

commit 5d6facd157ffc90960924ba8d44c176928eab42f
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu May 9 19:52:05 2013 -0400

    * updated changes

commit 9040be5131fe57dda3f9dad4a07586a1e9daeea9
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu May 9 19:49:26 2013 -0400

    * pluto: Add support for OID_SHA224_WITH_RSA signatures
    
    Also log a more meaningful error when we see OID_MD2_WITH_RSA. It's not that
    we don't support it, we just think it shouldn't be accepted as it's too weak.

commit 94b9ef1f0803aa9225f0563fc9aac6ddb0c95bfa
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu May 9 19:33:54 2013 -0400

    * Fix for CRL signature verification failure if first byte is a zero
    
    ASN.1 integer values have a leading zero if they are above a certain size to
    denote whether they are positive or negative values. Oddly enough, the signature
    is stored as an integer value.
    
    The CRL verification code introduced with the NSS code path used the gmp library's
    bignum to convert the signature chunk_t into a bignum and back, thereby removing
    the leading zero. However, this would remove more than the 1 leading zero, so if
    the signature started with a 0x00, then the RSA signature of the CRL would be short
    a byte and fail to verify. The CRL would be rejected.
    
    This patch removes the conversions to bignum, and handles the leading zero by just
    moving the pointer one forward, and reducing the length by 1.
    
    Debugging was also slightly cleaned up, and errors in the CRL are now reported back
    to the user if reading the CRLs was triggered by "ipsec auto --rereadall"
    
    (this is rhbz#959969)

commit 8f6711bcc52ef5cee85f5f52cae242509f405afc
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu May 9 19:32:46 2013 -0400

    * whack: throw an error to the user if CRL is rejected
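
The failure described in commit 94b9ef1f above (CRL signature starting with 0x00), as an added example that is not libreswan's code. The struct, the function names, the toy 8-byte modulus and the sample bytes are all constructed for illustration; the old path is modelled as a loop that drops every leading zero, which is what a bignum round trip amounts to.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for a pointer-plus-length chunk (not pluto's type). */
struct chunk { const unsigned char *ptr; size_t len; };

/* Constructed sample for a toy 8-byte modulus: one leading 0x00 from the
 * encoding, then an 8-byte signature that itself starts with 0x00. */
#define MODULUS_LEN 8
static const unsigned char encoded_sig[] = {
    0x00, 0x00, 0x9a, 0x41, 0x7c, 0x03, 0xee, 0x51, 0x28
};

static struct chunk sample(void)
{
    struct chunk c = { encoded_sig, sizeof(encoded_sig) };
    return c;
}

/* Models the old path: a bignum has no leading zero bytes, so converting
 * to one and back drops every leading 0x00, not just the first. */
static struct chunk strip_via_bignum(struct chunk c)
{
    while (c.len > 0 && c.ptr[0] == 0x00) { c.ptr++; c.len--; }
    return c;
}

/* Models the fix: move the pointer one forward and reduce the length by 1. */
static struct chunk strip_one_leading_zero(struct chunk c)
{
    if (c.len > 0 && c.ptr[0] == 0x00) { c.ptr++; c.len--; }
    return c;
}

/* An RSA signature has to be exactly as long as the modulus. */
static int length_ok(struct chunk sig) { return sig.len == MODULUS_LEN; }

int main(void)
{
    struct chunk old = strip_via_bignum(sample());
    struct chunk fixed = strip_one_leading_zero(sample());
    printf("bignum round trip: %zu bytes, usable=%d\n", old.len, length_ok(old));
    printf("single-byte strip: %zu bytes, usable=%d\n", fixed.len, length_ok(fixed));
    return 0;
}
```

With a 2048-bit key roughly one CRL signature in 256 begins with a zero byte, so the old behaviour shows up as an intermittent rejection rather than a consistent one.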


