[Swan-commit] Changes to ref refs/heads/master
Paul Wouters
paul at vault.libreswan.fi
Fri May 10 02:52:31 EEST 2013
New commits:
commit 80c5166cceb48e5d607c5392beb7ada1c6c324db
Merge: 5d6facd 4ae8a68
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu May 9 19:52:21 2013 -0400
Merge branch 'master' of vault.libreswan.fi:/srv/src/libreswan
commit 5d6facd157ffc90960924ba8d44c176928eab42f
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu May 9 19:52:05 2013 -0400
* updated changes
commit 9040be5131fe57dda3f9dad4a07586a1e9daeea9
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu May 9 19:49:26 2013 -0400
* pluto: Add support for OID_SHA224_WITH_RSA signatures
Also log a more meaningful error when we see OID_MD2_WITH_RSA. It's not that
we don't support it, we just think it shouldn't be accepted as it's too weak.
commit 94b9ef1f0803aa9225f0563fc9aac6ddb0c95bfa
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu May 9 19:33:54 2013 -0400
* Fix for CRL signature verification failure if first byte is a zero
ASN.1 integer values have a leading zero if they are above a certain size to
denote whether they are positive or negative values. Oddly enough, the signature
is stored as an integer value.
The CRL verification code introduced with the NSS code path used the gmp library's
bignum to convert the signature chunk_t into a bignum and back, thereby removing
the leading zero. However, this would remove more then the 1 leading zero, so if
the signature started with a 0x00, then the RSA signature of the CRL would be short
a byte and fail to verify. The CRL would be rejected.
This patch removes the conversions to bignum, and handles the leading zero by just
moving the pointer one forward, and reducing the length by 1.
Debugging was also slightly cleaned up, and errors in the CRL are now reported back
to the user if reading the CRLs was triggered by "ipsec auto --rereadall
(this is rhbz#959969)
commit 8f6711bcc52ef5cee85f5f52cae242509f405afc
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu May 9 19:32:46 2013 -0400
* whack: throw an error to the user if CRL is rejected
More information about the Swan-commit
mailing list