1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
|
From acdd65497d164082e0462b3f2d4407f0c50ccf71 Mon Sep 17 00:00:00 2001
From: Florian Weimer <fweimer@redhat.com>
Date: Wed, 10 Apr 2013 10:32:52 +0200
Subject: [PATCH 06/10] do_3des: Abort on failure
The routine cannot signal encryption failures to the caller
and would leave the buffer unencrypted on error.
---
lib/libopenswan/pem.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/lib/libopenswan/pem.c b/lib/libopenswan/pem.c
index 36da401..d42655a 100644
--- a/lib/libopenswan/pem.c
+++ b/lib/libopenswan/pem.c
@@ -483,7 +483,7 @@ void do_3des_nss(u_int8_t *buf, size_t buf_len
memcpy(&symkey, key, key_size);
if (symkey == NULL) {
loglog(RC_LOG_SERIOUS, "do_3des: NSS derived enc key is NULL \n");
- goto out;
+ abort();
}
ivitem.type = siBuffer;
@@ -493,7 +493,7 @@ void do_3des_nss(u_int8_t *buf, size_t buf_len
secparam = PK11_ParamFromIV(ciphermech, &ivitem);
if (secparam == NULL) {
loglog(RC_LOG_SERIOUS, "do_3des: Failure to set up PKCS11 param (err %d)\n",PR_GetError());
- goto out;
+ abort();
}
outlen = 0;
@@ -505,8 +505,15 @@ void do_3des_nss(u_int8_t *buf, size_t buf_len
}
enccontext = PK11_CreateContextBySymKey(ciphermech, enc? CKA_ENCRYPT: CKA_DECRYPT, symkey, secparam);
+ if (enccontext == NULL) {
+ loglog(RC_LOG_SERIOUS, "do_3des: PKCS11 context creation failure (err %d)\n", PR_GetError());
+ abort();
+ }
rv = PK11_CipherOp(enccontext, tmp_buf, &outlen, buf_len, buf, buf_len);
- passert(rv==SECSuccess);
+ if (rv != SECSuccess) {
+ loglog(RC_LOG_SERIOUS, "do_3des: PKCS11 operation failure (err %d)\n", PR_GetError());
+ abort();
+ }
if(enc) {
memcpy(new_iv, (char*) tmp_buf + buf_len-DES_CBC_BLOCK_SIZE, DES_CBC_BLOCK_SIZE);
@@ -518,7 +525,6 @@ void do_3des_nss(u_int8_t *buf, size_t buf_len
PR_Free(tmp_buf);
PR_Free(new_iv);
-out:
if (secparam) {
SECITEM_FreeItem(secparam, PR_TRUE);
}
--
1.8.1.4
|
