[Openswan dev] bug in openswan-2.1.0rc1/programs/pluto/whack.c

Michael Richardson mcr at sandelman.ottawa.on.ca
Tue Mar 23 10:01:55 CET 2004




>>>>> "Niki" == Niki Waibel <niki.waibel at newlogic.com> writes:
    Niki> the problematic function is get_secret. you can find it in
    Niki> ./programs/pluto/whack.c. it seems that this part:
    Niki> ===
    Niki> case RC_ENTERSECRET:
    Niki> if(!gotxauthpass)
    Niki> {
    Niki> xauthpasslen = get_secret(xauthpass
    Niki> , sizeof(xauthpass));
    Niki> }
    Niki> ===
    Niki> is wrong. it is a bit strange to me that the var ``xauthpass''
    Niki> is used. i am not using the XAUTH feature ... anyway,
    Niki> sizeof(xauthpass) seems to be zero...

  Both XAUTH and %prompt need to ask for a secret.
  However, "whack" lets you put that on the command line if you like,
so the variables got renamed.

    Niki> i think this should be:
    Niki> xauthpasslen = get_secret(xauthpass, 128);

  Well, sizeof(xauthpass) is 128.
  You are right that get_secret was broken in a subtle way.
  I have used it. Hmm.

    Niki> This function is obsolete. Do not use it.

    Niki> note ---> ``This function is obsolete. Do not use it.''

  Can you suggest an alternative function?
  It has to open /dev/tty, because the input to whack may not be the
tty. 

--
]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr at xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
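The message above asks for a way to prompt for a secret that opens /dev/tty itself, since whack's input may not be the terminal. The following is an added example, not code from this thread or from Openswan: one way to do that with termios and a bounded buffer. The names `read_secret_fd` and `prompt_secret` are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <string.h>
#include <termios.h>
#include <unistd.h>

/* Read one line from fd into buf (capacity buflen, always NUL-terminated),
 * with echo off if fd is a terminal. Bytes past buflen-1 are consumed up to
 * the newline but never stored. Returns bytes stored, or -1 on error. */
ssize_t read_secret_fd(int fd, char *buf, size_t buflen)
{
    struct termios saved, noecho;
    size_t n = 0;
    ssize_t r;
    char c;

    if (buf == NULL || buflen == 0)
        return -1;
    int is_tty = (tcgetattr(fd, &saved) == 0);
    if (is_tty) {
        noecho = saved;
        noecho.c_lflag &= ~(tcflag_t)ECHO;
        if (tcsetattr(fd, TCSAFLUSH, &noecho) != 0)
            return -1;
    }
    while ((r = read(fd, &c, 1)) == 1 && c != '\n')
        if (n + 1 < buflen)
            buf[n++] = c;
    buf[n] = '\0';
    if (is_tty)
        tcsetattr(fd, TCSAFLUSH, &saved); /* always restore echo */
    return r < 0 ? -1 : (ssize_t)n;
}

/* Prompt on the controlling terminal, so it works when stdin is redirected. */
ssize_t prompt_secret(const char *prompt, char *buf, size_t buflen)
{
    int fd = open("/dev/tty", O_RDWR | O_NOCTTY);
    if (fd < 0)
        return -1;
    ssize_t len = -1;
    if (write(fd, prompt, strlen(prompt)) >= 0)
        len = read_secret_fd(fd, buf, buflen);
    if (write(fd, "\n", 1) < 0) /* echo was off, so emit the newline */
        len = -1;
    close(fd);
    return len;
}
```

A caller passes its own buffer and `sizeof` of that buffer, for example a 128-byte array like the `xauthpass` discussed in the thread, and should clear the buffer once the secret has been used.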

