rpms/openswan/F-11 openswan-2.6-initscript-correction.patch, NONE, 1.1 openswan-2.6.22-CVE-2009-2185.patch, NONE, 1.1 openswan-2.6.22-gcc44.patch, NONE, 1.1 openswan-2.6.22-nss.patch, NONE, 1.1 openswan-2.6.22-selinux.patch, NONE, 1.1 .cvsignore, 1.26, 1.27 openswan.spec, 1.79, 1.80 sources, 1.25, 1.26 openswan-2.6-selinux.patch, 1.1, NONE openswan-2.6.16-initscript-correction.patch, 1.1, NONE openswan-2.6.21-CVE-2009-2185.patch, 1.1, NONE openswan-2.6.21-gcc44.patch, 1.6, NONE openswan-2.6.21-nss-fedora-diff-modified.patch, 1.1, NONE openswan-2.6.21-nss.patch, 1.3, NONE

avesh agarwal avesh at fedoraproject.org
Thu Sep 10 16:35:41 UTC 2009


Author: avesh

Update of /cvs/pkgs/rpms/openswan/F-11
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv4537

Modified Files:
	.cvsignore openswan.spec sources 
Added Files:
	openswan-2.6-initscript-correction.patch 
	openswan-2.6.22-CVE-2009-2185.patch 
	openswan-2.6.22-gcc44.patch openswan-2.6.22-nss.patch 
	openswan-2.6.22-selinux.patch 
Removed Files:
	openswan-2.6-selinux.patch 
	openswan-2.6.16-initscript-correction.patch 
	openswan-2.6.21-CVE-2009-2185.patch 
	openswan-2.6.21-gcc44.patch 
	openswan-2.6.21-nss-fedora-diff-modified.patch 
	openswan-2.6.21-nss.patch 
Log Message:
* Thu Sep 10 2009 Avesh Agarwal <avagarwa at redhat.com> - 2.6.22-1
- New upstream release
- Added support for using PSK with NSS
- Fixed several warnings and undid unnecessary debug messages
- Updated README.nss with an example configuration
- Moved README.nss to openswan/doc/
- Improved FIPS integrity check functionality
- Patch for Openswan ASN.1 parser vulnerability (CVE-2009-2185)


openswan-2.6-initscript-correction.patch:
 setup.in |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- NEW FILE openswan-2.6-initscript-correction.patch ---
--- openswan-2.6.22-orig/programs/setup/setup.in	2009-06-22 22:53:08.000000000 -0400
+++ openswan-2.6.22/programs/setup/setup.in	2009-09-10 11:48:23.395338383 -0400
@@ -39,7 +39,7 @@
 # times of NFS filesystem startup/shutdown).  Startup is after startup of
 # syslog and pcmcia support; shutdown is just before shutdown of syslog.
 #
-# chkconfig: 2345 47 76
+# chkconfig: - 47 76
 # description: IPsec provides encrypted and authenticated communications; \
 # KLIPS is the kernel half of it, Pluto is the user-level management daemon.
 

openswan-2.6.22-CVE-2009-2185.patch:
 asn1.c |   12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

--- NEW FILE openswan-2.6.22-CVE-2009-2185.patch ---
--- openswan-2.6.22/lib/libopenswan/asn1.c	2009-06-22 22:53:08.000000000 -0400
+++ openswan-2/lib/libopenswan/asn1.c	2009-08-17 14:07:00.153981683 -0400
@@ -76,8 +76,15 @@ asn1_length(chunk_t *blob)
     n = *blob->ptr++;
     blob->len--;
 
-    if ((n & 0x80) == 0) /* single length octet */
+    if ((n & 0x80) == 0) { /* single length octet */
+	if (n > blob->len) {
+	    DBG(DBG_PARSING,
+		DBG_log("number of length octets is larger than ASN.1 object")
+	    )
+	    return ASN1_INVALID_LENGTH;
+	}
 	return n;
+    }
 
     /* composite length, determine number of length octets */
     n &= 0x7f;
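Review bot: The new `n > blob->len` test only helps if `blob->len` was non-zero before the `blob->len--` two lines above it; no such guard is visible in this hunk, and if `len` is an unsigned type a decrement from zero wraps, so the comparison can never fire. asn1_length() starts above the hunk, so confirm that something like `if (blob->len == 0) return ASN1_INVALID_LENGTH;` runs before `n = *blob->ptr++;`. Separately, the debug text in the single-octet branch says "number of length octets" although `n` is the content length there; `DBG_log("length is larger than remaining ASN.1 blob")` would describe the failure correctly.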
@@ -243,7 +250,6 @@ asn1totime(const chunk_t *utctime, asn1_
     {
 	int tz_hour, tz_min;
 
-	sscanf(eot+1, "%2d%2d", &tz_hour, &tz_min);
 	if (sscanf(eot+1, "%2d%2d", &tz_hour, &tz_min) != 2)
 	{
 	    return 0; /* error in positive timezone offset format */
@@ -411,7 +417,7 @@ extract_object(asn1Object_t const *objec
 
     blob1->len = asn1_length(blob);
 
-    if (blob1->len == ASN1_INVALID_LENGTH || blob->len < blob1->len)
+    if (blob1->len == ASN1_INVALID_LENGTH)
     {
 	DBG(DBG_PARSING,
 	    DBG_log("L%d - %s:  length of ASN1 object invalid or too large",
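Review bot: Dropping `blob->len < blob1->len` leaves extract_object() with no bounds check of its own, so every return path of asn1_length() must now guarantee that the length fits in the remaining blob. This patch only shows that guarantee being added for the single-octet form; the multi-octet path lies outside the visible hunks and should be confirmed. Keeping the caller-side comparison costs one compare and guards against a later regression in asn1_length(): `if (blob1->len == ASN1_INVALID_LENGTH || blob->len < blob1->len)`. The log text below still says "invalid or too large", which matches the two-condition form. extract_object() continues outside the hunk.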

openswan-2.6.22-gcc44.patch:
 tncfg.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- NEW FILE openswan-2.6.22-gcc44.patch ---
--- openswan-2.6.22-orig/programs/tncfg/tncfg.c	2009-06-23 04:53:08.000000000 +0200
+++ openswan-2.6.22/programs/tncfg/tncfg.c	2009-07-09 23:58:03.000000000 +0200
@@ -176,7 +176,7 @@ int
 main(int argc, char *argv[])
 {
 	struct ifreq ifr;
-	struct ipsectunnelconf *shc=(struct ipsectunnelconf *)&ifr.ifr_data;
+	struct ipsectunnelconf *shc=(struct ipsectunnelconf *)ifr.ifr_data;
 	int s;
 	int c, previous = -1;
 	int argcount = argc;
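Review bot: Removing the `&` changes what `shc` points at, not just the warning: it is now initialised from the value of `ifr.ifr_data`, and `ifr` is declared on the line above with no initialiser, so the pointer is indeterminate here. The old form aimed `shc` at the storage inside `ifr`; if later code in main() (outside the hunk) writes through `shc` before `ifr.ifr_data` is assigned, that is a write through a garbage pointer. If the aim was only to quiet GCC 4.4's type-punning diagnostic (inferred from the patch name), keep the address and route the cast through `void *`: `struct ipsectunnelconf *shc=(struct ipsectunnelconf *)(void *)&ifr.ifr_data;`.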

openswan-2.6.22-nss.patch:
 doc/README.nss                 |  123 ++++++++++++++++++--
 lib/libcrypto/libmd5/md5.c     |   10 +
 lib/libcrypto/libsha1/sha1.c   |    4 
 lib/libipsecconf/Makefile      |    7 +
 lib/libipsecconf/confread.c    |   17 ++
 lib/libipsecconf/keywords.c    |    3 
 lib/libopenswan/alg_info.c     |   11 +
 lib/libopenswan/pem.c          |    8 +
 lib/libopenswan/secrets.c      |    2 
 lib/libopenswan/x509dn.c       |    1 
 programs/pluto/crypt_dh.c      |  246 +++++++++++++++++++++++++++--------------
 programs/pluto/crypto.h        |    3 
 programs/pluto/hmac.c          |   88 ++++++++++----
 programs/pluto/ike_alg_aes.c   |    2 
 programs/pluto/ikev1.h         |    9 +
 programs/pluto/ikev1_main.c    |   27 ++--
 programs/pluto/ikev2_psk.c     |   63 ++++++++++
 programs/pluto/ikev2_rsa.c     |    4 
 programs/pluto/keys.c          |   42 ++++---
 programs/pluto/keys.h          |    2 
 programs/pluto/pluto_crypt.c   |   27 ----
 programs/pluto/plutomain.c     |   59 ++++++++-
 programs/pluto/state.c         |    6 +
 programs/rsasigkey/rsasigkey.c |    8 -
 24 files changed, 578 insertions(+), 194 deletions(-)

--- NEW FILE openswan-2.6.22-nss.patch ---
diff -urNp openswan-2.6.22-orig/doc/README.nss openswan-2.6.22/doc/README.nss
--- openswan-2.6.22-orig/doc/README.nss	2009-06-22 22:53:08.000000000 -0400
+++ openswan-2.6.22/doc/README.nss	2009-07-23 16:36:01.690589655 -0400
@@ -2,12 +2,11 @@ Title: Using NSS crypto library with Plu
 Author: Avesh Agarwal email: avagarwa at redhat.com
 Version:0.0
 
-
 About NSS crypto library
 --------------------------
 Please visit http://www.mozilla.org/projects/security/pki/nss/
  
-NSS crypto library is user space library. It is only used with Pluto (user space IKE daemon) for cryptographic operations. When using NSS, it does not impact the way IPSEC kernel (KLIPS or NETKEY) works. The usefulness of using NSS lies in the fact that the secret information (like private keys or anything else) never comes out of NSS database.
+NSS crypto library is user space library. It is only used with Pluto (user space IKE daemon) for cryptographic operations. When using NSS, it does not impact the way IPSEC kernel (KLIPS or NETKEY) works. The usefulness of using NSS lies in the fact that the secret information (like private keys or anything else) never comes out of NSS database. Openswan with NSS supports IKEV1, IKEv2, authentication using PSK, Raw RSA Sig key, and Digital Certs.
 
 
 How to enable NSS crypto library with Openswan
@@ -49,9 +48,9 @@ About the password file "nsspassword"
 If you create the database with a password, and want to run NSS in FIPS mode, you must create a password file with the name "nsspassword" in the /etc/ipsec.d before running pluto with NSS. The "nsspassword" file must contain the password you provided when creating NSS database. 
 
 Important thing to note: 
-i) You only need the "nsspassword" file if you run pluto in FIPS. In other way, if you run pluto in normal or NonFIPS mode and even if you create the NSS database with a password, you need not create a "nsspassword" file. 
+i) You only need the "nsspassword" file if you run pluto in FIPS. In other way, if you run pluto in normal or NonFIPS mode, then you can create the NSS database without password, and you need not create a "nsspassword" file. However, if the NSS db is created with a password, the "nsspassword" file must also be provided.
 
-ii) If you create he "nsspassword" file, it must contain only the password nothing else.  
+ii) If you create the "nsspassword" file, it must contain only the password nothing else.  
 
 
 Generating RSA keys when using NSS
@@ -60,7 +59,7 @@ You can still use ipsec newhostkey and i
 
 ipsec newhostkey --configdir /etc/ipsec.d [--password password] --output /etc/ipsec.d/ipsec.secrets 
 
-A password is only required if NSS database is used in FIPS mode. If you use NSS and create RSA keys (private/public), you will notice that the contents of the ipsec.secrets are different than what used to be before. 
+A password is only required if NSS database created with password. If you use NSS and create RSA keys (private/public), you will notice that the contents of the ipsec.secrets are different than what used to be before. 
 
 Public key information in ipsec.secrets is stored in the same way as before. However, all the fields of the Private key information contain just a similar ID. This ID is called CKA ID, which is used to locate private keys inside NSS database during the IKE negotiation.
 
@@ -90,9 +89,9 @@ It creates a user cert with nick name "u
 Important thing to note: You must provided a nick name when creating a user cert, because Pluto reads the user cert from the NSS database nased on the user cert's nickname. 
 
 
-Changes in the certitificates usage with Pluto
+Changes in the certificates usage with Pluto
 ------------------------------------------------
-1) ipsec.comf changes
+1) ipsec.conf changes
 
 The only change is "leftcert" field must contain the nick name of the user cert. For example if the nickname of the user cert is "xyz", then it can be  "leftid=xyz".
 
@@ -109,9 +108,111 @@ There is no need to provide private key 
 3) changes in the directories in /etc/ipsec.d/ (cacerts, certs, private)  
 i)You need not have "private" or "certs" directory.
 
-ii) If you obtain a CA certificate from outside, and it is not inside NSS database, then you need to put the certificate inside "cacerts" directory, so that Pluto can read it. If the CA certificate is created in the NSS database, or imported from outside inside the NSS database, you need not have "cacerts" directory,as Pluto can read the CA cert from the database.
+ii) If you obtain a CA certificate from outside, and it is not inside NSS database, then you need to put the certificate inside "cacerts" directory, so that Pluto can read it. If the CA certificate is created in the NSS database, or imported from outside inside the NSS database, you need not have "cacerts" directory, as Pluto can read the CA cert from the database.
+
+
+An example Scenario: To setup ipsec with certs in tunnel mode using NSS
+------------------------------------------------------------
+
+GW Machine 1: w1.x1.y1.z1 
+GW Machine 2: w2.x2.y2.z2 
+
+w1.x1.y1.z1 <---> w2.x2.y2.z2
+
+Note: In this example setup, both machines are using NSS. If you want to use 
+NSS only at one machine, say machine 1, you can use the following procedure 
+only at machine 1, and you can use traditional ipsec setup at machine 2.
+
+1. Create a new (if not already) nss db on both machines as follows:
+
+certutil -N -d <path-to-ipsec.d dir>/ipsec.d
+
+2. Creating CA certs at both machines:
+
+On machine 1:
+certutil -S -k rsa -n cacert1 -s "CN=cacert1" -v 12 -d . -t "C,C,C" -x -d 
+<path-to-ipsec.d dir>/ipsec.d
+
+As we want to use the same certificate  "cacert1" at machine 2, it needs to be
+exported first. To export the cacert1, do the following at machine 1: 
+
+pk12util -o cacert1.p12 -n cacert1 -d /etc/ipsec.d
+
+Copy the file "cacert1.p12" to the machine2 in "/etc/ipsec.d" directory.
+
+On machine 2:
+Import the "cacert1" as follows:
+
+cd /etc/ipsec.d
+pk12util -i cacert1.p12 -d /etc/ipsec.d
+certutil -M -n cacert1 -t "C, C, C" -d /etc/ipsec.d 
+
+Now machine 2 also has the CA certificates "cacert1" in its NSS database.
+
+3. Creating user certs at both machines:
+
+On machine 1:
+certutil -S -k rsa -c cacert1 -n usercert1 -s "CN=usercert1" -v 12 -t "u,u,u" 
+-d /etc/ipsec.d
+(Note this cert is signed by "cacert1")
+
+On machine 2:
+certutil -S -k rsa -c cacert1 -n usercert2 -s "CN=usercert2" -v 12 -t "u,u,u" 
+-d /etc/ipsec.d
+(Note this cert is signed by "cacert1" too)
+
+4. Preparing ipsec.conf at both machines 
+
+ipsec.conf at machine 1:
+
+
+conn    pluto-1-2
+        left=w1.x1.y1.z1
+        leftid="CN=usercert1"
+        leftsourceip=w1.x1.y1.z1
+        leftrsasigkey=%cert
+        leftcert=usercert1
+        leftnexthop=w2.x2.y2.z2
+        right=w2.x2.y2.z2
+        rightid="CN=usercert2"
+        rightsourceip=w2.x2.y2.z2
+        rightrsasigkey=%cert
+        rightnexthop=w1.x1.y1.z1
+        rekey=no
+        esp="aes-sha1"
+        ike="aes-sha1"
+        auto=add
+
+
+ipsec.conf at machine 2:
+
+
+conn    pluto-1-2
+        left=w2.x2.y2.z2
+        leftid="CN=usercert2"
+        leftsourceip=w2.x2.y2.z2
+        leftrsasigkey=%cert
+        leftcert=usercert2
+        leftnexthop=w1.x1.y1.z1
+        right=w1.x1.y1.z1
+        rightid="CN=usercert1"
+        rightsourceip=w1.x1.y1.z1
+        rightrsasigkey=%cert
+        rightnexthop=w2.x2.y2.z2
+        rekey=no
+        esp="aes-sha1"
+        ike="aes-sha1"
+        auto=add
+
+5. Preparing ipsec.secrets at both machines 
+
+ipsec.secrets at machine 1:
+
+ : RSA usercert1
+
+
+ipsec.secrets at machine 1:
+
+ : RSA usercert2
 
 
-Things not supported
----------------------
-PSK: It is not supported when using NSS, because it required both pluto peers to have a mutual keys created outside the NSS database. So It should not be configured with NSS. 
diff -urNp openswan-2.6.22-orig/lib/libcrypto/libmd5/md5.c openswan-2.6.22/lib/libcrypto/libmd5/md5.c
--- openswan-2.6.22-orig/lib/libcrypto/libmd5/md5.c	2009-06-22 22:53:08.000000000 -0400
+++ openswan-2.6.22/lib/libcrypto/libmd5/md5.c	2009-07-23 16:36:01.691592011 -0400
@@ -75,7 +75,9 @@ documentation and/or software.
 
 #define MD5Transform _MD5Transform
 
+#ifndef HAVE_LIBNSS
 static void MD5Transform PROTO_LIST ((UINT4 [4], const unsigned char [64]));
+#endif
 
 #if BYTE_ORDER == LITTLE_ENDIAN
 #define Encode MD5_memcpy
@@ -100,11 +102,13 @@ static void MD5_memcpy PROTO_LIST ((POIN
 static void MD5_memset PROTO_LIST ((POINTER, int, unsigned int));
 #endif
 #endif
+#ifndef HAVE_LIBNSS
 static unsigned char PADDING[64] = {
   0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
   0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
   0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
 };
+#endif
 
 /* F, G, H and I are basic MD5 functions.
  */
@@ -147,14 +151,12 @@ void osMD5Init (context)
 MD5_CTX *context;                                        /* context */
 {
 #ifdef HAVE_LIBNSS
-  DBG(DBG_CRYPT, DBG_log("NSS: md5 init start"));
   SECStatus status;
   context->ctx_nss=NULL;
   context->ctx_nss = PK11_CreateDigestContext(SEC_OID_MD5);
   PR_ASSERT(context->ctx_nss!=NULL);
   status=PK11_DigestBegin(context->ctx_nss);
   PR_ASSERT(status==SECSuccess);
-  DBG(DBG_CRYPT, DBG_log("NSS: md5 init end"));
 #else
   context->count[0] = context->count[1] = 0;
   /* Load magic initialization constants.
@@ -178,7 +180,6 @@ UINT4 inputLen;                         
 #ifdef HAVE_LIBNSS
   SECStatus status=PK11_DigestOp(context->ctx_nss, input, inputLen);
   PR_ASSERT(status==SECSuccess);
-  DBG(DBG_CRYPT, DBG_log("NSS: md5 update end")); 
 #else
   UINT4 i;
   unsigned int myindex, partLen;
@@ -225,7 +226,6 @@ MD5_CTX *context;                       
   PR_ASSERT(length==MD5_DIGEST_SIZE);
   PR_ASSERT(status==SECSuccess);
   PK11_DestroyContext(context->ctx_nss, PR_TRUE);
-  DBG(DBG_CRYPT, DBG_log("NSS: md5 final end"));
 #else
   unsigned char bits[8];
   unsigned int myindex, padLen;
@@ -256,6 +256,7 @@ MD5_CTX *context;                       
 
 /* MD5 basic transformation. Transforms state based on block.
  */
+#ifndef HAVE_LIBNSS
 static void MD5Transform (state, block)
 UINT4 state[4];
 const unsigned char block[64];
@@ -345,6 +346,7 @@ const unsigned char block[64];
 */
   MD5_memset ((POINTER)x, 0, sizeof (x));
 }
+#endif
 
 #if BYTE_ORDER != LITTLE_ENDIAN
 
diff -urNp openswan-2.6.22-orig/lib/libcrypto/libsha1/sha1.c openswan-2.6.22/lib/libcrypto/libsha1/sha1.c
--- openswan-2.6.22-orig/lib/libcrypto/libsha1/sha1.c	2009-06-22 22:53:08.000000000 -0400
+++ openswan-2.6.22/lib/libcrypto/libsha1/sha1.c	2009-07-23 16:36:01.692591026 -0400
@@ -118,14 +118,12 @@ CHAR64LONG16* block = (const CHAR64LONG1
 void SHA1Init(SHA1_CTX* context)
 {
 #ifdef HAVE_LIBNSS
-    DBG(DBG_CRYPT, DBG_log("NSS: sha1 init start"));
     SECStatus status;
     context->ctx_nss=NULL;
     context->ctx_nss = PK11_CreateDigestContext(SEC_OID_SHA1);
     PR_ASSERT(context->ctx_nss!=NULL);
     status=PK11_DigestBegin(context->ctx_nss);
     PR_ASSERT(status==SECSuccess);
-    DBG(DBG_CRYPT, DBG_log("NSS: sha1 init end"));
 #else
     /* SHA1 initialization constants */
     context->state[0] = 0x67452301;
@@ -145,7 +143,6 @@ void SHA1Update(SHA1_CTX* context, const
 #ifdef HAVE_LIBNSS
 	SECStatus status=PK11_DigestOp(context->ctx_nss, data, len);
 	PR_ASSERT(status==SECSuccess);
-	DBG(DBG_CRYPT, DBG_log("NSS: sha1 update end"));
         /*loglog(RC_LOG_SERIOUS, "enter sha1 ctx update end");*/
 #else
 u_int32_t i;
@@ -181,7 +178,6 @@ void SHA1Final(unsigned char digest[20],
 	PR_ASSERT(length==SHA1_DIGEST_SIZE);
 	PR_ASSERT(status==SECSuccess);
 	PK11_DestroyContext(context->ctx_nss, PR_TRUE);
-	DBG(DBG_CRYPT, DBG_log("NSS: sha1 final end"));
 #else
 unsigned i;
 unsigned char finalcount[8];
diff -urNp openswan-2.6.22-orig/lib/libipsecconf/confread.c openswan-2.6.22/lib/libipsecconf/confread.c
--- openswan-2.6.22-orig/lib/libipsecconf/confread.c	2009-06-22 22:53:08.000000000 -0400
+++ openswan-2.6.22/lib/libipsecconf/confread.c	2009-07-23 16:36:01.693590073 -0400
@@ -32,6 +32,11 @@
 #include "ipsecconf/starterlog.h"
 #include "ipsecconf/oeconns.h"
 
+#ifdef HAVE_LIBNSS
+//#ifdef FIPS_CHECK
+#include "oswconf.h"
+#endif
+
 static char _tmp_err[512];
 
 /** 
@@ -969,6 +974,18 @@ static int load_conn (struct starter_con
     /* reset authby flags */
     if(conn->options_set[KBF_AUTHBY]) {
 	conn->policy &= ~(POLICY_ID_AUTH_MASK);
+
+#ifdef HAVE_LIBNSS
+//#ifdef FIPS_CHECK
+        if(Pluto_IsFIPS()) {
+		if((conn->options[KBF_AUTHBY] & POLICY_PSK) == POLICY_PSK){
+		starter_log(LOG_LEVEL_INFO
+                        ,"while loading conn '%s', PSK not allowed in FIPS mode with NSS", conn->name);
+		return 1;
+		}      
+	}
+#endif
+
 	conn->policy |= conn->options[KBF_AUTHBY];
 
 #if STARTER_POLICY_DEBUG
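Review bot: The FIPS refusal of PSK sits inside `if(conn->options_set[KBF_AUTHBY])`, so it only runs when authby is set explicitly. Whether a default or inherited policy can still carry POLICY_PSK in FIPS mode is not visible here and should be checked; load_conn continues outside the hunk. The rejection returns 1 but is logged at LOG_LEVEL_INFO, which makes a refused connection easy to miss, so an error-level log would fit better. The `//#ifdef FIPS_CHECK` line is dead text and the new block mixes tabs and spaces; I would drop the former, reindent, and add `/* PSK authentication is refused when pluto runs in FIPS mode */` above the check.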
diff -urNp openswan-2.6.22-orig/lib/libipsecconf/keywords.c openswan-2.6.22/lib/libipsecconf/keywords.c
--- openswan-2.6.22-orig/lib/libipsecconf/keywords.c	2009-06-22 22:53:08.000000000 -0400
+++ openswan-2.6.22/lib/libipsecconf/keywords.c	2009-07-23 16:36:01.694590809 -0400
@@ -79,10 +79,7 @@ struct keyword_enum_values kw_fourvalued
 struct keyword_enum_value kw_authby_values[]={
     { "never",     0},
     { "rsasig",    POLICY_RSASIG},
-/* You cannot have a PSK in an nss database */
-#ifndef HAVE_LIBNSS
     { "secret",    POLICY_PSK},
-#endif
 };
 
 struct keyword_enum_values kw_authby_list=
diff -urNp openswan-2.6.22-orig/lib/libipsecconf/Makefile openswan-2.6.22/lib/libipsecconf/Makefile
--- openswan-2.6.22-orig/lib/libipsecconf/Makefile	2009-06-22 22:53:08.000000000 -0400
+++ openswan-2.6.22/lib/libipsecconf/Makefile	2009-07-23 16:36:01.695600060 -0400
@@ -32,6 +32,13 @@ SRCS+=interfaces.c
 #enable to get lots more debugging about semantics.
 #CFLAGS+=-DPARSER_TYPE_DEBUG
 
+#ifeq ($(USE_FIPSCHECK),true)
+#CFLAGS+=-DFIPS_CHECK
+ifeq ($(USE_LIBNSS),true)
+CFLAGS+=-DHAVE_LIBNSS
+CFLAGS+=-I/usr/include/nspr4 -I/usr/include/nss3
+endif
+
 ifeq ($(USE_KLIPS),true)
 SRCS+=virtif.c
 endif
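Review bot: The NSPR/NSS header locations are hard-coded as `-I/usr/include/nspr4 -I/usr/include/nss3`, so the build compiles against whatever sits at those paths and breaks or picks up the wrong headers on a different layout. Where an nss.pc is installed, `CFLAGS+=$(shell pkg-config --cflags nss)` is more robust, or reuse an include variable if the top-level Makefile already defines one (not visible here). The two commented-out lines `#ifeq ($(USE_FIPSCHECK),true)` and `#CFLAGS+=-DFIPS_CHECK` read like an unterminated conditional above the live `ifeq` and should be removed or explained.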
diff -urNp openswan-2.6.22-orig/lib/libopenswan/alg_info.c openswan-2.6.22/lib/libopenswan/alg_info.c
--- openswan-2.6.22-orig/lib/libopenswan/alg_info.c	2009-06-22 22:53:08.000000000 -0400
+++ openswan-2.6.22/lib/libopenswan/alg_info.c	2009-07-23 16:36:01.696590101 -0400
@@ -36,6 +36,10 @@
 #include "oswlog.h"
 #include "oswalloc.h"
 
+#ifdef HAVE_LIBNSS
+#include "oswconf.h"
+#endif
+
 /* abstract reference */
 struct oakley_group_desc;
 
@@ -625,6 +629,13 @@ parser_alg_info_add(struct parser_contex
 		p_ctx->err="hash_alg not found";
 		goto out;
 	    }
+
+#ifdef HAVE_LIBNSS
+            if ( Pluto_IsFIPS() && ((aalg_id == OAKLEY_SHA2_256 ) ||(aalg_id == OAKLEY_SHA2_384 ) || (aalg_id == OAKLEY_SHA2_512 ))  ) {
+                p_ctx->err="SHA2 Not supported in FIPS mode with NSS";
+                goto out;
+            }
+#endif
 	    DBG(DBG_CRYPT, DBG_log("parser_alg_info_add() "
 				   "aalg_getbyname(\"%s\")=%d",
 				   p_ctx->aalg_buf,
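Review bot: The SHA2 refusal carries no comment saying why it exists, and a reader who knows SHA-2 is a FIPS-approved hash family will take it for a mistake. Presumably it reflects what the NSS-backed path supports in this release, but that is not stated in the hunk and should be confirmed and written down, e.g. `/* SHA2 is refused in FIPS mode with NSS: <reason, confirm with author> */`. The three-way comparison on one line is also hard to scan; splitting it over three lines would help. parser_alg_info_add() starts and ends outside the hunk.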
diff -urNp openswan-2.6.22-orig/lib/libopenswan/pem.c openswan-2.6.22/lib/libopenswan/pem.c
--- openswan-2.6.22-orig/lib/libopenswan/pem.c	2009-06-22 22:53:08.000000000 -0400
+++ openswan-2.6.22/lib/libopenswan/pem.c	2009-07-23 16:36:01.768617374 -0400
@@ -195,10 +195,13 @@ pem_decrypt_3des(chunk_t *blob, chunk_t 
 {
     MD5_CTX context;
     u_char digest[MD5_DIGEST_SIZE];
-    u_char des_iv[DES_CBC_BLOCK_SIZE];
     u_char key[24];
+
+#ifndef HAVE_LIBNSS
+    u_char des_iv[DES_CBC_BLOCK_SIZE];
     des_cblock *deskey = (des_cblock *)key;
     des_key_schedule ks[3];
+#endif
     u_char padding, *last_padding_pos, *first_padding_pos;
 
     /* Convert passphrase to 3des key */
@@ -217,7 +220,8 @@ pem_decrypt_3des(chunk_t *blob, chunk_t 
     memcpy(key + MD5_DIGEST_SIZE, digest, 24 - MD5_DIGEST_SIZE);
 
 #ifdef HAVE_LIBNSS
-   do_3des_nss(blob->ptr, blob->len, key, DES_CBC_BLOCK_SIZE * 3 , iv, FALSE);
+   do_3des_nss(blob->ptr, blob->len, 
+        key, DES_CBC_BLOCK_SIZE * 3 , (u_int8_t*)iv, FALSE);
 #else
     (void) oswcrypto.des_set_key(&deskey[0], ks[0]);
     (void) oswcrypto.des_set_key(&deskey[1], ks[1]);
diff -urNp openswan-2.6.22-orig/lib/libopenswan/secrets.c openswan-2.6.22/lib/libopenswan/secrets.c
--- openswan-2.6.22-orig/lib/libopenswan/secrets.c	2009-06-22 22:53:08.000000000 -0400
+++ openswan-2.6.22/lib/libopenswan/secrets.c	2009-07-23 16:36:01.770594010 -0400
@@ -121,11 +121,13 @@ RSA_show_key_fields(struct RSA_private_k
 }
 
 /* debugging info that compromises security! */
+#ifndef HAVE_LIBNSS
 static void
 RSA_show_private_key(struct RSA_private_key *k)
 {
     RSA_show_key_fields(k, elemsof(RSA_private_field));
 }
+#endif
 
 static void
 RSA_show_public_key(struct RSA_public_key *k)
diff -urNp openswan-2.6.22-orig/lib/libopenswan/x509dn.c openswan-2.6.22/lib/libopenswan/x509dn.c
--- openswan-2.6.22-orig/lib/libopenswan/x509dn.c	2009-06-22 22:53:08.000000000 -0400
+++ openswan-2.6.22/lib/libopenswan/x509dn.c	2009-07-23 16:36:01.772589393 -0400
@@ -56,6 +56,7 @@
 #ifdef HAVE_LIBNSS
 # include <nss.h>
 # include <pk11pub.h>
+# include <keyhi.h>
 # include <secerr.h>
 # include "oswconf.h"
 #endif
diff -urNp openswan-2.6.22-orig/programs/pluto/crypt_dh.c openswan-2.6.22/programs/pluto/crypt_dh.c
--- openswan-2.6.22-orig/programs/pluto/crypt_dh.c	2009-06-22 22:53:08.000000000 -0400
+++ openswan-2.6.22/programs/pluto/crypt_dh.c	2009-07-23 16:36:01.775588265 -0400
@@ -58,6 +58,9 @@
 # include <keyhi.h>
 # include "oswconf.h"
 
+#define PK11_Derive(base, mechanism, param, target, operation, keysize)  \
+	PK11_Derive_osw(base, mechanism, param, target, operation, keysize)
+
 static PK11SymKey *pk11_extract_derive_wrapper_osw(PK11SymKey *base, CK_EXTRACT_PARAMS bs
 		, CK_MECHANISM_TYPE target , CK_ATTRIBUTE_TYPE operation, int keySize)
 {
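Review bot: Redefining `PK11_Derive` as a macro sends every later call in this file to `PK11_Derive_osw`, including the one in pk11_extract_derive_wrapper_osw() just below, while the call sites still read as the NSS API. In key-derivation code that should be explicit: call `PK11_Derive_osw(...)` by name, or at least put a comment above the macro such as `/* every PK11_Derive call below goes through the Openswan wrapper PK11_Derive_osw */`. The wrapper's declaration is not visible in this hunk, so what it adds over the NSS function cannot be judged from here.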
@@ -67,7 +70,7 @@ static PK11SymKey *pk11_extract_derive_w
 
     return PK11_Derive(base, CKM_EXTRACT_KEY_FROM_KEY, &param, target, operation, keySize);
 }
-
+/*
 static CK_MECHANISM_TYPE nss_hmac_mech(const struct hash_desc *hasher)
 {
     CK_MECHANISM_TYPE mechanism;
@@ -78,21 +81,22 @@ static CK_MECHANISM_TYPE nss_hmac_mech(c
 	case OAKLEY_SHA2_256:  mechanism = CKM_SHA256_HMAC; break;
 	case OAKLEY_SHA2_384:  mechanism = CKM_SHA384_HMAC; break;
 	case OAKLEY_SHA2_512:  mechanism = CKM_SHA512_HMAC; break;
-	default: loglog(RC_LOG_SERIOUS,"NSS: undefined hmac mechanism"); break; /*should not reach here*/
+	default: loglog(RC_LOG_SERIOUS,"NSS: undefined hmac mechanism"); break;
     }
     return mechanism;
 }
+*/
 
 static CK_MECHANISM_TYPE nss_encryption_mech(const struct encrypt_desc *encrypter)
 {
-    CK_MECHANISM_TYPE mechanism;
+CK_MECHANISM_TYPE mechanism=0x80000000;
 
-    switch(encrypter->common.algo_id) {
-	case OAKLEY_3DES_CBC:   mechanism = CKM_DES3_CBC; break;
-	case OAKLEY_AES_CBC:  mechanism = CKM_AES_CBC; break;
-	default: loglog(RC_LOG_SERIOUS,"NSS: Unsupported encryption mechanism"); break; /*should not reach here*/
+    switch(encrypter->common.algo_id){
+    case OAKLEY_3DES_CBC:   mechanism = CKM_DES3_CBC; break;
+    case OAKLEY_AES_CBC:  mechanism = CKM_AES_CBC; break;
+    default: loglog(RC_LOG_SERIOUS,"NSS: Unsupported encryption mechanism"); break; /*should not reach here*/
     }
-    return mechanism;
+return mechanism;
 }
 #endif
 
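Review bot: `mechanism=0x80000000` removes the uninitialised return in the default case but replaces it with an unnamed sentinel that is still handed back to the caller after only a log line. The value equals PKCS #11's `CKM_VENDOR_DEFINED`; use a named constant so callers can test for it and refuse to continue, e.g. `CK_MECHANISM_TYPE mechanism = CKM_INVALID_MECHANISM;` if "no mechanism" is the intent. The rewritten body of nss_encryption_mech() has also lost its indentation. nss_hmac_mech() is now parked inside a `/* ... */` block opened in the previous hunk, which forced removal of its inner comment; deleting the function or wrapping it in `#if 0` would be cleaner.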
@@ -111,14 +115,11 @@ calc_dh_shared(chunk_t *shared, const ch
     unsigned long tv_diff;
     SECKEYPublicKey   *remote_pubk, *local_pubk;
     SECKEYPrivateKey *privk;
-    SECItem nss_g,param1;
+    SECItem nss_g;
     PK11SymKey *dhshared;
     PRArenaPool *arena;
     SECStatus status;
 
-    DBG_cond_dump_chunk(DBG_CRYPT, "NSS: DH pubk pointer:\n", pubk);
-    DBG_cond_dump_chunk(DBG_CRYPT, "NSS: DH priv key pointer:\n", secret);
-
     memcpy(&local_pubk,pubk.ptr,pubk.len);
     memcpy(&privk,secret.ptr,secret.len);
 
@@ -129,12 +130,9 @@ calc_dh_shared(chunk_t *shared, const ch
     arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
     PR_ASSERT(arena!=NULL);
 
-    DBG(DBG_CRYPT, DBG_log("Started DH shared-secret computation in NSS:created arena\n"));
 
     remote_pubk = (SECKEYPublicKey *) PORT_ArenaZAlloc (arena, sizeof (SECKEYPublicKey));
 
-    DBG(DBG_CRYPT, DBG_log("Started DH shared-secret computation in NSS:created remote pubk\n"));
-
     remote_pubk->arena = arena;
     remote_pubk->keyType = dhKey;
     remote_pubk->pkcs11Slot = NULL;
@@ -153,7 +151,6 @@ calc_dh_shared(chunk_t *shared, const ch
     status = SECITEM_CopyItem(remote_pubk->arena, &remote_pubk->u.dh.publicValue, &nss_g);
     PR_ASSERT(status==SECSuccess);
 
-    DBG(DBG_CRYPT, DBG_log("Started DH shared-secret computation in NSS:created remote pubk data\n"));
 
     dhshared=PK11_PubDerive(privk,remote_pubk,PR_FALSE, NULL, NULL
                          , CKM_DH_PKCS_DERIVE, CKM_CONCATENATE_DATA_AND_BASE
@@ -161,10 +158,6 @@ calc_dh_shared(chunk_t *shared, const ch
                          , osw_return_nss_password_file_info());
     PR_ASSERT(dhshared!=NULL);
 
-    nss_symkey_log(dhshared,"DH Shared Secret");
-
-    DBG(DBG_CRYPT, DBG_log("Started DH shared-secret computation in NSS:created dh shared secret\n"));
-
     shared->len=sizeof(PK11SymKey *);
     shared->ptr = alloc_bytes(shared->len, "calculated shared secret");
     memcpy(shared->ptr, &dhshared,shared->len);
@@ -247,17 +240,115 @@ calc_dh_shared(chunk_t *shared, const ch
 /* SKEYID for preshared keys.
  * See draft-ietf-ipsec-ike-01.txt 4.1
  */
+
+#ifdef HAVE_LIBNSS
+static void
+skeyid_preshared(const chunk_t pss
+                 , const chunk_t ni
+                 , const chunk_t nr
+                 , const chunk_t shared_chunk
+                 , const struct hash_desc *hasher
+                 , chunk_t *skeyid_chunk)
+#else
 static void
 skeyid_preshared(const chunk_t pss
 		 , const chunk_t ni
 		 , const chunk_t nr
 		 , const struct hash_desc *hasher
 		 , chunk_t *skeyid)
+#endif
 {
     struct hmac_ctx ctx;
 
     passert(hasher != NULL);
 
+#ifdef HAVE_LIBNSS
+    chunk_t nir;
+    int k;
+    CK_MECHANISM_TYPE mechanism;
+    u_char buf1[HMAC_BUFSIZE], buf2[HMAC_BUFSIZE];
+    chunk_t buf1_chunk, buf2_chunk;
+    PK11SymKey *shared, *skeyid;
+
+    DBG(DBG_CRYPT,
+        DBG_log("NSS: skeyid inputs (pss+NI+NR+shared) hasher: %s", hasher->common.name);
+        DBG_dump_chunk("shared-secret: ", shared_chunk);
+        DBG_dump_chunk("ni: ", ni);
+        DBG_dump_chunk("nr: ", nr));
+
+     memcpy(&shared, shared_chunk.ptr, shared_chunk.len);
+
+    /* We need to hmac_init with the concatenation of Ni_b and Nr_b,
+     * so we have to build a temporary concatentation.
+     */
+
+    nir.len = ni.len + nr.len;
+    nir.ptr = alloc_bytes(nir.len, "Ni + Nr in skeyid_preshared");
+    memcpy(nir.ptr, ni.ptr, ni.len);
+    memcpy(nir.ptr+ ni.len, nr.ptr, nr.len);
+
+    memset(buf1, '\0', HMAC_BUFSIZE);
+
+    if (pss.len <= HMAC_BUFSIZE)
+    {
+        memcpy(buf1, pss.ptr, pss.len);
+    }
+    else
+    {
+        hasher->hash_init(&ctx.hash_ctx);
+        hasher->hash_update(&ctx.hash_ctx, pss.ptr, pss.len);
+        hasher->hash_final(buf1, &ctx.hash_ctx);
+    }
+
+    memcpy(buf2, buf1, HMAC_BUFSIZE);
+
+    for (k = 0; k < HMAC_BUFSIZE; k++)
+    {
+        buf1[k] ^= HMAC_IPAD;
+        buf2[k] ^= HMAC_OPAD;
+    }
+
+    //pfree(nir.ptr);
+
+    mechanism=nss_key_derivation_mech(hasher);
+    buf1_chunk.ptr=buf1;
+    buf1_chunk.len=HMAC_BUFSIZE;
+
+    buf2_chunk.ptr=buf2;
+    buf2_chunk.len=HMAC_BUFSIZE;
+
+    PK11SymKey *tkey4 = pk11_derive_wrapper_osw(shared, CKM_CONCATENATE_DATA_AND_BASE, buf1_chunk, CKM_EXTRACT_KEY_FROM_KEY, CKA_DERIVE, 0);
+    //nss_symkey_log(tkey4, "pss+ipad+shared");
+
+    CK_EXTRACT_PARAMS bs=0;
+    PK11SymKey *tkey5 = pk11_extract_derive_wrapper_osw(tkey4, bs, CKM_CONCATENATE_BASE_AND_DATA, CKA_DERIVE, HMAC_BUFSIZE);
+    //nss_symkey_log(tkey5, "pss+ipad");
+
+    PK11SymKey *tkey6 = pk11_derive_wrapper_osw(tkey5, CKM_CONCATENATE_BASE_AND_DATA, nir, mechanism, CKA_DERIVE, 0);
+    pfree(nir.ptr);
+    //nss_symkey_log(tkey6, "pss+ipad+nir");
+
+    //PK11SymKey *tkey1 = pk11_derive_wrapper_osw(shared, CKM_CONCATENATE_DATA_AND_BASE, buf1_chunk, mechanism, CKA_DERIVE, 0);
+    PK11SymKey *tkey2 = PK11_Derive(tkey6, mechanism, NULL, CKM_CONCATENATE_DATA_AND_BASE, CKA_DERIVE, 0);
+    //nss_symkey_log(tkey2, "pss : tkey2");
+
+    PK11SymKey *tkey3 = pk11_derive_wrapper_osw(tkey2, CKM_CONCATENATE_DATA_AND_BASE, buf2_chunk, mechanism, CKA_DERIVE, 0);
+    skeyid = PK11_Derive(tkey3, mechanism, NULL, CKM_CONCATENATE_BASE_AND_DATA, CKA_DERIVE, 0);
+    //nss_symkey_log(tkey2, "pss : tkey3");
+
+    skeyid_chunk->len = sizeof(PK11SymKey *);
+    skeyid_chunk->ptr = alloc_bytes(skeyid_chunk->len, "calculated skeyid(pss)");
+    memcpy(skeyid_chunk->ptr, &skeyid, skeyid_chunk->len);
+
+    PK11_FreeSymKey(tkey4);
+    PK11_FreeSymKey(tkey5);
+    PK11_FreeSymKey(tkey6);
+    PK11_FreeSymKey(tkey2);
+    PK11_FreeSymKey(tkey3);
+
+    DBG(DBG_CRYPT,
+        DBG_dump_chunk("NSS: st_skeyid in skeyid_preshared(): ", *skeyid_chunk));
+#else
     DBG(DBG_CRYPT,
 	DBG_log("Skey inputs (PSK+NI+NR)");
 	DBG_dump_chunk("ni: ", ni);
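Review bot: None of the six derive results in the NSS branch (`tkey4`, `tkey5`, `tkey6`, `tkey2`, `tkey3`, `skeyid`) is checked before it is fed to the next derive or to `PK11_FreeSymKey`, unlike calc_skeyids_iv() later in this file, which asserts after each step; a failed derive would be passed on as NULL. Add an always-on check after each one, e.g. `passert(tkey4 != NULL);`. The opening `memcpy(&shared, shared_chunk.ptr, shared_chunk.len);` trusts the chunk length to equal the pointer size and should be preceded by `passert(shared_chunk.len == sizeof(PK11SymKey *));`. `buf1` and `buf2` hold the pre-shared key XORed with the HMAC pads and are left on the stack at return, so wipe both before leaving, using a clear the compiler cannot elide. The function's non-NSS body continues in the next hunk.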
@@ -269,6 +360,7 @@ skeyid_preshared(const chunk_t pss
     hmac_final_chunk(*skeyid, "st_skeyid in skeyid_preshared()", &ctx);
     DBG(DBG_CRYPT,
 	DBG_dump_chunk("keyid: ", *skeyid));
+#endif
 }
 
 static void
@@ -406,8 +498,8 @@ calc_skeyids_iv(struct pcr_skeyid_q *skq
     {
 	case OAKLEY_PRESHARED_KEY:
 #ifdef HAVE_LIBNSS
-	    loglog(RC_LOG_SERIOUS,"OAKLEY_PRESHARED_KEY: Not Supported with NSS");
-	    bad_case(auth);
+	    setchunk_fromwire(pss,    &skq->pss, skq);
+	    skeyid_preshared(pss, ni, nr, shared_chunk, hasher, skeyid_chunk);
 #else
 	    setchunk_fromwire(pss,    &skq->pss, skq);
 	    skeyid_preshared(pss, ni, nr, hasher, skeyid_chunk);
@@ -465,7 +557,7 @@ calc_skeyids_iv(struct pcr_skeyid_q *skq
     PR_ASSERT(tkey2!=NULL);
 
     keyhandle=PK11_GetSymKeyHandle(shared);
-    param.data=&keyhandle;
+    param.data=(unsigned char *) &keyhandle;
     param.len=sizeof(keyhandle);
 
     PK11SymKey *tkey3 = PK11_Derive(tkey2, CKM_CONCATENATE_BASE_AND_KEY, &param, CKM_CONCATENATE_BASE_AND_DATA, CKA_DERIVE, 0);
@@ -494,7 +586,7 @@ calc_skeyids_iv(struct pcr_skeyid_q *skq
 
 
     keyhandle=PK11_GetSymKeyHandle(tkey7);
-    param.data=&keyhandle;
+    param.data=(unsigned char*)&keyhandle;
     param.len=sizeof(keyhandle);
 
     PK11SymKey *tkey9 = PK11_Derive(tkey8, CKM_CONCATENATE_BASE_AND_KEY, &param, nss_key_derivation_mech(hasher), CKA_DERIVE, 0);
@@ -508,14 +600,14 @@ calc_skeyids_iv(struct pcr_skeyid_q *skq
 
     /*Deriving SKEYID_a = hmac_xxx(SKEYID, SKEYID_d | g^xy | CKY-I | CKY-R | 1)*/
     keyhandle=PK11_GetSymKeyHandle(skeyid_d);
-    param.data=&keyhandle;
+    param.data=(unsigned char*)&keyhandle;
     param.len=sizeof(keyhandle);
 
     PK11SymKey *tkey10 = PK11_Derive(tkey2, CKM_CONCATENATE_BASE_AND_KEY, &param, CKM_CONCATENATE_BASE_AND_KEY, CKA_DERIVE, 0);
     PR_ASSERT(tkey10!=NULL);
 
     keyhandle=PK11_GetSymKeyHandle(shared);
-    param.data=&keyhandle;
+    param.data=(unsigned char*)&keyhandle;
     param.len=sizeof(keyhandle);
 
     PK11SymKey *tkey11 = PK11_Derive(tkey10, CKM_CONCATENATE_BASE_AND_KEY, &param, CKM_CONCATENATE_BASE_AND_DATA, CKA_DERIVE, 0);
@@ -537,7 +629,7 @@ calc_skeyids_iv(struct pcr_skeyid_q *skq
     PR_ASSERT(tkey15!=NULL);
 
     keyhandle=PK11_GetSymKeyHandle(tkey15);
-    param.data=&keyhandle;
+    param.data=(unsigned char*)&keyhandle;
     param.len=sizeof(keyhandle);
 
     PK11SymKey *tkey16 = PK11_Derive(tkey8, CKM_CONCATENATE_BASE_AND_KEY, &param, nss_key_derivation_mech(hasher), CKA_DERIVE, 0);
@@ -551,14 +643,14 @@ calc_skeyids_iv(struct pcr_skeyid_q *skq
 
     /*Deriving SKEYID_e = prf(SKEYID, SKEYID_a | g^xy | CKY-I | CKY-R | 2)*/
     keyhandle=PK11_GetSymKeyHandle(skeyid_a);
-    param.data=&keyhandle;
+    param.data=(unsigned char*)&keyhandle;
     param.len=sizeof(keyhandle);
 
     PK11SymKey *tkey17 = PK11_Derive(tkey2, CKM_CONCATENATE_BASE_AND_KEY, &param, CKM_CONCATENATE_BASE_AND_KEY, CKA_DERIVE, 0);
     PR_ASSERT(tkey17!=NULL);
 
     keyhandle=PK11_GetSymKeyHandle(shared);
-    param.data=&keyhandle;
+    param.data=(unsigned char*)&keyhandle;
     param.len=sizeof(keyhandle);
 
     PK11SymKey *tkey18 = PK11_Derive(tkey17, CKM_CONCATENATE_BASE_AND_KEY, &param, CKM_CONCATENATE_BASE_AND_DATA, CKA_DERIVE, 0);
@@ -580,28 +672,27 @@ calc_skeyids_iv(struct pcr_skeyid_q *skq
     PR_ASSERT(tkey22!=NULL);
 
     keyhandle=PK11_GetSymKeyHandle(tkey22);
-    param.data=&keyhandle;
+    param.data=(unsigned char*)&keyhandle;
     param.len=sizeof(keyhandle);
 
     PK11SymKey *tkey23 = PK11_Derive(tkey8, CKM_CONCATENATE_BASE_AND_KEY, &param, nss_key_derivation_mech(hasher), CKA_DERIVE, 0);
     PR_ASSERT(tkey23!=NULL);
 
-    DBG(DBG_CRYPT, DBG_log("NSS: enc keysize=%d\n",keysize));
+    DBG(DBG_CRYPT, DBG_log("NSS: enc keysize=%d\n",(int)keysize));
     /*Deriving encryption key from SKEYID_e*/
     /* Oakley Keying Material
      * Derived from Skeyid_e: if it is not big enough, generate more
      * using the PRF.
      * See RFC 2409 "IKE" Appendix B*/
 
-      CK_EXTRACT_PARAMS bitstart = 0;
-      param1.data = &bitstart;
+      CK_EXTRACT_PARAMS bitstart = 0; 
+      param1.data = (unsigned char*)&bitstart;
       param1.len = sizeof (bitstart);
 
        if(keysize <= hasher->hash_digest_len){
        skeyid_e = PK11_Derive(tkey23, nss_key_derivation_mech(hasher), NULL, CKM_EXTRACT_KEY_FROM_KEY, CKA_DERIVE, 0);
        PR_ASSERT(skeyid_e!=NULL);
 
-       nss_symkey_log(skeyid_e, "skeyid_e");
 
        enc_key = PK11_DeriveWithFlags(skeyid_e, CKM_EXTRACT_KEY_FROM_KEY, &param1
                                       , nss_encryption_mech(encrypter), CKA_FLAGS_ONLY, keysize, CKF_ENCRYPT|CKF_DECRYPT);
@@ -617,7 +708,6 @@ calc_skeyids_iv(struct pcr_skeyid_q *skq
 
         skeyid_e = PK11_Derive(tkey23, nss_key_derivation_mech(hasher), NULL, CKM_CONCATENATE_BASE_AND_DATA, CKA_DERIVE, 0);
         PR_ASSERT(skeyid_e!=NULL);
-       nss_symkey_log(skeyid_e, "skeyid_e");
 
         PK11SymKey *tkey25 = pk11_derive_wrapper_osw(skeyid_e, CKM_CONCATENATE_BASE_AND_DATA
                                                 , hmac_pad,CKM_XOR_BASE_AND_DATA, CKA_DERIVE, HMAC_BUFSIZE);
@@ -640,7 +730,7 @@ calc_skeyids_iv(struct pcr_skeyid_q *skq
         PR_ASSERT(tkey29!=NULL);
 
         keyhandle=PK11_GetSymKeyHandle(tkey28);
-        param.data=&keyhandle;
+        param.data=(unsigned char*)&keyhandle;
         param.len=sizeof(keyhandle);
 
         PK11SymKey *tkey30 = PK11_Derive(tkey29, CKM_CONCATENATE_BASE_AND_KEY, &param, nss_key_derivation_mech(hasher), CKA_DERIVE, 0);
@@ -668,7 +758,7 @@ calc_skeyids_iv(struct pcr_skeyid_q *skq
                for(;;){
 
                keyhandle=PK11_GetSymKeyHandle(tkey31);
-               param.data=&keyhandle;
+               param.data=(unsigned char*)&keyhandle;
                param.len=sizeof(keyhandle);
 
                PK11SymKey *tkey34 = PK11_Derive(tkey33, CKM_CONCATENATE_BASE_AND_KEY, &param, nss_key_derivation_mech(hasher), CKA_DERIVE, 0);
@@ -679,7 +769,7 @@ calc_skeyids_iv(struct pcr_skeyid_q *skq
                PR_ASSERT(tkey35!=NULL);
 
                keyhandle=PK11_GetSymKeyHandle(tkey35);
-               param.data=&keyhandle;
+               param.data=(unsigned char*)&keyhandle;
                param.len=sizeof(keyhandle);
 
                PK11SymKey *tkey37 = PK11_Derive(tkey36, CKM_CONCATENATE_BASE_AND_KEY, &param, nss_key_derivation_mech(hasher), CKA_DERIVE, 0);
@@ -694,14 +784,12 @@ calc_skeyids_iv(struct pcr_skeyid_q *skq
 
                        /*concatenating K1 and K2 */
                        keyhandle=PK11_GetSymKeyHandle(tkey38);
-                       param.data=&keyhandle;
+                       param.data=(unsigned char*)&keyhandle;
                        param.len=sizeof(keyhandle);
 
                        PK11SymKey *tkey39 = PK11_Derive(keymat, CKM_CONCATENATE_BASE_AND_KEY, &param, CKM_EXTRACT_KEY_FROM_KEY, CKA_DERIVE, 0);
                        PR_ASSERT(tkey39!=NULL);
 
-                        DBG(DBG_CRYPT, DBG_log("NSS: encrypter= %d, keysize =%d\n", nss_encryption_mech(encrypter), keysize));
-
                        enc_key = PK11_DeriveWithFlags(tkey39, CKM_EXTRACT_KEY_FROM_KEY, &param1
                                               , nss_encryption_mech(encrypter), CKA_FLAGS_ONLY, /*0*/ keysize, CKF_ENCRYPT|CKF_DECRYPT);
 
@@ -731,7 +819,7 @@ calc_skeyids_iv(struct pcr_skeyid_q *skq
                        else{
 
                        keyhandle=PK11_GetSymKeyHandle(tkey38);
-                       param.data=&keyhandle;
+                       param.data=(unsigned char*)&keyhandle;
                        param.len=sizeof(keyhandle);
 
                        PK11SymKey *tkey39=PK11_Derive(keymat,CKM_CONCATENATE_BASE_AND_KEY, &param,CKM_CONCATENATE_BASE_AND_KEY, CKA_DERIVE, 0);
@@ -1119,18 +1207,16 @@ calc_skeyseed_v2(struct pcr_skeyid_q *sk
 #ifdef HAVE_LIBNSS
     const struct hash_desc *hasher = crypto_get_hasher(skq->prf_hash);
     passert(hasher);
-    DBG(DBG_CRYPT, DBG_log("NSS ikev2: found hasher\n"));
+
 
     const struct encrypt_desc *encrypter = skq->encrypter; 
     passert(encrypter);
-    DBG(DBG_CRYPT, DBG_log("NSS ikev2: found encrypter\n"));
+
 
     hmac_opad = hmac_pads(HMAC_OPAD,HMAC_BUFSIZE);
     hmac_ipad = hmac_pads(HMAC_IPAD,HMAC_BUFSIZE);
     hmac_pad_prf  = hmac_pads(0x00,HMAC_BUFSIZE-hasher->hash_digest_len);
 
-    DBG(DBG_CRYPT, DBG_log("NSS ikev2: computed required pads\n"));
-    DBG(DBG_CRYPT, DBG_log("NSS ikev2: Started computing SKEYSEED\n"));
 
     /* generate SKEYSEED from key=(Ni|Nr), hash of shared */
     {
@@ -1138,8 +1224,6 @@ calc_skeyseed_v2(struct pcr_skeyid_q *sk
         memcpy(&skeyseed_k, skeyseed->ptr, skeyseed->len);
     }
     passert(skeyseed_k);
-    nss_symkey_log(skeyseed_k, "skeyseed");
-    DBG(DBG_CRYPT, DBG_log("NSS ikev2: Computed SKEYSEED\n"));
 
 #else
     vpss.prf_hasher = crypto_get_hasher(skq->prf_hash);
@@ -1202,19 +1286,18 @@ calc_skeyseed_v2(struct pcr_skeyid_q *sk
 	    DBG_dump_chunk("Nr", vpss.nr);
 	    DBG_dump_chunk("SPIi", vpss.spii);
 	    DBG_dump_chunk("SPIr", vpss.spir);
-	    DBG_log("Total keysize needed %ld", total_keysize);
+	    DBG_log("Total keysize needed %d", (int)total_keysize);
 	}
 #ifdef HAVE_LIBNSS
 	counter.ptr = &vpss.counter[0];
 	counter.len =1;
 
-	DBG(DBG_CRYPT, DBG_log("NSS ikev2: Started computing key material for IKEv2 SA\n"));
 
 	PK11SymKey *finalkey;
 	PK11SymKey *tkey1 = pk11_derive_wrapper_osw(skeyseed_k, CKM_CONCATENATE_BASE_AND_DATA
 		, hmac_pad_prf,CKM_XOR_BASE_AND_DATA, CKA_DERIVE, HMAC_BUFSIZE);
 	PR_ASSERT(tkey1!=NULL);
-	nss_symkey_log(tkey1, "1");
+
 
 	for(;;)
 	{
@@ -1224,7 +1307,6 @@ calc_skeyseed_v2(struct pcr_skeyid_q *sk
 		PK11SymKey *tkey2 = pk11_derive_wrapper_osw(tkey1, CKM_XOR_BASE_AND_DATA
 			, hmac_ipad, CKM_CONCATENATE_BASE_AND_DATA, CKA_DERIVE, 0);
 		PR_ASSERT(tkey2!=NULL);
-		nss_symkey_log(tkey2, "2");
 
 		tkey3 = pk11_derive_wrapper_osw(tkey2, CKM_CONCATENATE_BASE_AND_DATA
 			, vpss.ni, CKM_CONCATENATE_BASE_AND_DATA, CKA_DERIVE, 0);
@@ -1233,16 +1315,15 @@ calc_skeyseed_v2(struct pcr_skeyid_q *sk
 		PK11SymKey *tkey2 = pk11_derive_wrapper_osw(tkey1, CKM_XOR_BASE_AND_DATA
 			, hmac_ipad, CKM_CONCATENATE_BASE_AND_KEY, CKA_DERIVE, 0);
 		PR_ASSERT(tkey2!=NULL);
-		nss_symkey_log(tkey2, "2");
+	
 
 		keyhandle=PK11_GetSymKeyHandle(tkey11);
-		param.data=&keyhandle;
+		param.data=(unsigned char*)&keyhandle;
 		param.len=sizeof(keyhandle);
 
 		PK11SymKey *tkey12 = PK11_Derive(tkey2, CKM_CONCATENATE_BASE_AND_KEY
 			, &param, CKM_CONCATENATE_BASE_AND_DATA, CKA_DERIVE, 0);
 		PR_ASSERT(tkey12!=NULL);
-		nss_symkey_log(tkey12, "tkey12");
 
 		tkey3 = pk11_derive_wrapper_osw(tkey12, CKM_CONCATENATE_BASE_AND_DATA
 			, vpss.ni, CKM_CONCATENATE_BASE_AND_DATA, CKA_DERIVE, 0);
@@ -1252,70 +1333,67 @@ calc_skeyseed_v2(struct pcr_skeyid_q *sk
 	   }       
 
 	   PR_ASSERT(tkey3!=NULL);
-	   nss_symkey_log(tkey3, "3");
+
        
 	   PK11SymKey *tkey4 = pk11_derive_wrapper_osw(tkey3, CKM_CONCATENATE_BASE_AND_DATA
 			, vpss.nr, CKM_CONCATENATE_BASE_AND_DATA, CKA_DERIVE, 0);
 	   PR_ASSERT(tkey4!=NULL);
-	   nss_symkey_log(tkey4, "4");
+
 
 	   PK11SymKey *tkey5 = pk11_derive_wrapper_osw(tkey4, CKM_CONCATENATE_BASE_AND_DATA
 			, vpss.spii, CKM_CONCATENATE_BASE_AND_DATA, CKA_DERIVE, 0);
 	   PR_ASSERT(tkey5!=NULL);
-	   nss_symkey_log(tkey5, "5");
+
 
 	   PK11SymKey *tkey6 = pk11_derive_wrapper_osw(tkey5, CKM_CONCATENATE_BASE_AND_DATA
 			, vpss.spir, CKM_CONCATENATE_BASE_AND_DATA, CKA_DERIVE, 0);
 	   PR_ASSERT(tkey6!=NULL);
-	   nss_symkey_log(tkey6, "6");
+
 
 	   PK11SymKey *tkey7 = pk11_derive_wrapper_osw(tkey6, CKM_CONCATENATE_BASE_AND_DATA
 			, counter, nss_key_derivation_mech(hasher), CKA_DERIVE, 0);
 	   PR_ASSERT(tkey7!=NULL);
-	   nss_symkey_log(tkey7, "7");
+
 
 	   PK11SymKey *tkey8 = PK11_Derive(tkey7, nss_key_derivation_mech(hasher), NULL, CKM_CONCATENATE_BASE_AND_DATA, CKA_DERIVE, 0);
 	   PR_ASSERT(tkey8!=NULL);
-	   nss_symkey_log(tkey8, "8");
+
 
 	   PK11SymKey *tkey9 = pk11_derive_wrapper_osw(tkey1, CKM_XOR_BASE_AND_DATA
 			, hmac_opad, CKM_CONCATENATE_BASE_AND_KEY, CKA_DERIVE, 0);
 	   PR_ASSERT(tkey9!=NULL);
-	   nss_symkey_log(tkey9, "9");
+
 
 	   keyhandle=PK11_GetSymKeyHandle(tkey8);
-	   param.data=&keyhandle;
+	   param.data=(unsigned char*)&keyhandle;
 	   param.len=sizeof(keyhandle);
 
 	   PK11SymKey *tkey10 = PK11_Derive(tkey9, CKM_CONCATENATE_BASE_AND_KEY, &param, nss_key_derivation_mech(hasher), CKA_DERIVE, 0);
 	   PR_ASSERT(tkey10!=NULL);
-	   nss_symkey_log(tkey10, "10");
+
 
 	   if(vpss.counter[0]== 0x01) {
 		finalkey = PK11_Derive(tkey10, nss_key_derivation_mech(hasher), NULL, CKM_CONCATENATE_BASE_AND_KEY, CKA_DERIVE, 0);
 		PR_ASSERT(finalkey!=NULL);
-		nss_symkey_log(finalkey, "finalkey");
+
 
 		tkey11 = PK11_Derive(tkey10, nss_key_derivation_mech(hasher), NULL, CKM_CONCATENATE_BASE_AND_KEY, CKA_DERIVE, 0);
 		PR_ASSERT(tkey11!=NULL);
-		nss_symkey_log(tkey11, "tkey11");
 	   } else {
 		tkey11 = PK11_Derive(tkey10, nss_key_derivation_mech(hasher), NULL, CKM_EXTRACT_KEY_FROM_KEY, CKA_DERIVE, 0);
 		PR_ASSERT(tkey11!=NULL);
-		nss_symkey_log(tkey11, "tkey11");
+
 
 		keyhandle=PK11_GetSymKeyHandle(tkey11);
-		param.data=&keyhandle;
+		param.data=(unsigned char*)&keyhandle;
 		param.len=sizeof(keyhandle);
 
 		if( total_keysize <= (PK11_GetKeyLength(finalkey)+PK11_GetKeyLength(tkey11)) ) {
 		   finalkey = PK11_Derive(finalkey, CKM_CONCATENATE_BASE_AND_KEY, &param, CKM_EXTRACT_KEY_FROM_KEY, CKA_DERIVE, 0);
 		   PR_ASSERT(finalkey!=NULL);
-		   nss_symkey_log(finalkey, "finalkey");
 		} else {
 		   finalkey = PK11_Derive(finalkey, CKM_CONCATENATE_BASE_AND_KEY, &param, CKM_CONCATENATE_BASE_AND_KEY, CKA_DERIVE, 0);
 		   PR_ASSERT(finalkey!=NULL);
-		   nss_symkey_log(finalkey, "finalkey");
 		}
 	   }
 
@@ -1340,37 +1418,37 @@ calc_skeyseed_v2(struct pcr_skeyid_q *sk
 	DBG(DBG_CRYPT, DBG_log("NSS ikev2: finished computing key material for IKEv2 SA\n"));
 	CK_EXTRACT_PARAMS bs=0;
 	SK_d_k = pk11_extract_derive_wrapper_osw(finalkey, bs, CKM_CONCATENATE_BASE_AND_DATA, CKA_DERIVE, skd_bytes);
-	nss_symkey_log(SK_d_k, "SK_d_k");
+
 
 	bs= skd_bytes*BITS_PER_BYTE;
 	SK_ai_k = pk11_extract_derive_wrapper_osw(finalkey, bs, CKM_CONCATENATE_BASE_AND_DATA, CKA_DERIVE, ska_bytes);
-	nss_symkey_log(SK_ai_k, "SK_ai_k");
+
 
 	bs= (skd_bytes + ska_bytes)*BITS_PER_BYTE;
 	SK_ar_k = pk11_extract_derive_wrapper_osw(finalkey, bs, CKM_CONCATENATE_BASE_AND_DATA, CKA_DERIVE, ska_bytes);
-	nss_symkey_log(SK_ar_k, "SK_ar_k");
+
 
 	bs= (skd_bytes + (2*ska_bytes))*BITS_PER_BYTE;
 	param1.data =(unsigned char*)&bs;
 	param1.len = sizeof(bs);
 	SK_ei_k = PK11_DeriveWithFlags(finalkey, CKM_EXTRACT_KEY_FROM_KEY, &param1
 		, nss_encryption_mech(encrypter), CKA_FLAGS_ONLY, ske_bytes, CKF_ENCRYPT|CKF_DECRYPT);
-	nss_symkey_log(SK_ei_k, "SK_ei_k");
+
 
 	bs= (skd_bytes + (2*ska_bytes) + ske_bytes)*BITS_PER_BYTE;
 	param1.data =(unsigned char*)&bs;
 	param1.len = sizeof(bs);
 	SK_er_k = PK11_DeriveWithFlags(finalkey, CKM_EXTRACT_KEY_FROM_KEY, &param1
 		, nss_encryption_mech(encrypter), CKA_FLAGS_ONLY, ske_bytes, CKF_ENCRYPT|CKF_DECRYPT);
-	nss_symkey_log(SK_er_k, "SK_er_k");
+
 
 	bs= (skd_bytes + (2*ska_bytes) + (2*ske_bytes))*BITS_PER_BYTE;
 	SK_pi_k = pk11_extract_derive_wrapper_osw(finalkey, bs, CKM_CONCATENATE_BASE_AND_DATA, CKA_DERIVE, skp_bytes);
-	nss_symkey_log(SK_pi_k, "SK_pi_k");
+
 
 	bs= (skd_bytes + (2*ska_bytes) + (2*ske_bytes)+skp_bytes)*BITS_PER_BYTE;
 	SK_pr_k = pk11_extract_derive_wrapper_osw(finalkey, bs, CKM_CONCATENATE_BASE_AND_DATA, CKA_DERIVE, skp_bytes);
-	nss_symkey_log(SK_pr_k, "SK_pr_k");
+
 
 
 	DBG(DBG_CRYPT, DBG_log("NSS ikev2: finished computing individual keys for IKEv2 SA\n"));
@@ -1380,37 +1458,37 @@ calc_skeyseed_v2(struct pcr_skeyid_q *sk
 	SK_d->len = sizeof(PK11SymKey *);
 	SK_d->ptr = alloc_bytes(SK_d->len, "SK_d");
 	memcpy(SK_d->ptr, &SK_d_k, SK_d->len);   
-	DBG(DBG_CRYPT, DBG_log("NSS: copied SK_d\n"));
+
 
 	SK_ai->len = sizeof(PK11SymKey *);
 	SK_ai->ptr = alloc_bytes(SK_ai->len, "SK_ai");
 	memcpy(SK_ai->ptr, &SK_ai_k, SK_ai->len);   
-	DBG(DBG_CRYPT, DBG_log("NSS: copied SK_ai\n"));
+
 
 	SK_ar->len = sizeof(PK11SymKey *);
 	SK_ar->ptr = alloc_bytes(SK_ar->len, "SK_ar");
 	memcpy(SK_ar->ptr, &SK_ar_k, SK_ar->len);   
-	DBG(DBG_CRYPT, DBG_log("NSS: copied SK_ar\n"));
+
 
 	SK_ei->len = sizeof(PK11SymKey *);
 	SK_ei->ptr = alloc_bytes(SK_ei->len, "SK_ei");
 	memcpy(SK_ei->ptr, &SK_ei_k, SK_ei->len);   
-	DBG(DBG_CRYPT, DBG_log("NSS: copied SK_ei\n"));
+
 
 	SK_er->len = sizeof(PK11SymKey *);
 	SK_er->ptr = alloc_bytes(SK_er->len, "SK_er");
 	memcpy(SK_er->ptr, &SK_er_k, SK_er->len);   
-	DBG(DBG_CRYPT, DBG_log("NSS: copied SK_er\n"));
+
 
 	SK_pi->len = sizeof(PK11SymKey *);
 	SK_pi->ptr = alloc_bytes(SK_pi->len, "SK_pi");
 	memcpy(SK_pi->ptr, &SK_pi_k, SK_pi->len);   
-	DBG(DBG_CRYPT, DBG_log("NSS: copied SK_pi\n"));
+
 
 	SK_pr->len = sizeof(PK11SymKey *);
 	SK_pr->ptr = alloc_bytes(SK_pr->len, "SK_pr");
 	memcpy(SK_pr->ptr, &SK_pr_k, SK_pr->len);   
-	DBG(DBG_CRYPT, DBG_log("NSS: copied SK_pr\n"));
+
 
 	freeanychunk(hmac_opad);
 	freeanychunk(hmac_ipad);
diff -urNp openswan-2.6.22-orig/programs/pluto/crypto.h openswan-2.6.22/programs/pluto/crypto.h
--- openswan-2.6.22-orig/programs/pluto/crypto.h	2009-06-22 22:53:08.000000000 -0400
+++ openswan-2.6.22/programs/pluto/crypto.h	2009-07-23 16:36:01.776589745 -0400
@@ -148,6 +148,9 @@ extern chunk_t hmac_pads(u_char val, uns
 extern PK11SymKey *pk11_derive_wrapper_osw(PK11SymKey *base, CK_MECHANISM_TYPE mechanism
                                            , chunk_t data, CK_MECHANISM_TYPE target
                                            , CK_ATTRIBUTE_TYPE operation, int keySize);
+extern PK11SymKey *PK11_Derive_osw(PK11SymKey *base, CK_MECHANISM_TYPE mechanism
+                                           , SECItem *param, CK_MECHANISM_TYPE target
+                                           , CK_ATTRIBUTE_TYPE operation, int keySize);
 #endif
 
 #endif /* _CRYPTO_H */
diff -urNp openswan-2.6.22-orig/programs/pluto/hmac.c openswan-2.6.22/programs/pluto/hmac.c
--- openswan-2.6.22-orig/programs/pluto/hmac.c	2009-06-22 22:53:08.000000000 -0400
+++ openswan-2.6.22/programs/pluto/hmac.c	2009-07-23 16:36:01.779603531 -0400
@@ -26,7 +26,6 @@
 #include "crypto.h" /* requires sha1.h and md5.h */
 #include "alg_info.h"
 #include "ike_alg.h"
-#include "oswlog.h"
 
 #ifdef HAVE_LIBNSS
 # include <nss.h>
@@ -69,23 +68,20 @@ hmac_init(struct hmac_ctx *ctx,
     unsigned int klen;
     chunk_t hmac_opad, hmac_ipad, hmac_pad;
     /* empty parameters for the cryptographic context */
-    SECItem noparams = { siBuffer, NULL, 0 };
 
     memcpy(&symkey, key, key_len);
-    nss_symkey_log(symkey, "hmac symkey");
 
     klen =  PK11_GetKeyLength(symkey);
 
     hmac_opad = hmac_pads(HMAC_OPAD,HMAC_BUFSIZE);
     hmac_ipad = hmac_pads(HMAC_IPAD,HMAC_BUFSIZE);
-    hmac_pad  = hmac_pads(0x00,HMAC_BUFSIZE-h->hash_digest_len);
+    //hmac_pad  = hmac_pads(0x00,HMAC_BUFSIZE-h->hash_digest_len);
+    hmac_pad  = hmac_pads(0x00,HMAC_BUFSIZE-klen);
 
     if(klen > HMAC_BUFSIZE) 
     {
-	DBG(DBG_CRYPT, DBG_log("NSS: key len is greater than block size"));
-	tkey1 = PK11_Derive(symkey, nss_key_derivation_mech(h), NULL, CKM_CONCATENATE_BASE_AND_DATA, CKA_DERIVE, 0);
-	DBG(DBG_CRYPT, DBG_log("NSS: created digest of key"));
-	nss_symkey_log(tkey1, "hmac symkey digested");
+	//tkey1 = PK11_Derive(symkey, nss_key_derivation_mech(h), NULL, CKM_CONCATENATE_BASE_AND_DATA, CKA_DERIVE, 0);
+	tkey1 = PK11_Derive_osw(symkey, nss_key_derivation_mech(h), NULL, CKM_CONCATENATE_BASE_AND_DATA, CKA_DERIVE, 0);
     }
     else
     {
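Review bot: `hmac_pad  = hmac_pads(0x00,HMAC_BUFSIZE-klen);` runs before the `klen > HMAC_BUFSIZE` test, and `klen` is `unsigned int`. Assuming `HMAC_BUFSIZE` is a plain integer constant, the subtraction wraps to a very large pad length for any key longer than the block size. Compute the pad after the branch, from the key that is actually padded, e.g. `hmac_pad = hmac_pads(0x00, HMAC_BUFSIZE - PK11_GetKeyLength(tkey1));` once `tkey1` is set. The else arm and the use of `hmac_pad` are outside the hunk, so confirm that `tkey1` is the key being padded. The two `//` lines that keep the old statements should be deleted rather than committed.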
@@ -102,13 +98,11 @@ hmac_init(struct hmac_ctx *ctx,
 					, hmac_ipad,nss_hash_mech(h), CKA_DIGEST, 0);
 
     PR_ASSERT(ctx->ikey !=NULL);
-    nss_symkey_log(ctx->ikey, "ctx ikey");
 
     ctx->okey = pk11_derive_wrapper_osw(tkey2, CKM_XOR_BASE_AND_DATA
 					, hmac_opad,nss_hash_mech(h), CKA_DIGEST, 0);
 
     PR_ASSERT(ctx->okey !=NULL);
-    nss_symkey_log(ctx->okey, "ctx okey");
 
     if(tkey1!=symkey) {
 	PK11_FreeSymKey(tkey1);
@@ -120,17 +114,13 @@ hmac_init(struct hmac_ctx *ctx,
     freeanychunk(hmac_pad);
     ctx->ctx_nss = PK11_CreateDigestContext(nss_hash_oid(h));
     PR_ASSERT(ctx->ctx_nss!=NULL);
-    DBG(DBG_CRYPT, DBG_log("NSS: context created for hmac (doing it the hash way)"));
 
     status=PK11_DigestBegin(ctx->ctx_nss);
     PR_ASSERT(status==SECSuccess);
-    DBG(DBG_CRYPT, DBG_log("NSS: Digest begin succeeded"));
 
     status=PK11_DigestKey(ctx->ctx_nss, ctx->ikey);
     PR_ASSERT(status==SECSuccess);
 
-    DBG(DBG_CRYPT, DBG_log("NSS: digested inner key"));
-
 #else
 
     /* Prepare the two pads for the HMAC */
@@ -174,12 +164,10 @@ hmac_update(struct hmac_ctx *ctx,
     const u_char *data, size_t data_len)
 {
 #ifdef HAVE_LIBNSS
-    DBG(DBG_CRYPT, DBG_log("NSS: hmac update start"));
     if(data_len > 0) {
 	SECStatus status = PK11_DigestOp(ctx->ctx_nss, data, data_len);
 	PR_ASSERT(status == SECSuccess);
     }
-	DBG(DBG_CRYPT, DBG_log("NSS: hmac update end"));
 #else
     ctx->h->hash_update(&ctx->hash_ctx, data, data_len);
 #endif
@@ -198,7 +186,6 @@ hmac_final(u_char *output, struct hmac_c
     h->hash_update(&ctx->hash_ctx, output, h->hash_digest_len);
     h->hash_final(output, &ctx->hash_ctx);
 #else
-    DBG(DBG_CRYPT, DBG_log("NSS: hmac final start"));
     unsigned int outlen = 0;
     SECStatus status = PK11_DigestFinal(ctx->ctx_nss, output, &outlen, ctx->hmac_digest_len);
     PR_ASSERT(status == SECSuccess);
@@ -208,20 +195,16 @@ hmac_final(u_char *output, struct hmac_c
 
     ctx->ctx_nss = PK11_CreateDigestContext(nss_hash_oid(ctx->h));
     PR_ASSERT(ctx->ctx_nss!=NULL);
-    DBG(DBG_CRYPT, DBG_log("NSS: hmac final context creation"));
 
     status=PK11_DigestBegin(ctx->ctx_nss);
     PR_ASSERT(status==SECSuccess);
-    DBG(DBG_CRYPT, DBG_log("NSS: hmac second final digest begin"));
 
     status=PK11_DigestKey(ctx->ctx_nss, ctx->okey);
     PR_ASSERT(status==SECSuccess);
 
-    DBG(DBG_CRYPT, DBG_log("NSS: digested outer key"));
     status = PK11_DigestOp(ctx->ctx_nss, output, outlen);
     PR_ASSERT(status == SECSuccess);
 
-    DBG(DBG_CRYPT, DBG_log("NSS: digested inner data"));
     status = PK11_DigestFinal(ctx->ctx_nss, output, &outlen, ctx->hmac_digest_len);
     PR_ASSERT(status == SECSuccess);
     PR_ASSERT(outlen == ctx->hmac_digest_len);
@@ -236,7 +219,7 @@ hmac_final(u_char *output, struct hmac_c
 #ifdef HAVE_LIBNSS
 static SECOidTag nss_hash_oid(const struct hash_desc *hasher)
 {
-    SECOidTag mechanism;
+    SECOidTag mechanism=0;
 
     switch(hasher->common.algo_id) {
 	case OAKLEY_MD5:   mechanism = SEC_OID_MD5; break;
@@ -251,7 +234,7 @@ static SECOidTag nss_hash_oid(const stru
 
 static CK_MECHANISM_TYPE nss_hash_mech(const struct hash_desc *hasher)
 {
-    CK_MECHANISM_TYPE mechanism;
+    CK_MECHANISM_TYPE mechanism=0x80000000;
 
     switch(hasher->common.algo_id) {
 	case OAKLEY_MD5:   mechanism = CKM_MD5; break;
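Review bot: The new initializer `mechanism=0x80000000` in `nss_hash_mech` is a bare magic number. In PKCS #11 that value is `CKM_VENDOR_DEFINED`, so write `CK_MECHANISM_TYPE mechanism = CKM_VENDOR_DEFINED;` and add `/* sentinel: no mechanism for this algo_id */`. The same literal is added to `nss_key_derivation_mech` further down in hmac.c. The `default:` arm of the switch is outside the hunk; if it only logs, this sentinel is what reaches `PK11_Derive`, so it is worth confirming that callers reject it.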
@@ -279,9 +262,66 @@ PK11SymKey *pk11_derive_wrapper_osw(PK11
     return PK11_Derive(base, mechanism, &param, target, operation, keySize);
 }
 
+PK11SymKey * PK11_Derive_osw(PK11SymKey *base, CK_MECHANISM_TYPE mechanism
+				    , SECItem *param, CK_MECHANISM_TYPE target
+				    , CK_ATTRIBUTE_TYPE  operation, int keysize)
+{
+	SECOidTag oid;
+	PK11Context *ctx;
+	unsigned char dkey[HMAC_BUFSIZE];
+	SECItem dkey_param;
+	SECStatus status;
+	unsigned int len=0;
+	CK_EXTRACT_PARAMS bs;
+        chunk_t dkey_chunk;
+
+	if( ((mechanism == CKM_SHA256_KEY_DERIVATION) || 
+	     (mechanism == CKM_SHA384_KEY_DERIVATION)||
+	      (mechanism == CKM_SHA512_KEY_DERIVATION)) && (param == NULL) && (keysize ==0)) {
+
+	switch (mechanism) {
+	case CKM_SHA256_KEY_DERIVATION: oid = SEC_OID_SHA256; break;
+        case CKM_SHA384_KEY_DERIVATION: oid = SEC_OID_SHA384; break;
+        case CKM_SHA512_KEY_DERIVATION: oid = SEC_OID_SHA512; break;
+	default: DBG(DBG_CRYPT, DBG_log("PK11_Derive_osw: Invalid NSS mechanism ")); break; /*should not reach here*/
+	}
+
+	ctx = PK11_CreateDigestContext(oid);
+	PR_ASSERT(ctx!=NULL);
+	status=PK11_DigestBegin(ctx);
+        PR_ASSERT(status == SECSuccess);
+	status=PK11_DigestKey(ctx, base);
+        PR_ASSERT(status == SECSuccess);
+	PK11_DigestFinal(ctx, dkey, &len, sizeof dkey);
+	PK11_DestroyContext(ctx, PR_TRUE);	
+
+	dkey_chunk.ptr = dkey;
+	dkey_chunk.len = len;
+
+        PK11SymKey *tkey1 = pk11_derive_wrapper_osw(base, CKM_CONCATENATE_DATA_AND_BASE, dkey_chunk, CKM_EXTRACT_KEY_FROM_KEY, CKA_DERIVE, 0);
+        PR_ASSERT(tkey1!=NULL);
+
+        bs=0;
+        dkey_param.data = (unsigned char*)&bs;
+        dkey_param.len = sizeof (bs);
+        PK11SymKey *tkey2 = PK11_Derive(tkey1, CKM_EXTRACT_KEY_FROM_KEY, &dkey_param, target, operation, len);
+        PR_ASSERT(tkey2!=NULL);
+
+        PK11_FreeSymKey(tkey1);
+	
+	return tkey2;
+
+	}
+	else {
+	return PK11_Derive(base, mechanism, param, target, operation, keysize);
+	}
+
+}
+
+
 CK_MECHANISM_TYPE nss_key_derivation_mech(const struct hash_desc *hasher)
 {
-    CK_MECHANISM_TYPE mechanism;
+    CK_MECHANISM_TYPE mechanism=0x80000000;
 
     switch(hasher->common.algo_id) {
 	case OAKLEY_MD5:   mechanism = CKM_MD5_KEY_DERIVATION; break;
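Review bot: In `PK11_Derive_osw` the `PK11_DigestFinal` call is the only NSS call whose status is dropped, and `dkey`, which then holds a digest of the key material, is still on the stack when the function returns. Check the status and `len` before building `dkey_chunk`, and clear `dkey` on every exit path in a way the compiler cannot elide. The remaining checks are `PR_ASSERT`s, which NSPR compiles to nothing unless `DEBUG` or `FORCE_PR_ASSERT` is defined, so a release build would use a NULL `ctx` or `tkey1` as-is. The NSS blocks added to `ikev2_calculate_psk_sighash` in ikev2_psk.c rely on the same pattern. `oid` is also left unset on the `default:` arm, which should return NULL instead of only logging.

```c
	default:
		return NULL;	/* keeps oid defined; not reachable given the enclosing test */
	}

	ctx = PK11_CreateDigestContext(oid);
	if (ctx == NULL)
		return NULL;
	status = PK11_DigestBegin(ctx);
	if (status == SECSuccess)
		status = PK11_DigestKey(ctx, base);
	if (status == SECSuccess)
		status = PK11_DigestFinal(ctx, dkey, &len, sizeof dkey);
	PK11_DestroyContext(ctx, PR_TRUE);

	/* ... unchanged: dkey_chunk setup and the tkey1/tkey2 derivation, run only
	 * when status == SECSuccess && len > 0, with tkey2 starting out as NULL ... */

	/* dkey holds a digest of key material: clear it on every exit path */
	{
		volatile unsigned char *p = dkey;
		size_t i;
		for (i = 0; i < sizeof dkey; i++)
			p[i] = 0;
	}
	return tkey2;	/* NULL when any step above failed */
```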
diff -urNp openswan-2.6.22-orig/programs/pluto/ike_alg_aes.c openswan-2.6.22/programs/pluto/ike_alg_aes.c
--- openswan-2.6.22-orig/programs/pluto/ike_alg_aes.c	2009-06-22 22:53:08.000000000 -0400
+++ openswan-2.6.22/programs/pluto/ike_alg_aes.c	2009-07-23 16:36:01.780592711 -0400
@@ -78,7 +78,7 @@ do_aes(u_int8_t *buf, size_t buf_len, u_
     memcpy(buf,tmp_buf,buf_len);  
 
     if(enc){
-    new_iv = (char*) buf + buf_len-AES_CBC_BLOCK_SIZE;
+    new_iv = (u_int8_t*) buf + buf_len-AES_CBC_BLOCK_SIZE;
     }
 
     memcpy(iv, new_iv, AES_CBC_BLOCK_SIZE);
diff -urNp openswan-2.6.22-orig/programs/pluto/ikev1.h openswan-2.6.22/programs/pluto/ikev1.h
--- openswan-2.6.22-orig/programs/pluto/ikev1.h	2009-06-22 22:53:08.000000000 -0400
+++ openswan-2.6.22/programs/pluto/ikev1.h	2009-07-23 16:36:01.780592711 -0400
@@ -68,12 +68,21 @@ extern void ikev1_delete_out(struct stat
 extern bool
 decode_peer_id(struct msg_digest *md, bool initiator, bool aggrmode);
 
+#ifdef HAVE_LIBNSS
+extern void
+main_mode_hash_body(struct state *st
+                    , bool hashi        /* Initiator? */
+                    , const pb_stream *idpl     /* ID payload, as PBS */
+                    , struct hmac_ctx *ctx
+                    , hash_update_t hash_update_void);
+#else
 extern void
 main_mode_hash_body(struct state *st
 		    , bool hashi	/* Initiator? */
 		    , const pb_stream *idpl	/* ID payload, as PBS */
 		    , union hash_ctx *ctx
 		    , hash_update_t hash_update_void);
+#endif
 
 extern size_t
 RSA_sign_hash(struct connection *c
diff -urNp openswan-2.6.22-orig/programs/pluto/ikev1_main.c openswan-2.6.22/programs/pluto/ikev1_main.c
--- openswan-2.6.22-orig/programs/pluto/ikev1_main.c	2009-06-22 22:53:08.000000000 -0400
+++ openswan-2.6.22/programs/pluto/ikev1_main.c	2009-07-23 16:36:01.782590767 -0400
@@ -286,13 +286,23 @@ main_outI1(int whack_sock
  * See draft-ietf-ipsec-ike-01.txt 4.1 and 6.1.1.2
  */
 
+#ifdef HAVE_LIBNSS
+void
+main_mode_hash_body(struct state *st
+                    , bool hashi        /* Initiator? */
+                    , const pb_stream *idpl     /* ID payload, as PBS */
+                    , struct hmac_ctx *ctx 
+                    , hash_update_t hash_update_void)
+#else
 void
 main_mode_hash_body(struct state *st
 		    , bool hashi	/* Initiator? */
 		    , const pb_stream *idpl	/* ID payload, as PBS */
 		    , union hash_ctx *ctx
 		    , hash_update_t hash_update_void)
+#endif
 {
+#ifndef HAVE_LIBNSS
 #define HASH_UPDATE_T (union hash_ctx *, const u_char *input, unsigned int len)
     hash_update_t hash_update=(hash_update_t)  hash_update_void;
 #if 0	/* if desperate to debug hashing */
@@ -303,6 +313,9 @@ main_mode_hash_body(struct state *st
 #endif
 
 #   define hash_update_chunk(ctx, ch) hash_update((ctx), (ch).ptr, (ch).len)
+#else
+ hash_update_void = NULL;
+#endif
 
     if (hashi)
     {
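Review bot: `hash_update_void = NULL;` in the `#else` arm stores to a parameter only to silence the unused-parameter warning, which reads like live logic to the next maintainer. `(void)hash_update_void;	/* unused in the NSS build */` states the intent without a store. The body of `main_mode_hash_body` continues outside the hunk.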
@@ -492,8 +505,10 @@ try_RSA_signature_v1(const u_char hash_v
 {
     const u_char *sig_val = sig_pbs->cur;
     size_t sig_len = pbs_left(sig_pbs);
+#ifndef HAVE_LIBNSS
     u_char s[RSA_MAX_OCTETS];	/* for decrypted sig_val */
     u_char *hash_in_s = &s[sig_len - hash_len];
+#endif
     const struct RSA_public_key *k = &kr->u.rsa;
 
     /* decrypt the signature -- reversing RSA_sign_hash */
@@ -742,18 +757,6 @@ main_inI1_outR1(struct msg_digest *md)
     }
 #endif
 
-#ifdef HAVE_LIBNSS
-       if(PK11_IsFIPS())
-       {
-#define SEND_PLUTO_VID 0
-	}
-	else
-	{
-#define SEND_PLUTO_VID 1
-	}
-
-#endif
-
 #if SEND_PLUTO_VID || defined(openpgp_peer)
     numvidtosend++;
 #endif
diff -urNp openswan-2.6.22-orig/programs/pluto/ikev2_psk.c openswan-2.6.22/programs/pluto/ikev2_psk.c
--- openswan-2.6.22-orig/programs/pluto/ikev2_psk.c	2009-06-22 22:53:08.000000000 -0400
+++ openswan-2.6.22/programs/pluto/ikev2_psk.c	2009-07-23 16:36:01.784590529 -0400
@@ -58,6 +58,11 @@
 #include "dpd.h"
 #include "keys.h"
 
+#ifdef HAVE_LIBNSS
+#include <nss.h>
+#include <pk11pub.h>
+#endif
+
 static u_char psk_key_pad_str[] = "Key Pad for IKEv2"; /* 4306  2:15 */
 static int psk_key_pad_str_len = 17; /* sizeof( psk_key_pad_str); -1 */
 
@@ -80,6 +85,14 @@ static bool ikev2_calculate_psk_sighash(
 	return FALSE;	/* failure: no PSK to use */
     }
 
+#ifdef HAVE_LIBNSS
+        PK11SymKey *shared;
+        CK_EXTRACT_PARAMS bs;
+        SECItem param;
+
+        memcpy(&shared, st->st_shared.ptr, st->st_shared.len);
+#endif
+
     /*	RFC 4306  2:15
 	AUTH = prf(prf(Shared Secret,"Key Pad for IKEv2"), <msg octets>)
     */
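Review bot: The added `memcpy(&shared, st->st_shared.ptr, st->st_shared.len);` copies a length taken from the state object into a pointer-sized local. Any `st_shared.len` larger than `sizeof(PK11SymKey *)` writes past `shared`, and a smaller one leaves it partly uninitialised. Copy a fixed size and check the chunk first: `passert(st->st_shared.len == sizeof(shared));` followed by `memcpy(&shared, st->st_shared.ptr, sizeof(shared));`. A comment such as `/* under HAVE_LIBNSS st_shared carries a PK11SymKey *, not key bytes */` would also help, since nothing in this function says so. The function body continues outside the hunk.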
@@ -87,7 +100,30 @@ static bool ikev2_calculate_psk_sighash(
     /* calculate inner prf */
     {
 	struct hmac_ctx id_ctx;
+#ifdef HAVE_LIBNSS
+	chunk_t pss_chunk;
+
+	PK11SymKey *tkey1 = pk11_derive_wrapper_osw(shared, CKM_CONCATENATE_DATA_AND_BASE, *pss, CKM_EXTRACT_KEY_FROM_KEY, CKA_DERIVE, 0);	
+	PR_ASSERT(tkey1!=NULL);
+
+	bs=0;
+	param.data = (unsigned char*)&bs;
+	param.len = sizeof (bs);
+	PK11SymKey *tkey2 = PK11_Derive(tkey1, CKM_EXTRACT_KEY_FROM_KEY, &param, CKM_CONCATENATE_BASE_AND_DATA, CKA_DERIVE, pss->len);
+	PR_ASSERT(tkey2!=NULL);
+
+	pss_chunk.len = sizeof(PK11SymKey *);
+	pss_chunk.ptr = alloc_bytes(pss_chunk.len, "ikev2_calculate_psk_sighash: calculated pss_chunk");
+	memcpy(pss_chunk.ptr, &tkey2, pss_chunk.len);
+
+	hmac_init_chunk(&id_ctx, st->st_oakley.prf_hasher, pss_chunk);
+	
+	PK11_FreeSymKey(tkey1);
+	PK11_FreeSymKey(tkey2);
+	pfree(pss_chunk.ptr);
+#else
 	hmac_init_chunk(&id_ctx, st->st_oakley.prf_hasher, *pss);	
+#endif
 	hmac_update(&id_ctx, psk_key_pad_str, psk_key_pad_str_len);
 	hmac_final(prf_psk, &id_ctx);
     }
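Review bot: The sequence added here is repeated almost line for line in the outer-prf hunk below: prepend the bytes to `shared`, extract from bit 0, box the `PK11SymKey *` in a chunk, call `hmac_init_chunk`, then free. In that second copy the `alloc_bytes` label still reads "calculated pss_chunk" although the variable is `pps_chunk`. A static helper taking `shared` and a `chunk_t` would remove the duplicate and give one home for a comment like `/* wrap raw bytes as a PK11SymKey: prepend them to shared, then extract the first len bytes */`. `pss->len` and `hash_len` are passed as the `int keySize` argument of `PK11_Derive` with no check that they are non-zero, which the helper could also enforce.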
@@ -117,8 +153,33 @@ static bool ikev2_calculate_psk_sighash(
     /* calculate outer prf */
     {
 	struct hmac_ctx id_ctx;
+#ifdef HAVE_LIBNSS
+        chunk_t pp_chunk, pps_chunk;
 	
-	hmac_init(&id_ctx, st->st_oakley.prf_hasher, prf_psk, hash_len); 
+	pp_chunk.ptr = prf_psk;
+	pp_chunk.len = hash_len;
+
+        PK11SymKey *tkey1 = pk11_derive_wrapper_osw(shared, CKM_CONCATENATE_DATA_AND_BASE, pp_chunk, CKM_EXTRACT_KEY_FROM_KEY, CKA_DERIVE, 0);      
+        PR_ASSERT(tkey1!=NULL);
+
+        bs=0;
+        param.data = (unsigned char*)&bs;
+        param.len = sizeof (bs);
+        PK11SymKey *tkey2 = PK11_Derive(tkey1, CKM_EXTRACT_KEY_FROM_KEY, &param, CKM_CONCATENATE_BASE_AND_DATA, CKA_DERIVE, hash_len);
+        PR_ASSERT(tkey2!=NULL);
+
+        pps_chunk.len = sizeof(PK11SymKey *);
+        pps_chunk.ptr = alloc_bytes(pps_chunk.len, "ikev2_calculate_psk_sighash: calculated pss_chunk");
+        memcpy(pps_chunk.ptr, &tkey2, pps_chunk.len);
+
+        hmac_init_chunk(&id_ctx, st->st_oakley.prf_hasher, pps_chunk);
+
+        PK11_FreeSymKey(tkey1);
+        PK11_FreeSymKey(tkey2);
+        pfree(pps_chunk.ptr);
+#else
+        hmac_init(&id_ctx, st->st_oakley.prf_hasher, prf_psk, hash_len);
+#endif
 	
 /*
  *  For the responder, the octets to
diff -urNp openswan-2.6.22-orig/programs/pluto/ikev2_rsa.c openswan-2.6.22/programs/pluto/ikev2_rsa.c
--- openswan-2.6.22-orig/programs/pluto/ikev2_rsa.c	2009-06-22 22:53:08.000000000 -0400
+++ openswan-2.6.22/programs/pluto/ikev2_rsa.c	2009-07-23 16:36:01.784590529 -0400
@@ -152,10 +152,12 @@ try_RSA_signature_v2(const u_char hash_v
 {
     const u_char *sig_val = sig_pbs->cur;
     size_t sig_len = pbs_left(sig_pbs);
+#ifndef HAVE_LIBNSS
     u_char s[RSA_MAX_OCTETS];	/* for decrypted sig_val */
     u_char *sig;
-    const struct RSA_public_key *k = &kr->u.rsa;
     unsigned int padlen;
+#endif
+    const struct RSA_public_key *k = &kr->u.rsa;
     
     if (k == NULL)
 	return "1""no key available";	/* failure: no key to use */
diff -urNp openswan-2.6.22-orig/programs/pluto/keys.c openswan-2.6.22/programs/pluto/keys.c
--- openswan-2.6.22-orig/programs/pluto/keys.c	2009-06-22 22:53:08.000000000 -0400
+++ openswan-2.6.22/programs/pluto/keys.c	2009-07-23 16:36:01.785593513 -0400
@@ -213,7 +213,7 @@ sign_hash(const struct RSA_private_key *
 }
 
 #ifdef HAVE_LIBNSS
-void sign_hash_nss(const struct RSA_private_key *k
+int sign_hash_nss(const struct RSA_private_key *k
 	, const u_char *hash_val, size_t hash_len
 	, u_char *sig_val, size_t sig_len)
 {
@@ -229,14 +229,19 @@ void sign_hash_nss(const struct RSA_priv
     ckaId.len=k->ckaid_len;
     ckaId.data=k->ckaid;
 
-    DBG(DBG_CRYPT, DBG_dump("RSA_sign_hash NSS CKA_ID:\n", ckaId.data, ckaId.len));
-
     slot = PK11_GetInternalKeySlot();
     if (slot == NULL) {
 	loglog(RC_LOG_SERIOUS, "RSA_sign_hash: Unable to find (slot security) device (err %d)\n", PR_GetError());
 	return 0;
     }
 
+	if( PK11_Authenticate(slot, PR_FALSE,osw_return_nss_password_file_info()) == SECSuccess ) {
+	DBG(DBG_CRYPT, DBG_log("NSS: Authentication to NSS successful\n"));	
+	} 
+	else {
+	DBG(DBG_CRYPT, DBG_log("NSS: Authentication to NSS either failed or not required,if NSS DB without password\n"));
+	}
+
     privateKey = PK11_FindKeyByKeyID(slot, &ckaId, osw_return_nss_password_file_info());
     if(privateKey==NULL) {
 	if(k->pub.nssCert != NULL) {
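Review bot: The result of the added `PK11_Authenticate()` call is only written to the debug log, and the else branch folds "failed" and "not required" into one message. A wrong or missing NSS password therefore looks the same as a database without one and only shows up later as a failed key lookup. Consider making the login conditional and fatal: `if (PK11_NeedLogin(slot) && PK11_Authenticate(slot, PR_FALSE, osw_return_nss_password_file_info()) != SECSuccess)`, followed by a `loglog(RC_LOG_SERIOUS, ...)` and `return 0;`. Whether `slot` is released with `PK11_FreeSlot()` on the early-return paths is not visible here, because the function continues outside the hunk; that is worth confirming.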
@@ -269,10 +274,8 @@ void sign_hash_nss(const struct RSA_priv
 	return 0;
    }
 
-   DBG(DBG_CRYPT, DBG_log("RSA_sign_hash: input_sig_len=%d, output_signature-len=%d", sig_len, signature.len));
-   DBG(DBG_CRYPT, DBG_dump("RSA_sign_hash signature:\n", signature.data, signature.len));
    DBG(DBG_CRYPT, DBG_log("RSA_sign_hash: Ended using NSS"));
-   /*return signature.len;*/
+   return signature.len;
 }
 
 err_t RSA_signature_verify_nss(const struct RSA_public_key *k
@@ -334,20 +337,31 @@ err_t RSA_signature_verify_nss(const str
     signature.data = sig_val;
     signature.len  = (unsigned int)sig_len;
 
+    data.len = (unsigned int)sig_len;
+    data.data = alloc_bytes(data.len, "NSS decrypted signature");
     data.type = siBuffer;
-    data.data = hash_val;
-    data.len  = (unsigned int)hash_len;
-       
-    /*Verifying RSA signature*/
-     retVal = PK11_Verify(publicKey,&signature,&data,osw_return_nss_password_file_info());
 
+    if(PK11_VerifyRecover(publicKey, &signature, &data, osw_return_nss_password_file_info()) == SECSuccess ) {
+	DBG(DBG_CRYPT,DBG_dump("NSS RSA verify: decrypted sig: ", data.data, data.len));
+    }
+    else {
+        DBG(DBG_CRYPT,DBG_log("NSS RSA verify: decrypting signature is failed"));
+        return "13" "NSS error: Not able to decrypt";
+    }
+
+    if(memcmp(data.data+data.len-hash_len, hash_val, hash_len)!=0) {
+	pfree(data.data);
+	loglog(RC_LOG_SERIOUS, "RSA Signature NOT verified");
+	return "14" "NSS error: Not able to verify";
+    }
+
+    DBG(DBG_CRYPT,DBG_dump("NSS RSA verify: hash value: ", hash_val, hash_len));
+
+    pfree(data.data);
     pfree(n.ptr);
     pfree(e.ptr);
     SECKEY_DestroyPublicKey (publicKey);
 
-    if(retVal != SECSuccess) {
-	loglog(RC_LOG_SERIOUS, "RSA Signature NOT verified");
-    }
     DBG(DBG_CRYPT, DBG_log("RSA Signature verified"));
 
     return NULL;
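Review bot: The new comparison `memcmp(data.data+data.len-hash_len, hash_val, hash_len)` has no guard for `data.len < hash_len`, so a recovered payload shorter than the hash moves the pointer before the start of the buffer and reads out of bounds. Both new error returns also skip cleanup: the "13" path returns without freeing `data.data`, `n.ptr`, `e.ptr` or `publicKey`, and the "14" path frees only `data.data`, so every rejected signature leaks memory in a function that presumably handles signatures received from the peer. Only the trailing `hash_len` bytes are compared, so whatever precedes the hash in the recovered data is accepted unchecked; if the caller expects a bare hash or a fixed DigestInfo prefix, the full recovered length should be validated too. The function starts outside this hunk, so `n`, `e` and `publicKey` are taken as declared from the existing cleanup lines.

```c
    /* … unchanged: signature/data setup and alloc_bytes() for data.data … */
    err_t ugh = NULL;

    if (PK11_VerifyRecover(publicKey, &signature, &data, osw_return_nss_password_file_info()) != SECSuccess) {
	DBG(DBG_CRYPT, DBG_log("NSS RSA verify: decrypting signature is failed"));
	ugh = "13" "NSS error: Not able to decrypt";
    } else if (data.len < hash_len
	       || memcmp(data.data + data.len - hash_len, hash_val, hash_len) != 0) {
	/* too short to contain the hash, or the trailing bytes differ */
	loglog(RC_LOG_SERIOUS, "RSA Signature NOT verified");
	ugh = "14" "NSS error: Not able to verify";
    }

    /* release everything on every path, success or failure */
    pfree(data.data);
    pfree(n.ptr);
    pfree(e.ptr);
    SECKEY_DestroyPublicKey(publicKey);

    if (ugh != NULL)
	return ugh;
    /* … unchanged: "RSA Signature verified" debug log and return NULL … */
```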
diff -urNp openswan-2.6.22-orig/programs/pluto/keys.h openswan-2.6.22/programs/pluto/keys.h
--- openswan-2.6.22-orig/programs/pluto/keys.h	2009-06-22 22:53:08.000000000 -0400
+++ openswan-2.6.22/programs/pluto/keys.h	2009-07-23 16:36:01.786598958 -0400
@@ -31,7 +31,7 @@ extern void sign_hash(const struct RSA_p
 		      , size_t hash_len, u_char *sig_val, size_t sig_len);
 
 #ifdef HAVE_LIBNSS
-extern void sign_hash_nss(const struct RSA_private_key *k, const u_char *hash_val
+extern int sign_hash_nss(const struct RSA_private_key *k, const u_char *hash_val
 				, size_t hash_len, u_char *sig_val, size_t sig_len);
 extern err_t RSA_signature_verify_nss(const struct RSA_public_key *k
 					, const u_char *hash_val, size_t hash_len
diff -urNp openswan-2.6.22-orig/programs/pluto/pluto_crypt.c openswan-2.6.22/programs/pluto/pluto_crypt.c
--- openswan-2.6.22-orig/programs/pluto/pluto_crypt.c	2009-06-22 22:53:08.000000000 -0400
+++ openswan-2.6.22/programs/pluto/pluto_crypt.c	2009-07-23 16:36:01.787591260 -0400
@@ -71,7 +71,8 @@ TAILQ_HEAD(req_queue, pluto_crypto_req_c
 struct pluto_crypto_worker {
     int   pcw_helpernum;
 #ifdef HAVE_LIBNSS
-    pthread_t pcw_pid;
+   //pthread_t pcw_pid;
+   long int pcw_pid;
 #else
     pid_t pcw_pid;
 #endif
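Review bot: Replacing `pthread_t pcw_pid` with `long int pcw_pid` makes the field depend on `pthread_t` being an integer of that width, which POSIX does not promise; it is an opaque type. If the aim is only to satisfy the `%ld` format in the later init_crypto_helper hunk, keep `pthread_t pcw_pid;` and cast at the log call instead, `(unsigned long)w->pcw_pid` with `%lu`, which confines the assumption to one line. The commented-out `//pthread_t pcw_pid;` should be deleted rather than left in the struct. The struct definition continues outside this hunk.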
@@ -168,6 +169,7 @@ void pluto_do_crypto_op(struct pluto_cry
     }
 }
 
+#ifndef HAVE_LIBNSS
 static void catchhup(int signo UNUSED)
 {
     /* socket closed die */
@@ -178,6 +180,7 @@ static void catchusr1(int signo UNUSED)
 {
     return;
 }
+#endif
 
 static void
 helper_passert_fail(const char *pred_str
@@ -885,7 +888,7 @@ static void init_crypto_helper(struct pl
 	return;  
     }
     else{
-	openswan_log("started helper (thread) pid=%d (fd:%d)", w->pcw_pid,  w->pcw_pipe);
+	openswan_log("started helper (thread) pid=%ld (fd:%d)", w->pcw_pid,  w->pcw_pipe);
     }
 #else
     w->pcw_pid = fork();
@@ -934,22 +937,6 @@ static void init_crypto_helper(struct pl
 	
 	pluto_init_log();
 
-/* XXX Paul: this is never reaches anymore? */
-#ifdef HAVE_LIBNSS 
-	NSS_Shutdown();
-	const struct osw_conf_options *oco;
-	char buf[100];
-	oco=osw_init_options();
-	snprintf(buf, sizeof(buf), "sql:%s",oco->confddir);  
-	loglog(RC_LOG_SERIOUS,"nss directory crypt helper: %s",buf);
-	SECStatus nss_init_status=NSS_InitReadWrite(buf);
-	if(nss_init_status != SECSuccess) {
-	   loglog(RC_LOG_SERIOUS, "NSS initialization failed in crypto helper(err %d)\n", PR_GetError());
-	} else{
-		loglog(RC_LOG_SERIOUS, "NSS initialized in crypto helper\n");
-		PK11_SetPasswordFunc(getNSSPassword);
-       }
-#endif
 
 	init_rnd_pool();
 	load_oswcrypto();
@@ -959,10 +946,6 @@ static void init_crypto_helper(struct pl
 
 	pluto_crypto_helper(fds[1], n);
 
-#if defined(HAVE_LIBNSS)
-	NSS_Shutdown();
-	loglog(RC_LOG_SERIOUS, "init_crypto_helper: helper (%d) is exiting\n",n);
-#endif
 	exit(0);
 	/* NOTREACHED */
     }
diff -urNp openswan-2.6.22-orig/programs/pluto/plutomain.c openswan-2.6.22/programs/pluto/plutomain.c
--- openswan-2.6.22-orig/programs/pluto/plutomain.c	2009-06-22 22:53:08.000000000 -0400
+++ openswan-2.6.22/programs/pluto/plutomain.c	2009-07-23 17:17:50.010576404 -0400
@@ -99,7 +99,9 @@
 # include <nss.h>
 # include <nspr.h>
 # ifdef FIPS_CHECK
-#  include <fipscheck.h>
+# include <fipscheck.h>
+#define IPSECLIBDIR "/usr/libexec/ipsec"
+#define IPSECSBINDIR "/usr/sbin"
 # endif
 #endif
 
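Review bot: `IPSECLIBDIR` and `IPSECSBINDIR` are hard-coded in plutomain.c, while the spec file in this same commit passes the library directory to the build as `IPSEC_LIBDIR`. A build with a different prefix would have the FIPS integrity check look at paths where nothing was installed. Wrapping each define so the build can override it, `# ifndef IPSECLIBDIR` / `#  define IPSECLIBDIR "/usr/libexec/ipsec"` / `# endif`, keeps the default and removes the mismatch. The two defines are also unindented inside the nested `# ifdef FIPS_CHECK`, unlike the neighbouring `# include` lines.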
@@ -771,12 +773,57 @@ main(int argc, char **argv)
 	} else {
 	    loglog(RC_LOG_SERIOUS, "NSS Initialized");
 	    PK11_SetPasswordFunc(getNSSPassword);
+
 #ifdef FIPS_CHECK
-	    if (Pluto_IsFIPS() && !FIPSCHECK_verify(NULL, NULL)) {
-		loglog(RC_LOG_SERIOUS, "FIPS integrity verification test failed");
-		exit_pluto(10);
-	    }
+	const char *package_files[]= { IPSECLIBDIR"/setup",
+				        IPSECLIBDIR"/addconn",
+				        IPSECLIBDIR"/auto",
+				        IPSECLIBDIR"/barf",
+				        IPSECLIBDIR"/_copyright",
+				        IPSECLIBDIR"/eroute",
+  				        IPSECLIBDIR"/ikeping",
+				        IPSECLIBDIR"/_include",
+					IPSECLIBDIR"/_keycensor",
+					IPSECLIBDIR"/klipsdebug",
+					IPSECLIBDIR"/look",
+					IPSECLIBDIR"/newhostkey",
+					IPSECLIBDIR"/pf_key",
+					IPSECLIBDIR"/_pluto_adns",
+					IPSECLIBDIR"/_plutoload",
+					IPSECLIBDIR"/_plutorun",
+					IPSECLIBDIR"/ranbits",
+					IPSECLIBDIR"/_realsetup",
+					IPSECLIBDIR"/rsasigkey",
+					IPSECLIBDIR"/pluto",
+					IPSECLIBDIR"/_secretcensor",
+					IPSECLIBDIR"/secrets",
+					IPSECLIBDIR"/showdefaults",
+					IPSECLIBDIR"/showhostkey",
+					IPSECLIBDIR"/showpolicy",
+					IPSECLIBDIR"/spi",
+					IPSECLIBDIR"/spigrp",
+					IPSECLIBDIR"/_startklips",
+					IPSECLIBDIR"/_startklips.old",
+					IPSECLIBDIR"/_startnetkey",
+					IPSECLIBDIR"/tncfg",
+					IPSECLIBDIR"/_updown",
+					IPSECLIBDIR"/_updown.klips",
+					IPSECLIBDIR"/_updown.klips.old",
+					IPSECLIBDIR"/_updown.mast",
+					IPSECLIBDIR"/_updown.mast.old",
+					IPSECLIBDIR"/_updown.netkey", 
+					IPSECLIBDIR"/verify",
+					IPSECLIBDIR"/whack",
+					IPSECSBINDIR"/ipsec",
+					NULL
+					};
+
+       if (Pluto_IsFIPS() && !FIPSCHECK_verify_files(package_files)) {
+             loglog(RC_LOG_SERIOUS, "FIPS integrity verification test failed");
+             exit_pluto(10);
+        }
 #endif
+
       }
 #endif
 
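Review bot: The `package_files` array repeats, name for name, the `fipshmac` list added to openswan.spec in this commit, and nothing ties the two together. A file present in one list but absent from the other (for example one of the `.old` scripts not being installed in some configuration) would presumably make `FIPSCHECK_verify_files()` fail and pluto exit with code 10 in FIPS mode. A newly shipped helper missing from both lists would go unverified. A comment above the array stating that it must match the spec's `fipshmac` list, or generating both from one manifest, would keep the integrity check complete. main() starts and ends outside this hunk.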
@@ -786,7 +833,7 @@ main(int argc, char **argv)
     {
 #ifdef PLUTO_SENDS_VENDORID
 # ifdef HAVE_LIBNSS
-	if(PK11_IsFIPS()) {
+	if(Pluto_IsFIPS()) {
 	openswan_log("Starting Pluto (Openswan Version %s%s) pid:%u"
 		, ipsec_version_code() , compile_time_interop_options, getpid());
 	} else {
diff -urNp openswan-2.6.22-orig/programs/pluto/state.c openswan-2.6.22/programs/pluto/state.c
--- openswan-2.6.22-orig/programs/pluto/state.c	2009-06-22 22:53:08.000000000 -0400
+++ openswan-2.6.22/programs/pluto/state.c	2009-07-23 16:36:01.832590240 -0400
@@ -60,6 +60,12 @@
 #include "crypto.h" /* requires sha1.h and md5.h */
 #include "spdb.h"
 
+#ifdef HAVE_LIBNSS
+# include <nss.h>
+# include <pk11pub.h>
+# include <keyhi.h>
+#endif
+
 /*
  * Global variables: had to go somewhere, might as well be this file.
  */
diff -urNp openswan-2.6.22-orig/programs/rsasigkey/rsasigkey.c openswan-2.6.22/programs/rsasigkey/rsasigkey.c
--- openswan-2.6.22-orig/programs/rsasigkey/rsasigkey.c	2009-06-22 22:53:08.000000000 -0400
+++ openswan-2.6.22/programs/rsasigkey/rsasigkey.c	2009-07-23 16:36:01.836589243 -0400
@@ -588,10 +588,10 @@ rsasigkey(int nbits, char *configdir, ch
 	PK11_SetPasswordFunc(GetModulePassword);
 	nss_initialized = PR_TRUE;
 
-	/* Good for now but someone may want to use a hardware token
-	 *slot = PK11_GetInternalKeySlot();
-	 * In which case this may be better */
-	slot = PK11_GetBestSlot(CKM_RSA_PKCS_KEY_PAIR_GEN, password ? &pwdata : NULL);
+	/* Good for now but someone may want to use a hardware token*/
+	 slot = PK11_GetInternalKeySlot();
+	 /* In which case this may be better */
+	//slot = PK11_GetBestSlot(CKM_RSA_PKCS_KEY_PAIR_GEN, password ? &pwdata : NULL);
 	/*or the user may specify the name of a token.*/
 
 	/*if (PK11_IsFIPS() || !PK11_IsInternal(slot)) {
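Review bot: After this change the comments no longer describe the code: "Good for now but someone may want to use a hardware token" now sits above `PK11_GetInternalKeySlot()`, and "In which case this may be better" points at a commented-out call. Key generation is now pinned to the internal slot, so a single comment such as `/* generate on the internal key slot; switch to PK11_GetBestSlot() to support hardware tokens */` would say so directly, and the dead `//slot = ...` line can be deleted. Whether `slot` is checked for NULL before use is not visible, because the function continues outside the hunk.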

openswan-2.6.22-selinux.patch:
 verify.in |   12 ------------
 1 file changed, 12 deletions(-)

--- NEW FILE openswan-2.6.22-selinux.patch ---
--- openswan-2.6.22-orig/programs/verify/verify.in	2009-06-23 04:53:08.000000000 +0200
+++ openswan-2.6.22/programs/verify/verify.in	2009-07-09 23:50:15.000000000 +0200
@@ -262,18 +262,6 @@ sub installstartcheck {
 	   } else { warnchk "","UNKNOWN"; }
 	}
 
-        if ( -e "/selinux/enforce") {
-        printfun "Testing against enforced SElinux mode";
-        open("cat", "/selinux/enforce");
-        if(<cat> == "1")
-            {
-                errchk "";
-                print "\n  SElinux is running in 'enforced' mode. Since no working SElinux\n  policies exist for Openswan, SElinux should be disabled.\n";
-		print "\n  echo \"0\" > /selinux/enforce (or edit /etc/sysconfig/selinux)\n\n";
-            }
-        else { errchk "1"; }
-        }
-
         if ( -c "/dev/hw_random" || -c "/dev/hwrng" ) {
         printfun "Hardware RNG detected, testing if used properly";
         run "pidof rngd";


Index: .cvsignore
===================================================================
RCS file: /cvs/pkgs/rpms/openswan/F-11/.cvsignore,v
retrieving revision 1.26
retrieving revision 1.27
diff -u -p -r1.26 -r1.27
--- .cvsignore	30 Mar 2009 15:32:53 -0000	1.26
+++ .cvsignore	10 Sep 2009 16:35:40 -0000	1.27
@@ -10,3 +10,4 @@ openswan-2.6.16.tar.gz
 openswan-2.6.18.tar.gz
 openswan-2.6.19.tar.gz
 openswan-2.6.21.tar.gz
+openswan-2.6.22.tar.gz


Index: openswan.spec
===================================================================
RCS file: /cvs/pkgs/rpms/openswan/F-11/openswan.spec,v
retrieving revision 1.79
retrieving revision 1.80
diff -u -p -r1.79 -r1.80
--- openswan.spec	6 Jul 2009 14:52:23 -0000	1.79
+++ openswan.spec	10 Sep 2009 16:35:41 -0000	1.80
@@ -1,10 +1,13 @@
+%define USE_LIBNSS 1
 %define USE_FIPSCHECK 1
+%define nss_version 3.12.3-2
+%define fipscheck_version 1.2.0-1
 
 Summary: Openswan IPSEC implementation
 Name: openswan
-Version: 2.6.21
+Version: 2.6.22
 
-Release: 5%{?dist}
+Release: 1%{?dist}
 License: GPLv2+
 Url: http://www.openswan.org/
 Source: openswan-%{version}.tar.gz
@@ -13,16 +16,19 @@ Source2: ipsec.conf
 
 Patch1: openswan-2.6.16-examples.patch
 Patch2: openswan-2.6-relpath.patch
-Patch3: openswan-2.6-selinux.patch
-Patch4: openswan-2.6.16-initscript-correction.patch
-Patch5: openswan-2.6.21-gcc44.patch
-Patch6: openswan-2.6.21-nss.patch
-Patch7: openswan-2.6.21-nss-fedora-diff-modified.patch
-Patch8: openswan-2.6.21-CVE-2009-2185.patch
+Patch3: openswan-2.6.22-selinux.patch
+Patch4: openswan-2.6-initscript-correction.patch
+Patch5: openswan-2.6.22-gcc44.patch
+Patch6: openswan-2.6.22-nss.patch
+Patch7: openswan-2.6.22-CVE-2009-2185.patch
+
 
 Group: System Environment/Daemons
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
-BuildRequires: gmp-devel bison flex man xmlto bind-devel nss-devel
+BuildRequires: gmp-devel bison flex man xmlto bind-devel
+%if %{USE_LIBNSS}
+BuildRequires: nss-devel >= %{nss_version}
+%endif
 Requires(post): coreutils bash
 Requires(preun): initscripts chkconfig
 Requires(post): /sbin/chkconfig
@@ -30,7 +36,7 @@ Requires(preun): /sbin/chkconfig
 Requires(preun): /sbin/service
 
 %if %{USE_FIPSCHECK}
-BuildRequires: fipscheck-devel
+BuildRequires: fipscheck-devel >= %{fipscheck_version}
 %endif
 
 Provides: ipsec-userland = %{version}-%{release}
@@ -73,7 +79,6 @@ find doc -name .gitignore -print0 | xarg
 %patch5 -p1
 %patch6 -p1
 %patch7 -p1
-%patch8 -p1
 
 %build
 
@@ -86,6 +91,12 @@ find doc -name .gitignore -print0 | xarg
   IPSEC_LIBDIR="${IPSEC_LIBDIR-/usr/libexec/ipsec}" \
   MANTREE=%{_mandir} \
   INC_RCDEFAULT=%{_initrddir} \
+%if %{USE_LIBNSS}
+  USE_LIBNSS=true \
+%endif
+%if %{USE_FIPSCHECK}
+  USE_FIPSCHECK=true \
+%endif
   programs
 FS=$(pwd)
 
@@ -95,8 +106,46 @@ FS=$(pwd)
     %{?__debug_package:%{__debug_install_post}} \
     %{__arch_install_post} \
     %{__os_install_post} \
-    fipshmac $RPM_BUILD_ROOT%{_libexecdir}/ipsec/rsasigkey \
-    fipshmac $RPM_BUILD_ROOT%{_libexecdir}/ipsec/pluto \
+  fipshmac $RPM_BUILD_ROOT%{_libexecdir}/ipsec/setup \
+  fipshmac $RPM_BUILD_ROOT%{_libexecdir}/ipsec/addconn \
+  fipshmac $RPM_BUILD_ROOT%{_libexecdir}/ipsec/auto \
+  fipshmac $RPM_BUILD_ROOT%{_libexecdir}/ipsec/barf \
+  fipshmac $RPM_BUILD_ROOT%{_libexecdir}/ipsec/_copyright \
+  fipshmac $RPM_BUILD_ROOT%{_libexecdir}/ipsec/eroute \
+  fipshmac $RPM_BUILD_ROOT%{_libexecdir}/ipsec/ikeping \
+  fipshmac $RPM_BUILD_ROOT%{_libexecdir}/ipsec/_include \
+  fipshmac $RPM_BUILD_ROOT%{_libexecdir}/ipsec/_keycensor \
+  fipshmac $RPM_BUILD_ROOT%{_libexecdir}/ipsec/klipsdebug \
+  fipshmac $RPM_BUILD_ROOT%{_libexecdir}/ipsec/look \
+  fipshmac $RPM_BUILD_ROOT%{_libexecdir}/ipsec/newhostkey \
+  fipshmac $RPM_BUILD_ROOT%{_libexecdir}/ipsec/pf_key \
+  fipshmac $RPM_BUILD_ROOT%{_libexecdir}/ipsec/_pluto_adns \
+  fipshmac $RPM_BUILD_ROOT%{_libexecdir}/ipsec/_plutoload \
+  fipshmac $RPM_BUILD_ROOT%{_libexecdir}/ipsec/_plutorun \
+  fipshmac $RPM_BUILD_ROOT%{_libexecdir}/ipsec/ranbits \
+  fipshmac $RPM_BUILD_ROOT%{_libexecdir}/ipsec/_realsetup \
+  fipshmac $RPM_BUILD_ROOT%{_libexecdir}/ipsec/rsasigkey \
+  fipshmac $RPM_BUILD_ROOT%{_libexecdir}/ipsec/pluto \
+  fipshmac $RPM_BUILD_ROOT%{_libexecdir}/ipsec/_secretcensor \
+  fipshmac $RPM_BUILD_ROOT%{_libexecdir}/ipsec/secrets \
+  fipshmac $RPM_BUILD_ROOT%{_libexecdir}/ipsec/showdefaults \
+  fipshmac $RPM_BUILD_ROOT%{_libexecdir}/ipsec/showhostkey \
+  fipshmac $RPM_BUILD_ROOT%{_libexecdir}/ipsec/showpolicy \
+  fipshmac $RPM_BUILD_ROOT%{_libexecdir}/ipsec/spi \
+  fipshmac $RPM_BUILD_ROOT%{_libexecdir}/ipsec/spigrp \
+  fipshmac $RPM_BUILD_ROOT%{_libexecdir}/ipsec/_startklips \
+  fipshmac $RPM_BUILD_ROOT%{_libexecdir}/ipsec/_startklips.old \
+  fipshmac $RPM_BUILD_ROOT%{_libexecdir}/ipsec/_startnetkey \
+  fipshmac $RPM_BUILD_ROOT%{_libexecdir}/ipsec/tncfg \
+  fipshmac $RPM_BUILD_ROOT%{_libexecdir}/ipsec/_updown \
+  fipshmac $RPM_BUILD_ROOT%{_libexecdir}/ipsec/_updown.klips \
+  fipshmac $RPM_BUILD_ROOT%{_libexecdir}/ipsec/_updown.klips.old \
+  fipshmac $RPM_BUILD_ROOT%{_libexecdir}/ipsec/_updown.mast \
+  fipshmac $RPM_BUILD_ROOT%{_libexecdir}/ipsec/_updown.mast.old \
+  fipshmac $RPM_BUILD_ROOT%{_libexecdir}/ipsec/_updown.netkey \
+  fipshmac $RPM_BUILD_ROOT%{_libexecdir}/ipsec/verify \
+  fipshmac $RPM_BUILD_ROOT%{_libexecdir}/ipsec/whack \
+  fipshmac $RPM_BUILD_ROOT%{_sbindir}/ipsec \
 %{nil}
 %endif
 
@@ -154,6 +203,9 @@ rm -rf %{buildroot}
 %attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d
 %{_initrddir}/ipsec
 %{_sbindir}/ipsec
+%if %{USE_FIPSCHECK}
+%{_sbindir}/.ipsec.hmac
+%endif
 %{_libexecdir}/ipsec
 %{_mandir}/*/*.gz
 %{_localstatedir}/run/pluto
@@ -173,6 +225,15 @@ fi
 chkconfig --add ipsec || :
 
 %changelog
+* Thu Sep 10 2009 Avesh Agarwal <avagarwa at redhat.com> - 2.6.22-1
+- New upstream release
+- Added support for using PSK with NSS
+- Fixed several warnings and undid unnecessary debug messages
+- Updated README.nss with an example configuration
+- Moved README.nss to openswan/doc/
+- Improved FIPS integrity check functionality
+- Patch for Openswan ASN.1 parser vulnerability (CVE-2009-2185)
+
 * Mon Jul 06 2009 Avesh Agarwal <avagarwa at redhat.com> - 2.6.21-5
 - Added support for using PSK with NSS
 - Fixed several warnings and undid unnecessary comments


Index: sources
===================================================================
RCS file: /cvs/pkgs/rpms/openswan/F-11/sources,v
retrieving revision 1.25
retrieving revision 1.26
diff -u -p -r1.25 -r1.26
--- sources	30 Mar 2009 15:32:53 -0000	1.25
+++ sources	10 Sep 2009 16:35:41 -0000	1.26
@@ -1 +1 @@
-ba9da6c90e0f5fe856767d7510ce371f  openswan-2.6.21.tar.gz
+9a30009bade8a1b09fba27680c87cf72  openswan-2.6.22.tar.gz


--- openswan-2.6-selinux.patch DELETED ---


--- openswan-2.6.16-initscript-correction.patch DELETED ---


--- openswan-2.6.21-CVE-2009-2185.patch DELETED ---


--- openswan-2.6.21-gcc44.patch DELETED ---


--- openswan-2.6.21-nss-fedora-diff-modified.patch DELETED ---


--- openswan-2.6.21-nss.patch DELETED ---



