Your message dated Sun, 30 Mar 2008 11:17:15 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#470721: fixed in strongswan 4.1.11-1
has caused the Debian Bug report #470721,
regarding pluto segfaults when using pkcs11 library linked with OpenSSL
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
470721: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=470721
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: strongswan
Version: 4.1.10-1
Tags: patch

I'm using strongSwan with RSA private keys on a smartcard via opencryptoki's 
pkcs11 library. The opencryptoki pkcs11 libraries link with OpenSSL's 
libcrypto which includes a function AES_cbc_encrypt. That function also 
exists in strongSwan's builtin libcrypto but it takes different parameters 
and generally functions differently. So, when pluto attempts to use the 
AES_cbc_encrypt after dlopen'ing opencryptoki's pkcs11 library, it segfaults 
because it has been overwritten with OpenSSL's different AES_cbc_encrypt in 
the symbol table.

I've written a trivial patch to rename strongSwan's AES_cbc_encrypt to 
ss_AES_cbc_encrypt to avoid this conflict. With the patch, pluto functions 
normally and connections succeed. I have sent the patch upstream to 
strongSwan's mailing list twice, once in late November 2007[1] and again in 
the beginning of March 2008[2]. I have yet to receive any reply from 
upstream, neither positive nor negative, so as "plan B" I ask that you please 
include it in the Debian package.

Thank you

[1] https://lists.strongswan.org/pipermail/users/2007-November/002160.html
[2] https://lists.strongswan.org/pipermail/users/2008-March/002292.html
-- 
man perl | tail -6 | head -2
commit 306736b995127de2f0ef54671c3cfac86870f94c
Author: David Smith <[EMAIL PROTECTED]>
Date:   Sat Nov 24 19:07:04 2007 +1100

    Rename AES_cbc_encrypt to ss_AES_cbc_encrypt to not conflict
    with OpenSSL's function when using opencryptoki's TPM token.

diff --git a/src/libcrypto/libaes/aes_cbc.c b/src/libcrypto/libaes/aes_cbc.c
index 962dd1a..83feeb7 100644
--- a/src/libcrypto/libaes/aes_cbc.c
+++ b/src/libcrypto/libaes/aes_cbc.c
@@ -10,4 +10,4 @@ int AES_set_key(aes_context *aes_ctx, const u_int8_t *key, int keysize) {
 	aes_set_key(aes_ctx, key, keysize, 0);
 	return 1;	
 }
-CBC_IMPL_BLK16(AES_cbc_encrypt, aes_context, u_int8_t *, aes_encrypt, aes_decrypt);
+CBC_IMPL_BLK16(ss_AES_cbc_encrypt, aes_context, u_int8_t *, aes_encrypt, aes_decrypt);
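Review bot: AES_set_key, visible just above the renamed CBC_IMPL_BLK16 line in aes_cbc.c, keeps its unprefixed AES_ name, so only the one symbol that happened to clash is moved out of the namespace OpenSSL uses. Consider giving every exported function in this file the ss_ prefix, and check that any header declaring AES_cbc_encrypt gets the same rename, since this diff changes only the definition and one caller.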
diff --git a/src/pluto/alg/ike_alg_aes.c b/src/pluto/alg/ike_alg_aes.c
index 44de09b..9df79cb 100644
--- a/src/pluto/alg/ike_alg_aes.c
+++ b/src/pluto/alg/ike_alg_aes.c
@@ -34,7 +34,7 @@ do_aes(u_int8_t *buf, size_t buf_len, u_int8_t *key, size_t key_size, u_int8_t *
 	memcpy(new_iv=iv_bak, (char*) buf + buf_len - AES_CBC_BLOCK_SIZE
 		, AES_CBC_BLOCK_SIZE);
 
-    AES_cbc_encrypt(&aes_ctx, buf, buf, buf_len, iv, enc);
+    ss_AES_cbc_encrypt(&aes_ctx, buf, buf, buf_len, iv, enc);
 
     if (enc)
 	new_iv = (char*) buf + buf_len-AES_CBC_BLOCK_SIZE;
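Review bot: the renamed call in do_aes carries no comment saying why the ss_ prefix is there, so a later cleanup could rename it back and reintroduce the clash with OpenSSL's AES_cbc_encrypt. A one-line comment above the call, or at the CBC_IMPL_BLK16 definition, stating the reason would prevent that. The call's result is also still discarded; if the function can report failure, this is the place to check it.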


--- End Message ---
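An added example (not part of the original report or of strongSwan): a check for the kind of name clash described in the report, listing symbols that both a host binary and a library it loads define and export, based on `nm -D` output. The sample listings are constructed, and which names each object exports is an assumption made for illustration.

```python
import subprocess

# nm type letters for globally visible, defined symbols
# (U and lowercase letters are undefined, weak-undefined or local).
DEFINED_GLOBAL = set("ABCDGRSTVW")

# Constructed sample `nm -D` output: addresses, the version tag and the
# neighbouring symbols are made up; AES_cbc_encrypt, AES_set_key and do_aes
# are names from the report, and that they are exported is assumed here.
HOST_NM = """\
0000000000041980 T AES_set_key
0000000000041a20 T AES_cbc_encrypt
0000000000020f10 T do_aes
                 U memcpy
"""
LIB_NM = """\
00000000000a1c30 T AES_cbc_encrypt@@SAMPLE_1
00000000000a1d00 T AES_set_encrypt_key@@SAMPLE_1
                 U malloc
"""

def nm_dynamic(path):
    """Return `nm -D` text for a real ELF file (GNU binutils assumed)."""
    return subprocess.run(["nm", "-D", path], check=True,
                          capture_output=True, text=True).stdout

def defined_symbols(nm_text):
    """Map symbol name -> type letter for defined global dynamic symbols."""
    found = {}
    for line in nm_text.splitlines():
        parts = line.split()
        if len(parts) != 3:          # undefined symbols have no address column
            continue
        _addr, kind, name = parts
        if kind in DEFINED_GLOBAL:
            found[name.split("@", 1)[0]] = kind   # drop symbol-version suffix
    return found

def collisions(host_nm, lib_nm):
    """Names that both objects define and export."""
    return sorted(defined_symbols(host_nm).keys() & defined_symbols(lib_nm).keys())

if __name__ == "__main__":
    print("before rename:", collisions(HOST_NM, LIB_NM))
    renamed = HOST_NM.replace(" AES_cbc_encrypt", " ss_AES_cbc_encrypt")
    print("after rename: ", collisions(renamed, LIB_NM))
```

To audit real files, pass the text returned by `nm_dynamic()` for the executable and for each library it loads to `collisions()`.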
--- Begin Message ---
Source: strongswan
Source-Version: 4.1.11-1

We believe that the bug you reported is fixed in the latest version of
strongswan, which is due to be installed in the Debian FTP archive:

strongswan_4.1.11-1.diff.gz
  to pool/main/s/strongswan/strongswan_4.1.11-1.diff.gz
strongswan_4.1.11-1.dsc
  to pool/main/s/strongswan/strongswan_4.1.11-1.dsc
strongswan_4.1.11-1_i386.deb
  to pool/main/s/strongswan/strongswan_4.1.11-1_i386.deb
strongswan_4.1.11.orig.tar.gz
  to pool/main/s/strongswan/strongswan_4.1.11.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Rene Mayrhofer <[EMAIL PROTECTED]> (supplier of updated strongswan package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun, 30 Mar 2008 10:35:16 +0200
Source: strongswan
Binary: strongswan
Architecture: source i386
Version: 4.1.11-1
Distribution: unstable
Urgency: low
Maintainer: Rene Mayrhofer <[EMAIL PROTECTED]>
Changed-By: Rene Mayrhofer <[EMAIL PROTECTED]>
Description: 
 strongswan - IPSec utilities for strongSwan
Closes: 470721
Changes: 
 strongswan (4.1.11-1) unstable; urgency=low
 .
   * New upstream release.
   * DBUS support now interacts with network-manager, so need to build-depend
     on network-manager-dev.
   * The web interface has been improved and now requires libfcgi-dev and
     clearsilver-dev to compile, so build-depend on them. Also build-depend
     on libxml2-dev, libdbus-1-dev, libtool, and libsqlite3-dev (which were
     all build-deps before but were not listed explicitly so far - fix that).
   * Add patch to rename internal AES_cbc_encrypt function and thus avoid
     conflict with the openssl function.
     Closes: #470721: pluto segfaults when using pkcs11 library linked with
                      OpenSSL
Files: 
 90301ccf58740c3febffd9bd3500cf22 902 net optional strongswan_4.1.11-1.dsc
 cd435212abdd797b2b932f63b5c117ab 2791446 net optional strongswan_4.1.11.orig.tar.gz
 71f5bdd78743ad3c9d3dd4ee7fb8acc2 56738 net optional strongswan_4.1.11-1.diff.gz
 b7b14a3f8dce0190cc5da978ffc710d3 1296908 net optional strongswan_4.1.11-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFH73H8q7SPDcPCS94RAtv1AJ9rHj1IyymZb7mjTLvCyVxF9bSw3wCeI1OF
2fz1KvmzYm/uAzzgFqelJR8=
=Fuo+
-----END PGP SIGNATURE-----



--- End Message ---
