Package: strongswan
Version: 4.1.10-1
Tags: patch

I'm using strongSwan with RSA private keys on a smartcard via opencryptoki's pkcs11 library. The opencryptoki pkcs11 libraries link with OpenSSL's libcrypto which includes a function AES_cbc_encrypt. That function also exists in strongSwan's builtin libcrypto but it takes different parameters and generally functions differently. So, when pluto attempts to use the AES_cbc_encrypt after dlopen*ing opencryptoki's pkcs11 library, it segfaults because it has been overwritten with OpenSSL's different AES_cbc_encrypt in the symbol table.
I've written a trivial patch to rename strongSwan's AES_cbc_encrypt to ss_AES_cbc_encrypt to avoid this conflict. With the patch, pluto functions normally and connections succeed. I have sent the patch upstream to strongSwan's mailing list twice, once in late November 2007[1] and again in the beginning of March 2008[2]. I have yet to receive any reply from upstream, neither positive nor negative, so as "plan B" I ask that you please include it in the Debian package.

Thank you

[1] https://lists.strongswan.org/pipermail/users/2007-November/002160.html
[2] https://lists.strongswan.org/pipermail/users/2008-March/002292.html

--
man perl | tail -6 | head -2
commit 306736b995127de2f0ef54671c3cfac86870f94c Author: David Smith <[EMAIL PROTECTED]> Date: Sat Nov 24 19:07:04 2007 +1100 Rename AES_cbc_encrypt to ss_AES_cbc_encrypt to not conflict with OpenSSL's function when using opencryptoki's TPM token. diff --git a/src/libcrypto/libaes/aes_cbc.c b/src/libcrypto/libaes/aes_cbc.c index 962dd1a..83feeb7 100644 --- a/src/libcrypto/libaes/aes_cbc.c +++ b/src/libcrypto/libaes/aes_cbc.c @@ -10,4 +10,4 @@ int AES_set_key(aes_context *aes_ctx, const u_int8_t *key, int keysize) { aes_set_key(aes_ctx, key, keysize, 0); return 1; } -CBC_IMPL_BLK16(AES_cbc_encrypt, aes_context, u_int8_t *, aes_encrypt, aes_decrypt); +CBC_IMPL_BLK16(ss_AES_cbc_encrypt, aes_context, u_int8_t *, aes_encrypt, aes_decrypt); diff --git a/src/pluto/alg/ike_alg_aes.c b/src/pluto/alg/ike_alg_aes.c index 44de09b..9df79cb 100644 --- a/src/pluto/alg/ike_alg_aes.c +++ b/src/pluto/alg/ike_alg_aes.c @@ -34,7 +34,7 @@ do_aes(u_int8_t *buf, size_t buf_len, u_int8_t *key, size_t key_size, u_int8_t * memcpy(new_iv=iv_bak, (char*) buf + buf_len - AES_CBC_BLOCK_SIZE , AES_CBC_BLOCK_SIZE); - AES_cbc_encrypt(&aes_ctx, buf, buf, buf_len, iv, enc); + ss_AES_cbc_encrypt(&aes_ctx, buf, buf, buf_len, iv, enc); if (enc) new_iv = (char*) buf + buf_len-AES_CBC_BLOCK_SIZE;
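Review bot: In the aes_cbc.c hunk, AES_set_key on the context lines just above the renamed CBC_IMPL_BLK16 line keeps its un-prefixed, OpenSSL-style AES_ name and stays a global definition in the same file, so only one of the two visible entry points is moved out of the shared namespace. Consider giving it the same ss_ prefix (or otherwise keeping these symbols from being exported) so the next name clash with a dlopen'ed library is not found by a crash, and add a one-line comment next to the ss_AES_cbc_encrypt instantiation saying why the prefix exists so it is not "cleaned up" later.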
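Review bot: In the ike_alg_aes.c hunk, the call in do_aes now names ss_AES_cbc_encrypt, but the patch as shown touches only aes_cbc.c and ike_alg_aes.c and no header, so there is no visible prototype change to match. Please confirm that whatever header declares AES_cbc_encrypt is updated in the same commit, otherwise this call is made without a matching declaration and the argument types are unchecked. It is also worth grepping the tree for any other caller of the old name, since this diff updates exactly one call site.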
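A check for the kind of clash this report describes: list function names that are defined both by a host program and by a library it loads at run time. This is an added example, not part of the original report or of strongSwan; the two `nm -D --defined-only` style listings are constructed sample data, and `parse_nm`, `collisions`, `helper_init` and `some_state` are made-up names.

```python
# Constructed `nm -D --defined-only` style listings (sample data, not real output).
HOST_NM = """\
0000000000012a40 T AES_cbc_encrypt
0000000000012900 T helper_init
0000000000015000 T do_aes
0000000000031000 B some_state
"""
LIB_NM = """\
00000000000a1b20 T AES_cbc_encrypt@@SAMPLE_1.0
00000000000a1a00 T AES_set_encrypt_key@@SAMPLE_1.0
00000000000b0000 W helper_init
                 U malloc
"""

FUNC_TYPES = {"T", "W"}  # global code symbols: strong (T) and weak (W)


def parse_nm(text):
    """Map each exported function name to its nm type letter."""
    symbols = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[-2] not in FUNC_TYPES:
            continue  # blank line, undefined (U), data (B/D) or local symbol
        name = fields[-1].split("@", 1)[0]  # drop any @@VERSION suffix
        symbols[name] = fields[-2]
    return symbols


def collisions(host_nm, lib_nm):
    """Return sorted (name, host_type, lib_type) for names defined by both."""
    host, lib = parse_nm(host_nm), parse_nm(lib_nm)
    return [(n, host[n], lib[n]) for n in sorted(host.keys() & lib.keys())]


if __name__ == "__main__":
    for name, host_type, lib_type in collisions(HOST_NM, LIB_NM):
        print(f"{name}: host={host_type} library={lib_type}")
```

Each reported name is a candidate for renaming or hiding, as the patch does for AES_cbc_encrypt; a name only matters if both sides really export it and have different signatures or behaviour.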