Added the issue to the user lists as the Strongswan Issues tracker is probably
not the right place for support questions.
I'm making a minimal build of strongswan 5.0.1 and kernel version 2.6.33.5
without the openssl plugin.
We are testing IKEv2 and tunnel mode exchange.
Getting an error with regards to key integrity tests failed and private key
loading failure in the charon.log.
1) List of loaded plugins without the openssl for the failed test case.
a) loaded plugins: charon aes des sha1 sha2 md5 random nonce x509 pubkey pkcs1
pkcs8 pgp pem gmp xcbc hmac kernel-pfkey kernel-netlink socket-default stroke
updown
b) charon.log errors below:
"00[LIB] key integrity tests failed"
"00[LIB] building CRED_PRIVATE_KEY - RSA failed, tried 6 builders
00[CFG] loading private key from '/tmp/ssl/private/MyServerKey.pem' failed
00[LIB] feature PRIVKEY:DSA in 'pem' plugin has unsatisfied dependency:
PRIVKEY:DSA\par
00[LIB] feature PUBKEY:ECDSA in 'pem' plugin has unsatisfied dependency:
PUBKEY:ECDSA\par
00[LIB] feature PUBKEY:DSA in 'pem' plugin has unsatisfied dependency:
PUBKEY:DSA \par
00[LIB] feature CERT_DECODE:X509_OCSP_REQUEST in 'pem' plugin has unsatisfied
dependency: CERT_DECODE:X509_OCSP_RE\par
00[LIB] feature PRF:PRF_CAMELLIA128_XCBC in 'xcbc' plugin has unsatisfied
dependency: CRYPTER:CAMELLIA_CBC-16 \par
00[LIB] feature SIGNER:CAMELLIA_XCBC_96 in 'xcbc' plugin has unsatisfied
dependency: CRYPTER:CAMELLIA_CBC-16 \par
00[DMN] loaded plugins: charon aes des sha1 sha2 md5 random nonce x509 pubkey
pkcs1 pkcs8 pgp pem gmp xcbc hmac kernel-pfkey kernel-netlink socket-default
stroke updown"
2) List of loaded plugins with the openssl plugin for successful test case.
a) loaded plugins: charon aes des sha1 sha2 md5 random nonce x509 pubkey pkcs1
pkcs8 pgp pem openssl gmp xcbc hmac kernel-pfkey kernel-netlink socket-default
stroke updown
b) The loaded openssl plugin results in the private key being successfully
loaded. The ipsec tunnel gets established just fine without any issues.
The only difference in the setup environment is enabing/disabling strongswan5
openssl plugin.
As workaround to some other issues, we had to disable the openssl plugin.
We ran into some compatibility issues of the openssl plugin and the OCF
layer/openssl -engine cryptodev h/w driver.
This was resulting in MAC verification failures bringing down the tunnel and
not restarting around 2-4hours of test run.
Our rekeying is happening on every hour and reauthenticating of the public key
every 3 hours.
Please let me know what are other plugins are required when openssl plugin is
disabled as to support these ipsec.conf settings.
leftcert=/tmp/ssl/certs/MyServerCert.pem
rightauth=pubkey
Let me know if you need the full charon.log or config details for this issue.
FYI....
When openssl plugin was enabled, we created a patch file as workaround to
bypass the RSA_check_key.
This had addressed "key integrity test failed" error in short term solution. It
was the only way to bring up the tunnel with pubkey authentication since our
certs/private key was created with the OCF and h/w acceleration driver.
--- a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
2012-06-08 17:07:42.245836492 -0500
+++ b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
2012-06-08 17:08:38.435845825 -0500
@ -374,7 +374,7 @
if (blob.ptr) {
this->rsa = d2i_RSAPrivateKey(NULL, (const u_char**)&blob.ptr, blob.len);
- if (this->rsa && RSA_check_key(this->rsa))
+ if (this->rsa) {
return &this->public;
}
@ -396,10 +396,7 @
this->rsa->dmq1 = BN_bin2bn((const u_char*)exp2.ptr, exp2.len, NULL);
}
this->rsa->iqmp = BN_bin2bn((const u_char*)coeff.ptr, coeff.len, NULL);
- if (RSA_check_key(this->rsa))
- {
- return &this->public;
- }
+ return &this->public;
}
destroy(this);
return NULL;
Since the private key is now being parsed by gmp plugin (without the openssl
plugin), it is safe for to bypass the integrity check in gmp plugin as another
workaround? I have not tried that yet.
Kiran_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
