rpms/openswan/F-11 openswan-2.6.21-CVE-2009-2185.patch, NONE, 1.1 openswan-2.6.21-nss-fedora-diff-modified.patch, NONE, 1.1 openswan.spec, 1.78, 1.79
avesh agarwal
avesh at fedoraproject.org
Mon Jul 6 14:52:53 UTC 2009
- Previous message (by thread): rpms/gnome-power-manager/devel gnome-power-manager-2.27.2-fix-potfiles.patch, NONE, 1.1 .cvsignore, 1.60, 1.61 gnome-power-manager-port-to-polkit1.patch, 1.1, 1.2 gnome-power-manager.spec, 1.162, 1.163 sources, 1.60, 1.61
- Next message (by thread): rpms/libxcb/devel libxcb.spec,1.23,1.24
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
Author: avesh
Update of /cvs/pkgs/rpms/openswan/F-11
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv522
Modified Files:
openswan.spec
Added Files:
openswan-2.6.21-CVE-2009-2185.patch
openswan-2.6.21-nss-fedora-diff-modified.patch
Log Message:
* Mon Jul 06 2009 Avesh Agarwal <avagarwa at redhat.com> - 2.6.21-5
- Added support for using PSK with NSS
- Fixed several warnings and undid unnecessary comments
- Updated README.nss with an example configuration
- Fixed Openswan ASN.1 parser vulnerability (CVE-2009-2185)
openswan-2.6.21-CVE-2009-2185.patch:
--- NEW FILE openswan-2.6.21-CVE-2009-2185.patch ---
--- ../openswan-2.6.21-orig/lib/libopenswan/asn1.c 2009-03-30 09:11:28.000000000 -0400
+++ openswan-2/lib/libopenswan/asn1.c 2009-06-26 10:14:54.000000000 -0400
@@ -11,7 +11,6 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: asn1.c,v 1.10 2005/08/05 17:33:27 mcr Exp $
*/
#include <stdlib.h>
@@ -77,8 +76,15 @@ asn1_length(chunk_t *blob)
n = *blob->ptr++;
blob->len--;
- if ((n & 0x80) == 0) /* single length octet */
+ if ((n & 0x80) == 0) { /* single length octet */
+ if (n > blob->len) {
+ DBG(DBG_PARSING,
+ DBG_log("number of length octets is larger than ASN.1 object")
+ )
+ return ASN1_INVALID_LENGTH;
+ }
return n;
+ }
/* composite length, determine number of length octets */
n &= 0x7f;
@@ -107,6 +113,14 @@ asn1_length(chunk_t *blob)
len = 256*len + *blob->ptr++;
blob->len--;
}
+ if (len > blob->len)
+ {
+ DBG(DBG_PARSING,
+ DBG_log("length is larger than remaining blob size")
+ )
+ return ASN1_INVALID_LENGTH;
+ }
+
return len;
}
@@ -236,14 +250,21 @@ asn1totime(const chunk_t *utctime, asn1_
{
int tz_hour, tz_min;
- sscanf(eot+1, "%2d%2d", &tz_hour, &tz_min);
+ if (sscanf(eot+1, "%2d%2d", &tz_hour, &tz_min) != 2)
+ {
+ return 0; /* error in positive timezone offset format */
+ }
+
tz_offset = 3600*tz_hour + 60*tz_min; /* positive time zone offset */
}
else if ((eot = memchr(utctime->ptr, '-', utctime->len)) != NULL)
{
int tz_hour, tz_min;
- sscanf(eot+1, "%2d%2d", &tz_hour, &tz_min);
+ if (sscanf(eot+1, "%2d%2d", &tz_hour, &tz_min) != 2)
+ {
+ return 0; /* error in negative timezone offset format */
+ }
tz_offset = -3600*tz_hour - 60*tz_min; /* negative time zone offset */
}
else
@@ -255,14 +276,22 @@ asn1totime(const chunk_t *utctime, asn1_
const char* format = (type == ASN1_UTCTIME)? "%2d%2d%2d%2d%2d":
"%4d%2d%2d%2d%2d";
- sscanf((char *)utctime->ptr, format, &t.tm_year, &t.tm_mon, &t.tm_mday,
- &t.tm_hour, &t.tm_min);
+ if (sscanf(utctime->ptr, format, &t.tm_year, &t.tm_mon, &t.tm_mday,
+ &t.tm_hour, &t.tm_min) != 5)
+ {
+ return 0; /* error in time st [yy]yymmddhhmm time format */
+ }
+
}
/* is there a seconds field? */
if ((eot - (char *)utctime->ptr) == ((type == ASN1_UTCTIME)?12:14))
{
- sscanf(eot-2, "%2d", &t.tm_sec);
+ if (sscanf(eot-2, "%2d", &t.tm_sec) != 1)
+ {
+ return 0; /* error in ss seconds field format */
+ }
+
}
else
{
@@ -283,7 +312,11 @@ asn1totime(const chunk_t *utctime, asn1_
t.tm_year += 100;
}
- /* representation of month 0..11*/
+ if (t.tm_mon < 1 || t.tm_mon > 12)
+ {
+ return 0; /* error in month format */
+ }
+ /* representation of month 0..11 in struct tm */
t.tm_mon--;
/* set daylight saving time to off */
@@ -384,7 +417,7 @@ extract_object(asn1Object_t const *objec
blob1->len = asn1_length(blob);
- if (blob1->len == ASN1_INVALID_LENGTH || blob->len < blob1->len)
+ if (blob1->len == ASN1_INVALID_LENGTH)
{
DBG(DBG_PARSING,
DBG_log("L%d - %s: length of ASN1 object invalid or too large",
openswan-2.6.21-nss-fedora-diff-modified.patch:
--- NEW FILE openswan-2.6.21-nss-fedora-diff-modified.patch ---
diff -urNp openswan-2.6.21/include/oswconf.h openswan-2.6.21-fedora-diff/include/oswconf.h
--- openswan-2.6.21/include/oswconf.h 2009-05-18 22:52:31.000000000 -0400
+++ openswan-2.6.21-fedora-diff/include/oswconf.h 2009-06-25 17:09:00.000000000 -0400
@@ -79,6 +79,10 @@ extern char *getNSSPassword(PK11SlotInfo
extern bool Pluto_IsFIPS(void);
#endif
+//#ifdef FIPS_CHECK
+//extern bool Pluto_IsFIPS(void);
+//#endif
+
#endif /* _OSW_ALLOC_H_ */
/*
diff -urNp openswan-2.6.21/lib/libcrypto/libmd5/md5.c openswan-2.6.21-fedora-diff/lib/libcrypto/libmd5/md5.c
--- openswan-2.6.21/lib/libcrypto/libmd5/md5.c 2009-05-18 22:52:31.000000000 -0400
+++ openswan-2.6.21-fedora-diff/lib/libcrypto/libmd5/md5.c 2009-06-25 18:25:00.000000000 -0400
@@ -74,8 +74,9 @@ documentation and/or software.
#define S44 21
#define MD5Transform _MD5Transform
-
+#ifndef HAVE_LIBNSS
static void MD5Transform PROTO_LIST ((UINT4 [4], const unsigned char [64]));
+#endif
#if BYTE_ORDER == LITTLE_ENDIAN
#define Encode MD5_memcpy
@@ -100,11 +101,13 @@ static void MD5_memcpy PROTO_LIST ((POIN
static void MD5_memset PROTO_LIST ((POINTER, int, unsigned int));
#endif
#endif
+#ifndef HAVE_LIBNSS
static unsigned char PADDING[64] = {
0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};
+#endif
/* F, G, H and I are basic MD5 functions.
*/
@@ -147,14 +150,14 @@ void osMD5Init (context)
MD5_CTX *context; /* context */
{
#ifdef HAVE_LIBNSS
- DBG(DBG_CRYPT, DBG_log("NSS: md5 init start"));
+ //DBG(DBG_CRYPT, DBG_log("NSS: md5 init start"));
SECStatus status;
context->ctx_nss=NULL;
context->ctx_nss = PK11_CreateDigestContext(SEC_OID_MD5);
PR_ASSERT(context->ctx_nss!=NULL);
status=PK11_DigestBegin(context->ctx_nss);
PR_ASSERT(status==SECSuccess);
- DBG(DBG_CRYPT, DBG_log("NSS: md5 init end"));
+ //DBG(DBG_CRYPT, DBG_log("NSS: md5 init end"));
#else
context->count[0] = context->count[1] = 0;
/* Load magic initialization constants.
@@ -178,7 +181,7 @@ UINT4 inputLen;
#ifdef HAVE_LIBNSS
SECStatus status=PK11_DigestOp(context->ctx_nss, input, inputLen);
PR_ASSERT(status==SECSuccess);
- DBG(DBG_CRYPT, DBG_log("NSS: md5 update end"));
+ //DBG(DBG_CRYPT, DBG_log("NSS: md5 update end"));
#else
UINT4 i;
unsigned int myindex, partLen;
@@ -225,7 +228,7 @@ MD5_CTX *context;
PR_ASSERT(length==MD5_DIGEST_SIZE);
PR_ASSERT(status==SECSuccess);
PK11_DestroyContext(context->ctx_nss, PR_TRUE);
- DBG(DBG_CRYPT, DBG_log("NSS: md5 final end"));
+ //DBG(DBG_CRYPT, DBG_log("NSS: md5 final end"));
#else
unsigned char bits[8];
unsigned int myindex, padLen;
@@ -256,6 +259,7 @@ MD5_CTX *context;
/* MD5 basic transformation. Transforms state based on block.
*/
+#ifndef HAVE_LIBNSS
static void MD5Transform (state, block)
UINT4 state[4];
const unsigned char block[64];
@@ -345,6 +349,7 @@ const unsigned char block[64];
*/
MD5_memset ((POINTER)x, 0, sizeof (x));
}
+#endif
#if BYTE_ORDER != LITTLE_ENDIAN
diff -urNp openswan-2.6.21/lib/libcrypto/libsha1/sha1.c openswan-2.6.21-fedora-diff/lib/libcrypto/libsha1/sha1.c
--- openswan-2.6.21/lib/libcrypto/libsha1/sha1.c 2009-05-18 22:52:31.000000000 -0400
+++ openswan-2.6.21-fedora-diff/lib/libcrypto/libsha1/sha1.c 2009-06-22 21:14:50.000000000 -0400
@@ -124,7 +124,7 @@ void SHA1Init(SHA1_CTX* context)
PR_ASSERT(context->ctx_nss!=NULL);
status=PK11_DigestBegin(context->ctx_nss);
PR_ASSERT(status==SECSuccess);
- DBG(DBG_CRYPT, DBG_log("NSS: sha1 init end"));
+ //DBG(DBG_CRYPT, DBG_log("NSS: sha1 init end"));
#else
/* SHA1 initialization constants */
context->state[0] = 0x67452301;
@@ -144,7 +144,7 @@ void SHA1Update(SHA1_CTX* context, const
#ifdef HAVE_LIBNSS
SECStatus status=PK11_DigestOp(context->ctx_nss, data, len);
PR_ASSERT(status==SECSuccess);
- DBG(DBG_CRYPT, DBG_log("NSS: sha1 update end"));
+ //DBG(DBG_CRYPT, DBG_log("NSS: sha1 update end"));
/*loglog(RC_LOG_SERIOUS, "enter sha1 ctx update end");*/
#else
u_int32_t i;
diff -urNp openswan-2.6.21/lib/libipsecconf/confread.c openswan-2.6.21-fedora-diff/lib/libipsecconf/confread.c
--- openswan-2.6.21/lib/libipsecconf/confread.c 2009-03-30 09:11:28.000000000 -0400
+++ openswan-2.6.21-fedora-diff/lib/libipsecconf/confread.c 2009-06-27 00:08:09.000000000 -0400
@@ -32,6 +32,11 @@
#include "ipsecconf/starterlog.h"
#include "ipsecconf/oeconns.h"
+#ifdef HAVE_LIBNSS
+//#ifdef FIPS_CHECK
+#include "oswconf.h"
+#endif
+
static char _tmp_err[512];
/**
@@ -969,6 +974,18 @@ static int load_conn (struct starter_con
/* reset authby flags */
if(conn->options_set[KBF_AUTHBY]) {
conn->policy &= ~(POLICY_ID_AUTH_MASK);
+
+#ifdef HAVE_LIBNSS
+//#ifdef FIPS_CHECK
+ if(Pluto_IsFIPS()) {
+ if((conn->options[KBF_AUTHBY] & POLICY_PSK) == POLICY_PSK){
+ starter_log(LOG_LEVEL_INFO
+ ,"while loading conn '%s', PSK not allowed in FIPS mode with NSS", conn->name);
+ return 1;
+ }
+ }
+#endif
+
conn->policy |= conn->options[KBF_AUTHBY];
#if STARTER_POLICY_DEBUG
diff -urNp openswan-2.6.21/lib/libipsecconf/Makefile openswan-2.6.21-fedora-diff/lib/libipsecconf/Makefile
--- openswan-2.6.21/lib/libipsecconf/Makefile 2009-03-30 09:11:28.000000000 -0400
+++ openswan-2.6.21-fedora-diff/lib/libipsecconf/Makefile 2009-06-25 18:18:35.000000000 -0400
@@ -32,6 +32,13 @@ SRCS+=interfaces.c
#enable to get lots more debugging about semantics.
#CFLAGS+=-DPARSER_TYPE_DEBUG
+#ifeq ($(USE_FIPSCHECK),true)
+#CFLAGS+=-DFIPS_CHECK
+ifeq ($(USE_LIBNSS),true)
+CFLAGS+=-DHAVE_LIBNSS
+CFLAGS+=-I/usr/include/nspr4 -I/usr/include/nss3
+endif
+
ifeq ($(USE_KLIPS),true)
SRCS+=virtif.c
endif
diff -urNp openswan-2.6.21/lib/libopenswan/alg_info.c openswan-2.6.21-fedora-diff/lib/libopenswan/alg_info.c
--- openswan-2.6.21/lib/libopenswan/alg_info.c 2009-03-30 09:11:28.000000000 -0400
+++ openswan-2.6.21-fedora-diff/lib/libopenswan/alg_info.c 2009-06-27 00:43:35.000000000 -0400
@@ -36,6 +36,10 @@
#include "oswlog.h"
#include "oswalloc.h"
+#ifdef HAVE_LIBNSS
+#include "oswconf.h"
+#endif
+
/* abstract reference */
struct oakley_group_desc;
@@ -625,6 +629,13 @@ parser_alg_info_add(struct parser_contex
p_ctx->err="hash_alg not found";
goto out;
}
+
+#ifdef HAVE_LIBNSS
+ if ( Pluto_IsFIPS() && ((aalg_id == OAKLEY_SHA2_256 ) ||(aalg_id == OAKLEY_SHA2_384 ) || (aalg_id == OAKLEY_SHA2_512 )) ) {
+ p_ctx->err="SHA2 Not supported in FIPS mode with NSS";
+ goto out;
+ }
+#endif
DBG(DBG_CRYPT, DBG_log("parser_alg_info_add() "
"aalg_getbyname(\"%s\")=%d",
p_ctx->aalg_buf,
diff -urNp openswan-2.6.21/lib/libopenswan/Makefile openswan-2.6.21-fedora-diff/lib/libopenswan/Makefile
--- openswan-2.6.21/lib/libopenswan/Makefile 2009-03-30 09:11:28.000000000 -0400
+++ openswan-2.6.21-fedora-diff/lib/libopenswan/Makefile 2009-06-25 17:20:41.000000000 -0400
@@ -103,6 +103,10 @@ CFLAGS+=-DHAVE_LIBNSS
CFLAGS+=-I/usr/include/nspr4 -I/usr/include/nss3
endif
[...1772 lines suppressed...]
PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 1);
- snprintf(buf, sizeof(buf), "sql:%s",configdir);
+ snprintf(buf, sizeof(buf), "sql:%s",configdir);
if ((rv = NSS_InitReadWrite(buf)) != SECSuccess) {
fprintf(stderr, "%s: NSS_InitReadWrite returned %d\n", me, PR_GetError());
break;
@@ -590,10 +590,10 @@ rsasigkey(int nbits, char *configdir, ch
PK11_SetPasswordFunc(GetModulePassword);
nss_initialized = PR_TRUE;
- /* Good for now but someone may want to use a hardware token
- *slot = PK11_GetInternalKeySlot();
- * In which case this may be better*/
- slot = PK11_GetBestSlot(CKM_RSA_PKCS_KEY_PAIR_GEN, password ? &pwdata : NULL);
+ /* Good for now but someone may want to use a hardware token*/
+ slot = PK11_GetInternalKeySlot();
+ /* In which case this may be better*/
+ //slot = PK11_GetBestSlot(CKM_RSA_PKCS_KEY_PAIR_GEN, password ? &pwdata : NULL);
/*or the user may specify the name of a token.
*/
diff -urNp openswan-2.6.21/programs/showhostkey/showhostkey.c openswan-2.6.21-fedora-diff/programs/showhostkey/showhostkey.c
--- openswan-2.6.21/programs/showhostkey/showhostkey.c 2009-05-18 22:52:31.000000000 -0400
+++ openswan-2.6.21-fedora-diff/programs/showhostkey/showhostkey.c 2009-05-18 22:53:35.000000000 -0400
@@ -489,7 +489,7 @@ int main(int argc, char *argv[])
PRBool nss_initialized = PR_FALSE;
SECStatus rv;
char buf[100];
- snprintf(buf, sizeof(buf), "sql:%s",oco->confddir);
+ snprintf(buf, sizeof(buf), "sql:%s",oco->confddir);
loglog(RC_LOG_SERIOUS,"nss directory showhostkey: %s",buf);
PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 1);
if ((rv = NSS_InitReadWrite(buf)) != SECSuccess){
diff -urNp openswan-2.6.21/README.nss openswan-2.6.21-fedora-diff/README.nss
--- openswan-2.6.21/README.nss 2009-05-18 22:52:31.000000000 -0400
+++ openswan-2.6.21-fedora-diff/README.nss 2009-06-27 00:22:42.000000000 -0400
@@ -2,12 +2,11 @@ Title: Using NSS crypto library with Plu
Author: Avesh Agarwal email: avagarwa at redhat.com
Version:0.0
-
About NSS crypto library
--------------------------
Please visit http://www.mozilla.org/projects/security/pki/nss/
-NSS crypto library is user space library. It is only used with Pluto (user space IKE daemon) for cryptographic operations. When using NSS, it does not impact the way IPSEC kernel (KLIPS or NETKEY) works. The usefulness of using NSS lies in the fact that the secret information (like private keys or anything else) never comes out of NSS database.
+NSS crypto library is user space library. It is only used with Pluto (user space IKE daemon) for cryptographic operations. When using NSS, it does not impact the way IPSEC kernel (KLIPS or NETKEY) works. The usefulness of using NSS lies in the fact that the secret information (like private keys or anything else) never comes out of NSS database. Openswan with NSS supports IKEV1, IKEv2, authentication using PSK, Raw RSA Sig key, and Digital Certs.
How to enable NSS crypto library with Openswan
@@ -49,9 +48,9 @@ About the password file "nsspassword"
If you create the database with a password, and want to run NSS in FIPS mode, you must create a password file with the name "nsspassword" in the /etc/ipsec.d before running pluto with NSS. The "nsspassword" file must contain the password you provided when creating NSS database.
Important thing to note:
-i) You only need the "nsspassword" file if you run pluto in FIPS. In other way, if you run pluto in normal or NonFIPS mode and even if you create the NSS database with a password, you need not create a "nsspassword" file.
+i) You only need the "nsspassword" file if you run pluto in FIPS. In other way, if you run pluto in normal or NonFIPS mode, then you can create the NSS database without password, and you need not create a "nsspassword" file. However, if the NSS db is created with a password, the "nsspassword" file must also be provided.
-ii) If you create he "nsspassword" file, it must contain only the password nothing else.
+ii) If you create the "nsspassword" file, it must contain only the password nothing else.
Generating RSA keys when using NSS
@@ -60,7 +59,7 @@ You can still use ipsec newhostkey and i
ipsec newhostkey --configdir /etc/ipsec.d [--password password] --output /etc/ipsec.d/ipsec.secrets
-A password is only required if NSS database is used in FIPS mode. If you use NSS and create RSA keys (private/public), you will notice that the contents of the ipsec.secrets are different than what used to be before.
+A password is only required if NSS database created with password. If you use NSS and create RSA keys (private/public), you will notice that the contents of the ipsec.secrets are different than what used to be before.
Public key information in ipsec.secrets is stored in the same way as before. However, all the fields of the Private key information contain just a similar ID. This ID is called CKA ID, which is used to locate private keys inside NSS database during the IKE negotiation.
@@ -90,9 +89,9 @@ It creates a user cert with nick name "u
Important thing to note: You must provided a nick name when creating a user cert, because Pluto reads the user cert from the NSS database nased on the user cert's nickname.
-Changes in the certitificates usage with Pluto
+Changes in the certificates usage with Pluto
------------------------------------------------
-1) ipsec.comf changes
+1) ipsec.conf changes
The only change is "leftcert" field must contain the nick name of the user cert. For example if the nickname of the user cert is "xyz", then it can be "leftid=xyz".
@@ -109,9 +108,111 @@ There is no need to provide private key
3) changes in the directories in /etc/ipsec.d/ (cacerts, certs, private)
i)You need not have "private" or "certs" directory.
-ii) If you obtain a CA certificate from outside, and it is not inside NSS database, then you need to put the certificate inside "cacerts" directory, so that Pluto can read it. If the CA certificate is created in the NSS database, or imported from outside inside the NSS database, you need not have "cacerts" directory,as Pluto can read the CA cert from the database.
+ii) If you obtain a CA certificate from outside, and it is not inside NSS database, then you need to put the certificate inside "cacerts" directory, so that Pluto can read it. If the CA certificate is created in the NSS database, or imported from outside inside the NSS database, you need not have "cacerts" directory, as Pluto can read the CA cert from the database.
+
+
+An example Scenario: To setup ipsec with certs in tunnel mode using NSS
+------------------------------------------------------------
+
+GW Machine 1: w1.x1.y1.z1
+GW Machine 2: w2.x2.y2.z2
+
+w1.x1.y1.z1 <---> w2.x2.y2.z2
+
+Note: In this example setup, both machines are using NSS. If you want to use
+NSS only at one machine, say machine 1, you can use the following procedure
+only at machine 1, and you can use traditional ipsec setup at machine 2.
+
+1. Create a new (if not already) nss db on both machines as follows:
+
+certutil -N -d <path-to-ipsec.d dir>/ipsec.d
+
+2. Creating CA certs at both machines:
+
+On machine 1:
+certutil -S -k rsa -n cacert1 -s "CN=cacert1" -v 12 -d . -t "C,C,C" -x -d
+<path-to-ipsec.d dir>/ipsec.d
+
+As we want to use the same certificate "cacert1" at machine 2, it needs to be
+exported first. To export the cacert1, do the following at machine 1:
+
+pk12util -o cacert1.p12 -n cacert1 -d /etc/ipsec.d
+
+Copy the file "cacert1.p12" to the machine2 in "/etc/ipsec.d" directory.
+
+On machine 2:
+Import the "cacert1" as follows:
+
+cd /etc/ipsec.d
+pk12util -i cacert1.p12 -d /etc/ipsec.d
+certutil -M -n cacert1 -t "C, C, C" -d /etc/ipsec.d
+
+Now machine 2 also has the CA certificates "cacert1" in its NSS database.
+
+3. Creating user certs at both machines:
+
+On machine 1:
+certutil -S -k rsa -c cacert1 -n usercert1 -s "CN=usercert1" -v 12 -t "u,u,u"
+-d /etc/ipsec.d
+(Note this cert is signed by "cacert1")
+
+On machine 2:
+certutil -S -k rsa -c cacert1 -n usercert2 -s "CN=usercert2" -v 12 -t "u,u,u"
+-d /etc/ipsec.d
+(Note this cert is signed by "cacert1" too)
+
+4. Preparing ipsec.conf at both machines
+
+ipsec.conf at machine 1:
+
+
+conn pluto-1-2
+ left=w1.x1.y1.z1
+ leftid="CN=usercert1"
+ leftsourceip=w1.x1.y1.z1
+ leftrsasigkey=%cert
+ leftcert=usercert1
+ leftnexthop=w2.x2.y2.z2
+ right=w2.x2.y2.z2
+ rightid="CN=usercert2"
+ rightsourceip=w2.x2.y2.z2
+ rightrsasigkey=%cert
+ rightnexthop=w1.x1.y1.z1
+ rekey=no
+ esp="aes-sha1"
+ ike="aes-sha1"
+ auto=add
+
+
+ipsec.conf at machine 2:
+
+
+conn pluto-1-2
+ left=w2.x2.y2.z2
+ leftid="CN=usercert2"
+ leftsourceip=w2.x2.y2.z2
+ leftrsasigkey=%cert
+ leftcert=usercert2
+ leftnexthop=w1.x1.y1.z1
+ right=w1.x1.y1.z1
+ rightid="CN=usercert1"
+ rightsourceip=w1.x1.y1.z1
+ rightrsasigkey=%cert
+ rightnexthop=w2.x2.y2.z2
+ rekey=no
+ esp="aes-sha1"
+ ike="aes-sha1"
+ auto=add
+
+5. Preparing ipsec.secrets at both machines
+
+ipsec.secrets at machine 1:
+
+ : RSA usercert1
+
+
+ipsec.secrets at machine 1:
+
+ : RSA usercert2
-Things not supported
----------------------
-PSK: It is not supported when using NSS, because it required both pluto peers to have a mutual keys created outside the NSS database. So It should not be configured with NSS.
Index: openswan.spec
===================================================================
RCS file: /cvs/pkgs/rpms/openswan/F-11/openswan.spec,v
retrieving revision 1.78
retrieving revision 1.79
diff -u -p -r1.78 -r1.79
--- openswan.spec 14 Apr 2009 20:01:08 -0000 1.78
+++ openswan.spec 6 Jul 2009 14:52:23 -0000 1.79
@@ -4,7 +4,7 @@ Summary: Openswan IPSEC implementation
Name: openswan
Version: 2.6.21
-Release: 4%{?dist}
+Release: 5%{?dist}
License: GPLv2+
Url: http://www.openswan.org/
Source: openswan-%{version}.tar.gz
@@ -17,6 +17,8 @@ Patch3: openswan-2.6-selinux.patch
Patch4: openswan-2.6.16-initscript-correction.patch
Patch5: openswan-2.6.21-gcc44.patch
Patch6: openswan-2.6.21-nss.patch
+Patch7: openswan-2.6.21-nss-fedora-diff-modified.patch
+Patch8: openswan-2.6.21-CVE-2009-2185.patch
Group: System Environment/Daemons
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -70,6 +72,8 @@ find doc -name .gitignore -print0 | xarg
%patch4 -p1
%patch5 -p1
%patch6 -p1
+%patch7 -p1
+%patch8 -p1
%build
@@ -169,6 +173,12 @@ fi
chkconfig --add ipsec || :
%changelog
+* Mon Jul 06 2009 Avesh Agarwal <avagarwa at redhat.com> - 2.6.21-5
+- Added support for using PSK with NSS
+- Fixed several warnings and undid unnecessary comments
+- Updated README.nss with an example configuration
+- Fixed Openswan ASN.1 parser vulnerability (CVE-2009-2185)
+
* Tue Apr 14 2009 Avesh Agarwal <avagarwa at redhat.com> - 2.6.21-4
- Updated the Openswan-NSS porting to enable nss and fipscheck by default
- fipscheck requires fipscheck-devel library
- Previous message (by thread): rpms/gnome-power-manager/devel gnome-power-manager-2.27.2-fix-potfiles.patch, NONE, 1.1 .cvsignore, 1.60, 1.61 gnome-power-manager-port-to-polkit1.patch, 1.1, 1.2 gnome-power-manager.spec, 1.162, 1.163 sources, 1.60, 1.61
- Next message (by thread): rpms/libxcb/devel libxcb.spec,1.23,1.24
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
More information about the fedora-extras-commits
mailing list