rpms/openswan/devel openswan-2.6.21-nss.patch, NONE, 1.1 openswan.spec, 1.74, 1.75 openswan-2.6.21-nss-disabled.patch, 1.1, NONE

avesh agarwal avesh at fedoraproject.org
Tue Apr 14 17:22:47 UTC 2009


Author: avesh

Update of /cvs/pkgs/rpms/openswan/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv16478

Modified Files:
	openswan.spec 
Added Files:
	openswan-2.6.21-nss.patch 
Removed Files:
	openswan-2.6.21-nss-disabled.patch 
Log Message:
* Mon Apr 14 2009 Avesh Agarwal <avagarwa at redhat.com> - 2.6.21-3
- Updated the Openswan-NSS porting to enable nss by default
- The patch includes README.nss for information about NSS usage


openswan-2.6.21-nss.patch:

--- NEW FILE openswan-2.6.21-nss.patch ---
diff -urNp openswan-2.6.21-orig/include/certs.h openswan-2.6.21/include/certs.h
--- openswan-2.6.21-orig/include/certs.h	2009-03-30 09:11:28.000000000 -0400
+++ openswan-2.6.21/include/certs.h	2009-04-02 14:49:47.000000000 -0400
@@ -90,6 +90,12 @@ extern bool load_coded_file(const char *
 			    , int verbose
 			    , const char *type, chunk_t *blob, bool *pgp);
 
+#ifdef HAVE_LIBNSS
+extern bool load_cert_from_nss(bool forcedtype, const char *nssHostCertNickName, int verbose,
+                   const char *label, cert_t *cert);
+extern void load_authcerts_from_nss(const char *type, u_char auth_flags);
+#endif
+
 #endif /* _CERTS_H */
 
 /*
diff -urNp openswan-2.6.21-orig/include/constants.h openswan-2.6.21/include/constants.h
--- openswan-2.6.21-orig/include/constants.h	2009-03-30 09:11:28.000000000 -0400
+++ openswan-2.6.21/include/constants.h	2009-04-02 14:49:47.000000000 -0400
@@ -53,10 +53,10 @@ typedef int bool;
 #define dup_any(fd) ((fd) == NULL_FD? NULL_FD : dup(fd))
 #define close_any(fd) { if ((fd) != NULL_FD) { close(fd); (fd) = NULL_FD; } }
 
-
-/* Also comes in via <nspr4/prcpucfg.h> with USE_NSS */
-#ifndef BITS_PER_BYTE
-# define BITS_PER_BYTE	8
+#ifdef HAVE_LIBNSS
+#include <prcpucfg.h>
+#else
+#define BITS_PER_BYTE	8
 #endif
 #define BYTES_FOR_BITS(b)   (((b) + BITS_PER_BYTE - 1) / BITS_PER_BYTE)
 
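Review bot: The rewritten block in constants.h drops the `#ifndef BITS_PER_BYTE` guard, so `BYTES_FOR_BITS` now depends entirely on `<prcpucfg.h>` supplying the macro when HAVE_LIBNSS is set. If NSPR is built or included in a mode that hides its unprefixed names, the NSS build loses the definition, and a non-NSS build that gets `BITS_PER_BYTE` from another header now hits a redefinition. I would close the conditional straight after the include and keep the old fallback behind it: `#ifndef BITS_PER_BYTE` / `# define BITS_PER_BYTE 8` / `#endif`. Every file that includes constants.h also needs the NSPR include path once HAVE_LIBNSS is defined, which is worth a one-line comment next to the `#include`.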
diff -urNp openswan-2.6.21-orig/include/md5.h openswan-2.6.21/include/md5.h
--- openswan-2.6.21-orig/include/md5.h	2009-03-30 09:11:28.000000000 -0400
+++ openswan-2.6.21/include/md5.h	2009-04-02 14:49:47.000000000 -0400
@@ -62,11 +62,21 @@ These notices must be retained in any co
 documentation and/or software.
  */
 
+#ifdef HAVE_LIBNSS
+#include <nss.h>
+#include <pk11pub.h>
+#endif
+
+
 /* MD5 context. */
 typedef struct {
+#ifdef HAVE_LIBNSS
+  PK11Context* ctx_nss;
+#else
   UINT4 state[4];                                   /* state (ABCD) */
   UINT4 count[2];        /* number of bits, modulo 2^64 (lsb first) */
   unsigned char buffer[64];                         /* input buffer */
+#endif
 } MD5_CTX;
 
 void osMD5Init PROTO_LIST ((MD5_CTX *));
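Review bot: The new `ctx_nss` member gives MD5_CTX a pointer to an NSS context without saying who creates and destroys it, and with HAVE_LIBNSS the struct is no longer plain data. A caller that copies an MD5_CTX by value, or drops one without finalising it, would share or leak the PK11Context; whether such callers exist is not visible in this hunk. I would document this at the field, e.g. `PK11Context* ctx_nss;  /* NSS digest context owned by this MD5_CTX; do not copy the struct by value */`, and name the function that releases it. The same applies to the renamed `ctx_nss` field in include/sha1.h.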
diff -urNp openswan-2.6.21-orig/include/oswconf.h openswan-2.6.21/include/oswconf.h
--- openswan-2.6.21-orig/include/oswconf.h	2009-03-30 09:11:28.000000000 -0400
+++ openswan-2.6.21/include/oswconf.h	2009-04-02 14:49:47.000000000 -0400
@@ -19,6 +19,11 @@
 
 #include "constants.h"
 
+#ifdef HAVE_LIBNSS
+#include <nss.h>
+#include <pk11pub.h>
+#endif
+
 struct paththing {
   char    *path;
   size_t   path_space;
@@ -50,10 +55,30 @@ struct osw_conf_options {
     char *ocspcerts_dir;          /* "/etc/ipsec.d/ocspcerts" */
 };
 
+#ifdef HAVE_LIBNSS
+typedef struct {
+    enum {
+    PW_NONE = 0,      /* no password */
+    PW_FROMFILE = 1,  /* password data in a text file */
+    PW_PLAINTEXT = 2, /* password data in the clear in memory buffer */
+    PW_EXTERNAL = 3   /* external source, user will be prompted */
+    } source ;
+    char *data;
+} secuPWData;
+#endif
+
+
 extern const struct osw_conf_options *osw_init_options(void);
 extern const struct osw_conf_options *osw_init_ipsecdir(const char *ipsec_dir);
 extern const struct osw_conf_options *osw_init_rootdir(const char *root_dir);
 
+
+#ifdef HAVE_LIBNSS
+extern secuPWData *osw_return_nss_password_file_info(void);
+extern char *getNSSPassword(PK11SlotInfo *slot, PRBool retry, void *arg);
+extern bool Pluto_IsFIPS(void);
+#endif
+
 #endif /* _OSW_ALLOC_H_ */
 
 /*
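Review bot: `secuPWData.data` can hold the NSS database password (`PW_PLAINTEXT` is described as "in the clear in memory buffer"), but neither the typedef nor the `getNSSPassword` prototype says who allocates, wipes and frees that buffer. In a long-running daemon that handles key material, this contract belongs in the header, for example `char *data;  /* interpreted according to source; owner must zero and free after use */`. If `getNSSPassword` is installed as the NSS password callback, the returned string is presumably released by NSS rather than by pluto, and a comment on the prototype should say so. The enum nested in the typedef is anonymous; giving it a tag would make the `source` values easier to find in a debugger and in grep.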
diff -urNp openswan-2.6.21-orig/include/pem.h openswan-2.6.21/include/pem.h
--- openswan-2.6.21-orig/include/pem.h	2009-03-30 09:11:28.000000000 -0400
+++ openswan-2.6.21/include/pem.h	2009-04-02 14:49:47.000000000 -0400
@@ -18,3 +18,6 @@
 
 extern err_t pemtobin(chunk_t *blob, prompt_pass_t *pass, const char* label
     , bool *pgp);
+
+extern void do_3des_nss(u_int8_t *buf, size_t buf_len
+	, u_int8_t *key, size_t key_size, u_int8_t *iv, bool enc);
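Review bot: `do_3des_nss` is declared unconditionally in pem.h, whereas every other NSS declaration this patch adds (certs.h, oswconf.h, secrets.h) sits inside `#ifdef HAVE_LIBNSS`. A build without NSS therefore sees a prototype that presumably has no definition, and a stray call would fail only at link time. I would wrap the prototype in `#ifdef HAVE_LIBNSS` ... `#endif` like the others. The prototype also takes no IV length, so a short comment stating the expected `iv` size and whether `buf` is transformed in place would help callers.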
diff -urNp openswan-2.6.21-orig/include/secrets.h openswan-2.6.21/include/secrets.h
--- openswan-2.6.21-orig/include/secrets.h	2009-03-30 09:11:28.000000000 -0400
+++ openswan-2.6.21/include/secrets.h	2009-04-02 14:49:47.000000000 -0400
@@ -19,6 +19,11 @@
 #include <gmp.h>    /* GNU MP library */
 #include "id.h"
 
+#ifdef HAVE_LIBNSS
+#include <nss.h>
+#include <pk11pub.h>
+#endif
+
 #ifndef SHARED_SECRETS_FILE
 # define SHARED_SECRETS_FILE  "/etc/ipsec.secrets"
 #endif
@@ -37,6 +42,9 @@ struct RSA_public_key
     MP_INT
 	n,	/* modulus: p * q */
 	e;	/* exponent: relatively prime to (p-1) * (q-1) [probably small] */
+#ifdef HAVE_LIBNSS
+    CERTCertificate *nssCert;
+#endif
 };
 
 struct RSA_private_key {
@@ -50,6 +58,10 @@ struct RSA_private_key {
 	dP,	/* first factor's exponent: (e^-1) mod (p-1) == d mod (p-1) */
 	dQ,	/* second factor's exponent: (e^-1) mod (q-1) == d mod (q-1) */
 	qInv;	/* (q^-1) mod p */
+#ifdef HAVE_LIBNSS
+    unsigned char ckaid[HMAC_BUFSIZE];  /*ckaid for use in NSS*/
+    unsigned int  ckaid_len;	
+#endif
 };
 
 extern void free_RSA_public_content(struct RSA_public_key *rsa);
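Review bot: `ckaid` is a fixed `HMAC_BUFSIZE`-byte array with a separate `ckaid_len`, and nothing in the struct records that the length must stay within the array. The code that fills it is outside this hunk, but the ID presumably comes from ipsec.secrets or from the NSS database, so its length is externally determined and every copy into `ckaid` needs a bound check against `sizeof(ckaid)`. I would state the invariant at the field, `unsigned char ckaid[HMAC_BUFSIZE];  /* CKA_ID of the key in the NSS db; ckaid_len <= sizeof(ckaid) */`, and declare `ckaid_len` as `size_t`. Using a hash-size constant for an identifier buffer also deserves a short comment explaining why that size is sufficient.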
@@ -133,6 +145,11 @@ extern void delete_public_keys(struct pu
 			       , enum pubkey_alg alg);
 extern void form_keyid(chunk_t e, chunk_t n, char* keyid, unsigned *keysize);
 
+#ifdef HAVE_LIBNSS
+extern void form_keyid_from_nss(SECItem e, SECItem n, char* keyid, unsigned *keysize);
+extern err_t extract_and_add_secret_from_nss_cert_file(struct RSA_private_key *rsak, char *nssHostCertNickName);
+#endif
+
 extern struct pubkey *reference_key(struct pubkey *pk);
 extern void unreference_key(struct pubkey **pkp);
 
diff -urNp openswan-2.6.21-orig/include/sha1.h openswan-2.6.21/include/sha1.h
--- openswan-2.6.21-orig/include/sha1.h	2009-03-30 09:11:28.000000000 -0400
+++ openswan-2.6.21/include/sha1.h	2009-04-02 14:49:47.000000000 -0400
@@ -15,7 +15,7 @@ By Steve Reid <steve at edmweb.com>
 
 typedef struct {
 #ifdef HAVE_LIBNSS
-PK11Context* DigestContext;
+    PK11Context* ctx_nss;
 #else
     u_int32_t state[5];
     u_int32_t count[2];
diff -urNp openswan-2.6.21-orig/lib/libcrypto/libmd5/Makefile openswan-2.6.21/lib/libcrypto/libmd5/Makefile
--- openswan-2.6.21-orig/lib/libcrypto/libmd5/Makefile	2009-03-30 09:11:28.000000000 -0400
+++ openswan-2.6.21/lib/libcrypto/libmd5/Makefile	2009-04-02 14:49:47.000000000 -0400
@@ -10,4 +10,9 @@ ONEFILE=md5.c
 LIBRARY=crypto/libmd5
 LIB=libmd5.a
 
+ifeq ($(USE_LIBNSS),true)
+CFLAGS+=-DHAVE_LIBNSS
+CFLAGS+=-I/usr/include/nspr4 -I/usr/include/nss3
+endif
+
 include ${srcdir}../../Makefile.library
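Review bot: The added `CFLAGS+=-I/usr/include/nspr4 -I/usr/include/nss3` hard-codes the header locations of one distribution layout, so the NSS build breaks wherever NSPR and NSS install elsewhere. I would take the flags from pkg-config instead, e.g. `CFLAGS+=$(shell pkg-config --cflags nss)`, which also pulls in the NSPR include path. If other library Makefiles in the patch repeat the same three lines, defining them once in the shared Makefile.inc next to `USE_LIBNSS` would keep them consistent.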
diff -urNp openswan-2.6.21-orig/lib/libcrypto/libmd5/md5.c openswan-2.6.21/lib/libcrypto/libmd5/md5.c
--- openswan-2.6.21-orig/lib/libcrypto/libmd5/md5.c	2009-03-30 09:11:28.000000000 -0400
+++ openswan-2.6.21/lib/libcrypto/libmd5/md5.c	2009-04-02 14:49:47.000000000 -0400
@@ -46,6 +46,11 @@ documentation and/or software.
 #include "md5.h"
 #include "oswendian.h" /* sets BYTE_ORDER, LITTLE_ENDIAN, and BIG_ENDIAN */
 
+#ifdef HAVE_LIBNSS
+#include <pk11pub.h>
+#include "oswlog.h"
+#endif
[...5344 lines suppressed...]
@@ -0,0 +1,117 @@
+Title: Using NSS crypto library with Pluto (Openswan)
+Author: Avesh Agarwal email: avagarwa at redhat.com
+Version:0.0
+
+
+About NSS crypto library
+--------------------------
+Please visit http://www.mozilla.org/projects/security/pki/nss/
+ 
+NSS crypto library is user space library. It is only used with Pluto (user space IKE daemon) for cryptographic operations. When using NSS, it does not impact the way IPSEC kernel (KLIPS or NETKEY) works. The usefulness of using NSS lies in the fact that the secret information (like private keys or anything else) never comes out of NSS database.
+
+
+How to enable NSS crypto library with Openswan
+-----------------------------------------------
+Change the flag USE_LIBNSS in openswan/Makefile.inc to "true" before compilation
+
+
+Basic NSS tools required
+-------------------------
+certutil: To create/modify/delete NSS db, certificates etc. More description can be found at
+http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html
+
+pk12util: To import/export certificates or keys in to/out of NSS db. More description can be found at
+http://www.mozilla.org/projects/security/pki/nss/tools/pk12util.html  
+
+modutil: To put NSS into FIPS mode. 
+http://www.mozilla.org/projects/security/pki/nss/tools/modutil.html
+
+
+Creating database before using NSS with Pluto (Openswan)
+--------------------------------------------------------
+You must create a NSS db before running pluto with NSS enabled. NSS db can be created as follows.
+
+certutil -N -d <path-to-ipsec.d- dir>/ipsec.d
+
+By default the path to ipsec.d is set to /etc/ipsec.d. 
+
+Without loss of generality, the further discussion is based on that the path to ipsec.d is "/etc/ipsec.d".
+
+
+NSS database password
+----------------------
+When creating a database, the certutil command also prompts for a password. It is upto the user to provide a password or not for the database.
+However, database password must be provided in FIPS mode. 
+
+
+About the password file "nsspassword"
+-------------------------------------
+If you create the database with a password, and want to run NSS in FIPS mode, you must create a password file with the name "nsspassword" in the /etc/ipsec.d before running pluto with NSS. The "nsspassword" file must contain the password you provided when creating NSS database. 
+
+Important thing to note: 
+i) You only need the "nsspassword" file if you run pluto in FIPS. In other way, if you run pluto in normal or NonFIPS mode and even if you create the NSS database with a password, you need not create a "nsspassword" file. 
+
+ii) If you create he "nsspassword" file, it must contain only the password nothing else.  
+
+
+Generating RSA keys when using NSS
+-----------------------------------
+You can still use ipsec newhostkey and ipsec rsasigkey tools for creating RSA keys. The only difference is that you need to provide a path to NSS db directory (or config directoty). Assuming that NSS db is is "/etc/ipsec.d", an example is as follows
+
+ipsec newhostkey --configdir /etc/ipsec.d [--password password] --output /etc/ipsec.d/ipsec.secrets 
+
+A password is only required if NSS database is used in FIPS mode. If you use NSS and create RSA keys (private/public), you will notice that the contents of the ipsec.secrets are different than what used to be before. 
+
+Public key information in ipsec.secrets is stored in the same way as before. However, all the fields of the Private key information contain just a similar ID. This ID is called CKA ID, which is used to locate private keys inside NSS database during the IKE negotiation.
+
+Important thing to note
+------------------------
+It means that ipsec.secrets does not contain any real private key information, as private key never comes out of NSS database. Therefore ipsec.secrets is not really a secret file anymore when using pluto with NSS. 
+
+ipsec.conf does not require any changes the way it is configured when using RSA sig keys with Pluto.
+
+
+Creating certificates with NSS
+-------------------------------
+i)To create a certificate authority (CA certficate):
+
+certutil -S -k rsa -n <ca-cert-nickname> -s "CN=ca-cert-common-name" -w 12 -d . -t "C,C,C" -x -d /etc/ipsec.d
+
+It creates a certificate with RSA keys (-k rsa) with the nick name "ca-cert-nickname", and with common name "ca-cert-common-name". The option "-w" specifies the certificates validy period. "-t" specifies the attributes of the certificate. "C" is require for creating a CA certificate. "-x" mean self signed. "-d" specifies the path of the database directory.
+
+Important thing to note: It is not a requirement to create the CA in NSS database. The CA certificate can be obtained from anywhere in the world.
+
+ii) To create a user certificate signed by the above CA
+
+certutil -S -k rsa -c <ca-cert-nickname> -n <user-cert-nickname> -s "CN=user-cet-common-name" -w 12 -t "u,u,u" -d /etc/ipsec.d 
+
+It creates a user cert with nick name "user-cert-nickname" with attributes "u,u,u" signed by the CA cert "ca-cert-name". 
+
+Important thing to note: You must provided a nick name when creating a user cert, because Pluto reads the user cert from the NSS database nased on the user cert's nickname. 
+
+
+Changes in the certitificates usage with Pluto
+------------------------------------------------
+1) ipsec.comf changes
+
+The only change is "leftcert" field must contain the nick name of the user cert. For example if the nickname of the user cert is "xyz", then it can be  "leftid=xyz".
+
+2) ipsec.secrets changes
+
+ : RSA <user-cert-nick-name> 
+
+You just need to provide the user cert's nick name. For example if the nickname of the user cert is "xyz", then
+
+ : RSA xyz 
+
+There is no need to provide private key file information or its password. 
+
+3) changes in the directories in /etc/ipsec.d/ (cacerts, certs, private)  
+i)You need not have "private" or "certs" directory.
+
+ii) If you obtain a CA certificate from outside, and it is not inside NSS database, then you need to put the certificate inside "cacerts" directory, so that Pluto can read it. If the CA certificate is created in the NSS database, or imported from outside inside the NSS database, you need not have "cacerts" directory,as Pluto can read the CA cert from the database.
+
+
+Things not supported
+---------------------
+PSK: It is not supported when using NSS, because it required both pluto peers to have a mutual keys created outside the NSS database. So It should not be configured with NSS. 
diff -urNp openswan-2.6.21-orig/testing/pluto/nss-examples/x509-nss/local.conf openswan-2.6.21/testing/pluto/nss-examples/x509-nss/local.conf
--- openswan-2.6.21-orig/testing/pluto/nss-examples/x509-nss/local.conf	1969-12-31 19:00:00.000000000 -0500
+++ openswan-2.6.21/testing/pluto/nss-examples/x509-nss/local.conf	2009-04-02 14:49:47.000000000 -0400
@@ -0,0 +1,37 @@
+# /etc/ipsec.conf - Openswan IPsec configuration file
+
+version 2.0
+
+config setup
+        # put the logs in /tmp for the UMLs, so that we can operate
+        # without syslogd, which seems to break on UMLs
+        plutostderrlog=/tmp/pluto.log
+        plutorestartoncrash=false
+        dumpdir=/var/tmp
+
+# only used in x509-pluto-02
+conn north-east-x509-pluto-02
+        also=eastnet
+        also=northnet
+        # Left security gateway, subnet behind it, next hop toward right.
+        left=192.1.3.33
+        leftrsasigkey=%cert
+        leftnexthop=192.1.3.254
+	leftid="C=ca, ST=Ontario, O=Xelerance, L=Toronto, CN=north.testing.xelerance.com, E=testing at xelerance.com"
+	leftcert="user-cert-nick-name"
+        # Right security gateway, subnet behind it, next hop toward left.
+        right=192.1.2.23
+        rightnexthop=192.1.2.254
+        rightrsasigkey=%cert
+        auto=ignore
+
+conn northnet
+        leftsubnet=192.0.3.0/24
+
+include /etc/ipsec.d/ipsec.conf.common
+
+conn us
+        rightsubnet=192.0.2.0/24
+
+conn them
+        leftsubnet=192.0.1.0/24
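Review bot: `plutostderrlog=/tmp/pluto.log` and `dumpdir=/var/tmp` send the daemon's log and core dumps to world-writable directories under predictable names. The existing comment explains this for the UML harness, but the file lives under nss-examples and is likely to be copied as a starting point. I would extend the comment with a line such as `# test harness only: on a real host log via syslog or to a root-owned directory`. The same two settings appear in remote.conf. The `leftid` and `leftcert` lines are indented with a tab while the rest of the section uses spaces; this is harmless to the parser but worth normalising.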
diff -urNp openswan-2.6.21-orig/testing/pluto/nss-examples/x509-nss/remote.conf openswan-2.6.21/testing/pluto/nss-examples/x509-nss/remote.conf
--- openswan-2.6.21-orig/testing/pluto/nss-examples/x509-nss/remote.conf	1969-12-31 19:00:00.000000000 -0500
+++ openswan-2.6.21/testing/pluto/nss-examples/x509-nss/remote.conf	2009-04-02 14:49:47.000000000 -0400
@@ -0,0 +1,37 @@
+# /etc/ipsec.conf - Openswan IPsec configuration file
+
+version 2.0
+
+config setup
+        # put the logs in /tmp for the UMLs, so that we can operate
+        # without syslogd, which seems to break on UMLs
+        plutostderrlog=/tmp/pluto.log
+        plutorestartoncrash=false
+        dumpdir=/var/tmp
+
+# only used in x509-pluto-02
+conn north-east-x509-pluto-02
+        also=eastnet
+        also=northnet
+        # Left security gateway, subnet behind it, next hop toward right.
+        left=192.1.2.33
+        leftrsasigkey=%cert
+        leftnexthop=192.1.2.254
+	leftid="C=ca, ST=Ontario, O=Xelerance, L=Toronto, CN=north.testing.xelerance.com, E=testing at xelerance.com"
+	leftcert="user-cert-nick-name"
+        # Right security gateway, subnet behind it, next hop toward left.
+        right=192.1.3.23
+        rightnexthop=192.1.3.254
+        rightrsasigkey=%cert
+        auto=ignore
+
+conn northnet
+        leftsubnet=192.0.2.0/24
+
+include /etc/ipsec.d/ipsec.conf.common
+
+conn us
+        rightsubnet=192.0.3.0/24
+
+conn them
+        leftsubnet=192.0.1.0/24


Index: openswan.spec
===================================================================
RCS file: /cvs/pkgs/rpms/openswan/devel/openswan.spec,v
retrieving revision 1.74
retrieving revision 1.75
diff -u -r1.74 -r1.75
--- openswan.spec	13 Apr 2009 16:16:48 -0000	1.74
+++ openswan.spec	14 Apr 2009 17:22:17 -0000	1.75
@@ -4,7 +4,7 @@
 Name: openswan
 Version: 2.6.21
 
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: GPLv2+
 Url: http://www.openswan.org/
 Source: openswan-%{version}.tar.gz
@@ -16,7 +16,7 @@
 Patch3: openswan-2.6-selinux.patch
 Patch4: openswan-2.6.16-initscript-correction.patch
 Patch5: openswan-2.6.21-gcc44.patch
-Patch6: openswan-2.6.21-nss-disabled.patch
+Patch6: openswan-2.6.21-nss.patch
 
 Group: System Environment/Daemons
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -169,6 +169,10 @@
 chkconfig --add ipsec || :
 
 %changelog
+* Mon Apr 14 2009 Avesh Agarwal <avagarwa at redhat.com> - 2.6.21-3
+- Updated the Openswan-NSS porting to enable nss by default
+- The patch includes README.nss for information about NSS usage
+
 * Mon Apr 13 2009 Avesh Agarwal <avagarwa at redhat.com> - 2.6.21-2
 - Applied patch to support NSS, currently disabled due to
   dependency on rh bz #491693


--- openswan-2.6.21-nss-disabled.patch DELETED ---



