<html><body><div style="color:#000; background-color:#fff; font-family:times new roman, new york, times, serif;font-size:12pt"><div>Added the issue to the user lists as the Strongswan Issues tracker is probably not the right place for support questions<var id="yui-ie-cursor"></var>.</div><div> </div><div>I'm making a minimal build of strongswan 5.0.1 and kernel version 2.6.33.5 without the openssl plugin.<br>We are testing IKEv2 and tunnel mode exchange.</div><div>Getting an error with regards to key integrity tests failed and private key loading failure in the charon.log.</div><div>1) List of loaded plugins without the openssl for the failed test case.</div><pre><code>a) loaded plugins: charon aes des sha1 sha2 md5 random nonce x509 pubkey pkcs1 pkcs8 pgp pem gmp xcbc hmac kernel-pfkey kernel-netlink socket-default stroke updown<br>b) charon.log errors below:</code></pre><div>"00[LIB] key integrity tests failed"</div><div>"00[LIB]
building CRED_PRIVATE_KEY - RSA failed, tried 6 builders <br>00[CFG] loading private key from '/tmp/ssl/private/MyServerKey.pem' failed <br>00[LIB] feature PRIVKEY:DSA in 'pem' plugin has unsatisfied dependency: PRIVKEY:DSA\par<br>00[LIB] feature PUBKEY:ECDSA in 'pem' plugin has unsatisfied dependency: PUBKEY:ECDSA\par<br>00[LIB] feature PUBKEY:DSA in 'pem' plugin has unsatisfied dependency: PUBKEY:DSA \par<br>00[LIB] feature CERT_DECODE:X509_OCSP_REQUEST in 'pem' plugin has unsatisfied dependency: CERT_DECODE:X509_OCSP_RE\par<br>00[LIB] feature PRF:PRF_CAMELLIA128_XCBC in 'xcbc' plugin has unsatisfied dependency: CRYPTER:CAMELLIA_CBC-16 \par<br>00[LIB] feature SIGNER:CAMELLIA_XCBC_96 in 'xcbc' plugin has unsatisfied dependency: CRYPTER:CAMELLIA_CBC-16 \par<br>00[DMN] loaded plugins: charon aes des sha1 sha2 md5 random nonce x509 pubkey pkcs1 pkcs8 pgp pem gmp xcbc hmac kernel-pfkey
kernel-netlink socket-default stroke updown"</div><div>2) List of loaded plugins with the openssl plugin for successful test case.</div><pre><code>a) loaded plugins: charon aes des sha1 sha2 md5 random nonce x509 pubkey pkcs1 pkcs8 pgp pem openssl gmp xcbc hmac kernel-pfkey kernel-netlink socket-default stroke updown<br>b) The loaded openssl plugin results in the private key being successfully loaded. The ipsec tunnel gets established just fine without any issues.</code></pre><div>The only difference in the setup environment is enabing/disabling strongswan5 openssl plugin.</div><div>As workaround to some other issues, we had to disable the openssl plugin.<br>We ran into some compatibility issues of the openssl plugin and the OCF layer/openssl -engine cryptodev h/w driver.<br>This was resulting in MAC verification failures bringing down the tunnel and not restarting around 2-4hours of test run.<br>Our rekeying is happening on every hour and
reauthenticating of the public key every 3 hours.</div><div>Please let me know what are other plugins are required when openssl plugin is disabled as to support these ipsec.conf settings.<br> leftcert=/tmp/ssl/certs/MyServerCert.pem<br> rightauth=pubkey</div><div> </div><div>Let me know if you need the full charon.log or config details for this issue.</div><div> </div><div>FYI....</div><div>When openssl plugin was enabled, we created a patch file as workaround to bypass the RSA_check_key.<br>This had addressed "key integrity test failed" error in short term solution. It was the only way to bring up the tunnel with pubkey authentication since our certs/private key was created with the OCF and h/w acceleration driver.</div><div>--- a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c 2012-06-08 17:07:42.245836492 -0500<br>+++ b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c 2012-06-08
17:08:38.435845825 -0500<br><code>@ -374,7 +374,7 </code>@<br> if (blob.ptr) {<br> this->rsa = d2i_RSAPrivateKey(NULL, (const u_char**)&blob.ptr, blob.len);<br>- if (this->rsa && RSA_check_key(this->rsa))<br>+ if (this->rsa) {<br> return &this->public;<br> }<br><code>@ -396,10 +396,7 </code>@<br> this->rsa->dmq1 = BN_bin2bn((const u_char*)exp2.ptr, exp2.len, NULL);<br> }<br> this->rsa->iqmp = BN_bin2bn((const u_char*)coeff.ptr, coeff.len, NULL);<br>- if (RSA_check_key(this->rsa))<br>- {<br>- return &this->public;<br>- }<br>+ return &this->public;<br> }<br> destroy(this);<br> return NULL;</div><div> </div><div>Since the private key
is now being parsed by gmp plugin (without the openssl plugin), it is safe for to bypass the integrity check in gmp plugin as another workaround? I have not tried that yet.</div><div> </div><div>Kiran</div></div></body></html>