[strongSwan] Unable to load the private key without openssl plugin

Kiran Joshi kiran.joshi38 at yahoo.com
Wed Jan 23 00:41:23 CET 2013 

Added the issue to the user lists as the Strongswan Issues tracker is probably not the right place for support questions.
 
I'm making a minimal build of strongswan 5.0.1 and kernel version 2.6.33.5 without the openssl plugin.
We are testing IKEv2 and tunnel mode exchange.
Getting an error with regards to key integrity tests failed and private key loading failure in the charon.log.
1) List of loaded plugins without the openssl for the failed test case.
a) loaded plugins: charon aes des sha1 sha2 md5 random nonce x509 pubkey pkcs1 pkcs8 pgp pem gmp xcbc hmac kernel-pfkey kernel-netlink socket-default stroke updown
b) charon.log errors below:
"00[LIB] key integrity tests failed"
"00[LIB] building CRED_PRIVATE_KEY - RSA failed, tried 6 builders 
00[CFG]   loading private key from '/tmp/ssl/private/MyServerKey.pem' failed 
00[LIB] feature PRIVKEY:DSA in 'pem' plugin has unsatisfied dependency: PRIVKEY:DSA\par
00[LIB] feature PUBKEY:ECDSA in 'pem' plugin has unsatisfied dependency: PUBKEY:ECDSA\par
00[LIB] feature PUBKEY:DSA in 'pem' plugin has unsatisfied dependency: PUBKEY:DSA    \par
00[LIB] feature CERT_DECODE:X509_OCSP_REQUEST in 'pem' plugin has unsatisfied dependency: CERT_DECODE:X509_OCSP_RE\par
00[LIB] feature PRF:PRF_CAMELLIA128_XCBC in 'xcbc' plugin has unsatisfied dependency: CRYPTER:CAMELLIA_CBC-16     \par
00[LIB] feature SIGNER:CAMELLIA_XCBC_96 in 'xcbc' plugin has unsatisfied dependency: CRYPTER:CAMELLIA_CBC-16      \par
00[DMN] loaded plugins: charon aes des sha1 sha2 md5 random nonce x509 pubkey pkcs1 pkcs8 pgp pem gmp xcbc hmac kernel-pfkey kernel-netlink socket-default stroke updown"
2) List of loaded plugins with the openssl plugin for successful test case.
a) loaded plugins: charon aes des sha1 sha2 md5 random nonce x509 pubkey pkcs1 pkcs8 pgp pem openssl gmp xcbc hmac kernel-pfkey kernel-netlink socket-default stroke updown
b) The loaded openssl plugin results in the private key being successfully loaded. The ipsec tunnel gets established just fine without any issues.
The only difference in the setup environment is enabing/disabling strongswan5 openssl plugin.
As workaround to some other issues, we had to disable the openssl plugin.
We ran into some compatibility issues of the openssl plugin and the OCF layer/openssl -engine cryptodev h/w driver.
This was resulting in MAC verification failures bringing down the tunnel and not restarting around 2-4hours of test run.
Our rekeying is happening on every hour and reauthenticating of the public key every 3 hours.
Please let me know what are other plugins are required when openssl plugin is disabled as to support these ipsec.conf settings.
leftcert=/tmp/ssl/certs/MyServerCert.pem
rightauth=pubkey
 
Let me know if you need the full charon.log or config details for this issue.
 
FYI....
When openssl plugin was enabled, we created a patch file as workaround to bypass the RSA_check_key.
This had addressed "key integrity test failed" error in short term solution. It was the only way to bring up the tunnel with pubkey authentication since our certs/private key was created with the OCF and h/w acceleration driver.
--- a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c       2012-06-08 17:07:42.245836492 -0500
+++ b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c       2012-06-08 17:08:38.435845825 -0500
@ -374,7 +374,7 @
if (blob.ptr)        {
this->rsa = d2i_RSAPrivateKey(NULL, (const u_char**)&blob.ptr, blob.len);
-               if (this->rsa && RSA_check_key(this->rsa))
+               if (this->rsa)                {
return &this->public;
}
@ -396,10 +396,7 @
this->rsa->dmq1 = BN_bin2bn((const u_char*)exp2.ptr, exp2.len, NULL);
}
this->rsa->iqmp = BN_bin2bn((const u_char*)coeff.ptr, coeff.len, NULL);
-               if (RSA_check_key(this->rsa))
-               {
-                       return &this->public;
-               }
+               return &this->public;
}
destroy(this);
return NULL;
 
Since the private key is now being parsed by gmp plugin (without the openssl plugin), it is safe for to bypass the integrity check in gmp plugin as another workaround? I have not tried that yet.
 
Kiran
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20130122/a93f8ca4/attachment.html>

More information about the Users mailing list