From 043053ad27f1a523a4f2eb1fc514bf2ccd965870 Mon Sep 17 00:00:00 2001
From: Paul Wouters
Date: Wed, 24 Sep 2025 15:44:22 -0400
Subject: [PATCH] Re-enable python subpackage, re-enable upstream tests - patch to use --no-isolation with python by Carlos Rodriguez-Fernandez - python dependencies fixed so pip no longer tries to download items - apply upstream patch to remove md2 support - now all tests pass again
---
strongswan-6.0.2-no-md5-b3011e8e.patch | 514 +++++++++++++++++++++++++
strongswan.spec | 5 +-
2 files changed, 518 insertions(+), 1 deletion(-)
create mode 100644 strongswan-6.0.2-no-md5-b3011e8e.patch
diff --git a/strongswan-6.0.2-no-md5-b3011e8e.patch b/strongswan-6.0.2-no-md5-b3011e8e.patch
new file mode 100644
index 0000000..1aca73c
--- /dev/null
+++ b/strongswan-6.0.2-no-md5-b3011e8e.patch
@@ -0,0 +1,514 @@
+From b3011e8e87a1fad1bfb026448fc37b80b7cfc007 Mon Sep 17 00:00:00 2001
+From: Tobias Brunner
+Date: Tue, 23 Sep 2025 14:59:37 +0200
+Subject: [PATCH] Remove support for MD2
+
+No part of IKE/IPsec or X.509 uses MD2 anymore, so there really is no
+reason to still support it (unlike MD4 that is used in EAP-MSCHAPv2,
+MD5 that's used in EAP-MD5, or SHA-1 that's used for e.g. NAT-D hashes).
+
+It caused test vectors to fail on systems where OpenSSL is built with
+MD2 support but has it disabled at runtime.
+---
+ src/libstrongswan/asn1/oid.txt | 4 +-
+ .../credentials/containers/pkcs12.c | 1 -
+ src/libstrongswan/crypto/hashers/hasher.c | 15 ---
+ src/libstrongswan/crypto/hashers/hasher.h | 16 +--
+ src/libstrongswan/crypto/xofs/xof.c | 1 -
+ .../plugins/gcrypt/gcrypt_hasher.c | 3 -
+ .../plugins/openssl/openssl_plugin.c | 3 -
+ .../plugins/pkcs11/pkcs11_hasher.c | 1 -
+ .../plugins/pkcs11/pkcs11_plugin.c | 1 -
+ .../plugins/test_vectors/Makefile.am | 1 -
+ .../plugins/test_vectors/test_vectors.h | 7 -
+ .../plugins/test_vectors/test_vectors/md2.c | 64 ---------
+ src/libstrongswan/tests/suites/test_hasher.c | 127 +++++++++---------
+ 13 files changed, 71 insertions(+), 173 deletions(-)
+ delete mode 100644 src/libstrongswan/plugins/test_vectors/test_vectors/md2.c
+
+diff --git a/src/libstrongswan/asn1/oid.txt b/src/libstrongswan/asn1/oid.txt
+index f58a44d326..b9c3189cd2 100644
+--- a/src/libstrongswan/asn1/oid.txt
++++ b/src/libstrongswan/asn1/oid.txt
+@@ -94,7 +94,7 @@
+ 0x01 "PKCS"
+ 0x01 "PKCS-1"
+ 0x01 "rsaEncryption" OID_RSA_ENCRYPTION
+- 0x02 "md2WithRSAEncryption" OID_MD2_WITH_RSA
++ 0x02 "md2WithRSAEncryption"
+ 0x04 "md5WithRSAEncryption" OID_MD5_WITH_RSA
+ 0x05 "sha-1WithRSAEncryption" OID_SHA1_WITH_RSA
+ 0x07 "id-RSAES-OAEP" OID_RSAES_OAEP
+@@ -148,7 +148,7 @@
+ 0x05 "secretBag"
+ 0x06 "safeContentsBag"
+ 0x02 "digestAlgorithm"
+- 0x02 "md2" OID_MD2
++ 0x02 "md2"
+ 0x05 "md5" OID_MD5
+ 0x07 "hmacWithSHA1" OID_HMAC_SHA1
+ 0x08 "hmacWithSHA224" OID_HMAC_SHA224
+diff --git a/src/libstrongswan/credentials/containers/pkcs12.c b/src/libstrongswan/credentials/containers/pkcs12.c
+index d738910077..be0c750393 100644
+--- a/src/libstrongswan/credentials/containers/pkcs12.c
++++ b/src/libstrongswan/credentials/containers/pkcs12.c
+@@ -83,7 +83,6 @@ static bool derive_key(hash_algorithm_t hash, chunk_t unicode, chunk_t salt,
+ }
+ switch (hash)
+ {
+- case HASH_MD2:
+ case HASH_MD5:
+ case HASH_SHA1:
+ case HASH_SHA224:
+diff --git a/src/libstrongswan/crypto/hashers/hasher.c b/src/libstrongswan/crypto/hashers/hasher.c
+index 2fed3b4133..444a59c5f0 100644
+--- a/src/libstrongswan/crypto/hashers/hasher.c
++++ b/src/libstrongswan/crypto/hashers/hasher.c
+@@ -30,7 +30,6 @@ ENUM_BEGIN(hash_algorithm_names, HASH_SHA1, HASH_IDENTITY,
+ "HASH_IDENTITY");
+ ENUM_NEXT(hash_algorithm_names, HASH_UNKNOWN, HASH_SHA3_512, HASH_IDENTITY,
+ "HASH_UNKNOWN",
+- "HASH_MD2",
+ "HASH_MD4",
+ "HASH_MD5",
+ "HASH_SHA2_224",
+@@ -48,7 +47,6 @@ ENUM_BEGIN(hash_algorithm_short_names, HASH_SHA1, HASH_IDENTITY,
+ "identity");
+ ENUM_NEXT(hash_algorithm_short_names, HASH_UNKNOWN, HASH_SHA3_512, HASH_IDENTITY,
+ "unknown",
+- "md2",
+ "md4",
+ "md5",
+ "sha224",
+@@ -66,7 +64,6 @@ ENUM_BEGIN(hash_algorithm_short_names_upper, HASH_SHA1, HASH_IDENTITY,
+ "IDENTITY");
+ ENUM_NEXT(hash_algorithm_short_names_upper, HASH_UNKNOWN, HASH_SHA3_512, HASH_IDENTITY,
+ "UNKNOWN",
+- "MD2",
+ "MD4",
+ "MD5",
+ "SHA2_224",
+@@ -91,8 +88,6 @@ size_t hasher_hash_size(hash_algorithm_t alg)
+ return HASH_SIZE_SHA384;
+ case HASH_SHA512:
+ return HASH_SIZE_SHA512;
+- case HASH_MD2:
+- return HASH_SIZE_MD2;
+ case HASH_MD4:
+ return HASH_SIZE_MD4;
+ case HASH_MD5:
+@@ -121,9 +116,6 @@ hash_algorithm_t hasher_algorithm_from_oid(int oid)
+ {
+ switch (oid)
+ {
+- case OID_MD2:
+- case OID_MD2_WITH_RSA:
+- return HASH_MD2;
+ case OID_MD5:
+ case OID_MD5_WITH_RSA:
+ return HASH_MD5;
+@@ -323,7 +315,6 @@ integrity_algorithm_t hasher_algorithm_to_integrity(hash_algorithm_t alg,
+ return AUTH_HMAC_SHA2_512_512;
+ }
+ break;
+- case HASH_MD2:
+ case HASH_MD4:
+ case HASH_SHA224:
+ case HASH_SHA3_224:
+@@ -350,7 +341,6 @@ bool hasher_algorithm_for_ikev2(hash_algorithm_t alg)
+ case HASH_SHA512:
+ return TRUE;
+ case HASH_UNKNOWN:
+- case HASH_MD2:
+ case HASH_MD4:
+ case HASH_MD5:
+ case HASH_SHA1:
+@@ -373,9 +363,6 @@ int hasher_algorithm_to_oid(hash_algorithm_t alg)
+
+ switch (alg)
+ {
+- case HASH_MD2:
+- oid = OID_MD2;
+- break;
+ case HASH_MD5:
+ oid = OID_MD5;
+ break;
+@@ -422,8 +409,6 @@ int hasher_signature_algorithm_to_oid(hash_algorithm_t alg, key_type_t key)
+ case KEY_RSA:
+ switch (alg)
+ {
+- case HASH_MD2:
+- return OID_MD2_WITH_RSA;
+ case HASH_MD5:
+ return OID_MD5_WITH_RSA;
+ case HASH_SHA1:
+diff --git a/src/libstrongswan/crypto/hashers/hasher.h b/src/libstrongswan/crypto/hashers/hasher.h
+index ad434035da..0a4237cd93 100644
+--- a/src/libstrongswan/crypto/hashers/hasher.h
++++ b/src/libstrongswan/crypto/hashers/hasher.h
+@@ -45,17 +45,15 @@ enum hash_algorithm_t {
+ HASH_IDENTITY = 5,
+ /* use private use range for algorithms not defined/permitted by RFC 7427 */
+ HASH_UNKNOWN = 1024,
+- HASH_MD2 = 1025,
+- HASH_MD4 = 1026,
+- HASH_MD5 = 1027,
+- HASH_SHA224 = 1028,
+- HASH_SHA3_224 = 1029,
+- HASH_SHA3_256 = 1030,
+- HASH_SHA3_384 = 1031,
+- HASH_SHA3_512 = 1032
++ HASH_MD4 = 1025,
++ HASH_MD5 = 1026,
++ HASH_SHA224 = 1027,
++ HASH_SHA3_224 = 1028,
++ HASH_SHA3_256 = 1029,
++ HASH_SHA3_384 = 1030,
++ HASH_SHA3_512 = 1031
+ };
+
+-#define HASH_SIZE_MD2 16
+ #define HASH_SIZE_MD4 16
+ #define HASH_SIZE_MD5 16
+ #define HASH_SIZE_SHA1 20
+diff --git a/src/libstrongswan/crypto/xofs/xof.c b/src/libstrongswan/crypto/xofs/xof.c
+index 7c1eb37e42..f21e037a5a 100644
+--- a/src/libstrongswan/crypto/xofs/xof.c
++++ b/src/libstrongswan/crypto/xofs/xof.c
+@@ -60,7 +60,6 @@ ext_out_function_t xof_mgf1_from_hash_algorithm(hash_algorithm_t alg)
+ return XOF_MGF1_SHA3_384;
+ case HASH_IDENTITY:
+ case HASH_UNKNOWN:
+- case HASH_MD2:
+ case HASH_MD4:
+ case HASH_MD5:
+ break;
+diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c b/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c
+index 29f86a5139..5e30ac7dc3 100644
+--- a/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c
++++ b/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c
+@@ -92,9 +92,6 @@ gcrypt_hasher_t *gcrypt_hasher_create(hash_algorithm_t algo)
+
+ switch (algo)
+ {
+- case HASH_MD2:
+- gcrypt_alg = GCRY_MD_MD2;
+- break;
+ case HASH_MD4:
+ gcrypt_alg = GCRY_MD_MD4;
+ break;
+diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c b/src/libstrongswan/plugins/openssl/openssl_plugin.c
+index c3e1d2e173..ef7fe8908f 100644
+--- a/src/libstrongswan/plugins/openssl/openssl_plugin.c
++++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c
+@@ -400,9 +400,6 @@ METHOD(plugin_t, get_features, int,
+ PLUGIN_PROVIDE(CRYPTER, ENCR_NULL, 0),
+ /* hashers */
+ PLUGIN_REGISTER(HASHER, openssl_hasher_create),
+-#ifndef OPENSSL_NO_MD2
+- PLUGIN_PROVIDE(HASHER, HASH_MD2),
+-#endif
+ #ifndef OPENSSL_NO_MD4
+ PLUGIN_PROVIDE(HASHER, HASH_MD4),
+ #endif
+diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_hasher.c b/src/libstrongswan/plugins/pkcs11/pkcs11_hasher.c
+index e5ac18ed8c..409a05a2ab 100644
+--- a/src/libstrongswan/plugins/pkcs11/pkcs11_hasher.c
++++ b/src/libstrongswan/plugins/pkcs11/pkcs11_hasher.c
+@@ -234,7 +234,6 @@ static CK_MECHANISM_PTR algo_to_mechanism(hash_algorithm_t algo, size_t *size)
+ CK_MECHANISM mechanism;
+ size_t size;
+ } mappings[] = {
+- {HASH_MD2, {CKM_MD2, NULL, 0}, HASH_SIZE_MD2},
+ {HASH_MD5, {CKM_MD5, NULL, 0}, HASH_SIZE_MD5},
+ {HASH_SHA1, {CKM_SHA_1, NULL, 0}, HASH_SIZE_SHA1},
+ {HASH_SHA256, {CKM_SHA256, NULL, 0}, HASH_SIZE_SHA256},
+diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c b/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c
+index 5510db99f4..aa27f1e384 100644
+--- a/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c
++++ b/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c
+@@ -189,7 +189,6 @@ METHOD(plugin_t, get_features, int,
+ {
+ static plugin_feature_t f_hash[] = {
+ PLUGIN_REGISTER(HASHER, pkcs11_hasher_create),
+- PLUGIN_PROVIDE(HASHER, HASH_MD2),
+ PLUGIN_PROVIDE(HASHER, HASH_MD5),
+ PLUGIN_PROVIDE(HASHER, HASH_SHA1),
+ PLUGIN_PROVIDE(HASHER, HASH_SHA256),
+diff --git a/src/libstrongswan/plugins/test_vectors/Makefile.am b/src/libstrongswan/plugins/test_vectors/Makefile.am
+index 6074027f7d..eaf6485abc 100644
+--- a/src/libstrongswan/plugins/test_vectors/Makefile.am
++++ b/src/libstrongswan/plugins/test_vectors/Makefile.am
+@@ -37,7 +37,6 @@ libstrongswan_test_vectors_la_SOURCES = \
+ test_vectors/rc5.c \
+ test_vectors/serpent_cbc.c \
+ test_vectors/twofish_cbc.c \
+- test_vectors/md2.c \
+ test_vectors/md4.c \
+ test_vectors/md5.c \
+ test_vectors/md5_hmac.c \
+diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors.h b/src/libstrongswan/plugins/test_vectors/test_vectors.h
+index bf8609cb62..85436ff74a 100644
+--- a/src/libstrongswan/plugins/test_vectors/test_vectors.h
++++ b/src/libstrongswan/plugins/test_vectors/test_vectors.h
+@@ -160,13 +160,6 @@ TEST_VECTOR_SIGNER(sha512_hmac_s1)
+ TEST_VECTOR_SIGNER(sha512_hmac_s2)
+ TEST_VECTOR_SIGNER(sha512_hmac_s3)
+
+-TEST_VECTOR_HASHER(md2_1)
+-TEST_VECTOR_HASHER(md2_2)
+-TEST_VECTOR_HASHER(md2_3)
+-TEST_VECTOR_HASHER(md2_4)
+-TEST_VECTOR_HASHER(md2_5)
+-TEST_VECTOR_HASHER(md2_6)
+-TEST_VECTOR_HASHER(md2_7)
+ TEST_VECTOR_HASHER(md4_1)
+ TEST_VECTOR_HASHER(md4_2)
+ TEST_VECTOR_HASHER(md4_3)
+diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors/md2.c b/src/libstrongswan/plugins/test_vectors/test_vectors/md2.c
+deleted file mode 100644
+index b2707a1317..0000000000
+--- a/src/libstrongswan/plugins/test_vectors/test_vectors/md2.c
++++ /dev/null
+@@ -1,64 +0,0 @@
+-/*
+- * Copyright (C) 2009 Martin Willi
+- *
+- * Copyright (C) secunet Security Networks AG
+- *
+- * This program is free software; you can redistribute it and/or modify it
+- * under the terms of the GNU General Public License as published by the
+- * Free Software Foundation; either version 2 of the Licenseor (at your
+- * option) any later version. See .
+- *
+- * This program is distributed in the hope that it will be usefulbut
+- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+- * for more details.
+- */
+-
+-#include
+-
+-/**
+- * MD2 vectors from RFC 1319
+- */
+-hasher_test_vector_t md2_1 = {
+- .alg = HASH_MD2, .len = 0,
+- .data = "",
+- .hash = "\x83\x50\xe5\xa3\xe2\x4c\x15\x3d\xf2\x27\x5c\x9f\x80\x69\x27\x73"
+-};
+-
+-hasher_test_vector_t md2_2 = {
+- .alg = HASH_MD2, .len = 1,
+- .data = "a",
+- .hash = "\x32\xec\x01\xec\x4a\x6d\xac\x72\xc0\xab\x96\xfb\x34\xc0\xb5\xd1"
+-};
+-
+-hasher_test_vector_t md2_3 = {
+- .alg = HASH_MD2, .len = 3,
+- .data = "abc",
+- .hash = "\xda\x85\x3b\x0d\x3f\x88\xd9\x9b\x30\x28\x3a\x69\xe6\xde\xd6\xbb"
+-};
+-
+-hasher_test_vector_t md2_4 = {
+- .alg = HASH_MD2, .len = 14,
+- .data = "message digest",
+- .hash = "\xab\x4f\x49\x6b\xfb\x2a\x53\x0b\x21\x9f\xf3\x30\x31\xfe\x06\xb0"
+-};
+-
+-hasher_test_vector_t md2_5 = {
+- .alg = HASH_MD2, .len = 26,
+- .data = "abcdefghijklmnopqrstuvwxyz",
+- .hash = "\x4e\x8d\xdf\xf3\x65\x02\x92\xab\x5a\x41\x08\xc3\xaa\x47\x94\x0b"
+-};
+-
+-hasher_test_vector_t md2_6 = {
+- .alg = HASH_MD2, .len = 62,
+- .data = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789",
+- .hash = "\xda\x33\xde\xf2\xa4\x2d\xf1\x39\x75\x35\x28\x46\xc3\x03\x38\xcd"
+-};
+-
+-hasher_test_vector_t md2_7 = {
+- .alg = HASH_MD2, .len = 80,
+- .data = "1234567890123456789012345678901234567890"
+- "1234567890123456789012345678901234567890",
+- .hash = "\xd5\x97\x6f\x79\xd8\x3d\x3a\x0d\xc9\x80\x6c\x3c\x66\xf3\xef\xd8"
+-};
+-
+diff --git a/src/libstrongswan/tests/suites/test_hasher.c b/src/libstrongswan/tests/suites/test_hasher.c
+index c07eed8d93..3bdcc7e3d7 100644
+--- a/src/libstrongswan/tests/suites/test_hasher.c
++++ b/src/libstrongswan/tests/suites/test_hasher.c
+@@ -28,41 +28,39 @@ typedef struct {
+ key_type_t key;
+ }hasher_oid_t;
+
++/* make sure to adjust offsets in constructor when changing this array */
+ static hasher_oid_t oids[] = {
+- { OID_MD2, HASH_MD2, KEY_ANY }, /* 0 */
+- { OID_MD5, HASH_MD5, KEY_ANY }, /* 1 */
+- { OID_SHA1, HASH_SHA1, KEY_ANY }, /* 2 */
+- { OID_SHA224, HASH_SHA224, KEY_ANY }, /* 3 */
+- { OID_SHA256, HASH_SHA256, KEY_ANY }, /* 4 */
+- { OID_SHA384, HASH_SHA384, KEY_ANY }, /* 5 */
+- { OID_SHA512, HASH_SHA512, KEY_ANY }, /* 6 */
+- { OID_SHA3_224, HASH_SHA3_224, KEY_ANY }, /* 7 */
+- { OID_SHA3_256, HASH_SHA3_256, KEY_ANY }, /* 8 */
+- { OID_SHA3_384, HASH_SHA3_384, KEY_ANY }, /* 9 */
+- { OID_SHA3_512, HASH_SHA3_512, KEY_ANY }, /* 10 */
+- { OID_UNKNOWN, HASH_UNKNOWN, KEY_ANY }, /* 11 */
+- { OID_MD2_WITH_RSA, HASH_MD2, KEY_RSA }, /* 12 */
+- { OID_MD5_WITH_RSA, HASH_MD5, KEY_RSA }, /* 13 */
+- { OID_SHA1_WITH_RSA, HASH_SHA1, KEY_RSA }, /* 14 */
+- { OID_SHA224_WITH_RSA, HASH_SHA224, KEY_RSA }, /* 15 */
+- { OID_SHA256_WITH_RSA, HASH_SHA256, KEY_RSA }, /* 16 */
+- { OID_SHA384_WITH_RSA, HASH_SHA384, KEY_RSA }, /* 17 */
+- { OID_SHA512_WITH_RSA, HASH_SHA512, KEY_RSA }, /* 18 */
+- { OID_RSASSA_PKCS1V15_WITH_SHA3_224, HASH_SHA3_224, KEY_RSA }, /* 19 */
+- { OID_RSASSA_PKCS1V15_WITH_SHA3_256, HASH_SHA3_256, KEY_RSA }, /* 20 */
+- { OID_RSASSA_PKCS1V15_WITH_SHA3_384, HASH_SHA3_384, KEY_RSA }, /* 21 */
+- { OID_RSASSA_PKCS1V15_WITH_SHA3_512, HASH_SHA3_512, KEY_RSA }, /* 22 */
+- { OID_UNKNOWN, HASH_UNKNOWN, KEY_RSA }, /* 23 */
+- { OID_ED25519, HASH_IDENTITY, KEY_ED25519 }, /* 24 */
+- { OID_UNKNOWN, HASH_UNKNOWN, KEY_ED25519 }, /* 25 */
+- { OID_ED448, HASH_IDENTITY, KEY_ED448 }, /* 26 */
+- { OID_UNKNOWN, HASH_UNKNOWN, KEY_ED448 }, /* 27 */
+- { OID_ECDSA_WITH_SHA1, HASH_SHA1, KEY_ECDSA }, /* 28 */
+- { OID_ECDSA_WITH_SHA256, HASH_SHA256, KEY_ECDSA }, /* 29 */
+- { OID_ECDSA_WITH_SHA384, HASH_SHA384, KEY_ECDSA }, /* 30 */
+- { OID_ECDSA_WITH_SHA512, HASH_SHA512, KEY_ECDSA }, /* 31 */
+- { OID_UNKNOWN, HASH_UNKNOWN, KEY_ECDSA }, /* 32 */
+-
++ { OID_MD5, HASH_MD5, KEY_ANY }, /* 0 */
++ { OID_SHA1, HASH_SHA1, KEY_ANY }, /* 1 */
++ { OID_SHA224, HASH_SHA224, KEY_ANY }, /* 2 */
++ { OID_SHA256, HASH_SHA256, KEY_ANY }, /* 3 */
++ { OID_SHA384, HASH_SHA384, KEY_ANY }, /* 4 */
++ { OID_SHA512, HASH_SHA512, KEY_ANY }, /* 5 */
++ { OID_SHA3_224, HASH_SHA3_224, KEY_ANY }, /* 6 */
++ { OID_SHA3_256, HASH_SHA3_256, KEY_ANY }, /* 7 */
++ { OID_SHA3_384, HASH_SHA3_384, KEY_ANY }, /* 8 */
++ { OID_SHA3_512, HASH_SHA3_512, KEY_ANY }, /* 9 */
++ { OID_UNKNOWN, HASH_UNKNOWN, KEY_ANY }, /* 10 */
++ { OID_MD5_WITH_RSA, HASH_MD5, KEY_RSA }, /* 11 */
++ { OID_SHA1_WITH_RSA, HASH_SHA1, KEY_RSA }, /* 12 */
++ { OID_SHA224_WITH_RSA, HASH_SHA224, KEY_RSA }, /* 13 */
++ { OID_SHA256_WITH_RSA, HASH_SHA256, KEY_RSA }, /* 14 */
++ { OID_SHA384_WITH_RSA, HASH_SHA384, KEY_RSA }, /* 15 */
++ { OID_SHA512_WITH_RSA, HASH_SHA512, KEY_RSA }, /* 16 */
++ { OID_RSASSA_PKCS1V15_WITH_SHA3_224, HASH_SHA3_224, KEY_RSA }, /* 17 */
++ { OID_RSASSA_PKCS1V15_WITH_SHA3_256, HASH_SHA3_256, KEY_RSA }, /* 18 */
++ { OID_RSASSA_PKCS1V15_WITH_SHA3_384, HASH_SHA3_384, KEY_RSA }, /* 19 */
++ { OID_RSASSA_PKCS1V15_WITH_SHA3_512, HASH_SHA3_512, KEY_RSA }, /* 20 */
++ { OID_UNKNOWN, HASH_UNKNOWN, KEY_RSA }, /* 21 */
++ { OID_ED25519, HASH_IDENTITY, KEY_ED25519 }, /* 22 */
++ { OID_UNKNOWN, HASH_UNKNOWN, KEY_ED25519 }, /* 23 */
++ { OID_ED448, HASH_IDENTITY, KEY_ED448 }, /* 24 */
++ { OID_UNKNOWN, HASH_UNKNOWN, KEY_ED448 }, /* 25 */
++ { OID_ECDSA_WITH_SHA1, HASH_SHA1, KEY_ECDSA }, /* 26 */
++ { OID_ECDSA_WITH_SHA256, HASH_SHA256, KEY_ECDSA }, /* 27 */
++ { OID_ECDSA_WITH_SHA384, HASH_SHA384, KEY_ECDSA }, /* 28 */
++ { OID_ECDSA_WITH_SHA512, HASH_SHA512, KEY_ECDSA }, /* 29 */
++ { OID_UNKNOWN, HASH_UNKNOWN, KEY_ECDSA }, /* 30 */
+ };
+
+ START_TEST(test_hasher_from_oid)
+@@ -174,32 +172,32 @@ typedef struct {
+ size_t length;
+ }hasher_auth_t;
+
++/* make sure to adjust offsets in constructor when changing this array */
+ static hasher_auth_t auths[] = {
+- { AUTH_UNDEFINED, HASH_MD2, 0 },
+- { AUTH_UNDEFINED, HASH_MD4, 0 },
+- { AUTH_UNDEFINED, HASH_SHA224, 0 },
+- { AUTH_UNDEFINED, 9, 0 },
+- { AUTH_UNDEFINED, HASH_UNKNOWN, 0 },
+- { AUTH_HMAC_MD5_96, HASH_MD5, 12 },
+- { AUTH_HMAC_SHA1_96, HASH_SHA1, 12 },
+- { AUTH_HMAC_SHA2_256_96, HASH_SHA256, 12 },
+- { AUTH_HMAC_MD5_128, HASH_MD5, 16 },
+- { AUTH_HMAC_SHA1_128, HASH_SHA1, 16 },
+- { AUTH_HMAC_SHA2_256_128, HASH_SHA256, 16 },
+- { AUTH_HMAC_SHA1_160, HASH_SHA1, 20 },
+- { AUTH_HMAC_SHA2_384_192, HASH_SHA384, 24 },
+- { AUTH_HMAC_SHA2_256_256, HASH_SHA256, 32 },
+- { AUTH_HMAC_SHA2_512_256, HASH_SHA512, 32 },
+- { AUTH_HMAC_SHA2_384_384, HASH_SHA384, 48 },
+- { AUTH_HMAC_SHA2_512_512, HASH_SHA512, 64 },
+- { AUTH_AES_CMAC_96, HASH_UNKNOWN, 0 },
+- { AUTH_AES_128_GMAC, HASH_UNKNOWN, 0 },
+- { AUTH_AES_192_GMAC, HASH_UNKNOWN, 0 },
+- { AUTH_AES_256_GMAC, HASH_UNKNOWN, 0 },
+- { AUTH_AES_XCBC_96, HASH_UNKNOWN, 0 },
+- { AUTH_DES_MAC, HASH_UNKNOWN, 0 },
+- { AUTH_CAMELLIA_XCBC_96, HASH_UNKNOWN, 0 },
+- { 0, HASH_UNKNOWN, 0 }
++ { AUTH_UNDEFINED, HASH_MD4, 0 }, /* 0 */
++ { AUTH_UNDEFINED, HASH_SHA224, 0 }, /* 1 */
++ { AUTH_UNDEFINED, 9, 0 }, /* 2 */
++ { AUTH_UNDEFINED, HASH_UNKNOWN, 0 }, /* 3 */
++ { AUTH_HMAC_MD5_96, HASH_MD5, 12 }, /* 4 */
++ { AUTH_HMAC_SHA1_96, HASH_SHA1, 12 }, /* 5 */
++ { AUTH_HMAC_SHA2_256_96, HASH_SHA256, 12 }, /* 6 */
++ { AUTH_HMAC_MD5_128, HASH_MD5, 16 }, /* 7 */
++ { AUTH_HMAC_SHA1_128, HASH_SHA1, 16 }, /* 8 */
++ { AUTH_HMAC_SHA2_256_128, HASH_SHA256, 16 }, /* 9 */
++ { AUTH_HMAC_SHA1_160, HASH_SHA1, 20 }, /* 10 */
++ { AUTH_HMAC_SHA2_384_192, HASH_SHA384, 24 }, /* 11 */
++ { AUTH_HMAC_SHA2_256_256, HASH_SHA256, 32 }, /* 12 */
++ { AUTH_HMAC_SHA2_512_256, HASH_SHA512, 32 }, /* 13 */
++ { AUTH_HMAC_SHA2_384_384, HASH_SHA384, 48 }, /* 14 */
++ { AUTH_HMAC_SHA2_512_512, HASH_SHA512, 64 }, /* 15 */
++ { AUTH_AES_CMAC_96, HASH_UNKNOWN, 0 }, /* 16 */
++ { AUTH_AES_128_GMAC, HASH_UNKNOWN, 0 }, /* 17 */
++ { AUTH_AES_192_GMAC, HASH_UNKNOWN, 0 }, /* 18 */
++ { AUTH_AES_256_GMAC, HASH_UNKNOWN, 0 }, /* 19 */
++ { AUTH_AES_XCBC_96, HASH_UNKNOWN, 0 }, /* 20 */
++ { AUTH_DES_MAC, HASH_UNKNOWN, 0 }, /* 21 */
++ { AUTH_CAMELLIA_XCBC_96, HASH_UNKNOWN, 0 }, /* 22 */
++ { 0, HASH_UNKNOWN, 0 } /* 23 */
+ };
+
+ START_TEST(test_hasher_from_integrity)
+@@ -237,7 +235,6 @@ static hasher_ikev2_t ikev2[] = {
+ { HASH_SHA384, TRUE },
+ { HASH_SHA512, TRUE },
+ { HASH_UNKNOWN, FALSE },
+- { HASH_MD2, FALSE },
+ { HASH_MD4, FALSE },
+ { HASH_MD5, FALSE },
+ { HASH_SHA224, FALSE },
+@@ -262,15 +259,15 @@ Suite *hasher_suite_create()
+ s = suite_create("hasher");
+
+ tc = tcase_create("from_oid");
+- tcase_add_loop_test(tc, test_hasher_from_oid, 0, 28);
++ tcase_add_loop_test(tc, test_hasher_from_oid, 0, 26);
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("to_oid");
+- tcase_add_loop_test(tc, test_hasher_to_oid, 0, 12);
++ tcase_add_loop_test(tc, test_hasher_to_oid, 0, 11);
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("sig_to_oid");
+- tcase_add_loop_test(tc, test_hasher_sig_to_oid, 11, countof(oids));
++ tcase_add_loop_test(tc, test_hasher_sig_to_oid, 10, countof(oids));
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("from_sig_scheme");
+@@ -283,11 +280,11 @@ Suite *hasher_suite_create()
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("from_integrity");
+- tcase_add_loop_test(tc, test_hasher_from_integrity, 4, countof(auths));
++ tcase_add_loop_test(tc, test_hasher_from_integrity, 3, countof(auths));
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("to_integrity");
+- tcase_add_loop_test(tc, test_hasher_to_integrity, 0, 17);
++ tcase_add_loop_test(tc, test_hasher_to_integrity, 0, 16);
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("for_ikev2");
diff --git a/strongswan.spec b/strongswan.spec
index 7e77ea0..4cd3295 100644
--- a/strongswan.spec +++ b/strongswan.spec @@ -23,8 +23,11 @@ Source2: https://download.strongswan.org/STRONGSWAN-RELEASE-PGP-KEY Source3: tmpfiles-strongswan.conf # https://github.com/strongswan/strongswan/issues/1198 (also pinged upstream via email) Patch1: strongswan-5.9.7-error-no-format.patch -# this patch doesn't seem to help unfortunately +# Use isolation to prevent pip attempting to download during build Patch2: strongswan-6.0.2-no-isolation.patch +# Remove MD2, which causes test case failures due to fedora crypto policies +# https://github.com/strongswan/strongswan/commit/b3011e8e87a1fad1bfb026448fc37b80b7cfc007 +Patch3: strongswan-6.0.2-no-md5-b3011e8e.patch BuildRequires: autoconf BuildRequires: automake
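Review bot: The file added as `Patch3` is named `strongswan-6.0.2-no-md5-b3011e8e.patch`, yet the comment above it and the upstream commit it carries remove MD2 and explicitly keep MD5, so the name misstates which digest the package drops; `strongswan-6.0.2-no-md2-b3011e8e.patch` would match (the file added earlier in this commit would be renamed with it). The rewritten comment above `Patch2` reads "Use isolation" while the patch name and the commit message say `--no-isolation`; `# Build python with --no-isolation so pip does not try to download during build` agrees with both. The carried patch also renumbers the private-range `hash_algorithm_t` values in `hasher.h` (`HASH_MD4` 1026 to 1025 and so on), so anything compiled against the unpatched 6.0.2 header would presumably need a rebuild; a short comment beside `Patch3` saying so would help whoever audits the package later.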