From 2e6d0e53e85a3cbdee1de854942e0a55afb0d565 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Miloslav=20Trma=C4=8D?= Date: Wed, 29 Sep 2010 21:37:53 +0200 Subject: [PATCH] =?UTF-8?q?*=20Wed=20Sep=2029=202010=20Miloslav=20Trma?= =?UTF-8?q?=C4=8D=20=20-=200.3.4-2?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Clarify which block device should be passed as an argument Resolves: #636541 - Recognize SSL error messages from NSS as well Resolves: #638732 --- volume_key-0.3.4-ssl-errors.patch | 460 ++++++++++++++++++++++++++++++ volume_key-0.3.4-volume-doc.patch | 64 +++++ volume_key.spec | 14 +- 3 files changed, 537 insertions(+), 1 deletion(-) create mode 100644 volume_key-0.3.4-ssl-errors.patch create mode 100644 volume_key-0.3.4-volume-doc.patch diff --git a/volume_key-0.3.4-ssl-errors.patch b/volume_key-0.3.4-ssl-errors.patch new file mode 100644 index 0000000..e15caa2 --- /dev/null +++ b/volume_key-0.3.4-ssl-errors.patch @@ -0,0 +1,460 @@ +2010-09-29 Miloslav Trmač + + * lib/SSLerrs.h: New file. + * Makefile.am (lib_libvolume_key_la_SOURCES): Add lib/SSLerrs.h. + * lib/nss_error.c (mapping): Use SSLerrs.h. + +diff --git a/Makefile.am b/Makefile.am +index 9874ff1..fc06d95 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -48,7 +48,7 @@ python/volume_key_wrap.c python/volume_key.py: python/volume_key.i + python/volume_key.py: python/volume_key_wrap.c + + ## Dependency data +-lib_libvolume_key_la_SOURCES = lib/SECerrs.h \ ++lib_libvolume_key_la_SOURCES = lib/SECerrs.h lib/SSLerrs.h \ + lib/crypto.c lib/crypto.h \ + lib/kmip.c lib/kmip.h \ + lib/libvolume_key.c lib/libvolume_key.h \ +diff --git a/lib/SSLerrs.h b/lib/SSLerrs.h +new file mode 100644 +index 0000000..4ae90f6 +--- /dev/null ++++ b/lib/SSLerrs.h +@@ -0,0 +1,407 @@ ++/* copied from nss-3.12.6/mozilla/security/nss/cmd/lib because NSS does not ++ provide any API for error number => string translation: ++ https://bugzilla.mozilla.org/show_bug.cgi?id=329017 */ ++/* ***** BEGIN LICENSE BLOCK ***** ++ * Version: MPL 1.1/GPL 2.0/LGPL 2.1 ++ * ++ * The contents of this file are subject to the Mozilla Public License Version ++ * 1.1 (the "License"); you may not use this file except in compliance with ++ * the License. You may obtain a copy of the License at ++ * http://www.mozilla.org/MPL/ ++ * ++ * Software distributed under the License is distributed on an "AS IS" basis, ++ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License ++ * for the specific language governing rights and limitations under the ++ * License. ++ * ++ * The Original Code is the Netscape security libraries. ++ * ++ * The Initial Developer of the Original Code is ++ * Netscape Communications Corporation. ++ * Portions created by the Initial Developer are Copyright (C) 1994-2000 ++ * the Initial Developer. All Rights Reserved. ++ * ++ * Contributor(s): ++ * ++ * Alternatively, the contents of this file may be used under the terms of ++ * either the GNU General Public License Version 2 or later (the "GPL"), or ++ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), ++ * in which case the provisions of the GPL or the LGPL are applicable instead ++ * of those above. If you wish to allow use of your version of this file only ++ * under the terms of either the GPL or the LGPL, and not to allow others to ++ * use your version of this file under the terms of the MPL, indicate your ++ * decision by deleting the provisions above and replace them with the notice ++ * and other provisions required by the GPL or the LGPL. If you do not delete ++ * the provisions above, a recipient may use your version of this file under ++ * the terms of any one of the MPL, the GPL or the LGPL. ++ * ++ * ***** END LICENSE BLOCK ***** */ ++ ++/* SSL-specific security error codes */ ++/* caller must include "sslerr.h" */ ++ ++ER3(SSL_ERROR_EXPORT_ONLY_SERVER, SSL_ERROR_BASE + 0, ++"Unable to communicate securely. Peer does not support high-grade encryption.") ++ ++ER3(SSL_ERROR_US_ONLY_SERVER, SSL_ERROR_BASE + 1, ++"Unable to communicate securely. Peer requires high-grade encryption which is not supported.") ++ ++ER3(SSL_ERROR_NO_CYPHER_OVERLAP, SSL_ERROR_BASE + 2, ++"Cannot communicate securely with peer: no common encryption algorithm(s).") ++ ++ER3(SSL_ERROR_NO_CERTIFICATE, SSL_ERROR_BASE + 3, ++"Unable to find the certificate or key necessary for authentication.") ++ ++ER3(SSL_ERROR_BAD_CERTIFICATE, SSL_ERROR_BASE + 4, ++"Unable to communicate securely with peer: peers's certificate was rejected.") ++ ++/* unused (SSL_ERROR_BASE + 5),*/ ++ ++ER3(SSL_ERROR_BAD_CLIENT, SSL_ERROR_BASE + 6, ++"The server has encountered bad data from the client.") ++ ++ER3(SSL_ERROR_BAD_SERVER, SSL_ERROR_BASE + 7, ++"The client has encountered bad data from the server.") ++ ++ER3(SSL_ERROR_UNSUPPORTED_CERTIFICATE_TYPE, SSL_ERROR_BASE + 8, ++"Unsupported certificate type.") ++ ++ER3(SSL_ERROR_UNSUPPORTED_VERSION, SSL_ERROR_BASE + 9, ++"Peer using unsupported version of security protocol.") ++ ++/* unused (SSL_ERROR_BASE + 10),*/ ++ ++ER3(SSL_ERROR_WRONG_CERTIFICATE, SSL_ERROR_BASE + 11, ++"Client authentication failed: private key in key database does not match public key in certificate database.") ++ ++ER3(SSL_ERROR_BAD_CERT_DOMAIN, SSL_ERROR_BASE + 12, ++"Unable to communicate securely with peer: requested domain name does not match the server's certificate.") ++ ++/* SSL_ERROR_POST_WARNING (SSL_ERROR_BASE + 13), ++ defined in sslerr.h ++*/ ++ ++ER3(SSL_ERROR_SSL2_DISABLED, (SSL_ERROR_BASE + 14), ++"Peer only supports SSL version 2, which is locally disabled.") ++ ++ ++ER3(SSL_ERROR_BAD_MAC_READ, (SSL_ERROR_BASE + 15), ++"SSL received a record with an incorrect Message Authentication Code.") ++ ++ER3(SSL_ERROR_BAD_MAC_ALERT, (SSL_ERROR_BASE + 16), ++"SSL peer reports incorrect Message Authentication Code.") ++ ++ER3(SSL_ERROR_BAD_CERT_ALERT, (SSL_ERROR_BASE + 17), ++"SSL peer cannot verify your certificate.") ++ ++ER3(SSL_ERROR_REVOKED_CERT_ALERT, (SSL_ERROR_BASE + 18), ++"SSL peer rejected your certificate as revoked.") ++ ++ER3(SSL_ERROR_EXPIRED_CERT_ALERT, (SSL_ERROR_BASE + 19), ++"SSL peer rejected your certificate as expired.") ++ ++ER3(SSL_ERROR_SSL_DISABLED, (SSL_ERROR_BASE + 20), ++"Cannot connect: SSL is disabled.") ++ ++ER3(SSL_ERROR_FORTEZZA_PQG, (SSL_ERROR_BASE + 21), ++"Cannot connect: SSL peer is in another FORTEZZA domain.") ++ ++ ++ER3(SSL_ERROR_UNKNOWN_CIPHER_SUITE , (SSL_ERROR_BASE + 22), ++"An unknown SSL cipher suite has been requested.") ++ ++ER3(SSL_ERROR_NO_CIPHERS_SUPPORTED , (SSL_ERROR_BASE + 23), ++"No cipher suites are present and enabled in this program.") ++ ++ER3(SSL_ERROR_BAD_BLOCK_PADDING , (SSL_ERROR_BASE + 24), ++"SSL received a record with bad block padding.") ++ ++ER3(SSL_ERROR_RX_RECORD_TOO_LONG , (SSL_ERROR_BASE + 25), ++"SSL received a record that exceeded the maximum permissible length.") ++ ++ER3(SSL_ERROR_TX_RECORD_TOO_LONG , (SSL_ERROR_BASE + 26), ++"SSL attempted to send a record that exceeded the maximum permissible length.") ++ ++/* ++ * Received a malformed (too long or short or invalid content) SSL handshake. ++ */ ++ER3(SSL_ERROR_RX_MALFORMED_HELLO_REQUEST , (SSL_ERROR_BASE + 27), ++"SSL received a malformed Hello Request handshake message.") ++ ++ER3(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO , (SSL_ERROR_BASE + 28), ++"SSL received a malformed Client Hello handshake message.") ++ ++ER3(SSL_ERROR_RX_MALFORMED_SERVER_HELLO , (SSL_ERROR_BASE + 29), ++"SSL received a malformed Server Hello handshake message.") ++ ++ER3(SSL_ERROR_RX_MALFORMED_CERTIFICATE , (SSL_ERROR_BASE + 30), ++"SSL received a malformed Certificate handshake message.") ++ ++ER3(SSL_ERROR_RX_MALFORMED_SERVER_KEY_EXCH , (SSL_ERROR_BASE + 31), ++"SSL received a malformed Server Key Exchange handshake message.") ++ ++ER3(SSL_ERROR_RX_MALFORMED_CERT_REQUEST , (SSL_ERROR_BASE + 32), ++"SSL received a malformed Certificate Request handshake message.") ++ ++ER3(SSL_ERROR_RX_MALFORMED_HELLO_DONE , (SSL_ERROR_BASE + 33), ++"SSL received a malformed Server Hello Done handshake message.") ++ ++ER3(SSL_ERROR_RX_MALFORMED_CERT_VERIFY , (SSL_ERROR_BASE + 34), ++"SSL received a malformed Certificate Verify handshake message.") ++ ++ER3(SSL_ERROR_RX_MALFORMED_CLIENT_KEY_EXCH , (SSL_ERROR_BASE + 35), ++"SSL received a malformed Client Key Exchange handshake message.") ++ ++ER3(SSL_ERROR_RX_MALFORMED_FINISHED , (SSL_ERROR_BASE + 36), ++"SSL received a malformed Finished handshake message.") ++ ++/* ++ * Received a malformed (too long or short) SSL record. ++ */ ++ER3(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER , (SSL_ERROR_BASE + 37), ++"SSL received a malformed Change Cipher Spec record.") ++ ++ER3(SSL_ERROR_RX_MALFORMED_ALERT , (SSL_ERROR_BASE + 38), ++"SSL received a malformed Alert record.") ++ ++ER3(SSL_ERROR_RX_MALFORMED_HANDSHAKE , (SSL_ERROR_BASE + 39), ++"SSL received a malformed Handshake record.") ++ ++ER3(SSL_ERROR_RX_MALFORMED_APPLICATION_DATA , (SSL_ERROR_BASE + 40), ++"SSL received a malformed Application Data record.") ++ ++/* ++ * Received an SSL handshake that was inappropriate for the state we're in. ++ * E.g. Server received message from server, or wrong state in state machine. ++ */ ++ER3(SSL_ERROR_RX_UNEXPECTED_HELLO_REQUEST , (SSL_ERROR_BASE + 41), ++"SSL received an unexpected Hello Request handshake message.") ++ ++ER3(SSL_ERROR_RX_UNEXPECTED_CLIENT_HELLO , (SSL_ERROR_BASE + 42), ++"SSL received an unexpected Client Hello handshake message.") ++ ++ER3(SSL_ERROR_RX_UNEXPECTED_SERVER_HELLO , (SSL_ERROR_BASE + 43), ++"SSL received an unexpected Server Hello handshake message.") ++ ++ER3(SSL_ERROR_RX_UNEXPECTED_CERTIFICATE , (SSL_ERROR_BASE + 44), ++"SSL received an unexpected Certificate handshake message.") ++ ++ER3(SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH , (SSL_ERROR_BASE + 45), ++"SSL received an unexpected Server Key Exchange handshake message.") ++ ++ER3(SSL_ERROR_RX_UNEXPECTED_CERT_REQUEST , (SSL_ERROR_BASE + 46), ++"SSL received an unexpected Certificate Request handshake message.") ++ ++ER3(SSL_ERROR_RX_UNEXPECTED_HELLO_DONE , (SSL_ERROR_BASE + 47), ++"SSL received an unexpected Server Hello Done handshake message.") ++ ++ER3(SSL_ERROR_RX_UNEXPECTED_CERT_VERIFY , (SSL_ERROR_BASE + 48), ++"SSL received an unexpected Certificate Verify handshake message.") ++ ++ER3(SSL_ERROR_RX_UNEXPECTED_CLIENT_KEY_EXCH , (SSL_ERROR_BASE + 49), ++"SSL received an unexpected Client Key Exchange handshake message.") ++ ++ER3(SSL_ERROR_RX_UNEXPECTED_FINISHED , (SSL_ERROR_BASE + 50), ++"SSL received an unexpected Finished handshake message.") ++ ++/* ++ * Received an SSL record that was inappropriate for the state we're in. ++ */ ++ER3(SSL_ERROR_RX_UNEXPECTED_CHANGE_CIPHER , (SSL_ERROR_BASE + 51), ++"SSL received an unexpected Change Cipher Spec record.") ++ ++ER3(SSL_ERROR_RX_UNEXPECTED_ALERT , (SSL_ERROR_BASE + 52), ++"SSL received an unexpected Alert record.") ++ ++ER3(SSL_ERROR_RX_UNEXPECTED_HANDSHAKE , (SSL_ERROR_BASE + 53), ++"SSL received an unexpected Handshake record.") ++ ++ER3(SSL_ERROR_RX_UNEXPECTED_APPLICATION_DATA, (SSL_ERROR_BASE + 54), ++"SSL received an unexpected Application Data record.") ++ ++/* ++ * Received record/message with unknown discriminant. ++ */ ++ER3(SSL_ERROR_RX_UNKNOWN_RECORD_TYPE , (SSL_ERROR_BASE + 55), ++"SSL received a record with an unknown content type.") ++ ++ER3(SSL_ERROR_RX_UNKNOWN_HANDSHAKE , (SSL_ERROR_BASE + 56), ++"SSL received a handshake message with an unknown message type.") ++ ++ER3(SSL_ERROR_RX_UNKNOWN_ALERT , (SSL_ERROR_BASE + 57), ++"SSL received an alert record with an unknown alert description.") ++ ++/* ++ * Received an alert reporting what we did wrong. (more alerts above) ++ */ ++ER3(SSL_ERROR_CLOSE_NOTIFY_ALERT , (SSL_ERROR_BASE + 58), ++"SSL peer has closed this connection.") ++ ++ER3(SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT , (SSL_ERROR_BASE + 59), ++"SSL peer was not expecting a handshake message it received.") ++ ++ER3(SSL_ERROR_DECOMPRESSION_FAILURE_ALERT , (SSL_ERROR_BASE + 60), ++"SSL peer was unable to successfully decompress an SSL record it received.") ++ ++ER3(SSL_ERROR_HANDSHAKE_FAILURE_ALERT , (SSL_ERROR_BASE + 61), ++"SSL peer was unable to negotiate an acceptable set of security parameters.") ++ ++ER3(SSL_ERROR_ILLEGAL_PARAMETER_ALERT , (SSL_ERROR_BASE + 62), ++"SSL peer rejected a handshake message for unacceptable content.") ++ ++ER3(SSL_ERROR_UNSUPPORTED_CERT_ALERT , (SSL_ERROR_BASE + 63), ++"SSL peer does not support certificates of the type it received.") ++ ++ER3(SSL_ERROR_CERTIFICATE_UNKNOWN_ALERT , (SSL_ERROR_BASE + 64), ++"SSL peer had some unspecified issue with the certificate it received.") ++ ++ ++ER3(SSL_ERROR_GENERATE_RANDOM_FAILURE , (SSL_ERROR_BASE + 65), ++"SSL experienced a failure of its random number generator.") ++ ++ER3(SSL_ERROR_SIGN_HASHES_FAILURE , (SSL_ERROR_BASE + 66), ++"Unable to digitally sign data required to verify your certificate.") ++ ++ER3(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE , (SSL_ERROR_BASE + 67), ++"SSL was unable to extract the public key from the peer's certificate.") ++ ++ER3(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE , (SSL_ERROR_BASE + 68), ++"Unspecified failure while processing SSL Server Key Exchange handshake.") ++ ++ER3(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE , (SSL_ERROR_BASE + 69), ++"Unspecified failure while processing SSL Client Key Exchange handshake.") ++ ++ER3(SSL_ERROR_ENCRYPTION_FAILURE , (SSL_ERROR_BASE + 70), ++"Bulk data encryption algorithm failed in selected cipher suite.") ++ ++ER3(SSL_ERROR_DECRYPTION_FAILURE , (SSL_ERROR_BASE + 71), ++"Bulk data decryption algorithm failed in selected cipher suite.") ++ ++ER3(SSL_ERROR_SOCKET_WRITE_FAILURE , (SSL_ERROR_BASE + 72), ++"Attempt to write encrypted data to underlying socket failed.") ++ ++ER3(SSL_ERROR_MD5_DIGEST_FAILURE , (SSL_ERROR_BASE + 73), ++"MD5 digest function failed.") ++ ++ER3(SSL_ERROR_SHA_DIGEST_FAILURE , (SSL_ERROR_BASE + 74), ++"SHA-1 digest function failed.") ++ ++ER3(SSL_ERROR_MAC_COMPUTATION_FAILURE , (SSL_ERROR_BASE + 75), ++"MAC computation failed.") ++ ++ER3(SSL_ERROR_SYM_KEY_CONTEXT_FAILURE , (SSL_ERROR_BASE + 76), ++"Failure to create Symmetric Key context.") ++ ++ER3(SSL_ERROR_SYM_KEY_UNWRAP_FAILURE , (SSL_ERROR_BASE + 77), ++"Failure to unwrap the Symmetric key in Client Key Exchange message.") ++ ++ER3(SSL_ERROR_PUB_KEY_SIZE_LIMIT_EXCEEDED , (SSL_ERROR_BASE + 78), ++"SSL Server attempted to use domestic-grade public key with export cipher suite.") ++ ++ER3(SSL_ERROR_IV_PARAM_FAILURE , (SSL_ERROR_BASE + 79), ++"PKCS11 code failed to translate an IV into a param.") ++ ++ER3(SSL_ERROR_INIT_CIPHER_SUITE_FAILURE , (SSL_ERROR_BASE + 80), ++"Failed to initialize the selected cipher suite.") ++ ++ER3(SSL_ERROR_SESSION_KEY_GEN_FAILURE , (SSL_ERROR_BASE + 81), ++"Client failed to generate session keys for SSL session.") ++ ++ER3(SSL_ERROR_NO_SERVER_KEY_FOR_ALG , (SSL_ERROR_BASE + 82), ++"Server has no key for the attempted key exchange algorithm.") ++ ++ER3(SSL_ERROR_TOKEN_INSERTION_REMOVAL , (SSL_ERROR_BASE + 83), ++"PKCS#11 token was inserted or removed while operation was in progress.") ++ ++ER3(SSL_ERROR_TOKEN_SLOT_NOT_FOUND , (SSL_ERROR_BASE + 84), ++"No PKCS#11 token could be found to do a required operation.") ++ ++ER3(SSL_ERROR_NO_COMPRESSION_OVERLAP , (SSL_ERROR_BASE + 85), ++"Cannot communicate securely with peer: no common compression algorithm(s).") ++ ++ER3(SSL_ERROR_HANDSHAKE_NOT_COMPLETED , (SSL_ERROR_BASE + 86), ++"Cannot initiate another SSL handshake until current handshake is complete.") ++ ++ER3(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE , (SSL_ERROR_BASE + 87), ++"Received incorrect handshakes hash values from peer.") ++ ++ER3(SSL_ERROR_CERT_KEA_MISMATCH , (SSL_ERROR_BASE + 88), ++"The certificate provided cannot be used with the selected key exchange algorithm.") ++ ++ER3(SSL_ERROR_NO_TRUSTED_SSL_CLIENT_CA , (SSL_ERROR_BASE + 89), ++"No certificate authority is trusted for SSL client authentication.") ++ ++ER3(SSL_ERROR_SESSION_NOT_FOUND , (SSL_ERROR_BASE + 90), ++"Client's SSL session ID not found in server's session cache.") ++ ++ER3(SSL_ERROR_DECRYPTION_FAILED_ALERT , (SSL_ERROR_BASE + 91), ++"Peer was unable to decrypt an SSL record it received.") ++ ++ER3(SSL_ERROR_RECORD_OVERFLOW_ALERT , (SSL_ERROR_BASE + 92), ++"Peer received an SSL record that was longer than is permitted.") ++ ++ER3(SSL_ERROR_UNKNOWN_CA_ALERT , (SSL_ERROR_BASE + 93), ++"Peer does not recognize and trust the CA that issued your certificate.") ++ ++ER3(SSL_ERROR_ACCESS_DENIED_ALERT , (SSL_ERROR_BASE + 94), ++"Peer received a valid certificate, but access was denied.") ++ ++ER3(SSL_ERROR_DECODE_ERROR_ALERT , (SSL_ERROR_BASE + 95), ++"Peer could not decode an SSL handshake message.") ++ ++ER3(SSL_ERROR_DECRYPT_ERROR_ALERT , (SSL_ERROR_BASE + 96), ++"Peer reports failure of signature verification or key exchange.") ++ ++ER3(SSL_ERROR_EXPORT_RESTRICTION_ALERT , (SSL_ERROR_BASE + 97), ++"Peer reports negotiation not in compliance with export regulations.") ++ ++ER3(SSL_ERROR_PROTOCOL_VERSION_ALERT , (SSL_ERROR_BASE + 98), ++"Peer reports incompatible or unsupported protocol version.") ++ ++ER3(SSL_ERROR_INSUFFICIENT_SECURITY_ALERT , (SSL_ERROR_BASE + 99), ++"Server requires ciphers more secure than those supported by client.") ++ ++ER3(SSL_ERROR_INTERNAL_ERROR_ALERT , (SSL_ERROR_BASE + 100), ++"Peer reports it experienced an internal error.") ++ ++ER3(SSL_ERROR_USER_CANCELED_ALERT , (SSL_ERROR_BASE + 101), ++"Peer user canceled handshake.") ++ ++ER3(SSL_ERROR_NO_RENEGOTIATION_ALERT , (SSL_ERROR_BASE + 102), ++"Peer does not permit renegotiation of SSL security parameters.") ++ ++ER3(SSL_ERROR_SERVER_CACHE_NOT_CONFIGURED , (SSL_ERROR_BASE + 103), ++"SSL server cache not configured and not disabled for this socket.") ++ ++ER3(SSL_ERROR_UNSUPPORTED_EXTENSION_ALERT , (SSL_ERROR_BASE + 104), ++"SSL peer does not support requested TLS hello extension.") ++ ++ER3(SSL_ERROR_CERTIFICATE_UNOBTAINABLE_ALERT , (SSL_ERROR_BASE + 105), ++"SSL peer could not obtain your certificate from the supplied URL.") ++ ++ER3(SSL_ERROR_UNRECOGNIZED_NAME_ALERT , (SSL_ERROR_BASE + 106), ++"SSL peer has no certificate for the requested DNS name.") ++ ++ER3(SSL_ERROR_BAD_CERT_STATUS_RESPONSE_ALERT , (SSL_ERROR_BASE + 107), ++"SSL peer was unable to get an OCSP response for its certificate.") ++ ++ER3(SSL_ERROR_BAD_CERT_HASH_VALUE_ALERT , (SSL_ERROR_BASE + 108), ++"SSL peer reported bad certificate hash value.") ++ ++ER3(SSL_ERROR_RX_UNEXPECTED_NEW_SESSION_TICKET, (SSL_ERROR_BASE + 109), ++"SSL received an unexpected New Session Ticket handshake message.") ++ ++ER3(SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET, (SSL_ERROR_BASE + 110), ++"SSL received a malformed New Session Ticket handshake message.") ++ ++ER3(SSL_ERROR_DECOMPRESSION_FAILURE, (SSL_ERROR_BASE + 111), ++"SSL received a compressed record that could not be decompressed.") ++ ++ER3(SSL_ERROR_RENEGOTIATION_NOT_ALLOWED, (SSL_ERROR_BASE + 112), ++"Renegotiation is not allowed on this SSL socket.") ++ ++ER3(SSL_ERROR_UNSAFE_NEGOTIATION, (SSL_ERROR_BASE + 113), ++"Peer attempted old style (potentially vulnerable) handshake.") ++ ++ER3(SSL_ERROR_RX_UNEXPECTED_UNCOMPRESSED_RECORD, (SSL_ERROR_BASE + 114), ++"SSL received an unexpected uncompressed record.") +diff --git a/lib/nss_error.c b/lib/nss_error.c +index 211f2db..ea7f9ca 100644 +--- a/lib/nss_error.c ++++ b/lib/nss_error.c +@@ -1,6 +1,6 @@ + /* Internal (library + application) error reporting utilities. + +-Copyright (C) 2009 Red Hat, Inc. All rights reserved. ++Copyright (C) 2009, 2010 Red Hat, Inc. All rights reserved. + This copyrighted material is made available to anyone wishing to use, modify, + copy, or redistribute it subject to the terms and conditions of the GNU General + Public License v.2. +@@ -20,6 +20,7 @@ Author: Miloslav Trmač */ + #include + #include + #include ++#include + + #include "nss_error.h" + +@@ -32,6 +33,7 @@ struct mapping + static const struct mapping mapping[] = { + #define ER3(A, B, C) { (A), (C) }, + #include "SECerrs.h" ++ #include "SSLerrs.h" + #undef ER3 + }; + diff --git a/volume_key-0.3.4-volume-doc.patch b/volume_key-0.3.4-volume-doc.patch new file mode 100644 index 0000000..898d9fd --- /dev/null +++ b/volume_key-0.3.4-volume-doc.patch @@ -0,0 +1,64 @@ +2010-09-29 Miloslav Trmač + + * README + * doc/volume_key.8: Clarify which block device should be passed to + volume_key(8). + +diff --git a/README b/README +index a57bb02..ac58f51 100644 +--- a/README ++++ b/README +@@ -27,6 +27,11 @@ this: + * Run + volume_key --save /path/to/volume -o escrow-packet + You will be prompted for an escrow packet passphrase to protect the key. ++ ++ In all examples in this file, /path/to/volume is a LUKS device, not the ++ plaintext device containted within: (blkid -s TYPE /path/to/volume) should ++ report TYPE="crypto_LUKS". ++ + * Save the generated `escrow-packet' file, make sure you won't forget the + passphrase. + +@@ -87,6 +92,10 @@ Saving encryption keys + volume_key --save /path/to/volume -c /path/to/cert -o escrow-packet + where /path/to/cert points to the certificate distributed in the preparation + phase. ++ ++ In all examples in this file, /path/to/volume is a LUKS device, not the ++ plaintext device containted within: (blkid -s TYPE /path/to/volume) should ++ report TYPE="crypto_LUKS". + * Save the generated `escrow-packet' file in the prepared storage, associating + it with the system and the volume. + +diff --git a/doc/volume_key.8 b/doc/volume_key.8 +index b4a2000..be75b99 100644 +--- a/doc/volume_key.8 ++++ b/doc/volume_key.8 +@@ -16,7 +16,7 @@ + .\" Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + .\" + .\" Author: Miloslav Trmač ]) +-.TH volume_key 8 "May 2009" volume_key ++.TH volume_key 8 "Sep 2010" volume_key + + .SH NAME + volume_key \- work with volume encryption secrets and escrow packets +@@ -45,6 +45,17 @@ options. + See the OPTIONS sections for details. + + .SH OPTIONS ++ ++In all options described below, ++.I VOLUME ++is a LUKS device, ++not the plaintext device containted within: ++.RS ++.B blkid \-s TYPE ++.I VOLUME ++.RE ++should report \fBTYPE="crypto_LUKS"\fP. ++ + The following options determine the mode of operation and expected operands of + \fBvolume_key\fP: + diff --git a/volume_key.spec b/volume_key.spec index e6eccf9..9112e80 100644 --- a/volume_key.spec +++ b/volume_key.spec @@ -3,13 +3,17 @@ Summary: An utility for manipulating storage encryption keys and passphrases Name: volume_key Version: 0.3.4 -Release: 1%{?dist} +Release: 2%{?dist} License: GPLv2 Group: Applications/System URL: https://fedorahosted.org/volume_key/ Requires: volume_key-libs = %{version}-%{release} Source0: https://fedorahosted.org/releases/v/o/volume_key/volume_key-%{version}.tar.xz +# Upstream commit 3486c1c8112bd625bfe6bde55c337c4edbd75277 +Patch0: volume_key-0.3.4-volume-doc.patch +# Upstream commit a2ab2a3546f3ee5937bb4272f4f26650f31f42bb +Patch1: volume_key-0.3.4-ssl-errors.patch BuildRequires: cryptsetup-luks-devel, gettext-devel, glib2-devel, gnupg BuildRequires: gpgme-devel, libblkid-devel, nss-devel, python-devel @@ -73,6 +77,8 @@ for other formats is possible, some formats are planned for future releases. %prep %setup -q +%patch0 -p1 -b .volume-doc +%patch1 -p1 -b .ssl-errors %build %configure @@ -113,6 +119,12 @@ rm -rf $RPM_BUILD_ROOT %{python_sitearch}/volume_key.py* %changelog +* Wed Sep 29 2010 Miloslav Trmač - 0.3.4-2 +- Clarify which block device should be passed as an argument + Resolves: #636541 +- Recognize SSL error messages from NSS as well + Resolves: #638732 + * Fri Aug 27 2010 Miloslav Trmač - 0.3.4-1 - Update to volume_key-0.3.4