* Wed Sep 29 2010 Miloslav Trmač <mitr@redhat.com> - 0.3.4-2
- Clarify which block device should be passed as an argument Resolves: #636541 - Recognize SSL error messages from NSS as well Resolves: #638732
This commit is contained in:
parent
62a674eb0b
commit
2e6d0e53e8
460
volume_key-0.3.4-ssl-errors.patch
Normal file
460
volume_key-0.3.4-ssl-errors.patch
Normal file
@ -0,0 +1,460 @@
|
|||||||
|
2010-09-29 Miloslav Trmač <mitr@redhat.com>
|
||||||
|
|
||||||
|
* lib/SSLerrs.h: New file.
|
||||||
|
* Makefile.am (lib_libvolume_key_la_SOURCES): Add lib/SSLerrs.h.
|
||||||
|
* lib/nss_error.c (mapping): Use SSLerrs.h.
|
||||||
|
|
||||||
|
diff --git a/Makefile.am b/Makefile.am
|
||||||
|
index 9874ff1..fc06d95 100644
|
||||||
|
--- a/Makefile.am
|
||||||
|
+++ b/Makefile.am
|
||||||
|
@@ -48,7 +48,7 @@ python/volume_key_wrap.c python/volume_key.py: python/volume_key.i
|
||||||
|
python/volume_key.py: python/volume_key_wrap.c
|
||||||
|
|
||||||
|
## Dependency data
|
||||||
|
-lib_libvolume_key_la_SOURCES = lib/SECerrs.h \
|
||||||
|
+lib_libvolume_key_la_SOURCES = lib/SECerrs.h lib/SSLerrs.h \
|
||||||
|
lib/crypto.c lib/crypto.h \
|
||||||
|
lib/kmip.c lib/kmip.h \
|
||||||
|
lib/libvolume_key.c lib/libvolume_key.h \
|
||||||
|
diff --git a/lib/SSLerrs.h b/lib/SSLerrs.h
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000..4ae90f6
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/lib/SSLerrs.h
|
||||||
|
@@ -0,0 +1,407 @@
|
||||||
|
+/* copied from nss-3.12.6/mozilla/security/nss/cmd/lib because NSS does not
|
||||||
|
+ provide any API for error number => string translation:
|
||||||
|
+ https://bugzilla.mozilla.org/show_bug.cgi?id=329017 */
|
||||||
|
+/* ***** BEGIN LICENSE BLOCK *****
|
||||||
|
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
|
||||||
|
+ *
|
||||||
|
+ * The contents of this file are subject to the Mozilla Public License Version
|
||||||
|
+ * 1.1 (the "License"); you may not use this file except in compliance with
|
||||||
|
+ * the License. You may obtain a copy of the License at
|
||||||
|
+ * http://www.mozilla.org/MPL/
|
||||||
|
+ *
|
||||||
|
+ * Software distributed under the License is distributed on an "AS IS" basis,
|
||||||
|
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
|
||||||
|
+ * for the specific language governing rights and limitations under the
|
||||||
|
+ * License.
|
||||||
|
+ *
|
||||||
|
+ * The Original Code is the Netscape security libraries.
|
||||||
|
+ *
|
||||||
|
+ * The Initial Developer of the Original Code is
|
||||||
|
+ * Netscape Communications Corporation.
|
||||||
|
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
|
||||||
|
+ * the Initial Developer. All Rights Reserved.
|
||||||
|
+ *
|
||||||
|
+ * Contributor(s):
|
||||||
|
+ *
|
||||||
|
+ * Alternatively, the contents of this file may be used under the terms of
|
||||||
|
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
|
||||||
|
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
|
||||||
|
+ * in which case the provisions of the GPL or the LGPL are applicable instead
|
||||||
|
+ * of those above. If you wish to allow use of your version of this file only
|
||||||
|
+ * under the terms of either the GPL or the LGPL, and not to allow others to
|
||||||
|
+ * use your version of this file under the terms of the MPL, indicate your
|
||||||
|
+ * decision by deleting the provisions above and replace them with the notice
|
||||||
|
+ * and other provisions required by the GPL or the LGPL. If you do not delete
|
||||||
|
+ * the provisions above, a recipient may use your version of this file under
|
||||||
|
+ * the terms of any one of the MPL, the GPL or the LGPL.
|
||||||
|
+ *
|
||||||
|
+ * ***** END LICENSE BLOCK ***** */
|
||||||
|
+
|
||||||
|
+/* SSL-specific security error codes */
|
||||||
|
+/* caller must include "sslerr.h" */
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_EXPORT_ONLY_SERVER, SSL_ERROR_BASE + 0,
|
||||||
|
+"Unable to communicate securely. Peer does not support high-grade encryption.")
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_US_ONLY_SERVER, SSL_ERROR_BASE + 1,
|
||||||
|
+"Unable to communicate securely. Peer requires high-grade encryption which is not supported.")
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_NO_CYPHER_OVERLAP, SSL_ERROR_BASE + 2,
|
||||||
|
+"Cannot communicate securely with peer: no common encryption algorithm(s).")
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_NO_CERTIFICATE, SSL_ERROR_BASE + 3,
|
||||||
|
+"Unable to find the certificate or key necessary for authentication.")
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_BAD_CERTIFICATE, SSL_ERROR_BASE + 4,
|
||||||
|
+"Unable to communicate securely with peer: peers's certificate was rejected.")
|
||||||
|
+
|
||||||
|
+/* unused (SSL_ERROR_BASE + 5),*/
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_BAD_CLIENT, SSL_ERROR_BASE + 6,
|
||||||
|
+"The server has encountered bad data from the client.")
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_BAD_SERVER, SSL_ERROR_BASE + 7,
|
||||||
|
+"The client has encountered bad data from the server.")
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_UNSUPPORTED_CERTIFICATE_TYPE, SSL_ERROR_BASE + 8,
|
||||||
|
+"Unsupported certificate type.")
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_UNSUPPORTED_VERSION, SSL_ERROR_BASE + 9,
|
||||||
|
+"Peer using unsupported version of security protocol.")
|
||||||
|
+
|
||||||
|
+/* unused (SSL_ERROR_BASE + 10),*/
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_WRONG_CERTIFICATE, SSL_ERROR_BASE + 11,
|
||||||
|
+"Client authentication failed: private key in key database does not match public key in certificate database.")
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_BAD_CERT_DOMAIN, SSL_ERROR_BASE + 12,
|
||||||
|
+"Unable to communicate securely with peer: requested domain name does not match the server's certificate.")
|
||||||
|
+
|
||||||
|
+/* SSL_ERROR_POST_WARNING (SSL_ERROR_BASE + 13),
|
||||||
|
+ defined in sslerr.h
|
||||||
|
+*/
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_SSL2_DISABLED, (SSL_ERROR_BASE + 14),
|
||||||
|
+"Peer only supports SSL version 2, which is locally disabled.")
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_BAD_MAC_READ, (SSL_ERROR_BASE + 15),
|
||||||
|
+"SSL received a record with an incorrect Message Authentication Code.")
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_BAD_MAC_ALERT, (SSL_ERROR_BASE + 16),
|
||||||
|
+"SSL peer reports incorrect Message Authentication Code.")
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_BAD_CERT_ALERT, (SSL_ERROR_BASE + 17),
|
||||||
|
+"SSL peer cannot verify your certificate.")
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_REVOKED_CERT_ALERT, (SSL_ERROR_BASE + 18),
|
||||||
|
+"SSL peer rejected your certificate as revoked.")
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_EXPIRED_CERT_ALERT, (SSL_ERROR_BASE + 19),
|
||||||
|
+"SSL peer rejected your certificate as expired.")
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_SSL_DISABLED, (SSL_ERROR_BASE + 20),
|
||||||
|
+"Cannot connect: SSL is disabled.")
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_FORTEZZA_PQG, (SSL_ERROR_BASE + 21),
|
||||||
|
+"Cannot connect: SSL peer is in another FORTEZZA domain.")
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_UNKNOWN_CIPHER_SUITE , (SSL_ERROR_BASE + 22),
|
||||||
|
+"An unknown SSL cipher suite has been requested.")
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_NO_CIPHERS_SUPPORTED , (SSL_ERROR_BASE + 23),
|
||||||
|
+"No cipher suites are present and enabled in this program.")
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_BAD_BLOCK_PADDING , (SSL_ERROR_BASE + 24),
|
||||||
|
+"SSL received a record with bad block padding.")
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_RX_RECORD_TOO_LONG , (SSL_ERROR_BASE + 25),
|
||||||
|
+"SSL received a record that exceeded the maximum permissible length.")
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_TX_RECORD_TOO_LONG , (SSL_ERROR_BASE + 26),
|
||||||
|
+"SSL attempted to send a record that exceeded the maximum permissible length.")
|
||||||
|
+
|
||||||
|
+/*
|
||||||
|
+ * Received a malformed (too long or short or invalid content) SSL handshake.
|
||||||
|
+ */
|
||||||
|
+ER3(SSL_ERROR_RX_MALFORMED_HELLO_REQUEST , (SSL_ERROR_BASE + 27),
|
||||||
|
+"SSL received a malformed Hello Request handshake message.")
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO , (SSL_ERROR_BASE + 28),
|
||||||
|
+"SSL received a malformed Client Hello handshake message.")
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_RX_MALFORMED_SERVER_HELLO , (SSL_ERROR_BASE + 29),
|
||||||
|
+"SSL received a malformed Server Hello handshake message.")
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_RX_MALFORMED_CERTIFICATE , (SSL_ERROR_BASE + 30),
|
||||||
|
+"SSL received a malformed Certificate handshake message.")
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_RX_MALFORMED_SERVER_KEY_EXCH , (SSL_ERROR_BASE + 31),
|
||||||
|
+"SSL received a malformed Server Key Exchange handshake message.")
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_RX_MALFORMED_CERT_REQUEST , (SSL_ERROR_BASE + 32),
|
||||||
|
+"SSL received a malformed Certificate Request handshake message.")
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_RX_MALFORMED_HELLO_DONE , (SSL_ERROR_BASE + 33),
|
||||||
|
+"SSL received a malformed Server Hello Done handshake message.")
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_RX_MALFORMED_CERT_VERIFY , (SSL_ERROR_BASE + 34),
|
||||||
|
+"SSL received a malformed Certificate Verify handshake message.")
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_RX_MALFORMED_CLIENT_KEY_EXCH , (SSL_ERROR_BASE + 35),
|
||||||
|
+"SSL received a malformed Client Key Exchange handshake message.")
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_RX_MALFORMED_FINISHED , (SSL_ERROR_BASE + 36),
|
||||||
|
+"SSL received a malformed Finished handshake message.")
|
||||||
|
+
|
||||||
|
+/*
|
||||||
|
+ * Received a malformed (too long or short) SSL record.
|
||||||
|
+ */
|
||||||
|
+ER3(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER , (SSL_ERROR_BASE + 37),
|
||||||
|
+"SSL received a malformed Change Cipher Spec record.")
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_RX_MALFORMED_ALERT , (SSL_ERROR_BASE + 38),
|
||||||
|
+"SSL received a malformed Alert record.")
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_RX_MALFORMED_HANDSHAKE , (SSL_ERROR_BASE + 39),
|
||||||
|
+"SSL received a malformed Handshake record.")
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_RX_MALFORMED_APPLICATION_DATA , (SSL_ERROR_BASE + 40),
|
||||||
|
+"SSL received a malformed Application Data record.")
|
||||||
|
+
|
||||||
|
+/*
|
||||||
|
+ * Received an SSL handshake that was inappropriate for the state we're in.
|
||||||
|
+ * E.g. Server received message from server, or wrong state in state machine.
|
||||||
|
+ */
|
||||||
|
+ER3(SSL_ERROR_RX_UNEXPECTED_HELLO_REQUEST , (SSL_ERROR_BASE + 41),
|
||||||
|
+"SSL received an unexpected Hello Request handshake message.")
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_RX_UNEXPECTED_CLIENT_HELLO , (SSL_ERROR_BASE + 42),
|
||||||
|
+"SSL received an unexpected Client Hello handshake message.")
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_RX_UNEXPECTED_SERVER_HELLO , (SSL_ERROR_BASE + 43),
|
||||||
|
+"SSL received an unexpected Server Hello handshake message.")
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_RX_UNEXPECTED_CERTIFICATE , (SSL_ERROR_BASE + 44),
|
||||||
|
+"SSL received an unexpected Certificate handshake message.")
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH , (SSL_ERROR_BASE + 45),
|
||||||
|
+"SSL received an unexpected Server Key Exchange handshake message.")
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_RX_UNEXPECTED_CERT_REQUEST , (SSL_ERROR_BASE + 46),
|
||||||
|
+"SSL received an unexpected Certificate Request handshake message.")
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_RX_UNEXPECTED_HELLO_DONE , (SSL_ERROR_BASE + 47),
|
||||||
|
+"SSL received an unexpected Server Hello Done handshake message.")
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_RX_UNEXPECTED_CERT_VERIFY , (SSL_ERROR_BASE + 48),
|
||||||
|
+"SSL received an unexpected Certificate Verify handshake message.")
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_RX_UNEXPECTED_CLIENT_KEY_EXCH , (SSL_ERROR_BASE + 49),
|
||||||
|
+"SSL received an unexpected Client Key Exchange handshake message.")
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_RX_UNEXPECTED_FINISHED , (SSL_ERROR_BASE + 50),
|
||||||
|
+"SSL received an unexpected Finished handshake message.")
|
||||||
|
+
|
||||||
|
+/*
|
||||||
|
+ * Received an SSL record that was inappropriate for the state we're in.
|
||||||
|
+ */
|
||||||
|
+ER3(SSL_ERROR_RX_UNEXPECTED_CHANGE_CIPHER , (SSL_ERROR_BASE + 51),
|
||||||
|
+"SSL received an unexpected Change Cipher Spec record.")
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_RX_UNEXPECTED_ALERT , (SSL_ERROR_BASE + 52),
|
||||||
|
+"SSL received an unexpected Alert record.")
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_RX_UNEXPECTED_HANDSHAKE , (SSL_ERROR_BASE + 53),
|
||||||
|
+"SSL received an unexpected Handshake record.")
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_RX_UNEXPECTED_APPLICATION_DATA, (SSL_ERROR_BASE + 54),
|
||||||
|
+"SSL received an unexpected Application Data record.")
|
||||||
|
+
|
||||||
|
+/*
|
||||||
|
+ * Received record/message with unknown discriminant.
|
||||||
|
+ */
|
||||||
|
+ER3(SSL_ERROR_RX_UNKNOWN_RECORD_TYPE , (SSL_ERROR_BASE + 55),
|
||||||
|
+"SSL received a record with an unknown content type.")
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_RX_UNKNOWN_HANDSHAKE , (SSL_ERROR_BASE + 56),
|
||||||
|
+"SSL received a handshake message with an unknown message type.")
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_RX_UNKNOWN_ALERT , (SSL_ERROR_BASE + 57),
|
||||||
|
+"SSL received an alert record with an unknown alert description.")
|
||||||
|
+
|
||||||
|
+/*
|
||||||
|
+ * Received an alert reporting what we did wrong. (more alerts above)
|
||||||
|
+ */
|
||||||
|
+ER3(SSL_ERROR_CLOSE_NOTIFY_ALERT , (SSL_ERROR_BASE + 58),
|
||||||
|
+"SSL peer has closed this connection.")
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT , (SSL_ERROR_BASE + 59),
|
||||||
|
+"SSL peer was not expecting a handshake message it received.")
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_DECOMPRESSION_FAILURE_ALERT , (SSL_ERROR_BASE + 60),
|
||||||
|
+"SSL peer was unable to successfully decompress an SSL record it received.")
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_HANDSHAKE_FAILURE_ALERT , (SSL_ERROR_BASE + 61),
|
||||||
|
+"SSL peer was unable to negotiate an acceptable set of security parameters.")
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_ILLEGAL_PARAMETER_ALERT , (SSL_ERROR_BASE + 62),
|
||||||
|
+"SSL peer rejected a handshake message for unacceptable content.")
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_UNSUPPORTED_CERT_ALERT , (SSL_ERROR_BASE + 63),
|
||||||
|
+"SSL peer does not support certificates of the type it received.")
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_CERTIFICATE_UNKNOWN_ALERT , (SSL_ERROR_BASE + 64),
|
||||||
|
+"SSL peer had some unspecified issue with the certificate it received.")
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_GENERATE_RANDOM_FAILURE , (SSL_ERROR_BASE + 65),
|
||||||
|
+"SSL experienced a failure of its random number generator.")
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_SIGN_HASHES_FAILURE , (SSL_ERROR_BASE + 66),
|
||||||
|
+"Unable to digitally sign data required to verify your certificate.")
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE , (SSL_ERROR_BASE + 67),
|
||||||
|
+"SSL was unable to extract the public key from the peer's certificate.")
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE , (SSL_ERROR_BASE + 68),
|
||||||
|
+"Unspecified failure while processing SSL Server Key Exchange handshake.")
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE , (SSL_ERROR_BASE + 69),
|
||||||
|
+"Unspecified failure while processing SSL Client Key Exchange handshake.")
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_ENCRYPTION_FAILURE , (SSL_ERROR_BASE + 70),
|
||||||
|
+"Bulk data encryption algorithm failed in selected cipher suite.")
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_DECRYPTION_FAILURE , (SSL_ERROR_BASE + 71),
|
||||||
|
+"Bulk data decryption algorithm failed in selected cipher suite.")
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_SOCKET_WRITE_FAILURE , (SSL_ERROR_BASE + 72),
|
||||||
|
+"Attempt to write encrypted data to underlying socket failed.")
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_MD5_DIGEST_FAILURE , (SSL_ERROR_BASE + 73),
|
||||||
|
+"MD5 digest function failed.")
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_SHA_DIGEST_FAILURE , (SSL_ERROR_BASE + 74),
|
||||||
|
+"SHA-1 digest function failed.")
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_MAC_COMPUTATION_FAILURE , (SSL_ERROR_BASE + 75),
|
||||||
|
+"MAC computation failed.")
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_SYM_KEY_CONTEXT_FAILURE , (SSL_ERROR_BASE + 76),
|
||||||
|
+"Failure to create Symmetric Key context.")
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_SYM_KEY_UNWRAP_FAILURE , (SSL_ERROR_BASE + 77),
|
||||||
|
+"Failure to unwrap the Symmetric key in Client Key Exchange message.")
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_PUB_KEY_SIZE_LIMIT_EXCEEDED , (SSL_ERROR_BASE + 78),
|
||||||
|
+"SSL Server attempted to use domestic-grade public key with export cipher suite.")
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_IV_PARAM_FAILURE , (SSL_ERROR_BASE + 79),
|
||||||
|
+"PKCS11 code failed to translate an IV into a param.")
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_INIT_CIPHER_SUITE_FAILURE , (SSL_ERROR_BASE + 80),
|
||||||
|
+"Failed to initialize the selected cipher suite.")
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_SESSION_KEY_GEN_FAILURE , (SSL_ERROR_BASE + 81),
|
||||||
|
+"Client failed to generate session keys for SSL session.")
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_NO_SERVER_KEY_FOR_ALG , (SSL_ERROR_BASE + 82),
|
||||||
|
+"Server has no key for the attempted key exchange algorithm.")
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_TOKEN_INSERTION_REMOVAL , (SSL_ERROR_BASE + 83),
|
||||||
|
+"PKCS#11 token was inserted or removed while operation was in progress.")
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_TOKEN_SLOT_NOT_FOUND , (SSL_ERROR_BASE + 84),
|
||||||
|
+"No PKCS#11 token could be found to do a required operation.")
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_NO_COMPRESSION_OVERLAP , (SSL_ERROR_BASE + 85),
|
||||||
|
+"Cannot communicate securely with peer: no common compression algorithm(s).")
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_HANDSHAKE_NOT_COMPLETED , (SSL_ERROR_BASE + 86),
|
||||||
|
+"Cannot initiate another SSL handshake until current handshake is complete.")
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE , (SSL_ERROR_BASE + 87),
|
||||||
|
+"Received incorrect handshakes hash values from peer.")
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_CERT_KEA_MISMATCH , (SSL_ERROR_BASE + 88),
|
||||||
|
+"The certificate provided cannot be used with the selected key exchange algorithm.")
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_NO_TRUSTED_SSL_CLIENT_CA , (SSL_ERROR_BASE + 89),
|
||||||
|
+"No certificate authority is trusted for SSL client authentication.")
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_SESSION_NOT_FOUND , (SSL_ERROR_BASE + 90),
|
||||||
|
+"Client's SSL session ID not found in server's session cache.")
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_DECRYPTION_FAILED_ALERT , (SSL_ERROR_BASE + 91),
|
||||||
|
+"Peer was unable to decrypt an SSL record it received.")
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_RECORD_OVERFLOW_ALERT , (SSL_ERROR_BASE + 92),
|
||||||
|
+"Peer received an SSL record that was longer than is permitted.")
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_UNKNOWN_CA_ALERT , (SSL_ERROR_BASE + 93),
|
||||||
|
+"Peer does not recognize and trust the CA that issued your certificate.")
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_ACCESS_DENIED_ALERT , (SSL_ERROR_BASE + 94),
|
||||||
|
+"Peer received a valid certificate, but access was denied.")
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_DECODE_ERROR_ALERT , (SSL_ERROR_BASE + 95),
|
||||||
|
+"Peer could not decode an SSL handshake message.")
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_DECRYPT_ERROR_ALERT , (SSL_ERROR_BASE + 96),
|
||||||
|
+"Peer reports failure of signature verification or key exchange.")
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_EXPORT_RESTRICTION_ALERT , (SSL_ERROR_BASE + 97),
|
||||||
|
+"Peer reports negotiation not in compliance with export regulations.")
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_PROTOCOL_VERSION_ALERT , (SSL_ERROR_BASE + 98),
|
||||||
|
+"Peer reports incompatible or unsupported protocol version.")
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_INSUFFICIENT_SECURITY_ALERT , (SSL_ERROR_BASE + 99),
|
||||||
|
+"Server requires ciphers more secure than those supported by client.")
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_INTERNAL_ERROR_ALERT , (SSL_ERROR_BASE + 100),
|
||||||
|
+"Peer reports it experienced an internal error.")
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_USER_CANCELED_ALERT , (SSL_ERROR_BASE + 101),
|
||||||
|
+"Peer user canceled handshake.")
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_NO_RENEGOTIATION_ALERT , (SSL_ERROR_BASE + 102),
|
||||||
|
+"Peer does not permit renegotiation of SSL security parameters.")
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_SERVER_CACHE_NOT_CONFIGURED , (SSL_ERROR_BASE + 103),
|
||||||
|
+"SSL server cache not configured and not disabled for this socket.")
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_UNSUPPORTED_EXTENSION_ALERT , (SSL_ERROR_BASE + 104),
|
||||||
|
+"SSL peer does not support requested TLS hello extension.")
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_CERTIFICATE_UNOBTAINABLE_ALERT , (SSL_ERROR_BASE + 105),
|
||||||
|
+"SSL peer could not obtain your certificate from the supplied URL.")
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_UNRECOGNIZED_NAME_ALERT , (SSL_ERROR_BASE + 106),
|
||||||
|
+"SSL peer has no certificate for the requested DNS name.")
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_BAD_CERT_STATUS_RESPONSE_ALERT , (SSL_ERROR_BASE + 107),
|
||||||
|
+"SSL peer was unable to get an OCSP response for its certificate.")
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_BAD_CERT_HASH_VALUE_ALERT , (SSL_ERROR_BASE + 108),
|
||||||
|
+"SSL peer reported bad certificate hash value.")
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_RX_UNEXPECTED_NEW_SESSION_TICKET, (SSL_ERROR_BASE + 109),
|
||||||
|
+"SSL received an unexpected New Session Ticket handshake message.")
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET, (SSL_ERROR_BASE + 110),
|
||||||
|
+"SSL received a malformed New Session Ticket handshake message.")
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_DECOMPRESSION_FAILURE, (SSL_ERROR_BASE + 111),
|
||||||
|
+"SSL received a compressed record that could not be decompressed.")
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_RENEGOTIATION_NOT_ALLOWED, (SSL_ERROR_BASE + 112),
|
||||||
|
+"Renegotiation is not allowed on this SSL socket.")
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_UNSAFE_NEGOTIATION, (SSL_ERROR_BASE + 113),
|
||||||
|
+"Peer attempted old style (potentially vulnerable) handshake.")
|
||||||
|
+
|
||||||
|
+ER3(SSL_ERROR_RX_UNEXPECTED_UNCOMPRESSED_RECORD, (SSL_ERROR_BASE + 114),
|
||||||
|
+"SSL received an unexpected uncompressed record.")
|
||||||
|
diff --git a/lib/nss_error.c b/lib/nss_error.c
|
||||||
|
index 211f2db..ea7f9ca 100644
|
||||||
|
--- a/lib/nss_error.c
|
||||||
|
+++ b/lib/nss_error.c
|
||||||
|
@@ -1,6 +1,6 @@
|
||||||
|
/* Internal (library + application) error reporting utilities.
|
||||||
|
|
||||||
|
-Copyright (C) 2009 Red Hat, Inc. All rights reserved.
|
||||||
|
+Copyright (C) 2009, 2010 Red Hat, Inc. All rights reserved.
|
||||||
|
This copyrighted material is made available to anyone wishing to use, modify,
|
||||||
|
copy, or redistribute it subject to the terms and conditions of the GNU General
|
||||||
|
Public License v.2.
|
||||||
|
@@ -20,6 +20,7 @@ Author: Miloslav Trmač <mitr@redhat.com> */
|
||||||
|
#include <glib.h>
|
||||||
|
#include <prerror.h>
|
||||||
|
#include <secerr.h>
|
||||||
|
+#include <sslerr.h>
|
||||||
|
|
||||||
|
#include "nss_error.h"
|
||||||
|
|
||||||
|
@@ -32,6 +33,7 @@ struct mapping
|
||||||
|
static const struct mapping mapping[] = {
|
||||||
|
#define ER3(A, B, C) { (A), (C) },
|
||||||
|
#include "SECerrs.h"
|
||||||
|
+ #include "SSLerrs.h"
|
||||||
|
#undef ER3
|
||||||
|
};
|
||||||
|
|
64
volume_key-0.3.4-volume-doc.patch
Normal file
64
volume_key-0.3.4-volume-doc.patch
Normal file
@ -0,0 +1,64 @@
|
|||||||
|
2010-09-29 Miloslav Trmač <mitr@redhat.com>
|
||||||
|
|
||||||
|
* README
|
||||||
|
* doc/volume_key.8: Clarify which block device should be passed to
|
||||||
|
volume_key(8).
|
||||||
|
|
||||||
|
diff --git a/README b/README
|
||||||
|
index a57bb02..ac58f51 100644
|
||||||
|
--- a/README
|
||||||
|
+++ b/README
|
||||||
|
@@ -27,6 +27,11 @@ this:
|
||||||
|
* Run
|
||||||
|
volume_key --save /path/to/volume -o escrow-packet
|
||||||
|
You will be prompted for an escrow packet passphrase to protect the key.
|
||||||
|
+
|
||||||
|
+ In all examples in this file, /path/to/volume is a LUKS device, not the
|
||||||
|
+ plaintext device containted within: (blkid -s TYPE /path/to/volume) should
|
||||||
|
+ report TYPE="crypto_LUKS".
|
||||||
|
+
|
||||||
|
* Save the generated `escrow-packet' file, make sure you won't forget the
|
||||||
|
passphrase.
|
||||||
|
|
||||||
|
@@ -87,6 +92,10 @@ Saving encryption keys
|
||||||
|
volume_key --save /path/to/volume -c /path/to/cert -o escrow-packet
|
||||||
|
where /path/to/cert points to the certificate distributed in the preparation
|
||||||
|
phase.
|
||||||
|
+
|
||||||
|
+ In all examples in this file, /path/to/volume is a LUKS device, not the
|
||||||
|
+ plaintext device containted within: (blkid -s TYPE /path/to/volume) should
|
||||||
|
+ report TYPE="crypto_LUKS".
|
||||||
|
* Save the generated `escrow-packet' file in the prepared storage, associating
|
||||||
|
it with the system and the volume.
|
||||||
|
|
||||||
|
diff --git a/doc/volume_key.8 b/doc/volume_key.8
|
||||||
|
index b4a2000..be75b99 100644
|
||||||
|
--- a/doc/volume_key.8
|
||||||
|
+++ b/doc/volume_key.8
|
||||||
|
@@ -16,7 +16,7 @@
|
||||||
|
.\" Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
|
||||||
|
.\"
|
||||||
|
.\" Author: Miloslav Trmač <mitr@redhat.com>])
|
||||||
|
-.TH volume_key 8 "May 2009" volume_key
|
||||||
|
+.TH volume_key 8 "Sep 2010" volume_key
|
||||||
|
|
||||||
|
.SH NAME
|
||||||
|
volume_key \- work with volume encryption secrets and escrow packets
|
||||||
|
@@ -45,6 +45,17 @@ options.
|
||||||
|
See the OPTIONS sections for details.
|
||||||
|
|
||||||
|
.SH OPTIONS
|
||||||
|
+
|
||||||
|
+In all options described below,
|
||||||
|
+.I VOLUME
|
||||||
|
+is a LUKS device,
|
||||||
|
+not the plaintext device containted within:
|
||||||
|
+.RS
|
||||||
|
+.B blkid \-s TYPE
|
||||||
|
+.I VOLUME
|
||||||
|
+.RE
|
||||||
|
+should report \fBTYPE="crypto_LUKS"\fP.
|
||||||
|
+
|
||||||
|
The following options determine the mode of operation and expected operands of
|
||||||
|
\fBvolume_key\fP:
|
||||||
|
|
@ -3,13 +3,17 @@
|
|||||||
Summary: An utility for manipulating storage encryption keys and passphrases
|
Summary: An utility for manipulating storage encryption keys and passphrases
|
||||||
Name: volume_key
|
Name: volume_key
|
||||||
Version: 0.3.4
|
Version: 0.3.4
|
||||||
Release: 1%{?dist}
|
Release: 2%{?dist}
|
||||||
License: GPLv2
|
License: GPLv2
|
||||||
Group: Applications/System
|
Group: Applications/System
|
||||||
URL: https://fedorahosted.org/volume_key/
|
URL: https://fedorahosted.org/volume_key/
|
||||||
Requires: volume_key-libs = %{version}-%{release}
|
Requires: volume_key-libs = %{version}-%{release}
|
||||||
|
|
||||||
Source0: https://fedorahosted.org/releases/v/o/volume_key/volume_key-%{version}.tar.xz
|
Source0: https://fedorahosted.org/releases/v/o/volume_key/volume_key-%{version}.tar.xz
|
||||||
|
# Upstream commit 3486c1c8112bd625bfe6bde55c337c4edbd75277
|
||||||
|
Patch0: volume_key-0.3.4-volume-doc.patch
|
||||||
|
# Upstream commit a2ab2a3546f3ee5937bb4272f4f26650f31f42bb
|
||||||
|
Patch1: volume_key-0.3.4-ssl-errors.patch
|
||||||
BuildRequires: cryptsetup-luks-devel, gettext-devel, glib2-devel, gnupg
|
BuildRequires: cryptsetup-luks-devel, gettext-devel, glib2-devel, gnupg
|
||||||
BuildRequires: gpgme-devel, libblkid-devel, nss-devel, python-devel
|
BuildRequires: gpgme-devel, libblkid-devel, nss-devel, python-devel
|
||||||
|
|
||||||
@ -73,6 +77,8 @@ for other formats is possible, some formats are planned for future releases.
|
|||||||
|
|
||||||
%prep
|
%prep
|
||||||
%setup -q
|
%setup -q
|
||||||
|
%patch0 -p1 -b .volume-doc
|
||||||
|
%patch1 -p1 -b .ssl-errors
|
||||||
|
|
||||||
%build
|
%build
|
||||||
%configure
|
%configure
|
||||||
@ -113,6 +119,12 @@ rm -rf $RPM_BUILD_ROOT
|
|||||||
%{python_sitearch}/volume_key.py*
|
%{python_sitearch}/volume_key.py*
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Sep 29 2010 Miloslav Trmač <mitr@redhat.com> - 0.3.4-2
|
||||||
|
- Clarify which block device should be passed as an argument
|
||||||
|
Resolves: #636541
|
||||||
|
- Recognize SSL error messages from NSS as well
|
||||||
|
Resolves: #638732
|
||||||
|
|
||||||
* Fri Aug 27 2010 Miloslav Trmač <mitr@redhat.com> - 0.3.4-1
|
* Fri Aug 27 2010 Miloslav Trmač <mitr@redhat.com> - 0.3.4-1
|
||||||
- Update to volume_key-0.3.4
|
- Update to volume_key-0.3.4
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user