Bug 1310262

Summary: libreswan does not check crl files after start
Product: Red Hat Enterprise Linux 6 Reporter: Jaroslav Aster <jaster>
Component: libreswanAssignee: Paul Wouters <pwouters>
Status: CLOSED WONTFIX QA Contact: Jaroslav Aster <jaster>
Severity: medium Docs Contact:
Priority: medium    
Version: 6.8CC: cww, jaster, mrogers, omoris, tis
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-08-15 19:02:01 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
IPsec data files. none

Description Jaroslav Aster 2016-02-19 22:15:58 UTC 
Description of problem:

Libreswan does not check crl files after start, respectively it does not print information about check into the log file. This is a different behaviour against libreswan on rhel-7.


Version-Release number of selected component (if applicable):

libreswan-3.15-5.1.el6


How reproducible:

100%

Steps to Reproduce:
1. Create directory /etc/ipsec.d/crls and put some crl file into it.
2. Start ipsec: service ipsec start.
3. Check there is loading message in pluto log file: grep 'loading crl file' /var/log/secure.

# grep 'loading crl file' /var/log/secure
<NOTHING>

# 

Actual results:

There is no loading message in pluto log file.

Expected results:

There is loading message in pluto log file.

Additional info:

The same test on rhel-7 on libreswan-3.15-5.el7_1.

# grep 'loading crl file' /var/log/secure
Feb 19 16:38:19 qeos-21 pluto[7150]:  loading crl file 'myca.crl' (436 bytes)
Comment 1 Tuomo Soini 2016-02-21 21:32:42 UTC 
I just did test this with latest libreswan git version running el6 based system:

Feb 21 23:28:10 omout pluto[1027]:   loading crl file 'foobar.crl' (4250 bytes)

I don't see any problem. Are you absolutely sure about testing? 

How about restorecon -Rv /etc/ipsec.d/crls and retry. If you copy the crl from home directory and you forget to reset selinux context it won't work.
Comment 2 Paul Wouters 2016-02-22 14:55:32 UTC 
The libreswan code in rhel6 and rhel7 is identical. So I would also guess that possibly there is a missing selinux policy update for rhel6?
Comment 3 Jaroslav Aster 2016-02-22 15:34:10 UTC 
I feel a little bit confused now, because the scenario, which i described, is not reproducible anymore, but my, much more complicated, test fails on rhel-6 and passes on rhel-7. It's needed more investigation. SELinux context is ok.
Comment 4 Paul Wouters 2016-02-22 16:45:49 UTC 
note that the initscripts and service file call ipsec checknss which handles importing CRL data from /etc/ipsec.d/crls/ but only when we are converting from the old nss db format to the new nss sql format.

Once convered, the /etc/ipsec.d/crls/ and /etc/ipsec.d/cacerts directories are ignored.
Comment 5 Tuomo Soini 2016-02-22 17:15:18 UTC 
Actually, all crls are being read from /etc/ipsec.d/crls/ on every startup. Libreswan doesn't use crls in /etc/ipsec.d/crls/ but imports them if there are any.
Comment 6 Paul Wouters 2016-02-22 18:41:27 UTC 
(In reply to Tuomo Soini from comment #5)
> Actually, all crls are being read from /etc/ipsec.d/crls/ on every startup.
> Libreswan doesn't use crls in /etc/ipsec.d/crls/ but imports them if there
> are any.

Not that I see. If you look at programs/ipsec/ipsec.in you will see the section of code at

    # import cacerts and crls

is inside the "check for old nss db" if statement
Comment 7 Tuomo Soini 2016-02-22 20:14:21 UTC 
Sure. Scripting does import of current crl files to nss db when database is converted. But after that pluto still reads crl files directly.
Comment 8 Paul Wouters 2016-02-23 16:10:54 UTC 
Tuomo and I are looking into this issue. It seems a more complicated bug.
Comment 9 Jaroslav Aster 2016-02-24 15:56:07 UTC 
Hi,

I did some tests and I have some results. I hope it will be useful for you.

My test creates an old version of db, so on start, ipsec --checknss is called and crl file myca.crl is imported into the new version of database. This is true for both versions, rhel-6 and rhel-7. Rhel-6's libreswan does not read myca.crl anymore, but rhel-7's libreswan still read this file everytime it is started and prints 'loading crl file myca.crl' into the log file. 

I attached ipsec files from my test. You can copy it into the right place and start ipsec.

# service ipsec stop
# tar zxvf ipsec_data.tar.gz
# cd ipsec_data
# rm -rf /etc/ipsec.*
# cp -apr * /etc/
# restorecon -Rv /etc/ipsec.*
# service ipsec start
# ipsec auto --listcrls
# grep 'loading crl' /var/log/secure

# service ipsec stop
# rm /etc/ipsec.d/crls/myca.crl
# service ipsec start
# grep 'loading crl' /var/log/secure

# service ipsec start
# cp ipsec.d/crls/myca.crl /etc/ipsec.d/crls/
# restorecon -Rv /etc/ipsec.*
# service ipsec start
# grep 'loading crl' /var/log/secure
Comment 10 Jaroslav Aster 2016-02-24 15:56:49 UTC 
Created attachment 1130248 [details]
IPsec data files.
Comment 11 Jaroslav Aster 2016-02-24 16:40:08 UTC 
Another issue. ipsec auto --rereadcrls does not work on rhel-6 (and rhel-7). It is marked as obsolete, but I think it still should work. At least it is confusing when 'loading crl' message is printed, but nothing is happen.

# ls /etc/ipsec.d/
cacerts  cert9.db  certs  crls  key4.db  nsspassword  nsspassword2.txt  nsspassword.txt  pkcs11.txt  policies  private  v6neighbor-hole.conf
# ls /etc/ipsec.d/crls/
myca.crl
# ipsec auto --listcrls
000  
000 List of CRLs:
# ipsec auto --rereadcrls
002   loading crl file 'myca.crl' (307 bytes)
# ipsec auto --listcrls
000  
000 List of CRLs:
Comment 13 Paul Wouters 2016-11-21 05:56:24 UTC 
Fixed with upstream commit

https://github.com/libreswan/libreswan/commit/52149be911e14dc3f89d8d0c1e0742954a35dbba
Comment 14 Paul Wouters 2017-01-17 20:35:17 UTC 
note you can see CRLs within NSS using:

crlutil -L -d sql:/etc/ipsec.d