Bug 1444115

Summary: FIPS: libreswan must generate RSA keys with a minimal exponent of F4, nor E=3
Product: Red Hat Enterprise Linux 7 Reporter: Paul Wouters <pwouters>
Component: libreswanAssignee: Paul Wouters <pwouters>
Status: CLOSED ERRATA QA Contact: Ondrej Moriš <omoris>
Severity: medium Docs Contact:
Priority: medium    
Version: 7.4CC: omoris
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-08-01 12:31:06 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Paul Wouters 2017-04-20 15:27:05 UTC 
Description of problem:

libreswan uses an exponent of 3 instead of F4 or better for new raw RSA keys.

upstream fix: 

https://github.com/libreswan/libreswan/commit/1227e16e76015c87dcb157e32f55e896bd191033


to test:

mkdir /tmp/test
ipsec initnss --nssdir /tmp/test
ipsec newhostkey --nssdir /tmp/test --output /tmp/test/test.secrets
grep Exponent /tmp/test/test.secrets 


unfixed versions will show:
	PublicExponent: 0x03

fixed versions will show:
	PublicExponent: 0x010001

Additionally, rerunning raw RSA test cases could be done (we did this upstream and found no issue)
Comment 3 Ondrej Moriš 2017-05-22 09:51:03 UTC 
Successfully verified in both FIPS disabled and enabled.

NEW (libreswan-3.20-2.el7)
==========================
: RSA	{
        ...
	PublicExponent: 0x010001
	}
Comment 4 errata-xmlrpc 2017-08-01 12:31:06 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2101