Bug 1743649

Summary: ipsec auto --listall prints un-escaped left/right ID
Product: Red Hat Enterprise Linux 8
Reporter: Jaroslav Aster <jaster>
Component: libreswan
Assignee: Paul Wouters <pwouters>
Status: CLOSED ERRATA
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: low
Priority: low
Version: 8.0
CC: dapospis, hugh, omoris, pvrabec, pwouters
Target Milestone: rc
Keywords: Triaged
Target Release: 8.0
Flags: pm-rhel: mirror+
Hardware: Unspecified
OS: Unspecified
Doc Type: No Doc Update
Type: Bug
Last Closed: 2020-11-04 03:18:00 UTC
Bug Depends On: 1820206

Description Jaroslav Aster 2019-08-20 11:36:33 UTC
Description of problem:

ipsec auto --listall prints un-escaped left/right ID. ID escaping was introduced in bug bz#868986. It works, but ipsec auto --listall has started to print the ID un-escaped. Same for ipsec auto --status. I think it came from this commit:

commit 542f32f1f1c9a8dfce850271eeea445ac3653e75
Author: D. Hugh Redelmeier <hugh>
Date:   Sat Nov 3 10:31:44 2018 -0400

    lib/libswan/x509dn.c dn_parse()

    For each ',' or '/' in an ASN.1 string, double it in the ASCII-fied version.
    This is the inverse of what is done in the ASCII to ASN.1 code.

    Our code never did this before.  Surely a bug.


Version-Release number of selected component (if applicable):

libreswan-3.29-6.el8


How reproducible:

100%


Steps to Reproduce:

# cat /etc/ipsec.conf 
conn   tuntest
        connaddrfamily=ipv4
        type=tunnel
        authby=rsasig
        left=10.37.162.52
        leftid="C=CZ, ST=Moravia, L=Brno, O=Test Example, OU=Global,, Support,, Services, CN=leftcert"
        leftrsasigkey=%cert
        leftcert="leftcert"
        right=127.0.0.1
        rightid="C=CZ, ST=Moravia, L=Brno, O=Test Example, OU=Global,, Support,, Services, CN=rightcert"
        rekey=no
        ike=aes-sha1
        esp=aes-sha1
        auto=add


# ipsec auto --listall
000  
000 List of Public Keys:
000  
000 Aug 20 13:31:42 2019, 2048 RSA Key AwEAAcVde (no private key), until Aug 20 13:31:32 2020 ok
000        ID_DER_ASN1_DN 'CN=leftcert, OU=Global,, Support,, Services, O=Test Example, L=Brno, ST=Moravia, C=CZ'
000        Issuer 'CN=myca, OU=Global,, Support,, Services, O=Test Example, L=Brno, ST=Moravia, C=CZ'
000  
000 List of Pre-shared secrets (from /etc/ipsec.secrets)
000  
000  
000 List of X.509 End Certificates:
000  
000 End certificate "leftcert" - SN: 0x02
000   subject: CN=leftcert, OU=Global,, Support,, Services, O=Test Example, L=Brno, ST=Moravia, C=CZ
000   issuer: CN=myca, OU=Global,, Support,, Services, O=Test Example, L=Brno, ST=Moravia, C=CZ
000   not before: Tue Aug 20 11:31:32 2019
000   not after: Thu Aug 20 11:31:32 2020
000   2048 bit RSA: has private key
000  
000 List of X.509 CA Certificates:
000  
000 Root CA certificate "myca" - SN: 0x01
000   subject: CN=myca, OU=Global,, Support,, Services, O=Test Example, L=Brno, ST=Moravia, C=CZ
000   issuer: CN=myca, OU=Global,, Support,, Services, O=Test Example, L=Brno, ST=Moravia, C=CZ
000   not before: Mon May 20 11:31:28 2019
000   not after: Fri Aug 20 11:31:28 2027
000   2048 bit RSA: has private key
000  
000 List of CRLs:


Actual results:

ipsec auto --listall prints un-escaped ID.

Expected results:

ipsec auto --listall prints escaped ID.

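The commit message quoted above describes the escaping rule at issue: a literal ',' or '/' inside an RDN value is doubled in the ASCII form so it is not read as the separator between RDNs, and the ASCII-to-ASN.1 direction undoes the doubling. The block below is an added illustration written for this page, not libreswan's x509dn.c code; it parses the escaped form used in the ipsec.conf leftid above, performs the inverse, round-trips the value, and shows what a parser that ignores the doubling would make of the OU.

```python
"""Constructed illustration of the ',,' / '//' DN escaping rule (not libreswan code)."""
from __future__ import annotations

SEPARATORS = ",/"  # both act as RDN separators unless doubled


def split_rdns(ascii_dn: str) -> list[str]:
    """Split an escaped ASCII DN into RDN strings.
    A doubled separator (",," or "//") is one literal character, not a split point."""
    rdns, cur, i = [], [], 0
    while i < len(ascii_dn):
        ch = ascii_dn[i]
        if ch in SEPARATORS:
            if i + 1 < len(ascii_dn) and ascii_dn[i + 1] == ch:
                cur.append(ch)        # escaped literal ',' or '/'
                i += 2
                continue
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur).strip())
    return [r for r in rdns if r]


def parse_dn(ascii_dn: str) -> list[tuple[str, str]]:
    """Return (attribute, literal value) pairs with escapes removed."""
    pairs = []
    for rdn in split_rdns(ascii_dn):
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip(), value.strip()))
    return pairs


def escape_rdn(value: str) -> str:
    """Inverse direction: double every ',' and '/' in a literal RDN value."""
    return "".join(ch * 2 if ch in SEPARATORS else ch for ch in value)


def format_dn(pairs: list[tuple[str, str]]) -> str:
    """Re-emit the DN in the escaped ASCII form accepted in ipsec.conf."""
    return ", ".join(f"{attr}={escape_rdn(value)}" for attr, value in pairs)


def naive_split(ascii_dn: str) -> list[str]:
    """A parser that ignores the doubling rule: the OU value falls apart
    into several bogus RDN fragments, so the ID no longer matches."""
    return [p.strip() for p in ascii_dn.split(",")]
```
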
Comment 1 D. Hugh Redelmeier 2019-09-02 16:18:19 UTC
"escaping" was introduced as a fix to bz 868986.
It allows "," and "/" to be used within the ASCII representation of an OID even though they normally are separators.
I have no idea if this follows some standard.

commit 542f32f1f1c9a8dfce850271eeea445ac3653e75 was intended to do the reverse.  The result is any ASCII representation produced by libreswan could be used as an input to libreswan.

The representation in /etc/ipsec.conf looks like the representation in the output of --listall (i.e. with escapes).

This seems like a Good Thing.  In what way is this a problem?

Comment 2 Paul Wouters 2019-09-04 16:30:08 UTC
Jaroslav,

I still do not fully understand the bug.

The ID input specifies 2 commas, did you expect 4 in the print?

What is on the certificate / ASN itself? Can you show the output of:

openssl x509 -in file.crt -noout -subject

Comment 3 Paul Wouters 2019-09-17 19:38:57 UTC
This has been addressed upstream where this handling has been improved. It did change a lot of string functions, so this cannot be reasonably backported. It will come into RHEL via a rebase to 3.30.

Comment 4 Jaroslav Aster 2019-10-08 13:47:31 UTC
Hi Paul,

do you still need my answer or, based on comment #3, do you understand where the issue is?

Comment 19 Paul Wouters 2020-04-22 00:45:58 UTC
Allowing the old ,, syntax support was added upstream. Will be part of 3.32 release.

Upstream test case is ikev2-x509-39-OU-comma

Comment 27 errata-xmlrpc 2020-11-04 03:18:00 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (libreswan bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2020:4722