Bug 441383
| Field | Value |
|---|---|
| Summary | IPV6DOD: openswan should negotiate CCM algorithm. |
| Product | Red Hat Enterprise Linux 5 |
| Component | openswan |
| Version | 5.2 |
| Reporter | IBM Bug Proxy <bugproxy> |
| Assignee | Avesh Agarwal <avagarwa> |
| CC | cward, herbert.xu, jplans, lwang, pwouters, tgraf, tis |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | urgent |
| Target Milestone | rc |
| Keywords | ZStream |
| Hardware | All |
| OS | All |
| Doc Type | Bug Fix |
| Bug Blocks | 253764, 450126 |
| Last Closed | 2009-09-02 11:18:32 UTC |
Description
IBM Bug Proxy
2008-04-07 20:00:18 UTC
Created attachment 306757: Add CCM support to Openswan

This lets me use CCM with openswan. As I tried to minimise the changes to Openswan, the syntax is a bit awkward. You have to specify something like esp=aes-ccm-a-152-null for it to work, where a/b/c means ICV lengths 8, 12 and 16, and 152 is the AES key length 128 plus a fixed 24 bits of nonce (and the null needs to be there to prevent Openswan from sticking in an additional auth algorithm).

Since I don't have anything else to test against it is only known to interoperate with itself.
One hunk did not apply against 2.6.12. Please verify my merge with 2.6.14rc4.

Paul, if you could let me know where 2.6.14rc4 is then I'll verify it :)

Oops. Uploaded now :) ftp://ftp.openswan.org/openswan/development/openswan-2.6.14rc4.tar.gz

Note that this release also has some fixes in kernel_netlink.c (from #testing merge). If you have the time to go over those, that would be great too.

OK I've had a look:

1) What happened to ikev2= in the config file? The parser no longer understands it.

2) AEAD is mutually exclusive with enckeylen. So unless you've changed it to not set enckeylen when AEAD is in use, the AEAD test in kernel_netlink's add_sa needs to be before the enckeylen test and the latter needs to be in the else clause (i.e., not AEAD).

Thanks.

I'll have a look at 1)

2) is indeed the failed hunk of your patch. I think you removed

```c
if (sa->enckeylen)
```

for the else, but the diff did not show that, and I merged it in wrong. I now changed it to:

```c
if (sa->authkeylen)
{
    [...]
}
/* AEAD is tested first: an AEAD algorithm carries its own integrity,
 * so enckeylen is only consulted in the non-AEAD branch. */
aead = get_aead_alg(sa->encalg);
if (aead)
{
    [...]
}
else if (sa->enckeylen)
{
    [...]
}
```
Oh I see. Did you apply my patch to support NULL encryption? That's the one which removed the enckeylen check.

Thanks!

Created attachment 307268: Resync 14rc5 with my patches

This is the merge of all my patches for 12 for 14rc5. Note that I killed AUTH_NULL because it's not meant to be included in the proposal. That is, the absence of an integ transform is used to indicate NULL.

Thanks. I just completed double checking my merge and found the problem of the ikev2 keyword missing (and some other merge artifacts due to merging in #testing with overlapip support). I will verify everything with your patch, and then put out a 2.6.14rc6. Thanks for your work Herbert!

It's available now:
ftp://ftp.openswan.org/openswan/development/openswan-2.6.14rc6.tar.gz
ftp://ftp.openswan.org/openswan/development/openswan-2.6.14rc6.tar.gz.asc

The upload had been aborted partially. This has now been fixed in the newly uploaded version.

Please use the attached patch against rc6.

Created attachment 307319: SADB_EALG_MAX and sadb_x_lifetime_packets fix

commit 1203aef777814501622c7053c613e2b162f27e2c
Author: Paul Wouters <paul>
Date: Sun Jun 1 16:18:17 2008 -0400

    SADB_EALG_MAX -> K_SADB_EALG_MAX fix
    Added sadb_x_lifetime_packets to struct sadb_lifetime
2.6.14rc7-1 was built to address the bug being reported.

------- Comment From tchicks.com 2008-06-05 16:47 EDT -------
I verified ccm support in openswan-2.6.14rc10 from openswan.org between an i386 and ppc machine.

------- Comment From tchicks.com 2008-06-05 16:53 EDT -------
BTW, I wanted to document that the ESP Algorithm identifier line that I had to use was a little different than what was reported earlier in the bug report. I had to use:

phase2alg=aes_ccm_a-152-null

as opposed to:

phase2alg=aes-ccm-a-152-null

The only difference is a few '_' characters in place of some '-' characters.

Sorry, my bad. Yes, only underscores can appear in the encryption part of the specification.

~~ Attention - RHEL 5.4 Beta Released! ~~

RHEL 5.4 Beta has been released! There should be a fix present in the Beta release that addresses this particular request. Please test and report back results here, at your earliest convenience. RHEL 5.4 General Availability release is just around the corner!

If you encounter any issues while testing Beta, please describe the issues you have encountered and set the bug into NEED_INFO. If you encounter new issues, please clone this bug to open a new issue and request it be reviewed for inclusion in RHEL 5.4 or a later update, if it is not of urgent severity.

Please do not flip the bug status to VERIFIED. Only post your verification results, and if available, update the Verified field with the appropriate value. Questions can be posted to this bug or your customer or partner representative.

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-1350.html
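As an added example (not openswan's own code), a small parser and builder for the CCM algorithm string syntax described in the attachment description and corrected in the later comment: underscores in the encryption part, a/b/c selecting an ICV of 8/12/16 bytes, a key-length figure that folds in the fixed 24-bit nonce, and a mandatory trailing null integrity part. Extending the formula to 192- and 256-bit keys is my assumption; the thread only shows 152 = 128 + 24.

```python
# Added example, not openswan code: parse and build the CCM ESP/phase2alg
# string described in this bug, e.g. "aes_ccm_a-152-null".
import re
from dataclasses import dataclass

# ICV suffix -> ICV bytes, as the attachment description states (a/b/c = 8/12/16).
CCM_ICV_BYTES = {"a": 8, "b": 12, "c": 16}
# The reported syntax folds a fixed 24-bit nonce into the key-length figure.
CCM_NONCE_BITS = 24
# Assumption: the same formula applies to 192- and 256-bit AES keys.
AES_KEY_BITS = {128, 192, 256}

_PATTERN = re.compile(r"^aes_ccm_([abc])-(\d+)-null$")


@dataclass(frozen=True)
class CcmEspAlg:
    icv_bytes: int      # integrity check value length in bytes
    aes_key_bits: int   # real AES key size
    keylen_field: int   # the figure as written in the config (key bits + 24)


def parse_ccm_esp(spec: str) -> CcmEspAlg:
    """Parse 'aes_ccm_<a|b|c>-<keybits+24>-null'.

    Rejects the two mistakes called out in the thread with a specific message:
    hyphens instead of underscores in the encryption part, and a missing
    trailing 'null' (without it openswan adds a separate auth algorithm).
    """
    if spec.startswith("aes-ccm"):
        raise ValueError("encryption part must use underscores: aes_ccm_...")
    if not spec.endswith("-null"):
        raise ValueError("CCM is AEAD: the integrity part must be 'null'")
    m = _PATTERN.match(spec)
    if not m:
        raise ValueError(f"unrecognised CCM spec: {spec!r}")
    keylen_field = int(m.group(2))
    key_bits = keylen_field - CCM_NONCE_BITS
    if key_bits not in AES_KEY_BITS:
        raise ValueError(f"{keylen_field} minus {CCM_NONCE_BITS} nonce bits "
                         "is not an AES key size")
    return CcmEspAlg(CCM_ICV_BYTES[m.group(1)], key_bits, keylen_field)


def format_ccm_esp(aes_key_bits: int, icv_bytes: int) -> str:
    """Inverse: build the config string for a key size and ICV length."""
    suffix = {v: k for k, v in CCM_ICV_BYTES.items()}[icv_bytes]
    return f"aes_ccm_{suffix}-{aes_key_bits + CCM_NONCE_BITS}-null"
```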