Bug 671542

Summary: ipsec auto --status shows Blowfish being supported
Product: Red Hat Enterprise Linux 5 Reporter: Robin R. Price II <rprice>
Component: openswanAssignee: Avesh Agarwal <avagarwa>
Status: CLOSED CURRENTRELEASE QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: high Docs Contact:
Priority: medium    
Version: 5.6CC: cww, jwest, pwouters
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-01-18 18:59:42 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 590060    

Description Robin R. Price II 2011-01-21 19:39:03 UTC 
Description of problem:

'ipsec auto --status' shows Blowfish being supported


Actual results:

# ipsec auto --status
....
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
....
000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8, keydeflen=128


Expected results:

Customers have been supporting Blowfish with racoon in the field and may expect to be backward compatible when they migrate to openswan or when they setup an IPSEC connection running Racoon on one end and openswan on other side. 

Also we can certainly disable the usage of BlowFish algorithm support since its not approved list of FIPS 140-2 algorithms. 

~rp
Comment 3 Paul Wouters 2011-02-09 02:18:43 UTC 
I've changed openswan's USE_EXTRACRYPTO option in Makefile.inc slightly. It was required to get the SHA2 family of functions, but it would bring in blowfish, twofish and serpent ciphers.

I've moved the SHA2 into the default cipher list, so as of openswan 2.6.33+ Red Hat can disable USE_EXTRACRYPTO to not support blowfish/twofish/serpent, while keeping the SHA2 family supported.

Note that this applies only to userland (IKE) support.

For ESP, we load "all" the crypto modules we can find. You can prevent this my customising the _startnetkey script for the Red Hat build, or just ensure those kernel modules are not available at all. Note that ipsec auto --status will still show the ESP algo id number if you "rmmod blowfish" until it is restarted. I've just filed a bug on that in the openswan tracker.
Comment 4 Chris Williams 2012-01-18 18:59:42 UTC 
Customer issue resolved and there has been no activity on the BZ for some time. Closing NOTABUG. Feel free to open a case with Red Hat Support via the Customer Portal if this is still an issue.