Bug 807772

Summary: Update RHEL 6.2 OpenSwan bug fixes in RHEL 5.9, to conform to USGv6 cert
Product: Red Hat Enterprise Linux 5
Reporter: Ann Marie Rubin <arubin>
Component: openswan
Assignee: Avesh Agarwal <avagarwa>
Status: CLOSED ERRATA
QA Contact: Patrik Kis <pkis>
Severity: high
Priority: high
Version: 5.9
CC: amarecek, bgollahe, iboverma, jrieden, ksrot, omoris, pkis, sgrubb
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Fixed In Version: openswan-2.6.32-4.el5
Doc Type: Known Issue
Doc Text:
Openswan generates a Diffie-Hellman (DH) shared key that is 1 byte short because nss does not add leading zero bytes when needed. Also, openswan in Red Hat Enterprise Linux 5.9 does not support setting the sha2_truncbug parameter, because the Red Hat Enterprise Linux 5.9 kernel does not support it.
Last Closed: 2013-01-08 07:31:51 UTC
Bug Blocks: 857527

Description Ann Marie Rubin 2012-03-28 16:46:29 UTC
Description of problem:

rebase OpenSwan in RHEL 5.9 with all fixes to the openswan bugs listed in Bug 573526 - (USGv6Cert) [RHEL6 DoC] USGv6 Certification.
 
Version-Release number of selected component (if applicable):
RHEL 6.1 to be rebased for RHEL 5.9

How reproducible:
n/a


Comment 5 Avesh Agarwal 2012-09-05 14:50:52 UTC
Bug BZ#768442 is dependent on the following kernel bug:
https://bugzilla.redhat.com/show_bug.cgi?id=768460

If the above fix is not in the 5.9 kernel, that means you can't use sha2_truncbug=yes, so just remove this from the ipsec conf file and it should work.

Comment 6 Patrik Kis 2012-09-06 07:34:10 UTC
Ok, that helps, but like this the test is passing also with the old version of openswan. So it seems it is not testing what it is supposed to.

Comment 7 Patrik Kis 2012-09-06 15:38:37 UTC
I think I see the point now (as it is described here https://bugzilla.redhat.com/show_bug.cgi?id=768442#c10): the test is failing/passing because the bug fix requires not only a fix in openswan but also in the kernel, which is missing. Moreover, the openswan part is optional and can be switched on/off with sha2_truncbug.

Comment 8 Ondrej Moriš 2012-09-11 08:29:54 UTC
Avesh, recently we found out that there is also a problem with Bug 768162. Its fix is "backported" to the RHEL5.9 build as well. Please recall [1] that this bug contained two issues:

1. openswan generated a KE payload with 1 less byte occasionally.

This issue is correctly resolved in openswan-2.6.32-4.el5
  
2. openswan generated DH shared key that was 1 byte short because nss did not add leading zero bytes when needed
 
Unfortunately this problem is still present on rhel5.9 (with openswan-2.6.32-4.el5) because nss is not fixed on rhel5.9 (Bug 855809).

So, how to handle this? If nss will not be fixed (and it might be already too late), I suggest adding a technical note that the second part of Bug 768162 is still present. Is there any workaround for it (I do not see any)?

[1] https://bugzilla.redhat.com/show_bug.cgi?id=768162#c36
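To make the "1 byte short" failure mode concrete, here is an added example in Python. It is an illustration written for this page, not code from openswan, NSS or this bug report. It uses a constructed toy 127-bit group (an assumption for the demonstration, not an IKE MODP group) and contrasts a minimal-length integer encoding, which silently drops a leading zero byte from a DH public value (KE payload) or shared secret, with a fixed-width encoding left-padded to the modulus length. The helper names (naive_encode, fixed_encode, find_short_secret, short_fraction) are mine.

```python
"""Fixed-width encoding of Diffie-Hellman values.

Added example, not code from openswan, NSS or this bug report. It reproduces
the class of defect discussed above (a DH public value or shared secret that
is occasionally one byte shorter than the modulus because leading zero bytes
are dropped) and shows the fix: left-pad every value to the modulus length.
"""
import random

# Constructed demo group (assumption, NOT an IKE MODP group): p = 2**127 - 1 is
# a Mersenne prime. Any modulus works here; only its byte length matters.
# Generator 3 is used rather than 2, because 2 has tiny order modulo 2**127 - 1.
P = (1 << 127) - 1
G = 3
P_LEN = (P.bit_length() + 7) // 8  # 16 bytes


def naive_encode(x: int) -> bytes:
    """Minimal big-endian encoding: the length depends on the value, so a
    value whose top byte is zero comes out one byte short (the bug)."""
    return x.to_bytes((x.bit_length() + 7) // 8, "big")


def fixed_encode(x: int, length: int = P_LEN) -> bytes:
    """Fixed-width big-endian encoding padded to the modulus length (the fix).
    int.to_bytes raises OverflowError if x does not fit, which flags a bad
    input instead of silently emitting a wrong-length value."""
    return x.to_bytes(length, "big")


def public_value(priv: int) -> int:
    """KE payload content: g^priv mod p."""
    return pow(G, priv, P)


def shared_secret(priv: int, peer_pub: int) -> int:
    """g^(ab) mod p computed from our private exponent and the peer's KE value."""
    return pow(peer_pub, priv, P)


def find_short_secret(seed: int = 1):
    """Deterministically search for a key pair whose shared secret has a zero
    top byte, i.e. exactly the case the naive encoding gets wrong.
    Returns (priv_a, priv_b, secret)."""
    rng = random.Random(seed)
    while True:
        a = rng.randrange(2, P - 1)
        b = rng.randrange(2, P - 1)
        s = shared_secret(a, public_value(b))
        if len(naive_encode(s)) < P_LEN:
            return a, b, s


def short_fraction(samples: int = 4096, seed: int = 2) -> float:
    """Fraction of random shared secrets the naive encoding truncates.
    For a modulus whose top byte is 0xFF (as the IKE MODP primes are) about
    1/256 of values have a zero top byte; for this 127-bit toy group, whose
    top byte holds only 7 bits, it is about 1/128."""
    rng = random.Random(seed)
    short = 0
    for _ in range(samples):
        s = shared_secret(rng.randrange(2, P - 1),
                          public_value(rng.randrange(2, P - 1)))
        if len(naive_encode(s)) < P_LEN:
            short += 1
    return short / samples


if __name__ == "__main__":
    a, b, s = find_short_secret()
    print("shared secret       :", hex(s))
    print("naive encoding      :", naive_encode(s).hex(), len(naive_encode(s)), "bytes")
    print("fixed-width encoding:", fixed_encode(s).hex(), len(fixed_encode(s)), "bytes")
    print("fraction truncated by naive encoding: %.4f" % short_fraction())
```

The same fixed_encode must be applied on both the KE payload (the first issue in comment 8) and the DH shared secret fed into key derivation (the second issue): the two peers each compute the same integer, but if one of them encodes it at minimal length and the other pads it, their derived keys differ and the exchange fails only for the roughly 1-in-256 values whose top byte is zero, which is why the bug shows up "occasionally".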

Comment 9 Avesh Agarwal 2012-09-11 14:26:36 UTC
(In reply to comment #8)
> Avesh, recently we found out that there is also a problem with Bug 768162.
> Its fix is "backported" to RHEL5.9 build as well. Please recall [1] that
> this bug contained two issues: 
> 
> 1. openswan generated a KE payload with 1 less byte occasionally.
> 
> This issue is correctly resolved in openswan-2.6.32-4.el5
>   
> 2. openswan generated DH shared key that was 1 byte short because nss did
> not add leading zero bytes when needed
>  
> Unfortunately this problem is still present on rhel5.9 (with
> openswan-2.6.32-4.el5) because nss is not fixed on rhel5.9 (Bug 855809).
> 
> So, how to handle this? If nss will not be fixed (and it might be already too
> late), I suggest adding a technical note that the second part of Bug 768162
> is still present. Is there any workaround for it (I do not see any)?

I am OK with adding a technical note about it. However, I am just thinking: what if some customer looks at it and wonders why it has not been fixed?
 
Yes, even I do not know any workaround.

> 
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=768162#c36

Comment 10 Patrik Kis 2012-09-11 14:58:55 UTC
(In reply to comment #9)
> (In reply to comment #8)

Hi Avesh,
shouldn't there be a technical note also for missing kernel fix that you mentioned in comment#5? I think it is the same issue, i.e. a missing bug fix of other component on which the openswan fix depends.

Comment 11 Avesh Agarwal 2012-09-11 15:09:28 UTC
(In reply to comment #10)
> (In reply to comment #9)
> > (In reply to comment #8)
> 
> Hi Avesh,
> shouldn't there be a technical note also for missing kernel fix that you
> mentioned in comment#5? I think it is the same issue, i.e. a missing bug fix
> of other component on which the openswan fix depends.

Yes, right, I agree with you, and a note saying something like: sha2_truncbug is not supported on 5.9, simply because kernel support for this does not exist.

Comment 15 errata-xmlrpc 2013-01-08 07:31:51 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0077.html