1021961 – pluto abort when using SHA2_{384,512} IKE encryption algorithm

Bug 1021961 - pluto abort when using SHA2_{384,512} IKE encryption algorithm

Summary: pluto abort when using SHA2_{384,512} IKE encryption algorithm

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	openswan
Sub Component:
Version:	6.5
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Paul Wouters
QA Contact:	Ondrej Moriš
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2013-10-22 12:21 UTC by Ondrej Moriš
Modified:	2014-10-14 08:18 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2014-10-14 08:18:58 UTC
Target Upstream Version:

Attachments	(Terms of Use)
Output of 'ipsec barf' (57.25 KB, text/plain) 2013-10-22 12:21 UTC, Ondrej Moriš	no flags	Details
View All Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2014:1588	0	normal	SHIPPED_LIVE	openswan bug fix and enhancement update	2014-10-14 01:39:53 UTC

Description Ondrej Moriš 2013-10-22 12:21:05 UTC

Created attachment 814958 [details]
Output of 'ipsec barf'

Description of problem:

When 384 or 512 bit SHA2 IKE encryption/authentication algorithm is used, pluto keeps aborting on responder machine. With 256 bit SHA2 it works fine.

Version-Release number of selected component (if applicable):

openswan-2.6.32-27.el6

How reproducible:

100%

Steps to Reproduce:

1. Setup initiator and responder as follows (ipsec.conf):

   version 2.0

   config setup
     plutodebug="lifecycle"
     protostack=netkey
     nat_traversal=yes
     virtual_private=
     oe=off

   conn test
     authby=secret
     type=transport
     left=<initiator>
      right=<responder
      ike=aes128-sha2_512 # (or sha2_384)
      esp=3des-sha1
      ikev2=insist 
      auto=add

2. Start ipsec on both initiator and responder (service ipsec start)

3. Initiate connection from initiator (ipsec auto --up test)

4. See /var/log/messages on responder.

Actual results:

Connection does not work.

Responder (/var/log/messages):

002 added connection description "test"
ipsec__plutorun: /usr/libexec/ipsec/_plutorun: line 250: 19521 Aborted                 (core dumped) /usr/libexec/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d --debug-lifecycle --use-netkey --uniqueids --nat_traversal --virtual_private oe=off
ipsec__plutorun: !pluto failure!:  exited with error status 134 (signal 6)
ipsec__plutorun: restarting IPsec after pause...
...
(and repeating)

Expected results:

Connection successful. 

Additional info:

This is *not* a regression in 6.5 from 6.4, in happens in openswan-2.6.32-21.el6_4 as well. In FIPS mode it does not work as well. Output of 'ipsec barf' from responder is attached.

Comment 1 Ondrej Moriš 2013-10-22 12:31:16 UTC

May be I am just not configuring it correctly, where can I find the list of suitable options for ike=? Man page ipsec.conf(5) says: "...The options must be suitable as a value of ipsec_spi(8)´s --ike option.", but there is not ike option mentioned in ipsec_spi(8).

Comment 4 errata-xmlrpc 2014-10-14 08:18:58 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1588.html

Note You need to log in before you can comment on or make changes to this bug.