RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1324421 - libreswan works not well when setting leftid field to be email address
Summary: libreswan works not well when setting leftid field to be email address
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: libreswan
Version: 7.5
Hardware: x86_64
OS: Linux
medium
medium
Target Milestone: rc
: 7.5
Assignee: Paul Wouters
QA Contact: Ondrej Moriš
URL:
Whiteboard:
: 1375406 (view as bug list)
Depends On:
Blocks: 1375406
TreeView+ depends on / blocked
 
Reported: 2016-04-06 09:52 UTC by Jianwen Ji
Modified: 2018-04-10 17:23 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1375406 (view as bug list)
Environment:
Last Closed: 2018-04-10 17:22:34 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)
pluto log file (291.98 KB, text/plain)
2016-04-07 02:51 UTC, Jianwen Ji 		no flags Details
pcap file (5.84 KB, application/octet-stream)
2016-04-07 02:52 UTC, Jianwen Ji 		no flags Details
View All


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:0932 0 None None None 2018-04-10 17:23:18 UTC

Description Jianwen Ji 2016-04-06 09:52:49 UTC 
Description of problem:
Configure leftid to be email address, the 'Identificaton Data' in Identification payload in IKE_AUTH initiator request will be null

Version-Release number of selected component (if applicable):
libreswan-3.15-5.3.el6.x86_64

How reproducible:
Always

Steps to Reproduce:
version 2.0     # conforms to second version of ipsec.conf specification

My configuration example: 

/etc/ipsec.conf
# basic configuration
config setup
        protostack=netkey
        plutodebug="all crypt"
        plutostderrlog="/tmp/pluto.log"
conn ikev2
        left=3000::215:17ff:fe37:13cc
        right=3001::200:10ff:fe10:1180
        leftid="nut"
        rightid=3001::200:10ff:fe10:1180
        authby=rsasig
        leftrsasigkey=%cert
        leftcert="NUT - IOL"
        rightrsasigkey=%cert
        rightcert="iolintact - IOL"
        type=transport
        ikev2=insist
        ike=3des-sha1;modp1024
        phase2=esp
        phase2alg=3des-sha1
        auto=start
        connaddrfamily=ipv6


Actual results:

Identification Data is null

Expected results:
Identification Data is email address configured in ipsec.conf

Additional info:
Comment 2 Paul Wouters 2016-04-06 14:39:28 UTC 
I just ran a few tests, and i dont see this problem. I need to know what is in both sides NSS DB. Please run on both endpoints:

certutil -L -d sql:/etc/ipsec.d

(if the other end is not libreswan, I guess we can only assume it does the right thing)

If you can also set plutodebug=all and provide the log, that would be helpful
Comment 3 Jianwen Ji 2016-04-07 02:51:01 UTC 
Clarify this issue:
Here is procedure:

NUT is a machine with RHEL6.8 installation, TN1 is a tester node with IOL USGv6 test software.

On NUT:
# certutil -L -d /etc/ipsec.d

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

NUT - IOL                                                    u,u,u
CA - IOL                                                     ,,   
iolintact - IOL                                              u,u,u


NUT(RHEL6.8)   TN1
(End-Node)   (End-Node)
¦               ¦
¦-------------->¦ IKE_SA_INIT request (HDR, SAi1, KEi, Ni)
¦               ¦ (Judgment #1)
¦<--------------¦ IKE_SA_INIT response (HDR, SAr1, KEr, Nr, CERTREQ)
¦               ¦ (Packet #1)
¦               ¦
¦-------------->¦ IKE_AUTH request (HDR, SK {IDi, CERT, AUTH, N, SAi2, TSi, TSr})
¦               ¦ (Judgment #2)
¦               ¦
V               V
N: USE_TRANSPORT_MODE

We failed at Judgment #2, the IKE_AUTH request should include an ID payload with ID_RFC822_ADDR(3)

Decrypted Data
  Contained Data
    Type Payload: Identification - Initiator (35)
      Next payload: Certificate (37)
      0... .... = Critical Bit: Not Critical
      Payload length: 23
      ID Type: ID_REC822_ADDR (3)      <-------- as expect
      Protocol ID : Unused
      Port: Unused
      Identificatoin Data: nut  <------------- as expect

But we got request with DER_ASN1_DN(9)

Decrypted Data
  Contained Data
    Type Payload: Identification - Initiator (35)
      Next payload: Certificate (37)
      0... .... = Critical Bit: Not Critical
      Payload length: 90
      ID Type: DER_ASN1_DN (9)       <--------- Expect  ID_REC822_ADDR
      Protocol ID : Unused
      Port: Unused
      Identificatoin Data: 0         <--------- Expect nut
        rdnSequence: 5 items:
          RDNSequence item: 1 item (id-at-countryName=US)
          RDNSequence item: 1 item (id-at-stateOrProvinceName=New Hampshire)
          RDNSequence item: 1 item (id-at-organizationName=IOL)
          RDNSequence item: 1 item (id-at-organizatoinUnitName=IPv6)
          RDNSequence item: 1 item (id-at-commonName=NUT)
    ...
Comment 4 Jianwen Ji 2016-04-07 02:51:47 UTC 
Created attachment 1144528 [details]
pluto log file
Comment 5 Jianwen Ji 2016-04-07 02:52:43 UTC 
Created attachment 1144530 [details]
pcap file
Comment 6 Jianwen Ji 2016-04-07 03:09:28 UTC 
Can use wireshark to decrypt IKE_AUTH request in attached pcap file

Initiator's SPI: A0D615DA4CD8E77E
Responder's SPI: 0102030405060708
SK_ei: DEC3D4701456044EA1E14B33E7FA2DF22FA1487CF82E466C
SK_er: 42F8B006115B7DABDC3BF5033332072A103FAF341B5E45E2
Encription algorithm: 3EDS [RFC2451]
SK_ai: F747A5FC67BA91C58DFA3F5CA5B4D16BC2044ECC
SK_ar: 096874EE72FB21A1718E63CF46F6A2D829AC2F49
Integrity algorithm:  HMAC_SHA1_96[RFC2404]
Comment 7 Paul Wouters 2016-07-04 07:58:05 UTC 
If you use leftcert=XXXX you should use leftid=%fromcert

certificate authentication always uses type DER_ASN1_DN.

ID_REC822_ADDR might be used for raw RSA keys (public keys without certificates)

Can you explain what the test case is really testing?
Comment 8 Jianwen Ji 2016-07-06 01:59:20 UTC 
(In reply to Paul Wouters from comment #7)
> If you use leftcert=XXXX you should use leftid=%fromcert
> 
> certificate authentication always uses type DER_ASN1_DN.
> 
> ID_REC822_ADDR might be used for raw RSA keys (public keys without
> certificates)
> 
> Can you explain what the test case is really testing?

I am testing IKEv2 Conformance with 'UNH IOL' test suite.
Test case item is IKEv2.En.I.1.1.10.1(C). You can see the more detail info on this test item via https://www.ipv6ready.org/docs/Phase2_IKEv2_Conformance_Latest.pdf

I will try it as you said. Will close this bug if it can passes testing
Comment 10 Paul Wouters 2016-08-25 02:57:26 UTC 
still need more info on this
Comment 11 Jianwen Ji 2016-08-26 05:05:10 UTC 
Hi Paul, here is the detail info of this test case:
Link:
IKEv2.EN.I.1.1.10.1 Part C, page 168, https://www.ipv6ready.org/docs/Phase2_IKEv2_Conformance_Latest.pdf

NUT - Node Under Test
TN  - Test Node

Purpose: 
    To verify an IKEv2 device handles CERTREQ payload and transmits CERT payload properly

References: 
    [RFC 4306] - Sections 1.2 and 3.8

Procedure:

   NUT             TN1  
    |             | 
    |------------>| IKE_SA_INIT request (HDR, SAi1, KEi, Ni) 
    |             | (Judgment #1) 
    |<------------| IKE_SA_INIT response (HDR, SAr1, KEr, Nr, CERTREQ) 
    |             | (Packet #1) 
    |             | 
    |------------>| IKE_AUTH request (HDR, SK {IDi, CERT, AUT
H, N, SAi2, TSi, TSr}) 
    |             | (Judgment #2) 
    |             | 
    V             V 
N: USE_TRANSPORT_MODE  

Expected Result:
Judgment #1 
The NUT transmits an IKE_SA_INIT request including "ENCR_3DES", "PRF_HMAC_SHA1", "AUTH_HMAC_SHA1_96" and "D-H Group 2" as proposed 
algorithms. 

Judgment #2 
The NUT transmits an IKE_AUTH request. The request includes an ID payload with 
ID_RFC822_ADDR and a CERT payload which contains 4 (X.509 Certificate - Signature) as Certificate Encoding and the NUT’s certificate as Certificate Data. 

Actual Result:
As said in Comment 3:

We failed at Judgment #2, the IKE_AUTH request should include an ID payload with ID_RFC822_ADDR(3), but include DER_ASN1_DN (9)

And as you said in comment 7, certificate authentication always uses type DER_ASN1_DN.

By the way, this test case can pass on RHEL-7.2 with libreswan 3.12-10.1.el7_1
Comment 12 Tuomo Soini 2016-08-31 15:37:46 UTC 
It would help if you let others see all comments - I can't really judge about this because you keep your comments private.
Comment 14 Paul Wouters 2017-09-06 03:43:57 UTC 
This has been fixed in libreswan-3.21, which will be in rhel-7.5, and you can specify an email address provided it is a valid SAN on the certificate. I've moved this bug to that version for QA.

This issue will not be fixed for rhel6.
Comment 16 Paul Wouters 2017-12-16 01:38:23 UTC 
fix came in via rebase
Comment 18 Paul Wouters 2017-12-16 01:43:12 UTC 
upstream testcase https://github.com/libreswan/libreswan/tree/master/testing/pluto/ikev2-x509-09-san-email-match
Comment 24 Ondrej Moriš 2018-01-19 09:22:44 UTC 
OLD (libreswan-3.20-5.el7_4)
============================
SERVER
------
:: [   FAIL   ] :: File '/var/log/pluto/pluto.log' should contain 'IKEv2 mode peer ID is ID_USER_FQDN: 'client'' 
:: [   FAIL   ] :: File '/var/log/pluto/pluto.log' should contain 'ID type: ID_USER_FQDN (0x3)' 

CLIENT
------
:: [   PASS   ] :: File '/var/log/pluto/pluto.log' should contain 'IKEv2 mode peer ID is ID_USER_FQDN: 'server'' 
:: [   FAIL   ] :: File '/var/log/pluto/pluto.log' should contain 'ID type: ID_USER_FQDN (0x3)'

NEW (libreswan-3.23-0.1.rc4.el7)
================================
SERVER
------
:: [   PASS   ] :: File '/var/log/pluto/pluto.log' should contain 'IKEv2 mode peer ID is ID_USER_FQDN: 'client'' 
:: [   PASS   ] :: File '/var/log/pluto/pluto.log' should contain 'ID type: ID_USER_FQDN (0x3)' 

CLIENT
------
:: [   PASS   ] :: File '/var/log/pluto/pluto.log' should contain 'IKEv2 mode peer ID is ID_USER_FQDN: 'server'' 
:: [   PASS   ] :: File '/var/log/pluto/pluto.log' should contain 'ID type: ID_USER_FQDN (0x3)' 

See TJ#2258272 and TJ#2258274 for more details.
Comment 25 Ondrej Moriš 2018-02-05 12:01:26 UTC 
*** Bug 1375406 has been marked as a duplicate of this bug. ***
Comment 28 errata-xmlrpc 2018-04-10 17:22:34 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0932
Note You need to log in before you can comment on or make changes to this bug.