1399883 – rebase libreswan to 3.20

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1399883 - rebase libreswan to 3.20

Summary: rebase libreswan to 3.20

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	libreswan
Sub Component:
Version:	7.4
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Paul Wouters
QA Contact:	Ondrej Moriš
Docs Contact:	Mirek Jahoda
URL:
Whiteboard:
Duplicates (1):	1418377 (view as bug list)
Depends On:
Blocks:	1367490 1411853 1428409
TreeView+	depends on / blocked

Reported:	2016-11-30 01:37 UTC by Paul Wouters
Modified:	2020-12-07 08:49 UTC (History)
CC List:	6 users (show)
Fixed In Version:	3.20-3
Doc Type:	Rebase: Bug Fixes and Enhancements
Doc Text:	_libreswan_ rebased to version 3.20 The _libreswan_ packages have been upgraded to upstream version 3.20, which provides a number of bug fixes and enhancements over the previous version. Notable enhancements include: * Added support for Opportunistic IPsec (Mesh Encryption), which enables IPsec deployments that cover a large number of hosts using a single simple configuration on all hosts. * FIPS further tightened. * Added support for routed-based VPN using Virtual Tunnel Interface (VTI). * Improved support for non-root configurations. * Improved Online Certificate Status Protocol (OCSP) and Certificate Revocation Lists (CRL) support. * Added new "whack" command options: "--fipsstatus", "--fetchcrls", "--globalstatus", and "--shuntstatus". * Added support for the NAT Opportunistic Encryption (OE) Client Address Translation: "leftcat=yes". * Added support for the Traffic Flow Confidentiality mechanism: "tfc=". * Updated cipher preferences as per RFC 4307bis and RFC 7321bis. * Added support for Extended Sequence Numbers (ESN): "esn=yes". * Added support for disabling and increasing the replay window: "replay-window=".
Clone Of:
Clones:	1463317 (view as bug list)
Environment:
Last Closed:	2017-08-01 12:31:06 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2017:2101	0	normal	SHIPPED_LIVE	libreswan bug fix and enhancement update	2017-08-01 16:07:26 UTC

Description Paul Wouters 2016-11-30 01:37:32 UTC

rebase of libreswan brings in various maintenance updates as well as some features listed as part of other libreswan rhbz's:

- Opportunistic Encryption support (mesh encryption)
- Further FIPS tightening
- routed based VPN support using VTI (leftvti=, vti-interface= vti-routing=, vti-shared, mark=)
- Improved support for non-root configuration/nss db location
- Improved OCSP and CRLs support (ocsp-method ocsp-cache-size ocsp-cache-min-age, ocsp-cache-max-age)
- SECCOMP support (seccomp=enabled|tolerant|disabled)
- Support for NAT OE Client Address Translation (leftcat=yes)
- Support for Traffic Flow Confidentiality tfc=
- Update cipher preferences as per RFC 4307bis and RFC 7321bis
- Improved proposal packet transform parser
- ESN support (XFRM linux 2.6.39+) via esn=yes|no
- Support disabling and increasing replay window via replay-window=

new whack options:
ipsec whack --fipsstatus
ipsec whack --fetchcrls
ipsec whack --globalstatus
ipsec whack --shuntstatus

Comment 2 Chris Williams 2017-02-07 16:13:00 UTC

*** Bug 1418377 has been marked as a duplicate of this bug. ***

Comment 3 Ondrej Moriš 2017-02-10 09:11:25 UTC

> Opportunistic Encryption support (mesh encryption)
> Support for NAT OE Client Address Translation (leftcat=yes)

Already covered by BZ#1300752.

> Routed based VPN support using VTI (leftvti=, vti-interface= vti-routing=, vti-shared, mark=)

Unfortunately cannot test, no VPN available for testing.

> Improved support for non-root configuration/nss db location
> Improved proposal packet transform parser
> Further FIPS tightening

Can you please give us more details about these, Paul? Or are there any GH issues associated with these changes?

> SECCOMP support (seccomp=enabled|tolerant|disabled)

Already covered by BZ#1375750 - SECCOMP support for libreswan.

> Support for Traffic Flow Confidentiality tfc=
> Support disabling and increasing replay window via replay-window=

SanityOnly candidates. We can check that options work. These changes are aimed to mitigate rather non-trivial attacks and hence we probably cannot test them properly.

> Update cipher preferences as per RFC 4307bis and RFC 7321bis

Already covered by BZ#1335949.

> ESN support (XFRM linux 2.6.39+) via esn=yes|no
> Improved OCSP and CRLs support (ocsp-method ocsp-cache-size ocsp-cache-min-age, ocsp-cache-max-age)

These should be relatively easy to test.

Comment 4 Paul Wouters 2017-02-10 18:34:10 UTC

VTI can be tested between two libreswan endpoints. Just pick any existing host to host test case and on both ends _add_ to the conn:

  mark=2/0xffffffff
  vti-routing=no
  vti-shared=no
  vti-interface=ipsec0
  leftsubnet=0.0.0.0/0
  rightsubnet=0.0.0.0/0

You can do various pings and nothing should get encrypted, you can verify with ipsec whack --trafficstatus. Then let's say you configure the "right" end to have 10.0.2.0/24, so on the "left" end run:

ip route add 10.0.2.0/24 dev ipsec0

Do a ping to that network and packets should get encrypted.

As a bonus, using this setup you can use tcpdump -n -i ipsec0 to see pre-encrypt and post-decrypted traffic, without seeing the ESP encrypted traffic. And when running tcpdump on the physical interface, no cleartext should be visiable at all (unlike before, without VTI where you say "half" the plaintext with tcpdump)

The non-root / not-default locations are to better support neutron generated configurations. This can be tested by using a non-root user nss db and ipsec.conf in a custom dir, and starting pluto with ipsec pluto --nssdir XXX --configdir YYY

The improved proposal parser is tested most easilly by using a strongswan interop test with default proposal set on strongswan, and plutodebug=all on the libreswan end. This basically runs pluto into an infinite loop going over proposals and logigng things (for minutes or more!). With the newer libreswan version, this does not happen as the parser is much smarter in accepting/rejecting from the Giant List of Strongswan Proposals

Further FIPS tightening consists of a few things. From the changelog:

* FIPS: Only pluto needs a .hmac file, reducing crypto boundary [Paul]
* FIPS: do not allow DBG_PRIVATE to be set when running in FIPS mode [Paul]
* FIPS: Ignore failureshunt=passthrough and negotiationshunt=passthrough [Paul]
* FIPS: Filter default proposals of non-FIPS allowed proposals [Andrew]
* FIPS: Added CAVP test for pluto GCM code [Andrew]
* FIPS: More cleanup of crypto related structs and functions [Andrew]
* FIPS: Implement SHA based PRFs directly in NSS [Andrew]
* FIPS: Support for CAVP testing 'HMAC construct' based SHA PRF code [Andrew]
* verify: fix "with FIPS" output to print OK [Paul]
* FIPS: Only the pluto binary needs a fipscheck .hmac file for self-test [Paul]
* FIPS: Change SA_LIFE_DURATION_MAXIMUM from 1 day to 8h [Paul]
* FIPS: Do not allow Linux-style sha2 truncation for ESP in FIPS mode [Paul]
* FIPS: Allow PSK in FIPS mode. This was erroneously not allowed [Paul]
* FIPS: Added new ipsec whack --fipsstatus [Paul]
* FIPS: Code cleanup and misc. fixes [Andrew / Paul]

I'm not sure what you would want to test here. Probably testing PSK in FIPS mode would be a useful test to add. And trying to use 3des-md5 to confirm it fails, and ensuring connections cannot have sha2-truncbug=yes, and test if using plutostderrlog=private is properly unset when in FIPS mode.

Comment 5 Ondrej Moriš 2017-02-15 14:27:13 UTC

Thanks a lot Paul, is it possible to build scratch build of 3.20 for RHEL? I would like to run a full test coverage we have.

Comment 7 Ondrej Moriš 2017-02-17 10:24:38 UTC

(In reply to Ondrej Moriš from comment #5)
> Thanks a lot Paul, is it possible to build scratch build of 3.20 for RHEL? I
> would like to run a full test coverage we have.

(Or is there a way to build x86_64 rpm for RHEL-7 from github?)

Comment 9 Ondrej Moriš 2017-03-06 15:20:13 UTC

We executed all tests we have using libreswan-3.20 to check regressions and identify differences from the last RHEL-7 version (3.15) and here are the results:

 * Notable changes
   
   1. Configuration options
      a) esp - obsoleted, phase2alg should be used instead
      b) auth - not supported, causes parser error, service fails to
         start 
      c) force_busy - replaced by force-busy and obsoleted by ddos-mode
      d) nat_traversal - not supported (ignored)

   2. Commands & Parameters
      a) ipsec auto --rereadall - obsoleted by ipsec whack --fetchcrls
      b) ipsec ikeping - not supported (unknown command)
      c) ipsec {check,init}nss - location of NSS DB is not the first 
         argument but it is expected as argument of --nssdir parameter
      d) ipsec newhostkey - parameter --random changed to --seeddev,
         previous a default value of --output was /etc/ipsec.secrets, 
         now there is no default value
      e) ipsec {new,show}hostkey - output changed

   3. Cryptography
      a) FIPS-related messages changed
      b) Only pluto hmac is checked by POST. But hmacs are provided for 
         all commands
      c) DH22 is not supported
      d) mark phase2alg is not supported
      e) plase2alg not support null value

 * Possible regressions
   
   1. BZ#1146106 - phase2alg=null causes abort:

      > "test" #1: ASSERTION FAILED: "test" #1: encrypt->keydeflen > 0 (in append_encrypt_transform at /root/rpmbuild/BUILD/libreswan-3.20dr3/programs/pluto/ikev2_spdb_struct.c:1775)
      > "test" #1: ABORT at /root/rpmbuild/BUILD/libreswan-3.20dr3/programs/pluto/ikev2_spdb_struct.c:1775
      > "test" #1: ABORT at /root/rpmbuild/BUILD/libreswan-3.20dr3/programs/pluto/ikev2_spdb_struct.c:1775

   2. keyingtries - it looks like keyingtries does not work, we see no
      keyingtries attempts being logged 

   3. BZ#1126066 - using Paul's reproducer with ddos-mode=force instead
      of force_mode=yes leads to the following:

      > # ipsec auto --up test
      > 002 "test" #1: initiating v2 parent SA
      > 133 "test" #1: STATE_PARENT_I1: initiate
      > 002 "test" #1: test IKE proposals for initial initiator (selecting KE): 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256,HMAC_SHA1;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256,HMAC_SHA1;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256,HMAC_SHA1;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128,HMAC_SHA1_96;DH=MODP2048,MODP3072,MODP1536 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256,HMAC_SHA1;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128,HMAC_SHA1_96;DH=MODP2048,MODP3072,MODP1536 (default)
      > 133 "test" #1: STATE_PARENT_I1: sent v2I1, expected v2R1
      > 002 "test" #1: Received anti-DDOS COOKIE, resending I1 with cookie payload
      > 010 "test" #1: STATE_PARENT_I1: retransmission; will wait 500ms for response
      > 002 "test" #1: ERROR: asynchronous network error report on eth0 (sport=500) for message to 10.16.68.122 port 500, complainant 10.16.68.122: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
      > 010 "test" #1: STATE_PARENT_I1: retransmission; will wait 1000ms for response
      > 002 "test" #1: ERROR: asynchronous network error report on eth0 (sport=500) for message to 10.16.68.122 port 500, complainant 10.16.68.122: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
      > 010 "test" #1: STATE_PARENT_I1: retransmission; will wait 2000ms for response
      > 010 "test" #1: STATE_PARENT_I1: retransmission; will wait 4000ms for response
      > 010 "test" #1: STATE_PARENT_I1: retransmission; will wait 8000ms for response
      > 010 "test" #1: STATE_PARENT_I1: retransmission; will wait 16000ms for response
      > 010 "test" #1: STATE_PARENT_I1: retransmission; will wait 32000ms for response
      > 031 "test" #1: max number of retransmissions (8) reached STATE_PARENT_I1.  No response (or no acceptable response) to our first IKEv2 message
      > 000 "test" #1: starting keying attempt 2 of an unlimited number, but releasing whack

Paul, check you please check "regressions" and confirm that the changes mentioned above are expected? Are there anything else I am missing?

Comment 11 Paul Wouters 2017-03-23 15:01:04 UTC

Some feedback on your findings:

1. Configuration options
a) esp - obsoleted, phase2alg should be used instead

This has always been the case for libreswan (and even openswan). It's not new
We will not remove the esp= or ah= keywords. So this should not be a problem
other then updating documentation to use phase2= and phase2alg= instead of esp= or ah=

b) auth - not supported, causes parser error, service fails to
start

This is a change due to the nature of the parser. We cannot have a symmetric option that is also an asymmetric option. We introduced support for asymmetric authentication. Since the symmetric keyword is authby=, we could not use leftauthby= and rightauthby=, so we used leftauth= and rightauth=. This means the (already long obsolete) auth= option can no longer be specified as it has been changed.

c) force_busy - replaced by force-busy and obsoleted by ddos-mode

Docs need updating. but all old names are left for compatibility. Should not cause any issus.

d) nat_traversal - not supported (ignored)

Also, is no actual change unless someone set this to "no". But even if they set it to "no" it does not lead to different runtime behaviour.

2. Commands & Parameters
a) ipsec auto --rereadall - obsoleted by ipsec whack --fetchcrls

rereadall is not obsoleted. It still should cause the fetchcrl action and other reread actions. A quick peek at the code looks like this is a bug we should fix.

b) ipsec ikeping - not supported (unknown command)

It really did not work well and was pretty broken and not a standard so all
non-swan implementations would not answer anyway.

c) ipsec {check,init}nss - location of NSS DB is not the first
argument but it is expected as argument of --nssdir parameter

This was done for consistency. The old -d also still works. I'm not aware of
the use of specifying the dir without a option name.

d) ipsec newhostkey - parameter --random changed to --seeddev,

The name was clarified because originally it did mean the random device used for entropy. But libreswan always used the NSS functions to get entropy. The name was re-used for the BSI additional seeddev requirements. This was confusing, so we changed the name to match reality. But basically no one should be affected by this as in production one woult never specify the --random device. If any scripts used this, it should simply remove the option.

previous a default value of --output was /etc/ipsec.secrets,
now there is no default value

That is because it is no longer required. pluto can pull the keys from NSS without needing this obsoleted information from ipsec.secrets. Also, the ipsec showhostkey command that relied on it no longer relies on this, and for administrators trying to find keys without knowing the keyid, they can run: ipsec showhostkey --list

e) ipsec {new,show}hostkey - output changed

See above.

1. BZ#1146106 - phase2alg=null causes abort:

Fixed upstream, will be backported.

2. keyingtries - it looks like keyingtries does not work, we see no
keyingtries attempts being logged

I need to investigate this,

3. BZ#1126066 - using Paul's reproducer with ddos-mode=force instead
of force_mode=yes leads to the following:

I need to investigate this one too.

We also found a rekeying regression ourselves that we are working on fixing.
It seems we "forget" the DH if the responder rekeys, and then don't match up a valid proposal.

Comment 13 Ondrej Moriš 2017-06-28 10:09:45 UTC

Successfully verified libreswan rebased to 3.20 upstream version. Based on agreement with development and product management the following list of features were planned to be tested:

Priority 0
==========
updated ciphers to keep up with modern cryptography standards

 * VERIFIED (BZ#1335949, BZ#1444115) 

Priority 1
==========
GSSAPI authentication for cloud/mesh encryption

 * postponed to RHEL-7.5.0 (BZ#1300751)
 
Important bugfixes (CRL, CREATE_CHILD_SA, reconnecting)

 * VERIFIED (BZ#1073137)

IKEv2: Opportunistic IPsec

 * VERIFIED (BZ#1324458)

Priority 2
==========
IKEv2: support CERT chain sending

 * VEFIFIED SanityOnly (BZ#1416144, BZ#1375751)
 
VTI support and MARK support for routing based VPNs

 * VERIFIED SanityOnly

Priority 3
==========
X509: New whack --fetchcrls

 * VERIFIED
 
split-dns draft support (BZ#1300763)

 * postponed to RHEL-7.5.0 (BZ#1375750)

Priority 4
==========
pluto: EXPERIMENTAL SECCOMP support (seccomp=enabled|tolerant|disabled)

 * postponed to RHEL-7.5.0 (BZ#1375750)

Priority 5
==========
pluto: Add keyword replay-window= (default 32, 0 means disable)

 * VERIFIED (BZ#1373280)

IKEv2: Add asymmetric AUTH support (leftauth= and rightauth=)

* VERIFIED (BZ#1168795)

X509: Additional OCSP options to tweak the cache and fetch method

 * not tested due to QA capacity

XFRM: Support for Traffic Flow Confidentiality tfc=XXX

 * not tested due to QA capacity

IKEv2: ESN support (XFRM linux 2.6.39+) via esn=yes|no(default)|either

 * not tested due to QA capacity

Complete test coverage has been executed and results reviewed several times (TR#306842, TR#309731 and TR#313761). No significant issues or regressions were found. Various parts of test coverage were updated to work with 3.20 version of libreswan.

Comment 14 errata-xmlrpc 2017-08-01 12:31:06 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2101

Note You need to log in before you can comment on or make changes to this bug.