Bug 1743649 - ipsec auto --listall prints un-escaped left/right ID
Summary: ipsec auto --listall prints un-escaped left/right ID
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: libreswan
Version: 8.0
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: low
Target Milestone: rc
Target Release: 8.0
Assignee: Paul Wouters
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On: 1820206
Blocks:
Reported: 2019-08-20 11:36 UTC by Jaroslav Aster
Modified: 2020-11-09 14:21 UTC (History)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-11-04 03:18:00 UTC
Type: Bug
Target Upstream Version:
Embargoed:
pm-rhel: mirror+
Description Jaroslav Aster 2019-08-20 11:36:33 UTC
Description of problem:

ipsec auto --listall prints un-escaped left/right ID. ID escaping was introduced in bug bz#868986. It works, but ipsec auto --listall has started to print the ID un-escaped. Same for ipsec auto --status. I think it came from commit

commit 542f32f1f1c9a8dfce850271eeea445ac3653e75
Author: D. Hugh Redelmeier <hugh>
Date:   Sat Nov 3 10:31:44 2018 -0400

    lib/libswan/x509dn.c dn_parse()

    For each ',' or '/' in an ASN.1 string, double it in the ASCII-fied version.
    This is the inverse of what is done in the ASCII to ASN.1 code.

    Our code never did this before.  Surely a bug.


Version-Release number of selected component (if applicable):

libreswan-3.29-6.el8


How reproducible:

100%


Steps to Reproduce:

# cat /etc/ipsec.conf 
conn   tuntest
        connaddrfamily=ipv4
        type=tunnel
        authby=rsasig
        left=10.37.162.52
        leftid="C=CZ, ST=Moravia, L=Brno, O=Test Example, OU=Global,, Support,, Services, CN=leftcert"
        leftrsasigkey=%cert
        leftcert="leftcert"
        right=127.0.0.1
        rightid="C=CZ, ST=Moravia, L=Brno, O=Test Example, OU=Global,, Support,, Services, CN=rightcert"
        rekey=no
        ike=aes-sha1
        esp=aes-sha1
        auto=add


# ipsec auto --listall
000  
000 List of Public Keys:
000  
000 Aug 20 13:31:42 2019, 2048 RSA Key AwEAAcVde (no private key), until Aug 20 13:31:32 2020 ok
000        ID_DER_ASN1_DN 'CN=leftcert, OU=Global,, Support,, Services, O=Test Example, L=Brno, ST=Moravia, C=CZ'
000        Issuer 'CN=myca, OU=Global,, Support,, Services, O=Test Example, L=Brno, ST=Moravia, C=CZ'
000  
000 List of Pre-shared secrets (from /etc/ipsec.secrets)
000  
000  
000 List of X.509 End Certificates:
000  
000 End certificate "leftcert" - SN: 0x02
000   subject: CN=leftcert, OU=Global,, Support,, Services, O=Test Example, L=Brno, ST=Moravia, C=CZ
000   issuer: CN=myca, OU=Global,, Support,, Services, O=Test Example, L=Brno, ST=Moravia, C=CZ
000   not before: Tue Aug 20 11:31:32 2019
000   not after: Thu Aug 20 11:31:32 2020
000   2048 bit RSA: has private key
000  
000 List of X.509 CA Certificates:
000  
000 Root CA certificate "myca" - SN: 0x01
000   subject: CN=myca, OU=Global,, Support,, Services, O=Test Example, L=Brno, ST=Moravia, C=CZ
000   issuer: CN=myca, OU=Global,, Support,, Services, O=Test Example, L=Brno, ST=Moravia, C=CZ
000   not before: Mon May 20 11:31:28 2019
000   not after: Fri Aug 20 11:31:28 2027
000   2048 bit RSA: has private key
000  
000 List of CRLs:


Actual results:

ipsec auto --listall prints un-escaped ID.

Expected results:

ipsec auto --listall prints escaped ID.

Comment 1 D. Hugh Redelmeier 2019-09-02 16:18:19 UTC
"escaping" was introduced as a fix to bz 868986
It allows "," and "/" to be used within the ASCII representation of an OID even though they normally are separators.
I have no idea if this follows some standard.

commit 542f32f1f1c9a8dfce850271eeea445ac3653e75 was intended to do the reverse.  The result is any ASCII representation produced by libreswan could be used as an input to libreswan.

The representation in /etc/ipsec.conf looks like the representation in the output of --listall (i.e. with escapes).

This seems like a Good Thing.  In what way is this a problem?
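
The escaping rule at issue here, as the commit message in the description and this comment describe it, is that a literal ',' or '/' inside a DN attribute value is written doubled in the ASCII form, so that single ',' and '/' stay RDN separators and any string libreswan prints can be fed back in. The following is an added example (not libreswan code) that models that rule in Python: parse_dn() splits an escaped DN string into (type, value) pairs, format_dn() is its inverse, and roundtrip_ok() checks the property from this comment on the leftid from the report. The whitespace handling (trimming around separators and '=') is an assumption, not something the bug states.

```python
# Added example, not libreswan code: a model of the ',,' / '//' DN escaping
# rule described in commit 542f32f1f1c9a8dfce850271eeea445ac3653e75 and
# bz#868986.  Assumption: whitespace around separators and '=' is not part
# of a value; the bug report does not say how libreswan treats it.
from typing import List, Tuple

SEPARATORS = ",/"

# Sample input taken from the bug report's ipsec.conf (leftid).
LEFTID_FROM_REPORT = (
    "C=CZ, ST=Moravia, L=Brno, O=Test Example, "
    "OU=Global,, Support,, Services, CN=leftcert"
)


def parse_dn(text: str) -> List[Tuple[str, str]]:
    """Split an escaped DN string into (attribute type, value) pairs.

    A doubled separator (",," or "//") is one literal character in the
    value; a single separator ends the current RDN.  Raises ValueError if
    a piece has no '=', which is what happens when an un-escaped comma
    splits a value such as "Global, Support, Services".
    """
    rdns: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(text):
        c = text[i]
        if c in SEPARATORS:
            if i + 1 < len(text) and text[i + 1] == c:
                buf.append(c)           # escaped literal: keep one copy
                i += 2
                continue
            rdns.append("".join(buf))   # lone separator: RDN boundary
            buf = []
        else:
            buf.append(c)
        i += 1
    rdns.append("".join(buf))

    pairs: List[Tuple[str, str]] = []
    for rdn in rdns:
        rdn = rdn.strip()
        if not rdn:
            continue
        if "=" not in rdn:
            raise ValueError(f"RDN without '=': {rdn!r}")
        typ, val = rdn.split("=", 1)
        pairs.append((typ.strip(), val.strip()))
    return pairs


def format_dn(pairs: List[Tuple[str, str]]) -> str:
    """Inverse of parse_dn: double every ',' and '/' inside a value."""
    parts = []
    for typ, val in pairs:
        escaped = "".join(c + c if c in SEPARATORS else c for c in val)
        parts.append(f"{typ}={escaped}")
    return ", ".join(parts)


def roundtrip_ok(text: str) -> bool:
    """True if the text parses and re-formats to exactly itself."""
    try:
        return format_dn(parse_dn(text)) == text
    except ValueError:
        return False


if __name__ == "__main__":
    print(parse_dn(LEFTID_FROM_REPORT))
    print(roundtrip_ok(LEFTID_FROM_REPORT))
    # Same value with the escaping stripped, as the old --listall printed it:
    print(roundtrip_ok("OU=Global, Support, Services, CN=leftcert"))
```

The last line of the demo shows why the report matters: with the doubling removed, "Global, Support, Services" is read back as three separate pieces, two of which are not valid RDNs, so output in that form cannot be used as input.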

Comment 2 Paul Wouters 2019-09-04 16:30:08 UTC
Jaroslav,

I still do not fully understand the bug.

The ID input specifies 2 commas, did you expect 4 in the print?

What is on the certificate / ASN itself? Can you show the output of:

openssl x509 -in file.crt -noout -subject

Comment 3 Paul Wouters 2019-09-17 19:38:57 UTC
This has been addressed upstream where this handling has been improved. It did change a lot of string functions, so this cannot be reasonably backported. It will come into RHEL via a rebase to 3.30

Comment 4 Jaroslav Aster 2019-10-08 13:47:31 UTC
Hi Paul,

do you still need my answer, or, based on comment #3, do you understand where the issue is?

Comment 19 Paul Wouters 2020-04-22 00:45:58 UTC
Support for the old ,, syntax was added upstream. Will be part of 3.32 release.

Upstream test case is ikev2-x509-39-OU-comma

Comment 27 errata-xmlrpc 2020-11-04 03:18:00 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (libreswan bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2020:4722

