Bug 439985 - openswan IKEv2 responder fails when encr=aes and dh=modp1024
Summary: openswan IKEv2 responder fails when encr=aes and dh=modp1024
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: openswan
Version: 5.2
Hardware: All
OS: All
Priority: urgent
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Paul Wouters
QA Contact: Martin Jenner
URL:
Whiteboard:
Depends On:
Blocks: 253764
 
Reported: 2008-04-01 08:24 UTC by IBM Bug Proxy
Modified: 2008-05-21 15:29 UTC (History)

Fixed In Version: RHBA-2008-0395
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-05-21 15:29:07 UTC
Target Upstream Version:
Embargoed:


Attachments
log from eal5 (initiator) (28.73 KB, text/plain)
2008-04-01 08:24 UTC, IBM Bug Proxy
log from elm3a58 (responder) (105.03 KB, text/plain)
2008-04-01 08:24 UTC, IBM Bug Proxy


Links
System ID Private Priority Status Summary Last Updated
IBM Linux Technology Center 43674 0 None None None Never
Red Hat Product Errata RHBA-2008:0395 0 normal SHIPPED_LIVE new package: openswan 2008-05-19 23:09:47 UTC

Description IBM Bug Proxy 2008-04-01 08:24:38 UTC
=Comment: #0=================================================
TYLER C. HICKS <tchicks.com> - 2008-03-31 19:05 EDT
---Problem Description---
openswan IKEv2 fails to negotiate a SA when using aes as the encryption
algorithm and modp1024 as the Diffie-Hellman group.
 
Contact Information = Tyler Hicks <tyhicks.ibm.com>
 
---uname output---
Linux eal5.ltc.austin.ibm.com 2.6.18-86.el5 #1 SMP Tue Mar 18 18:19:47 EDT 2008
i686 i686 i386 GNU/Linux
Linux elm3a58.beaverton.ibm.com 2.6.18-86.el5 #1 SMP Tue Mar 18 18:19:59 EDT
2008 x86_64 x86_64 x86_64 GNU/Linux
 
Machine Type = eal5: x335
elm3a58: x3455
 
---Debugger---
A debugger is not configured
 
---Steps to Reproduce---
eal5's /etc/ipsec.conf:
-----------------------------------------------------------------
version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        # klipsdebug=none
        plutodebug="all"
        # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
        protostack=netkey
        nat_traversal=yes

conn aes-modp1024
        left=9.3.190.198
        right=9.47.66.58
        ike=aes-md5-modp1024,aes-sha1-modp1024
        ikev2=insist
        authby=secret
        auto=add
-----------------------------------------------------------------

elm3a58's /etc/ipsec.conf:
-----------------------------------------------------------------

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        # klipsdebug=none
        plutodebug="all"
        # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
        protostack=netkey
        nat_traversal=yes

conn aes-modp1024
        left=9.3.190.198
        right=9.47.66.58
        ikev2=insist
        authby=secret
        auto=add
-----------------------------------------------------------------

steps to recreate:
-----------------------------------------------------------------
[root@eal5 ~]# ipsec auto --verbose --up aes-modp1024
002 "aes-modp1024" #1: initiating v2 parent SA
133 "aes-modp1024" #1: STATE_PARENT_I1: initiate
002 "aes-modp1024" #1: transition from state STATE_IKEv2_START to state
STATE_PARENT_I1
133 "aes-modp1024" #1: STATE_PARENT_I1: sent v2I1, expected v2R1
-----------------------------------------------------------------

It seems that by default, as a responder openswan doesn't include
aes-ANY_HASH-modp1024 in its default list of possible algorithm combinations. 
If the "ike=aes-md5-modp1024,aes-sha1-modp1024" line is added to elm3a58's
/etc/ipsec.conf, then the SA is negotiated successfully.

With regards to RFC 4307, since modp1024 is a MUST- and aes_cbc is a SHOULD+, it
seems like openswan should honor the request to use the combination by default
(without having to add ike= line to the config).
 
---Security Component Data---
Userspace tool common name: openswan

The userspace tool has the following bit modes: both

Userspace rpm: openswan-2.6.09-1.el5
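
Added example, not part of the original report and not openswan code: a small checker that reads both peers' ipsec.conf text and reports whether the IKE proposal for a conn is pinned on both sides or left to one side's built-in defaults, which is the condition that made this negotiation fail. The function names and result strings are hypothetical, and the parser handles only the `cipher-hash-dhgroup` form of `ike=` shown above.

```python
import re

def parse_conns(text):
    """Parse ipsec.conf text into {conn_name: {option: value}}."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():  # an unindented line starts a new section
            words = line.split()
            is_conn = words[0] == "conn" and len(words) == 2
            current = conns.setdefault(words[1], {}) if is_conn else None
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return conns

def proposals(ike_value):
    """Split an ike= value into a set of (encryption, hash, dh_group) tuples."""
    result = set()
    for item in filter(None, (p.strip().lower() for p in ike_value.split(","))):
        parts = re.split(r"[-;]", item)
        parts += [None] * (3 - len(parts))  # hash or DH group may be omitted
        result.add(tuple(parts[:3]))
    return result

def check_pair(initiator_conf, responder_conf, conn):
    """Classify how the IKE proposal for `conn` is decided between two peers."""
    init = parse_conns(initiator_conf).get(conn)
    resp = parse_conns(responder_conf).get(conn)
    if init is None or resp is None:
        return "conn-missing"
    i_ike, r_ike = init.get("ike"), resp.get("ike")
    if i_ike is None or r_ike is None:
        # A peer relies on pluto's built-in, release-dependent proposal list.
        return "depends-on-defaults"
    return "match" if proposals(i_ike) & proposals(r_ike) else "no-common-proposal"

# Constructed sample input: the conn sections from the report, trimmed.
EAL5 = """conn aes-modp1024
        ike=aes-md5-modp1024,aes-sha1-modp1024
        ikev2=insist
"""
ELM3A58 = """conn aes-modp1024
        ikev2=insist
"""

if __name__ == "__main__":
    print(check_pair(EAL5, ELM3A58, "aes-modp1024"))
```

A "depends-on-defaults" result means the outcome changes with the installed openswan release, so configurations that must interoperate across versions should carry an explicit `ike=` line on both peers.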

Comment 1 IBM Bug Proxy 2008-04-01 08:24:42 UTC
Created attachment 299867
log from eal5 (initiator)

Comment 2 IBM Bug Proxy 2008-04-01 08:24:44 UTC
Created attachment 299868
log from elm3a58 (responder)

Comment 3 Paul Wouters 2008-04-01 15:40:54 UTC
Thank you for this bug report. You are right. We will address this issue.

Comment 7 Steve Grubb 2008-04-09 21:10:03 UTC
openswan-2.6.11-1.el5 was built to resolve this problem.

Comment 9 Paul Wouters 2008-04-09 21:25:38 UTC
I don't think 2.6.11 will address this issue? Since we do not yet have the
aes-XXX in our proposals (to suggest or accept)

Comment 10 IBM Bug Proxy 2008-04-09 22:08:49 UTC
------- Comment From tchicks.com 2008-04-09 18:06 EDT-------
I just ran the test again with 2.6.11 and it doesn't address this bug.

Comment 13 Paul Wouters 2008-04-17 18:48:21 UTC
aes-*-modp1024 has been added to the default responder policy database in
2.6.12, which we will release shortly. That should resolve this item.


Comment 14 Linda Wang 2008-04-22 13:27:47 UTC
http://www.openswan.org/download/development/openswan-2.6.12.tar.gz
http://www.openswan.org/download/development/openswan-2.6.12.tar.gz.asc

From the CHANGES file:

v2.6.12
* Add aes-*-modp1024 proposals to default responder policy db [antony]
  This is bug https://bugzilla.redhat.com/show_bug.cgi?id=439985
* Fix for ikev1 continuation segfault (only the first helper's continuations
  were cleaned up properly (eg. on dpd, sa expires..) [Anthony Tong]
* Redid fix for leftsourceip/rightsourceip getting deleted [paul]
  This is bug https://bugzilla.redhat.com/show_bug.cgi?id=432821
* As per RFC 4309, use modp2048 as default for PSK with IKEv2 [paul]
  Relates to https://bugzilla.redhat.com/show_bug.cgi?id=441588
* Added workaround for INITIATOR/RESPONDER keys being swapped [herbert]
* Preliminary work to support IKEv2_ENCR_AES_CCM__* algos [paul]
* modprobe the AES ccm kernel module on startup [paul]

Comment 15 Steve Grubb 2008-04-22 18:35:18 UTC
openswan-2.6.12-1.el5 was built to address this problem.

Comment 17 IBM Bug Proxy 2008-04-22 23:08:47 UTC
------- Comment From tchicks.com 2008-04-22 19:04 EDT-------
I have verified that openswan-2.6.12 fixes this bug.

Comment 19 IBM Bug Proxy 2008-04-30 20:16:52 UTC
------- Comment From tchicks.com 2008-04-30 16:10 EDT-------
I verified this bug fix in openswan-2.6.12-2.el5 (snapshot #7) between an i386
and a ppc machine.  Thanks Paul!

Comment 21 errata-xmlrpc 2008-05-21 15:29:07 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0395.html


