Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
For bugs related to Red Hat Enterprise Linux 5 product line. The current stable release is 5.10. For Red Hat Enterprise Linux 6 and above, please visit Red Hat JIRA https://issues.redhat.com/secure/CreateIssue!default.jspa?pid=12332745 to report new issues.

Bug 441383

Summary: IPV6DOD: openswan should negotiate CCM algorithm.
Product: Red Hat Enterprise Linux 5 Reporter: IBM Bug Proxy <bugproxy>
Component: openswanAssignee: Avesh Agarwal <avagarwa>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: urgent    
Version: 5.2CC: cward, herbert.xu, jplans, lwang, pwouters, tgraf, tis
Target Milestone: rcKeywords: ZStream
Target Release: ---   
Hardware: All   
OS: All   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-09-02 11:18:32 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 253764, 450126    
Attachments:
Description Flags
Add CCM support to Openswan
none
Resync 14rc5 with my patches
none
SADB_EALG_MAX and sadb_x_lifetime_packets fix none

Description IBM Bug Proxy 2008-04-07 20:00:18 UTC 
---Problem Description---
openswan's ikev2 daemon should negotiate CCM algorithm.
 
Contact Information = Joy Latten/latten.com
 
---uname output---
2.6.18-88.el5
 
Machine Type = lpar
 
---Steps to Reproduce---
ikev2 is not aware of CCM algorithm. See rfc 4309
 
---Base System Tools Component Data---
Userspace tool common name: openswan ikev2

The userspace tool has the following bit modes: 32

Userspace rpm: openswan-2.6.09-1.el5.ppc.rpm
Comment 3 Herbert Xu 2008-05-27 11:26:44 UTC 
Created attachment 306757 [details]
Add CCM support to Openswan

This lets me use CCM with openswan.  As I tried to minimise the changes to
Openswan, the syntax is a bit awkward.	You have to specify something like
esp=aes-ccm-a-152-null for it to work, where a/b/c means ICV lengths 8, 12 and
16, and 152 is the AES key length 128 plus a fixed 24 bits of nonce (and the
null needs to be there to prevent Openswan from sticking in an additional auth
algorithm).

Since I don't have anything else to test against it is only known to
interoperate with itself.
Comment 4 Paul Wouters 2008-05-27 18:01:20 UTC 
One hunk did not apply against 2.6.12. Please verify my merge with 2.6.14rc4
Comment 5 Herbert Xu 2008-05-27 23:36:02 UTC 
Paul, if you could let me know where 2.6.14rc4 is then I'll verify it :)
Comment 6 Paul Wouters 2008-05-28 19:09:28 UTC 
Oops. Uploaded now :)

ftp://ftp.openswan.org/openswan/development/openswan-2.6.14rc4.tar.gz 

Note that this release also has some fixes in kernel_netlink.c (from #testing
merge). If you have the time to go over those, that would be great too.
Comment 7 Paul Wouters 2008-05-28 20:51:44 UTC 
ftp://ftp.openswan.org/openswan/development/openswan-2.6.14rc5.tar.gz
Comment 8 Herbert Xu 2008-05-29 11:40:07 UTC 
OK I've had a look:

1) What happened to ikev2= in the config file? The parser no longer understands it.

2) AEAD is mutually exclusive with enckeylen.  So unless you've changed it to
not set enckeylen when AEAD is in use, the AEAD test in kernel_netlink's add_sa
needs to be before the enckeylen test and the latter needs to be in the else
clause (i.e., not AEAD).

Thanks.
Comment 9 Paul Wouters 2008-05-29 15:06:55 UTC 
I'll have a look at 1)

2) is indeed the failed hunk of your patch. I think you removed 

      if (sa->enckeylen)

for the else, but the diff did not show that, and I merged it in wrong.

I now changed it to:
    if(sa->authkeylen)
    {
      [...]
    }
    aead = get_aead_alg(sa->enc(sa->encalg);
    if (aead)
    {
      [...]
    }
    else
    if (sa->enckeylen)
    {
      [...]
    }
Comment 10 Herbert Xu 2008-05-29 23:42:31 UTC 
Oh I see.  Did you apply my patch to support NULL encryption? That's the one
which removed the enckeylen check.  Thanks!
Comment 11 Herbert Xu 2008-05-31 11:38:49 UTC 
Created attachment 307268 [details]
Resync 14rc5 with my patches

This is the merge of all my patches for 12 for 14rc5.  Note that I killed
AUTH_NULL because it's not meant to be included in the proposal.  That is, the
absence of an integ transform is used to indicate NULL.
Comment 12 Paul Wouters 2008-05-31 20:15:51 UTC 
thanks. I just completed double checking my merge and found the problem of the
ikev2 keyword missing (and some other merge artifacts due to merging in #testing
with overlapip support). I will verify everything with your patch, and then put
out an 2.6.14rc6.

Thanks for your work Herbert!
Comment 13 Paul Wouters 2008-06-01 02:46:04 UTC 
It's available now:

ftp://ftp.openswan.org/openswan/development/openswan-2.6.14rc6.tar.gz 
ftp://ftp.openswan.org/openswan/development/openswan-2.6.14rc6.tar.gz.asc
Comment 14 Paul Wouters 2008-06-01 15:20:53 UTC 
The upload had been aborted partially.
This has now been fixed in the new uploaded version
Comment 15 Paul Wouters 2008-06-01 20:19:47 UTC 
Please use attached patch against rc6
Comment 16 Paul Wouters 2008-06-01 20:21:17 UTC 
Created attachment 307319 [details]
SADB_EALG_MAX and sadb_x_lifetime_packets fix

commit 1203aef777814501622c7053c613e2b162f27e2c
Author: Paul Wouters <paul>
Date:	Sun Jun 1 16:18:17 2008 -0400

    SADB_EALG_MAX -> K_SADB_EALG_MAX fix
    Added sadb_x_lifetime_packets to struct sadb_lifetime
Comment 19 Steve Grubb 2008-06-04 17:22:27 UTC 
2.6.14rc7-1 was built to address the bug being reported.
Comment 22 IBM Bug Proxy 2008-06-05 20:48:45 UTC 
------- Comment From tchicks.com 2008-06-05 16:47 EDT-------
I verified ccm support in openswan-2.6.14rc10 from openswan.org between an i386
and ppc machine.
Comment 23 IBM Bug Proxy 2008-06-05 20:57:09 UTC 
------- Comment From tchicks.com 2008-06-05 16:53 EDT-------
BTW, I wanted to document that the ESP Algorithm identifier line that I had to
use was a little different than what was reported earlier in the bug report.  I
had to use:

phase2alg=aes_ccm_a-152-null

as opposed to:

phase2alg=aes-ccm-a-152-null

The only difference is a few '_' characters in place of some '-' characters
Comment 24 Herbert Xu 2008-06-06 05:34:09 UTC 
Sorry my bad.  Yes only underscores can appear in the encryption part of the
specification.
Comment 27 Chris Ward 2009-07-03 18:02:02 UTC 
~~ Attention - RHEL 5.4 Beta Released! ~~

RHEL 5.4 Beta has been released! There should be a fix present in the Beta release that addresses this particular request. Please test and report back results here, at your earliest convenience. RHEL 5.4 General Availability release is just around the corner!

If you encounter any issues while testing Beta, please describe the issues you have encountered and set the bug into NEED_INFO. If you encounter new issues, please clone this bug to open a new issue and request it be reviewed for inclusion in RHEL 5.4 or a later update, if it is not of urgent severity.

Please do not flip the bug status to VERIFIED. Only post your verification results, and if available, update Verified field with the appropriate value.

Questions can be posted to this bug or your customer or partner representative.
Comment 30 errata-xmlrpc 2009-09-02 11:18:32 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-1350.html