Bug 441383 - IPV6DOD: openswan should negotiate CCM algorithm.
Summary: IPV6DOD: openswan should negotiate CCM algorithm.
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: openswan
Version: 5.2
Hardware: All
OS: All
Target Milestone: rc
Assignee: Avesh Agarwal
QA Contact:
Keywords: ZStream
Depends On:
Blocks: 253764 450126
Reported: 2008-04-07 20:00 UTC by IBM Bug Proxy
Modified: 2009-09-02 11:18 UTC (History)

Clone Of:
Last Closed: 2009-09-02 11:18:32 UTC

Attachments
Add CCM support to Openswan (11.91 KB, patch)
2008-05-27 11:26 UTC, Herbert Xu
Resync 14rc5 with my patches (16.06 KB, patch)
2008-05-31 11:38 UTC, Herbert Xu
SADB_EALG_MAX and sadb_x_lifetime_packets fix (893 bytes, patch)
2008-06-01 20:21 UTC, Paul Wouters

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2009:1350 normal SHIPPED_LIVE openswan bug fix update 2009-09-01 10:49:14 UTC
IBM Linux Technology Center 43885 None None None Never

Description IBM Bug Proxy 2008-04-07 20:00:18 UTC
---Problem Description---
openswan's ikev2 daemon should negotiate CCM algorithm.
Contact Information = Joy Latten/latten@us.ibm.com
---uname output---
Machine Type = lpar
---Steps to Reproduce---
ikev2 is not aware of CCM algorithm. See rfc 4309
---Base System Tools Component Data---
Userspace tool common name: openswan ikev2

The userspace tool has the following bit modes: 32

Userspace rpm: openswan-2.6.09-1.el5.ppc.rpm

Comment 3 Herbert Xu 2008-05-27 11:26:44 UTC
Created attachment 306757 [details]
Add CCM support to Openswan

This lets me use CCM with openswan.  As I tried to minimise the changes to
Openswan, the syntax is a bit awkward. You have to specify something like
esp=aes-ccm-a-152-null for it to work, where a/b/c means ICV lengths 8, 12 and
16, and 152 is the AES key length 128 plus a fixed 24 bits of nonce (and the
null needs to be there to prevent Openswan from sticking in an additional auth

Since I don't have anything else to test against it is only known to
interoperate with itself.

Comment 4 Paul Wouters 2008-05-27 18:01:20 UTC
One hunk did not apply against 2.6.12. Please verify my merge with 2.6.14rc4

Comment 5 Herbert Xu 2008-05-27 23:36:02 UTC
Paul, if you could let me know where 2.6.14rc4 is then I'll verify it :)

Comment 6 Paul Wouters 2008-05-28 19:09:28 UTC
Oops. Uploaded now :)


Note that this release also has some fixes in kernel_netlink.c (from #testing
merge). If you have the time to go over those, that would be great too.

Comment 8 Herbert Xu 2008-05-29 11:40:07 UTC
OK I've had a look:

1) What happened to ikev2= in the config file? The parser no longer understands it.

2) AEAD is mutually exclusive with enckeylen.  So unless you've changed it to
not set enckeylen when AEAD is in use, the AEAD test in kernel_netlink's add_sa
needs to be before the enckeylen test and the latter needs to be in the else
clause (i.e., not AEAD).


Comment 9 Paul Wouters 2008-05-29 15:06:55 UTC
I'll have a look at 1)

2) is indeed the failed hunk of your patch. I think you removed 

      if (sa->enckeylen)

for the else, but the diff did not show that, and I merged it in wrong.

I now changed it to:
    aead = get_aead_alg(sa->encalg);
    if (aead)
    if (sa->enckeylen)

Comment 10 Herbert Xu 2008-05-29 23:42:31 UTC
Oh I see.  Did you apply my patch to support NULL encryption? That's the one
which removed the enckeylen check.  Thanks!

Comment 11 Herbert Xu 2008-05-31 11:38:49 UTC
Created attachment 307268 [details]
Resync 14rc5 with my patches

This is the merge of all my patches for 12 for 14rc5.  Note that I killed
AUTH_NULL because it's not meant to be included in the proposal.  That is, the
absence of an integ transform is used to indicate NULL.

Comment 12 Paul Wouters 2008-05-31 20:15:51 UTC
thanks. I just completed double checking my merge and found the problem of the
ikev2 keyword missing (and some other merge artifacts due to merging in #testing
with overlapip support). I will verify everything with your patch, and then put
out an 2.6.14rc6.

Thanks for your work Herbert!

Comment 14 Paul Wouters 2008-06-01 15:20:53 UTC
The upload had been aborted partially.
This has now been fixed in the new uploaded version

Comment 15 Paul Wouters 2008-06-01 20:19:47 UTC
Please use attached patch against rc6

Comment 16 Paul Wouters 2008-06-01 20:21:17 UTC
Created attachment 307319 [details]
SADB_EALG_MAX and sadb_x_lifetime_packets fix

commit 1203aef777814501622c7053c613e2b162f27e2c
Author: Paul Wouters <paul@xelerance.com>
Date: Sun Jun 1 16:18:17 2008 -0400

    Added sadb_x_lifetime_packets to struct sadb_lifetime

Comment 19 Steve Grubb 2008-06-04 17:22:27 UTC
2.6.14rc7-1 was built to address the bug being reported.

Comment 22 IBM Bug Proxy 2008-06-05 20:48:45 UTC
------- Comment From tchicks@us.ibm.com 2008-06-05 16:47 EDT-------
I verified ccm support in openswan-2.6.14rc10 from openswan.org between an i386
and ppc machine.

Comment 23 IBM Bug Proxy 2008-06-05 20:57:09 UTC
------- Comment From tchicks@us.ibm.com 2008-06-05 16:53 EDT-------
BTW, I wanted to document that the ESP Algorithm identifier line that I had to
use was a little different than what was reported earlier in the bug report.  I
had to use:


as opposed to:


The only difference is a few '_' characters in place of some '-' characters

Comment 24 Herbert Xu 2008-06-06 05:34:09 UTC
Sorry my bad.  Yes only underscores can appear in the encryption part of the
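A worked parser for the esp= syntax introduced in comment 3 (ICV selector a/b/c, key length 152 = 128 + 24-bit salt, mandatory null integ) and for the underscore requirement in comment 24. This is an added illustration, not code from any attachment or from Openswan itself; the function names and the KEYMAT/nonce helpers are my own, following RFC 4309.

```python
import re

# Single-letter ICV selector from the patched syntax (comment 3) -> ICV bytes.
ICV_BYTES = {"a": 8, "b": 12, "c": 16}
SALT_BITS = 24                 # RFC 4309: 3-octet salt carried in the KEYMAT
AES_KEY_BITS = (128, 192, 256)

def parse_ccm_esp(spec):
    """Parse an esp= value such as 'aes_ccm_a-152-null' into RFC 4309
    parameters; raises ValueError with the reason if it is malformed."""
    parts = spec.strip().lower().split("-")
    if len(parts) != 3:
        # 'aes-ccm-a-152-null' splits into five pieces because '-' separates
        # enc, keylen and integ: only '_' may appear in the enc name (comment 24).
        raise ValueError("expected enc-keylen-integ, got %r" % parts)
    enc, keylen, integ = parts
    m = re.fullmatch(r"aes_ccm_([abc])", enc)
    if not m:
        raise ValueError("unsupported encryption name %r" % enc)
    if integ != "null":
        # CCM is an AEAD; anything but 'null' would make Openswan add a
        # second authentication transform (comment 3).
        raise ValueError("AEAD needs integ 'null', got %r" % integ)
    keymat_bits = int(keylen)
    key_bits = keymat_bits - SALT_BITS         # 152 = 128-bit key + 24-bit salt
    if key_bits not in AES_KEY_BITS:
        raise ValueError("%d bits minus the salt is not an AES key size" % keymat_bits)
    return {"cipher": "aes-ccm", "aead": True, "integ": None,
            "key_bits": key_bits, "salt_bits": SALT_BITS,
            "keymat_bits": keymat_bits, "icv_bytes": ICV_BYTES[m.group(1)]}

def split_keymat(params, keymat):
    """Split IKE-derived KEYMAT as RFC 4309 section 7.1 lays it out:
    the AES key first, then the 3-octet salt."""
    if len(keymat) * 8 != params["keymat_bits"]:
        raise ValueError("need %d bytes of KEYMAT" % (params["keymat_bits"] // 8))
    cut = params["key_bits"] // 8
    return keymat[:cut], keymat[cut:]

def ccm_nonce(salt, iv):
    """RFC 4309 section 4: the 11-octet CCM nonce is salt || 8-octet ESP IV."""
    if len(salt) != SALT_BITS // 8 or len(iv) != 8:
        raise ValueError("salt must be 3 bytes and IV 8 bytes")
    return salt + iv

if __name__ == "__main__":
    p = parse_ccm_esp("aes_ccm_a-152-null")
    key, salt = split_keymat(p, bytes(range(19)))  # constructed sample KEYMAT
    print(p, key.hex(), salt.hex(), ccm_nonce(salt, bytes(8)).hex())
```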

Comment 27 Chris Ward 2009-07-03 18:02:02 UTC
~~ Attention - RHEL 5.4 Beta Released! ~~

RHEL 5.4 Beta has been released! There should be a fix present in the Beta release that addresses this particular request. Please test and report back results here, at your earliest convenience. RHEL 5.4 General Availability release is just around the corner!

If you encounter any issues while testing Beta, please describe the issues you have encountered and set the bug into NEED_INFO. If you encounter new issues, please clone this bug to open a new issue and request it be reviewed for inclusion in RHEL 5.4 or a later update, if it is not of urgent severity.

Please do not flip the bug status to VERIFIED. Only post your verification results, and if available, update Verified field with the appropriate value.

Questions can be posted to this bug or your customer or partner representative.

Comment 30 errata-xmlrpc 2009-09-02 11:18:32 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.
