Bug 442955 - [IPv6-DoD] openswan doesn't accept null esp auth alg
[IPv6-DoD] openswan doesn't accept null esp auth alg
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: openswan (Show other bugs)
5.2
other All
urgent Severity urgent
: rc
: ---
Assigned To: Avesh Agarwal
: ZStream
Depends On:
Blocks: 253764 450127
  Show dependency treegraph
 
Reported: 2008-04-17 16:49 EDT by IBM Bug Proxy
Modified: 2009-09-02 07:18 EDT (History)
7 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-09-02 07:18:35 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
/var/log/secure showing failure to use null auth alg (13.97 KB, text/plain)
2008-04-17 16:49 EDT, IBM Bug Proxy
no flags Details
Add conf-only ESP support (6.39 KB, patch)
2008-04-28 08:00 EDT, Herbert Xu
no flags Details | Diff


External Trackers
Tracker ID Priority Status Summary Last Updated
IBM Linux Technology Center 44182 None None None Never

  None (edit)
Description IBM Bug Proxy 2008-04-17 16:49:28 EDT
=Comment: #0=================================================
TYLER C. HICKS <tchicks@us.ibm.com> - 2008-04-17 15:02 EDT
---Problem Description---
openswan doesn't recognize null authentication algorithm for esp
(phase2alg=ENC-null).
 
Contact Information = Tyler Hicks <tyhicks@linux.vnet.ibm.com>
 
---uname output---
Linux eal5.ltc.austin.ibm.com 2.6.18-88.el5 #1 SMP Tue Apr 1 19:01:20 EDT 2008
i686 i686 i386 GNU/Linux
 
Machine Type = Xseries 335
 
---Debugger---
A debugger is not configured
 
---Steps to Reproduce---

/etc/ipsec.conf
--------------------------
version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        # klipsdebug=none
        plutodebug="all"
        # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
        protostack=netkey
        nat_traversal=yes

conn i386-i386
        left=9.3.190.198
        right=9.3.190.196
        ikev2=insist
        phase2=esp
        phase2alg=aes128-null
        authby=secret
        auto=add
--------------------------

To reproduce:
--------------------------
[root@eal5 ~]# ipsec auto --verbose --up i386-i386
000 initiating all conns with alias='i386-i386' 
021 no connection named "i386-i386"
--------------------------

The connection is invalid because the null authentication algorithm for esp
isn't found.

 
---Security Component Data---
Userspace tool common name: openswan

The userspace tool has the following bit modes: 32

Userspace rpm: openswan-2.6.11-1.el5
=Comment: #1=================================================
TYLER C. HICKS <tchicks@us.ibm.com> - 2008-04-17 15:06 EDT

/var/log/secure showing failure to use null auth alg

=Comment: #2=================================================
TYLER C. HICKS <tchicks@us.ibm.com> - 2008-04-17 15:09 EDT
RFC 4305 states that a NULL Auth Alg is required for compliance.  Also important
is that we don't allow a user to use NULL for Encr and Auth on the same connection.

----------------------
3.1.1. ESP Encryption and Authentication Algorithms

   These tables list encryption and authentication algorithms for the
   IPsec Encapsulating Security Payload protocol.

<snip>

      Requirement    Authentication Algorithm (notes)
      -----------    ------------------------
      MUST           HMAC-SHA1-96 [RFC2404]
      MUST           NULL (1)
      SHOULD+        AES-XCBC-MAC-96 [RFC3566]
      MAY            HMAC-MD5-96 [RFC2403] (2)

   Notes:

   (1) Since ESP encryption and authentication are optional, support for
       the two "NULL" algorithms is required to maintain consistency
       with the way these services are negotiated.  Note that while
       authentication and encryption can each be "NULL", they MUST NOT
       both be "NULL".
----------------------
Comment 1 IBM Bug Proxy 2008-04-17 16:49:31 EDT
Created attachment 302806 [details]
/var/log/secure showing failure to use null auth alg
Comment 5 Herbert Xu 2008-04-28 08:00:01 EDT
Created attachment 303965 [details]
Add conf-only ESP support

This patch adds support for confidentiality-only ESP by recognising the string
"null" in ESP algorithm specifications.  Only tested between Openswan and
itself as Strongswan doesn't seem to support this either (and I don't have a
racoon close by to test :)
Comment 6 IBM Bug Proxy 2008-04-30 17:17:39 EDT
------- Comment From tchicks@us.ibm.com 2008-04-30 17:13 EDT-------
Red Hat - Can we get confirmation that a fix for this bug is targeted for the
zstream release?  Thanks!
Comment 7 Linda Wang 2008-05-09 11:56:00 EDT
yes, herbert's patch see comment#5 is targeted for zstream.
Comment 8 Paul Wouters 2008-05-14 23:09:15 EDT
This patch will be in openswan 2.6.13
Comment 9 Steve Grubb 2008-06-04 13:23:15 EDT
2.6.14rc7-1 was built to address the problem being reported.
Comment 12 IBM Bug Proxy 2008-06-05 14:48:42 EDT
------- Comment From tchicks@us.ibm.com 2008-06-05 14:30 EDT-------
I have verified this bug fix between i386 and ppc using openswan-2.6.14rc7,
built from source from openswan.org.  I can't find the RPM that Red Hat built.
Comment 13 IBM Bug Proxy 2008-06-18 18:32:38 EDT
------- Comment From tchicks@us.ibm.com 2008-06-18 18:25 EDT-------
Changing status to FIXEDAWAITINGTEST on IBM's side.

------- Comment From tchicks@us.ibm.com 2008-06-18 18:25 EDT-------
Changing status to TESTED on IBM's side.

------- Comment From tchicks@us.ibm.com 2008-06-18 18:25 EDT-------
Changing status to ACCEPTED on IBM's side.

------- Comment From tchicks@us.ibm.com 2008-06-18 18:26 EDT-------
Changing status to CLOSED on IBM's side.  I verified the official
openswan-2.6.14-1.el5_2.1 rpm between i386 and ppc.
Comment 18 errata-xmlrpc 2009-09-02 07:18:35 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-1350.html

Note You need to log in before you can comment on or make changes to this bug.