Bug 442955 - [IPv6-DoD] openswan doesn't accept null esp auth alg
Summary: [IPv6-DoD] openswan doesn't accept null esp auth alg
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: openswan
Version: 5.2
Hardware: other
OS: All
Priority: urgent
Severity: urgent
Target Milestone: rc
Assignee: Avesh Agarwal
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 253764 450127
Reported: 2008-04-17 20:49 UTC by IBM Bug Proxy
Modified: 2009-09-02 11:18 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-09-02 11:18:35 UTC
Target Upstream Version:
Embargoed:


Attachments
/var/log/secure showing failure to use null auth alg (13.97 KB, text/plain) - 2008-04-17 20:49 UTC, IBM Bug Proxy
Add conf-only ESP support (6.39 KB, patch) - 2008-04-28 12:00 UTC, Herbert Xu


Links
System ID Private Priority Status Summary Last Updated
IBM Linux Technology Center 44182 0 None None None Never
Red Hat Product Errata RHEA-2009:1350 0 normal SHIPPED_LIVE openswan bug fix update 2009-09-01 10:49:14 UTC

Description IBM Bug Proxy 2008-04-17 20:49:28 UTC
=Comment: #0=================================================
TYLER C. HICKS <tchicks.com> - 2008-04-17 15:02 EDT
---Problem Description---
openswan doesn't recognize null authentication algorithm for esp
(phase2alg=ENC-null).
 
Contact Information = Tyler Hicks <tyhicks.ibm.com>
 
---uname output---
Linux eal5.ltc.austin.ibm.com 2.6.18-88.el5 #1 SMP Tue Apr 1 19:01:20 EDT 2008
i686 i686 i386 GNU/Linux
 
Machine Type = Xseries 335
 
---Debugger---
A debugger is not configured
 
---Steps to Reproduce---

/etc/ipsec.conf
--------------------------
version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        # klipsdebug=none
        plutodebug="all"
        # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
        protostack=netkey
        nat_traversal=yes

conn i386-i386
        left=9.3.190.198
        right=9.3.190.196
        ikev2=insist
        phase2=esp
        phase2alg=aes128-null
        authby=secret
        auto=add
--------------------------

To reproduce:
--------------------------
[root@eal5 ~]# ipsec auto --verbose --up i386-i386
000 initiating all conns with alias='i386-i386' 
021 no connection named "i386-i386"
--------------------------

The connection is invalid because the null authentication algorithm for esp
isn't found.

 
---Security Component Data---
Userspace tool common name: openswan

The userspace tool has the following bit modes: 32

Userspace rpm: openswan-2.6.11-1.el5
=Comment: #1=================================================
TYLER C. HICKS <tchicks.com> - 2008-04-17 15:06 EDT

/var/log/secure showing failure to use null auth alg

=Comment: #2=================================================
TYLER C. HICKS <tchicks.com> - 2008-04-17 15:09 EDT
RFC 4305 states that a NULL Auth Alg is required for compliance.  Also important
is that we don't allow a user to use NULL for Encr and Auth on the same connection.

----------------------
3.1.1. ESP Encryption and Authentication Algorithms

   These tables list encryption and authentication algorithms for the
   IPsec Encapsulating Security Payload protocol.

<snip>

      Requirement    Authentication Algorithm (notes)
      -----------    ------------------------
      MUST           HMAC-SHA1-96 [RFC2404]
      MUST           NULL (1)
      SHOULD+        AES-XCBC-MAC-96 [RFC3566]
      MAY            HMAC-MD5-96 [RFC2403] (2)

   Notes:

   (1) Since ESP encryption and authentication are optional, support for
       the two "NULL" algorithms is required to maintain consistency
       with the way these services are negotiated.  Note that while
       authentication and encryption can each be "NULL", they MUST NOT
       both be "NULL".
----------------------

Comment 1 IBM Bug Proxy 2008-04-17 20:49:31 UTC
Created attachment 302806 [details]
/var/log/secure showing failure to use null auth alg

Comment 5 Herbert Xu 2008-04-28 12:00:01 UTC
Created attachment 303965 [details]
Add conf-only ESP support

This patch adds support for confidentiality-only ESP by recognising the string
"null" in ESP algorithm specifications.  Only tested between Openswan and
itself as Strongswan doesn't seem to support this either (and I don't have a
racoon close by to test :)
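
The RFC 4305 rule quoted in comment #2 (NULL authentication must be accepted, but encryption and authentication must not both be NULL) and the "null" token recognised by the patch in comment 5 can be modelled with a small validator for phase2alg proposals. This is an added example, not Openswan's own parser; the algorithm table and key lengths are a constructed subset, and the function names are hypothetical.

```python
"""Validate Openswan-style phase2alg ESP proposals such as "aes128-null"."""
import re

# Constructed subset of ESP encryption algorithms and the key lengths each accepts.
ESP_ENCR = {"aes": {128, 192, 256}, "3des": {192}, "null": set()}
# RFC 4305 3.1.1 authentication algorithms: HMAC-SHA1-96, NULL, AES-XCBC-MAC-96, HMAC-MD5-96.
ESP_AUTH = {"sha1", "null", "aes_xcbc", "md5"}

# Lazy name followed by optional digits, so "aes128" splits into ("aes", "128").
_ENCR_TOKEN = re.compile(r"(?P<name>[a-z0-9_]+?)(?P<keylen>\d*)")


class ProposalError(ValueError):
    """Carries a readable reason instead of silently dropping the conn."""


def parse_proposal(spec):
    """Parse one ESP proposal "ENCR[KEYLEN]-AUTH" into (encr, keylen, auth)."""
    parts = spec.strip().lower().split("-")
    if len(parts) != 2:
        raise ProposalError(f"{spec!r}: expected ENCR[KEYLEN]-AUTH")
    m = _ENCR_TOKEN.fullmatch(parts[0])
    if m is None:
        raise ProposalError(f"{spec!r}: missing encryption algorithm")
    encr, keylen, auth = m.group("name"), m.group("keylen"), parts[1]
    if encr not in ESP_ENCR:
        raise ProposalError(f"{spec!r}: unknown ESP encryption algorithm {encr!r}")
    keylen = int(keylen) if keylen else None
    if keylen is not None and keylen not in ESP_ENCR[encr]:
        raise ProposalError(f"{spec!r}: {encr} does not take a {keylen}-bit key")
    if auth not in ESP_AUTH:
        raise ProposalError(f"{spec!r}: unknown ESP authentication algorithm {auth!r}")
    # RFC 4305 note (1): encryption and authentication MUST NOT both be NULL.
    if encr == "null" and auth == "null":
        raise ProposalError(f"{spec!r}: null encryption with null authentication "
                            "gives no protection (RFC 4305)")
    return encr, keylen, auth


def validate_phase2alg(value):
    """Validate a comma-separated phase2alg list and return the parsed proposals."""
    return [parse_proposal(p) for p in value.split(",") if p.strip()]


def is_valid_phase2alg(value):
    """True when every proposal in the list is acceptable."""
    try:
        validate_phase2alg(value)
    except ProposalError:
        return False
    return True
```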

Comment 6 IBM Bug Proxy 2008-04-30 21:17:39 UTC
------- Comment From tchicks.com 2008-04-30 17:13 EDT-------
Red Hat - Can we get confirmation that a fix for this bug is targeted for the
zstream release?  Thanks!

Comment 7 Linda Wang 2008-05-09 15:56:00 UTC
Yes, Herbert's patch (see comment #5) is targeted for zstream.

Comment 8 Paul Wouters 2008-05-15 03:09:15 UTC
This patch will be in openswan 2.6.13

Comment 9 Steve Grubb 2008-06-04 17:23:15 UTC
2.6.14rc7-1 was built to address the problem being reported.

Comment 12 IBM Bug Proxy 2008-06-05 18:48:42 UTC
------- Comment From tchicks.com 2008-06-05 14:30 EDT-------
I have verified this bug fix between i386 and ppc using openswan-2.6.14rc7,
built from source from openswan.org.  I can't find the RPM that Red Hat built.

Comment 13 IBM Bug Proxy 2008-06-18 22:32:38 UTC
------- Comment From tchicks.com 2008-06-18 18:25 EDT-------
Changing status to FIXEDAWAITINGTEST on IBM's side.

------- Comment From tchicks.com 2008-06-18 18:25 EDT-------
Changing status to TESTED on IBM's side.

------- Comment From tchicks.com 2008-06-18 18:25 EDT-------
Changing status to ACCEPTED on IBM's side.

------- Comment From tchicks.com 2008-06-18 18:26 EDT-------
Changing status to CLOSED on IBM's side.  I verified the official
openswan-2.6.14-1.el5_2.1 rpm between i386 and ppc.

Comment 18 errata-xmlrpc 2009-09-02 11:18:35 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-1350.html

