Bug 442955 - [IPv6-DoD] openswan doesn't accept null esp auth alg
Summary: [IPv6-DoD] openswan doesn't accept null esp auth alg
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: openswan   
(Show other bugs)
Version: 5.2
Hardware: other
OS: All
Target Milestone: rc
: ---
Assignee: Avesh Agarwal
QA Contact:
Keywords: ZStream
Depends On:
Blocks: 253764 450127
TreeView+ depends on / blocked
Reported: 2008-04-17 20:49 UTC by IBM Bug Proxy
Modified: 2009-09-02 11:18 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2009-09-02 11:18:35 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
/var/log/secure showing failure to use null auth alg (13.97 KB, text/plain)
2008-04-17 20:49 UTC, IBM Bug Proxy
no flags Details
Add conf-only ESP support (6.39 KB, patch)
2008-04-28 12:00 UTC, Herbert Xu
no flags Details | Diff

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2009:1350 normal SHIPPED_LIVE openswan bug fix update 2009-09-01 10:49:14 UTC
IBM Linux Technology Center 44182 None None None Never

Description IBM Bug Proxy 2008-04-17 20:49:28 UTC
=Comment: #0=================================================
TYLER C. HICKS <tchicks@us.ibm.com> - 2008-04-17 15:02 EDT
---Problem Description---
openswan doesn't recognize null authentication algorithm for esp
Contact Information = Tyler Hicks <tyhicks@linux.vnet.ibm.com>
---uname output---
Linux eal5.ltc.austin.ibm.com 2.6.18-88.el5 #1 SMP Tue Apr 1 19:01:20 EDT 2008
i686 i686 i386 GNU/Linux
Machine Type = Xseries 335
A debugger is not configured
---Steps to Reproduce---

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        # klipsdebug=none
        # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey

conn i386-i386

To reproduce:
[root@eal5 ~]# ipsec auto --verbose --up i386-i386
000 initiating all conns with alias='i386-i386' 
021 no connection named "i386-i386"

The connection is invalid because the null authentication algorithm for esp
isn't found.

---Security Component Data---
Userspace tool common name: openswan

The userspace tool has the following bit modes: 32

Userspace rpm: openswan-2.6.11-1.el5
=Comment: #1=================================================
TYLER C. HICKS <tchicks@us.ibm.com> - 2008-04-17 15:06 EDT

/var/log/secure showing failure to use null auth alg

=Comment: #2=================================================
TYLER C. HICKS <tchicks@us.ibm.com> - 2008-04-17 15:09 EDT
RFC 4305 states that a NULL Auth Alg is required for compliance.  Also important
is that we don't allow a user to use NULL for Encr and Auth on the same connection.

3.1.1. ESP Encryption and Authentication Algorithms

   These tables list encryption and authentication algorithms for the
   IPsec Encapsulating Security Payload protocol.


      Requirement    Authentication Algorithm (notes)
      -----------    ------------------------
      MUST           HMAC-SHA1-96 [RFC2404]
      MUST           NULL (1)
      SHOULD+        AES-XCBC-MAC-96 [RFC3566]
      MAY            HMAC-MD5-96 [RFC2403] (2)


   (1) Since ESP encryption and authentication are optional, support for
       the two "NULL" algorithms is required to maintain consistency
       with the way these services are negotiated.  Note that while
       authentication and encryption can each be "NULL", they MUST NOT
       both be "NULL".

Comment 1 IBM Bug Proxy 2008-04-17 20:49:31 UTC
Created attachment 302806 [details]
/var/log/secure showing failure to use null auth alg

Comment 5 Herbert Xu 2008-04-28 12:00:01 UTC
Created attachment 303965 [details]
Add conf-only ESP support

This patch adds support for confidentiality-only ESP by recognising the string
"null" in ESP algorithm specifications.  Only tested between Openswan and
itself as Strongswan doesn't seem to support this either (and I don't have a
racoon close by to test :)

Comment 6 IBM Bug Proxy 2008-04-30 21:17:39 UTC
------- Comment From tchicks@us.ibm.com 2008-04-30 17:13 EDT-------
Red Hat - Can we get confirmation that a fix for this bug is targeted for the
zstream release?  Thanks!

Comment 7 Linda Wang 2008-05-09 15:56:00 UTC
yes, herbert's patch see comment#5 is targeted for zstream.

Comment 8 Paul Wouters 2008-05-15 03:09:15 UTC
This patch will be in openswan 2.6.13

Comment 9 Steve Grubb 2008-06-04 17:23:15 UTC
2.6.14rc7-1 was built to address the problem being reported.

Comment 12 IBM Bug Proxy 2008-06-05 18:48:42 UTC
------- Comment From tchicks@us.ibm.com 2008-06-05 14:30 EDT-------
I have verified this bug fix between i386 and ppc using openswan-2.6.14rc7,
built from source from openswan.org.  I can't find the RPM that Red Hat built.

Comment 13 IBM Bug Proxy 2008-06-18 22:32:38 UTC
------- Comment From tchicks@us.ibm.com 2008-06-18 18:25 EDT-------
Changing status to FIXEDAWAITINGTEST on IBM's side.

------- Comment From tchicks@us.ibm.com 2008-06-18 18:25 EDT-------
Changing status to TESTED on IBM's side.

------- Comment From tchicks@us.ibm.com 2008-06-18 18:25 EDT-------
Changing status to ACCEPTED on IBM's side.

------- Comment From tchicks@us.ibm.com 2008-06-18 18:26 EDT-------
Changing status to CLOSED on IBM's side.  I verified the official
openswan-2.6.14-1.el5_2.1 rpm between i386 and ppc.

Comment 18 errata-xmlrpc 2009-09-02 11:18:35 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.


Note You need to log in before you can comment on or make changes to this bug.