Bug 807772 - Update RHEL 6.2 OpenSwan bug fixes in RHEL 5.9, to conform to USGv6 cert
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: openswan (Show other bugs)
Version: 5.9
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
Assigned To: Avesh Agarwal
QA Contact: Patrik Kis
Blocks: 857527
Reported: 2012-03-28 12:46 EDT by Ann Marie Rubin
Modified: 2014-04-30 08:29 EDT (History)
Fixed In Version: openswan-2.6.32-4.el5
Doc Type: Known Issue
Doc Text:
In Red Hat Enterprise Linux 5.9, openswan can generate a Diffie-Hellman (DH) shared key that is 1 byte short, because the nss library does not add leading zero bytes to the value when they are needed. Also, openswan in Red Hat Enterprise Linux 5.9 does not support setting the sha2_truncbug parameter, because the kernel does not support it.
Last Closed: 2013-01-08 02:31:51 EST
Description Ann Marie Rubin 2012-03-28 12:46:29 EDT
Description of problem:

rebase OpenSwan in RHEL 5.9 with all fixes to the openswan bugs listed in Bug 573526 - (USGv6Cert) [RHEL6 DoC] USGv6 Certification.
 
Version-Release number of selected component (if applicable):
RHEL 6.1 to be rebased for RHEL 5.9

How reproducible:
n/a

Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:
Comment 5 Avesh Agarwal 2012-09-05 10:50:52 EDT
Bug BZ#768442 is dependent on following kernel bug:
https://bugzilla.redhat.com/show_bug.cgi?id=768460

If the above fix is not there in the 5.9 kernel, that means you can't use sha2_truncbug=yes, so just remove this from the ipsec conf file and it should work.
Comment 6 Patrik Kis 2012-09-06 03:34:10 EDT
Ok, that helps, but this way the test also passes with the old version of openswan. So it seems it is not testing what it is supposed to.
Comment 7 Patrik Kis 2012-09-06 11:38:37 EDT
I think I see the point now (as it is described here https://bugzilla.redhat.com/show_bug.cgi?id=768442#c10): the test is failing/passing because the bug fix requires a fix not only in openswan but also in the kernel, which is missing. Moreover, the openswan part is optional and can be switched on/off with sha2_truncbug.
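Background on what the knob above controls, as an added example that is not part of this bug report or of openswan's code: RFC 4868 truncates HMAC-SHA-256 to 128 bits for ESP/AH (HMAC-SHA-256-128), while older Linux kernels truncated it to 96 bits; openswan's sha2_truncbug=yes selects the 96-bit length so that an SA negotiated against such a kernel still verifies. The Python below models the receiver-side ICV check at both lengths to show why both ends, userspace and kernel, must agree on the setting. The key, payload and function names are constructed for the example.

```python
"""Added example (not openswan or kernel code): the ESP integrity check with
HMAC-SHA-256 truncated to 128 bits (RFC 4868) versus 96 bits (what older
Linux kernels did, and what openswan's sha2_truncbug=yes asks for).

In ipsec.conf the knob is per connection, e.g.
    conn example
        ...
        sha2_truncbug=yes
and only has an effect if the kernel can be told which truncation to use.
"""

import hashlib
import hmac

RFC4868_ICV_BITS = 128      # conforming HMAC-SHA-256-128
LINUX_BUGGY_ICV_BITS = 96   # truncation used by unfixed kernels


def icv_len(sha2_truncbug: bool) -> int:
    """ICV length in bytes as a function of the ipsec.conf setting."""
    return (LINUX_BUGGY_ICV_BITS if sha2_truncbug else RFC4868_ICV_BITS) // 8


def protect(key: bytes, authenticated: bytes, sha2_truncbug: bool) -> bytes:
    """Sender side: append the truncated HMAC-SHA-256 ICV to the ESP data."""
    mac = hmac.new(key, authenticated, hashlib.sha256).digest()
    return authenticated + mac[: icv_len(sha2_truncbug)]


def verify(key: bytes, packet: bytes, sha2_truncbug: bool) -> bool:
    """Receiver side: split off the ICV at the length *it* expects and compare.

    If the sender used the other length, the split lands in the wrong place:
    the covered data and the ICV both differ and the packet is dropped."""
    n = icv_len(sha2_truncbug)
    if len(packet) <= n:
        return False
    authenticated, icv = packet[:-n], packet[-n:]
    expected = hmac.new(key, authenticated, hashlib.sha256).digest()[:n]
    return hmac.compare_digest(icv, expected)


def interop(sender_truncbug: bool, receiver_truncbug: bool) -> bool:
    """Does a packet from one configuration verify on the other?"""
    # Constructed SA key and payload; in ESP these come from IKE and the
    # inner packet respectively.
    key = hashlib.sha256(b"constructed SA integrity key").digest()
    packet = protect(key, b"constructed ESP header and payload", sender_truncbug)
    return verify(key, packet, receiver_truncbug)


if __name__ == "__main__":
    for s in (False, True):
        for r in (False, True):
            print("sender truncbug=%-5s receiver truncbug=%-5s -> %s"
                  % (s, r, "ok" if interop(s, r) else "DROPPED"))
```

The two diagonal cases pass and the two mixed cases fail, which is the situation comment 7 describes: with the openswan side of the fix present but the kernel side missing, the only working configuration on 5.9 is to leave sha2_truncbug unset on both peers.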
Comment 8 Ondrej Moriš 2012-09-11 04:29:54 EDT
Avesh, recently we found out that there is also a problem with Bug 768162. Its fix is "backported" to the RHEL 5.9 build as well. Please recall [1] that this bug contained two issues: 

1. openswan generated a KE payload with 1 less byte occasionally.

This issue is correctly resolved in openswan-2.6.32-4.el5
  
2. openswan generated DH shared key that was 1 byte short because nss did not add leading zero bytes when needed
 
Unfortunately this problem is still present on rhel5.9 (with openswan-2.6.32-4.el5) because nss is not fixed on rhel5.9 (Bug 855809).

So, how to handle this? If nss will not be fixed (and it might be already too late), I suggest adding a technical note that the second part of Bug 768162 is still present. Is there any workaround for it (I do not see any)?

[1] https://bugzilla.redhat.com/show_bug.cgi?id=768162#c36
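The two issues in comment 8 are the same encoding mistake on two values: an IKE KE payload and the DH shared secret g^xy must both be serialised at the full byte width of the group modulus, so a value whose top byte happens to be zero (roughly one exchange in 256 for a real group) is one byte short if leading zeros are stripped. The added Python below, which is not openswan or nss code, shows the minimal and the fixed-width encodings side by side, searches for an exchange that hits the short case, and feeds both encodings into the RFC 2409 SKEYID computation to show that the peer cannot reproduce the key. The group is a toy Mersenne prime so the search runs instantly; it is not an IKE group, and the nonces and function names are constructed for the example.

```python
"""Added example (not openswan or nss code): why a DH value exported without
its leading zero bytes comes out "1 byte short", and the fixed-width encoding
IKE expects (RFC 2409 section 5: KE payloads and g^xy are the length of the
group modulus)."""

import hashlib
import hmac

# Toy group: p = 2**127 - 1 (a Mersenne prime), generator 2. Chosen so the
# search below is instant. It is NOT an IKE group; real ones (RFC 2409 group 2,
# RFC 3526) are 1024 bits and up, and the padding rule is the same.
P = (1 << 127) - 1
G = 2
P_LEN = (P.bit_length() + 7) // 8  # 16 bytes for this toy group


def minimal_encode(n: int) -> bytes:
    """Shortest big-endian encoding, leading zeros stripped (the buggy path)."""
    return n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")


def fixed_width_encode(n: int, length: int = P_LEN) -> bytes:
    """Big-endian encoding zero-padded to the modulus length (what IKE needs)."""
    if not 0 <= n < (1 << (8 * length)):
        raise ValueError("value does not fit in %d bytes" % length)
    return n.to_bytes(length, "big")


def private_key(seed: bytes) -> int:
    """Deterministic private exponent in [1, p-2] so the example is repeatable."""
    return int.from_bytes(hashlib.sha256(seed).digest(), "big") % (P - 2) + 1


def skeyid(ni: bytes, nr: bytes, gxy: bytes) -> bytes:
    """SKEYID = prf(Ni_b | Nr_b, g^xy), RFC 2409 section 5 (signature auth),
    with HMAC-SHA1 as the prf."""
    return hmac.new(ni + nr, gxy, hashlib.sha1).digest()


def find_short_exchange(max_tries: int = 100000) -> dict:
    """Run deterministic DH exchanges until g^xy has a single leading zero
    byte, the case the bug report calls 'occasionally', and report what the
    two encodings do to the derived SKEYID."""
    x = private_key(b"initiator")
    gx = pow(G, x, P)
    for i in range(max_tries):
        y = private_key(b"responder-%d" % i)
        gy = pow(G, y, P)
        shared = pow(gy, x, P)
        assert shared == pow(gx, y, P)          # both sides agree on g^xy
        padded = fixed_width_encode(shared)
        if padded[0] == 0 and padded[1] != 0:   # exactly one byte of padding
            ni = hashlib.sha256(b"constructed Ni").digest()[:16]
            nr = hashlib.sha256(b"constructed Nr").digest()[:16]
            stripped = minimal_encode(shared)
            return {
                "tries": i + 1,
                "modulus_len": P_LEN,
                "padded_len": len(padded),
                "stripped_len": len(stripped),
                # A peer that pads (per RFC) derives a different SKEYID from
                # one that does not, so phase 1 fails on this exchange.
                "skeyid_match": skeyid(ni, nr, stripped) == skeyid(ni, nr, padded),
            }
    raise RuntimeError("no short shared secret within %d tries" % max_tries)


if __name__ == "__main__":
    print(find_short_exchange())
```

The same check applies to the KE payload: a receiver can reject a KE whose length differs from the group's modulus length, which is exactly the "1 less byte occasionally" symptom of the first issue.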
Comment 9 Avesh Agarwal 2012-09-11 10:26:36 EDT
(In reply to comment #8)
> Avesh, recently we found out that there is also a problem with Bug 768162.
> Its fix is "backported" to RHEL5.9 build as well. Please recall [1] that
> this bug contained two issues: 
> 
> 1. openswan generated a KE payload with 1 less byte occasionally.
> 
> This issue is correctly resolved in openswan-2.6.32-4.el5
>   
> 2. openswan generated DH shared key that was 1 byte short because nss did
> not add leading zero bytes when needed
>  
> Unfortunately this problems is still present on rhel5.9 (with
> openswan-2.6.32-4.el5) because nss is not fixed on rhel5.9 (Bug 855809).
> 
> So, how to handle this? If nss will no be fixed (and it might be already too
> late), I suggest to add a technical note that the second part of Bug 768162
> is still present. Is there any workaround for it (I do not see any)?

I am OK with adding a technical note about it. However, I am just thinking that if some customer looks at it, they may wonder why it has not been fixed.
 
Yes, even I do not know any workaround. 

> 
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=768162#c36
Comment 10 Patrik Kis 2012-09-11 10:58:55 EDT
(In reply to comment #9)
> (In reply to comment #8)

Hi Avesh,
shouldn't there be a technical note also for missing kernel fix that you mentioned in comment#5? I think it is the same issue, i.e. a missing bug fix of other component on which the openswan fix depends.
Comment 11 Avesh Agarwal 2012-09-11 11:09:28 EDT
(In reply to comment #10)
> (In reply to comment #9)
> > (In reply to comment #8)
> 
> Hi Avesh,
> shouldn't there be a technical note also for missing kernel fix that you
> mentioned in comment#5? I think it is the same issue, i.e. a missing bug fix
> of other component on which the openswan fix depends.

Yes, right, I agree with you, and a note saying something like: sha2_truncbug is not supported on 5.9, simply because kernel support for it does not exist.
Comment 15 errata-xmlrpc 2013-01-08 02:31:51 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0077.html
