RHEL-125174

Failure to import libreswan connection with rsa keys ending in '=='


    • None
    • Important
    • ZStream
    • rhel-net-mgmt
    • 1
    • False
    • False
    • Regression Exception
      Definition of Done:

      Please mark each item below with ( / ) if completed or ( x ) if incomplete:

      ( ) The acceptance criteria defined below are met.

      Given a RHEL 10 system with NetworkManager-libreswan-1.2.26 or later and a valid libreswan config file (subnet4.conf from the description) containing RSA keys ending with '==',

      When a sysadmin executes: nmcli connection import type libreswan file subnet4.conf,

      Then the import succeeds with exit code 0, displaying "Connection 'subnet4' successfully added."

      We need to run nmcli connection show subnet4 to confirm:

      • The rightrsasigkey value ends with '==' (not truncated)
      • The leftrsasigkey value ends with '==' (not truncated)
      • The authby property is set to 'rsasig' (not rejected as invalid)

      Given a libreswan config file with: customvalue=abc=def,

      When the file is imported via nmcli,

      Then the parser extracts key='customvalue' and value='abc=def', not the incorrect key='customvalue=abc' and value='def'.

      This should be backported to rhel-9.7 and rhel-10.1.


      ( ) Integration test case is available upstream.


      ( ) Code is reviewed and merged upstream.


      ( ) Preliminary testing is done.


      ( ) A demo is recorded
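
The key/value rule in the acceptance criteria above, as an added C example (not NetworkManager-libreswan's own parser): each option is split at the first '=' so base64 padding stays in the value, with the last-'=' split shown for contrast. The function name, the enum and the sample lines are assumptions made for illustration; the key material is a constructed placeholder.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum cut { CUT_FIRST, CUT_LAST };   /* which '=' separates key from value */

/* Split one "key=value" option line, trimming surrounding whitespace.
 * CUT_FIRST is the rule the criteria ask for: later '=' stay in the value.
 * CUT_LAST reproduces the wrong result the criteria name.
 * Returns 0 on success, -1 if there is no '=', no key, or a buffer is too small. */
int split_keyval(const char *line, enum cut where,
                 char *key, size_t ksz, char *val, size_t vsz)
{
    while (isspace((unsigned char)*line)) line++;        /* options are indented */
    const char *eq = where == CUT_LAST ? strrchr(line, '=') : strchr(line, '=');
    if (!eq) return -1;
    size_t klen = (size_t)(eq - line);
    while (klen > 0 && isspace((unsigned char)line[klen - 1])) klen--;
    const char *v = eq + 1;
    while (isspace((unsigned char)*v)) v++;
    size_t vlen = strlen(v);
    while (vlen > 0 && isspace((unsigned char)v[vlen - 1])) vlen--;
    if (klen == 0 || klen >= ksz || vlen >= vsz) return -1;
    memcpy(key, line, klen); key[klen] = '\0';
    memcpy(val, v, vlen);    val[vlen] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed lines; the key material is a placeholder, not a real key. */
    const char *lines[] = { "    rightrsasigkey=0sQUJDRA==\n",
                            "    customvalue=abc=def\n",
                            "    authby=rsasig\n" };
    char k[64], v[64];
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        if (split_keyval(lines[i], CUT_FIRST, k, sizeof k, v, sizeof v) == 0)
            printf("first '=': key='%s' value='%s'\n", k, v);
        if (split_keyval(lines[i], CUT_LAST, k, sizeof k, v, sizeof v) == 0)
            printf("last  '=': key='%s' value='%s'\n", k, v);
    }
    return 0;
}
```

A regression test for the import path can assert the same two properties on the parsed result: the key contains no '=' and a padded value still ends with '=='.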


      What were you trying to do that didn't work?

      Import a Libreswan IPsec connection containing an rsa key ending in '=='. See example connection at the end.

      What is the impact of this issue to you?

      I can't import an existing valid Libreswan connection.

      Please provide the package NVR for which the bug is seen:

      NetworkManager-libreswan-1.2.26-2.el10

      NetworkManager-libreswan-1.2.27-4.el10

      How reproducible is this bug?:

      always.

      It's a regression introduced in 1.2.26 since the import was successful in 1.2.24

      Steps to reproduce

      # rpm -q NetworkManager-libreswan
      NetworkManager-libreswan-1.2.24-2.el10.x86_64
      
      # nmcli connection import type libreswan file subnet4.conf 
      Connection 'subnet4' (b3419683-9ab1-4da5-b8b8-c9f4554d9b17) successfully added.
      
      # dnf upgrade NetworkManager-libreswan
      
      # rpm -q NetworkManager-libreswan 
      NetworkManager-libreswan-1.2.27-4.el10.x86_64
      
      # nmcli connection import type libreswan file subnet4.conf 
      Error: failed to import 'subnet4.conf': property 'authby' invalid or not supported.
      

       

      # cat subnet4.conf 
      conn subnet4
          rightid=@west
          right=172.16.1.10
          rightrsasigkey=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
          rightsubnet=192.0.1.0/24
          leftid=@east
          left=172.16.2.20
          leftrsasigkey=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
          leftsubnet=192.0.2.0/24
          leftmodecfgclient=no
          authby=rsasig
      

       

       

       

       

              nm-team Network Management Team
              bgalvani@redhat.com Beniamino Galvani
              Network Management Team Network Management Team
              Vladimir Benes Vladimir Benes