authby option incorrectly interpreted when used in %default conn

    • libreswan-4.5-1.el8_6.5
      What were you trying to do that didn't work?

      When the authby= option is used in the %default connection configuration, it is not interpreted correctly.

      What is the impact of this issue to you?

      The %default connection is used to propagate the system-wide crypto policy to libreswan, and because of this bug libreswan peer authentication does not work as the crypto policies intend.

      Please provide the package NVR for which the bug is seen:

      libreswan-4.5-1.el8

      How reproducible is this bug?:

      100%

      Steps to reproduce

      1. Configure /etc/ipsec.conf with %default connection and two additional ones as follows:

      conn %default
        authby=ecdsa-sha2_256,ecdsa-sha2_384,ecdsa-sha2_512,rsa-sha2_256,rsa-sha2_384,rsa-sha2_512
      
      conn test-1
        left=%defaultroute
        right=1.2.3.4
        auto=add
      
      conn test-2
        left=%defaultroute
        right=1.2.3.5
        authby=ecdsa-sha2_256,ecdsa-sha2_384,ecdsa-sha2_512,rsa-sha2_256,rsa-sha2_384,rsa-sha2_512
        auto=add

      Notice that test-1 is using authby from the %default while test-2 is using the very same value but not from the %default. So essentially both test-1 and test-2 should have the same authby setting. 
      2. Start the ipsec service and inspect ipsec status. Look at the policy and v2-auth-hash-policy values for both connections; they should be identical (the hash policy should contain all three hashes, and the policy should contain both ECDSA and RSASIG).

      # service ipsec restart
      # ipsec status | grep 'policy: '

      Expected results
      000 "test-1":   policy: IKEv2+RSASIG+ECDSA+ENCRYPT+TUNNEL+PFS+IKE_FRAG_ALLOW+ESN_NO;
      000 "test-1":   v2-auth-hash-policy: SHA2_256+SHA2_384+SHA2_512; 
      000 "test-2":   policy: IKEv2+RSASIG+ECDSA+ENCRYPT+TUNNEL+PFS+IKE_FRAG_ALLOW+ESN_NO;
      000 "test-2":   v2-auth-hash-policy: SHA2_256+SHA2_384+SHA2_512; 
      Actual results

      000 "test-1":   policy: IKEv2+ECDSA+ENCRYPT+TUNNEL+PFS+IKE_FRAG_ALLOW+ESN_NO;
      000 "test-1":   v2-auth-hash-policy: SHA2_256;
      000 "test-2":   policy: IKEv2+RSASIG+ECDSA+ENCRYPT+TUNNEL+PFS+IKE_FRAG_ALLOW+ESN_NO;
      000 "test-2":   v2-auth-hash-policy: SHA2_256+SHA2_384+SHA2_512;

      Additional information

      This problem is still present in libreswan-4.6, but it is no longer present in libreswan-4.9.
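      As an added example (not libreswan code and not part of this report), the following script resolves conn %default inheritance in an ipsec.conf, derives the authentication methods and hashes each authby= list should produce, and compares them with the policy lines printed by ipsec status, so that a conn whose inherited authby was not honoured (test-1 above) is flagged. The config and status text are constructed from the report.

```python
# Added example, not libreswan code: resolve each conn's effective authby (after
# 'conn %default' inheritance) and compare it with what 'ipsec status' reports.
import re

AUTHBY = "ecdsa-sha2_256,ecdsa-sha2_384,ecdsa-sha2_512,rsa-sha2_256,rsa-sha2_384,rsa-sha2_512"
IPSEC_CONF = f"""conn %default
  authby={AUTHBY}
conn test-1
  auto=add
conn test-2
  authby={AUTHBY}
  auto=add
"""
# 'ipsec status' lines as reported on an affected libreswan-4.5 host (constructed)
IPSEC_STATUS = """000 "test-1":   policy: IKEv2+ECDSA+ENCRYPT+TUNNEL+PFS+IKE_FRAG_ALLOW+ESN_NO;
000 "test-1":   v2-auth-hash-policy: SHA2_256;
000 "test-2":   policy: IKEv2+RSASIG+ECDSA+ENCRYPT+TUNNEL+PFS+IKE_FRAG_ALLOW+ESN_NO;
000 "test-2":   v2-auth-hash-policy: SHA2_256+SHA2_384+SHA2_512;
"""
TOKENS = {"ECDSA", "RSASIG", "SHA2_256", "SHA2_384", "SHA2_512"}

def parse_conf(text):
    """{conn: {key: value}} with every %default key merged into the other conns."""
    conns, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("conn "):
            cur = conns.setdefault(line.split(None, 1)[1], {})
        elif "=" in line and cur is not None:
            k, v = line.split("=", 1)
            cur[k.strip()] = v.strip()
    default = conns.pop("%default", {})
    return {n: {**default, **o} for n, o in conns.items()}

def expected_auth(authby):
    """authby=ecdsa-sha2_256,rsa-sha2_384 -> {ECDSA, SHA2_256, RSASIG, SHA2_384}."""
    out = set()
    for m in re.finditer(r"(ecdsa|rsa)-sha2_(256|384|512)", authby):
        out |= {{"ecdsa": "ECDSA", "rsa": "RSASIG"}[m.group(1)], "SHA2_" + m.group(2)}
    return out

def parse_status(text):
    """{conn: auth/hash tokens seen in its policy and v2-auth-hash-policy lines}."""
    seen = {}
    for name, vals in re.findall(r'"([^"]+)":\s+(?:policy|v2-auth-hash-policy): ([^;]+);', text):
        seen.setdefault(name, set()).update(set(vals.split("+")) & TOKENS)
    return seen

def find_mismatches(conf_text, status_text):
    """Conns whose loaded policy disagrees with their effective authby (here: test-1)."""
    conf, status = parse_conf(conf_text), parse_status(status_text)
    return sorted(n for n, o in conf.items() if "authby" in o and status.get(n) != expected_auth(o["authby"]))
```

On a live host, feed the real /etc/ipsec.conf and the output of `ipsec status` to find_mismatches; an empty result means every conn's policy matches its effective authby.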

              rhn-support-sbroz Stepan Broz
              omoris Ondrej Moris
              Daiki Ueno Daiki Ueno
              Maurizio Barbaro Maurizio Barbaro