RHBA-2011:0652 - Bug Fix Advisory

Topic

Updated openswan package that fix various bugs and provide several enhancements
are now available for Red Hat Enterprise Linux 6.

Description

Openswan is a free implementation of IPsec and IKE (Internet Key Exchange) for
Linux. This package contains the daemons and user space tools for setting up
Openswan. It supports the NETKEY/XFRM IPsec kernel stack that exists in the
default Linux kernel.

Openswan 2.6.x also supports IKEv2 (RFC4306)

The openswan packages have been upgraded to upstream version 2.6.32, which
provides a number of bug fixes and enhancements over the previous version.
(BZ#642724)

These updated openswan packages provide fixes for the following bugs:

• Openswan was previously unable to negotiate using the HMAC-SHA2-256 algorithm

in transport mode. With this update, Openswan is able to set up IPsec in using
HMAC-SHA2-256 in transport mode. (BZ#621790)

• The Openswan init script accessed the current working directory, which led to

an SELinux AVC Denial. This update ensures that the current working directory is
set to the root ("/") directory, and thus Openswan's pluto daemon starts without
incurring an SELinux denial. (BZ#628879)

• Previously, the Openswan packages were not compiled with the "-Wl,-z,relro"

parameter. These updated openswan packages have been compiled with the
"-Wl,-z,relro" parameter. (BZ#642722)

• The IPsec NETKEY kernel code sent thousands of ACQUIRE messages which led to a

segmentation fault. With this update, ACQUIRE messages are now properly
processed with the result that Openswan does not crash. (BZ#658121)

• When the system's IP address was renewed using DHCP, the Openswan IPsec

connection failed. This update ensures that the IPsec connection continues to
operate across DHCP IP address renewals. (BZ#658253)

• Entering an incorrect IKE Extended Authentication (Xauth) password during IKE

negotiation leads to a failure to connect. However, the failure was not
communicated to NetworkManager, with the result that NetworkManager continued to
wait for a timeout. With this update, Openswan sends a failure message to
NetworkManager over the D-Bus system message bus, informing it of the failure to
connect. As a result, NetworkManager knows about the failure as soon as it
happens, and is able to inform the user about it immediately. (BZ#668785)

• Internet Control Message Protocol (ICMP)-specific IPsec connections were set

up incorrectly, with incorrect "Type" and "Code" fields, in the code. This has
been fixed so that ICMP selectors are now processed correctly according to the
IKEv2 protocol specification (RFC 4306). (BZ#681974)

• Configuring a second IPsec policy using a different host behind the same

gateway caused Openswan to crash due to the policy not being set up correctly.
With this update, Openswan's IKEv2 implementation processes the traffic
selectors correctly so that the correct definition is picked up during the key
exchange. As a result, a second IPsec policy using a different host behind the
same gateway can successfully set up. (BZ#683604)

In addition, these updated packages provide the following enhancements:

• Openswan's IKEv1 implementation and NETKEY interactions now understand SELinux

labeled flows, and Openswan has been integrated with SELinux. As a result, it's
now possible to exchange SELinux labels in IKE, and set up labeled IPsec
policies and Security Associations (SAs) in SELinux Multi-Level Security (MLS)
mode. (BZ#235720)

• Previously, Openswan did not support the Internet Key Exchange version 2

(IKEv2) USE_TRANSPORT_MODE functionality, with the result that Openswan could
not interoperate with racoon2 in transport mode. With this update, Openswan's
IKEv2 protocol support has been enhanced so that it now works in transport mode,
and interoperate with racoon2. (BZ#646718)

Users are advised to upgrade to these updated openswan packages, which resolve
these issues and add these enhancements.

Solution

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red
Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259

Affected Products

• Red Hat Enterprise Linux Server 6 x86_64
• Red Hat Enterprise Linux Server 6 i386
• Red Hat Enterprise Linux Workstation 6 x86_64
• Red Hat Enterprise Linux Workstation 6 i386
• Red Hat Enterprise Linux Desktop 6 x86_64
• Red Hat Enterprise Linux Desktop 6 i386
• Red Hat Enterprise Linux for IBM z Systems 6 s390x
• Red Hat Enterprise Linux Server from RHUI 6 x86_64
• Red Hat Enterprise Linux Server from RHUI 6 i386
• Red Hat Enterprise Linux Server - Extended Life Cycle Support 6 x86_64
• Red Hat Enterprise Linux Server - Extended Life Cycle Support 6 i386
• Red Hat Enterprise Linux for Power, big endian 6 ppc64
• Red Hat Enterprise Linux Server - Extended Life Cycle Support (for IBM z Systems) 6 s390x
• Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension 6 x86_64
• Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension 6 i386
• Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension (for IBM z Systems) 6 s390x

Fixes

• BZ - 621790 - [TAHI]openswan doesn't support auth alg with "ESP=3DES-CBC HMAC-SHA2-256" in transport mode
• BZ - 628879 - init script searches cwd which can cause SELinux denials
• BZ - 642722 - Openswan does not have RELRO ELF flag set
• BZ - 642724 - Openswan rebase to the latest upstream version
• BZ - 646718 - [IPv6][TAHI]interoperation issue in transport mode between openswan and racoon2
• BZ - 668785 - Openswan modifications needed for bz 659709
• BZ - 681974 - Openswan's current IKEv2 implementation does not correctly process ICMPv6 Selectors for Type and Code
• BZ - 683604 - Openswan-IKEv2 can not setup 2nd SA with traffic selector for different host behind the same security gateway.

CVEs

(none)

References

(none)