RHBA-2013:1743 - Bug Fix Advisory

Topic

Updated openswan packages that fix several bugs and add two enhancements are now
available for Red Hat Enterprise Linux 6.

Description

Openswan is a free implementation of Internet Protocol Security (IPsec) and
Internet Key Exchange (IKE). IPsec uses strong cryptography to provide both
authentication and encryption services. These services allow you to build secure
tunnels through untrusted networks.

This update fixes the following bugs:

• Previously, when the IPsec daemon (pluto) attempted to verify the signature of

a Certificate Revocation List (CRL), if the signature value began with a zero
byte and had another zero as padding, the mpz() functions stripped out all
leading zeros. This resulted in the Network Security Services (NSS) data input
being one byte short and consequently failing verification when NSS compared its
length to the modulus length. This update removes the conversions into
arbitrary-precision arithmetic (bignum) objects and handles the leading zero by
moving the pointer one position forward and reducing the length of the signature
by 1. As a result, verification of CRLs now works as expected even with leading
zeros in the signature. (BZ#1012735)

• Previously, the order of the load_crls() and load_authcerts_from_nss()

functions in the plutomain.c file was incorrect. As a consequence, when the
IPsec daemon (pluto) attempted to load the Certificate Revocation Lists (CRLs)
from the /etc/ipsec.d/crls/ directory during startup, loading failed because
pluto checked for a loaded Certification Authority (CA) when there was none
available. This update swaps the order of the aforementioned functions in the
plutomain.c file, and now pluto no longer fails during startup and loads the
CRLs successfully. (BZ#1012736)

• Previously, when the "xauth" option was enabled and the "leftmodecfgclient"

option was disabled in the /etc/ipsec.conf file, the re-key between Openswan and
certain Cisco products, did not work. As a consequence, the Internet Key
Exchange (IKE) tunnel could not be established. This bug has now been fixed and
an IKE tunnel can be successfully established in the described scenario.
(BZ#1013925)

• Initial support for passing traffic selectors to an XFRM IPsec stack for

transport mode was incomplete and did not include the necessary work-arounds for
NAT-traversal support. As a consequence, Openswan could not establish an L2TP
connection with devices which use NAT-Traversal. After this update, the
direction of IPsec Security Association (SA) is now passed to the
netlink_setup_sa() function so that the client IP is substituted with the host
IP and the selector works for NAT transport mode. (BZ#1013984)

• Previously, when in FIPS mode, Openswan did not allow the use of SHA2

algorithms. This update enables the use of SHA2 algorithms in FIPS mode.
(BZ#1015810)

In addition, this update adds the following enhancements:

• With this update, Openswan now supports Internet Key Exchage (IKE)

fragmentation. Openswan can now successfully connect to devices which support
IKE fragmentation. (BZ#1013971)

• Support for the Internet Key Exchage version 1 (IKEv1) INITIAL-CONTACT IPsec

message, as per RFC2407 Section 4.6.3.3, has been added to Openswan. This
addresses an interoperability issue where a peer does not replace an existing
IPsec Security Association (SA) with a newly negotiated one unless a
Notification Payload message is present. (BZ#1013985)

Users of openswan are advised to upgrade to these updated packages, which fix
these bugs and add these enhancements.

Solution

Before applying this update, make sure all previously-released errata relevant
to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red
Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

Affected Products

• Red Hat Enterprise Linux Server 6 x86_64
• Red Hat Enterprise Linux Server 6 i386
• Red Hat Enterprise Linux for x86_64 - Extended Update Support 6.4 x86_64
• Red Hat Enterprise Linux for x86_64 - Extended Update Support 6.4 i386
• Red Hat Enterprise Linux Server - AUS 6.4 x86_64
• Red Hat Enterprise Linux Server - Extended Life Cycle Support 6 x86_64
• Red Hat Enterprise Linux Workstation 6 x86_64
• Red Hat Enterprise Linux Workstation 6 i386
• Red Hat Enterprise Linux Desktop 6 x86_64
• Red Hat Enterprise Linux Desktop 6 i386
• Red Hat Enterprise Linux for IBM z Systems 6 s390x
• Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 6.4 s390x
• Red Hat Enterprise Linux for Power, big endian 6 ppc64
• Red Hat Enterprise Linux for Power, big endian - Extended Update Support 6.4 ppc64
• Red Hat Enterprise Linux Server from RHUI 6 x86_64
• Red Hat Enterprise Linux Server from RHUI 6 i386
• Red Hat Gluster Storage Server for On-premise 2.1 x86_64
• Red Hat Storage for Public Cloud (via RHUI) 2.1 x86_64
• Red Hat Enterprise Linux Server - Extended Life Cycle Support 6 i386
• Red Hat Enterprise Linux Server - Extended Life Cycle Support (for IBM z Systems) 6 s390x
• Red Hat Enterprise Linux Server - Extended Update Support from RHUI 6.4 x86_64
• Red Hat Enterprise Linux Server - Extended Update Support from RHUI 6.4 i386
• Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension 6 x86_64
• Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension 6 i386
• Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension (for IBM z Systems) 6 s390x

Fixes

CVEs

(none)

References

(none)