Bug 1126066

Summary: dcookie code enabled with force_busy=yes uses bad pointer causing restart
Product: Red Hat Enterprise Linux 6
Reporter: Paul Wouters <pwouters>
Component: openswan
Assignee: Paul Wouters <pwouters>
Status: CLOSED ERRATA
QA Contact: Jaroslav Aster <jaster>
Severity: low
Docs Contact:
Priority: unspecified
Version: 6.7
CC: jaster, pwouters
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-10-14 08:19:42 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Attachments:
  dcookie-bad-pointer patch (flags: none)

Description Paul Wouters 2014-08-01 18:19:37 UTC
Description of problem:
When enabling dcookies using force_busy=yes to counter DDoS attacks, a wrong pointer size causes the pluto daemon to restart.

Fix:

diff -Naur openswan-2.6.32-orig/programs/pluto/ikev2_parent.c openswan-2.6.32/programs/pluto/ikev2_parent.c
--- openswan-2.6.32-orig/programs/pluto/ikev2_parent.c	2014-08-01 14:12:10.031000000 -0400
+++ openswan-2.6.32/programs/pluto/ikev2_parent.c	2014-08-01 14:13:09.299000000 -0400
@@ -2219,7 +2219,7 @@
 	SHA1Init(&ctx_sha1);
 	SHA1Update(&ctx_sha1, st_ni.ptr, st_ni.len);
 	SHA1Update(&ctx_sha1, addr_buff, addr_length);
-	SHA1Update(&ctx_sha1, spiI, sizeof(spiI));
+	SHA1Update(&ctx_sha1, spiI, spiI.len);
 	SHA1Update(&ctx_sha1, ikev2_secret_of_the_day
 		 , SHA1_DIGEST_SIZE);
 	SHA1Final(dcookie, &ctx_sha1);
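Review bot: the `+` line fixes only the length argument, so `SHA1Update(&ctx_sha1, spiI, spiI.len);` now passes `spiI` itself as the data pointer while reading a `.len` member from it; if `spiI` is a chunk_t, the two arguments are inconsistent and the data argument should be `spiI.ptr`, i.e. `SHA1Update(&ctx_sha1, spiI.ptr, spiI.len);`, which is what the chunk_t-based updated patch in comment 2 suggests. The replaced `sizeof(spiI)` had the related defect of measuring the variable's storage instead of the SPI length, so the SHA-1 input could never be trusted to be exactly the SPI bytes.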

As this is not enabled by default, this is a low-priority bug.
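The root cause in the hunk above is a data pointer and a length that do not come from the same object. The following is an added illustration, not openswan's code: it computes the IKEv2 DoS cookie over the same inputs the hunk hashes (Ni, initiator address, SPIi, secret of the day) with a pointer-plus-length pair for every variable-length input, so the pointer and its length cannot drift apart, and it exposes the `sizeof` trap as a separate function. Assumptions: the `chunk_t` layout (a `ptr` and a `len` member) mirrors openswan's, the SHA-1 routine is a minimal stand-in for `SHA1Init`/`SHA1Update`/`SHA1Final`, and all sample values are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Pointer-plus-length pair, modelled on openswan's chunk_t (assumption:
 * the real struct carries the same two members). */
typedef struct {
    uint8_t *ptr;
    size_t len;
} chunk_t;

#define SHA1_DIGEST_SIZE 20

static uint32_t rol(uint32_t x, int n) { return (x << n) | (x >> (32 - n)); }

/* Minimal single-shot SHA-1, a stand-in for the SHA1Init/Update/Final calls. */
static void sha1(const uint8_t *msg, size_t len, uint8_t out[SHA1_DIGEST_SIZE])
{
    uint32_t h[5] = {0x67452301u, 0xEFCDAB89u, 0x98BADCFEu, 0x10325476u, 0xC3D2E1F0u};
    size_t padded = ((len + 8) / 64 + 1) * 64;   /* room for 0x80 and the 64-bit length */
    uint8_t *buf = calloc(padded, 1);
    uint64_t bits = (uint64_t)len * 8;
    memcpy(buf, msg, len);
    buf[len] = 0x80;
    for (int i = 0; i < 8; i++) buf[padded - 1 - i] = (uint8_t)(bits >> (8 * i));
    for (size_t off = 0; off < padded; off += 64) {
        uint32_t w[80], a = h[0], b = h[1], c = h[2], d = h[3], e = h[4];
        for (int i = 0; i < 16; i++)
            w[i] = ((uint32_t)buf[off + 4*i] << 24) | ((uint32_t)buf[off + 4*i + 1] << 16) |
                   ((uint32_t)buf[off + 4*i + 2] << 8) | buf[off + 4*i + 3];
        for (int i = 16; i < 80; i++) w[i] = rol(w[i-3] ^ w[i-8] ^ w[i-14] ^ w[i-16], 1);
        for (int i = 0; i < 80; i++) {
            uint32_t f, k;
            if (i < 20)      { f = (b & c) | (~b & d);          k = 0x5A827999u; }
            else if (i < 40) { f = b ^ c ^ d;                   k = 0x6ED9EBA1u; }
            else if (i < 60) { f = (b & c) | (b & d) | (c & d); k = 0x8F1BBCDCu; }
            else             { f = b ^ c ^ d;                   k = 0xCA62C1D6u; }
            uint32_t t = rol(a, 5) + f + e + k + w[i];
            e = d; d = c; c = rol(b, 30); b = a; a = t;
        }
        h[0] += a; h[1] += b; h[2] += c; h[3] += d; h[4] += e;
    }
    for (int i = 0; i < 5; i++) {
        out[4*i]   = (uint8_t)(h[i] >> 24); out[4*i+1] = (uint8_t)(h[i] >> 16);
        out[4*i+2] = (uint8_t)(h[i] >> 8);  out[4*i+3] = (uint8_t)h[i];
    }
    free(buf);
}

/* DoS cookie = SHA1(Ni | IPi | SPIi | secret-of-the-day), the inputs the
 * hunk feeds to SHA1Update. Each input is a chunk_t, so .ptr and .len are
 * always taken from the same object. Returns 0 on success, -1 when the
 * inputs would overflow the scratch buffer. */
static int ikev2_dcookie(chunk_t ni, chunk_t addr, chunk_t spi, chunk_t secret,
                         uint8_t out[SHA1_DIGEST_SIZE])
{
    uint8_t scratch[512];
    const chunk_t parts[4] = {ni, addr, spi, secret};
    size_t total = ni.len + addr.len + spi.len + secret.len, off = 0;
    if (total > sizeof scratch) return -1;
    for (int i = 0; i < 4; i++) {
        memcpy(scratch + off, parts[i].ptr, parts[i].len);   /* .ptr with .len, never sizeof */
        off += parts[i].len;
    }
    sha1(scratch, total, out);
    return 0;
}

/* The trap behind the original line: sizeof on a chunk_t (or on a pointer
 * parameter) measures the holder, not the number of SPI bytes it refers to. */
static size_t chunk_sizeof_trap(chunk_t c) { return sizeof c; }

int main(void)
{
    /* Constructed sample values, not captured traffic. */
    uint8_t ni[32], ip[4] = {192, 0, 2, 1}, spi[8] = {1, 2, 3, 4, 5, 6, 7, 8};
    uint8_t secret[] = "secret-of-the-day";
    uint8_t cookie[SHA1_DIGEST_SIZE];
    memset(ni, 0xAB, sizeof ni);
    chunk_t c_ni = {ni, sizeof ni}, c_ip = {ip, sizeof ip}, c_spi = {spi, sizeof spi},
            c_sec = {secret, sizeof secret - 1};
    if (ikev2_dcookie(c_ni, c_ip, c_spi, c_sec, cookie) != 0) return 1;
    printf("sizeof(chunk_t)=%zu but SPI length=%zu\n", chunk_sizeof_trap(c_spi), c_spi.len);
    for (int i = 0; i < SHA1_DIGEST_SIZE; i++) printf("%02x", cookie[i]);
    printf("\n");
    return 0;
}
```

The point to carry over into a review of the real code is that an 8-byte IKEv2 SPI and an 8-byte pointer happen to have the same size on 64-bit builds, so `sizeof` on the wrong thing can pass by coincidence on one platform and fail on another; taking the length from the same chunk_t as the pointer removes that coincidence.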

Comment 2 Paul Wouters 2014-08-01 18:44:44 UTC
Created attachment 923400 [details]
dcookie-bad-pointer patch

Updated patch attached. This changes the function to use a chunk_t (same as upstream)

Comment 4 Jaroslav Aster 2014-08-07 15:51:46 UTC
Hi Paul,

could you provide me with a reproducer? I tried it with a simple configuration, but I failed. There was no pluto restart.

config setup
    protostack=netkey
    force_busy=yes

conn test
    left=MACHINE0
    right=MACHINE1
    authby=secret
    auto=add

PS: the option force_busy is not in the ipsec.conf man page in openswan.

Comment 5 Paul Wouters 2014-08-07 19:07:53 UTC
You need to specify ikev2=insist on both sides.

Then you'll see:

| state hash entry 12
| inserting state object #1 on chain 12
| inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #1
| event added at head of queue
| processing connection westnet-eastnet-ikev2
Assertion failure: status==SECSuccess, at /root/rpmbuild/BUILD/openswan-2.6.32/lib/libcrypto/libsha1/sha1.c:145

The option force_busy is a developer/test option only, so I would not worry too much about it (although we have since documented it in libreswan).

Comment 7 Jaroslav Aster 2014-08-08 15:00:55 UTC
Hi Paul,

it did not help :-(. If I have force_busy=yes and ikev2=insist on both sides, then the connection is not established. I tried all combinations but nothing helped.

Could you provide me your full configuration file? Thanks.

Comment 10 errata-xmlrpc 2014-10-14 08:19:42 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1588.html