Bug 1136068
| Summary: | pluto crashes during 'service ipsec stop' | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Jaroslav Aster <jaster> | ||||
| Component: | openswan | Assignee: | Paul Wouters <pwouters> | ||||
| Status: | CLOSED WONTFIX | QA Contact: | Jaroslav Aster <jaster> | ||||
| Severity: | high | Docs Contact: | |||||
| Priority: | urgent | ||||||
| Version: | 6.6 | CC: | azelinka, blentz, cww, dirk.hamilton, ffotorel, jkurik, ksrot, mmatsuya, mrogers, msrivast, pwouters, salmy, sbroz, ssahani, tfrazier, zpytela | ||||
| Target Milestone: | rc | Keywords: | Regression | ||||
| Target Release: | --- | ||||||
| Hardware: | Unspecified | ||||||
| OS: | Unspecified | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2016-02-08 14:09:44 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Bug Depends On: | |||||||
| Bug Blocks: | 1172231 | ||||||
| Attachments: |
|
||||||
Created attachment 1027780 [details]
patch to fix connection delete crash
For a connection with an expired IKE SA, during the connection deletion delete_ipsec_sa() in delete_state() is skipped, resulting in a trigger of the later eroute checking passert(). The state was changed to STATE_CHILDSA_DEL, which the two calls for IS_IPSEC_SA_ESTABLISHED() and IS_CHILD_SA_ESTABLISHED() do not cover.
In Libreswan, this was fixed as part of 5d6e5cea3d, this patch is essentially the bottom of that commit.
My test with this now shows a successful removal of the IPsec SA and connection deletion without the passert():
May 20 11:25:06 unused pluto[6152]: "test": deleting connection
May 20 11:25:06 unused pluto[6152]: | processing connection test
May 20 11:25:06 unused pluto[6152]: "test" #2: deleting state (STATE_QUICK_I2)
May 20 11:25:06 unused pluto[6152]: | deleting event for #2
May 20 11:25:06 unused pluto[6152]: | deleting state #2
May 20 11:25:06 unused pluto[6152]: | IKE SA does not exist for this child SA
May 20 11:25:06 unused pluto[6152]: | INFORMATIONAL exchange can not be sent, deleting state
May 20 11:25:06 unused pluto[6152]: | deleting event for #2
May 20 11:25:06 unused pluto[6152]: | no suspended cryptographic state for 2
May 20 11:25:06 unused pluto[6152]: | ICOOKIE: 1d da b0 00 3d 85 b0 da
May 20 11:25:06 unused pluto[6152]: | RCOOKIE: a5 4b 4d f0 16 61 ec 41
May 20 11:25:06 unused pluto[6152]: | state hash entry 24
May 20 11:25:06 unused pluto[6152]: | command executing down-host
May 20 11:25:06 unused pluto[6152]: | executing down-host: 2>&1 PLUTO_VERB='down-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='test' PLUTO_INTERFACE='eth0' PLUTO_NEXT_HOP='10.13.214.230' PLUTO_ME='10.13.214.224' PLUTO_MY_ID='10.13.214.224' PLUTO_MY_CLIENT='10.13.214.224/32' PLUTO_MY_CLIENT_NET='10.13.214.224' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='10.13.214.230' PLUTO_PEER_ID='10.13.214.230' PLUTO_PEER_CLIENT='10.13.214.230/32' PLUTO_PEER_CLIENT_NET='10.13.214.230' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK' PLUTO_XAUTH_USERNAME='' PLUTO_IS_PEER_CISCO='0' PLUTO_CISCO_DNS_INFO='' PLUTO_CISCO_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_NM_CONFIGURED='0' ipsec _updown
May 20 11:25:06 unused pluto[6152]: | popen(): cmd is 811 chars long
May 20 11:25:06 unused pluto[6152]: | cmd( 0):2>&1 PLUTO_VERB='down-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='test' PLUTO_IN:
May 20 11:25:06 unused pluto[6152]: | cmd( 80):TERFACE='eth0' PLUTO_NEXT_HOP='10.13.214.230' PLUTO_ME='10.13.214.224' PLUTO_MY_:
May 20 11:25:06 unused pluto[6152]: | cmd( 160):ID='10.13.214.224' PLUTO_MY_CLIENT='10.13.214.224/32' PLUTO_MY_CLIENT_NET='10.13:
May 20 11:25:06 unused pluto[6152]: | cmd( 240):.214.224' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROT:
May 20 11:25:06 unused pluto[6152]: | cmd( 320):OCOL='0' PLUTO_PEER='10.13.214.230' PLUTO_PEER_ID='10.13.214.230' PLUTO_PEER_CLI:
May 20 11:25:06 unused pluto[6152]: | cmd( 400):ENT='10.13.214.230/32' PLUTO_PEER_CLIENT_NET='10.13.214.230' PLUTO_PEER_CLIENT_M:
May 20 11:25:06 unused pluto[6152]: | cmd( 480):ASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA=:
May 20 11:25:06 unused pluto[6152]: | cmd( 560):'' PLUTO_STACK='netkey' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW:
May 20 11:25:06 unused pluto[6152]: | cmd( 640):+SAREFTRACK' PLUTO_XAUTH_USERNAME='' PLUTO_IS_PEER_CISCO='0' PLUTO_CISCO_DNS_IN:
May 20 11:25:06 unused pluto[6152]: | cmd( 720):FO='' PLUTO_CISCO_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_NM_CONFIGURED='0' ip:
May 20 11:25:06 unused pluto[6152]: | cmd( 800):sec _updown:
May 20 11:25:06 unused pluto[6152]: | request to replace with shunt a prospective erouted policy with netkey kernel --- experimental
May 20 11:25:06 unused pluto[6152]: | delete esp.ae4f2235.214.230
...
*** Bug 1251377 has been marked as a duplicate of this bug. *** |
Description of problem: Pluto crashes during 'service ispec stop', but only if there was at least one IKE rekeying. Version-Release number of selected component (if applicable): openswan-2.6.32-34 How reproducible: Always. Steps to Reproduce: 1. Configure and start ipsec on INITIATOR and RESPONDER site. /etc/ipsec.secrets on both site: # cat /etc/ipsec.secrets : PSK "RedHatEnterpriseLinux" /etc/ipsec.conf on INITIATOR site: # cat /etc/ipsec.conf config setup protostack=netkey plutodebug=all conn test left=<I> right=<R> authby=secret auto=add ikelifetime=1h salifetime=8h /etc/ipsec.conf on RESPONDER site: # cat /etc/ipsec.conf config setup protostack=netkey plutodebug=all conn test left=<I> right=<R> authby=secret auto=add I: service ipsec start R: service ipsec start 2. Up test and wait at least one hour (ikelifetime). I: ipsec auto --up test wait 1h 3. Stop ipsec on both site I: service ipsec stop R: service ipsec stop Actual results: service ipsec stop fails with error: # service ipsec stop ipsec_setup: Stopping Openswan IPsec... ipsec_setup: Attempt to shut Pluto down failed! Trying kill: ipsec_setup: /usr/libexec/ipsec/_realsetup: line 133: kill: (10324) - No such process and you can find abort and assert messages in /var/log/secure. # grep -i -e assert -e abort /var/log/secure Sep 1 10:11:58 initiator pluto[10324]: "test": ASSERTION FAILED at /builddir/build/BUILD/openswan-2.6.32/programs/pluto/state.c:804: sr->eroute_owner == SOS_NOBODY Sep 1 10:11:58 initiator pluto[10324]: "test": ABORT at /builddir/build/BUILD/openswan-2.6.32/programs/pluto/state.c:804 Sep 1 10:11:58 initiator pluto[10324]: "test": ABORT at /builddir/build/BUILD/openswan-2.6.32/programs/pluto/state.c:804 It happens on both site. Expected results: No fail and no assert or abort messages. Additional info: If you do not want wait 1h then you can decrease ikelifetime.