Bug 1313821

Summary: pluto crashes with --ctlbase option
Product: Red Hat Enterprise Linux 7
Component: libreswan
Version: 7.3
Hardware: x86_64
OS: Unspecified
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Target Milestone: rc
Reporter: Jaroslav Aster <jaster>
Assignee: Paul Wouters <pwouters>
QA Contact: BaseOS QE Security Team <qe-baseos-security>
CC: omoris
Clone Of: 1313816
Last Closed: 2018-03-07 18:01:16 UTC
Type: Bug

Description Jaroslav Aster 2016-03-02 12:09:40 UTC
The same issue on rhel-7.

libreswan-3.15-5.el7_1.x86_64

+++ This bug was initially created as a clone of Bug #1313816 +++

Description of problem:

Pluto crashes with --ctlbase option. It appears only on x86_64.

Version-Release number of selected component (if applicable):


How reproducible:

mostly, but not 100%

Steps to Reproduce:

# yum install -y libreswan

# rm -rf /etc/ipsec.d/*.db /etc/ipsec.d/pkcs11.txt

# mkdir /tmp/pluto

# ipsec initnss
Initializing NSS database
See 'man pluto' if you want to protect the NSS database with a password

# ipsec pluto --ctlbase /tmp/pluto

# dmesg | grep pluto | grep segfault
pluto[11944]: segfault at 0 ip 00007f79c6069d36 sp 00007fff2379fdf0 error 4 in pluto[7f79c6002000+10a000]

Actual results:

Pluto crashes.

Expected results:

Pluto does not crash.

Additional info:

Comment 4 Paul Wouters 2018-02-08 15:44:04 UTC
This is fixed in 3.23. pluto no longer crashes and shuts down cleanly because there is no valid nss db in /tmp/pluto. The logs show:

Pluto initialized
Feb  8 10:41:42.466182: FIPS Product: NO
Feb  8 10:41:42.466342: FIPS Kernel: NO
Feb  8 10:41:42.466445: FIPS Mode: NO
Feb  8 10:41:42.466551: NSS DB directory: sql:/etc/ipsec.d
Feb  8 10:41:42.466782: Initializing NSS
Feb  8 10:41:42.466871: Opening NSS database "sql:/etc/ipsec.d" read-only
Feb  8 10:41:42.500884: Initialization of NSS with read-only database "sql:/etc/ipsec.d" failed (-8174)
Feb  8 10:41:42.501006: FATAL: NSS initialization failure