Bug 1126066 - dcookie code enabled with force_busy=yes uses bad pointer causing restart
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: openswan
Version: 6.7
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: low
Target Milestone: rc
Assignee: Paul Wouters
QA Contact: Jaroslav Aster
Reported: 2014-08-01 18:19 UTC by Paul Wouters
Modified: 2014-10-14 08:19 UTC (History)
Doc Type: Bug Fix
Last Closed: 2014-10-14 08:19:42 UTC


Attachments
dcookie-bad-pointer patch (1.91 KB, patch)
2014-08-01 18:44 UTC, Paul Wouters


Links
System ID: Red Hat Product Errata RHBA-2014:1588
Priority: normal
Status: SHIPPED_LIVE
Summary: openswan bug fix and enhancement update
Last Updated: 2014-10-14 01:39:53 UTC

Description Paul Wouters 2014-08-01 18:19:37 UTC
Description of problem:
When enabling dcookies using force_busy=yes to counter DDoS attacks, a wrong pointer size causes the pluto daemon to restart.

Fix:

diff -Naur openswan-2.6.32-orig/programs/pluto/ikev2_parent.c openswan-2.6.32/programs/pluto/ikev2_parent.c
--- openswan-2.6.32-orig/programs/pluto/ikev2_parent.c	2014-08-01 14:12:10.031000000 -0400
+++ openswan-2.6.32/programs/pluto/ikev2_parent.c	2014-08-01 14:13:09.299000000 -0400
@@ -2219,7 +2219,7 @@
 	SHA1Init(&ctx_sha1);
 	SHA1Update(&ctx_sha1, st_ni.ptr, st_ni.len);
 	SHA1Update(&ctx_sha1, addr_buff, addr_length);
-	SHA1Update(&ctx_sha1, spiI, sizeof(spiI));
+	SHA1Update(&ctx_sha1, spiI, spiI.len);
 	SHA1Update(&ctx_sha1, ikev2_secret_of_the_day
 		 , SHA1_DIGEST_SIZE);
 	SHA1Final(dcookie, &ctx_sha1);
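
Review bot: On the changed SHA1Update call, the length argument becomes `spiI.len` but the data argument is still the bare `spiI`. If `spiI` now has a `.len` member it is a struct rather than a byte pointer, so the data argument should be `spiI.ptr`, matching `SHA1Update(&ctx_sha1, st_ni.ptr, st_ni.len)` two lines above. The hunk also does not show the declaration of `spiI` changing, so confirm the parameter type is updated in the same patch; with the old pointer type, `spiI.len` will not compile.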

As this is not enabled by default, this is a low priority bug.

Comment 2 Paul Wouters 2014-08-01 18:44:44 UTC
Created attachment 923400
dcookie-bad-pointer patch

Updated patch attached. This changes the function to use a chunk_t (same as upstream).

Comment 4 Jaroslav Aster 2014-08-07 15:51:46 UTC
Hi Paul,

could you provide me with a reproducer? I tried it with a simple configuration, but I failed. There was no pluto restart.

config setup
    protostack=netkey
    force_busy=yes

conn test
    left=MACHINE0
    right=MACHINE1
    authby=secret
    auto=add

PS: The force_busy option is not in the ipsec.conf man page in openswan.

Comment 5 Paul Wouters 2014-08-07 19:07:53 UTC
You need to specify ikev2=insist on both sides.

Then you'll see:

| state hash entry 12
| inserting state object #1 on chain 12
| inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #1
| event added at head of queue
| processing connection westnet-eastnet-ikev2
Assertion failure: status==SECSuccess, at /root/rpmbuild/BUILD/openswan-2.6.32/lib/libcrypto/libsha1/sha1.c:145


The option force_busy is a developer/test option only, so I would not worry too much about it (although we have since documented it in libreswan).

Comment 7 Jaroslav Aster 2014-08-08 15:00:55 UTC
Hi Paul,

it did not help :-(. If I have force_busy=yes and ikev2=insist on both sides, then the connection is not established. I tried all combinations but nothing helped.

Could you provide me with your full configuration file? Thanks.

Comment 10 errata-xmlrpc 2014-10-14 08:19:42 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1588.html

