Bug 1126066 - dcookie code enabled with force_busy=yes uses bad pointer causing restart
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: openswan
Version: 6.7
Priority: unspecified
Severity: low
Target Milestone: rc
Assigned To: Paul Wouters
QA Contact: Jaroslav Aster
Reported: 2014-08-01 14:19 EDT by Paul Wouters
Modified: 2014-10-14 04:19 EDT

Doc Type: Bug Fix
Last Closed: 2014-10-14 04:19:42 EDT
Type: Bug

Attachments
dcookie-bad-pointer patch (1.91 KB, patch), 2014-08-01 14:44 EDT, Paul Wouters


External Trackers
Red Hat Product Errata RHBA-2014:1588 (priority normal, status SHIPPED_LIVE): openswan bug fix and enhancement update, last updated 2014-10-13 21:39:53 EDT

Description Paul Wouters 2014-08-01 14:19:37 EDT
Description of problem:
When enabling dcookies using force_busy=yes to counter DDoS attacks, a wrong pointer size causes the pluto daemon to restart.

Fix:

diff -Naur openswan-2.6.32-orig/programs/pluto/ikev2_parent.c openswan-2.6.32/programs/pluto/ikev2_parent.c
--- openswan-2.6.32-orig/programs/pluto/ikev2_parent.c	2014-08-01 14:12:10.031000000 -0400
+++ openswan-2.6.32/programs/pluto/ikev2_parent.c	2014-08-01 14:13:09.299000000 -0400
@@ -2219,7 +2219,7 @@
 	SHA1Init(&ctx_sha1);
 	SHA1Update(&ctx_sha1, st_ni.ptr, st_ni.len);
 	SHA1Update(&ctx_sha1, addr_buff, addr_length);
-	SHA1Update(&ctx_sha1, spiI, sizeof(spiI));
+	SHA1Update(&ctx_sha1, spiI, spiI.len);
 	SHA1Update(&ctx_sha1, ikev2_secret_of_the_day
 		 , SHA1_DIGEST_SIZE);
 	SHA1Final(dcookie, &ctx_sha1);
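Review bot: the replaced line mixes two types for `spiI`: the length argument `spiI.len` only makes sense if `spiI` is a chunk_t, but the data argument is still `spiI` itself rather than `spiI.ptr`, so the line as shown cannot compile whether `spiI` is a raw pointer or a chunk_t. The original `sizeof(spiI)` is the size of the `spiI` parameter, not of the SPI bytes it points to, which is the bad length the report describes; the consistent fix is `SHA1Update(&ctx_sha1, spiI.ptr, spiI.len);` with the function's parameter changed to a chunk_t, as comment 2 says the updated attachment does.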

As this is not enabled by default, this is a low-priority bug.
Comment 2 Paul Wouters 2014-08-01 14:44:44 EDT
Created attachment 923400 [details]
dcookie-bad-pointer patch

Updated patch attached. This changes the function to use a chunk_t (same as upstream).
Comment 4 Jaroslav Aster 2014-08-07 11:51:46 EDT
Hi Paul,

Could you provide me with a reproducer? I tried it with a simple configuration, but I failed. There was no pluto restart.

config setup
    protostack=netkey
    force_busy=yes

conn test
    left=MACHINE0
    right=MACHINE1
    authby=secret
    auto=add

PS: The option force_busy is not in the ipsec.conf man page in openswan.
Comment 5 Paul Wouters 2014-08-07 15:07:53 EDT
You need to specify ikev2=insist on both sides.

Then you'll see:

| state hash entry 12
| inserting state object #1 on chain 12
| inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #1
| event added at head of queue
| processing connection westnet-eastnet-ikev2
Assertion failure: status==SECSuccess, at /root/rpmbuild/BUILD/openswan-2.6.32/lib/libcrypto/libsha1/sha1.c:145


The option force_busy is a developer/test option only, so I would not worry too much about it (although we have since documented it in libreswan).
Comment 7 Jaroslav Aster 2014-08-08 11:00:55 EDT
Hi Paul,

It did not help :-(. If I have force_busy=yes and ikev2=insist on both sides, then the connection is not established. I tried all combinations but nothing helped.

Could you provide me your full configuration file? Thanks.
Comment 10 errata-xmlrpc 2014-10-14 04:19:42 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1588.html
