Red Hat Bugzilla – Bug 1126066
dcookie code enabled with force_busy=yes uses bad pointer causing restart
Last modified: 2014-10-14 04:19:42 EDT
Description of problem:
When enabling dcookies using force_busy=yes to counter DDoS attacks, a wrong pointer size causes the pluto daemon to restart
diff -Naur openswan-2.6.32-orig/programs/pluto/ikev2_parent.c openswan-2.6.32/programs/pluto/ikev2_parent.c
--- openswan-2.6.32-orig/programs/pluto/ikev2_parent.c 2014-08-01 14:12:10.031000000 -0400
+++ openswan-2.6.32/programs/pluto/ikev2_parent.c 2014-08-01 14:13:09.299000000 -0400
@@ -2219,7 +2219,7 @@
SHA1Update(&ctx_sha1, st_ni.ptr, st_ni.len);
SHA1Update(&ctx_sha1, addr_buff, addr_length);
- SHA1Update(&ctx_sha1, spiI, sizeof(spiI));
+ SHA1Update(&ctx_sha1, spiI, spiI.len);
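Review bot: on the added line the length now comes from `spiI.len`, but the data argument is still `spiI` itself. If `spiI` is a chunk, which the `.len` member implies, the call should pass `spiI.ptr`, matching the `st_ni.ptr, st_ni.len` pair two lines above. As written, the struct rather than the SPI bytes is handed to SHA1Update. It would also help to have a comment at this call stating which fields go into the cookie hash and in what order, so a length/pointer mismatch like the original `sizeof(spiI)` is easier to spot.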
As this is not enabled per default, this is a low priority bug
Created attachment 923400
Updated patch attached. This changes the function to use a chunk_t (same as upstream)
Could you provide me with a reproducer? I tried it with a simple configuration, but I failed. There was no pluto restart.
PS: Option force_busy is not in the ipsec.conf man page in openswan.
You need to specify ikev2=insist on both sides.
Then you'll see:
| state hash entry 12
| inserting state object #1 on chain 12
| inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #1
| event added at head of queue
| processing connection westnet-eastnet-ikev2
Assertion failure: status==SECSuccess, at /root/rpmbuild/BUILD/openswan-2.6.32/lib/libcrypto/libsha1/sha1.c:145
The option force_busy is a developer/test option only. So I would not worry too much about it (although we have since documented it in libreswan).
It did not help :-(. If I have force_busy=yes and ikev2=insist on both sides, then the connection is not established. I tried all combinations but nothing helped.
Could you provide me your full configuration file? Thanks.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.