Bug 1136068 - pluto crashes during 'service ipsec stop'
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: openswan
Version: 6.6
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: high
Target Milestone: rc
Assignee: Paul Wouters
QA Contact: Jaroslav Aster
Duplicates: 1251377
Blocks: 1172231

Reported: 2014-09-01 14:56 UTC by Jaroslav Aster
Modified: 2023-12-15 15:47 UTC

Doc Type: Bug Fix
Last Closed: 2016-02-08 14:09:44 UTC


Attachments:
patch to fix connection delete crash (564 bytes, patch)
2015-05-20 15:49 UTC, Matt Rogers
mrogers: review?

Description Jaroslav Aster 2014-09-01 14:56:09 UTC
Description of problem:

Pluto crashes during 'service ipsec stop', but only if there was at least one IKE rekeying.

Version-Release number of selected component (if applicable):

openswan-2.6.32-34

How reproducible:

Always.

Steps to Reproduce:
1. Configure and start ipsec on INITIATOR and RESPONDER sites.

/etc/ipsec.secrets on both sites:

# cat /etc/ipsec.secrets 
: PSK "RedHatEnterpriseLinux"

/etc/ipsec.conf on INITIATOR site:

# cat /etc/ipsec.conf 
config setup
    protostack=netkey
    plutodebug=all

conn test
    left=<I>
    right=<R>
    authby=secret
    auto=add
    ikelifetime=1h
    salifetime=8h


/etc/ipsec.conf on RESPONDER site:

# cat /etc/ipsec.conf
config setup
    protostack=netkey
    plutodebug=all

conn test
    left=<I>
    right=<R>
    authby=secret
    auto=add

I: service ipsec start
R: service ipsec start

2. Up test and wait at least one hour (ikelifetime).

I: ipsec auto --up test
wait 1h

3. Stop ipsec on both sites

I: service ipsec stop
R: service ipsec stop

Actual results:

service ipsec stop fails with error:

# service ipsec stop
ipsec_setup: Stopping Openswan IPsec...
ipsec_setup: Attempt to shut Pluto down failed!  Trying kill:
ipsec_setup: /usr/libexec/ipsec/_realsetup: line 133: kill: (10324) - No such process

and you can find abort and assert messages in /var/log/secure.

# grep -i -e assert -e abort /var/log/secure
Sep  1 10:11:58 initiator pluto[10324]: "test": ASSERTION FAILED at /builddir/build/BUILD/openswan-2.6.32/programs/pluto/state.c:804: sr->eroute_owner == SOS_NOBODY
Sep  1 10:11:58 initiator pluto[10324]: "test": ABORT at /builddir/build/BUILD/openswan-2.6.32/programs/pluto/state.c:804
Sep  1 10:11:58 initiator pluto[10324]: "test": ABORT at /builddir/build/BUILD/openswan-2.6.32/programs/pluto/state.c:804

It happens on both sites.

Expected results:

No failure and no assert or abort messages.

Additional info:

If you do not want to wait 1h then you can decrease ikelifetime.

Comment 8 Matt Rogers 2015-05-20 15:49:09 UTC
Created attachment 1027780
patch to fix connection delete crash

For a connection with an expired IKE SA, during the connection deletion delete_ipsec_sa() in delete_state() is skipped, resulting in a trigger of the later eroute checking passert(). The state was changed to STATE_CHILDSA_DEL, which the two calls for IS_IPSEC_SA_ESTABLISHED() and IS_CHILD_SA_ESTABLISHED() do not cover.

In Libreswan, this was fixed as part of 5d6e5cea3d; this patch is essentially the bottom of that commit.

My test with this now shows a successful removal of the IPsec SA and connection deletion without the passert():

May 20 11:25:06 unused pluto[6152]: "test": deleting connection
May 20 11:25:06 unused pluto[6152]: | processing connection test
May 20 11:25:06 unused pluto[6152]: "test" #2: deleting state (STATE_QUICK_I2)
May 20 11:25:06 unused pluto[6152]: | deleting event for #2
May 20 11:25:06 unused pluto[6152]: | deleting state #2
May 20 11:25:06 unused pluto[6152]: | IKE SA does not exist for this child SA
May 20 11:25:06 unused pluto[6152]: | INFORMATIONAL exchange can not be sent, deleting state
May 20 11:25:06 unused pluto[6152]: | deleting event for #2
May 20 11:25:06 unused pluto[6152]: | no suspended cryptographic state for 2 
May 20 11:25:06 unused pluto[6152]: | ICOOKIE:  1d da b0 00  3d 85 b0 da
May 20 11:25:06 unused pluto[6152]: | RCOOKIE:  a5 4b 4d f0  16 61 ec 41
May 20 11:25:06 unused pluto[6152]: | state hash entry 24
May 20 11:25:06 unused pluto[6152]: | command executing down-host
May 20 11:25:06 unused pluto[6152]: | executing down-host: 2>&1 PLUTO_VERB='down-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='test' PLUTO_INTERFACE='eth0' PLUTO_NEXT_HOP='10.13.214.230' PLUTO_ME='10.13.214.224' PLUTO_MY_ID='10.13.214.224' PLUTO_MY_CLIENT='10.13.214.224/32' PLUTO_MY_CLIENT_NET='10.13.214.224' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='10.13.214.230' PLUTO_PEER_ID='10.13.214.230' PLUTO_PEER_CLIENT='10.13.214.230/32' PLUTO_PEER_CLIENT_NET='10.13.214.230' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey'  PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK' PLUTO_XAUTH_USERNAME=''  PLUTO_IS_PEER_CISCO='0' PLUTO_CISCO_DNS_INFO='' PLUTO_CISCO_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_NM_CONFIGURED='0' ipsec _updown
May 20 11:25:06 unused pluto[6152]: | popen(): cmd is 811 chars long
May 20 11:25:06 unused pluto[6152]: | cmd(   0):2>&1 PLUTO_VERB='down-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='test' PLUTO_IN:
May 20 11:25:06 unused pluto[6152]: | cmd(  80):TERFACE='eth0' PLUTO_NEXT_HOP='10.13.214.230' PLUTO_ME='10.13.214.224' PLUTO_MY_:
May 20 11:25:06 unused pluto[6152]: | cmd( 160):ID='10.13.214.224' PLUTO_MY_CLIENT='10.13.214.224/32' PLUTO_MY_CLIENT_NET='10.13:
May 20 11:25:06 unused pluto[6152]: | cmd( 240):.214.224' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROT:
May 20 11:25:06 unused pluto[6152]: | cmd( 320):OCOL='0' PLUTO_PEER='10.13.214.230' PLUTO_PEER_ID='10.13.214.230' PLUTO_PEER_CLI:
May 20 11:25:06 unused pluto[6152]: | cmd( 400):ENT='10.13.214.230/32' PLUTO_PEER_CLIENT_NET='10.13.214.230' PLUTO_PEER_CLIENT_M:
May 20 11:25:06 unused pluto[6152]: | cmd( 480):ASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA=:
May 20 11:25:06 unused pluto[6152]: | cmd( 560):'' PLUTO_STACK='netkey'  PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW:
May 20 11:25:06 unused pluto[6152]: | cmd( 640):+SAREFTRACK' PLUTO_XAUTH_USERNAME=''  PLUTO_IS_PEER_CISCO='0' PLUTO_CISCO_DNS_IN:
May 20 11:25:06 unused pluto[6152]: | cmd( 720):FO='' PLUTO_CISCO_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_NM_CONFIGURED='0' ip:
May 20 11:25:06 unused pluto[6152]: | cmd( 800):sec _updown:
May 20 11:25:06 unused pluto[6152]: | request to replace with shunt a prospective erouted policy with netkey kernel --- experimental
May 20 11:25:06 unused pluto[6152]: | delete esp.ae4f2235.214.230
...
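
Added example (not part of the bug report and not Openswan source): a simplified C model of the failure described in comment 8, where a teardown guard that only recognises established states skips delete_ipsec_sa() for a state already moved to STATE_CHILDSA_DEL, so eroute_owner is never reset. The struct layouts, is_sa_established(), delete_connection() and the widened guard are assumptions made for illustration; the attached patch itself is not shown on this page.

```c
/* Simplified model, NOT Openswan source. Identifier names come from the bug
 * report; struct layouts, bodies and the widened guard are assumptions. */
#include <stdbool.h>
#include <stdio.h>

enum state_kind { STATE_QUICK_I2, STATE_CHILDSA_DEL };
#define SOS_NOBODY 0UL

struct spd_route { unsigned long eroute_owner; };
struct state { unsigned long serialno; enum state_kind kind; struct spd_route *sr; };

/* Stand-in for the IS_IPSEC_SA_ESTABLISHED()/IS_CHILD_SA_ESTABLISHED() checks:
 * true for an established child SA, false for the transitional delete state. */
static bool is_sa_established(enum state_kind k) { return k == STATE_QUICK_I2; }

/* Stand-in for delete_ipsec_sa(): releases the eroute owned by this state. */
static void delete_ipsec_sa(struct state *st)
{
    if (st->sr->eroute_owner == st->serialno)
        st->sr->eroute_owner = SOS_NOBODY;
}

/* Stand-in for delete_state(). cover_del_state=false models the guard that
 * misses STATE_CHILDSA_DEL; true models a guard widened to include it. */
static void delete_state(struct state *st, bool cover_del_state)
{
    if (is_sa_established(st->kind) ||
        (cover_del_state && st->kind == STATE_CHILDSA_DEL))
        delete_ipsec_sa(st);
}

/* Deletes one connection and returns whether the invariant behind the later
 * passert (sr->eroute_owner == SOS_NOBODY) holds afterwards. */
static bool delete_connection(bool ike_sa_expired, bool cover_del_state)
{
    struct spd_route sr = { .eroute_owner = 2 };
    struct state child = { .serialno = 2, .kind = STATE_QUICK_I2, .sr = &sr };
    if (ike_sa_expired)              /* no IKE SA left to send the delete */
        child.kind = STATE_CHILDSA_DEL;
    delete_state(&child, cover_del_state);
    return sr.eroute_owner == SOS_NOBODY;
}

int main(void)
{
    printf("live IKE SA, narrow guard:    %d\n", delete_connection(false, false));
    printf("expired IKE SA, narrow guard: %d\n", delete_connection(true, false));
    printf("expired IKE SA, wide guard:   %d\n", delete_connection(true, true));
    return 0;
}
```

A result of 0 marks the case in which the model's equivalent of the state.c:804 assertion would abort the daemon.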

Comment 15 Matt Rogers 2015-08-21 14:32:30 UTC
*** Bug 1251377 has been marked as a duplicate of this bug. ***

