=Comment: #0=================================================
TYLER C. HICKS <tchicks.com> - 2008-04-17 12:22 EDT

---Problem Description---
openswan segfaults while logging when esp encryption is null.

Contact Information = Tyler Hicks <tyhicks.ibm.com>

---uname output---
Linux eal3.ltc.austin.ibm.com 2.6.18-87.el5 #1 SMP Tue Mar 25 17:28:02 EDT 2008 i686 i686 i386 GNU/Linux

Machine Type = 335 xSeries

---Debugger---
A debugger is not configured

---Steps to Reproduce---
/etc/ipsec.conf:
----------------------------
version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Debug-logging controls: "none" for (almost) none, "all" for lots.
        # klipsdebug=none
        # plutodebug="none"
        # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
        protostack=netkey
        nat_traversal=yes

conn i386-i386
        left=9.3.190.198
        right=9.3.190.196
        ikev2=insist
        phase2=esp
        phase2alg=null
        authby=secret
        auto=add
----------------------------

On initiator run:
----------------------------
[root@eal5 ~]# ipsec auto --verbose --up i386-i386
002 "i386-i386" #1: initiating v2 parent SA
133 "i386-i386" #1: STATE_PARENT_I1: initiate
002 "i386-i386" #1: transition from state STATE_IKEv2_START to state STATE_PARENT_I1
133 "i386-i386" #1: STATE_PARENT_I1: sent v2I1, expected v2R1
002 "i386-i386" #2: transition from state STATE_PARENT_I1 to state STATE_PARENT_I2
134 "i386-i386" #2: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=aes_128 integ=sha1 prf=oakley_sha group=modp1536}
----------------------------

On responder run:
----------------------------
[root@eal3 ~]# tail /var/log/secure
Apr 17 11:15:17 eal3 pluto[3722]: "i386-i386" #1: "i386-i386": newest ISAKMP SA: #1; newest IPsec SA: #0;
Apr 17 11:15:17 eal3 pluto[3722]: "i386-i386" #1: "i386-i386": IKE algorithm newest: _128-SHA1-MODP1536
Apr 17 11:15:17 eal3 pluto[3722]: "i386-i386" #1: "i386-i386": ESP algorithms wanted: NULL(11)_000-MD5(1), NULL(11)_000-SHA1(2); flags=-strict
Apr 17 11:15:17 eal3 pluto[3722]: "i386-i386" #1: "i386-i386": ESP algorithms loaded: NULL(11)_000-MD5(1)_128, NULL(11)_000-SHA1(2)_160
Apr 17 11:15:17 eal3 pluto[3722]: "i386-i386" #1: "i386-i386-v6": fc00::105:0:0:0:24<fc00:0:0:105::24>[S=C]...fc00::105:0:0:0:22<fc00:0:0:105::22>[S=C]; unrouted; eroute owner: #0
Apr 17 11:15:17 eal3 pluto[3722]: "i386-i386" #1: "i386-i386-v6": myip=unset; hisip=unset;
Apr 17 11:15:17 eal3 pluto[3722]: "i386-i386" #1: "i386-i386-v6": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
Apr 17 11:15:17 eal3 pluto[3722]: "i386-i386" #1: "i386-i386-v6": policy: PSK+ENCRYPT+TUNNEL+PFS+!IKEv1+IKEv2ALLOW+IKEv2Init+lKOD+rKOD; prio: 128,128; interface: eth0;
Apr 17 11:15:17 eal3 pluto[3722]: "i386-i386" #1: "i386-i386-v6": newest ISAKMP SA: #0; newest IPsec SA: #0;
Apr 17 11:15:17 eal3 pluto[3722]: "i386-i386" #1:
----------------------------

Backtrace on eal3's pluto process
----------------------------
Program received signal SIGSEGV, Segmentation fault.
0x002ebfab in strlen () from /lib/libc.so.6
(gdb) bt
#0  0x002ebfab in strlen () from /lib/libc.so.6
#1  0x002bc77e in vfprintf () from /lib/libc.so.6
#2  0x00361911 in __vsnprintf_chk () from /lib/libc.so.6
#3  0x00361837 in __snprintf_chk () from /lib/libc.so.6
#4  0x00e59b1a in fmt_state (st=0x900dab8, n=1208448917, state_buf=0xbfd0f2b8 "#2: \"i386-i386\":500 (null) (648} attrs={0,1,864} ", state_buf_len=1024, state_buf2=0xbfd0eeb8 "ÔîпÎr.", state_buf2_len=1024) at /usr/src/debug/openswan-2.6.11/programs/pluto/state.c:1202
#5  0x00e5a35a in show_states_status () at /usr/src/debug/openswan-2.6.11/programs/pluto/state.c:1348
#6  0x00e587d6 in show_status () at /usr/src/debug/openswan-2.6.11/programs/pluto/log.c:803
#7  0x00e58aef in passert_fail (pred_str=0xef7ca5 "ta.encrypter != NULL", file_str=0xef796c "/usr/src/redhat/BUILD/openswan-2.6.11/programs/pluto/spd _v2_struct.c", line_no=1245) at /usr/src/debug/openswan-2.6.11/programs/pluto/log.c:621
#8  0x00e7c8f0 in ikev2_parse_child_sa_body (sa_pbs=0x900c314, sa_prop=0x900c334, r_sa_pbs=0xbfd10400, st=0x900dab8, selection=0) at /usr/src/debug/openswan-2.6.11/programs/pluto/spdb_v2_struct.c:1245
#9  0x00e7aa3b in ikev2_child_sa_respond (md=0x900c160, role=RESPONDER, outpbs=0xbfd105d0) at /usr/src/debug/openswan-2.6.11/programs/pluto/ikev2_child.c:368
#10 0x00e771c6 in ikev2_parent_inI2outR2_tail (pcrc=<value optimized out>, r=<value optimized out>) at /usr/src/debug/openswan-2.6.11/programs/pluto/ikev2_parent.c:1738
#11 0x00e772aa in ikev2_parent_inI2outR2_continue (pcrc=0x900ae98, r=0xbfd10bf4, ugh=0x0) at /usr/src/debug/openswan-2.6.11/programs/pluto/ikev2_parent.c:1476
#12 0x00e902f5 in pluto_crypto_helper_ready (readfds=0xbfd13714) at /usr/src/debug/openswan-2.6.11/programs/pluto/pluto_crypt.c:649
#13 0x00e6000d in call_server () at /usr/src/debug/openswan-2.6.11/programs/pluto/server.c:790
#14 0x00e5cd8e in main (argc=2136884559, argv=0x4b57794c) at /usr/src/debug/openswan-2.6.11/programs/pluto/plutomain.c:830
----------------------------

---Security Component Data---
Userspace tool common name: openswan
The userspace tool has the following bit modes: 32
Userspace rpm: openswan-2.6.11-1.el5

=Comment: #2=================================================
TYLER C. HICKS <tchicks.com> - 2008-04-17 12:28 EDT

RFC 4305 declares that phase2alg=null MUST be available:
--------------------------
3.1.1. ESP Encryption and Authentication Algorithms

   These tables list encryption and authentication algorithms for the
   IPsec Encapsulating Security Payload protocol.

      Requirement    Encryption Algorithm (notes)
      -----------    --------------------
      MUST           NULL (1)
      MUST-          TripleDES-CBC [RFC2451]
      SHOULD+        AES-CBC with 128-bit keys [RFC3602]
      SHOULD         AES-CTR [RFC3686]
      SHOULD NOT     DES-CBC [RFC2405] (3)

<snip>

   Notes:

   (1) Since ESP encryption and authentication are optional, support
       for the two "NULL" algorithms is required to maintain
       consistency with the way these services are negotiated. Note
       that while authentication and encryption can each be "NULL",
       they MUST NOT both be "NULL".
--------------------------
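
Added example (not Openswan code and not part of the original report): the backtrace above shows the assertion `ta.encrypter != NULL` firing on a peer's proposal and the status dump that follows faulting in `strlen()` under `snprintf()`; this C code shows one defensive pattern for both, together with the RFC 4305 rule quoted above. The `esp_alg` struct, the descriptor constants and all function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical descriptor for this example; not Openswan's own structure. */
struct esp_alg { const char *name; unsigned keylen_bits; };

/* NULL encryption and "no integrity" are negotiable choices, so each gets a
 * real descriptor; a NULL pointer then only ever means "nothing selected". */
static const struct esp_alg ENCR_NULL   = { "NULL", 0 };
static const struct esp_alg ENCR_AES128 = { "AES_CBC", 128 };
static const struct esp_alg AUTH_NONE   = { "NONE", 0 };
static const struct esp_alg AUTH_SHA1   = { "HMAC_SHA1", 160 };

enum esp_verdict { ESP_OK, ESP_MISSING_TRANSFORM, ESP_BOTH_NULL };

/* Validate a peer-supplied ESP transform pair by returning a verdict instead
 * of asserting, so a bad proposal is rejected rather than aborting the daemon. */
enum esp_verdict esp_check_proposal(const struct esp_alg *encr,
                                    const struct esp_alg *auth)
{
    if (encr == NULL || auth == NULL)
        return ESP_MISSING_TRANSFORM;
    if (encr == &ENCR_NULL && auth == &AUTH_NONE)
        return ESP_BOTH_NULL;   /* RFC 4305: MUST NOT both be "NULL" */
    return ESP_OK;
}

/* Never hand a possibly-NULL char * to a %s conversion. */
static const char *alg_name(const struct esp_alg *a)
{
    return (a != NULL && a->name != NULL) ? a->name : "(unset)";
}

/* Format the pair for a status line; safe even when a descriptor is absent. */
int esp_format(char *buf, size_t len, const struct esp_alg *encr,
               const struct esp_alg *auth)
{
    return snprintf(buf, len, "esp=%s_%03u-%s", alg_name(encr),
                    encr != NULL ? encr->keylen_bits : 0u, alg_name(auth));
}

int main(void)
{
    char line[64];
    esp_format(line, sizeof line, NULL, &AUTH_SHA1);
    printf("%s -> verdict %d\n", line, esp_check_proposal(NULL, &AUTH_SHA1));
    return esp_check_proposal(&ENCR_AES128, &AUTH_NONE) == ESP_OK ? 0 : 1;
}
```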
------- Comment From tchicks.com 2008-04-30 17:12 EDT-------
Red Hat - Can we get confirmation that a fix for this bug is targeted for the zstream release? Thanks!
Created attachment 304844
Allow NULL encryption with ESP

Please apply all my previous patches from 439771 and 442955, then this patch. This lets me run null encryption between two Openswan machines.
This was merged into 2.6.13
2.6.14rc7-1 was built to address the problem being reported.
------- Comment From tchicks.com 2008-06-05 18:11 EDT-------
I have verified this bug fix between i386 and ppc using openswan-2.6.14rc10, built from source from openswan.org.
Can you provide a new trace, since the old trace had:

#7 0x00e58aef in passert_fail (pred_str=0xef7ca5 "ta.encrypter != NULL", file_str=0xef796c "/usr/src/redhat/BUILD/openswan-2.6.11/programs/pluto/spd _v2_struct.c", line_no=1245)

which was resolved, so this is crashing at another place now.
------- Comment From tchicks.com 2008-06-05 19:09 EDT-------
Hey Paul - I'm not seeing any crashes. I reported that I had verified your fix using i386 and ppc machines. It works great. Thanks!
------- Comment From tchicks.com 2008-06-18 18:18 EDT-------
Changing status to FIXEDAWAITINGTEST on IBM's side.

------- Comment From tchicks.com 2008-06-18 18:19 EDT-------
Changing status to TESTED on IBM's side.

------- Comment From tchicks.com 2008-06-18 18:20 EDT-------
Changing status to ACCEPTED on IBM's side.

------- Comment From tchicks.com 2008-06-18 18:22 EDT-------
Setting status to CLOSED on IBM's side. I verified the official openswan-2.6.14-1.el5_2.1 rpm from RH between i386 and ppc.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-1350.html