Bug 449382
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.

Can I get a trace on this crash? Use dumpdir=/tmp in 'config setup' in ipsec.conf and it should provide a core. Symbols will be in the OBJ.* directory.

Created attachment 308365 [details]
coredump from openswan
I'd need the gdb trace of the crash that requires the core, not the core itself :) I can't reproduce this. Could you try to start the connection manually after "ipsec whack --debug-all" and attach the debug output? Thanks!

Config file is as follows. Trying to get more debug info now.

# cat /etc/ipsec.conf
#include /etc/ipsec.d/*.conf
config setup
        interfaces="ipsec0=eth0"
        klipsdebug=none
        plutodebug=all
        nat_traversal=yes
        protostack=netkey
        dumpdir=/tmp/openswan

conn tunnelrsa
        connaddrfamily=ipv6
        left=3ffe:501:ffff:104::1
        leftcert=/etc/ipsec.d/certs/client.pem
        right=3ffe:501:ffff:104::11
        rightcert=/etc/ipsec.d/certs/server.pem
        type=tunnel
        auto=add

# cat /etc/ipsec.secrets
: RSA /etc/ipsec.d/private/client.key "Your Passphrase"
I can't get any useful debuginfo from gdb. Apart from openswan-debuginfo-2.6.12-2.el5, is there anything else I need to pull in?

Use debuginfo-install from yum-utils to get all needed debuginfo packages.

Per llim, changed the SUBJECT line to be more specific: openswan segv using RSA PKIX (x.509) mode.

Created attachment 308711 [details]
fix for right=%any with plutodebug=controlmore crash
Fix a debug line causing a crasher when we attempt to lookup a
connection with right=%any with plutodebug=controlmore enabled.
Created attachment 308714 [details]
Fix for generating man pages in 'make programs'
fix for pluto crash with this message when pfs=yes and Vista client connects
using pfs=no
3887: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
cipher=aes_256 prf=oakley_sha group=modp1536}
3888: we require PFS but Quick I1 SA specifies no GROUP_DESCRIPTION
3888: sending encrypted notification NO_PROPOSAL_CHOSEN to 195.246.208.9:500
packet from 195.246.208.9:500: ASSERTION FAILED at ikev1_quick.c:1847:
st->st_connection != NULL
Created attachment 308715 [details]
don't spam logs with alloc_bytes1() warnings
only display text "alloc_bytes1() was mistakenly asked to malloc 0 bytes" when
LEAK_DETECTIVE is set to avoid spamming production systems.
Created attachment 308716 [details]
Added connaddrfamily entry to man page
Added connaddrfamily entry to man page
Created attachment 308717 [details]
fix for finding right=%any conns in find_host_connection2()
Revert af family code in find_host_pair causing some connections to not
be found in find_host_connection2()
These were some post-2.6.14 fixes we did so far. Note there is one more issue with X.509. In openswan 2.4.x, when you specified leftcert= it would default the id to type ID_DER_ASN1_DN. This was changed in 2.5.x and 2.6.x to default to ID_IPV4_ADDR, while a new value was added, leftid=%fromcert. This will however break anyone upgrading an X.509 conn from openswan 2.4.x to 2.5.x. Attached is the patch that caused this, which you might want to revert.

Created attachment 308720 [details]
patch that caused leftid= behaviour change with leftcert=

From my message to dev:

> > > My problem is in X.509 cert handling. The problem looks like it's not
> > > handling cert DNs as the Main ID.

There is a new setting, which I did not know about: leftid=%fromcert

I'm strongly leaning towards undoing the code that causes this to be necessary, unless someone can convince me that the default when using leftcert= should be ID_IPV4_ADDR instead of ID_DER_ASN1_DN. I can come up with no valid reason for this.

Comment on attachment 308715 [details]
don't spam logs with alloc_bytes1() warnings
already in 2.6.14....
Created attachment 308729 [details]
fix for crasher http://bugs.xelerance.com/view.php?id=928

fix for pluto crash with this message when pfs=yes and Vista client connects
using pfs=no

3887: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
cipher=aes_256 prf=oakley_sha group=modp1536}
3888: we require PFS but Quick I1 SA specifies no GROUP_DESCRIPTION
3888: sending encrypted notification NO_PROPOSAL_CHOSEN to 195.246.208.9:500
packet from 195.246.208.9:500: ASSERTION FAILED at ikev1_quick.c:1847:
st->st_connection != NULL

Created attachment 308732 [details]
this commit is part of the leftid= change when using certs
this commit is part of the leftid= change when using certs (candidate to be
undone)
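As an added illustration of the upgrade pitfall discussed in the leftid= comments above (this is a constructed example, not one of the attachments in this bug and not openswan's own sample config): a conn written for openswan 2.4.x relies on leftcert= implying a DN-based ID, while on 2.5.x/2.6.x the same conn defaults to an address-based ID and needs leftid=%fromcert / rightid=%fromcert to keep authenticating against the certificate subject. The addresses, certificate paths and connaddrfamily setting are copied from the reporter's config; the conn names are assumptions.

```ini
# Constructed example, openswan 2.4.x style: no leftid=/rightid=.
# 2.4.x derives each end's ID from the certificate's subject DN
# (ID_DER_ASN1_DN). On 2.5.x/2.6.x the same conn defaults to the
# address (ID_IPV4_ADDR), so the ID payload no longer matches the
# certificate and authentication fails after the upgrade.
conn tunnelrsa-24
        connaddrfamily=ipv6
        left=3ffe:501:ffff:104::1
        leftcert=/etc/ipsec.d/certs/client.pem
        right=3ffe:501:ffff:104::11
        rightcert=/etc/ipsec.d/certs/server.pem
        type=tunnel
        auto=add

# Same conn for 2.5.x/2.6.x (constructed example): ask for the DN-based
# ID explicitly on both ends with %fromcert, which restores the 2.4.x
# behaviour without depending on the changed default.
conn tunnelrsa-26
        connaddrfamily=ipv6
        left=3ffe:501:ffff:104::1
        leftcert=/etc/ipsec.d/certs/client.pem
        leftid=%fromcert
        right=3ffe:501:ffff:104::11
        rightcert=/etc/ipsec.d/certs/server.pem
        rightid=%fromcert
        type=tunnel
        auto=add
```

After loading the conn, the IDs pluto actually derived for each end are shown in the connection listing from `ipsec auto --status`, which is the quickest way to confirm whether the DN or the address is in use before the peer is contacted.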
This patch appears to be in the 2.6.14 release.

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-1350.html
Description of problem:
Openswan seg fault if it is setup with RSA mode. PSK is OK. Creating this bug as a placeholder as this bug has been confirmed by Paul.

Version-Release number of selected component (if applicable):
openswan-2.6.12-2.el5
kernel-2.6.18-92.el5

How reproducible:
Always

Steps to Reproduce:
1.
config setup
        interfaces="ipsec0=eth0"
        protostack=netkey

conn tunnelipsec
        connaddrfamily=ipv6 # Important for IPv6!
        left=3ffe:501:ffff:104::29
        leftcert=/etc/ipsec.d/certs/client.pem
        right=3ffe:501:ffff:104::11
        rightcert=/etc/ipsec.d/certs/server.pem
        type=tunnel
        auto=start

Actual results:
May 29 17:05:21 localhost kernel: NET: Unregistered protocol family 15
May 29 17:05:21 localhost ipsec_setup: ...Openswan IPsec stopped
May 29 17:05:21 localhost ipsec_setup: Stopping Openswan IPsec...
May 29 17:05:21 localhost kernel: NET: Registered protocol family 15
May 29 17:05:21 localhost ipsec_setup: Using NETKEY(XFRM) stack
May 29 17:05:21 localhost ipsec_setup: ...Openswan IPsec started
May 29 17:05:21 localhost ipsec_setup: Starting Openswan IPsec U2.6.12/K2.6.18-92.el5...
May 29 17:05:21 localhost ipsec_setup: Trying hardware random, this may fail, which is okay.
May 29 17:05:21 localhost ipsec_setup: Trying to load all NETKEY modules:xfrm6_tunnel xfrm6_mode_tunnel xfrm6_mode_beet xfrm6_mode_ro xfrm6_mode_transport xfrm4_mode_transport xfrm4_mode_tunnel xfrm4_tunnel xfrm4_mode_beet esp4 esp6 ah4 ah6 ipcomp ipcomp6 af_key
May 29 17:05:21 localhost ipsec_setup: Trying VIA padlock driver, this may fail, which is okay.
May 29 17:05:21 localhost ipsec_setup: Trying to load Crypto API modules, some may fail, which is okay.
May 29 17:05:21 localhost ipsec_setup: aes-x86_64 aes des sha512 sha256 md5 cbc xcbc ecb twofish blowfish serpent ccm
May 29 17:05:21 localhost ipsec__plutorun: 002 loading certificate from /etc/ipsec.d/certs/server.crt
May 29 17:05:21 localhost ipsec__plutorun: 002 loaded host cert file '/etc/ipsec.d/certs/server.crt' (1399 bytes)
May 29 17:05:21 localhost ipsec__plutorun: 002 loading certificate from /etc/ipsec.d/certs/client.crt
May 29 17:05:21 localhost ipsec__plutorun: 002 loaded host cert file '/etc/ipsec.d/certs/client.crt' (1399 bytes)
May 29 17:05:21 localhost ipsec__plutorun: 002 added connection description "tunnelipsec"
May 29 17:05:21 localhost ipsec__plutorun: 003 "/etc/ipsec.secrets" line 1: unrecognized key format: /etc/ipsec.d/private/server.key
May 29 17:05:21 localhost ipsec__plutorun: 000 "tunnelipsec": request to add a prospective erouted policy with netkey kernel --- not yet implemented
May 29 17:05:21 localhost ipsec__plutorun: 104 "tunnelipsec" #1: STATE_MAIN_I1: initiate
May 29 17:07:41 localhost ipsec__plutorun: /usr/libexec/ipsec/_plutorun: line 250: 21968 Segmentation fault /usr/libexec/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets --use-netkey

Expected results:
Should not segv

Additional info: