Bug 449382 - openswan segv using RSA PKIX (x.509) mode
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: openswan
Version: 5.2
Hardware/OS: All Linux
Priority: high
Severity: medium
Target Milestone: rc
Assigned To: Avesh Agarwal
Blocks: 253764
Reported: 2008-06-02 11:25 EDT by Lawrence Lim
Modified: 2014-03-25 20:55 EDT
Doc Type: Bug Fix
Last Closed: 2009-09-02 07:18:55 EDT

Attachments
coredump from openswan (408.00 KB, application/octet-stream), 2008-06-04 12:08 EDT, Lawrence Lim
fix for right=%any with plutodebug=controlmore crash (1.16 KB, patch), 2008-06-09 12:15 EDT, Paul Wouters
Fix for generating man pages in 'make programs' (877 bytes, patch), 2008-06-09 12:28 EDT, Paul Wouters
don't spam logs with alloc_bytes1() warnings (754 bytes, patch), 2008-06-09 12:29 EDT, Paul Wouters
Added connaddrfamily entry to man page (1.18 KB, application/octet-stream), 2008-06-09 12:30 EDT, Paul Wouters
fix for finding right=%any conns in find_host_connection2() (827 bytes, patch), 2008-06-09 12:31 EDT, Paul Wouters
patch that caused leftid= behaviour change with leftcert= (4.16 KB, patch), 2008-06-09 12:42 EDT, Paul Wouters
fix for crasher http://bugs.xelerance.com/view.php?id=928 (997 bytes, patch), 2008-06-09 13:32 EDT, Paul Wouters
this commit is part of the leftid= change when using certs (3.60 KB, patch), 2008-06-09 13:56 EDT, Paul Wouters

Description Lawrence Lim 2008-06-02 11:25:53 EDT
Description of problem:
Openswan seg faults if it is set up with RSA mode. PSK is OK.
Creating this bug as a placeholder, as this bug has been confirmed by Paul.

Version-Release number of selected component (if applicable):
openswan-2.6.12-2.el5
kernel-2.6.18-92.el5

How reproducible:
Always

Steps to Reproduce:
1.
config setup
        interfaces="ipsec0=eth0"
        protostack=netkey

conn tunnelipsec
        connaddrfamily=ipv6       # Important for IPv6!
        left=3ffe:501:ffff:104::29
        leftcert=/etc/ipsec.d/certs/client.pem
        right=3ffe:501:ffff:104::11
        rightcert=/etc/ipsec.d/certs/server.pem
        type=tunnel
        auto=start

Actual results:
May 29 17:05:21 localhost kernel: NET: Unregistered protocol family 15
May 29 17:05:21 localhost ipsec_setup: ...Openswan IPsec stopped
May 29 17:05:21 localhost ipsec_setup: Stopping Openswan IPsec...
May 29 17:05:21 localhost kernel: NET: Registered protocol family 15
May 29 17:05:21 localhost ipsec_setup: Using NETKEY(XFRM) stack
May 29 17:05:21 localhost ipsec_setup: ...Openswan IPsec started
May 29 17:05:21 localhost ipsec_setup: Starting Openswan IPsec U2.6.12/K2.6.18-92.el5...
May 29 17:05:21 localhost ipsec_setup: Trying hardware random, this may fail, which is okay.
May 29 17:05:21 localhost ipsec_setup: Trying to load all NETKEY modules:xfrm6_tunnel xfrm6_mode_tunnel xfrm6_mode_beet xfrm6_mode_ro xfrm6_mode_transport xfrm4_mode_transport xfrm4_mode_tunnel xfrm4_tunnel xfrm4_mode_beet esp4 esp6 ah4 ah6 ipcomp ipcomp6 af_key
May 29 17:05:21 localhost ipsec_setup: Trying VIA padlock driver, this may fail, which is okay.
May 29 17:05:21 localhost ipsec_setup: Trying to load Crypto API modules, some may fail, which is okay.
May 29 17:05:21 localhost ipsec_setup: aes-x86_64 aes des sha512 sha256 md5 cbc xcbc ecb twofish blowfish serpent ccm
May 29 17:05:21 localhost ipsec__plutorun: 002 loading certificate from /etc/ipsec.d/certs/server.crt
May 29 17:05:21 localhost ipsec__plutorun: 002 loaded host cert file '/etc/ipsec.d/certs/server.crt' (1399 bytes)
May 29 17:05:21 localhost ipsec__plutorun: 002 loading certificate from /etc/ipsec.d/certs/client.crt
May 29 17:05:21 localhost ipsec__plutorun: 002 loaded host cert file '/etc/ipsec.d/certs/client.crt' (1399 bytes)
May 29 17:05:21 localhost ipsec__plutorun: 002 added connection description "tunnelipsec"
May 29 17:05:21 localhost ipsec__plutorun: 003 "/etc/ipsec.secrets" line 1: unrecognized key format: /etc/ipsec.d/private/server.key
May 29 17:05:21 localhost ipsec__plutorun: 000 "tunnelipsec": request to add a prospective erouted policy with netkey kernel --- not yet implemented
May 29 17:05:21 localhost ipsec__plutorun: 104 "tunnelipsec" #1: STATE_MAIN_I1: initiate
May 29 17:07:41 localhost ipsec__plutorun: /usr/libexec/ipsec/_plutorun: line 250: 21968 Segmentation fault /usr/libexec/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets --use-netkey

Expected results:
Should not segv

Additional info:
Comment 1 RHEL Product and Program Management 2008-06-02 15:56:00 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 2 Paul Wouters 2008-06-04 10:27:48 EDT
Can I get a trace on this crash?
Use dumpdir=/tmp in 'config setup' in ipsec.conf and it should provide a core.
Symbols will be in the OBJ.* directory.
Comment 3 Lawrence Lim 2008-06-04 12:08:07 EDT
Created attachment 308365 [details]
coredump from openswan
Comment 4 Paul Wouters 2008-06-04 12:39:53 EDT
I'd need the gdb trace of the crash that requires the core, not the core itself :)
Comment 5 Herbert Xu 2008-06-05 00:47:52 EDT
I can't reproduce this.  Could you try to start the connection manually after
"ipsec whack --debug-all" and attach the debug output? Thanks!
Comment 6 Lawrence Lim 2008-06-05 02:15:19 EDT
Config file is as follows. Trying to get more debug info now.


# cat /etc/ipsec.conf 


#include /etc/ipsec.d/*.conf

config setup
        interfaces="ipsec0=eth0"
        klipsdebug=none
        plutodebug=all
        nat_traversal=yes
        protostack=netkey
        dumpdir=/tmp/openswan

conn tunnelrsa
        connaddrfamily=ipv6
        left=3ffe:501:ffff:104::1
        leftcert=/etc/ipsec.d/certs/client.pem
        right=3ffe:501:ffff:104::11
        rightcert=/etc/ipsec.d/certs/server.pem
        type=tunnel
        auto=add

# cat /etc/ipsec.secrets 
: RSA /etc/ipsec.d/private/client.key "Your Passphrase"
Comment 7 Lawrence Lim 2008-06-05 08:13:56 EDT
I can't get any useful debuginfo from gdb. Apart from
openswan-debuginfo-2.6.12-2.el5, is there anything else I need to pull in?
Comment 8 Tuomo Soini 2008-06-05 09:00:33 EDT
Use debuginfo-install from yum-utils to get all needed debuginfo packages.
Comment 10 Linda Wang 2008-06-09 11:35:44 EDT
Per llim, changed the SUBJECT line to be more specific: openswan segv using RSA
PKIX (x.509) mode.

Comment 11 Paul Wouters 2008-06-09 12:15:17 EDT
Created attachment 308711 [details]
fix for right=%any with plutodebug=controlmore crash

Fix a debug line causing a crasher when we attempt to lookup a
connection with right=%any with plutodebug=controlmore enabled.
Comment 12 Paul Wouters 2008-06-09 12:28:25 EDT
Created attachment 308714 [details]
Fix for generating man pages in 'make programs'

fix for pluto crash with this message when pfs=yes and Vista client connects
using pfs=no

3887: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1536}
3888: we require PFS but Quick I1 SA specifies no GROUP_DESCRIPTION
3888: sending encrypted notification NO_PROPOSAL_CHOSEN to 195.246.208.9:500
packet from 195.246.208.9:500: ASSERTION FAILED at ikev1_quick.c:1847: st->st_connection != NULL
Comment 13 Paul Wouters 2008-06-09 12:29:52 EDT
Created attachment 308715 [details]
don't spam logs with alloc_bytes1() warnings

only display text "alloc_bytes1() was mistakenly asked to malloc 0 bytes" when
LEAK_DETECTIVE is set to avoid spamming production systems.
Comment 14 Paul Wouters 2008-06-09 12:30:31 EDT
Created attachment 308716 [details]
Added connaddrfamily entry to man page

Added connaddrfamily entry to man page
Comment 15 Paul Wouters 2008-06-09 12:31:45 EDT
Created attachment 308717 [details]
fix for finding right=%any conns in find_host_connection2()

Revert af family code in find_host_pair causing some connections to not
be found in find_host_connection2()
Comment 16 Paul Wouters 2008-06-09 12:32:50 EDT
These were some post-2.6.14 fixes we did so far.
Comment 17 Paul Wouters 2008-06-09 12:40:09 EDT
Note there is one more issue with X.509. In openswan 2.4.x, when you specified
leftcert=, it would default the id to type ID_DER_ASN1_DN.

This was changed in 2.5.x and 2.6.x to default to ID_IPV4_ADDR, while a new
value was added, leftid=%fromcert.

This will however break anyone upgrading an X.509 conn from openswan 2.4.x to
2.5.x. Attached is the patch that caused this, which you might want to revert.
Comment 18 Paul Wouters 2008-06-09 12:42:36 EDT
Created attachment 308720 [details]
patch that caused leftid= behaviour change with leftcert=

from my message to dev@openswan.org

> > >	My problem is in X.509 cert handling.  The problem looks like it's not
> > > handling cert DNs as the Main ID.

There is a new setting, which I did not know about:

	leftid=%fromcert

I'm strongly leaning towards undoing the code that causes this to be
necessary, unless someone can convince me that the default when
using leftcert= should be ID_IPV4_ADDR instead of ID_DER_ASN1_DN. I
can come up with no valid reason for this.
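Paul's notes above describe the 2.5.x/2.6.x change where a conn with leftcert= no longer defaults its ID to the certificate DN unless leftid=%fromcert is set. As an added example (not openswan code and not from this bug), here is a small Python check that parses an ipsec.conf and flags conns setting leftcert=/rightcert= without a matching leftid=/rightid=; the two sample conns are constructed from the reporter's config, and rightid=%fromcert mirroring leftid=%fromcert is an assumption.

```python
# Constructed sample: the reporter's 2.4.x-style conn (no leftid=), next to the
# same conn adjusted for 2.6.x so the ID is still taken from the certificate DN.
SAMPLE_CONF = """\
conn tunnelrsa
        left=3ffe:501:ffff:104::1
        leftcert=/etc/ipsec.d/certs/client.pem
        right=3ffe:501:ffff:104::11
        rightcert=/etc/ipsec.d/certs/server.pem
        auto=add

conn tunnelrsa-fixed
        left=3ffe:501:ffff:104::1
        leftcert=/etc/ipsec.d/certs/client.pem
        leftid=%fromcert      # ID_DER_ASN1_DN read from the cert, as 2.4.x did
        right=3ffe:501:ffff:104::11
        rightcert=/etc/ipsec.d/certs/server.pem
        rightid=%fromcert     # assumed to mirror leftid=%fromcert
        auto=add
"""


def parse_ipsec_conf(text):
    """Return {'conn NAME' or 'config setup': {key: value}} from ipsec.conf text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments and trailing space
        if not line.strip():
            continue
        if not raw[0].isspace():               # unindented line opens a section
            kind, _, name = line.partition(" ")
            current = f"{kind} {name.strip()}"
            sections[current] = {}
            continue
        if current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip().strip('"')
    return sections


def conns_missing_cert_id(sections):
    """(conn name, side) pairs that set <side>cert= but leave <side>id= unset,
    i.e. conns that would silently get the ID_IPV4_ADDR default on 2.5.x/2.6.x."""
    flagged = []
    for name, params in sections.items():
        if not name.startswith("conn "):
            continue
        for side in ("left", "right"):
            if f"{side}cert" in params and f"{side}id" not in params:
                flagged.append((name[len("conn "):], side))
    return flagged


if __name__ == "__main__":
    for conn, side in conns_missing_cert_id(parse_ipsec_conf(SAMPLE_CONF)):
        print(f"conn {conn}: {side}cert= set without {side}id= (consider {side}id=%fromcert)")
```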
Comment 19 Paul Wouters 2008-06-09 13:29:00 EDT
Comment on attachment 308715 [details]
don't spam logs with alloc_bytes1() warnings

already in 2.6.14....
Comment 20 Paul Wouters 2008-06-09 13:32:11 EDT
Created attachment 308729 [details]
fix for crasher http://bugs.xelerance.com/view.php?id=928

fix for pluto crash with this message when pfs=yes and Vista client connects
using pfs=no

3887: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1536}
3888: we require PFS but Quick I1 SA specifies no GROUP_DESCRIPTION
3888: sending encrypted notification NO_PROPOSAL_CHOSEN to 195.246.208.9:500
packet from 195.246.208.9:500: ASSERTION FAILED at ikev1_quick.c:1847: st->st_connection != NULL
Comment 21 Paul Wouters 2008-06-09 13:56:58 EDT
Created attachment 308732 [details]
this commit is part of the leftid= change when using certs

this commit is part of the leftid= change when using certs (candidate to be
undone)
Comment 22 Steve Grubb 2008-09-19 10:00:42 EDT
This patch appears to be in the 2.6.14 release.
Comment 28 errata-xmlrpc 2009-09-02 07:18:55 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-1350.html
