Bug 449725 - Openswan seg fault using manual keying.
Openswan seg fault using manual keying.
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: openswan (Show other bugs)
5.2
All Linux
urgent Severity medium
: rc
: ---
Assigned To: Avesh Agarwal
:
Depends On:
Blocks: 253764
  Show dependency treegraph
 
Reported: 2008-06-03 02:53 EDT by Yang Ren
Modified: 2009-09-02 07:18 EDT (History)
7 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
The parser in lib/libipsecconf/ does not correctly interpret values supplied in manual keyring, and the use of the manual keyring could therefore result in a segmentation fault in Openswan. Because the manual keyring is no longer supported, Openswan will now exit with an error when ipsec manual up <connection-name> is used.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-09-02 07:18:52 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Yang Ren 2008-06-03 02:53:49 EDT
Description of problem:
When I set the spi=0x200 option in ipsec.conf it said "valid keywork,but value
is not a number [0x200]"
So I use spi=200
refer to `man ipsec_manual` I type command 'ipsec manual'
but it is unknow.Then I using `ipsec auto` command to up the tunnel
Openswan seg fault if it is setup with manual keying.

Version-Release number of selected component (if applicable):
openswan-2.6.12-2.el5
kernel-2.6.18-92.el5

How reproducible:
Always

Steps to Reproduce:
1.
ipsec.conf

config setup
        interfaces="ipsec0=eth0"
        protostack=netkey

conn tunnelipsec
        connaddrfamily=ipv6
        left=3ffe:501:ffff:104::10
        right=3ffe:501:ffff:104::11
        spi=200
        esp=3des-md5-96
    
espenckey=0x8b993469_76cc7b2a_ec76b665_e0d27a3c_0ae177ab_f81d2d6c_4728ace1_36ea2261_97e6ae10_77ba0e86_25008728_1a47507f_2512262d_4693baf1_36c2a84e_f1a5f800_167dda7a_ecbcca1a_c5596359_7c356aa4_dc0b25c4_82958020_e249c030_c0b15a07_fd6e955f_c177b9ec_8d9b02ba_ee9fa71f_7b1a9368_774d95cf_31e3661f_922f87c6_e5ed540b_88149cab_39726bab_72815d8e_ec394b38_0dba709b_217187e6_25d11f68_bda3b0d8_7e5a10b4_ddf099e2_3a33c014_4edf3dce_0c7c12be_cddaf18a_c2baf56d
       
espauthkey=0x424b8199_0daf8bbe_46370215_f80c0242_93b699fe_59ea331d_64af67cc_ee089b57_db3eacd4_1ce36a23_1da7d844_2d083c77_7d8f4538_ef8072ba_d1ef9d77_4d1ed24a_3f311939_b6dbbddf_6ec13228_02f9884e_a236cba6_2dc59a9c_77f5af9c_e66c2f22_a652c18a_caf50396_3e1640f7_42030bfd_f25f0a1f_07bb84f4_56ac4f95_09d9d346
        type=tunnel
        auto=start

  
Actual results:
Jun  3 10:25:31 localhost ipsec_setup: ...Openswan IPsec stopped
Jun  3 10:25:31 localhost ipsec_setup: Stopping Openswan IPsec...
Jun  3 10:25:31 localhost ipsec_setup: Removing orphaned /var/run/pluto/pluto.pid:
Jun  3 10:25:31 localhost kernel: NET: Registered protocol family 15
Jun  3 10:25:31 localhost ipsec_setup: Using NETKEY(XFRM) stack
Jun  3 10:25:31 localhost ipsec_setup: ...Openswan IPsec started
Jun  3 10:25:31 localhost ipsec_setup: Starting Openswan IPsec
U2.6.12/K2.6.18-92.el5...
Jun  3 10:25:31 localhost ipsec_setup: Trying hardware random, this may fail,
which is okay.
Jun  3 10:25:31 localhost ipsec_setup: Trying to load all NETKEY
modules:xfrm6_tunnel xfrm6_mode_tunnel xfrm6_mode_beet xfrm6_mode_ro
xfrm6_mode_transport xfrm4_mode_transport xfrm4_mode_tunnel xfrm4_tunnel
xfrm4_mode_beet esp4 esp6 ah4 ah6 ipcomp ipcomp6 af_key 
Jun  3 10:25:31 localhost ipsec_setup: Trying VIA padlock driver, this may fail,
which is okay.
Jun  3 10:25:31 localhost ipsec_setup: Trying to load Crypto API modules, some
may fail, which is okay.
Jun  3 10:25:31 localhost ipsec_setup: aes-x86_64 aes des sha512 sha256 md5 cbc
xcbc ecb twofish blowfish serpent ccm 
Jun  3 10:25:31 localhost ipsec__plutorun: 002 added connection description
"tunnelipsec"
Jun  3 10:25:31 localhost ipsec__plutorun: 000 "tunnelipsec": request to add a
prospective erouted policy with netkey kernel --- not yet implemented
Jun  3 10:25:31 localhost ipsec__plutorun: 104 "tunnelipsec" #1: STATE_MAIN_I1:
initiate
Jun  3 10:51:52 localhost ipsec__plutorun: /usr/libexec/ipsec/_plutorun: line
250:  8595 Segmentation fault      /usr/libexec/ipsec/pluto --nofork
--secretsfile /etc/ipsec.secrets --use-netkey

Expected results:
Should not segv

Additional info:
Comment 1 Yang Ren 2008-06-03 03:42:19 EDT
I use two long value in espenckey and espauthkey in the config file at beginning.
And I correct ipsec.conf with input espenckey and espauthkey with one 192 bits
and one 128 bits key but it still show Segmentation fault.

Comment 2 RHEL Product and Program Management 2008-06-03 06:37:10 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 3 Paul Wouters 2008-06-04 11:30:44 EDT
the new parser in lib/libipsecconf/ has not been tested at all with manual
keying. I am surprised it even accepts the keywords, as these were going to get
phased out.

My guess is the parser does know it needs a number value, but does not support
the 0x notation for hex.
Comment 4 Steve Grubb 2008-09-19 10:03:25 EDT
Is this bug still a problem in 2.6.14?
Comment 5 Paul Wouters 2008-09-19 14:31:27 EDT
yes it is still present.
Comment 10 Ruediger Landmann 2009-05-15 03:10:52 EDT
Release note added. If any revisions are required, please set the 
"requires_release_notes" flag to "?" and edit the "Release Notes" field accordingly.
All revisions will be proofread by the Engineering Content Services team.

New Contents:
The parser in lib/libipsecconf/ does not correctly interpret values supplied in manual keyring, and the use of the manual keyring could therefore result in a segmentation fault in Openswan. Because the manual keyring is no longer supported, Openswan will now exit with an error when ipsec manual up <connection-name> is used.
Comment 13 errata-xmlrpc 2009-09-02 07:18:52 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-1350.html

Note You need to log in before you can comment on or make changes to this bug.