Description of problem: When I set the spi=0x200 option in ipsec.conf it said "valid keywork,but value is not a number [0x200]" So I use spi=200 refer to `man ipsec_manual` I type command 'ipsec manual' but it is unknow.Then I using `ipsec auto` command to up the tunnel Openswan seg fault if it is setup with manual keying. Version-Release number of selected component (if applicable): openswan-2.6.12-2.el5 kernel-2.6.18-92.el5 How reproducible: Always Steps to Reproduce: 1. ipsec.conf config setup interfaces="ipsec0=eth0" protostack=netkey conn tunnelipsec connaddrfamily=ipv6 left=3ffe:501:ffff:104::10 right=3ffe:501:ffff:104::11 spi=200 esp=3des-md5-96 espenckey=0x8b993469_76cc7b2a_ec76b665_e0d27a3c_0ae177ab_f81d2d6c_4728ace1_36ea2261_97e6ae10_77ba0e86_25008728_1a47507f_2512262d_4693baf1_36c2a84e_f1a5f800_167dda7a_ecbcca1a_c5596359_7c356aa4_dc0b25c4_82958020_e249c030_c0b15a07_fd6e955f_c177b9ec_8d9b02ba_ee9fa71f_7b1a9368_774d95cf_31e3661f_922f87c6_e5ed540b_88149cab_39726bab_72815d8e_ec394b38_0dba709b_217187e6_25d11f68_bda3b0d8_7e5a10b4_ddf099e2_3a33c014_4edf3dce_0c7c12be_cddaf18a_c2baf56d espauthkey=0x424b8199_0daf8bbe_46370215_f80c0242_93b699fe_59ea331d_64af67cc_ee089b57_db3eacd4_1ce36a23_1da7d844_2d083c77_7d8f4538_ef8072ba_d1ef9d77_4d1ed24a_3f311939_b6dbbddf_6ec13228_02f9884e_a236cba6_2dc59a9c_77f5af9c_e66c2f22_a652c18a_caf50396_3e1640f7_42030bfd_f25f0a1f_07bb84f4_56ac4f95_09d9d346 type=tunnel auto=start Actual results: Jun 3 10:25:31 localhost ipsec_setup: ...Openswan IPsec stopped Jun 3 10:25:31 localhost ipsec_setup: Stopping Openswan IPsec... Jun 3 10:25:31 localhost ipsec_setup: Removing orphaned /var/run/pluto/pluto.pid: Jun 3 10:25:31 localhost kernel: NET: Registered protocol family 15 Jun 3 10:25:31 localhost ipsec_setup: Using NETKEY(XFRM) stack Jun 3 10:25:31 localhost ipsec_setup: ...Openswan IPsec started Jun 3 10:25:31 localhost ipsec_setup: Starting Openswan IPsec U2.6.12/K2.6.18-92.el5... Jun 3 10:25:31 localhost ipsec_setup: Trying hardware random, this may fail, which is okay. Jun 3 10:25:31 localhost ipsec_setup: Trying to load all NETKEY modules:xfrm6_tunnel xfrm6_mode_tunnel xfrm6_mode_beet xfrm6_mode_ro xfrm6_mode_transport xfrm4_mode_transport xfrm4_mode_tunnel xfrm4_tunnel xfrm4_mode_beet esp4 esp6 ah4 ah6 ipcomp ipcomp6 af_key Jun 3 10:25:31 localhost ipsec_setup: Trying VIA padlock driver, this may fail, which is okay. Jun 3 10:25:31 localhost ipsec_setup: Trying to load Crypto API modules, some may fail, which is okay. Jun 3 10:25:31 localhost ipsec_setup: aes-x86_64 aes des sha512 sha256 md5 cbc xcbc ecb twofish blowfish serpent ccm Jun 3 10:25:31 localhost ipsec__plutorun: 002 added connection description "tunnelipsec" Jun 3 10:25:31 localhost ipsec__plutorun: 000 "tunnelipsec": request to add a prospective erouted policy with netkey kernel --- not yet implemented Jun 3 10:25:31 localhost ipsec__plutorun: 104 "tunnelipsec" #1: STATE_MAIN_I1: initiate Jun 3 10:51:52 localhost ipsec__plutorun: /usr/libexec/ipsec/_plutorun: line 250: 8595 Segmentation fault /usr/libexec/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets --use-netkey Expected results: Should not segv Additional info:
I use two long value in espenckey and espauthkey in the config file at beginning. And I correct ipsec.conf with input espenckey and espauthkey with one 192 bits and one 128 bits key but it still show Segmentation fault.
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.
the new parser in lib/libipsecconf/ has not been tested at all with manual keying. I am surprised it even accepts the keywords, as these were going to get phased out. My guess is the parser does know it needs a number value, but does not support the 0x notation for hex.
Is this bug still a problem in 2.6.14?
yes it is still present.
Release note added. If any revisions are required, please set the "requires_release_notes" flag to "?" and edit the "Release Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. New Contents: The parser in lib/libipsecconf/ does not correctly interpret values supplied in manual keyring, and the use of the manual keyring could therefore result in a segmentation fault in Openswan. Because the manual keyring is no longer supported, Openswan will now exit with an error when ipsec manual up <connection-name> is used.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHEA-2009-1350.html