--- Begin Message ---
- To: gnats-bugs@gnats.netbsd.org
- Subject: bin/20704: racoon crashes when negotiating with WinXP
- From: mlelstv@serpens.de
- Date: Fri, 14 Mar 2003 18:58:19 +0100 (MET)
- Delivered-to: itojun@itojun.org
- Delivered-to: itojun@netbsd.org
- Delivered-to: netbsd-bugs@netbsd.org
- Reply-to: mlelstv@serpens.de
- Sender: netbsd-bugs-owner@netbsd.org
>Number:         20704
>Category:       bin
>Synopsis:       racoon crashes when negotiating with WinXP
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Mar 14 09:59:00 PST 2003
>Closed-Date:
>Last-Modified:
>Originator:     Michael van Elst
>Release:        NetBSD 1.6.1_RC1
>Organization:
not me
>Environment:
System: NetBSD pepew 1.6.1_RC1 NetBSD 1.6.1_RC1 (PEPEW) #5: Sun Feb 9 22:58:16 MET 2003 src@pepew:/amd/fud-wave/d/0/src/sys/arch/i386/compile/PEPEW i386
Architecture: i386
Machine: i386
>Description:
racoon crashes _sometimes_ when negotiating an ESP tunnel with WinXP.
The same configuration works if the other side is NetBSD/racoon
instead of WinXP.

The coredump shows:

    #0  0x804f07f in isakmp_send (iph1=0x0, sbuf=0x80bb990)
        at /d/0/src/usr.sbin/racoon/racoon/../../../crypto/dist/kame/racoon/isakmp.c:1409
    1409            s = getsockmyaddr(iph1->local);
    (gdb) where
    #0  0x804f07f in isakmp_send (iph1=0x0, sbuf=0x80bb990)
        at /d/0/src/usr.sbin/racoon/racoon/../../../crypto/dist/kame/racoon/isakmp.c:1409
    #1  0x804f329 in isakmp_ph2resend (iph2=0x80b4400)
        at /d/0/src/usr.sbin/racoon/racoon/../../../crypto/dist/kame/racoon/isakmp.c:1483
    #2  0x804f26e in isakmp_ph2resend_stub (p=0x80b4400)
        at /d/0/src/usr.sbin/racoon/racoon/../../../crypto/dist/kame/racoon/isakmp.c:1466
    #3  0x8084291 in schedular ()
        at /d/0/src/usr.sbin/racoon/racoon/../../../crypto/dist/kame/racoon/schedule.c:96
    #4  0x804bb82 in session ()
        at /d/0/src/usr.sbin/racoon/racoon/../../../crypto/dist/kame/racoon/session.c:133
    #5  0x804b7cf in main (ac=1, av=0xbfbfdb78)
        at /d/0/src/usr.sbin/racoon/racoon/../../../crypto/dist/kame/racoon/main.c:244
    #6  0x804b160 in ___start ()
    (gdb) whatis iph1
    type = struct ph1handle *
    (gdb) print iph1
    $1 = (struct ph1handle *) 0x0
    (gdb) up
    #1  0x804f329 in isakmp_ph2resend (iph2=0x80b4400)
        at /d/0/src/usr.sbin/racoon/racoon/../../../crypto/dist/kame/racoon/isakmp.c:1483
    1483            if (isakmp_send(iph2->ph1, iph2->sendbuf) < 0)
    (gdb) print *iph2
    $1 = {src = 0x80bb720, dst = 0x80bb4b0, src_id = 0x0, dst_id = 0x0,
      spid = 40, status = 9, side = 0 '\000', sce = 0x80ba300,
      scr = 0x80ba480, retry_counter = 4, sendbuf = 0x80bb990, msg1 = 0x0,
      retry_checkph1 = 0, seq = 368, satype = 3 '\003', flags = 1 '\001',
      msgid = 1902323596, sainfo = 0x80ba100, proposal = 0x80b1440,
      approval = 0x80b1660, spidx_gen = 0x0, pfsgrp = 0x80b15c0,
      dhpriv = 0x80bb910, dhpub = 0x80bb7f0, dhpub_p = 0x80bb9d0,
      dhgxy = 0x80bba30, id = 0x80bb7e0, id_p = 0x80bb930, nonce = 0x80bb740,
      nonce_p = 0x80bb9e0, sa = 0x80bb730, sa_ret = 0x80bb9c0, ivm = 0x80bb750,
      ph1 = 0x0, chain = {le_next = 0x0, le_prev = 0x80ae5c4},
      ph1bind = {le_next = 0x0, le_prev = 0x80b46b0}}

So, somewhere racoon loses or doesn't initialize a phase1 handle.

The isakmp.c file says:

    /* $KAME: isakmp.c,v 1.172 2002/01/02 09:06:53 jinmei Exp $ */

CVS reports the following version:

    File: isakmp.c          Status: Up-to-date
       Working revision:    1.8.2.2
       Repository revision: 1.8.2.2 /cvsroot/src/crypto/dist/kame/racoon/isakmp.c,v
       Sticky Tag:          netbsd-1-6 (branch: 1.8.2)
       Sticky Date:         (none)
       Sticky Options:      (none)

I have configured the following policy in ipsec.conf:

    spdflush;

    # wavenet to volans
    spdadd 10.27.5.5 0.0.0.0/0 any -P in ipsec esp/tunnel/10.27.5.5-10.27.5.1/require;
    spdadd 0.0.0.0/0 10.27.5.5 any -P out ipsec esp/tunnel/10.27.5.1-10.27.5.5/require;

racoon.conf is fairly standard:

----------------------- snip --------------------
# $KAME: racoon.conf.sample,v 1.20 2000/11/03 15:08:03 sakane Exp $

# "path" affects "include" directive.  "path" must be specified before any
# "include" directive with relative file path.
# you can overwrite "path" directive afterwards, however, doing so may add
# more confusion.
#path include "/etc/racoon" ;
#include "remote.conf" ;

# the file should contain key ID/key pairs, for pre-shared key authentication.
path pre_shared_key "/etc/racoon/psk.txt" ;

# racoon will look for certificate file in the directory,
# if the certificate/certificate request payload is received.
#path certificate "/usr/pkg/certs" ;

# "log" specifies logging level.  It is followed by either "info", "notify",
# "debug" or "debug2".
#log notify;

remote anonymous
{
	#exchange_mode main,aggressive,base;
	exchange_mode aggressive,main,base;
	my_identifier fqdn "fud.1st.de";
	#certificate_type x509 "foo@kame.net.cert" "foo@kame.net.priv" ;
	lifetime time 24 hour ;	# sec,min,hour
	#initial_contact off ;
	#passive on ;

	# phase 1 proposal (for ISAKMP SA)
	proposal {
		encryption_algorithm 3des;
		hash_algorithm sha1;
		authentication_method pre_shared_key ;
		dh_group 2 ;
	}

	# the configuration makes racoon (as a responder) to obey the
	# initiator's lifetime and PFS group proposal.
	# this makes testing so much easier.
	#proposal_check obey;
}

# phase 2 proposal (for IPsec SA).
# actual phase 2 proposal will obey the following items:
# - kernel IPsec policy configuration (like "esp/transport//use)
# - permutation of the crypto/hash/compression algorithms presented below
sainfo anonymous
{
	pfs_group 2;
	lifetime time 12 hour ;
	encryption_algorithm 3des, cast128, blowfish, des, rijndael ;
	authentication_algorithm hmac_sha1, hmac_md5 ;
	compression_algorithm deflate ;
}
----------------------- snip --------------------

>How-To-Repeat:
Dunno. Happened 3 times in 2 days so far, always when WinXP tried to
set up the tunnel.
>Fix:
Dunno.
>Release-Note:
>Audit-Trail:
>Unformatted:
--- End Message ---
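The backtrace in the report shows the scheduler firing a phase-2 retransmit (isakmp_ph2resend) for a handle whose ph1 pointer is already NULL, and isakmp_send dereferencing it at isakmp.c:1409. The following C program is an added illustration, not racoon's own code and not the fix for this PR: it models that retransmit path with simplified stand-in structs (ph1handle, ph2handle, the names are borrowed from the trace, the layouts are constructed) and shows the defensive check a maintainer would want before the send, so that a phase-2 handle that has lost its phase-1 binding abandons the retransmit and stops rescheduling itself instead of crashing the daemon.

```c
/*
 * Added example (not from the PR or from racoon): a minimal model of the
 * phase-2 retransmit path from the backtrace above, with a guard against
 * a NULL phase-1 handle. All struct layouts and names are constructed
 * stand-ins; only the shape of the call chain mirrors the trace.
 */
#include <stdio.h>
#include <stddef.h>

struct sockaddr_stub { int family; };   /* constructed placeholder for the local address */

struct ph1handle {
    struct sockaddr_stub *local;        /* what isakmp_send() reads via iph1->local */
};

struct ph2handle {
    struct ph1handle *ph1;              /* NULL in the crash dump (ph1 = 0x0) */
    int retry_counter;                  /* 4 in the dump */
    const char *sendbuf;                /* pending retransmit buffer */
};

/* Models isakmp_send(): -1 on error, 0 on success. The real function
 * dereferenced iph1 unconditionally; here the NULL case is refused. */
static int isakmp_send_model(struct ph1handle *iph1, const char *sbuf)
{
    if (iph1 == NULL || iph1->local == NULL)
        return -1;
    (void)sbuf;                         /* no socket I/O in this model */
    return 0;
}

/* Models isakmp_ph2resend() with the guard added. A phase-2 handle whose
 * phase-1 binding is gone cannot be retransmitted: log, zero the retry
 * counter so the scheduler stops calling back, and return -1.
 * Returns 0 when a retransmit was sent and the counter decremented. */
int ph2resend_guarded(struct ph2handle *iph2)
{
    if (iph2->ph1 == NULL) {
        fprintf(stderr, "phase2 resend: phase1 handle missing, giving up\n");
        iph2->retry_counter = 0;
        return -1;
    }
    if (iph2->retry_counter <= 0)
        return -1;                      /* retries exhausted */
    if (isakmp_send_model(iph2->ph1, iph2->sendbuf) < 0)
        return -1;
    iph2->retry_counter--;
    return 0;
}

/* Reproduces the dump's state (ph1 == NULL, retry_counter == 4).
 * Returns the resend result: -1 expected, and no crash. */
int demo_unbound_ph2(void)
{
    struct ph2handle iph2 = { NULL, 4, "constructed-sendbuf" };
    return ph2resend_guarded(&iph2);
}

/* Healthy handle: one resend succeeds and the counter goes 4 -> 3.
 * Returns the retry counter after the resend, or -1 on failure. */
int demo_bound_ph2(void)
{
    struct sockaddr_stub sa = { 2 };
    struct ph1handle ph1 = { &sa };
    struct ph2handle iph2 = { &ph1, 4, "constructed-sendbuf" };
    if (ph2resend_guarded(&iph2) != 0)
        return -1;
    return iph2.retry_counter;
}

int main(void)
{
    printf("unbound handle -> %d\n", demo_unbound_ph2());
    printf("bound handle, retries left -> %d\n", demo_bound_ph2());
    return 0;
}
```

The point of the model is where the check lives: the dump shows retry_counter still at 4 with ph1 already NULL, so the scheduler would keep invoking the resend callback; clearing the counter when the binding is found missing is what stops the daemon from re-entering the same dereference on the next tick. It says nothing about why the phase-1 handle was lost in the first place, which is the open question of the PR.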