Bug#644157: racoon: kerberos authentication when responder to windows causes segfault at end of phase 1

Mon, 03 Oct 2011 05:21:34 -0700 

Package: racoon
Version: 1:0.8.0-8
Severity: normal
Tags: upstream

Dear Maintainer,

Configured for kerberos authentication with Windows 2008R2.
When sending traffic from windows to linux a segfault is raised.
Windows is configured with an additional setting of ESP and AH with AES-128 and 
SHA-1 first.


2011-10-04 00:46:53: DEBUG: begin.
2011-10-04 00:46:53: DEBUG: seen nptype=2(prop)
2011-10-04 00:46:53: DEBUG: succeed.
2011-10-04 00:46:53: DEBUG: proposal #1 len=108
2011-10-04 00:46:53: DEBUG: begin.
2011-10-04 00:46:53: DEBUG: seen nptype=3(trns)
2011-10-04 00:46:53: DEBUG: seen nptype=3(trns)
2011-10-04 00:46:53: DEBUG: succeed.
2011-10-04 00:46:53: DEBUG: transform #1 len=52
2011-10-04 00:46:53: DEBUG: type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC
2011-10-04 00:46:53: DEBUG: encryption(aes)
2011-10-04 00:46:53: DEBUG: type=Key Length, flag=0x8000, lorv=128
2011-10-04 00:46:53: DEBUG: type=Hash Algorithm, flag=0x8000, lorv=SHA
2011-10-04 00:46:53: DEBUG: hash(sha1)
2011-10-04 00:46:53: DEBUG: type=Group Description, flag=0x8000, lorv=1024-bit 
MODP group
2011-10-04 00:46:53: DEBUG: hmac(modp1024)
2011-10-04 00:46:53: DEBUG: type=Authentication Method, flag=0x8000, lorv=XAuth 
pskey client
2011-10-04 00:46:53: DEBUG: type=Life Type, flag=0x8000, lorv=seconds
2011-10-04 00:46:53: DEBUG: type=Life Duration, flag=0x0000, lorv=4
2011-10-04 00:46:53: DEBUG: type=GSS-API endpoint name, flag=0x0000, lorv=8
2011-10-04 00:46:53: DEBUG: transform #2 len=48
2011-10-04 00:46:53: DEBUG: type=Encryption Algorithm, flag=0x8000, 
lorv=3DES-CBC
2011-10-04 00:46:53: DEBUG: encryption(3des)
2011-10-04 00:46:53: DEBUG: type=Hash Algorithm, flag=0x8000, lorv=SHA
2011-10-04 00:46:53: DEBUG: hash(sha1)
2011-10-04 00:46:53: DEBUG: type=Group Description, flag=0x8000, lorv=1024-bit 
MODP group
2011-10-04 00:46:53: DEBUG: hmac(modp1024)
2011-10-04 00:46:53: DEBUG: type=Authentication Method, flag=0x8000, lorv=XAuth 
pskey client
2011-10-04 00:46:53: DEBUG: type=Life Type, flag=0x8000, lorv=seconds
2011-10-04 00:46:53: DEBUG: type=Life Duration, flag=0x0000, lorv=4
2011-10-04 00:46:53: DEBUG: type=GSS-API endpoint name, flag=0x0000, lorv=8
2011-10-04 00:46:53: DEBUG: pair 1:
2011-10-04 00:46:53: DEBUG:  0x7f9d34e071b0: next=(nil) tnext=0x7f9d34e071e0
2011-10-04 00:46:53: DEBUG:   0x7f9d34e071e0: next=(nil) tnext=(nil)
2011-10-04 00:46:53: DEBUG: proposal #1: 2 transform
2011-10-04 00:46:53: DEBUG: type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC
2011-10-04 00:46:53: DEBUG: type=Key Length, flag=0x8000, lorv=128
2011-10-04 00:46:53: DEBUG: type=Hash Algorithm, flag=0x8000, lorv=SHA
2011-10-04 00:46:53: DEBUG: type=Group Description, flag=0x8000, lorv=1024-bit 
MODP group
2011-10-04 00:46:53: DEBUG: type=Authentication Method, flag=0x8000, lorv=XAuth 
pskey client
2011-10-04 00:46:53: DEBUG: type=Life Type, flag=0x8000, lorv=seconds
2011-10-04 00:46:53: DEBUG: type=Life Duration, flag=0x0000, lorv=4
2011-10-04 00:46:53: DEBUG: type=GSS-API endpoint name, flag=0x0000, lorv=8
2011-10-04 00:46:53: DEBUG: received gss id 'IKE' (len 4)
2011-10-04 00:46:53: DEBUG: prop#=1, prot-id=ISAKMP, spi-size=0, #trns=2
2011-10-04 00:46:53: DEBUG: trns#=1, trns-id=IKE
2011-10-04 00:46:53: DEBUG:   lifetime = 28800
2011-10-04 00:46:53: DEBUG:   lifebyte = 0
2011-10-04 00:46:53: DEBUG:   enctype = AES-CBC
2011-10-04 00:46:53: DEBUG:   encklen = 128
2011-10-04 00:46:53: DEBUG:   hashtype = SHA
2011-10-04 00:46:53: DEBUG:   authmethod = GSS-API on Kerberos 5
2011-10-04 00:46:53: DEBUG:   dh_group = 1024-bit MODP group
2011-10-04 00:46:53: [172.22.22.111] DEBUG2: Checking remote conf "anonymous" 
anonymous.
2011-10-04 00:46:53: DEBUG2: enumrmconf: "anonymous" matches.
2011-10-04 00:46:53: DEBUG2: checkisakmpsa:
authmethod: 130537 / 130537
2011-10-04 00:46:53: DEBUG: an acceptable proposal found.
2011-10-04 00:46:53: DEBUG: hmac(modp1024)
2011-10-04 00:46:53: DEBUG: gss id in new sa 'wheezy1$@XXXXXX'


line 692 from src/racoon/gssapi.c has a null value for iph1->rmconf

vchar_t *
gssapi_get_id(struct ph1handle *iph1)
{
        gss_buffer_desc id_buffer;
        gss_buffer_t id = &id_buffer;
        gss_name_t defname, canon_name;
        OM_uint32 min_stat, maj_stat;
        vchar_t *vmbuf;

        if (iph1->rmconf->proposal->gssid != NULL)
                return (vdup(iph1->rmconf->proposal->gssid));

from src/racoon/ipsec_doi.c
I think check for iph1->rmconf doesn't account for being the responder.

   276                                  if (iph1->rmconf != NULL) {
   277                                          if 
(get_ph1approvalx(iph1->rmconf, &ctx))
   278                                                  goto found;
   279                                  } else {
   280                                          if (enumrmconf(&rmsel, 
get_ph1approvalx, &ctx))
   281                                                  goto found;
   282                                  }


which causes a later call to gssapi_get_id() with a null rmconf at line 327.

   315  #ifdef HAVE_GSSAPI
   316          if (sa->gssid != NULL)
   317                  plog(LLV_DEBUG, LOCATION, NULL, "gss id in new sa 
'%.*s'\n",
   318                      (int)sa->gssid->l, sa->gssid->v);
   319          if (iph1->side == INITIATOR) {
   320                  if (iph1->rmconf->proposal->gssid != NULL)
   321                          iph1->gi_i = 
vdup(iph1->rmconf->proposal->gssid);
   322                  if (sa->gssid != NULL)
   323                          iph1->gi_r = vdup(sa->gssid);
   324          } else {
   325                  if (sa->gssid != NULL) {
   326                          iph1->gi_r = vdup(sa->gssid);
   327                          iph1->gi_i = gssapi_get_id(iph1);
   328                  }
   329          }



-- System Information:
Debian Release: wheezy/sid
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.39-2-amd64 (SMP w/1 CPU core)
Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages racoon depends on:
ii  debconf [debconf-2.0]  1.5.40               
ii  ipsec-tools            1:0.8.0-8            
ii  libc6                  2.13-21              
ii  libcomerr2             1.42~WIP-2011-07-02-1
ii  libgssapi-krb5-2       1.9.1+dfsg-1+b1      
ii  libk5crypto3           1.9.1+dfsg-1+b1      
ii  libkrb5-3              1.9.1+dfsg-1+b1      
ii  libldap-2.4-2          2.4.25-3             
ii  libpam0g               1.1.3-2              
ii  libssl1.0.0            1.0.0e-2             
ii  perl                   5.12.4-4             

racoon recommends no packages.

racoon suggests no packages.

-- Configuration Files:
/etc/racoon/psk.txt [Errno 13] Permission denied: u'/etc/racoon/psk.txt'
/etc/racoon/racoon.conf changed:
log info;
remote anonymous {
        exchange_mode main;
        lifetime time 480 minute;
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method gssapi_krb;
                gss_id "wheezy1$@XXXX";
                dh_group 2;
        }
}
 
sainfo anonymous {
        lifetime time 60 minute;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
/etc/ipsec-tools.conf changed:
#!/usr/sbin/setkey -f
flush;
spdflush;
## security policy
spdadd 172.22.22.111 172.22.22.123 any -P in ipsec esp/transport//require 
ah/transport//require;
spdadd 172.22.22.123 172.22.22.111 any -P out ipsec esp/transport//require 
ah/transport//require;


-- debconf information:
* racoon/config_mode: direct



-- 
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]

Reply via email to