Hello, I have a following setup: racoon from ipsec-tools-0.8.0, privsep is enabled, on *any* new incoming connection (INITIAL-CONTACT) racoon segfaults: May 27 16:44:13 [racoon] INFO: respond new phase 1 negotiation: 10.50.0.89[500]<=>10.51.15.126[500]_ May 27 16:44:13 [racoon] INFO: begin Identity Protection mode._ May 27 16:44:13 [racoon] INFO: received Vendor ID: DPD_ May 27 16:44:13 [racoon] WARNING: CERT validation disabled by configuration_ May 27 16:44:13 [racoon] INFO: ISAKMP-SA established 10.50.0.89[500]-10.51.15.126[500] spi:e018f61cc1ff7c11:894fe14faf0969f2_ May 27 16:44:13 [racoon] [10.51.15.126] INFO: received INITIAL-CONTACT_ May 27 16:44:13 [racoon] ERROR: privsep_socket: unauthorized domain (15)_ May 27 16:44:13 [racoon] INFO: racoon privileged process 29659 terminated_ May 27 16:44:13 [kernel] racoon[29686]: segfault at 10 ip 0000000000423ab6 sp 00007fffefd5a010 error 4 in racoon[400000+94000] Even without chroot this crash is reproducible, with privsep completely disabled racoon works normally. I use only AH tunelling for this connection. Older racoon from ipsec-tools-0.7.3-r1 works fine under the same conditions. Bug is reported upstream, I found similar report, but with no reply: https://sourceforge.net/mailarchive/message.php?msg_id=27864382 This problem may have severe security implications: 1) This is a remote DoS. 2) Arbitrary code execution may be possible, scope is unknown. 3) Strong security measure — privsep — become unusable and useless.
Created attachment 313331 [details] racoon.conf Config file used. Any option in privsep section is sufficient to reproduce problem. Of course, racoon user and chroot environment are created properly according to the racoon.conf manual.
Created attachment 313333 [details] emerge --info
And I rebuilt it with CFLAGS="-O2" LDFLAGS="" with the same result.
I'm sorry for the delay in responding, but I've tried to reproduce this now several times with different permutations and I can't no matter what I do. Under all conditions, I get the privsep working. Can you please test again and see if you still have this problem. Please upload your emerge --info again bececause the file you attached is corrupted. In fact, don't upload it as an attachment, rather just run the following emerge --info ipsec-tools and cut and paste directly into the text area. Thanks.
Okay I'm going to close this since I can't reproduce it. If you want me to continue pursuing this issue, please reopen and we'll work through the issue.
Created attachment 318562 [details] emerge --info Hmm, sorry, original emerge --info is indeed broken somehow. I'm uploading a new file. I upload it as a file because it is rather large and I don't want to flood a discussion branch.
I'll try to reproduce this in a while. Please understand that in order to reproduce this I need to broke setup of some host and its connectability.
I still have the same issue with racoon from ipsec-tools-0.8.0-r3: Jul 19 04:01:43 [racoon] INFO: caught signal 15_ Jul 19 04:01:43 [racoon] INFO: racoon process 20687 shutdown_ Jul 19 04:01:44 [racoon] INFO: @(#)ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net)_ Jul 19 04:01:44 [racoon] INFO: @(#)This product linked OpenSSL 1.0.0i 19 Apr 2012 (http://www.openssl.org/)_ Jul 19 04:01:44 [racoon] INFO: Reading configuration from "/etc/racoon/racoon.conf"_ Jul 19 04:01:44 [racoon] INFO: 10.50.0.89[500] used for NAT-T_ Jul 19 04:01:44 [racoon] INFO: 10.50.0.89[500] used as isakmp port (fd=8)_ Jul 19 04:01:44 [racoon] INFO: racoon privileged process running with PID 12236_ Jul 19 04:01:44 [racoon] INFO: racoon unprivileged process running with PID 12263_ Jul 19 04:01:59 [racoon] INFO: respond new phase 1 negotiation: 10.50.0.89[500]<=>10.51.15.126[500]_ Jul 19 04:01:59 [racoon] INFO: begin Identity Protection mode._ Jul 19 04:01:59 [racoon] INFO: received Vendor ID: DPD_ Jul 19 04:01:59 [racoon] WARNING: CERT validation disabled by configuration_ Jul 19 04:01:59 [racoon] INFO: ISAKMP-SA established 10.50.0.89[500]-10.51.15.126[500] spi:1f1efbdbe607fd37:1c97fdd96fac9b3f_ Jul 19 04:01:59 [racoon] [10.51.15.126] INFO: received INITIAL-CONTACT_ Jul 19 04:01:59 [racoon] ERROR: privsep_socket: unauthorized domain (15)_ Jul 19 04:01:59 [racoon] INFO: racoon privileged process 12236 terminated_ Jul 19 04:01:59 [kernel] racoon[12263]: segfault at 10 ip 00000000004238a8 sp 00007fff441266b0 error 4 in racoon[400000+94000] racoon.conf is the same as in the first post.
Steps to reproduce: 0) You need either third host C with non-ipsec access to A and B hosts or direct physical/kvm/ilo access to both A and B host. 1) Stop racoon on both sides (A and B) of ipsec connection. 2) rc-config start racoon on A. 3) rc-config start racoon on B. 4) on B: ping A 5) Segfault on A! I recompiled racoon with CFLAGS="-ggdb" FEATURES="splitdebug" and managed to get gdb backtrace on host A: #0 0x000000000042ee8a in rec_fd (s=11) at privsep.c:1574 #1 0x000000000042df41 in privsep_socket (domain=15, type=3, protocol=2) at privsep.c:1144 #2 0x000000000042fa96 in pfkey_dump_sadb (satype=0) at pfkey.c:312 #3 0x0000000000427d63 in isakmp_info_recv_initialcontact (iph1=0x19f4f20, protectedph2=0x0) at isakmp_inf.c:1305 #4 0x0000000000425fbe in isakmp_info_recv_n (iph1=0x19f4f20, notify=0x19ebc40, msgid=2587936451, encrypted=1) at isakmp_inf.c:411 #5 0x0000000000425af2 in isakmp_info_recv (iph1=0x19f4f20, msg0=0x19f54c0) at isakmp_inf.c:294 #6 0x000000000040980c in isakmp_main (msg=0x19f54c0, remote=0x7fff56e3dc90, local=0x7fff56e3dc10) at isakmp.c:652 #7 0x0000000000408dbd in isakmp_handler (ctx=0x0, so_isakmp=8) at isakmp.c:377 #8 0x0000000000408021 in session () at session.c:325 #9 0x000000000040757b in main (ac=4, av=0x7fff56e3ef18) at main.c:345
Looks like I found why you were unable to reproduce this bug. It is essential that ipsec mode between A and B host must be tunnel — it works in transport mode, though I need (and use) tunnel in my setup. Mine ipsec.conf on A host (which crashes): #!/usr/sbin/setkey -f flush; spdflush; spdadd B A any -P in ipsec ah/transport/B-A/require; spdadd A B any -P out ipsec ah/transport/A-B/require; IPs are replaced by A and B respectively. B host has the same setup with in and out policies switched.
Uhh, sorry, that was a _working_ sample from my latest test. The following sample leads to crash: #!/usr/sbin/setkey -f flush; spdflush; spdadd B A any -P in ipsec ah/tunnel/B-A/require; spdadd A B any -P out ipsec ah/tunnel/A-B/require;
Sorry again, just ignore my two previous posts: during tests I forgot to reenable privsep, so racoon have not crashed. With privsep enabled racoon crashes regardles to mode set.
(In reply to comment #6) > Created attachment 318562 [details] > emerge --info > > Hmm, sorry, original emerge --info is indeed broken somehow. > I'm uploading a new file. I upload it as a file because it is rather large > and I don't want to flood a discussion branch. Thanks, but what I need is emerge --info ipsec-tools so I can see your flags. BTW, your stack trace is useful and shows me where the seg fault occurs, but I'm not sure why and I don't hit it.
net-firewall/ipsec-tools-0.8.0-r3 was built with the following: USE="idea ipv6 kerberos ldap (multilib) nat pam rc5 readline -hybrid (-selinux) -stats"
Hmm, now on another host I have (after an update to 0.8.0-r3): Jul 25 05:01:31 localhost racoon: INFO: respond new phase 1 negotiation: 10.51.15.126[500]<=>10.50.0.89[500] Jul 25 05:01:31 localhost racoon: INFO: begin Identity Protection mode. Jul 25 05:01:31 localhost racoon: INFO: received Vendor ID: DPD Jul 25 05:01:31 localhost racoon: WARNING: CERT validation disabled by configuration Jul 25 05:01:31 localhost racoon: INFO: ISAKMP-SA established 10.51.15.126[500]-10.50.0.89[500] spi:e23d5d5f5de8e777:0a56c8a0b9188829 Jul 25 05:01:31 localhost racoon: [10.50.0.89] INFO: received INITIAL-CONTACT Jul 25 05:01:31 localhost racoon: ERROR: privsep_socket: unauthorized domain (15) Jul 25 05:01:31 localhost racoon: INFO: racoon privileged process 4985 terminated And racoon process exits.
Created attachment 319158 [details] emerge --info from another host And I have a segfault here just, it just doesn't appear in the logs, but gdb confirms this. racoon.conf is the essentially the same, the only difference is in rsa-plain keys provided.
Backtrace on the second host is the same: #0 0x000000000042b4ac in rec_fd (s=11) at privsep.c:1574 #1 0x000000000042a563 in privsep_socket (domain=15, type=3, protocol=2) at privsep.c:1144 #2 0x000000000042c0b6 in pfkey_dump_sadb (satype=0) at pfkey.c:312 #3 0x0000000000426447 in isakmp_info_recv_initialcontact (iph1=0x82c730, protectedph2=0x0) at isakmp_inf.c:1305 #4 0x00000000004246a2 in isakmp_info_recv_n (iph1=0x82c730, notify=0x836530, msgid=845254017, encrypted=1) at isakmp_inf.c:411 #5 0x00000000004241d6 in isakmp_info_recv (iph1=0x82c730, msg0=0x82f8e0) at isakmp_inf.c:294 #6 0x0000000000408be9 in isakmp_main (msg=0x82f8e0, remote=0x7fff1e54f820, local=0x7fff1e54f7a0) at isakmp.c:652 #7 0x000000000040819a in isakmp_handler (ctx=0x0, so_isakmp=8) at isakmp.c:377 #8 0x00000000004073fe in session () at session.c:325 #9 0x000000000040697b in main (ac=4, av=0x7fff1e550aa8) at main.c:345
I have no idea why I can't hit this. I set up two virtual machines, I even called them subaru and orion. Generated keys. Set up a user account racoon. Got the privilege drop and it worked. I don't want to give up, but I still can't see what we're doing differently. Sorry :( Nonetheless, I'm certina there's something there because you can reliably reproduce it and you've even bumped glibc during the duration of this bug. I googled in the hopes that someone else might have hit this, but the only thing I keep finding is your upstream bug.
Grasping at straws here. Can you tell me what you have at the following and how they were generated. I want to get a precise reproduction to eliminate extra factors: /etc/racoon/certs /etc/racoon/script subaru.priv orionis.pub and on the other host orionis.priv subaru.pub
Hello, (In reply to comment #18) > I have no idea why I can't hit this. I set up two virtual machines, I even > called them subaru and orion. The second one is "orionis", but this should not matter ;-) > Generated keys. Set up a user account > racoon. Got the privilege drop and it worked. I don't want to give up, but > I still can't see what we're doing differently. Sorry :( Nonetheless, I'm > certina there's something there because you can reliably reproduce it and > you've even bumped glibc during the duration of this bug. I planned to perform a full debug: not just a backtrace, but to see step-by-step what is going on, what is wrong and probably what differs from 0.7.3, where everything works for me. But ATM I'm far away from these boxes and have only a very slow and expensive ssh link to them, it is hardly possible to do debugging under such conditions. I'll be back at September, so I'll try to debug this case more thoroughly. > I googled in the hopes that someone else might have hit this, but the only > thing I keep finding is your upstream bug. As I mentioned in my first post, there is another report with a similar issue, without any solution: http://sourceforge.net/mailarchive/message.php?msg_id=27864382 At the very least I'm not the only one stumbling an this. (In reply to comment #19) > Grasping at straws here. Can you tell me what you have at the following and > how they were generated. All keys were generated using: plainrsa-gen -b 4096 -f outfile.priv Sorry, I can't upload private keys now, becuase I can't change them until September. Though, I changed them in the past and this hadn't affected this issue. > I want to get a precise reproduction to eliminate > extra factors: > > /etc/racoon/certs > /etc/racoon/script I have nothing in the scripts directory. There is one change in the certs, though: in 0.7.3 it was possible to use multiple peers_certificate options per single remote statement, so I had multiple *.pub files in the certs directory on orionis, but in 0.8.0 it is possible no longer. That's why after an upgrade on orionis I use single res.pub file with all public keys for all hosts in this file. > subaru.priv > orionis.pub > > and on the other host > > orionis.priv > subaru.pub I'll upload shortly all content of my /etc/racoon and chroot directories for both hosts, except for *.priv files, where private records were removed.
Created attachment 319808 [details] racoon.tar.xz Full /etc/racoon and chroot directories for both subaru and orionis hosts, except for *.priv files.
(In reply to comment #21) > Created attachment 319808 [details] > racoon.tar.xz > > Full /etc/racoon and chroot directories for both subaru and orionis hosts, > except for *.priv files. I still haven't forgotten about this one! Can you test ipsec-tools-0.8.1 which I added to the tree a few days ago. Let me know if this is still an issue.
(In reply to Anthony Basile from comment #22) > (In reply to comment #21) > > Created attachment 319808 [details] > > racoon.tar.xz > > > > Full /etc/racoon and chroot directories for both subaru and orionis hosts, > > except for *.priv files. > > I still haven't forgotten about this one! > > Can you test ipsec-tools-0.8.1 which I added to the tree a few days ago. > Let me know if this is still an issue. we're up to 0.8.1. I never did hit the seg fault of comment 0. Let's reopen if we get more information.