Reported by: Jörg Kost <joerg.kost@gmx.com>
Date: Sun, 26 Aug 2007 22:24:01 UTC
Severity: normal
Tags: patch, wontfix
Found in version ipsec-tools/1:0.6.7-1
Fixed in version ipsec-tools/1:0.7.1-1.1
Done: Stefan Bauer <stefan.bauer@cubewerk.de>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Ganesan Rajagopal <rganesan@debian.org>:
Bug#439729; Package racoon.
Acknowledgement sent to Jörg Kost <joerg.kost@gmx.com>:
New Bug report received and forwarded. Copy sent to Ganesan Rajagopal <rganesan@debian.org>.
Message #5 received at submit@bugs.debian.org:
Package: racoon
Version: 1:0.6.7-1
Severity: normal
racoon 0.6.7-1 in testing and 0.6.6 in etch seem to have a bug in handling
phase II. The original racoon package from sf in version 0.6.6/0.6.7 works
fine with the following config; the debian version complains about failing
to get the sainfo.
Shortened form of racoon.conf:
    remote 172.16.128.21 {
        exchange_mode main;
        proposal {
            encryption_algorithm 3des;
            hash_algorithm md5;
            authentication_method pre_shared_key;
            dh_group modp1024;
        }
    }
    sainfo address 172.16.128.31 any address 172.16.128.21 any {
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
    }
from ipsec.conf:
    flush;
    spdflush;
    spdadd 172.16.128.31 172.16.128.21 any -P out ipsec esp/transport//require;
    spdadd 172.16.128.21 172.16.128.31 any -P in ipsec esp/transport//require;
Now after the ISAKMP-SA is established, the debian version went on
like this:
2007-08-26 23:35:19: INFO: ISAKMP-SA established 172.16.128.31
[500]-172.16.128.21[500] spi:7cc1b306fd24cd02:7d868e936f5019db
2007-08-26 23:35:19: DEBUG: ===
2007-08-26 23:35:20: DEBUG: ===
2007-08-26 23:35:20: DEBUG: 124 bytes message received from
172.16.128.21[500] to 172.16.128.31[500]
2007-08-26 23:35:20: DEBUG:
7cc1b306 fd24cd02 7d868e93 6f5019db 08102001 f0ecac9b 0000007c 3c7c74e3
e43dba89 fab316d7 c4e01a80 cf0cf486 27bba696 7d103713 0a3f8c13 eda5986d
bdb63997 94b40b4d a685f322 1ad5fe69 a138ed92 2fcee7d3 43a2b9d4 be72a902
4e00de0b 4cc856cf 84a5c88f 6422d989 19d3f0cb 5394801a 2f9bd2af
2007-08-26 23:35:20: DEBUG: compute IV for phase2
2007-08-26 23:35:20: DEBUG: phase1 last IV:
2007-08-26 23:35:20: DEBUG:
b566ac89 dc920136 f0ecac9b
2007-08-26 23:35:20: DEBUG: hash(md5)
2007-08-26 23:35:20: DEBUG: encryption(3des)
2007-08-26 23:35:20: DEBUG: phase2 IV computed:
2007-08-26 23:35:20: DEBUG:
ba7ed423 15aa2b3a
2007-08-26 23:35:20: DEBUG: ===
2007-08-26 23:35:20: INFO: respond new phase 2 negotiation:
172.16.128.31[500]<=>172.16.128.21[500]
2007-08-26 23:35:20: DEBUG: begin decryption.
2007-08-26 23:35:20: DEBUG: encryption(3des)
2007-08-26 23:35:20: DEBUG: IV was saved for next processing:
2007-08-26 23:35:20: DEBUG:
5394801a 2f9bd2af
2007-08-26 23:35:20: DEBUG: encryption(3des)
2007-08-26 23:35:20: DEBUG: with key:
2007-08-26 23:35:20: DEBUG:
789536c6 2387c93a f8a4d5b7 2734be98 1678c6c9 2ce8a0c3
2007-08-26 23:35:20: DEBUG: decrypted payload by IV:
2007-08-26 23:35:20: DEBUG:
ba7ed423 15aa2b3a
2007-08-26 23:35:20: DEBUG: decrypted payload, but not trimed.
2007-08-26 23:35:20: DEBUG:
01000014 b05512cf 0e398c04 d1e6ad28 945d88e7 0a000030 00000001 00000001
00000024 01030401 029dafda 00000018 01030000 80010001 80027080 80040002
80050001 00000014 d77d53c7 c48378f9 19a47033 55e4d8be 00000000 00000008
2007-08-26 23:35:20: DEBUG: padding len=8
2007-08-26 23:35:20: DEBUG: skip to trim padding.
2007-08-26 23:35:20: DEBUG: decrypted.
2007-08-26 23:35:20: DEBUG:
7cc1b306 fd24cd02 7d868e93 6f5019db 08102001 f0ecac9b 0000007c 01000014
b05512cf 0e398c04 d1e6ad28 945d88e7 0a000030 00000001 00000001 00000024
01030401 029dafda 00000018 01030000 80010001 80027080 80040002 80050001
00000014 d77d53c7 c48378f9 19a47033 55e4d8be 00000000 00000008
2007-08-26 23:35:20: DEBUG: begin.
2007-08-26 23:35:20: DEBUG: seen nptype=8(hash)
2007-08-26 23:35:20: DEBUG: seen nptype=1(sa)
2007-08-26 23:35:20: DEBUG: seen nptype=10(nonce)
2007-08-26 23:35:20: DEBUG: succeed.
2007-08-26 23:35:20: DEBUG: HASH(1) validate:2007-08-26 23:35:20: DEBUG:
b05512cf 0e398c04 d1e6ad28 945d88e7
2007-08-26 23:35:20: DEBUG: HASH with:
2007-08-26 23:35:20: DEBUG:
f0ecac9b 0a000030 00000001 00000001 00000024 01030401 029dafda 00000018
01030000 80010001 80027080 80040002 80050001 00000014 d77d53c7 c48378f9
19a47033 55e4d8be
2007-08-26 23:35:20: DEBUG: hmac(hmac_md5)
2007-08-26 23:35:20: DEBUG: HASH computed:
2007-08-26 23:35:20: DEBUG:
b05512cf 0e398c04 d1e6ad28 945d88e7
2007-08-26 23:35:20: ERROR: failed to get sainfo.
2007-08-26 23:35:20: ERROR: failed to get sainfo.
2007-08-26 23:35:20: ERROR: failed to pre-process packet
while the original version goes on and sets up the ipsec-transport
(output truncated):
2007-08-26 23:34:18: DEBUG: ===
2007-08-26 23:34:18: DEBUG: ===
2007-08-26 23:34:18: DEBUG: 84 bytes message received from
172.16.128.21[500] to 172.16.128.31[500]
2007-08-26 23:34:18: DEBUG:
893dc5b9 de0d38fa b13b3e90 df6c9faa 08100501 c19a3627 00000054 c9c9af23
9143afa4 f4bce8ee ce090999 34641a5f c9096d46 7ab369ba ead4ccab f41adeb4
59a0365a c56c839a 349df162 3ab06c32 439baa88
2007-08-26 23:34:18: DEBUG: receive Information.
2007-08-26 23:34:18: DEBUG: compute IV for phase2
2007-08-26 23:34:18: DEBUG: phase1 last IV:
2007-08-26 23:34:18: DEBUG:
ae8c986e 4aadb77f c19a3627
2007-08-26 23:34:18: DEBUG: hash(md5)
2007-08-26 23:34:18: DEBUG: encryption(3des)
2007-08-26 23:34:18: DEBUG: phase2 IV computed:
2007-08-26 23:34:18: DEBUG:
5e1864e8 9ff972c0
2007-08-26 23:34:18: DEBUG: begin decryption.
2007-08-26 23:34:18: DEBUG: encryption(3des)
2007-08-26 23:34:18: DEBUG: IV was saved for next processing:
2007-08-26 23:34:18: DEBUG:
3ab06c32 439baa88
2007-08-26 23:34:18: DEBUG: encryption(3des)
2007-08-26 23:34:18: DEBUG: with key:
2007-08-26 23:34:18: DEBUG:
6a93b985 9ba41828 483d52ac 49c76888 29d69fc0 4af2d293
2007-08-26 23:34:18: DEBUG: decrypted payload by IV:
2007-08-26 23:34:18: DEBUG:
5e1864e8 9ff972c0
2007-08-26 23:34:18: DEBUG: decrypted payload, but not trimed.
2007-08-26 23:34:18: DEBUG:
0b000014 a7e11868 73de6136 c52176b0 31dca94c 0000001c 00000001 01106002
893dc5b9 de0d38fa b13b3e90 df6c9faa 00000000 00000008
2007-08-26 23:34:18: DEBUG: padding len=8
2007-08-26 23:34:18: DEBUG: skip to trim padding.
2007-08-26 23:34:18: DEBUG: decrypted.
2007-08-26 23:34:18: DEBUG:
893dc5b9 de0d38fa b13b3e90 df6c9faa 08100501 c19a3627 00000054 0b000014
a7e11868 73de6136 c52176b0 31dca94c 0000001c 00000001 01106002 893dc5b9
de0d38fa b13b3e90 df6c9faa 00000000 00000008
2007-08-26 23:34:18: DEBUG: HASH with:
2007-08-26 23:34:18: DEBUG:
c19a3627 0000001c 00000001 01106002 893dc5b9 de0d38fa b13b3e90 df6c9faa
2007-08-26 23:34:18: DEBUG: hmac(hmac_md5)
2007-08-26 23:34:18: DEBUG: HASH computed:
2007-08-26 23:34:18: DEBUG:
a7e11868 73de6136 c52176b0 31dca94c
2007-08-26 23:34:18: DEBUG: hash validated.
2007-08-26 23:34:18: DEBUG: begin.
2007-08-26 23:34:18: DEBUG: seen nptype=8(hash)
2007-08-26 23:34:18: DEBUG: seen nptype=11(notify)
2007-08-26 23:34:18: DEBUG: succeed.
2007-08-26 23:34:18: DEBUG: call pfkey_send_dump
2007-08-26 23:34:18: DEBUG: notification message 24578:INITIAL-
CONTACT, doi=1 proto_id=1 spi=893dc5b9de0d38fa b13b3e90df6c9faa
(size=16).
2007-08-26 23:34:19: DEBUG: ===
2007-08-26 23:34:19: DEBUG: 124 bytes message received from
172.16.128.21[500] to 172.16.128.31[500]
2007-08-26 23:34:19: DEBUG:
893dc5b9 de0d38fa b13b3e90 df6c9faa 08102001 3aecdcde 0000007c 825afbd7
b5411b4b 3219d715 8ca39e7b 4f3fe4bd 946df4ab 64024af5 51908966 c1221570
cf9e697f e9c9c698 07ae88eb 184123ce aebb9dc9 bc9a3629 2807b5fd a24f8df8
ef05af95 9cf852da 2f88555b d2609b5d 991397d0 54089018 7fb97264
2007-08-26 23:34:19: DEBUG: compute IV for phase2
2007-08-26 23:34:19: DEBUG: phase1 last IV:
2007-08-26 23:34:19: DEBUG:
ae8c986e 4aadb77f 3aecdcde
2007-08-26 23:34:19: DEBUG: hash(md5)
2007-08-26 23:34:19: DEBUG: encryption(3des)
2007-08-26 23:34:19: DEBUG: phase2 IV computed:
2007-08-26 23:34:19: DEBUG:
51ce0e11 d9a15dab
2007-08-26 23:34:19: DEBUG: ===
2007-08-26 23:34:19: INFO: respond new phase 2 negotiation:
172.16.128.31[0]<=>172.16.128.21[0]
2007-08-26 23:34:19: DEBUG: begin decryption.
2007-08-26 23:34:19: DEBUG: encryption(3des)
2007-08-26 23:34:19: DEBUG: IV was saved for next processing:
2007-08-26 23:34:19: DEBUG:
54089018 7fb97264
2007-08-26 23:34:19: DEBUG: encryption(3des)
2007-08-26 23:34:19: DEBUG: with key:
2007-08-26 23:34:19: DEBUG:
6a93b985 9ba41828 483d52ac 49c76888 29d69fc0 4af2d293
2007-08-26 23:34:19: DEBUG: decrypted payload by IV:
2007-08-26 23:34:19: DEBUG:
51ce0e11 d9a15dab
2007-08-26 23:34:19: DEBUG: decrypted payload, but not trimed.
2007-08-26 23:34:19: DEBUG:
01000014 17e68cb6 ff8a666e bad84c87 88e67b22 0a000030 00000001 00000001
00000024 01030401 004e1853 00000018 01030000 80010001 80027080 80040002
80050001 00000014 a6c9e691 26935792 99fb07eb e2b9377a 00000000 00000008
2007-08-26 23:34:19: DEBUG: padding len=8
2007-08-26 23:34:19: DEBUG: skip to trim padding.
2007-08-26 23:34:19: DEBUG: decrypted.
2007-08-26 23:34:19: DEBUG:
893dc5b9 de0d38fa b13b3e90 df6c9faa 08102001 3aecdcde 0000007c 01000014
17e68cb6 ff8a666e bad84c87 88e67b22 0a000030 00000001 00000001 00000024
01030401 004e1853 00000018 01030000 80010001 80027080 80040002 80050001
00000014 a6c9e691 26935792 99fb07eb e2b9377a 00000000 00000008
2007-08-26 23:34:19: DEBUG: begin.
2007-08-26 23:34:19: DEBUG: seen nptype=8(hash)
2007-08-26 23:34:19: DEBUG: seen nptype=1(sa)
2007-08-26 23:34:19: DEBUG: seen nptype=10(nonce)
2007-08-26 23:34:19: DEBUG: succeed.
2007-08-26 23:34:19: DEBUG: HASH(1) validate:2007-08-26 23:34:19: DEBUG:
17e68cb6 ff8a666e bad84c87 88e67b22
2007-08-26 23:34:19: DEBUG: HASH with:
2007-08-26 23:34:19: DEBUG:
3aecdcde 0a000030 00000001 00000001 00000024 01030401 004e1853 00000018
01030000 80010001 80027080 80040002 80050001 00000014 a6c9e691 26935792
99fb07eb e2b9377a
2007-08-26 23:34:19: DEBUG: hmac(hmac_md5)
2007-08-26 23:34:19: DEBUG: HASH computed:
2007-08-26 23:34:19: DEBUG:
17e68cb6 ff8a666e bad84c87 88e67b22
2007-08-26 23:34:19: DEBUG: get sa info:
2007-08-26 23:34:19: DEBUG: get a destination address of SP index
from phase1 address due to no ID payloads found OR because ID type is
not address.
2007-08-26 23:34:19: DEBUG: get a source address of SP index from
phase1 address due to no ID payloads found OR because ID type is not
address.
2007-08-26 23:34:19: DEBUG: get a src address from ID payload
172.16.128.21[0] prefixlen=32 ul_proto=0
2007-08-26 23:34:19: DEBUG: get dst address from ID payload
172.16.128.31[0] prefixlen=32 ul_proto=0
2007-08-26 23:34:19: DEBUG: sub:0xbf9278c0: 172.16.128.21/32[0]
172.16.128.31/32[0] proto=any dir=in
2007-08-26 23:34:19: DEBUG: db: 0x80b1fb8: 172.16.128.21/32[0]
172.16.128.31/32[0] proto=any dir=in
2007-08-26 23:34:19: DEBUG: 0xbf9278c0 masked with /32: 172.16.128.21[0]
2007-08-26 23:34:19: DEBUG: 0x80b1fb8 masked with /32: 172.16.128.21[0]
2007-08-26 23:34:19: DEBUG: 0xbf9278c0 masked with /32: 172.16.128.31[0]
2007-08-26 23:34:19: DEBUG: 0x80b1fb8 masked with /32: 172.16.128.31[0]
2007-08-26 23:34:19: DEBUG: sub:0xbf9278c0: 172.16.128.31/32[0]
172.16.128.21/32[0] proto=any dir=out
2007-08-26 23:34:19: DEBUG: db: 0x80b1fb8: 172.16.128.21/32[0]
172.16.128.31/32[0] proto=any dir=in
2007-08-26 23:34:19: DEBUG: sub:0xbf9278c0: 172.16.128.31/32[0]
172.16.128.21/32[0] proto=any dir=out
2007-08-26 23:34:19: DEBUG: db: 0x80b21f8: 172.16.128.31/32[0]
172.16.128.21/32[0] proto=any dir=out
2007-08-26 23:34:19: DEBUG: 0xbf9278c0 masked with /32: 172.16.128.31[0]
2007-08-26 23:34:19: DEBUG: 0x80b21f8 masked with /32: 172.16.128.31[0]
2007-08-26 23:34:19: DEBUG: 0xbf9278c0 masked with /32: 172.16.128.21[0]
2007-08-26 23:34:19: DEBUG: 0x80b21f8 masked with /32: 172.16.128.21[0]
2007-08-26 23:34:19: DEBUG: suitable SP found:172.16.128.31/32[0]
172.16.128.21/32[0] proto=any dir=out
2007-08-26 23:34:19: DEBUG: (proto_id=ESP spisize=4 spi=00000000
spi_p=00000000 encmode=Transport reqid=0:0)
2007-08-26 23:34:19: DEBUG: (trns_id=3DES encklen=0 authtype=hmac-md5)
2007-08-26 23:34:19: DEBUG: total SA len=44
2007-08-26 23:34:19: DEBUG:
00000001 00000001 00000024 01030401 004e1853 00000018 01030000 80010001
80027080 80040002 80050001
2007-08-26 23:34:19: DEBUG: begin.
-- System Information:
Debian Release: 4.0
APT prefers testing
APT policy: (500, 'testing'), (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-3-686
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Versions of packages racoon depends on:
ii debconf 1.5.11 Debian configuration management sy
ii ipsec-to 1:0.6.7-1 IPsec tools for Linux
ii libc6 2.6.1-1+b1 GNU C Library: Shared libraries
ii libcomer 1.39+1.40-WIP-2006.11.14+dfsg-2 common error description library
ii libkrb53 1.6.dfsg.1-6 MIT Kerberos runtime libraries
ii libpam0g 0.79-4 Pluggable Authentication Modules l
ii libssl0. 0.9.8e-6 SSL shared libraries
ii perl 5.8.8-7 Larry Wall's Practical Extraction
racoon recommends no packages.
-- debconf information:
* racoon/config_mode: direct
Information forwarded to debian-bugs-dist@lists.debian.org, Ganesan Rajagopal <rganesan@debian.org>:
Bug#439729; Package racoon.
Acknowledgement sent to Jörg Kost <joerg.kost@gmx.com>:
Extra info received and forwarded to list. Copy sent to Ganesan Rajagopal <rganesan@debian.org>.
Message #10 received at 439729@bugs.debian.org:
Hi, for better understanding I included the whole logfiles - one with the self-compiled racoon, one with Debian's version. Greetings, Joerg
[racoondeb.rtf (text/rtf, attachment)]
[racoondebnicht.rtf (text/rtf, attachment)]
Information forwarded to debian-bugs-dist@lists.debian.org, Ganesan Rajagopal <rganesan@debian.org>:
Bug#439729; Package racoon.
Acknowledgement sent to Philipp Matthias Hahn <pmhahn@debian.org>:
Extra info received and forwarded to list. Copy sent to Ganesan Rajagopal <rganesan@debian.org>.
Message #15 received at 439729@bugs.debian.org:
Package: racoon
Followup-For: Bug #439729
While experimenting with an IPSec setup, I had the same problem of
racoon not finding the SAinfo when the ipsec-0.7.1 site initiated the
connection. The reverse direction, with ipsec-0.6.6 starting the
connection, works fine.
I added some debugging output in src/racoon/sainfo.c:getsainfo() and
found the following:
    if (memcmp(src->v, s->idsrc->v, s->idsrc->l) == 0
        && memcmp(dst->v, s->iddst->v, s->iddst->l) == 0)
src->v[0..7] vs. s->idsrc->v[0..7]:
2008-09-15 10:04:36: DEBUG: PMH 0: 01 01
2008-09-15 10:04:36: DEBUG: PMH 1: 00 00
2008-09-15 10:04:36: DEBUG: PMH 2: 01 00 <=
2008-09-15 10:04:36: DEBUG: PMH 3: f4 00 <=
2008-09-15 10:04:36: DEBUG: PMH 4: 86 86
2008-09-15 10:04:36: DEBUG: PMH 5: 6a 6a
2008-09-15 10:04:36: DEBUG: PMH 6: 16 16
2008-09-15 10:04:36: DEBUG: PMH 7: 01 01
dst->v[0..7] vs. s->iddst->v[0..7]:
2008-09-15 10:04:36: DEBUG: PMH 0: 01 01
2008-09-15 10:04:36: DEBUG: PMH 1: 00 00
2008-09-15 10:04:36: DEBUG: PMH 2: 01 00 <=
2008-09-15 10:04:36: DEBUG: PMH 3: f4 00 <=
2008-09-15 10:04:36: DEBUG: PMH 4: 86 86
2008-09-15 10:04:36: DEBUG: PMH 5: 6a 6a
2008-09-15 10:04:36: DEBUG: PMH 6: 0d 0d
2008-09-15 10:04:36: DEBUG: PMH 7: aa aa
0x01f4 stands for udp-port 500, which is part of the received
identifier. The local configuration doesn't have this information, thus
having 0s in that location.
In 0.7.1 the comparison is changed to use ipsecdoi_chkcmpids(), which
excludes the ports and thus correctly compares the addresses.
--- ipsec-tools-0.6.6.orig/src/racoon/ipsec_doi.h
+++ ipsec-tools-0.6.6/src/racoon/ipsec_doi.h
@@ -201,6 +201,7 @@
extern vchar_t *get_sabyproppair __P((struct prop_pair *, struct ph1handle *));
extern int ipsecdoi_updatespi __P((struct ph2handle *iph2));
extern vchar_t *get_sabysaprop __P((struct saprop *, vchar_t *));
+extern int ipsecdoi_chkcmpids( const vchar_t *, const vchar_t *, int );
extern int ipsecdoi_checkid1 __P((struct ph1handle *));
extern int ipsecdoi_setid1 __P((struct ph1handle *));
extern int set_identifier __P((vchar_t **, int, vchar_t *));
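Review bot: the added prototype drops the `__P((...))` wrapper that every neighbouring declaration in this header uses, and the ipsec_doi.c part of the patch also adds `ipsecdoi_subnetisaddr_v4` and `ipsecdoi_subnetisaddr_v6` as external functions without declaring them here. Either declare all three in the same `__P` form, e.g. `extern int ipsecdoi_chkcmpids __P((const vchar_t *, const vchar_t *, int));`, or make the two subnet helpers `static` in ipsec_doi.c if they are only meant for internal use.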
--- ipsec-tools-0.6.6.orig/src/racoon/ipsec_doi.c
+++ ipsec-tools-0.6.6/src/racoon/ipsec_doi.c
@@ -3241,6 +3241,259 @@
}
/*
+ * Check if a subnet id is valid for comparison
+ * with an address id ( address length mask )
+ * and compare them
+ * Return value
+ * = 0 for match
+ * = 1 for mismatch
+ */
+
+int
+ipsecdoi_subnetisaddr_v4( subnet, address )
+ const vchar_t *subnet;
+ const vchar_t *address;
+{
+ struct in_addr *mask;
+
+ if (address->l != sizeof(struct in_addr))
+ return 1;
+
+ if (subnet->l != (sizeof(struct in_addr)*2))
+ return 1;
+
+ mask = (struct in_addr*)(subnet->v + sizeof(struct in_addr));
+
+ if (mask->s_addr!=0xffffffff)
+ return 1;
+
+ return memcmp(subnet->v,address->v,address->l);
+}
+
+#ifdef INET6
+
+int
+ipsecdoi_subnetisaddr_v6( subnet, address )
+ const vchar_t *subnet;
+ const vchar_t *address;
+{
+ struct in6_addr *mask;
+ int i;
+
+ if (address->l != sizeof(struct in6_addr))
+ return 1;
+
+ if (subnet->l != (sizeof(struct in6_addr)*2))
+ return 1;
+
+ mask = (struct in6_addr*)(subnet->v + sizeof(struct in6_addr));
+
+ for (i=0; i<16; i++)
+ if(mask->s6_addr[i]!=0xff)
+ return 1;
+
+ return memcmp(subnet->v,address->v,address->l);
+}
+
+#endif
+
+/*
+ * Check and Compare two IDs
+ * - specify 0 for exact if wildcards are allowed
+ * Return value
+ * = 0 for match
+ * = 1 for misatch
+ * = -1 for integrity error
+ */
+
+int
+ipsecdoi_chkcmpids( idt, ids, exact )
+ const vchar_t *idt; /* id cmp target */
+ const vchar_t *ids; /* id cmp source */
+ int exact;
+{
+ struct ipsecdoi_id_b *id_bt;
+ struct ipsecdoi_id_b *id_bs;
+ vchar_t ident_t;
+ vchar_t ident_s;
+ int result;
+
+ /* handle wildcard IDs */
+
+ if (idt == NULL || ids == NULL)
+ {
+ if( !exact )
+ {
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "check and compare ids : values matched (ANONYMOUS)\n" );
+ return 0;
+ }
+ else
+ {
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "check and compare ids : value mismatch (ANONYMOUS)\n" );
+ return -1;
+ }
+ }
+
+ /* make sure the ids are of the same type */
+
+ id_bt = (struct ipsecdoi_id_b *) idt->v;
+ id_bs = (struct ipsecdoi_id_b *) ids->v;
+
+ ident_t.v = idt->v + sizeof(*id_bt);
+ ident_t.l = idt->l - sizeof(*id_bt);
+ ident_s.v = ids->v + sizeof(*id_bs);
+ ident_s.l = ids->l - sizeof(*id_bs);
+
+ if (id_bs->type != id_bt->type)
+ {
+ /*
+ * special exception for comparing
+ * address to subnet id types when
+ * the netmask is address length
+ */
+
+ if ((id_bs->type == IPSECDOI_ID_IPV4_ADDR)&&
+ (id_bt->type == IPSECDOI_ID_IPV4_ADDR_SUBNET)) {
+ result = ipsecdoi_subnetisaddr_v4(&ident_t,&ident_s);
+ goto cmpid_result;
+ }
+
+ if ((id_bs->type == IPSECDOI_ID_IPV4_ADDR_SUBNET)&&
+ (id_bt->type == IPSECDOI_ID_IPV4_ADDR)) {
+ result = ipsecdoi_subnetisaddr_v4(&ident_s,&ident_t);
+ goto cmpid_result;
+ }
+
+#ifdef INET6
+ if ((id_bs->type == IPSECDOI_ID_IPV6_ADDR)&&
+ (id_bt->type == IPSECDOI_ID_IPV6_ADDR_SUBNET)) {
+ result = ipsecdoi_subnetisaddr_v6(&ident_t,&ident_s);
+ goto cmpid_result;
+ }
+
+ if ((id_bs->type == IPSECDOI_ID_IPV6_ADDR_SUBNET)&&
+ (id_bt->type == IPSECDOI_ID_IPV6_ADDR)) {
+ result = ipsecdoi_subnetisaddr_v6(&ident_s,&ident_t);
+ goto cmpid_result;
+ }
+#endif
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "check and compare ids : id type mismatch %s != %s\n",
+ s_ipsecdoi_ident(id_bs->type),
+ s_ipsecdoi_ident(id_bt->type));
+
+ return 1;
+ }
+
+ if(id_bs->proto_id != id_bt->proto_id){
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "check and compare ids : proto_id mismatch %d != %d\n",
+ id_bs->proto_id, id_bt->proto_id);
+
+ return 1;
+ }
+
+ /* compare the ID data. */
+
+ switch (id_bt->type) {
+ case IPSECDOI_ID_DER_ASN1_DN:
+ case IPSECDOI_ID_DER_ASN1_GN:
+ /* compare asn1 ids */
+ result = eay_cmp_asn1dn(&ident_t, &ident_s);
+ goto cmpid_result;
+
+ case IPSECDOI_ID_IPV4_ADDR:
+ /* validate lengths */
+ if ((ident_t.l != sizeof(struct in_addr))||
+ (ident_s.l != sizeof(struct in_addr)))
+ goto cmpid_invalid;
+ break;
+
+ case IPSECDOI_ID_IPV4_ADDR_SUBNET:
+ case IPSECDOI_ID_IPV4_ADDR_RANGE:
+ /* validate lengths */
+ if ((ident_t.l != (sizeof(struct in_addr)*2))||
+ (ident_s.l != (sizeof(struct in_addr)*2)))
+ goto cmpid_invalid;
+ break;
+
+#ifdef INET6
+ case IPSECDOI_ID_IPV6_ADDR:
+ /* validate lengths */
+ if ((ident_t.l != sizeof(struct in6_addr))||
+ (ident_s.l != sizeof(struct in6_addr)))
+ goto cmpid_invalid;
+ break;
+
+ case IPSECDOI_ID_IPV6_ADDR_SUBNET:
+ case IPSECDOI_ID_IPV6_ADDR_RANGE:
+ /* validate lengths */
+ if ((ident_t.l != (sizeof(struct in6_addr)*2))||
+ (ident_s.l != (sizeof(struct in6_addr)*2)))
+ goto cmpid_invalid;
+ break;
+#endif
+ case IPSECDOI_ID_FQDN:
+ case IPSECDOI_ID_USER_FQDN:
+ case IPSECDOI_ID_KEY_ID:
+ break;
+
+ default:
+ plog(LLV_ERROR, LOCATION, NULL,
+ "Unhandled id type %i specified for comparison\n",
+ id_bt->type);
+ return -1;
+ }
+
+ /* validate matching data and length */
+ if (ident_t.l == ident_s.l)
+ result = memcmp(ident_t.v,ident_s.v,ident_t.l);
+ else
+ result = 1;
+
+cmpid_result:
+
+ /* debug level output */
+ if(loglevel >= LLV_DEBUG) {
+ char *idstrt = ipsecdoi_id2str(idt);
+ char *idstrs = ipsecdoi_id2str(ids);
+
+ if (!result)
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "check and compare ids : values matched (%s)\n",
+ s_ipsecdoi_ident(id_bs->type) );
+ else
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "check and compare ids : value mismatch (%s)\n",
+ s_ipsecdoi_ident(id_bs->type));
+
+ plog(LLV_DEBUG, LOCATION, NULL, "cmpid target: \'%s\'\n", idstrt );
+ plog(LLV_DEBUG, LOCATION, NULL, "cmpid source: \'%s\'\n", idstrs );
+
+ racoon_free(idstrs);
+ racoon_free(idstrt);
+ }
+
+ /* return result */
+ if( !result )
+ return 0;
+ else
+ return 1;
+
+cmpid_invalid:
+
+ /* id integrity error */
+ plog(LLV_DEBUG, LOCATION, NULL, "check and compare ids : %s integrity error\n",
+ s_ipsecdoi_ident(id_bs->type));
+ plog(LLV_DEBUG, LOCATION, NULL, "cmpid target: length = \'%zu\'\n", ident_t.l );
+ plog(LLV_DEBUG, LOCATION, NULL, "cmpid source: length = \'%zu\'\n", ident_s.l );
+
+ return -1;
+}
+
+/*
* check the following:
* - In main mode with pre-shared key, only address type can be used.
* - if proper type for phase 1 ?
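Review bot: `ident_t.l = idt->l - sizeof(*id_bt);` and its `ident_s` twin are computed, and `id_bt->type` / `id_bs->type` are read, before anything checks that either vchar is at least `sizeof(struct ipsecdoi_id_b)` long, so an ID payload from the peer that is shorter than the 4-byte header wraps the size_t length and reads past the buffer; add a length check right after the casts that returns -1 through the existing integrity-error path. Two smaller points: the ANONYMOUS branch returns -1 when `exact` is set although the function comment reserves -1 for integrity errors and 1 for a mismatch, so that comment or that return should change, and "misatch" in the same comment is a typo.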
--- ipsec-tools-0.6.6.orig/src/racoon/sainfo.c
+++ ipsec-tools-0.6.6/src/racoon/sainfo.c
@@ -93,7 +93,7 @@
if (s->id_i != NULL) {
if (pass == 2)
continue;
- if (memcmp(peer->v, s->id_i->v, s->id_i->l) != 0)
+ if (ipsecdoi_chkcmpids(peer, s->id_i, 0))
continue;
} else if (pass == 1)
continue;
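Review bot: `if (ipsecdoi_chkcmpids(peer, s->id_i, 0))` folds the new function's -1 (integrity error) into the same `continue` as a plain mismatch, so a malformed ID now silently skips this sainfo entry where the old `memcmp` line had no such third outcome; test for `< 0` separately and log it. Passing `exact` as 0 also means a NULL `peer` is now reported as a wildcard match against every `id_i` rather than being passed to `memcmp`; confirm that wildcard is intended at this call site.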
@@ -109,8 +198,9 @@
continue;
}
- if (memcmp(src->v, s->idsrc->v, s->idsrc->l) == 0
- && memcmp(dst->v, s->iddst->v, s->iddst->l) == 0)
+ /* compare the ids */
+ if (!ipsecdoi_chkcmpids(src, s->idsrc, 0) &&
+ !ipsecdoi_chkcmpids(dst, s->iddst, 0))
return s;
}
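Review bot: the hunk header `@@ -109,8 +198,9 @@` says the new file is 89 lines longer at this point, yet the only earlier hunk in sainfo.c is a one-for-one replacement, so these offsets look hand-edited or taken from a different tree and `patch` may reject or misplace the hunk; regenerate it with `diff -u` against the actual 0.6.6 source. As in the first sainfo.c hunk, `!ipsecdoi_chkcmpids(...)` treats the -1 integrity-error return the same as a mismatch, so the two comparisons should check for a negative result before the `return s`.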
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (989, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-1-686 (SMP w/1 CPU core)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages racoon depends on:
ii debconf [debconf-2.0] 1.5.23 Debian configuration management sy
ii ipsec-tools 1:0.7.1-1.1 IPsec tools for Linux
ii libc6 2.7-13 GNU C Library: Shared libraries
ii libcomerr2 1.41.1-3 common error description library
ii libkrb53 1.6.dfsg.4~beta1-4 MIT Kerberos runtime libraries
ii libpam0g 1.0.1-4 Pluggable Authentication Modules l
ii libssl0.9.8 0.9.8g-13 SSL shared libraries
ii perl 5.10.0-14 Larry Wall's Practical Extraction
racoon recommends no packages.
racoon suggests no packages.
-- debconf information:
* racoon/config_mode: direct
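The follow-up above shows why the 0.6.x comparison fails: the received ID payload body carries the port (0x01f4 = 500) in its header while the locally configured ID has 0 there, so a byte-for-byte memcmp over the whole body can never match. The following C program is an added example, not racoon's code, that puts the two 8-byte ID bodies quoted in the follow-up side by side and compares them first the 0.6.x way and then with a type-aware comparison of the kind the patch introduces: header length checked before it is read, type and proto_id compared, port ignored, and an address accepted as equal to a subnet ID whose mask is all ones. The struct layout and type values follow RFC 2407; the function names and the /32 subnet ID are this example's own.

```c
/*
 * Added example (not racoon's code): compare two ISAKMP ID payload bodies
 * the way ipsec-tools 0.6.x did (memcmp over the whole body, port included)
 * and the way the follow-up describes 0.7.1 doing it (type-aware, port
 * ignored, address-length subnet accepted as equal to a host address).
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* IPsec DOI ID types (RFC 2407 section 4.6.2.1). */
#define ID_IPV4_ADDR        1
#define ID_IPV4_ADDR_SUBNET 4

/* Fixed 4-byte header of an ID payload body; the ID data follows it. */
struct id_hdr {
    uint8_t  type;
    uint8_t  proto_id;
    uint16_t port;          /* network byte order, 0 = any */
};

/* The two bodies printed in the follow-up: the peer's ID carries
 * port 0x01f4 (500), the locally configured one has port 0. */
static const uint8_t peer_id[8]  = {0x01,0x00,0x01,0xf4,0x86,0x6a,0x16,0x01};
static const uint8_t local_id[8] = {0x01,0x00,0x00,0x00,0x86,0x6a,0x16,0x01};
/* Constructed for this example: the same address as a /32 subnet ID
 * (address followed by mask). */
static const uint8_t local_subnet_id[12] =
    {0x04,0x00,0x00,0x00, 0x86,0x6a,0x16,0x01, 0xff,0xff,0xff,0xff};

/* 0.6.x style comparison: 0 = match, 1 = mismatch. */
int cmp_ids_memcmp(const uint8_t *a, size_t alen,
                   const uint8_t *b, size_t blen)
{
    if (alen != blen)
        return 1;
    return memcmp(a, b, alen) != 0;
}

/* A subnet ID equals a host address only when its mask is all ones. */
static int subnet_is_addr_v4(const uint8_t *subnet, size_t slen,
                             const uint8_t *addr, size_t alen)
{
    static const uint8_t full_mask[4] = {0xff, 0xff, 0xff, 0xff};
    if (alen != 4 || slen != 8)
        return 1;
    if (memcmp(subnet + 4, full_mask, 4) != 0)
        return 1;
    return memcmp(subnet, addr, 4) != 0;
}

/* Type-aware comparison: 0 = match, 1 = mismatch, -1 = malformed ID.
 * The header length is validated before any header field is read. */
int cmp_ids(const uint8_t *a, size_t alen, const uint8_t *b, size_t blen)
{
    struct id_hdr ha, hb;
    const uint8_t *da, *db;
    size_t dlen_a, dlen_b;

    if (alen < sizeof ha || blen < sizeof hb)
        return -1;
    memcpy(&ha, a, sizeof ha);
    memcpy(&hb, b, sizeof hb);
    da = a + sizeof ha;  dlen_a = alen - sizeof ha;
    db = b + sizeof hb;  dlen_b = blen - sizeof hb;

    if (ha.proto_id != hb.proto_id)
        return 1;
    if (ha.type != hb.type) {
        /* address vs. address-length subnet is the one tolerated mix */
        if (ha.type == ID_IPV4_ADDR && hb.type == ID_IPV4_ADDR_SUBNET)
            return subnet_is_addr_v4(db, dlen_b, da, dlen_a);
        if (ha.type == ID_IPV4_ADDR_SUBNET && hb.type == ID_IPV4_ADDR)
            return subnet_is_addr_v4(da, dlen_a, db, dlen_b);
        return 1;
    }
    switch (ha.type) {
    case ID_IPV4_ADDR:
        if (dlen_a != 4 || dlen_b != 4) return -1;
        break;
    case ID_IPV4_ADDR_SUBNET:
        if (dlen_a != 8 || dlen_b != 8) return -1;
        break;
    default:
        return -1;          /* other ID types are outside this example */
    }
    /* ha.port and hb.port are deliberately never compared */
    return memcmp(da, db, dlen_a) != 0;
}

int main(void)
{
    printf("memcmp style: %d (1 = mismatch, the 0.6.x failure)\n",
           cmp_ids_memcmp(peer_id, sizeof peer_id, local_id, sizeof local_id));
    printf("type-aware  : %d (0 = match)\n",
           cmp_ids(peer_id, sizeof peer_id, local_id, sizeof local_id));
    printf("addr vs /32 : %d (0 = match)\n",
           cmp_ids(peer_id, sizeof peer_id,
                   local_subnet_id, sizeof local_subnet_id));
    return 0;
}
```

The length check at the top of cmp_ids is the one thing worth carrying over even into code that otherwise mirrors the patch: the ID header comes from the peer, so its type field must not be read until the payload is known to be long enough to hold it.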
Bug no longer marked as found in version 0.7.1-1.1.
Request was from Philipp Matthias Hahn <pmhahn@debian.org>
to control@bugs.debian.org.
(Mon, 15 Sep 2008 14:24:54 GMT)
Bug marked as fixed in version 0.7.1-1.1.
Request was from Philipp Matthias Hahn <pmhahn@debian.org>
to control@bugs.debian.org.
(Mon, 15 Sep 2008 14:24:55 GMT)
Tags added: patch
Request was from Philipp Matthias Hahn <pmhahn@debian.org>
to control@bugs.debian.org.
(Mon, 15 Sep 2008 14:24:56 GMT)
Information forwarded
to debian-bugs-dist@lists.debian.org:
Bug#439729; Package racoon.
(Wed, 24 Feb 2010 19:36:03 GMT)
Acknowledgement sent
to Stefan Bauer <stefan.bauer@cubewerk.de>:
Extra info received and forwarded to list.
(Wed, 24 Feb 2010 19:36:03 GMT)
Message #26 received at 439729@bugs.debian.org:
tags 439729 wontfix
close 439729

Hi,

as this is already fixed in the current stable distribution, and as there will be only security-related fixes for the oldstable distribution (not to mention that etch is already end-of-life), this will not be fixed.

Thank you for your contribution.

Stefan

--
Stefan Bauer
PGP: E80A 50D5 2D46 341C A887 F05D 5C81 5858 DCEF 8C34
plzk.de - Linux - because it works
Added tag(s) wontfix.
Request was from Stefan Bauer <stefan.bauer@cubewerk.de>
to control@bugs.debian.org.
(Wed, 24 Feb 2010 19:36:08 GMT)
Bug closed, send any further explanations to Jörg Kost <joerg.kost@gmx.com>
Request was from Stefan Bauer <stefan.bauer@cubewerk.de>
to control@bugs.debian.org.
(Wed, 24 Feb 2010 19:36:09 GMT)
No longer marked as fixed in versions 0.7.1-1.1.
Request was from Andreas Beckmann <anbe@debian.org>
to control@bugs.debian.org.
(Sat, 02 Nov 2013 15:57:49 GMT)
Marked as fixed in versions ipsec-tools/1:0.7.1-1.1.
Request was from Andreas Beckmann <anbe@debian.org>
to control@bugs.debian.org.
(Sat, 02 Nov 2013 15:57:49 GMT)
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 01 Dec 2013 07:32:12 GMT)