[Openswan dev] Assertion failed at packet.c:1672
Albert Veli
albert.veli at gmail.com
Fri Feb 26 13:54:40 EST 2010
Hello everybody!
I found another problem with the packet.c/packet.h code. It works
perfectly when connecting two openswan peers after the following patch
is applied:
http://git.openswan.org/cgi-bin/gitweb.cgi?p=openswan.git/.git;a=commit;h=ab19ef909c32c449b4ef4ceec522902969855b39
Now I tried to connect against a Cisco ASA using aggressive mode and
nat-t (but I did not have "remote_peer_type=cisco" set) and it hit
another assert.
ASSERTION FAILED at .../openswan-2.6.24/lib/libpluto/packet.c:1672:
pl[NOFFSETOF_isa_np] == ISAKMP_NEXT_NONE
The code around the assert looks like this:
if (left == NSIZEOF_isakmp_hdr) {
/* no payloads, just the isakmp_hdr: insert np here */
passert(pl[NOFFSETOF_isa_np] == ISAKMP_NEXT_NONE);
pl[NOFFSETOF_isa_np] = np;
}
Then I found two problems. First one in packet.h, it looks like this:
#define NOFFSETOF_isa_np 8 /* on-the-wire offset of
isa_np (one octet) */
struct isakmp_hdr
{
u_int8_t isa_icookie[COOKIE_SIZE];
u_int8_t isa_rcookie[COOKIE_SIZE];
u_int8_t isa_np; /* Next payload */
...
};
Well COOKIE_SIZE is 8 (found it in ietf_constants.h) so
NOFFSETOF_isa_np should be 16.
After recompiling with NOFFSETOF_isa_np set to 16 I still got the same
assertion. Firing up the debugger gave me:
(gdb) x /32x pl
0x108a80 <reply_buffer>: 0xfd79f768 0xa038c971 0x3a773d46 0x8758162a
0x108a90 <reply_buffer+16>: 0x08100401 0x00000000 0x000001c8 0x04000038
0x108aa0 <reply_buffer+32>: 0x00000001 0x00000001 0x0000002c 0x00010001
0x108ab0 <reply_buffer+48>: 0x00000024 0x00010000 0x800b0001 0x800c0e10
0x108ac0 <reply_buffer+64>: 0x80010007 0x80020002 0x80030001 0x80040002
0x108ad0 <reply_buffer+80>: 0x800e0080 0x0a000084 0x7ded304e 0x573c17a1
0x108ae0 <reply_buffer+96>: 0xc0bc8842 0x68a9f076 0x4c70ddb3 0xebb3db38
0x108af0 <reply_buffer+112>: 0xaed9acd1 0x93f72351 0xb07da630 0xe0efae13
I tried it several times and pl[16] is always 0x08, which in
ietf_constants.h is defined as ISAKMP_NEXT_HASH.
So now I changed the assert to:
passert(pl[NOFFSETOF_isa_np] == ISAKMP_NEXT_NONE ||
pl[NOFFSETOF_isa_np] == ISAKMP_NEXT_HASH);
That seems to work. Well, at least it dodges the assert. If it is
correct is another question ;-)
Summary. In packet.h at line 170, change to:
#define NOFFSETOF_isa_np 16 /* on-the-wire offset of
isa_np (two octets) */
And in packet.c at line 1672, allow for pl[NOFFSETOF_isa_np] to be
ISAKMP_NEXT_HASH.
The change in packet.h seems bullet proof to me. But the change in
packet.c needs review by somebody who are familiar with ipsec. Why is
isa_np == ISAKMP_NEXT_HASH? Is that normal?
BR,
Albert
PS Here is some more debug info from the log file:
ipsec__plutorun: Starting Pluto subsystem...
pluto[625]: Setting NAT-Traversal port-4500 floating to on
pluto[625]: port floating activation criteria nat_t=1/port_float=1
pluto[625]: NAT-Traversal support [enabled]
pluto[625]: using /dev/urandom as source of random entropy
pluto[625]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
pluto[625]: starting up 1 cryptographic helpers
pluto[625]: started helper pid=629 (fd:5)
pluto[629]: using /dev/urandom as source of random entropy
pluto[625]: Using Linux 2.6 IPsec interface code on 2.6.32.9 (experimental code)
pluto[625]: ike_alg_register_enc(): WARNING: enc alg=0 not found in
constants.c:oakley_enc_names
pluto[625]: ike_alg_register_enc(): Activating <NULL>: Ok (ret=0)
pluto[625]: ike_alg_register_enc(): WARNING: enc alg=0 not found in
constants.c:oakley_enc_names
pluto[625]: ike_alg_add(): ERROR: Algorithm already exists
pluto[625]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)
pluto[625]: ike_alg_register_enc(): WARNING: enc alg=0 not found in
constants.c:oakley_enc_names
pluto[625]: ike_alg_add(): ERROR: Algorithm already exists
pluto[625]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)
pluto[625]: ike_alg_register_enc(): WARNING: enc alg=0 not found in
constants.c:oakley_enc_names
pluto[625]: ike_alg_add(): ERROR: Algorithm already exists
pluto[625]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)
pluto[625]: ike_alg_register_enc(): WARNING: enc alg=0 not found in
constants.c:oakley_enc_names
pluto[625]: ike_alg_add(): ERROR: Algorithm already exists
pluto[625]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)
pluto[625]: Changed path to directory '/etc/ipsec.d'
last message repeated 2 times
pluto[625]: Changing to directory '/etc/ipsec.d'
pluto[625]: Changing to directory '/etc/ipsec.d'
pluto[625]: added connection description "ipsec6"
pluto[625]: listening for IKE messages
pluto[625]: NAT-Traversal: Trying new style NAT-T
pluto[625]: NAT-Traversal: ESPINUDP(1) setup failed for new style
NAT-T family IPv4 (errno=19)
pluto[625]: NAT-Traversal: Trying old style NAT-T
pluto[625]: adding interface vlan2/vlan2 192.168.131.134:500
pluto[625]: adding interface vlan2/vlan2 192.168.131.134:4500
pluto[625]: adding interface vlan1/vlan1 192.168.20.200:500
pluto[625]: adding interface vlan1/vlan1 192.168.20.200:4500
pluto[625]: adding interface lo/lo 127.0.0.1:500
pluto[625]: adding interface lo/lo 127.0.0.1:4500
pluto[625]: "ipsec6" #1: initiating Aggressive Mode #1, connection "ipsec6"
pluto[625]: "ipsec6" #1: received Vendor ID payload [Cisco-Unity]
pluto[625]: "ipsec6" #1: received Vendor ID payload [XAUTH]
pluto[625]: "ipsec6" #1: received Vendor ID payload [Dead Peer Detection]
pluto[625]: "ipsec6" #1: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
pluto[625]: "ipsec6" #1: ignoring Vendor ID payload [FRAGMENTATION c0000000]
pluto[625]: "ipsec6" #1: ignoring Vendor ID payload [Cisco VPN 3000 Series]
pluto[625]: "ipsec6" #1: Aggressive mode peer ID is ID_FQDN:
'@xxxxx.bredband2.net'
pluto[625]: "ipsec6" #1: NAT-Traversal: Result using
draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
pluto[625]: "ipsec6" #1: ASSERTION FAILED at
/home/albert/trunk/packages/openswan/openswan-2.6.24/lib/libpluto/packet.c:1672:
pl[NOFFSETOF_isa_np] == ISAKMP_NEXT_NONE
More information about the Dev
mailing list