[Openswan dev] Assertion failed at packet.c:1672

Albert Veli albert.veli at gmail.com
Fri Feb 26 13:54:40 EST 2010


Hello everybody!


I found another problem with the packet.c/packet.h code. It works
perfectly when connecting two openswan peers after the following patch
is applied:

 http://git.openswan.org/cgi-bin/gitweb.cgi?p=openswan.git/.git;a=commit;h=ab19ef909c32c449b4ef4ceec522902969855b39

Now I tried to connect against a Cisco ASA using aggressive mode and
nat-t (but I did not have "remote_peer_type=cisco" set) and it hit
another assert.


 ASSERTION FAILED at .../openswan-2.6.24/lib/libpluto/packet.c:1672:
pl[NOFFSETOF_isa_np] == ISAKMP_NEXT_NONE


The code around the assert looks like this:

    if (left == NSIZEOF_isakmp_hdr) {
	/* no payloads, just the isakmp_hdr: insert np here */
	passert(pl[NOFFSETOF_isa_np] == ISAKMP_NEXT_NONE);
	pl[NOFFSETOF_isa_np] = np;
    }

Then I found two problems. The first one is in packet.h, which looks like this:

#define NOFFSETOF_isa_np        8       /* on-the-wire offset of isa_np (one octet) */

struct isakmp_hdr
{
    u_int8_t    isa_icookie[COOKIE_SIZE];
    u_int8_t    isa_rcookie[COOKIE_SIZE];
    u_int8_t    isa_np;                 /* Next payload */
...
};

Well, COOKIE_SIZE is 8 (found it in ietf_constants.h), so
NOFFSETOF_isa_np should be 16.

After recompiling with NOFFSETOF_isa_np set to 16 I still got the same
assertion. Firing up the debugger gave me:

(gdb) x /32x pl
0x108a80 <reply_buffer>:	0xfd79f768	0xa038c971	0x3a773d46	0x8758162a
0x108a90 <reply_buffer+16>:	0x08100401	0x00000000	0x000001c8	0x04000038
0x108aa0 <reply_buffer+32>:	0x00000001	0x00000001	0x0000002c	0x00010001
0x108ab0 <reply_buffer+48>:	0x00000024	0x00010000	0x800b0001	0x800c0e10
0x108ac0 <reply_buffer+64>:	0x80010007	0x80020002	0x80030001	0x80040002
0x108ad0 <reply_buffer+80>:	0x800e0080	0x0a000084	0x7ded304e	0x573c17a1
0x108ae0 <reply_buffer+96>:	0xc0bc8842	0x68a9f076	0x4c70ddb3	0xebb3db38
0x108af0 <reply_buffer+112>:	0xaed9acd1	0x93f72351	0xb07da630	0xe0efae13

I tried it several times and pl[16] is always 0x08, which in
ietf_constants.h is defined as ISAKMP_NEXT_HASH.

So now I changed the assert to:

 passert(pl[NOFFSETOF_isa_np] == ISAKMP_NEXT_NONE ||
         pl[NOFFSETOF_isa_np] == ISAKMP_NEXT_HASH);

That seems to work. Well, at least it dodges the assert. Whether it is
correct is another question ;-)


Summary. In packet.h at line 170, change to:

#define NOFFSETOF_isa_np       16       /* on-the-wire offset of isa_np (two octets) */

And in packet.c at line 1672, allow for pl[NOFFSETOF_isa_np] to be
ISAKMP_NEXT_HASH.

The change in packet.h seems bulletproof to me. But the change in
packet.c needs review by somebody who is familiar with ipsec. Why is
isa_np == ISAKMP_NEXT_HASH? Is that normal?


BR,

Albert


PS Here is some more debug info from the log file:

ipsec__plutorun: Starting Pluto subsystem...
pluto[625]: Setting NAT-Traversal port-4500 floating to on
pluto[625]:    port floating activation criteria nat_t=1/port_float=1
pluto[625]:    NAT-Traversal support  [enabled]
pluto[625]: using /dev/urandom as source of random entropy
pluto[625]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
pluto[625]: starting up 1 cryptographic helpers
pluto[625]: started helper pid=629 (fd:5)
pluto[629]: using /dev/urandom as source of random entropy
pluto[625]: Using Linux 2.6 IPsec interface code on 2.6.32.9 (experimental code)
pluto[625]: ike_alg_register_enc(): WARNING: enc alg=0 not found in
constants.c:oakley_enc_names
pluto[625]: ike_alg_register_enc(): Activating <NULL>: Ok (ret=0)
pluto[625]: ike_alg_register_enc(): WARNING: enc alg=0 not found in
constants.c:oakley_enc_names
pluto[625]: ike_alg_add(): ERROR: Algorithm already exists
pluto[625]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)
pluto[625]: ike_alg_register_enc(): WARNING: enc alg=0 not found in
constants.c:oakley_enc_names
pluto[625]: ike_alg_add(): ERROR: Algorithm already exists
pluto[625]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)
pluto[625]: ike_alg_register_enc(): WARNING: enc alg=0 not found in
constants.c:oakley_enc_names
pluto[625]: ike_alg_add(): ERROR: Algorithm already exists
pluto[625]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)
pluto[625]: ike_alg_register_enc(): WARNING: enc alg=0 not found in
constants.c:oakley_enc_names
pluto[625]: ike_alg_add(): ERROR: Algorithm already exists
pluto[625]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)
pluto[625]: Changed path to directory '/etc/ipsec.d'
last message repeated 2 times
pluto[625]: Changing to directory '/etc/ipsec.d'
pluto[625]: Changing to directory '/etc/ipsec.d'
pluto[625]: added connection description "ipsec6"
pluto[625]: listening for IKE messages
pluto[625]: NAT-Traversal: Trying new style NAT-T
pluto[625]: NAT-Traversal: ESPINUDP(1) setup failed for new style
NAT-T family IPv4 (errno=19)
pluto[625]: NAT-Traversal: Trying old style NAT-T
pluto[625]: adding interface vlan2/vlan2 192.168.131.134:500
pluto[625]: adding interface vlan2/vlan2 192.168.131.134:4500
pluto[625]: adding interface vlan1/vlan1 192.168.20.200:500
pluto[625]: adding interface vlan1/vlan1 192.168.20.200:4500
pluto[625]: adding interface lo/lo 127.0.0.1:500
pluto[625]: adding interface lo/lo 127.0.0.1:4500
pluto[625]: "ipsec6" #1: initiating Aggressive Mode #1, connection "ipsec6"
pluto[625]: "ipsec6" #1: received Vendor ID payload [Cisco-Unity]
pluto[625]: "ipsec6" #1: received Vendor ID payload [XAUTH]
pluto[625]: "ipsec6" #1: received Vendor ID payload [Dead Peer Detection]
pluto[625]: "ipsec6" #1: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
pluto[625]: "ipsec6" #1: ignoring Vendor ID payload [FRAGMENTATION c0000000]
pluto[625]: "ipsec6" #1: ignoring Vendor ID payload [Cisco VPN 3000 Series]
pluto[625]: "ipsec6" #1: Aggressive mode peer ID is ID_FQDN:
'@xxxxx.bredband2.net'
pluto[625]: "ipsec6" #1: NAT-Traversal: Result using
draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
pluto[625]: "ipsec6" #1: ASSERTION FAILED at
/home/albert/trunk/packages/openswan/openswan-2.6.24/lib/libpluto/packet.c:1672:
pl[NOFFSETOF_isa_np] == ISAKMP_NEXT_NONE
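
An added example (not part of the original post and not Openswan code): a bounds-checked reader for the fixed 28-byte ISAKMP header of RFC 2408 that derives the next-payload offset from COOKIE_SIZE and decodes the first 28 bytes of the gdb dump above. The sample's byte order assumes a big-endian host, inferred from the post's observation that pl[16] is 0x08; `hdr_view`, `parse_isakmp_hdr`, `be32`, `HDR_SIZE` and `OFF_NP` are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define COOKIE_SIZE 8
#define HDR_SIZE    28                 /* fixed ISAKMP header length, RFC 2408 */
#define OFF_NP      (2 * COOKIE_SIZE)  /* 16: derived from the layout, not hard-coded */
struct hdr_view {                      /* hypothetical decoded view of the header */
    uint8_t  np, version, xchg, flags;
    uint32_t msgid, length;
};

static uint32_t be32(const uint8_t *p) /* multi-octet wire fields are big-endian */
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Returns 0 on success, -1 if the buffer cannot hold a complete header. */
int parse_isakmp_hdr(const uint8_t *buf, size_t len, struct hdr_view *out)
{
    if (buf == NULL || out == NULL || len < HDR_SIZE)
        return -1;
    out->np      = buf[OFF_NP];        /* next payload, one octet */
    out->version = buf[OFF_NP + 1];    /* major/minor version nibbles */
    out->xchg    = buf[OFF_NP + 2];    /* exchange type */
    out->flags   = buf[OFF_NP + 3];
    out->msgid   = be32(buf + OFF_NP + 4);
    out->length  = be32(buf + OFF_NP + 8);
    return 0;
}

/* First 28 bytes of reply_buffer from the gdb dump; the byte order is an assumption. */
static const uint8_t sample_hdr[HDR_SIZE] = {
    0xfd, 0x79, 0xf7, 0x68, 0xa0, 0x38, 0xc9, 0x71,  /* isa_icookie */
    0x3a, 0x77, 0x3d, 0x46, 0x87, 0x58, 0x16, 0x2a,  /* isa_rcookie */
    0x08, 0x10, 0x04, 0x01,                          /* np, version, xchg, flags */
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0xc8   /* message ID, total length */
};

int main(void)
{
    struct hdr_view h;
    if (parse_isakmp_hdr(sample_hdr, sizeof sample_hdr, &h) != 0)
        return 1;
    printf("byte 8 = 0x%02x (in isa_rcookie); np at 16 = %u, xchg %u, flags 0x%02x, length %u\n",
           sample_hdr[8], h.np, h.xchg, h.flags, (unsigned)h.length);
    return 0;
}
```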

