[Openswan Users] pluto segfaults when using SHA2 256 hash

Abhinav Bhagwat bhagwatav at yahoo.com
Thu Feb 2 02:31:35 EST 2012


Hi when I use sha2 hash to connect using openswan 2.6.37 the pluto daemon seg faults with a message 

Jan 31 04:18:31 xxxxxxxxxxxxxxxxxxx kernel: pluto[25450]: egfault at 0000000000000004 rip 0000000000447509 rsp 00007fff17a021d0 error 6
Jan 31 04:18:31 xxxxxxxxxxxxxxxxxxx ipsec__plutorun: /usr/local/lib/ipsec/_plutorun: line 246: 25450 Segmentation fault      /usr/local/libexec/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d --use-netkey --uniqueids --strictcrlpolicy --nat_traversal
Jan 31 04:18:31 xxxxxxxxxxxxxxxxxxx ipsec__plutorun: !pluto failure!:  exited with error status 139 (signal 11)
egfault at 0000000000000004 rip 0000000000447509 rsp 00007fff17a021d0 error 6
Jan 31 04:18:31 xxxxxxxxxxxxxxxxxxx ipsec__plutorun: /usr/local/lib/ipsec/_plutorun: line 246: 25450 Segmentation fault      /usr/local/libexec/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d --use-netkey --uniqueids --strictcrlpolicy --nat_traversal
Jan 31 04:18:31 xxxxxxxxxxxxxxxxxxx ipsec__plutorun: !pluto failure!:  exited with error status 139 (signal 11)
Jan 31 04:18:31 xxxxxxxxxxxxxxxxxxx ipsec__plutorun: restarting IPsec after pause...
Jan 31 04:18:41 xxxxxxxxxxxxxxxxxxx ipsec_setup: Stopping Openswan IPsec...
Jan 31 04:18:41 xxxxxxxxxxxxxxxxxxx ipsec_setup: Removing orphaned /var/run/pluto/pluto.pid:
Jan 31 04:18:41 xxxxxxxxxxxxxxxxxxx kernel: NET: Unregistered protocol family 15


Putting in debug mode the crash is found to be at 
~/openswan-2.6.37/programs/pluto/spdb_struct.c:316


The connection is defined in ipsec.conf file as


conn test
        type=transport
        right=10.1.3.18
        rightprotoport=tcp/any
        left=10.1.2.48
        leftprotoport=tcp/23
        pfs=yes
        phase2=esp
        phase2alg=aes128-sha2_256;modp1024
        ike=aes128-sha2_256;modp1024
        authby=secret
        auto=add

Everything works fine if I replace sha2_256 with sha1.

Here is the output of ipsec setup status where it does not show OAKLEY sha2_256 getting loaded.

000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40, keysizemax=128
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000  
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=30

With openswan 2.6.33 OAKLEY SHA2_256 is shown and the connection gets established I can see the SP using setkey. But the telnet connection is not established. Again everything works fine if I replace sha2 with sha1. 

Am I missing something here or this is a bug?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openswan.org/pipermail/users/attachments/20120201/05df5df0/attachment.html>


More information about the Users mailing list