
RE: Using certificates with isakmpd?


On Tue, 18 Jan 2000, Carr, Jeff N. wrote:
> when the certificates are read in (from /etc/isakmpd/certs) they have a
> slightly different subjaltname than when they are received over the wire.

Interesting, could this then explain why the certificate stuff doesn't
seem to work as expected when delegating authority to a CA key?

I have today looked a bit closer into the isakmpd crashes I still have now
and then. As expected the crashes I have now are not caused by the same
bug as the previous crashes. I have so far found out that isakmpd now
crashes in sa_isakmpd_upgrade at sa.c:508. That line of code contains the
 	LIST_REMOVE (sa, link);

The definition of LIST_REMOVE can be found in /usr/include/sys/queue.h

#define LIST_REMOVE(elm, field) do {				\
	if ((elm)->field.le_next != NULL)			\
		(elm)->field.le_next->field.le_prev =		\
		    (elm)->field.le_prev;			\
	*(elm)->field.le_prev = (elm)->field.le_next;		\
} while (0)

Obviously, it is no problem if sa->link.le_next is NULL here. Somehow on
somewhat rare occasions (not that rare, isakmpd crashes perhaps once every
5 minutes with the configuration I am currently using), sa->link.le_next
is 0x1 when LIST_REMOVE in sa.c:508 is reached, resulting in a crash
of course. The complete contents of *sa before the crash were:

(gdb) p *sa
$6 = {link = {le_next = 0x1, le_prev = 0x1}, next = {tqe_next = 0x1,
    tqe_prev = 0x1}, name = 0x1 "", transport = 0x1,   
  cookies = "\001\000\000\000\001\000\000\000\001\000\000\000\001\000\000",
  message_id = "\001\000\000", protos = {tqh_first = 0x1, tqh_last = 0x1},
  exch_type = 1 '\001', phase = 0 '\000', refcnt = 0 '\000', flags = 1,
  doi = 0x1, crypto = 0x1, key_length = 1, keystate = 0x1, id_i = 0x1 "",
  id_i_len = 1, id_r = 0x1 "", id_r_len = 1, initiator = 1, recv_certtype = 1,  
  recv_certlen = 1, recv_cert = 0x1, data = 0x1, seconds = 4294967297,
  kilobytes = 4294967297, soft_death = 0x1, death = 0x1}

I have not yet located the reason why sa->link.le_next (or the others)
has at this time been set to 0x1 in the first place. I am not yet
very familiar with the isakmpd source. I'll probably find the problem
eventually but if someone already knows what might be wrong it might save
me some time.

This is when running without any licensees set in the policy file. But
with certificates in /etc/isakmpd/certs and /etc/isakmpd/ca (that is
without using preshared keys).

Jörgen Granstam <Jorgen_(_dot_)_Granstam_(_at_)_abc_(_dot_)_se>
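
Added example, not part of the original message and not isakmpd code: a debugging check that verifies an element's list linkage before LIST_REMOVE runs, so a structure whose link pointers hold 0x1 (as in the gdb dump above) is reported instead of dereferenced. The reduced `struct sa` and the names `ptr_plausible`, `sa_link_ok`, `sa_remove_checked` and `demo` are hypothetical; the alignment test is a heuristic that catches values such as 0x1 but not every wild pointer.

```c
#include <stddef.h>
#include <stdint.h>
#include <sys/queue.h>

/* Hypothetical stand-in for isakmpd's struct sa: only the list linkage. */
struct sa {
	LIST_ENTRY(sa) link;
	int id;
};
LIST_HEAD(sa_list, sa);

/* Non-NULL and pointer-aligned; 0x1 fails this without being dereferenced. */
static int ptr_plausible(const void *p) {
	return p != NULL && (uintptr_t)p % _Alignof(void *) == 0;
}

/* 1 if the neighbours' links agree with sa's own, 0 if the linkage is corrupt. */
int sa_link_ok(struct sa *sa) {
	if (!ptr_plausible(sa->link.le_prev) || *sa->link.le_prev != sa)
		return 0;
	if (sa->link.le_next == NULL)
		return 1;	/* last element: nothing after it to check */
	return ptr_plausible(sa->link.le_next) &&
	    sa->link.le_next->link.le_prev == &sa->link.le_next;
}

/* LIST_REMOVE that refuses to touch a corrupt element; -1 means corrupt. */
int sa_remove_checked(struct sa *sa) {
	if (!sa_link_ok(sa))
		return -1;
	LIST_REMOVE(sa, link);
	return 0;
}

/* Constructed sample: a two-element list plus an element with 0x1 links. */
int demo(void) {
	struct sa_list head = LIST_HEAD_INITIALIZER(head);
	struct sa a = { .id = 1 }, b = { .id = 2 }, bad = { .id = 3 };
	LIST_INSERT_HEAD(&head, &a, link);
	LIST_INSERT_HEAD(&head, &b, link);	/* list is now b -> a */
	bad.link.le_next = (struct sa *)(uintptr_t)0x1;
	bad.link.le_prev = (struct sa **)(uintptr_t)0x1;
	if (sa_remove_checked(&bad) != -1)	/* must be rejected, not crash */
		return 1;
	if (sa_remove_checked(&b) != 0 || LIST_FIRST(&head) != &a)
		return 2;
	return sa_link_ok(&a) ? 0 : 3;
}
```

A failed check at the call site points at whatever overwrote the structure earlier, which is the part the crash at sa.c:508 does not show.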