
Re: Potential bug/problem in isakmpd/exchange.c

From: Aref Taidi <ataidi(at)avaya.com>
Date: Fri Nov 15 2002 - 04:56:11 EST


Hi Hakan,

That is precisely the point - if "Configuration" does not exist the code searches under [Phase 1]:Default which is the name of an <ISAKMP-peer> section and according to isakmpd.conf(5), this section will exist which is normally the case when a [Phase 1]:Default tag exists. This will then take you to <ISAKMP-peer> section which on line 768 there is a search for "EXCHANGE_TYPE" tag in this section which will not exist - so you have a perfectly legitimate isakmpd.conf file which will not work.

While we are on this subject can I ask you a question please: If exchange_establish() gets called from pf_key_v2_connection_check() for phase 1 exchange, pf_key_v2_connection_check() gets called when phase 1 exchange is established - how does phase 2 exchange get started?

Kind regards,

Aref Taidi

-----Original Message-----
From: Hakan Olsson [mailto:ho@crt.se]
Sent: 14 November 2002 14:44
To: Aref Taidi
Cc: 'bugs@openbsd.org'
Subject: Re: Potential bug/problem in isakmpd/exchange.c

On Thu, 14 Nov 2002, Aref Taidi wrote:

> Dear Sir/Madam,
view
> to port it. I have noticed that in exchange.c function
fails
> a further search is carried out under ("Phase 1", "Default") section and
> tag. If this is successful, according to your manual this gives rise to a
> <ISAKMP-peer> section. On line 768 you search for "EXCHANGE_TYPE" tag in
> this section which is nonexistent and the function will abort!

No, it does exist. (Unless there's some error in the user's isakmpd.conf). I'm guessing you missed the "Auto-generated parts of the configuration" section in isakmpd.conf(5) ?

Either a "Configuration" tag exists in the relevant <ISAKMP-peer> section. Or, if the named <ISAKMP-peer> section does not exist, we use the value from the [Phase 1]:Default section and tag (if it's defined).

In either case, unless something is wrong in isakmpd.conf, this will give us something like a "3DES-SHA" value. This value refers to (as stated by isakmpd.conf(5)) a <ISAKMP-configuration> section, not an <ISAKMP-peer> section.

This section, [3DES-SHA], is normally automatically generated by isakmpd, although it, fully or in parts, can be overwritten manually. And in this section there should be (and is, default) an "EXCHANGE_TYPE" tag.

If the section referenced in "Configuration" (or [Phase 1]:Default) does not exist, or has an unknown value, this is a serious configuration error and isakmpd should stop trying to negotiate it.

In fact, if this was faulty in the way you describe, isakmpd would not be able to initiate either MainMode or Aggressive mode negotiations, meaning it would not be able to initiate any VPN negotiations at all. In fact, it would only be able to send warnings (using an Informational exchange).

/H

--
Håkan Olsson         (+46) 708 437 337     Carlstedt Research
Unix, Networking, Security      (+46) 31 701 4264        & Technology AB
Received on Fri Nov 15 04:57:23 2002
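
The lookup chain debated in this thread, as an added Python sketch that is not isakmpd code and not from either poster: it follows a peer's "Configuration" tag, falls back to [Phase 1]:Default, and then looks for "EXCHANGE_TYPE" in the section that value names, reporting which step breaks. The function names, the peer name ISAKMP-peer-west and both sample configs are constructed, and sections that isakmpd would auto-generate are written out by hand.

```python
import configparser

class ConfError(Exception):
    """The lookup chain could not reach an EXCHANGE_TYPE tag."""

def load(text):
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep tag names as written instead of lowercasing
    cp.read_string(text)
    return cp

def phase1_exchange_type(conf, peer):
    """Follow peer -> Configuration (or [Phase 1]:Default) -> EXCHANGE_TYPE."""
    source = f"[{peer}]:Configuration"
    tag = conf.get(peer, "Configuration", fallback=None)
    if tag is None:  # tag or whole peer section missing: use the default
        source = "[Phase 1]:Default"
        tag = conf.get("Phase 1", "Default", fallback=None)
    if tag is None:
        raise ConfError("no Configuration tag and no [Phase 1]:Default")
    if not conf.has_section(tag):
        raise ConfError(f"{source} names [{tag}], which does not exist")
    exchange_type = conf.get(tag, "EXCHANGE_TYPE", fallback=None)
    if exchange_type is None:
        raise ConfError(f"{source} names [{tag}], which has no EXCHANGE_TYPE")
    return exchange_type

# Constructed samples. Sections isakmpd would auto-generate are written out,
# because this sketch does not model auto-generation.
DEFAULT_NAMES_PEER = """
[Phase 1]
Default= ISAKMP-peer-west

[ISAKMP-peer-west]
Phase= 1
Address= 192.0.2.1
"""

DEFAULT_NAMES_CONFIG = """
[Phase 1]
Default= 3DES-SHA

[3DES-SHA]
EXCHANGE_TYPE= ID_PROT
"""

if __name__ == "__main__":
    for name, text in (("peer", DEFAULT_NAMES_PEER), ("config", DEFAULT_NAMES_CONFIG)):
        try:
            print(name, "->", phase1_exchange_type(load(text), "ISAKMP-peer-west"))
        except ConfError as err:
            print(name, "-> error:", err)
```

The first sample has [Phase 1]:Default naming a peer section and stops at the missing EXCHANGE_TYPE tag; the second has it naming a configuration section and resolves.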

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 13:29:38 EDT
