From: priya yelgar
To: freebsd-security@freebsd.org
Date: Wed, 7 Dec 2005 14:21:48 +0000 (GMT)
Subject: racoon with freebsd-4.11 crashes
Message-ID: <20051207142148.84069.qmail@web8512.mail.in.yahoo.com>

Hi

Running racoon on a FreeBSD-4.11 machine gives a kernel panic. I am using the racoon from the ports directory which comes with the FreeBSD installation.

Steps followed are as shown below:

    racoon -f /usr/local/etc/racoon/raccon.conf
    setkey -f ipsec.conf
    ping -c 1

The ping will lead into a crash. The crash dump looks like, for the ping packet, it is going to apply an SA. It is going into "key_checkrequest" in the key.c file and crashing there.

As I know, "key_checkrequest" is used to apply an existing SA to an outgoing packet. But in the case of racoon the first ping packet is used for negotiation with the other gateway to establish the SA. I am not understanding why it is going into key_checkrequest and crashing. Please, anyone who has used racoon with FreeBSD-4.11, can you guide me if I am doing something wrong?

The config file is given below. I have compiled the kernel with the IPSEC and IPSEC_ESP options. I am using a preshared key file. My configuration file is given below:

    #!/usr/local/bin/racoon
    # CONFIGURATION FILE FOR 192.168.190.44
    path include "/root";
    path pre_shared_key "/root/psk.txt";
    log debug2;

    padding {
            maximum_length 20;
            randomize off;
            strict_check off;
            exclusive_tail off;
    }

    listen {
            isakmp 192.168.190.43 [500];
    }

    timer {
            counter 5;
            interval 20 sec;
            persend 1;
            phase1 30 sec;
            phase2 15 sec;
    }

    remote 192.168.190.43 {
            exchange_mode main;
            doi ipsec_doi;
            situation identity_only;
            my_identifier address 192.168.190.44;
            peers_identifier address 192.168.190.43;
            lifetime time 24 hour;
            nonce_size 16;
            initial_contact on;
            proposal_check obey;
            proposal {
                    encryption_algorithm 3des;
                    hash_algorithm sha1;
                    authentication_method pre_shared_key;
                    dh_group 1;
            }
    }

    sainfo address 192.168.190.44 any address 192.168.190.43 any {
            pfs_group 1;
            lifetime time 2 hour;
            encryption_algorithm 3des;
            authentication_algorithm hmac_sha1;
            compression_algorithm deflate;
    }

Thanks in advance
Priya


From: VANHULLEBUS Yvan
To: freebsd-security@freebsd.org
Date: Wed, 7 Dec 2005 15:56:44 +0100
Subject: Re: racoon with freebsd-4.11 crashes
Message-ID: <20051207145644.GA18279@zen.inc>
In-Reply-To: <20051207142148.84069.qmail@web8512.mail.in.yahoo.com>

On Wed, Dec 07, 2005 at 02:21:48PM +0000, priya yelgar wrote:
> Hi

Hi.

> Running racoon on a FreeBSD-4.11 machine gives a
> kernel panic.
> I am using the racoon from the ports directory which comes
> with the FreeBSD installation.

It may not change lots of things for this kernel crash, but do you use port security/racoon (obsolete) or security/ipsec-tools?

> Steps followed are as shown below:
>
> racoon -f /usr/local/etc/racoon/raccon.conf
> setkey -f ipsec.conf
>
> ping -c 1

It would be really interesting if we could also have your ipsec.conf file.

> The ping will lead into a crash.
> The crash dump looks like, for the ping packet, it is
> going to apply an SA.
> It is going into "key_checkrequest" in the key.c file and
> crashing there.
>
> As I know, "key_checkrequest" is used to apply an
> existing SA to an outgoing packet.

Not exactly. It searches for an existing SA for the packet, and sends an ACQUIRE message to the IKE daemon if needed.

> But in the case of racoon the first ping packet is used
> for negotiation with the other gateway to establish the
> SA.
>
> I am not understanding why it is going into
> key_checkrequest and crashing.

There are 3 panic() in this function, could you give us the panic message?

Yvan.

--
NETASQ - Secure Internet Connectivity
http://www.netasq.com


From: Simon Barner
To: freebsd-security@FreeBSD.org
Date: Sun, 11 Dec 2005 00:21:26 +0100
Subject: OpenSSL tools are not installed
Message-ID: <20051210232126.GH1066@zi025.glh.mhn.de>

Hi,

I just had some issues with unvalidated certificates after the update of the mail/fetchmail port. The solution was to add the missing certificates manually, but that involved running the c_rehash script, which currently isn't installed. Of course, I could run it directly from src/crypto/openssl/tools/, but that isn't an option for users who don't have the source installed.

So, is there a reason why the scripts are not installed, or was it just an oversight?

From my (very limited) experience, c_rehash is enough, but it might be useful to have the others available, too. Of course, they could be installed in /usr/share/openssl so /usr/bin is not spammed (but of course this has the drawback that they aren't directly available to users).

Opinions?

--
Best regards / Viele Grüße,                  barner@FreeBSD.org
Simon Barner                                    barner@gmx.de
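The hashed-symlink step that the missing c_rehash script performs, written out as an added shell example (not part of this thread and not OpenSSL's own c_rehash), for users who have the openssl binary but not the script. It assumes openssl is on PATH and that the directory holds PEM certificates named *.pem or *.crt; CRL links (.rN) and the duplicate-fingerprint check the real script also does are left out.

```shell
#!/bin/sh
# Stand-in for the core of c_rehash: for every PEM certificate in a
# directory, create a "<subject-hash>.<n>" symlink so that OpenSSL's
# hash-based CA lookup (what fetchmail's certificate verification uses)
# can find the certificate by its subject name.
rehash_certdir() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }

    # Remove hash links left by a previous run so the result is reproducible
    # (only symlinks are touched; real files are never deleted).
    for old in "$dir"/*.[0-9] "$dir"/*.[0-9][0-9]; do
        if [ -L "$old" ]; then
            rm -f "$old"
        fi
    done

    for cert in "$dir"/*.pem "$dir"/*.crt; do
        [ -f "$cert" ] || continue
        # "openssl x509 -hash" prints the subject-name hash OpenSSL looks up.
        hash=$(openssl x509 -noout -hash -in "$cert" 2>/dev/null) || {
            echo "skipping $cert: not a PEM certificate" >&2
            continue
        }
        # Different certificates can share a hash; the first gets .0,
        # the next .1, and so on, exactly as OpenSSL expects.
        n=0
        while [ -e "$dir/$hash.$n" ]; do
            n=$((n + 1))
        done
        ln -s "$(basename "$cert")" "$dir/$hash.$n"
    done
}
```

Run it as `rehash_certdir /path/to/certs` after copying the missing CA certificate into that directory; the link names are relative, so the directory can be moved afterwards.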