Package: racoon
Version: 1:0.8.0-14.1
Severity: normal
Tags: patch ipv6
While setting up IPSec to function with IPv6 hosts, racoon kept
throwing up on the certificates even when they had a correct
subjectAltName specifying a literal IP address.
racoon: ERROR:
racoon: ERROR: failed to get subjectAltName
racoon: ERROR: no peer's CERT payload found.
The problem was tracked down to unimplemented IPv6 address parsing in
racoon. This is fixed in the attached patch.
- Adam
-- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (500, 'unstable'), (50, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.12-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages racoon depends on:
ii adduser 3.113+nmu3
ii debconf [debconf-2.0] 1.5.52
ii ipsec-tools 1:0.8.0-14.1
ii libc6 2.17-97
ii libcomerr2 1.42.9-2
ii libgssapi-krb5-2 1.11.3+dfsg-3+nmu1
ii libk5crypto3 1.11.3+dfsg-3+nmu1
ii libkrb5-3 1.11.3+dfsg-3+nmu1
ii libldap-2.4-2 2.4.31-1+nmu2+b1
ii libpam0g 1.1.3-10
ii libssl1.0.0 1.0.1e-6
ii perl 5.18.1-5
racoon recommends no packages.
racoon suggests no packages.
-- Configuration Files:
/etc/racoon/psk.txt [Errno 13] Permission denied: u'/etc/racoon/psk.txt'
-- debconf information excluded
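The conversion the patch below implements by hand, written as an added stand-alone example (not code from the report, the patch, or ipsec-tools): the raw octets of an X.509 subjectAltName iPAddress entry, as OpenSSL returns them in gen->d.iPAddress->data/length, are turned into text with inet_ntop(), which handles both 4-octet IPv4 and 16-octet IPv6 values and rejects any other length. The function names, the SAMPLE_* octets (constructed from documentation address ranges) and the binary-form matcher are assumptions for illustration; the matcher shows why comparing addresses as bytes rather than as strings avoids the zero-padded versus compressed IPv6 spelling problem.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>

/* Constructed sample subjectAltName iPAddress octets (RFC 5737 / RFC 3849
 * documentation ranges), standing in for gen->d.iPAddress->data. */
const unsigned char SAMPLE_V4[4]  = { 192, 0, 2, 1 };
const unsigned char SAMPLE_V6[16] = { 0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0,
                                      0, 0, 0, 0, 0, 0, 0, 1 };

/* Turn the raw iPAddress octets of a GeneralName (4 for IPv4, 16 for
 * IPv6) into a NUL-terminated text address. Any other length is rejected
 * rather than guessed at. Returns a malloc'd string (caller frees) or NULL. */
char *altname_ip_to_string(const unsigned char *octets, int length)
{
    char buf[INET6_ADDRSTRLEN];   /* large enough for either family */
    int af;
    size_t n;
    char *out;

    switch (length) {
    case 4:  af = AF_INET;  break;
    case 16: af = AF_INET6; break;
    default: return NULL;     /* neither IPv4 nor IPv6 */
    }
    if (inet_ntop(af, octets, buf, sizeof buf) == NULL)
        return NULL;
    n = strlen(buf) + 1;
    out = malloc(n);
    if (out != NULL)
        memcpy(out, buf, n);
    return out;
}

/* Match a SAN iPAddress entry against a peer address given as text by
 * comparing in binary form, so that "2001:db8::1" and its zero-padded
 * expansion compare equal. Returns 1 on match, 0 on mismatch or bad input. */
int altname_ip_matches(const unsigned char *octets, int length, const char *peer)
{
    unsigned char peer_bin[16];
    int af;

    if (length == 4)       af = AF_INET;
    else if (length == 16) af = AF_INET6;
    else                   return 0;
    if (inet_pton(af, peer, peer_bin) != 1)
        return 0;   /* peer text is not a valid address of that family */
    return memcmp(octets, peer_bin, (size_t)length) == 0;
}

/* Helper for checks: convert, compare with the expected text, free. */
int altname_string_equals(const unsigned char *octets, int length, const char *expected)
{
    char *s = altname_ip_to_string(octets, length);
    int eq = (s != NULL && strcmp(s, expected) == 0);
    free(s);
    return eq;
}

int main(void)
{
    char *s4 = altname_ip_to_string(SAMPLE_V4, 4);
    char *s6 = altname_ip_to_string(SAMPLE_V6, 16);
    printf("IPv4 SAN: %s\n", s4 ? s4 : "(unsupported)");
    printf("IPv6 SAN: %s\n", s6 ? s6 : "(unsupported)");
    printf("5-octet SAN accepted? %s\n",
           altname_ip_to_string(SAMPLE_V4, 5) ? "yes" : "no");
    free(s4);
    free(s6);
    return 0;
}
```

Using INET6_ADDRSTRLEN as the single buffer size removes the separate malloc-size and snprintf-width arithmetic that the hand-rolled version has to keep in step, and inet_ntop() produces the conventional compressed IPv6 spelling, so the result can be logged or compared consistently with addresses written the usual way.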
Index: ipsec-tools-0.8.0/src/racoon/crypto_openssl.c
===================================================================
--- ipsec-tools-0.8.0.orig/src/racoon/crypto_openssl.c 2014-02-09 02:13:39.998141719 -0600
+++ ipsec-tools-0.8.0/src/racoon/crypto_openssl.c 2014-02-10 02:14:43.646357678 -0600
@@ -714,26 +714,47 @@
/* read IP address */
else if (gen->type == GEN_IPADD)
{
- unsigned char p[5], *ip;
- ip = p;
-
- /* only support IPv4 */
- if (gen->d.ip->length != 4)
- goto end;
-
- /* convert Octet String to String
- * XXX ???????
- */
- /*i2d_ASN1_OCTET_STRING(gen->d.ip,&ip);*/
- ip = gen->d.ip->data;
-
- /* XXX Magic, enough for an IPv4 address
- */
- *altname = racoon_malloc(20);
- if (!*altname)
+ switch (gen->d.iPAddress->length) {
+ case 4: /* IPv4 */
+ *altname = racoon_malloc(4*3 + 3 + 1); /* digits + decimals + null */
+ if (!*altname)
+ goto end;
+
+ snprintf(*altname, 12+3+1, "%u.%u.%u.%u",
+ (unsigned)gen->d.iPAddress->data[0],
+ (unsigned)gen->d.iPAddress->data[1],
+ (unsigned)gen->d.iPAddress->data[2],
+ (unsigned)gen->d.iPAddress->data[3]);
+ break;
+ case 16: { /* IPv6 */
+ int i;
+
+ *altname = racoon_malloc(16*2 + 7 + 1); /* digits + colons + null */
+ if (!*altname)
+ goto end;
+
+ /* Make NULL terminated IPv6 address */
+ for (i=0; i<16; ++i) {
+ int pos = i*2 + i/2;
+
+ if (i>0 && i%2==0)
+ (*altname)[pos-1] = ':';
+
+ snprintf(*altname + pos, 3, "%02x",
+ (unsigned)gen->d.iPAddress->data[i]);
+
+ }
+ plog(LLV_INFO, LOCATION, NULL,
+ "Remote X509 IPv6 addr: %s", *altname);
+ break;
+ }
+ default:
+ plog(LLV_ERROR, LOCATION, NULL,
+ "Unknown IP address length: %u octects.",
+ gen->d.iPAddress->length);
goto end;
-
- sprintf(*altname, "%u.%u.%u.%u", ip[0], ip[1], ip[2], ip[3]);
+ }
+
*type = gen->type;
error = 0;
}
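Review bot: the buffer sizes and format widths in the new switch are computed by hand in two places each and must be kept in step manually (`4*3 + 3 + 1` in the malloc versus `12+3+1` in the snprintf for IPv4; `16*2 + 7 + 1` plus the `pos = i*2 + i/2` index arithmetic for IPv6). Consider `inet_ntop(AF_INET, ...)` / `inet_ntop(AF_INET6, ...)` into a `char buf[INET6_ADDRSTRLEN]` and copying the result into `*altname`: that removes the arithmetic and yields IPv6 text in the conventional compressed form rather than the fully zero-padded `xxxx:xxxx:...` string the loop builds, which matters if the string is later compared textually against an address written the usual way. Two small things in the `default:` branch: "octects" should read "octets", and `gen->d.iPAddress->length` is an `int`, so `%u` should be `%d`.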