From: Alexander S. <zer...@ya...> - 2005-11-05 18:00:23
Hi,

Racoon segfaults when trying to establish the first connection if /dev/urandom and /dev/random do not exist. This seems to be the reason:

In crypto_openssl.c, in function eay_set_random(size), line 2276: BN_rand fails but its return value is not checked. In isakmp.c, this leads to buf2->v == NULL after line 2373 (BTW, only buf2 == NULL is checked in line 2374) and to the segfault in memcpy in line 2376:

    memcpy(p, buf2->v, lcconf->secret_size);

BN_rand fails with the following error. In openssl-0.9.7f, md_rand.c line 512:

    RANDerr(RAND_F_SSLEAY_RAND_BYTES,RAND_R_PRNG_NOT_SEEDED);
    ERR_add_error_data(1, "You need to read the OpenSSL FAQ, "
                       "http://www.openssl.org/support/faq.html");
    return(0);

-----------------------------------------------------
Details:

Using Linux kernel 2.6.9, ipsec-tools-0.6.2, openssl-0.9.7f

command line:
    racoon -v -F -f ./racoon.conf -l ./racoon.log
    ping -c 1 192.168.0.2

------------
racoon.conf:

    path include ".";
    path pre_shared_key "./psk.txt";
    path certificate "./certs";

    remote 192.168.0.2 {
        exchange_mode main;
        proposal {
            encryption_algorithm 3des;
            hash_algorithm md5;
            authentication_method pre_shared_key;
            dh_group 2;
        }
    }

    sainfo address 192.168.0.1 any address 192.168.0.2 any {
        pfs_group 2;
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
    }

------------
setkey script:

    #!/sbin/setkey -f
    flush;
    spdflush;
    spdadd 192.168.0.1 192.168.0.2 any -P out ipsec esp/tunnel/192.168.0.1-192.168.0.2/require;
    spdadd 192.168.0.2 192.168.0.1 any -P in ipsec esp/tunnel/192.168.0.2-192.168.0.1/require;

----------------------------------------------------
Reproducible also on Fedora Core 4 by renaming /dev/random and /dev/urandom to something else.

Kind regards,
Alex
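The defect the report describes is a random-number call treated as infallible: the return value of BN_rand is dropped, the caller then tests only buf2 and not buf2->v, and memcpy dereferences NULL. The following C is an added example written for this page, not code from ipsec-tools or from the reporter. It models the same two call sites with a stand-in vchar_t (assumed to carry a length l and a byte pointer v, as racoon's does), a hypothetical random-source function pointer so the failure can be injected, and the two checks that the report says are missing: the RNG result is checked where it is produced, and the caller refuses to copy when either the struct or its payload is absent.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stddef.h>

/* Minimal stand-in for racoon's vchar_t (assumption: length plus byte pointer). */
typedef struct {
    size_t l;
    char *v;
} vchar_t;

/* Hypothetical random-source signature: 1 on success, 0 on failure, the same
 * convention OpenSSL's BN_rand/RAND_bytes use. A function pointer lets a test
 * inject the "PRNG not seeded" failure without touching /dev/random. */
typedef int (*rand_fn)(unsigned char *out, size_t len);

/* Reads from /dev/urandom; returns 0 when the device is missing, which is the
 * environment the report reproduces the crash in. */
static int urandom_bytes(unsigned char *out, size_t len) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL) return 0;
    size_t n = fread(out, 1, len, f);
    fclose(f);
    return n == len;
}

/* Constructed deterministic source, for tests only (not random). */
static int fake_bytes(unsigned char *out, size_t len) {
    for (size_t i = 0; i < len; i++) out[i] = (unsigned char)(0xA5 ^ i);
    return 1;
}

/* Constructed source that always fails, standing in for an unseeded PRNG. */
static int failing_bytes(unsigned char *out, size_t len) {
    (void)out; (void)len;
    return 0;
}

void vfree(vchar_t *b) {
    if (b != NULL) { free(b->v); free(b); }
}

/* Hardened analogue of eay_set_random(): the RNG result is checked, and on
 * any failure the function returns NULL rather than a struct with v == NULL. */
vchar_t *set_random_checked(size_t size, rand_fn src) {
    vchar_t *buf = malloc(sizeof *buf);
    if (buf == NULL) return NULL;
    buf->v = malloc(size);
    if (buf->v == NULL) { free(buf); return NULL; }
    buf->l = size;
    if (!src((unsigned char *)buf->v, size)) {  /* the missing check */
        vfree(buf);
        return NULL;
    }
    return buf;
}

/* Caller side, mirroring the isakmp.c pattern: the copy happens only when both
 * the struct and its payload exist. Returns 1 on success, 0 on failure. */
int copy_secret(unsigned char *p, size_t secret_size, rand_fn src) {
    vchar_t *buf2 = set_random_checked(secret_size, src);
    if (buf2 == NULL || buf2->v == NULL) {
        vfree(buf2);
        return 0;  /* abort the exchange instead of dereferencing NULL */
    }
    memcpy(p, buf2->v, secret_size);
    vfree(buf2);
    return 1;
}

int main(void) {
    unsigned char secret[16];
    if (copy_secret(secret, sizeof secret, urandom_bytes))
        printf("secret filled from /dev/urandom\n");
    else
        printf("random source unavailable; refusing to continue\n");
    return 0;
}
```

Checking at both layers is deliberate: the producer check stops an unseeded PRNG from handing back an uninitialised or empty nonce, and the consumer check keeps the daemon alive even if some other allocator path hands back a struct with an empty payload. With the check in place the failure surfaces as a logged refusal to negotiate rather than a crash of the IKE daemon.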