From: Nathan H. <na...@mi...> - 2005-12-07 19:03:00
|
I am a developer in the Macintosh Business Unit at Microsoft, and I've been working with Apple to try and address similar issues in the Mac OS X version of racoon. We found that the Mac OS X Kerberos' GSSAPI implementation would assume that the various gss_XXX_t pointers would be non-NULL and indirect off of them without checking. It certainly didn't expect the various Null values defined in gssapi.h. As a workaround, we passed in non-null values, when it was obvious what they were, and it got us further, but we didn't quite make it all the way there. GSS_KRB5_NT_PRINCIPAL_NAME is exported by the Kerberos implementation, in this case /usr/lib/libgssapi_krb5.dylib -- does your Kerberos implementation export that symbol? If not, you should request it -- there's no reason to have to build it yourself. However you can create one yourself using gss_str_to_oid using the text form of the OID. "1.2.840.113554.1.2.2.1" (it's in gssapi_krb5.h in the comments next to the declaration of GSS_KRB5_NT_PRINCIPAL_NAME.) =20 Since Apple has its own version of racoon, which is in some nebulous state of porting changes from the ipsec-tools distro, and is using MIT Kerberos, YMMV. =20 Hope this helps. ________________________________ From: ips...@li... [mailto:ips...@li...] On Behalf Of sandy s Sent: Wednesday, December 07, 2005 6:50 AM To: Aidas Kasparas Cc: ips...@li... Subject: Re: [Ipsec-tools-devel] Problem of racoon and GSS API: segmentation fault exists from past one year ??? Hi , I saw in the function "krb5_gss_cannicalize_name" that the mech types are getting compared.I dont see any issue with the code. The IPSec GSS API code is passing GSS_C_NO_OID. For testing purpose, I want to use kerberos mechanism type to be hardcoded. Could anybody let me know how to do it ? I tried putting GSS_KRB5_NT_PRINCIPAL_NAME, it says it is undefined. Thanks, Sandy. On 12/7/05, sandy s <san...@gm...> wrote:=20 Yes, It crashes on the fisrt call to gss api :( =09 - Sandy.=20 =09 =09 =09 On 12/7/05, Aidas Kasparas < a.k...@gm... <mailto:a.k...@gm...> > wrote:=20 Sandy, =09 First, the only (afaik) developer of ipsec-tools who is familar with kerberos is Derek, but he contributed code to ipsec-tools for the last time long ago. So, help from the person who knows kerberos would be very=20 helpful. =09 On the other hand, by searching web for faults and gss/kerberos, I found =09 http://www.nabble.com/Core-Dump-with-gsstest-1.26-and-krb5-1.4.2-t327263 .html#a931954=20 which is not directly related, but lets me believe, that bugs in kerberos library is not an uncommon thing. So, could you plese run gsstest program to make sure library you have installed is not buggy and there are no problems in your GSS setup. =09 One more thing. You said, that racoon crashes after some time. Is he failing on first try to use gss functionality, or sometimes it goes through and later fails?=20 =09 sandy s wrote: > Hi all, > > I found that the issue of seg fault exists from past one year. > > Please see the link below: > > http://mailman.mit.edu/pipermail/kerberos/2004-April/005125.html > > What could be the fix for this ? > > - Sandy > > On 12/7/05, *sandy s* < san...@gm... <mailto:san...@gm...>=20 > <mailto:san...@gm...>> wrote: > > Hi,=20 > > Here is more info using gdb. Could you please let me know what could=20 > be the error ? > > - Sandy > > --------------------------------------------------- > 2005-12-07 09:10:16: DEBUG: (lifebyte =3D 0:0) > 2005-12-07 09:10:16: DEBUG: enctype =3D 3DES-CBC:3DES-CBC=20 > 2005-12-07 09:10:16: DEBUG: (encklen =3D 0:0) > 2005-12-07 09:10:16: DEBUG: hashtype =3D SHA:SHA > 2005-12-07 09:10:16: DEBUG: authmethod =3D GSS-API on Kerberos > 5:GSS-API on Kerberos 5=20 > 2005-12-07 09:10:16: DEBUG: dh_group =3D 768-bit MODP group:768-bit > MODP group > 2005-12-07 09:10:16: DEBUG: an acceptable proposal found. > 2005-12-07 09:10:16: DEBUG: hmac(modp768)=20 > 2005-12-07 09:10:16: DEBUG: gss id in new sa 'host/kdc.kerb.com' > 2005-12-07 09:10:16: DEBUG: GIi is host/kdc.kerb.com > 2005-12-07 09:10:16: DEBUG: GIr is host/linux.kerb.com > 2005-12-07 09:10:16: DEBUG: =3D=3D=3D=20 > 2005-12-07 09:10:16: DEBUG: compute DH's private. > 2005-12-07 09:10:16: DEBUG: > 5be41b2e b85ff069 680b30ce 46defd9e a0a50432 7393023c c814aa68 b824c1c1 > 4e8d536f 55714020 9a12d8b8 9c467374 88f6b4ec 8919a92b d349255b 4dee5265=20 > 7250baec 8ae579a3 e621f3c4 00b5450f 19192aba c7220771 9250d320 58477695 > 2005-12-07 09:10:16: DEBUG: compute DH's public. > 2005-12-07 09:10:16: DEBUG: > 921bcc59 d771190a a09a607c 84bbd005 e53b91dd e8b42579 b8b97609 1f2f6cba=20 > d8910bde 68fdab19 ff108509 45a710e3 a137601b 0032ff0b ca86ede2 41b7ec1d > e8fe34dc 2b0915f8 28e8b616 ea15d265 da31d72c ef5e5066 3bb7d04b 8e84030f > > Program received signal SIGSEGV, Segmentation fault.=20 > 0x00d530fb in krb5_gss_canonicalize_name () from > /usr/lib/libgssapi_krb5.so.2 > (gdb) bt > #0 0x00d530fb in krb5_gss_canonicalize_name () from > /usr/lib/libgssapi_krb5.so.2=20 > #1 0x00d59b02 in gss_canonicalize_name () from > /usr/lib/libgssapi_krb5.so.2 > #2 0x0805c5ab in gssapi_init (iph1=3D0x9896af8) at gssapi.c:214 > #3 0x0805cd71 in gssapi_get_itoken (iph1=3D0x9896af8, lenp=3D0x0) at=20 > gssapi.c:279 > #4 0x0805362a in ident_i2send (iph1=3D0x9896af8, msg=3D0x9896538) at > isakmp_ident.c:320 > #5 0x0804e5d2 in ph1_main (iph1=3D0x9896af8, msg=3D0x9896538) at > isakmp.c:788 > #6 0x0804e9a7 in isakmp_main (msg=3D0x9896538, remote=3D0xbfc34f68, > local=3D0xbfc34ee8) at isakmp.c:570 > #7 0x0804f9bf in isakmp_handler (so_isakmp=3D9) at isakmp.c:359 > #8 0x0804c40e in session () at session.c:209 > #9 0x0804bdd4 in main (ac=3D5, av=3D0xbfc36234) at main.c:247 > (gdb) frame 2 > #2 0x0805c5ab in gssapi_init (iph1=3D0x9896af8) at gssapi.c:214 > 214 maj_stat =3D gss_canonicalize_name(&min_stat, princ, > GSS_C_NO_OID, > (gdb) p princ > $1 =3D 0x9897590 > (gdb) > > ------------------------------------------------------------------------ ------------------------------=20 > here is my racoon.conf file used: > > Racoon IKE daemon configuration file. > # See 'man racoon.conf' for a description of the format and entries. > remote anonymous { > exchange_mode main; > lifetime time 24 hour; > proposal { > encryption_algorithm des; > hash_algorithm md5; > authentication_method gssapi_krb;=20 > dh_group 1; > } > } > sainfo anonymous > { > pfs_group 2; > lifetime time 1 hour; > encryption_algorithm des; > authentication_algorithm hmac_sha1, hmac_md5 ; > compression_algorithm deflate ; > } > > =09 -- Aidas Kasparas IT administrator GM Consult Group, UAB =09 |