Your message dated Fri, 11 Jul 2014 09:36:54 +0000
with message-id <[email protected]>
and subject line Bug#738573: fixed in ipsec-tools 1:0.8.2+20140711-1
has caused the Debian Bug report #738573,
regarding Add IPv6 IP address support to X509 certificates in subjectAltName
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
738573: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=738573
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: racoon
Version: 1:0.8.0-14.1
Severity: normal
Tags: patch ipv6

While setting up IPSec to function with IPv6 hosts, racoon kept
throwing up on the certificates even when they had a correct
subjectAltName specified to a literal IP address.

   racoon: ERROR:
   racoon: ERROR: failed to get subjectAltName
   racoon: ERROR: no peer's CERT payload found.

The problem was tracked down to unimplemented IPv6 address parsing in
racoon. This is fixed in the attached patch.

- Adam



-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (50, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.12-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages racoon depends on:
ii  adduser                3.113+nmu3
ii  debconf [debconf-2.0]  1.5.52
ii  ipsec-tools            1:0.8.0-14.1
ii  libc6                  2.17-97
ii  libcomerr2             1.42.9-2
ii  libgssapi-krb5-2       1.11.3+dfsg-3+nmu1
ii  libk5crypto3           1.11.3+dfsg-3+nmu1
ii  libkrb5-3              1.11.3+dfsg-3+nmu1
ii  libldap-2.4-2          2.4.31-1+nmu2+b1
ii  libpam0g               1.1.3-10
ii  libssl1.0.0            1.0.1e-6
ii  perl                   5.18.1-5

racoon recommends no packages.

racoon suggests no packages.

-- Configuration Files:
/etc/racoon/psk.txt [Errno 13] Permission denied: u'/etc/racoon/psk.txt'

-- debconf information excluded
Index: ipsec-tools-0.8.0/src/racoon/crypto_openssl.c
===================================================================
--- ipsec-tools-0.8.0.orig/src/racoon/crypto_openssl.c	2014-02-09 02:13:39.998141719 -0600
+++ ipsec-tools-0.8.0/src/racoon/crypto_openssl.c	2014-02-10 02:14:43.646357678 -0600
@@ -714,26 +714,47 @@
 	/* read IP address */
 	else if (gen->type == GEN_IPADD)
 	{
-		unsigned char p[5], *ip;
-		ip = p;
-		
-		/* only support IPv4 */
-		if (gen->d.ip->length != 4)
-			goto end;
-		
-		/* convert Octet String to String
-		 * XXX ???????
-		 */
-		/*i2d_ASN1_OCTET_STRING(gen->d.ip,&ip);*/
-		ip = gen->d.ip->data;
-
-		/* XXX Magic, enough for an IPv4 address
-		 */
-		*altname = racoon_malloc(20);
-		if (!*altname)
+		switch (gen->d.iPAddress->length) {
+		case 4: /* IPv4 */
+			*altname = racoon_malloc(4*3 + 3 + 1); /* digits + decimals + null */
+			if (!*altname)
+				goto end;
+
+			snprintf(*altname, 12+3+1, "%u.%u.%u.%u",
+			         (unsigned)gen->d.iPAddress->data[0],
+			         (unsigned)gen->d.iPAddress->data[1],
+			         (unsigned)gen->d.iPAddress->data[2],
+			         (unsigned)gen->d.iPAddress->data[3]);
+			break;
+		case 16: { /* IPv6 */
+			int i;
+
+			*altname = racoon_malloc(16*2 + 7 + 1); /* digits + colons + null */
+			if (!*altname)
+				goto end;
+
+			/* Make NULL terminated IPv6 address */
+			for (i=0; i<16; ++i) {
+				int pos = i*2 + i/2;
+
+				if (i>0 && i%2==0)
+					(*altname)[pos-1] = ':';
+
+				snprintf(*altname + pos, 3, "%02x",
+				         (unsigned)gen->d.iPAddress->data[i]);
+
+			}
+			plog(LLV_INFO, LOCATION, NULL,
+			     "Remote X509 IPv6 addr: %s", *altname);
+			break;
+		}
+		default:
+			plog(LLV_ERROR, LOCATION, NULL,
+			     "Unknown IP address length: %u octects.",
+			     gen->d.iPAddress->length);
 			goto end;
-		
-		sprintf(*altname, "%u.%u.%u.%u", ip[0], ip[1], ip[2], ip[3]);
+		}
+
 		*type = gen->type;
 		error = 0;
 	}
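
Review bot: In the IPv6 case the loop writes every byte with `snprintf(*altname + pos, 3, "%02x", ...)`, so the result is always the fully expanded 39-character form with leading zeros, not the compressed text that inet_ntop() produces. If the caller compares *altname as a string against an address formatted elsewhere, a certificate with the right address can still fail to match. Formatting with inet_ntop(AF_INET6, gen->d.iPAddress->data, ...) into an INET6_ADDRSTRLEN buffer would avoid that; failing that, document the chosen format next to the racoon_malloc call. Smaller points: the default branch passes gen->d.iPAddress->length, which is an int, to "%u" and misspells "octets"; the IPv4 snprintf repeats its size as the literal 12+3+1 instead of sharing one constant with the allocation above it; and only the IPv6 branch logs the peer address at LLV_INFO, while the IPv4 branch logs nothing.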

--- End Message ---
--- Begin Message ---
Source: ipsec-tools
Source-Version: 1:0.8.2+20140711-1

We believe that the bug you reported is fixed in the latest version of
ipsec-tools, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
[email protected] (supplier of updated ipsec-tools package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Fri, 11 Jul 2014 00:52:38 -0700
Source: ipsec-tools
Binary: ipsec-tools racoon
Architecture: source amd64
Version: 1:0.8.2+20140711-1
Distribution: unstable
Urgency: medium
Maintainer: pkg-ipsec-tools team <[email protected]>
Changed-By: [email protected]
Description:
 ipsec-tools - IPsec utilities
 racoon     - IPsec Internet Key Exchange daemon
Closes: 738573
Changes:
 ipsec-tools (1:0.8.2+20140711-1) unstable; urgency=medium
 .
   * Repackage upstream release 0.8.2 for real. Previous releases were
     based on an incomplete import and were essentially 0.8.0.
   * Remove patch debian/patches/gcc-4.8.diff, which has been incorporated
     upstream.
   * Remove patch debian/patches/patch-to-support-cast128, which has
     been incorporated upstream.
   * Import patch for x509 IPv6 literal address subjectAltName support from
     Adam Majer <[email protected]> (Closes: #738573)


--- End Message ---
