[Swan-dev] release_whack() not causing whack fd to be released?

Paul Wouters paul at nohats.ca
Wed Oct 12 20:33:31 UTC 2016


While adding tests for nss/ocsp (nss-cert-10-notyetvalid-responder) I
noticed that the whack isn't released in the STF_FAIL case:

west #
  ipsec auto --up nss-cert
002 "nss-cert" #1: initiating Main Mode
104 "nss-cert" #1: STATE_MAIN_I1: initiate
106 "nss-cert" #1: STATE_MAIN_I2: sent MI2, expecting MR2
002 "nss-cert" #1: I am sending my cert
002 "nss-cert" #1: I am sending a certificate request
108 "nss-cert" #1: STATE_MAIN_I3: sent MI3, expecting MR3
002 "nss-cert" #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=notyetvalid.testing.libreswan.org, E=testing at libreswan.org'
003 "nss-cert" #1: Certificate E=testing at libreswan.org,CN=notyetvalid.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA failed verification
003 "nss-cert" #1: ERROR: Peer's Certificate has expired.
003 "nss-cert" #1: no RSA public key known for 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=notyetvalid.testing.libreswan.org, E=testing at libreswan.org'
217 "nss-cert" #1: STATE_MAIN_I3: INVALID_KEY_INFORMATION
002 "nss-cert" #1: sending encrypted notification INVALID_KEY_INFORMATION to 192.1.2.23:500
#\[root at west ]#  timedout send line: ipsec auto --up nss-cert
echo done

I checked with gdb, and release_whack() is called in ikev1.c in complete_v1_state_transition()

if (IS_PHASE1_INIT(st->st_state)) {
        delete_event(st);
        release_whack(st);
}

And release_whack() itself is pretty simple:

void release_whack(struct state *st)
{
        close_any(st->st_whack_sock);
}

with close_any being a macro:

include/constants.h:#define close_any(fd)  { if ((fd) != NULL_FD) { close(fd); (fd) = NULL_FD; } }


Anyone have any theories as to what could be going on?

Paul
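
Added example, not part of the original post and not libreswan code: it runs the quoted close_any macro on a socketpair to show a general POSIX property, that the peer only sees EOF once every descriptor referring to the socket has been closed. NULL_FD as -1, the dup()'d second reference and the names whack_sock, client and copy are assumptions made for illustration.

```c
#include <poll.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

#define NULL_FD (-1) /* assumption: sentinel meaning "no descriptor" */
/* macro as quoted in the post */
#define close_any(fd)  { if ((fd) != NULL_FD) { close(fd); (fd) = NULL_FD; } }

/* 1 if the peer end has seen EOF, 0 if the connection is still open, -1 on error */
static int peer_sees_eof(int peer_fd)
{
	struct pollfd p = { .fd = peer_fd, .events = POLLIN };
	char c;
	int n = poll(&p, 1, 100);

	if (n < 0)
		return -1;
	if (n == 0)
		return 0; /* timed out: no data, no hangup */
	return read(peer_fd, &c, 1) == 0 ? 1 : 0;
}

/* Bitmask: 1 = variable reset to NULL_FD, 2 = EOF seen while a dup was
 * still open, 4 = EOF seen after the last reference was closed. */
int demo_close_any_with_dup(void)
{
	int sv[2], result = 0;

	if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
		return -1;
	int whack_sock = sv[0];     /* stands in for st->st_whack_sock */
	int client = sv[1];         /* stands in for the waiting whack process */
	int copy = dup(whack_sock); /* hypothetical second reference */
	if (copy < 0)
		return -1;

	close_any(whack_sock);
	if (whack_sock == NULL_FD)
		result |= 1;
	if (peer_sees_eof(client) == 1)
		result |= 2; /* not expected: copy keeps the socket open */
	close_any(copy);
	if (peer_sees_eof(client) == 1)
		result |= 4;
	close(client);
	return result;
}

int main(void) { printf("result = %d\n", demo_close_any_with_dup()); return 0; }
```
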

