[Swan-dev] why ikev2-20-ikesa-reauth forgets to detach whack
andrew.cagney at gmail.com
Wed Nov 6 03:12:35 UTC 2019
Let me see ...
"west" #1: Failed to find our RSA key
ok, so STF_FATAL is returned, it releases all pending whacks
associated with #1, and life is good; except ...
.. in addition to creating #2 the child, it's switched MD.ST from #1
to #2 which causes complete_v2_state_transtition(md->st) to:
| suspend processing: state #1 connection "west" from 18.104.22.168:500
(in complete_v2_state_transition() at ikev2.c:3383)
| start processing: state #2 connection "west" from 22.214.171.124:500 (in
complete_v2_state_transition() at ikev2.c:3383)
which is the first problem - switching global state midway through a
transition isn't going to go well; nor is blatting md.st ...
this is also the second problem - per below, #2 doesn't inherit #1's
whack FD so none of the below is seen by whack!
-> lets stop (ab)using md.st; failing that ...
-> let's abuse md.st and set it back to the IKE SA before returning STF_FATAL!?!
-> is there a reason to not have #2 inherit #1's whack-fd (but I
wonder if it would leak)
| #2 complete_v2_state_transition() md.from_state=PARENT_I1
md.svm.state[from]=PARENT_I1 UNDEFINED->PARENT_I2 with status
"west" #2: encountered fatal error in state STATE_UNDEFINED
so now its trying to kill #2; and release whacks ...
| release_any_whack: state #2 has no whack fd; releasing pending
whacks (in release_pending_whacks() at pending.c:131)
| release_pending_whacks: IKE SA #1 fd-fd at 0x7fef409bb028 has pending
CHILD SA with socket fd-fd at 0x7fef409bb028
and the next problem - the code goes through the pending list looking
for whacks to kill and, per that line, even finds them
except it compares pending's "isakmp_sa" against the _child_, not IKE,
and pending's whackfd against the null-fd (remember the child hasn't
-> so add more checks; or just not switch SAs.
| pstats #2 ikev2.child deleted other
| [RE]START processing: state #2 connection "west" from 126.96.36.199:500
(in delete_state() at state.c:874)
"west" #2: deleting state (STATE_UNDEFINED) aged 0.131s and NOT
| child state #2: UNDEFINED(ignore) => delete
things for state #1 then seem to wonder around in the weeds for a bit,
but eventually there's an expire:
| handling event EVENT_SA_EXPIRE for parent state #1
| start processing: state #1 connection "west" from 188.8.131.52:500 (in
timer_event_cb() at timer.c:250)
which leads to the next problem - it doesn't release related whacks
(but if any of the above worked it wouldn't matter).
| release_any_whack: state #1 release fd-fd at 0x7fef409bb028; deleting
state (in delete_state() at state.c:1112)
| stop processing: state #1 from 184.108.40.206:500 (in delete_state() at
More information about the Swan-dev