[Swan-dev] why ikev2-20-ikesa-reauth forgets to detach whack

Andrew Cagney andrew.cagney at gmail.com
Wed Nov 6 03:12:35 UTC 2019


Let me see ...

"west" #1: Failed to find our RSA key

ok, so STF_FATAL is returned, it releases all pending whacks
associated with #1, and life is good; except ...

... in addition to creating #2 the child, it's switched MD.ST from #1
to #2 which causes complete_v2_state_transition(md->st) to:

| suspend processing: state #1 connection "west" from 192.1.2.23:500 (in complete_v2_state_transition() at ikev2.c:3383)
| start processing: state #2 connection "west" from 192.1.2.23:500 (in complete_v2_state_transition() at ikev2.c:3383)

which is the first problem - switching global state midway through a
transition isn't going to go well; nor is blatting md.st ...
this is also the second problem - per below, #2 doesn't inherit #1's
whack FD so none of the below is seen by whack!

-> let's stop (ab)using md.st; failing that ...
-> let's abuse md.st and set it back to the IKE SA before returning STF_FATAL!?!
-> is there a reason to not have #2 inherit #1's whack-fd (but I
wonder if it would leak)

| #2 complete_v2_state_transition() md.from_state=PARENT_I1 md.svm.state[from]=PARENT_I1 UNDEFINED->PARENT_I2 with status STF_FATAL
"west" #2: encountered fatal error in state STATE_UNDEFINED

so now it's trying to kill #2; and release whacks ...

| release_any_whack: state #2 has no whack fd; releasing pending whacks (in release_pending_whacks() at pending.c:131)

| release_pending_whacks: IKE SA #1 fd-fd at 0x7fef409bb028 has pending CHILD SA with socket fd-fd at 0x7fef409bb028

and the next problem - the code goes through the pending list looking
for whacks to kill and, per that line, even finds them
except it compares pending's "isakmp_sa" against the _child_, not IKE,
and pending's whackfd against the null-fd (remember the child hasn't
got one)

-> so add more checks; or just not switch SAs.

| pstats #2 ikev2.child deleted other
| [RE]START processing: state #2 connection "west" from 192.1.2.23:500 (in delete_state() at state.c:874)
"west" #2: deleting state (STATE_UNDEFINED) aged 0.131s and NOT sending notification
| child state #2: UNDEFINED(ignore) => delete
...

things for state #1 then seem to wander around in the weeds for a bit,
but eventually there's an expire:

| handling event EVENT_SA_EXPIRE for parent state #1
| start processing: state #1 connection "west" from 192.1.2.23:500 (in timer_event_cb() at timer.c:250)
...

which leads to the next problem - it doesn't release related whacks
(but if any of the above worked it wouldn't matter).

| release_any_whack: state #1 release fd-fd at 0x7fef409bb028; deleting state (in delete_state() at state.c:1112)
| stop processing: state #1 from 192.1.2.23:500 (in delete_state() at state.c:1138)
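
The pending-list mismatch described in the message, as an added example that is not part of the original post and is not libreswan code. The structs, field names, fd value 7 and the resolve_ike switch are assumptions made for illustration; resolving the child to its IKE SA is only one form the "more checks" could take.

```c
#include <stddef.h>
#include <stdio.h>
#define NULL_FD (-1)

/* Simplified model: these structs and names are illustrative, not libreswan's. */
struct state {
    int serialno;
    struct state *ike;  /* parent IKE SA; NULL when this state is the IKE SA */
    int whack_fd;       /* NULL_FD when no whack is attached */
};
struct pending {
    struct state *isakmp_sa;  /* IKE SA the queued CHILD SA is waiting on */
    int whack_fd;             /* whack waiting for the outcome */
};

/* Release every pending whack that belongs to `st`; returns how many.
 * resolve_ike == 0 compares against the state passed in (as in the post);
 * resolve_ike == 1 maps a child to its IKE SA first (assumed extra check). */
static int release_pending(struct pending *p, size_t n,
                           const struct state *st, int resolve_ike)
{
    const struct state *key = (resolve_ike && st->ike != NULL) ? st->ike : st;
    int released = 0;
    for (size_t i = 0; i < n; i++) {
        if (p[i].whack_fd == NULL_FD)
            continue;  /* nothing attached to this entry */
        if (p[i].isakmp_sa == key || p[i].whack_fd == key->whack_fd) {
            p[i].whack_fd = NULL_FD;  /* stands in for closing the fd */
            released++;
        }
    }
    return released;
}

/* Constructed scenario: IKE SA #1 holds whack fd 7, child #2 holds none,
 * and one pending CHILD SA is queued on #1 with the same fd. */
static int scenario(int resolve_ike)
{
    struct state ike = { 1, NULL, 7 };
    struct state child = { 2, &ike, NULL_FD };
    struct pending queue[] = { { &ike, 7 } };
    return release_pending(queue, 1, &child, resolve_ike);
}

int main(void)
{
    printf("match on child #2:  released %d\n", scenario(0));
    printf("match on IKE SA #1: released %d\n", scenario(1));
    return 0;
}
```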

