[Swan-dev] why ikev2-20-ikesa-reauth forgets to detach whack

Andrew Cagney andrew.cagney at gmail.com
Fri Nov 8 15:23:54 UTC 2019


On Tue, 5 Nov 2019 at 22:12, Andrew Cagney <andrew.cagney at gmail.com> wrote:
>
> Let me see ...
>
> "west" #1: Failed to find our RSA key
>
> ok, so STF_FATAL is returned, it releases all pending whacks
> associated with #1, and life is good; except ...
>
> .. in addition to creating #2 the child, it's switched MD.ST from #1
> to #2 which causes complete_v2_state_transtition(md->st) to:
>
> | suspend processing: state #1 connection "west" from 192.1.2.23:500
> (in complete_v2_state_transition() at ikev2.c:3383)
> | start processing: state #2 connection "west" from 192.1.2.23:500 (in
> complete_v2_state_transition() at ikev2.c:3383)
>
> which is the first problem - switching global state midway through a
> transition isn't going to go well; nor is blatting md.st ...
> this is also the second problem - per below, #2 doesn't inherit #1's
> whack FD so none of the below is seen by whack!
>
> -> lets stop (ab)using md.st; failing that ...
> -> let's abuse md.st and set it back to the IKE SA before returning STF_FATAL!?!

So this went really really sideways. It did seem to fix the visible
problem - whack detached - but because it only deleted the IKE SA it
kept accumulating children (every retry ...).  The really troubling
thing is that we've other code paths trying to do the same thing :-/

Zombie time.

> -> is there a reason to not have #2 inherit #1's whack-fd (but I
> wonder if it would leak)
>
> | #2 complete_v2_state_transition() md.from_state=PARENT_I1
> md.svm.state[from]=PARENT_I1 UNDEFINED->PARENT_I2 with status
> STF_FATAL
> "west" #2: encountered fatal error in state STATE_UNDEFINED
>
> so now its trying to kill #2; and release whacks ...
>
> | release_any_whack: state #2 has no whack fd; releasing pending
> whacks (in release_pending_whacks() at pending.c:131)
>
> | release_pending_whacks: IKE SA #1 fd-fd at 0x7fef409bb028 has pending
> CHILD SA with socket fd-fd at 0x7fef409bb028
>
> and the next problem - the code goes through the pending list looking
> for whacks to kill and, per that line, even finds them
> except it compares pending's "isakmp_sa" against the _child_, not IKE,
> and pending's whackfd against the null-fd (remember the child hasn't
> got one)
>
> -> so add more checks; or just not switch SAs.
>
> | pstats #2 ikev2.child deleted other
> | [RE]START processing: state #2 connection "west" from 192.1.2.23:500
> (in delete_state() at state.c:874)
> "west" #2: deleting state (STATE_UNDEFINED) aged 0.131s and NOT
> sending notification
> | child state #2: UNDEFINED(ignore) => delete
> ...
>
> things for state #1 then seem to wonder around in the weeds for a bit,
> but eventually there's an expire:
>
> | handling event EVENT_SA_EXPIRE for parent state #1
> | start processing: state #1 connection "west" from 192.1.2.23:500 (in
> timer_event_cb() at timer.c:250)
> ...
>
> which leads to the next problem - it doesn't release related whacks
> (but if any of the above worked it wouldn't matter).
>
> | release_any_whack: state #1 release fd-fd at 0x7fef409bb028; deleting
> state (in delete_state() at state.c:1112)
> | stop processing: state #1 from 192.1.2.23:500 (in delete_state() at
> state.c:1138)


More information about the Swan-dev mailing list