[Swan] puzzled by ikev2_delete_out

Matt Rogers mrogers at redhat.com
Tue Oct 29 16:40:40 EET 2013


----- Original Message -----
> From: "D. Hugh Redelmeier" <hugh at mimosa.com>
> To: swan at lists.libreswan.org
> Sent: Tuesday, October 29, 2013 12:10:00 AM
> Subject: Re: [Swan] puzzled by ikev2_delete_out
> 
> | From: Matt Rogers <mrogers at redhat.com>
> 
> | > From: "D. Hugh Redelmeier" <hugh at mimosa.com>
> 
> | > At the end of ikev2_delete_out, after the label "end", there is code to
> | > delete states.  It is only used if something has gone wrong with sending
> | > a
> | > delete to the other side.
> | > 
> | > There is a while loop that seems to change the state of every state
> | > object
> | > on the same hash chain as the victim.  What's the reason for that?
> | > Is there any meaningful relationship between state objects on a hash
> | > chain?
> 
> | The hash chain should only have the Parent SA and any of its associated
> | Child SA's - it looks like the STATE_CHILDSA_DEL/STATE_IKE_DEL state
> | change is just for later use in delete_state()
> 
> Why?  The hash chain should have any states which hash to the same
> bucket.  The hash is of cookies (IKE SA SPIs in IKEv2 terms).  But
> it is the nature of a hash that distinct cookies could get hashed to
> the same bucket.

Ah, I see that now. My assumption must have been the same as the author's :D 
So would it be possible that deleting states on the hash chain
could kill some unrelated SAs?

> 
> I think that any deletion ought to check that the cookies match!
> Actually, just as good: check the st_cloned_from value.
> 
> | But with this, I think I spot a bug in delete_state(). If we set a
> | parent SA to STATE_IKESA_DEL and delete_state() processes it,
> | 
> |         if (IS_IPSEC_SA_ESTABLISHED(st->st_state) ||
> |             IS_CHILD_SA_ESTABLISHED(st))
> |                 delete_ipsec_sa(st, FALSE);
> | 
> | STATE_IKESA_DEL is not included in either of these macros, only
> | STATE_CHILDSA_DEL. I'm not sure how likely we would be to reach this
> | condition, though.
> 
> Could you explain the problem you see?  I'm not familiar with the v2
> code.
> 
> I don't think that the parent would have an ipsec_sa to delete.
> 

True, I misread the code a bit.. although, setting STATE_IKESA_DEL doesn't 
seem to affect anything in delete_state anyways.

_______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
> 


More information about the Swan mailing list