[Swan] puzzled by ikev2_delete_out
Matt Rogers
mrogers at redhat.com
Tue Oct 29 16:40:40 EET 2013
----- Original Message -----
> From: "D. Hugh Redelmeier" <hugh at mimosa.com>
> To: swan at lists.libreswan.org
> Sent: Tuesday, October 29, 2013 12:10:00 AM
> Subject: Re: [Swan] puzzled by ikev2_delete_out
>
> | From: Matt Rogers <mrogers at redhat.com>
>
> | > From: "D. Hugh Redelmeier" <hugh at mimosa.com>
>
> | > At the end of ikev2_delete_out, after the label "end", there is code to
> | > delete states. It is only used if something has gone wrong with sending
> | > a
> | > delete to the other side.
> | >
> | > There is a while loop that seems to change the state of every state
> | > object
> | > on the same hash chain as the victim. What's the reason for that?
> | > Is there any meaningful relationship between state objects on a hash
> | > chain?
>
> | The hash chain should only have the Parent SA and any of its associated
> | Child SA's - it looks like the STATE_CHILDSA_DEL/STATE_IKE_DEL state
> | change is just for later use in delete_state()
>
> Why? The hash chain should have any states which hash to the same
> bucket. The hash is of cookies (IKE SA SPIs in IKEv2 terms). But
> it is the nature of a hash that distinct cookies could get hashed to
> the same bucket.
Ah, I see that now. My assumption must have been the same as the author's :D
So would it be possible that deleting states on the hash chain
could kill some unrelated SAs?
>
> I think that any deletion ought to check that the cookies match!
> Actually, just as good: check the st_cloned_from value.
>
> | But with this, I think I spot a bug in delete_state(). If we set a
> | parent SA to STATE_IKESA_DEL and delete_state() processes it,
> |
> | if (IS_IPSEC_SA_ESTABLISHED(st->st_state) ||
> | IS_CHILD_SA_ESTABLISHED(st))
> | delete_ipsec_sa(st, FALSE);
> |
> | STATE_IKESA_DEL is not included in either of these macros, only
> | STATE_CHILDSA_DEL. I'm not sure how likely we would be to reach this
> | condition, though.
>
> Could you explain the problem you see? I'm not familiar with the v2
> code.
>
> I don't think that the parent would have an ipsec_sa to delete.
>
True, I misread the code a bit.. although, setting STATE_IKESA_DEL doesn't
seem to affect anything in delete_state anyways.
_______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
>
More information about the Swan
mailing list