While adding tests for nss/ocsp (nss-cert-10-notyetvalid-responder) I
noticed that the whack isn't released in the STF_FAIL case:

west #
 ipsec auto --up nss-cert
002 "nss-cert" #1: initiating Main Mode
104 "nss-cert" #1: STATE_MAIN_I1: initiate
106 "nss-cert" #1: STATE_MAIN_I2: sent MI2, expecting MR2
002 "nss-cert" #1: I am sending my cert
002 "nss-cert" #1: I am sending a certificate request
108 "nss-cert" #1: STATE_MAIN_I3: sent MI3, expecting MR3
002 "nss-cert" #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=notyetvalid.testing.libreswan.org, E=test...@libreswan.org'
003 "nss-cert" #1: Certificate E=test...@libreswan.org,CN=notyetvalid.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA failed verification
003 "nss-cert" #1: ERROR: Peer's Certificate has expired.
003 "nss-cert" #1: no RSA public key known for 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=notyetvalid.testing.libreswan.org, E=test...@libreswan.org'
217 "nss-cert" #1: STATE_MAIN_I3: INVALID_KEY_INFORMATION
002 "nss-cert" #1: sending encrypted notification INVALID_KEY_INFORMATION to 192.1.2.23:500
#[root@west ]#  timedout send line: ipsec auto --up nss-cert
echo done

I checked with gdb, and release_whack() is called in ikev1.c in
complete_v1_state_transition()

	if (IS_PHASE1_INIT(st->st_state)) {
		delete_event(st);
		release_whack(st);
	}

And release_whack() itself is pretty simple:

void release_whack(struct state *st)
{
        close_any(st->st_whack_sock);
}

with close_any being a macro:

include/constants.h:#define close_any(fd)  { if ((fd) != NULL_FD) { close(fd); (fd) = NULL_FD; } }


Anyone have any theories as to what could be going on?

Paul
_______________________________________________
Swan-dev mailing list
Swan-dev@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan-dev
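An added, stand-alone illustration (not code from the mail or from libreswan) of what the quoted close_any() macro buys: because it resets the field to NULL_FD, a second release_whack() on the same state is a harmless no-op instead of closing whatever unrelated descriptor has since reused the number. The struct state here is a hypothetical stand-in with only the st_whack_sock field, and /dev/null stands in for the whack socket.

```c
#include <fcntl.h>
#include <stdbool.h>
#include <unistd.h>

#define NULL_FD (-1)
/* close_any() exactly as quoted from include/constants.h in the mail. */
#define close_any(fd)  { if ((fd) != NULL_FD) { close(fd); (fd) = NULL_FD; } }

/* Hypothetical stand-in for libreswan's struct state: only the whack socket field. */
struct state {
	int st_whack_sock;
};
/* release_whack() as quoted in the mail. */
void release_whack(struct state *st)
{
	close_any(st->st_whack_sock);
}
/* Variant that closes but never resets the field: the hazard close_any() avoids. */
void release_whack_no_reset(struct state *st)
{
	if (st->st_whack_sock != NULL_FD)
		close(st->st_whack_sock);
}
static bool fd_is_open(int fd)
{
	return fd >= 0 && fcntl(fd, F_GETFD) != -1;
}

/* Release a constructed "whack socket" (/dev/null), open an unrelated descriptor
 * (POSIX hands back the lowest free number, i.e. the one just closed), then
 * release again.  Returns a bitmask: bit 0 = field reset to NULL_FD, bit 1 =
 * original descriptor closed, bit 2 = unrelated descriptor survived the second
 * release.  Correct release: 7; release without reset: 2. */
int check_double_release(void (*release)(struct state *))
{
	struct state st = { .st_whack_sock = open("/dev/null", O_RDONLY) };
	if (st.st_whack_sock < 0)
		return -1;
	int sock = st.st_whack_sock, result = 0;

	release(&st);
	result |= (st.st_whack_sock == NULL_FD) ? 1 : 0;
	result |= fd_is_open(sock) ? 0 : 2;

	int other = open("/dev/null", O_RDONLY);   /* reuses the number `sock` had */
	release(&st);                               /* second release must be a no-op */
	result |= fd_is_open(other) ? 4 : 0;
	close(other);
	return result;
}
```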