While adding tests for nss/ocsp (nss-cert-10-notyetvalid-responder) I noticed that the whack isn't released in the STF_FAIL case:
    west # ipsec auto --up nss-cert
    002 "nss-cert" #1: initiating Main Mode
    104 "nss-cert" #1: STATE_MAIN_I1: initiate
    106 "nss-cert" #1: STATE_MAIN_I2: sent MI2, expecting MR2
    002 "nss-cert" #1: I am sending my cert
    002 "nss-cert" #1: I am sending a certificate request
    108 "nss-cert" #1: STATE_MAIN_I3: sent MI3, expecting MR3
    002 "nss-cert" #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=notyetvalid.testing.libreswan.org, [email protected]'
    003 "nss-cert" #1: Certificate [email protected],CN=notyetvalid.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA failed verification
    003 "nss-cert" #1: ERROR: Peer's Certificate has expired.
    003 "nss-cert" #1: no RSA public key known for 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=notyetvalid.testing.libreswan.org, [email protected]'
    217 "nss-cert" #1: STATE_MAIN_I3: INVALID_KEY_INFORMATION
    002 "nss-cert" #1: sending encrypted notification INVALID_KEY_INFORMATION to 192.1.2.23:500
    #
    [root@west ]# timedout send line: ipsec auto --up nss-cert
    echo done

I checked with gdb, and release_whack() is called in ikev1.c in complete_v1_state_transition():

    if (IS_PHASE1_INIT(st->st_state)) {
        delete_event(st);
        release_whack(st);
    }

And release_whack() itself is pretty simple:

    void release_whack(struct state *st)
    {
        close_any(st->st_whack_sock);
    }

with close_any being a macro:

    include/constants.h:#define close_any(fd) { if ((fd) != NULL_FD) { close(fd); (fd) = NULL_FD; } }

Anyone have any theories as to what could be going on?

Paul

_______________________________________________
Swan-dev mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan-dev
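Added example, not libreswan code and not from the post above: a small C model of the release_whack()/close_any() pair quoted in the message that checks, via fcntl(F_GETFD), whether the whack descriptor is actually closed at the kernel level rather than whether release_whack() ran. The one-field struct state and the pipe-backed descriptor are stand-ins; it covers the normal release plus two cases in which release_whack() runs yet the client still sees the socket open: the field already being NULL_FD, and a dup()'d copy held elsewhere.

```c
/* Added example (not libreswan code): a minimal model of release_whack()
 * and close_any() as quoted in the post, with a kernel-level check of
 * whether the descriptor really got closed. struct state is hypothetical. */
#include <fcntl.h>
#include <stdbool.h>
#include <unistd.h>
#define NULL_FD (-1)
/* same shape as the include/constants.h macro quoted in the post */
#define close_any(fd) { if ((fd) != NULL_FD) { close(fd); (fd) = NULL_FD; } }
struct state { int st_whack_sock; };   /* hypothetical, cut down to one field */
static void release_whack(struct state *st) { close_any(st->st_whack_sock); }
/* True if fd is still an open descriptor in this process (EBADF otherwise). */
static bool fd_is_open(int fd) { return fd >= 0 && fcntl(fd, F_GETFD) != -1; }

/* Case 1: normal path: the descriptor is closed and the field reset. */
bool release_closes_socket(void) {
    int p[2];
    if (pipe(p) == -1) return false;
    struct state st = { .st_whack_sock = p[1] };
    release_whack(&st);
    bool closed = !fd_is_open(p[1]) && st.st_whack_sock == NULL_FD;
    close(p[0]);
    return closed;
}

/* Case 2: the field is already NULL_FD (cleared earlier or never set), so
 * release_whack() runs but close_any() is a no-op and the socket stays open. */
bool release_is_noop_when_field_already_null(void) {
    int p[2];
    if (pipe(p) == -1) return false;
    struct state st = { .st_whack_sock = NULL_FD };  /* real fd held elsewhere */
    release_whack(&st);
    bool still_open = fd_is_open(p[1]);
    close(p[0]); close(p[1]);
    return still_open;
}

/* Case 3: a dup()'d copy exists: closing one descriptor does not close the
 * underlying socket, so the whack client keeps waiting on the other copy. */
bool release_leaves_dup_open(void) {
    int p[2];
    if (pipe(p) == -1) return false;
    int copy = dup(p[1]);
    struct state st = { .st_whack_sock = p[1] };
    release_whack(&st);
    bool still_open = fd_is_open(copy);
    close(p[0]); close(copy);
    return still_open;
}
```

Seeing release_whack() hit in gdb therefore only rules out the first case; checking the field's value at that breakpoint and whether the descriptor number is referenced anywhere else distinguishes the other two.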
