Let me see ...

"west" #1: Failed to find our RSA key

ok, so STF_FATAL is returned, it releases all pending whacks associated with #1, and life is good; except ...

.. in addition to creating #2 the child, it's switched MD.ST from #1 to #2 which causes complete_v2_state_transition(md->st) to:

| suspend processing: state #1 connection "west" from 192.1.2.23:500 (in complete_v2_state_transition() at ikev2.c:3383)
| start processing: state #2 connection "west" from 192.1.2.23:500 (in complete_v2_state_transition() at ikev2.c:3383)

which is the first problem - switching global state midway through a transition isn't going to go well; nor is blatting md.st ...

this is also the second problem - per below, #2 doesn't inherit #1's whack FD so none of the below is seen by whack!

-> let's stop (ab)using md.st; failing that ...
-> let's abuse md.st and set it back to the IKE SA before returning STF_FATAL!?!
-> is there a reason to not have #2 inherit #1's whack-fd (but I wonder if it would leak)

| #2 complete_v2_state_transition() md.from_state=PARENT_I1 md.svm.state[from]=PARENT_I1 UNDEFINED->PARENT_I2 with status STF_FATAL
"west" #2: encountered fatal error in state STATE_UNDEFINED

so now it's trying to kill #2; and release whacks ...

| release_any_whack: state #2 has no whack fd; releasing pending whacks (in release_pending_whacks() at pending.c:131)
| release_pending_whacks: IKE SA #1 fd-fd@0x7fef409bb028 has pending CHILD SA with socket fd-fd@0x7fef409bb028

and the next problem - the code goes through the pending list looking for whacks to kill and, per that line, even finds them except it compares pending's "isakmp_sa" against the _child_, not IKE, and pending's whackfd against the null-fd (remember the child hasn't got one)

-> so add more checks; or just not switch SAs.

| pstats #2 ikev2.child deleted other
| [RE]START processing: state #2 connection "west" from 192.1.2.23:500 (in delete_state() at state.c:874)
"west" #2: deleting state (STATE_UNDEFINED) aged 0.131s and NOT sending notification
| child state #2: UNDEFINED(ignore) => delete
...

things for state #1 then seem to wander around in the weeds for a bit, but eventually there's an expire:

| handling event EVENT_SA_EXPIRE for parent state #1
| start processing: state #1 connection "west" from 192.1.2.23:500 (in timer_event_cb() at timer.c:250)
...

which leads to the next problem - it doesn't release related whacks (but if any of the above worked it wouldn't matter).

| release_any_whack: state #1 release fd-fd@0x7fef409bb028; deleting state (in delete_state() at state.c:1112)
| stop processing: state #1 from 192.1.2.23:500 (in delete_state() at state.c:1138)

_______________________________________________
Swan-dev mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan-dev
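
An added example, not part of the original message and not libreswan code: a simplified C model of the pending-list matching described above, with hypothetical struct and function names. It shows why a lookup keyed on the child (#2, no whack fd) releases nothing, while resolving to the IKE SA (#1) first does; the fd value 7 is constructed.

```c
/* Simplified model of the matching problem; not libreswan source.
 * All struct, field and function names here are hypothetical. */
#include <stddef.h>

#define NO_FD (-1)            /* stands in for the null whack fd */

struct state {
    unsigned serialno;        /* #1, #2, ... */
    unsigned ike_serialno;    /* 0 for an IKE SA, else the owning IKE SA */
    int whack_fd;             /* NO_FD when the state has none */
};

struct pending {              /* CHILD SA queued behind an IKE SA */
    unsigned ike_serialno;
    int whack_fd;
};

/* Match on the state handed in: serial and fd must both equal the entry's. */
static int release_by_given_state(struct pending *p, size_t n, const struct state *st)
{
    int released = 0;
    for (size_t i = 0; i < n; i++)
        if (p[i].whack_fd != NO_FD && p[i].ike_serialno == st->serialno &&
            p[i].whack_fd == st->whack_fd) {
            p[i].whack_fd = NO_FD;   /* a real daemon would close the fd here */
            released++;
        }
    return released;
}

/* Extra check: resolve a child to its IKE SA first, ignore the child's fd. */
static int release_by_ike_sa(struct pending *p, size_t n, const struct state *st)
{
    unsigned ike = st->ike_serialno ? st->ike_serialno : st->serialno;
    int released = 0;
    for (size_t i = 0; i < n; i++)
        if (p[i].whack_fd != NO_FD && p[i].ike_serialno == ike) {
            p[i].whack_fd = NO_FD;
            released++;
        }
    return released;
}

int main(void)
{
    struct pending q[] = { { 1, 7 } };     /* constructed: child pending on IKE SA #1 */
    struct state child = { 2, 1, NO_FD };  /* #2, child of #1, no whack fd */
    return !(release_by_given_state(q, 1, &child) == 0 && release_by_ike_sa(q, 1, &child) == 1);
}
```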
