From efc9b61f59844a255e97afdb0f2128529ade6cc2 Mon Sep 17 00:00:00 2001
From: Daiki Ueno
Date: Sat, 30 Nov 2024 18:44:29 +0900
Subject: [PATCH] pluto: make sure to release whack FD after CREATE_CHILD_SA
When a Child SA is created with "ipsec auto --add --asynchronous", do not share the logging with the parent IKE SA in submit_v2_CREATE_CHILD_SA_new_child, as well as make sure to release whack FD after a successful completion of the async task.
Signed-off-by: Daiki Ueno
---
 programs/pluto/crypt_ke.c | 12 ++++++++++++
 programs/pluto/crypt_ke.h | 4 ++++
 programs/pluto/ikev2_create_child_sa.c | 16 ++++++++++------
 programs/pluto/ikev2_create_child_sa.h | 3 ++-
 programs/pluto/initiate.c | 3 ++-
 programs/pluto/pending.c | 3 ++-
 6 files changed, 32 insertions(+), 9 deletions(-)
diff --git a/programs/pluto/crypt_ke.c b/programs/pluto/crypt_ke.c
index 46c05b8aed..1117a684ec 100644
--- a/programs/pluto/crypt_ke.c
+++ b/programs/pluto/crypt_ke.c
@@ -59,6 +59,7 @@ struct task {
 chunk_t nonce;
 struct dh_local_secret *local_secret;
 ke_and_nonce_cb *cb;
+ bool detach_whack;
 };
 static void compute_ke_and_nonce(struct logger *logger,
@@ -92,6 +93,9 @@ static stf_status complete_ke_and_nonce(struct state *st,
 stf_status status = task->cb(st, md, task->local_secret, &task->nonce);
+ if (task->detach_whack) {
+ release_whack(st->st_logger, HERE);
+ }
 return status;
 }
@@ -104,10 +108,18 @@ static const struct task_handler ke_and_nonce_handler = {
 void submit_ke_and_nonce(struct state *st, const struct dh_desc *dh,
 ke_and_nonce_cb *cb, where_t where)
+{
+ submit_ke_and_nonce_detach_whack(st, dh, cb, where, false);
+}
+
+void submit_ke_and_nonce_detach_whack(struct state *st, const struct dh_desc *dh,
+ ke_and_nonce_cb *cb, where_t where,
+ bool detach_whack)
 {
 struct task *task = alloc_thing(struct task, "dh");
 task->dh = dh;
 task->cb = cb;
+ task->detach_whack = detach_whack;
 submit_task(st->st_logger, st, task, &ke_and_nonce_handler, where);
 }
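Review bot: The new `detach_whack` member of struct task is undocumented, and the name alone does not say when the release happens or which logger it applies to. A one-line comment on the field would make the contract visible to the next person touching the task struct, e.g. `bool detach_whack; /* release st->st_logger's whack fd once cb has run */`. struct task begins outside the hunk.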
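Review bot: release_whack() runs after task->cb() returns regardless of the stf_status the callback produced, whereas the commit message describes releasing the whack fd after a successful completion of the async task. If a failing callback is still expected to report to whack, the release needs a condition on `status`; if the unconditional release is intended, a comment should say so, e.g. `/* detached caller: drop the whack fd whatever the callback returned */`. The call also relies on `st` and `st->st_logger` still being valid after the callback; that appears to hold since the caller acts on the returned status, but it is worth confirming that no callback path frees the state first. complete_ke_and_nonce() starts outside the hunk.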
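Review bot: The wrapper passes a bare `false` to submit_ke_and_nonce_detach_whack(), while the pending.c call site in this same patch annotates its literal as `/*background*/false`; giving the literal the same treatment here, `submit_ke_and_nonce_detach_whack(st, dh, cb, where, /*detach_whack*/false);`, keeps both call sites readable at a glance. The new function also lacks a header comment stating that detach_whack causes the state's whack fd to be released after the callback, which is the one thing a caller needs to know before choosing it over submit_ke_and_nonce().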
diff --git a/programs/pluto/crypt_ke.h b/programs/pluto/crypt_ke.h
index 806dc7bbdb..74f2eff09d 100644
--- a/programs/pluto/crypt_ke.h
+++ b/programs/pluto/crypt_ke.h
@@ -38,6 +38,10 @@ typedef stf_status (ke_and_nonce_cb)(struct state *st, struct msg_digest *md,
 void submit_ke_and_nonce(struct state *st, const struct dh_desc *dh,
 ke_and_nonce_cb *cb, where_t where);
+void submit_ke_and_nonce_detach_whack(struct state *st, const struct dh_desc *dh,
+ ke_and_nonce_cb *cb, where_t where,
+ bool detach_whack);
+
 /*
 * KE and NONCE
 */
diff --git a/programs/pluto/ikev2_create_child_sa.c b/programs/pluto/ikev2_create_child_sa.c
index ff2cf3a016..9e0824d918 100644
--- a/programs/pluto/ikev2_create_child_sa.c
+++ b/programs/pluto/ikev2_create_child_sa.c
@@ -714,7 +714,8 @@ stf_status process_v2_CREATE_CHILD_SA_rekey_child_request(struct ike_sa *ike,
 void submit_v2_CREATE_CHILD_SA_new_child(struct ike_sa *ike,
 struct connection *c, /* for child */
 lset_t policy, int try,
- struct fd *whackfd)
+ struct fd *whackfd,
+ bool background)
 {
 struct child_sa *larval_child = new_v2_child_state(c, ike, IPSEC_SA, SA_INITIATOR,
@@ -725,9 +726,11 @@ void submit_v2_CREATE_CHILD_SA_new_child(struct ike_sa *ike,
 free_chunk_content(&larval_child->sa.st_nr); /* this is from the parent. */
 larval_child->sa.st_try = try;
- /* share the love; XXX: something better? */
- fd_delref(&ike->sa.st_logger->object_whackfd);
- ike->sa.st_logger->object_whackfd = fd_addref(whackfd);
+ if (!background) {
+ /* share the love; XXX: something better? */
+ fd_delref(&ike->sa.st_logger->object_whackfd);
+ ike->sa.st_logger->object_whackfd = fd_addref(whackfd);
+ }
 larval_child->sa.st_policy = policy;
 llog_sa(RC_LOG, larval_child,
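Review bot: The new declaration of submit_ke_and_nonce_detach_whack() carries no comment, so a reader of the header cannot tell what `detach_whack` does or when the fd is released relative to the callback. A short block comment above it would close that gap, stating that with detach_whack set the state's whack fd is released once the callback has run and that the caller must therefore not expect further whack output for that state, and that submit_ke_and_nonce() is the detach_whack=false form.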
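Review bot: In the `background` case the `whackfd` argument is left unused within the visible hunks: it is attached neither to the IKE SA's logger nor to the larval child's own logger, so whack output for the new child goes only wherever new_v2_child_state() already pointed it. If that is the intent, a comment on the `if (!background)` block would make it explicit, e.g. `/* background: leave the caller's whack fd alone; the child's own fd is released when its KE/nonce task completes */`; if the larval child is supposed to inherit whackfd for its own messages, that attachment still needs to happen here. The function starts and ends outside the hunk, so a use of whackfd further down cannot be ruled out from this view.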
@@ -752,8 +755,9 @@ void submit_v2_CREATE_CHILD_SA_new_child(struct ike_sa *ike,
 str_policy(policy, &pb),
 larval_child->sa.st_pfs_group == NULL ? "no-pfs" : larval_child->sa.st_pfs_group->common.fqn);
- submit_ke_and_nonce(&larval_child->sa, larval_child->sa.st_pfs_group /*possibly-null*/,
- queue_v2_CREATE_CHILD_SA_new_child_request, HERE);
+ submit_ke_and_nonce_detach_whack(&larval_child->sa, larval_child->sa.st_pfs_group /*possibly-null*/,
+ queue_v2_CREATE_CHILD_SA_new_child_request, HERE,
+ background);
 }
 static void llog_v2_success_new_child_request(struct ike_sa *ike)
diff --git a/programs/pluto/ikev2_create_child_sa.h b/programs/pluto/ikev2_create_child_sa.h
index bd9c0d6505..b032738e86 100644
--- a/programs/pluto/ikev2_create_child_sa.h
+++ b/programs/pluto/ikev2_create_child_sa.h
@@ -31,7 +31,8 @@ extern ikev2_state_transition_fn process_v2_CREATE_CHILD_SA_rekey_ike_response;
 extern void submit_v2_CREATE_CHILD_SA_new_child(struct ike_sa *ike,
 struct connection *c, /*child*/
 lset_t policy, int try,
- struct fd *whackfd);
+ struct fd *whackfd,
+ bool background);
 extern ikev2_state_transition_fn initiate_v2_CREATE_CHILD_SA_new_child_request;
 extern ikev2_state_transition_fn process_v2_CREATE_CHILD_SA_new_child_request;
diff --git a/programs/pluto/initiate.c b/programs/pluto/initiate.c
index 21821400d1..e9529247ad 100644
--- a/programs/pluto/initiate.c
+++ b/programs/pluto/initiate.c
@@ -367,7 +367,8 @@ void ipsecdoi_initiate(struct connection *c,
 cc = c;
 }
 submit_v2_CREATE_CHILD_SA_new_child(ike, cc, policy, try,
- logger->global_whackfd);
+ logger->global_whackfd,
+ background);
 }
 break;
 }
diff --git a/programs/pluto/pending.c b/programs/pluto/pending.c
index b022740c3e..120a196e65 100644
--- a/programs/pluto/pending.c
+++ b/programs/pluto/pending.c
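Review bot: The added `bool background` parameter of submit_v2_CREATE_CHILD_SA_new_child() is not described in the header, although the prototype already documents `c` inline with `/*child*/`; a matching annotation such as `bool background /* don't share whackfd with the IKE SA; release the child's fd when its KE/nonce task completes */` would tell callers what the flag changes. The definition in ikev2_create_child_sa.c would benefit from the same note, since the two call sites in this patch pass the flag without any hint of its effect.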
@@ -325,7 +325,8 @@ void unpend(struct ike_sa *ike, struct connection *cc)
 } else if (!already_has_larval_v2_child(ike, p->connection)) {
 submit_v2_CREATE_CHILD_SA_new_child(ike, p->connection, p->policy, p->try,
- p->whack_sock);
+ p->whack_sock,
+ /*background*/false);
 }
 break;
 case IKEv1:
-- 
2.47.0
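Review bot: The hard-coded `/*background*/false` means a child resumed from the pending queue always runs in foreground mode, sharing `p->whack_sock` with the IKE SA's logger and never taking the new detach path, even if the request that queued it was an asynchronous initiate. If struct pending does not record whether the original request was background (it is not visible here), this looks like a remaining gap in the fd-release story that the commit message does not mention; if pending requests are always foreground by construction, a comment saying why `false` is correct here would stop the next reader from re-opening the question. unpend() starts and ends outside the hunk.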