From efc9b61f59844a255e97afdb0f2128529ade6cc2 Mon Sep 17 00:00:00 2001
|
|
From: Daiki Ueno <dueno@redhat.com>
|
|
Date: Sat, 30 Nov 2024 18:44:29 +0900
|
|
Subject: [PATCH] pluto: make sure to release whack FD after CREATE_CHILD_SA
|
|
|
|
When a Child SA is created with "ipsec auto --add --asynchronous", do
|
|
not share the logging with the parent IKE SA in
|
|
submit_v2_CREATE_CHILD_SA_new_child, as well as make sure to release
|
|
whack FD after a successful completion of the async task.
|
|
|
|
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
|
---
|
|
programs/pluto/crypt_ke.c | 12 ++++++++++++
|
|
programs/pluto/crypt_ke.h | 4 ++++
|
|
programs/pluto/ikev2_create_child_sa.c | 16 ++++++++++------
|
|
programs/pluto/ikev2_create_child_sa.h | 3 ++-
|
|
programs/pluto/initiate.c | 3 ++-
|
|
programs/pluto/pending.c | 3 ++-
|
|
6 files changed, 32 insertions(+), 9 deletions(-)
|
|
|
|
diff --git a/programs/pluto/crypt_ke.c b/programs/pluto/crypt_ke.c
|
|
index 46c05b8aed..1117a684ec 100644
|
|
--- a/programs/pluto/crypt_ke.c
|
|
+++ b/programs/pluto/crypt_ke.c
|
|
@@ -59,6 +59,7 @@ struct task {
|
|
chunk_t nonce;
|
|
struct dh_local_secret *local_secret;
|
|
ke_and_nonce_cb *cb;
|
|
+ bool detach_whack;
|
|
};
|
|
|
|
static void compute_ke_and_nonce(struct logger *logger,
|
|
@@ -92,6 +93,9 @@ static stf_status complete_ke_and_nonce(struct state *st,
|
|
stf_status status = task->cb(st, md,
|
|
task->local_secret,
|
|
&task->nonce);
|
|
+ if (task->detach_whack) {
|
|
+ release_whack(st->st_logger, HERE);
|
|
+ }
|
|
return status;
|
|
}
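Review bot: The added `release_whack(st->st_logger, HERE)` runs whatever `status` the callback returned, while the commit message says the FD is released "after a successful completion"; one of the two should be aligned — releasing on every outcome is the safer choice for not leaking the whack FD, so the message is probably what needs the fix, otherwise the condition becomes `if (task->detach_whack && status == STF_OK)`. The release also dereferences `st` after `task->cb()` has run; if any callback can delete or replace the state on failure, that is a use-after-free, so it is worth confirming the callbacks' contract or capturing `st->st_logger` before the call. `complete_ke_and_nonce` starts outside the hunk.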
|
|
|
|
@@ -104,10 +108,18 @@ static const struct task_handler ke_and_nonce_handler = {
|
|
|
|
void submit_ke_and_nonce(struct state *st, const struct dh_desc *dh,
|
|
ke_and_nonce_cb *cb, where_t where)
|
|
+{
|
|
+ submit_ke_and_nonce_detach_whack(st, dh, cb, where, false);
|
|
+}
|
|
+
|
|
+void submit_ke_and_nonce_detach_whack(struct state *st, const struct dh_desc *dh,
|
|
+ ke_and_nonce_cb *cb, where_t where,
|
|
+ bool detach_whack)
|
|
{
|
|
struct task *task = alloc_thing(struct task, "dh");
|
|
task->dh = dh;
|
|
task->cb = cb;
|
|
+ task->detach_whack = detach_whack;
|
|
submit_task(st->st_logger, st, task, &ke_and_nonce_handler, where);
|
|
}
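Review bot: `submit_ke_and_nonce_detach_whack` is a new public entry point with no comment saying what `detach_whack` does, and the same goes for its prototype in crypt_ke.h. Suggested comment above the definition (and the declaration): `/* As submit_ke_and_nonce(), but when detach_whack is true the state's whack FD is released in complete_ke_and_nonce() once the callback has run, so an asynchronous initiator does not keep the whack connection open. */`. The one-line `submit_ke_and_nonce` wrapper could carry `/* keeps the whack FD attached; see submit_ke_and_nonce_detach_whack() */` so readers know which variant to pick.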
|
|
|
|
diff --git a/programs/pluto/crypt_ke.h b/programs/pluto/crypt_ke.h
|
|
index 806dc7bbdb..74f2eff09d 100644
|
|
--- a/programs/pluto/crypt_ke.h
|
|
+++ b/programs/pluto/crypt_ke.h
|
|
@@ -38,6 +38,10 @@ typedef stf_status (ke_and_nonce_cb)(struct state *st, struct msg_digest *md,
|
|
void submit_ke_and_nonce(struct state *st, const struct dh_desc *dh,
|
|
ke_and_nonce_cb *cb, where_t where);
|
|
|
|
+void submit_ke_and_nonce_detach_whack(struct state *st, const struct dh_desc *dh,
|
|
+ ke_and_nonce_cb *cb, where_t where,
|
|
+ bool detach_whack);
|
|
+
|
|
/*
|
|
* KE and NONCE
|
|
*/
|
|
diff --git a/programs/pluto/ikev2_create_child_sa.c b/programs/pluto/ikev2_create_child_sa.c
|
|
index ff2cf3a016..9e0824d918 100644
|
|
--- a/programs/pluto/ikev2_create_child_sa.c
|
|
+++ b/programs/pluto/ikev2_create_child_sa.c
|
|
@@ -714,7 +714,8 @@ stf_status process_v2_CREATE_CHILD_SA_rekey_child_request(struct ike_sa *ike,
|
|
void submit_v2_CREATE_CHILD_SA_new_child(struct ike_sa *ike,
|
|
struct connection *c, /* for child */
|
|
lset_t policy, int try,
|
|
- struct fd *whackfd)
|
|
+ struct fd *whackfd,
|
|
+ bool background)
|
|
{
|
|
struct child_sa *larval_child = new_v2_child_state(c, ike, IPSEC_SA,
|
|
SA_INITIATOR,
|
|
@@ -725,9 +726,11 @@ void submit_v2_CREATE_CHILD_SA_new_child(struct ike_sa *ike,
|
|
free_chunk_content(&larval_child->sa.st_nr); /* this is from the parent. */
|
|
larval_child->sa.st_try = try;
|
|
|
|
- /* share the love; XXX: something better? */
|
|
- fd_delref(&ike->sa.st_logger->object_whackfd);
|
|
- ike->sa.st_logger->object_whackfd = fd_addref(whackfd);
|
|
+ if (!background) {
|
|
+ /* share the love; XXX: something better? */
|
|
+ fd_delref(&ike->sa.st_logger->object_whackfd);
|
|
+ ike->sa.st_logger->object_whackfd = fd_addref(whackfd);
|
|
+ }
|
|
larval_child->sa.st_policy = policy;
|
|
|
|
llog_sa(RC_LOG, larval_child,
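Review bot: `larval_child` is created by `new_v2_child_state()` before the `if (!background)` block, so the FD assigned here only ever lands on the IKE SA's logger; whether the larval child's own logger — the one `release_whack()` later clears in `complete_ke_and_nonce()` — ends up holding this whack FD depends on what `new_v2_child_state()` copies, which is outside the hunk and worth confirming for the non-background path. The new `background` parameter has no comment at either the definition or the prototype in ikev2_create_child_sa.h; suggested: `bool background) /* true: do not attach whackfd to the IKE SA; release the child's whack FD once the KE task completes */`. The `whackfd` argument is unused when `background` is true, which a one-line comment on the `if` would make explicit.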
|
|
@@ -752,8 +755,9 @@ void submit_v2_CREATE_CHILD_SA_new_child(struct ike_sa *ike,
|
|
str_policy(policy, &pb),
|
|
larval_child->sa.st_pfs_group == NULL ? "no-pfs" : larval_child->sa.st_pfs_group->common.fqn);
|
|
|
|
- submit_ke_and_nonce(&larval_child->sa, larval_child->sa.st_pfs_group /*possibly-null*/,
|
|
- queue_v2_CREATE_CHILD_SA_new_child_request, HERE);
|
|
+ submit_ke_and_nonce_detach_whack(&larval_child->sa, larval_child->sa.st_pfs_group /*possibly-null*/,
|
|
+ queue_v2_CREATE_CHILD_SA_new_child_request, HERE,
|
|
+ background);
|
|
}
|
|
|
|
static void llog_v2_success_new_child_request(struct ike_sa *ike)
|
|
diff --git a/programs/pluto/ikev2_create_child_sa.h b/programs/pluto/ikev2_create_child_sa.h
|
|
index bd9c0d6505..b032738e86 100644
|
|
--- a/programs/pluto/ikev2_create_child_sa.h
|
|
+++ b/programs/pluto/ikev2_create_child_sa.h
|
|
@@ -31,7 +31,8 @@ extern ikev2_state_transition_fn process_v2_CREATE_CHILD_SA_rekey_ike_response;
|
|
extern void submit_v2_CREATE_CHILD_SA_new_child(struct ike_sa *ike,
|
|
struct connection *c, /*child*/
|
|
lset_t policy, int try,
|
|
- struct fd *whackfd);
|
|
+ struct fd *whackfd,
|
|
+ bool background);
|
|
extern ikev2_state_transition_fn initiate_v2_CREATE_CHILD_SA_new_child_request;
|
|
extern ikev2_state_transition_fn process_v2_CREATE_CHILD_SA_new_child_request;
|
|
|
|
diff --git a/programs/pluto/initiate.c b/programs/pluto/initiate.c
|
|
index 21821400d1..e9529247ad 100644
|
|
--- a/programs/pluto/initiate.c
|
|
+++ b/programs/pluto/initiate.c
|
|
@@ -367,7 +367,8 @@ void ipsecdoi_initiate(struct connection *c,
|
|
cc = c;
|
|
}
|
|
submit_v2_CREATE_CHILD_SA_new_child(ike, cc, policy, try,
|
|
- logger->global_whackfd);
|
|
+ logger->global_whackfd,
|
|
+ background);
|
|
}
|
|
break;
|
|
}
|
|
diff --git a/programs/pluto/pending.c b/programs/pluto/pending.c
|
|
index b022740c3e..120a196e65 100644
|
|
--- a/programs/pluto/pending.c
|
|
+++ b/programs/pluto/pending.c
|
|
@@ -325,7 +325,8 @@ void unpend(struct ike_sa *ike, struct connection *cc)
|
|
} else if (!already_has_larval_v2_child(ike, p->connection)) {
|
|
submit_v2_CREATE_CHILD_SA_new_child(ike, p->connection,
|
|
p->policy, p->try,
|
|
- p->whack_sock);
|
|
+ p->whack_sock,
|
|
+ /*background*/false);
|
|
}
|
|
break;
|
|
case IKEv1:
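Review bot: `/*background*/false` is passed unconditionally, so a pending Child SA that was originally queued by an asynchronous request is re-attached to the parent IKE SA's whack FD when it is finally initiated, which reintroduces the sharing this commit removes for the direct path in initiate.c. If `struct pending` records (or can record) whether the request was asynchronous, that value should be forwarded here instead of the literal; if it cannot, a comment such as `/* pending requests are always treated as foreground; see submit_v2_CREATE_CHILD_SA_new_child() */` should state the choice. `unpend` starts outside the hunk.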
|
|
--
|
|
2.47.0
|
|
|