List:       strongswan-announce
Subject:    [strongSwan-dev] Race during IKE_SA negotiation?
From:       Noam Lampert <lampert () google ! com>
Date:       2015-02-10 15:31:04
Message-ID: CAP+SNUoWEdo7RAGE5Uo0yNmjy-iF=AUd+Y_GYgN06K7wi_F_cA () mail ! gmail ! com

Hey,

I suspect there is a bug here:
https://github.com/strongswan/strongswan/blob/master/src/libcharon/sa/ike_sa_manager.c#L1849

If UNIQUE_REPLACE is set, and strongswan is initiating an IKE_SA, and in
parallel a peer-initiated IKE_SA gets established, then the code pointed at
will not abort the in-progress negotiation (because its state is not
ESTABLISHED).

Combine this with the behavior that when an initiate times out (after
enough retransmits) it automatically starts retransmitting, and you get an
infinite loop of initiation attempts.

What is the logic in placing only some of the states here?

Noam

_______________________________________________
Dev mailing list
Dev@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/dev
