Subject: Re: racoon + generate_policy
To: None <current-users@netbsd.org>
From: Paul Dokas <dokas@cs.umn.edu>
List: current-users
Date: 01/21/2002 16:15:55
On Fri, Jan 18, 2002 at 03:07:54PM -0600, Paul Dokas wrote:
>
> I think I found the problem. Using setkey -x, I tracked the transactions
> with the kernel. Sure enough, the kernel gives an ENOENT when racoon attempts
> to do a SADB_X_SPDUPDATE to install a new policy.
>
> To my reading, the problem appears to be related to the code near line 1581
> of /sys/netkey/key.c
>
> ------------------------------snip-snip------------------------------
> /*
>  * checking there is SP already or not.
>  * If type is SPDUPDATE and no SP found, then error.
>  * If type is either SPDADD or SPDSETIDX and SP found, then error.
>  */
> newsp = key_getsp(&spidx);
> if (mhp->msg->sadb_msg_type == SADB_X_SPDUPDATE) {
>         if (newsp == NULL) {
> #ifdef IPSEC_DEBUG
>                 printf("key_spdadd: no SP found.\n");
> #endif
>                 return key_senderror(so, m, ENOENT);
>         }
>
>         newsp->state = IPSEC_SPSTATE_DEAD;
>         key_freesp(newsp);
> } else {
>         if (newsp != NULL) {
>                 key_freesp(newsp);
> #ifdef IPSEC_DEBUG
>                 printf("key_spdadd: a SP entry exists already.\n");
> #endif
>                 return key_senderror(so, m, EEXIST);
>         }
> }
> ------------------------------snip-snip------------------------------
Following up my own email....
This bit of code definitely appears to be the problem.
Checking the KAME 2002-01-21 snapshot, this same bit of code looks like this:
------------------------------snip-snip------------------------------
/*
 * checking there is SP already or not.
 * SPDUPDATE doesn't depend on whether there is a SP or not.
 * If the type is either SPDADD or SPDSETIDX AND a SP is found,
 * then error.
 */
newsp = key_getsp(&spidx);
if (mhp->msg->sadb_msg_type == SADB_X_SPDUPDATE) {
        if (newsp) {
                newsp->state = IPSEC_SPSTATE_DEAD;
                key_freesp(newsp);
        }
} else {
        if (newsp != NULL) {
                key_freesp(newsp);
                ipseclog((LOG_DEBUG, "key_spdadd: a SP entry exists already.\n"));
                return key_senderror(so, m, EEXIST);
        }
}
------------------------------snip-snip------------------------------
It will delete any existing SPD entry, if one exists, and then create
a new SPD entry. In other words, an SPDUPDATE in recent versions of
KAME means:
+ delete any old SPD entries, if any
+ create a new SPD entry.
While the older version of the KAME code, as found in NetBSD-current
means:
+ delete any old SPD entries, return ENOENT if one doesn't exist
+ create a new one, if one
Given that the code in /sys/netkey/ in -current is really old and obviously
doesn't work for some cases (racoon + generate_policy), is there any chance
of getting a more recent version of /sys/netkey/ folded into -current?
Paul
--
Paul Dokas dokas@cs.umn.edu
======================================================================
Don Juan Matus: "an enigma wrapped in mystery wrapped in a tortilla."
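The two SPDUPDATE behaviours compared in the message above, as an added model that is not part of the message and is not NetBSD or KAME code. It replaces the kernel's SPD with a small fixed array keyed by a constructed selector string (standing in for struct secpolicyindex), keeps only the decision logic of the two key_spdadd() excerpts, and lets you run racoon's sequence (SPDUPDATE against an empty SPD, then SPDUPDATE again for the same selector) against either branch and compare the errno that would come back on the PF_KEY socket.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Added model of the key_spdadd() decision quoted above; not NetBSD or KAME
 * code. The SPD is a fixed array keyed by a selector string standing in for
 * struct secpolicyindex; every selector used here is constructed. */
#define SPD_MAX 8
enum sp_state { SP_ALIVE, SP_DEAD };          /* IPSEC_SPSTATE_* analogues */
enum msg_type { MSG_SPDADD, MSG_SPDUPDATE };  /* SADB_X_SPDADD / SADB_X_SPDUPDATE */

struct secpolicy { int in_use; enum sp_state state; char selector[64]; };
struct spd { struct secpolicy sp[SPD_MAX]; };

/* key_getsp() analogue: the live policy matching sel, or NULL. */
static struct secpolicy *spd_lookup(struct spd *d, const char *sel)
{
    for (int i = 0; i < SPD_MAX; i++) {
        struct secpolicy *p = &d->sp[i];
        if (p->in_use && p->state == SP_ALIVE && strcmp(p->selector, sel) == 0)
            return p;
    }
    return NULL;
}

/* Allocate a fresh live policy. Dead entries keep their slot, as in the
 * kernel they linger until key_freesp() drops the last reference. */
static int spd_insert(struct spd *d, const char *sel)
{
    for (int i = 0; i < SPD_MAX; i++) {
        struct secpolicy *p = &d->sp[i];
        if (!p->in_use) {
            p->in_use = 1;
            p->state = SP_ALIVE;
            snprintf(p->selector, sizeof p->selector, "%s", sel);
            return 0;
        }
    }
    return ENOBUFS;
}

/* Returns 0 or the errno key_senderror() would hand back on the PF_KEY
 * socket. old_semantics != 0 follows the NetBSD-current branch (SPDUPDATE
 * with no SP is ENOENT), 0 follows the KAME 2002-01-21 branch. */
static int spdadd_model(struct spd *d, enum msg_type type, const char *sel,
                        int old_semantics)
{
    struct secpolicy *newsp = spd_lookup(d, sel);

    if (type == MSG_SPDUPDATE) {
        if (newsp == NULL) {
            if (old_semantics)
                return ENOENT;       /* "key_spdadd: no SP found." */
            /* new KAME: SPDUPDATE does not depend on an existing SP */
        } else {
            newsp->state = SP_DEAD;  /* retire the old policy, then re-add */
        }
    } else if (newsp != NULL) {
        return EEXIST;               /* "a SP entry exists already." */
    }
    return spd_insert(d, sel);
}

static int spd_count(const struct spd *d, enum sp_state st)
{
    int n = 0;
    for (int i = 0; i < SPD_MAX; i++)
        if (d->sp[i].in_use && d->sp[i].state == st)
            n++;
    return n;
}

/* racoon + generate_policy installs the negotiated policy with SPDUPDATE even
 * when nothing is there yet: result of that first message on an empty SPD. */
static int first_update_on_empty_spd(int old_semantics)
{
    struct spd d;
    memset(&d, 0, sizeof d);
    return spdadd_model(&d, MSG_SPDUPDATE, "10.0.0.0/24 10.0.1.0/24 any", old_semantics);
}

/* New semantics, SPDUPDATE twice for one selector: one live policy, one dead.
 * Packed as live*10 + dead; -1 if either update fails. */
static int update_twice_new_semantics(void)
{
    struct spd d;
    const char *sel = "10.0.0.0/24 10.0.1.0/24 any";
    memset(&d, 0, sizeof d);
    if (spdadd_model(&d, MSG_SPDUPDATE, sel, 0) != 0) return -1;
    if (spdadd_model(&d, MSG_SPDUPDATE, sel, 0) != 0) return -1;
    return spd_count(&d, SP_ALIVE) * 10 + spd_count(&d, SP_DEAD);
}

int main(void)
{
    printf("SPDUPDATE on empty SPD: -current=%d (ENOENT=%d), KAME=%d\n",
           first_update_on_empty_spd(1), ENOENT, first_update_on_empty_spd(0));
    printf("SPDUPDATE twice (KAME): live*10+dead=%d\n", update_twice_new_semantics());
    return 0;
}
```

The model makes the mismatch the message describes visible in one run: the -current branch rejects racoon's very first SPDUPDATE with ENOENT because no policy exists yet, while the newer KAME branch treats SPDUPDATE as delete-if-present plus add, so the same sequence installs the policy and a repeat simply retires the previous entry.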