Subject: Re: racoon + generate_policy
To: None <current-users@netbsd.org>
From: Paul Dokas <dokas@cs.umn.edu>
List: current-users
Date: 01/18/2002 15:07:54
On Thu, Jan 17, 2002 at 02:29:17PM -0600, Paul Dokas wrote:
>
>   2002-01-17 13:49:48: DEBUG: pfkey.c:192:pfkey_handler(): get pfkey X_SPDUPDATE message
>   2002-01-17 13:49:48: ERROR: pfkey.c:207:pfkey_handler(): pfkey X_SPDUPDATE failed: No such file or directory
>   2002-01-17 13:49:48: DEBUG: pfkey.c:192:pfkey_handler(): get pfkey X_SPDUPDATE message
>   2002-01-17 13:49:48: ERROR: pfkey.c:207:pfkey_handler(): pfkey X_SPDUPDATE failed: No such file or directory

I think I found the problem.  Using setkey -x, I tracked the transactions
with the kernel.  Sure enough, the kernel gives an ENOENT when racoon attempts
to do a SADB_X_SPDUPDATE to install a new policy.

To my reading, the problem appears to be related to the code near line 1581
of /sys/netkey/key.c

------------------------------snip-snip------------------------------
        /*
         * checking there is SP already or not.
         * If type is SPDUPDATE and no SP found, then error.
         * If type is either SPDADD or SPDSETIDX and SP found, then error.
         */
        newsp = key_getsp(&spidx);
        if (mhp->msg->sadb_msg_type == SADB_X_SPDUPDATE) {
                if (newsp == NULL) {
#ifdef IPSEC_DEBUG
                        printf("key_spdadd: no SP found.\n");
#endif
                        return key_senderror(so, m, ENOENT);
                }

                newsp->state = IPSEC_SPSTATE_DEAD;
                key_freesp(newsp);
        } else {
                if (newsp != NULL) {
                        key_freesp(newsp);
#ifdef IPSEC_DEBUG
                        printf("key_spdadd: a SP entry exists already.\n");
#endif
                        return key_senderror(so, m, EEXIST);
                }
        }
------------------------------snip-snip------------------------------


This says that ENOENT will be returned if there is no existing policy.
However, I've told racoon to generate the new policy since one doesn't
exist.  I want a new policy to be created.

The problem is probably with racoon.  It should be doing an SADB_X_SPDADD
and not an SADB_X_SPDUPDATE.

I'll dig through racoon's source....


Paul
-- 
Paul Dokas                                            dokas@cs.umn.edu
======================================================================
Don Juan Matus:  "an enigma wrapped in mystery wrapped in a tortilla."
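As an added illustration of the check quoted from key.c above (this is a hypothetical user-space model written for this page, not code from the NetBSD kernel or from racoon): a tiny SPD table keyed by a policy-index string stands in for the kernel lookup, `spd_request()` mirrors the ENOENT/EEXIST decision, and `spd_install_or_replace()` shows the update-then-add fallback a daemon that generates policies on demand needs. The index strings and the `SPDADD`/`SPDUPDATE`/`SPDSETIDX` constants are constructed stand-ins.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for SADB_X_SPDADD / SADB_X_SPDUPDATE / SADB_X_SPDSETIDX. */
enum { SPDADD, SPDUPDATE, SPDSETIDX };
#define MAX_SP 8

/* Hypothetical SPD: one policy-index string per slot, "" marks an empty slot
 * (plays the role of the secpolicyindex looked up by key_getsp()). */
static char spd[MAX_SP][64];

static int find_sp(const char *idx) {
    for (int i = 0; i < MAX_SP; i++)
        if (spd[i][0] && strcmp(spd[i], idx) == 0) return i;
    return -1;
}

/* Same rule as the quoted kernel check: UPDATE requires an existing SP
 * (else ENOENT); ADD and SETIDX require that none exists (else EEXIST).
 * On UPDATE the old entry is retired and a fresh one installed. */
int spd_request(int type, const char *idx) {
    int i = find_sp(idx);
    if (type == SPDUPDATE) {
        if (i < 0) return ENOENT;           /* "no SP found" */
        spd[i][0] = '\0';                   /* old entry marked dead */
    } else if (i >= 0) {
        return EEXIST;                      /* "a SP entry exists already" */
    }
    for (i = 0; i < MAX_SP; i++) {
        if (!spd[i][0]) {
            snprintf(spd[i], sizeof spd[i], "%s", idx);
            return 0;
        }
    }
    return ENOBUFS;                         /* constructed: table full */
}

/* What a daemon that generates a policy on demand has to do: it cannot
 * know whether the SP exists, so try UPDATE and fall back to ADD on ENOENT. */
int spd_install_or_replace(const char *idx) {
    int rc = spd_request(SPDUPDATE, idx);
    if (rc == ENOENT) rc = spd_request(SPDADD, idx);
    return rc;
}

void spd_reset(void) { memset(spd, 0, sizeof spd); }
```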