[Openswan dev] process_v2_packet() makes wrong assumption on md->hdr.isa_icookie?

Paul Wouters paul at nohats.ca
Thu Feb 2 20:41:18 EST 2012

Hi Michael,

I have a question regarding process_v2_packet().

You changed some code related to ISAKMP_FLAGS_I and ISAKMP_FLAGS_R.
If I read the IKEv2 spec, those are the IKE SPIs (a.k.a. cookies).
So only on the first packet on the initiator is the rcookie (or
md->hdr.isa_flags & ISAKMP_FLAGS_R) zero.

I do not understand this chunk from commit b7c26a49faf7:

-    st = find_state_ikev2(md->hdr.isa_icookie, md->hdr.isa_rcookie);
-    if(st == NULL) {
-       st = find_state_ikev2(md->hdr.isa_icookie, zero_cookie);
+    md->msgid_received = ntohl(md->hdr.isa_msgid);
+    if(md->hdr.isa_flags & ISAKMP_FLAGS_I) {
+       /* then I am the responder */
         rcookiezero = is_zero_cookie(md->hdr.isa_rcookie);
-       if(st && !rcookiezero) {
-           unhash_state(st);
-           memcpy(st->st_rcookie, md->hdr.isa_rcookie, COOKIE_SIZE);
-           insert_state(st);
+       md->role = RESPONDER;
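Review bot: the removed branch that re-keyed a state found under the zero cookie (unhash_state(), memcpy() into st->st_rcookie, insert_state()) has no visible replacement in this hunk; unless the rest of the commit re-inserts the initiator's state under (icookie, rcookie) once the IKE_SA_INIT response brings the real rcookie, every later packet from the responder carries a nonzero rcookie and will miss an exact-match lookup. The comment "/* then I am the responder */" would also read better with the flag's definition spelled out: per RFC 5996 section 3.1 the Initiator bit (0x08) is set in every message sent by the original initiator, not only the first, so the test expresses the peer's role for the life of the SA rather than whether an icookie is present (the icookie is present in all messages).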

You basically say if there is an icookie, then we must be a responder,
but if we are initiator, on our return packet we also see (our!)
icookie? In fact, every valid IKEv2 packet must have the icookie set?

The code you deleted seems to be correct. First try and match
on the icookie/rcookie, in case this is not a "first packet". Then try
with zero rcookie, I guess in case this is a re-transmit and we already
have a state for it?

I am also not sure why we are setting md->role? Shouldn't any state we
find already know its role? And if it is a new state we know when we are
initiator (we create the icookie and set rcookie to zero) and we know the
1 case (rcookie = 0) on a new state that we are supposed to be the responder?


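The question above turns on what the IKEv2 header actually tells a receiver: the initiator SPI (icookie) is nonzero in every message, the responder SPI (rcookie) is zero only in the first IKE_SA_INIT request, and the Initiator flag bit says which side sent the message. The following is an added example, not Openswan code or anything from the thread; it packs and parses a 28-byte IKEv2 header with the RFC 5996 section 3.1 field layout and flag bits (assumed to be what ISAKMP_FLAGS_I / ISAKMP_FLAGS_R name), derives the receiver's role from the flag, and shows the two-step state lookup the deleted code did: exact (icookie, rcookie) first, then (icookie, zero) for an initiator state that has not yet learned its peer's SPI, followed by re-keying that state. The SPI values and the StateTable class are constructed for illustration.

```python
"""IKEv2 header parsing and IKE SA lookup by SPI pair (added example)."""
import struct
from typing import Dict, Optional, Tuple

IKE_HDR_LEN = 28
IKEV2_MAJOR = 2
# Flag bits from RFC 5996 section 3.1 (assumed to match Openswan's macros).
FLAG_INITIATOR = 0x08   # set in every message sent by the original initiator
FLAG_RESPONSE = 0x20    # set in every response message
ZERO_SPI = b"\x00" * 8  # the "zero cookie": rcookie of the first IKE_SA_INIT request
IKE_SA_INIT, IKE_AUTH = 34, 35   # exchange type values from RFC 5996

HDR_FMT = "!8s8sBBBBII"   # ispi, rspi, next payload, version, exchange, flags, msgid, length


def build_header(ispi: bytes, rspi: bytes, exchange: int, flags: int,
                 msgid: int, payload_len: int = 0) -> bytes:
    """Pack a 28-byte IKEv2 header; used here only to construct test input."""
    version = IKEV2_MAJOR << 4            # major 2, minor 0
    return struct.pack(HDR_FMT, ispi, rspi, 0, version, exchange, flags,
                       msgid, IKE_HDR_LEN + payload_len)


def parse_header(pkt: bytes) -> dict:
    """Parse the fixed header and reject values a conforming peer never sends."""
    if len(pkt) < IKE_HDR_LEN:
        raise ValueError("truncated IKE header")
    ispi, rspi, _nxt, ver, exch, flags, msgid, length = struct.unpack(
        HDR_FMT, pkt[:IKE_HDR_LEN])
    if ver >> 4 != IKEV2_MAJOR:
        raise ValueError("not an IKEv2 header")
    if ispi == ZERO_SPI:
        raise ValueError("initiator SPI is never zero")
    if length < IKE_HDR_LEN or length > len(pkt):
        raise ValueError("length field disagrees with datagram size")
    return {"ispi": ispi, "rspi": rspi, "exchange": exch,
            "flags": flags, "msgid": msgid}


def receiver_role(hdr: dict) -> str:
    """Role of the node that received hdr, decided by the Initiator flag alone:
    if the sender is the original initiator, the receiver is the responder."""
    return "responder" if hdr["flags"] & FLAG_INITIATOR else "initiator"


class StateTable:
    """Toy IKE SA table keyed on (ispi, rspi), mirroring the lookup order
    of the deleted find_state_ikev2() calls."""

    def __init__(self) -> None:
        self._states: Dict[Tuple[bytes, bytes], dict] = {}

    def insert(self, ispi: bytes, rspi: bytes, role: str) -> dict:
        st = {"ispi": ispi, "rspi": rspi, "role": role}
        self._states[(ispi, rspi)] = st
        return st

    def find(self, hdr: dict) -> Optional[dict]:
        """Exact (ispi, rspi) match first; fall back to (ispi, zero) for an
        initiator state that has not yet learned the responder's SPI."""
        st = self._states.get((hdr["ispi"], hdr["rspi"]))
        if st is None:
            st = self._states.get((hdr["ispi"], ZERO_SPI))
        return st

    def learn_rspi(self, st: dict, rspi: bytes) -> dict:
        """Re-key a state from (ispi, 0) to (ispi, rspi) once the IKE_SA_INIT
        response reveals the responder SPI (the unhash/memcpy/insert step)."""
        del self._states[(st["ispi"], st["rspi"])]
        st["rspi"] = rspi
        self._states[(st["ispi"], rspi)] = st
        return st


if __name__ == "__main__":
    ispi = bytes.fromhex("0102030405060708")   # constructed
    rspi = bytes.fromhex("a1a2a3a4a5a6a7a8")   # constructed
    tbl = StateTable()
    st = tbl.insert(ispi, ZERO_SPI, "initiator")      # we initiated; rcookie unknown
    reply = parse_header(build_header(ispi, rspi, IKE_SA_INIT, FLAG_RESPONSE, 0))
    print(receiver_role(reply), tbl.find(reply) is st)  # initiator True (zero-cookie fallback)
    tbl.learn_rspi(st, rspi)
    req = parse_header(build_header(ispi, rspi, IKE_AUTH, FLAG_INITIATOR, 1))
    print(receiver_role(req), tbl.find(req) is st)      # responder True (exact match)
```

The two prints show the point of the thread: the same icookie appears in both messages, so its presence says nothing about role; the Initiator flag does, and the zero-cookie fallback is only needed until the initiator's state has been re-keyed with the real rcookie.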