1734060 – libreswan false positive on duplicate acquires leads to ignored IKE requests and packet loss

Bug 1734060 - libreswan false positive on duplicate acquires leads to ignored IKE requests and packet loss [NEEDINFO]

Summary: libreswan false positive on duplicate acquires leads to ignored IKE requests ...

Keywords:
Status:	NEW
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	libreswan
Sub Component:
Version:	7.7
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Paul Wouters
QA Contact:	BaseOS QE Security Team
Docs Contact:
URL:
Whiteboard:
Depends On:	1734058
Blocks:
TreeView+	depends on / blocked

Reported:	2019-07-29 14:34 UTC by Paul Wouters
Modified:	2019-11-07 13:50 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:	1734058
Environment:
Last Closed:
Target Upstream Version:
Flags:	tjaros: needinfo? (pwouters)

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Paul Wouters 2019-07-29 14:34:55 UTC

+++ This bug was initially created as a clone of Bug #1734058 +++

There are some (as of yet unknown) scenario's where pluto receives a kernel ACQUIRE for which it already detects it has a valid STATE object. Thus, it interprets these as a "duplicate acquire" and no action is taken. However, the state found does not belong to a valid IPsec SA, and so the tunnel is down and cannot be started because it is deemed up based on the "duplicate" check.

When this happens, packets are dropped for a lack of IPsec SA - or leaked in the clear, depending on whether this was a "private" or "private-or-clear" group state.

Note You need to log in before you can comment on or make changes to this bug.