ERROR - ipv6 sendmsg --> "Invalid argument"
Bug in setting source IP for IKE packets causes failure to install IPv6 CHILD_SA when built with certain compilers
https://wiki.strongswan.org/issues/1171
Further discussions, tests (thanks Yves-Alexis!) and research showed that this was caused by a bug in the socket-default plugin that manifested itself with newer versions of GCC.
In this particular case (IPv6) the problematic code looks like this:
    else
    {
        /* Control buffer for the ancillary data. It is a local of this block,
           so its lifetime ends at the closing brace below. */
        char buf[CMSG_SPACE(sizeof(struct in6_pktinfo))];
        struct in6_pktinfo *pktinfo;
        struct sockaddr_in6 *sin;

        memset(buf, 0, sizeof(buf));
        /* msg is declared in the enclosing scope and is passed to sendmsg()
           only after this block has ended. */
        msg.msg_control = buf;
        msg.msg_controllen = sizeof(buf);
        cmsg = CMSG_FIRSTHDR(&msg);
        cmsg->cmsg_level = SOL_IPV6;
        cmsg->cmsg_type = IPV6_PKTINFO;
        cmsg->cmsg_len = CMSG_LEN(sizeof(struct in6_pktinfo));
        pktinfo = (struct in6_pktinfo*)CMSG_DATA(cmsg);
        sin = (struct sockaddr_in6*)src->get_sockaddr(src);
        /* The intended source address is written into buf here; this is
           the store that newer GCC versions eliminate (see below). */
        memcpy(&pktinfo->ipi6_addr, &sin->sin6_addr, sizeof(struct in6_addr));
    }
The problem is that msg is defined and used (via sendmsg) outside the scope of this else-block. Because buf goes out of scope at the closing brace, a store into it that is never read while it is still alive is dead code from the compiler's point of view, and the compiler is free to drop it.
Newer versions of GCC (5.2.1 in the tests) optimized the memcpy() call away; the rest of the generated program code remained the same as with earlier versions. But without the address being set via IPV6_PKTINFO, the packets were not sent from the address intended by the IKE daemon.
This caused the failure to install the CHILD_SA because of the source address selection done by the daemon. Due to the option charon.prefer_temporary_addresses=no (default) the daemon intended to send the IKE packets from the static IPv6 address. But because of the issue above this address was not set, so the kernel's default source address selection kicked in, which prefers temporary addresses by default. Therefore, the packets were sent from the temporary address instead.
However, to build the NAT_DETECTION_SOURCE_IP payload the daemon also used its intended source address (i.e. the static address). This consequently caused a mismatch on the responder, which concluded that the initiator is behind a NAT. Because the Linux kernel currently does not support UDP encapsulation for IPv6, this resulted in the failure to install the IPsec SA.
A fix for the bug can be found in the 1171-socket-default-scope branch. A workaround in this particular case is to configure charon.prefer_temporary_addresses=yes, which causes charon to internally use the same source address as the kernel.
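The following is an added, self-contained illustration of the correct pattern; it is not strongSwan code and not the change from the 1171-socket-default-scope branch. The control buffer lives in a struct owned by the caller, so it is still alive when the msghdr is consumed, and a second function walks the control messages the way a consumer would to confirm the IPV6_PKTINFO entry really carries the intended source address. The helper names (pktinfo_ctx, build_ipv6_msg, msg_has_pktinfo, demo) and the 2001:db8:: addresses are constructed for this example; no packet is actually sent.

```c
#define _GNU_SOURCE          /* glibc exposes struct in6_pktinfo under this */
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Everything sendmsg() needs, kept together so that msg.msg_control never
   points at storage whose lifetime has already ended. */
struct pktinfo_ctx {
    struct msghdr msg;
    struct iovec iov;
    struct sockaddr_in6 dst;
    char ctrl[CMSG_SPACE(sizeof(struct in6_pktinfo))];
};

/* Fill ctx so that the packet is sent to dst from the source address src.
   Returns 0 on success, -1 if no control message header fits. */
int build_ipv6_msg(struct pktinfo_ctx *ctx, const struct in6_addr *src,
                   const struct sockaddr_in6 *dst, void *data, size_t len)
{
    struct cmsghdr *cmsg;
    struct in6_pktinfo *pktinfo;

    memset(ctx, 0, sizeof(*ctx));
    ctx->dst = *dst;
    ctx->iov.iov_base = data;
    ctx->iov.iov_len = len;
    ctx->msg.msg_name = &ctx->dst;
    ctx->msg.msg_namelen = sizeof(ctx->dst);
    ctx->msg.msg_iov = &ctx->iov;
    ctx->msg.msg_iovlen = 1;
    ctx->msg.msg_control = ctx->ctrl;          /* same lifetime as msg */
    ctx->msg.msg_controllen = sizeof(ctx->ctrl);

    cmsg = CMSG_FIRSTHDR(&ctx->msg);
    if (cmsg == NULL) {
        return -1;
    }
    cmsg->cmsg_level = SOL_IPV6;
    cmsg->cmsg_type = IPV6_PKTINFO;
    cmsg->cmsg_len = CMSG_LEN(sizeof(struct in6_pktinfo));
    pktinfo = (struct in6_pktinfo *)CMSG_DATA(cmsg);
    memset(pktinfo, 0, sizeof(*pktinfo));      /* ipi6_ifindex = 0: any interface */
    memcpy(&pktinfo->ipi6_addr, src, sizeof(struct in6_addr));
    return 0;
}

/* Walk the ancillary data like a consumer would and report whether an
   IPV6_PKTINFO entry carries exactly the expected source address. */
int msg_has_pktinfo(struct msghdr *msg, const struct in6_addr *expected)
{
    struct cmsghdr *cmsg;

    for (cmsg = CMSG_FIRSTHDR(msg); cmsg != NULL; cmsg = CMSG_NXTHDR(msg, cmsg)) {
        if (cmsg->cmsg_level == SOL_IPV6 && cmsg->cmsg_type == IPV6_PKTINFO) {
            const struct in6_pktinfo *pi = (const struct in6_pktinfo *)CMSG_DATA(cmsg);
            return memcmp(&pi->ipi6_addr, expected, sizeof(*expected)) == 0;
        }
    }
    return 0;
}

/* Build a message from src_str and check it against check_str.
   Returns 1 if the control message carries check_str, 0 otherwise. */
int demo(const char *src_str, const char *check_str)
{
    struct pktinfo_ctx ctx;
    struct in6_addr src, check;
    struct sockaddr_in6 dst;
    char payload[] = "IKE";                    /* constructed dummy payload */

    if (inet_pton(AF_INET6, src_str, &src) != 1 ||
        inet_pton(AF_INET6, check_str, &check) != 1) {
        return 0;
    }
    memset(&dst, 0, sizeof(dst));
    dst.sin6_family = AF_INET6;
    dst.sin6_port = htons(500);                /* IKE port, constructed peer */
    inet_pton(AF_INET6, "2001:db8::2", &dst.sin6_addr);

    if (build_ipv6_msg(&ctx, &src, &dst, payload, sizeof(payload) - 1) != 0) {
        return 0;
    }
    /* ctx (and therefore ctx.ctrl) is still in scope here, which is exactly
       where sendmsg(fd, &ctx.msg, 0) would be called. */
    return msg_has_pktinfo(&ctx.msg, &check);
}

int main(void)
{
    printf("static address carried in IPV6_PKTINFO: %s\n",
           demo("2001:db8::1", "2001:db8::1") ? "yes" : "no");
    return 0;
}
```

The point of the struct is not the struct itself but the lifetime: whatever holds the control buffer must outlive the sendmsg() call that reads it, otherwise the compiler is entitled to treat the memcpy() as a dead store, exactly as observed above.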