diff -Naur libreswan-3.25-orig/include/pluto_constants.h libreswan-3.25/include/pluto_constants.h
--- libreswan-3.25-orig/include/pluto_constants.h 2018-06-27 11:42:26.000000000 -0400
+++ libreswan-3.25/include/pluto_constants.h 2019-02-15 17:41:06.954865678 -0500
@@ -436,6 +436,8 @@
IMPAIR_SEND_PKCS7_THINGIE_IX, /* send certificates as a PKCS7 thingie */
+ IMPAIR_IKEv1_DEL_WITH_NOTIFY_IX,
+
IMPAIR_roof_IX /* first unassigned IMPAIR */
};
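Review bot: The new `IMPAIR_IKEv1_DEL_WITH_NOTIFY_IX` entry has no comment, while the neighbouring `IMPAIR_SEND_PKCS7_THINGIE_IX` line documents what it does. Impair flags make pluto emit deliberately non-conforming traffic, so each one should state its effect where it is declared. Going by the log message in ikev1_main.c, something like `/* IKEv1: append a bogus Notify payload after the Delete payload */` would do.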
@@ -495,6 +497,7 @@
#define IMPAIR_SEND_PKCS7_THINGIE LELEM(IMPAIR_SEND_PKCS7_THINGIE_IX)
+#define IMPAIR_IKEv1_DEL_WITH_NOTIFY LELEM(IMPAIR_IKEv1_DEL_WITH_NOTIFY_IX)
/* State of exchanges
*
* The name of the state describes the last message sent, not the
diff -Naur libreswan-3.25-orig/lib/libswan/impair.c libreswan-3.25/lib/libswan/impair.c
--- libreswan-3.25-orig/lib/libswan/impair.c 2018-06-27 11:42:26.000000000 -0400
+++ libreswan-3.25/lib/libswan/impair.c 2019-02-15 17:41:06.954865678 -0500
@@ -75,6 +75,8 @@
I(IMPAIR_ALLOW_DNS_INSECURE, "impair-allow-dns-insecure"),
I(IMPAIR_SEND_PKCS7_THINGIE, "impair-send-pkcs7-thingie"),
+
+ I(IMPAIR_IKEv1_DEL_WITH_NOTIFY, "impair-ikev1-del-with-notify"),
};
const enum_names impair_names = {
diff -Naur libreswan-3.25-orig/programs/pluto/ikev1_main.c libreswan-3.25/programs/pluto/ikev1_main.c
--- libreswan-3.25-orig/programs/pluto/ikev1_main.c 2018-06-27 11:42:26.000000000 -0400
+++ libreswan-3.25/programs/pluto/ikev1_main.c 2019-02-15 17:42:50.876885416 -0500
@@ -2491,12 +2491,36 @@
isad.isad_protoid = ns->proto;
isad.isad_nospi = 1;
+
+ if (DBGP(IMPAIR_IKEv1_DEL_WITH_NOTIFY))
+ isad.isad_np = ISAKMP_NEXT_N; /* Notify */
+
passert(out_struct(&isad, &isakmp_delete_desc, &r_hdr_pbs,
&del_pbs));
passert(out_raw(&ns->spi, sizeof(ipsec_spi_t),
&del_pbs,
"delete payload"));
close_output_pbs(&del_pbs);
+
+ if (DBGP(IMPAIR_IKEv1_DEL_WITH_NOTIFY)) {
+ pb_stream cruft_pbs;
+
+ libreswan_log("IMPAIR: adding bogus Notify payload after IKE Delete payload");
+ struct isakmp_notification isan = {
+ .isan_np = ISAKMP_NEXT_NONE,
+ .isan_doi = ISAKMP_DOI_IPSEC,
+ .isan_protoid = PROTO_ISAKMP,
+ .isan_spisize = COOKIE_SIZE * 2,
+ .isan_type = INVALID_PAYLOAD_TYPE,
+ };
+
+ passert(out_struct(&isan, &isakmp_notification_desc, &r_hdr_pbs,
+ &cruft_pbs));
+ passert(out_raw(&ns->spi, sizeof(ipsec_spi_t), &cruft_pbs,
+ "notify payload"));
+ close_output_pbs(&cruft_pbs);
+ }
+
}
}
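Review bot: The bogus Notify declares `.isan_spisize = COOKIE_SIZE * 2`, but the `out_raw()` that follows writes only `sizeof(ipsec_spi_t)` bytes of `ns->spi`, so the SPI size in the header does not match the bytes emitted. If the mismatch is part of the impairment, record that with a comment such as `/* deliberately malformed: SPI size field does not match the SPI bytes written */`; otherwise write the amount of data the header announces. Both `DBGP(IMPAIR_IKEv1_DEL_WITH_NOTIFY)` checks sit in a block that starts outside this hunk. If that block is a loop over several SAs, the Notify's `ISAKMP_NEXT_NONE` would end the payload chain before any later Delete payload, which is worth confirming against the intended test packet.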
@@ -2743,7 +2767,9 @@
rc->policy &= ~POLICY_UP;
if (!shared_phase1_connection(rc)) {
flush_pending_by_connection(rc);
+ /* This also deletes the IKE SA, clear pointer */
delete_states_by_connection(rc, FALSE);
+ md->st = NULL;
}
reset_cur_connection();
}
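Review bot: Clearing `md->st` resets only that one pointer; any local copy of it taken earlier in the enclosing function (which starts outside this hunk) would still refer to the state freed by `delete_states_by_connection()`. It is worth confirming that no such alias is read after this block, and that the remaining code and the callers accept `md->st == NULL`. The added comment could name the hazard directly, e.g. `/* may free the state md->st points at; clear it so nothing uses it after the delete */`.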