[Openswan dev] Multiple RW in Aggressive Mode with different PSK

hiren joshi joshihirenn at gmail.com
Fri Apr 3 05:20:37 EDT 2009


This is a somewhat old thread
(starts with: http://lists.openswan.org/pipermail/dev/2008-December/002010.html).
However, I found this behavior in openswan-2.6.20 also,
so I am sending a patch (second hunk) for the same.

--- programs/pluto/connections.c.orig	2009-04-03 13:07:46.000000000 +0530
+++ programs/pluto/connections.c	2009-04-03 13:08:46.000000000 +0530
@@ -2196,10 +2196,12 @@ find_host_connection2(const char *func
 	 * if we have requirements for the policy, choose the first matching
 	 * connection.
 	 */
+	DBG(DBG_CONTROLMORE,
+		DBG_log("searching for connection with policy = %s"
+			, bitnamesof(sa_policy_bit_names, policy)));
 	for (; c != NULL; c = c->hp_next) {
 	    DBG(DBG_CONTROLMORE,
-		DBG_log("searching for policy=%s, found=%s (%s)"
-			, bitnamesof(sa_policy_bit_names, policy)
+		DBG_log("found policy = %s (%s)"
 			, bitnamesof(sa_policy_bit_names, c->policy)
 			, c->name));
 	    if(NEVER_NEGOTIATE(c->policy)) continue;
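Review bot: the comment "if we have requirements for the policy, choose the first matching connection" now sits directly above the new DBG block instead of the for loop it describes; either place the added DBG call above that comment or extend the comment to mention the policy log line, so the loop keeps its explanation attached to it.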
@@ -2448,7 +2450,7 @@ refine_host_connection(const struct stat
 		    if (dpsk == NULL)
 			continue;	/* no secret */

-		    if (psk != dpsk)
+		    if (!aggrmode && psk != dpsk)
 			if (psk->len != dpsk->len
 			|| memcmp(psk->ptr, dpsk->ptr, psk->len) != 0)
 			    continue;	/* different secret */
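Review bot: with `!aggrmode &&` the PSK comparison is skipped entirely in aggressive mode, so refine_host_connection can select a candidate whose secret differs from the one held in psk, yet the `/* different secret */` comment and the surrounding lines give no hint of why that is acceptable; add a comment at the condition stating the aggressive-mode reasoning, and say whether anything already derived from the original psk is reused once a candidate with a different secret is chosen.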

The first hunk of this patch takes care of an entirely different issue.
As bitnamesbuf (lib/libopenswan/constants.c::1228) is shared,
bitnamesof(sa_policy_bit_names, policy) and
bitnamesof(sa_policy_bit_names, c->policy) print the same thing.

Before patch:
| searching for policy=PSK+AGGRESSIVE, found=PSK+AGGRESSIVE (main_rw-1)
| searching for policy=PSK+AGGRESSIVE, found=PSK+AGGRESSIVE (aggr_rw-1)
| find_host_connection returns aggr_rw-1

After patch:
| searching for connection with policy = PSK+AGGRESSIVE
| found policy = PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+FAILSHUNT1+DONTREKEY (main_rw-1)
| found policy = PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+FAILSHUNT1+DONTREKEY+AGGRESSIVE (aggr_rw-1)
| find_host_connection returns aggr_rw-1

Regards,
Hiren
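The shared-buffer problem described above, as an added example that is not Openswan's code: a toy bitnamesof with one static buffer reproduces why two calls in a single DBG_log argument list print the same names, and a reentrant variant with a caller-supplied buffer shows the fix. The bit names, bit values and function names here are constructed stand-ins, not the real sa_policy_bit_names.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for sa_policy_bit_names: bit i maps to name i. */
static const char *const policy_bit_names[] = {
    "PSK", "ENCRYPT", "COMPRESS", "TUNNEL", "PFS", "AGGRESSIVE"
};
#define POLICY_PSK        (1u << 0)
#define POLICY_ENCRYPT    (1u << 1)
#define POLICY_AGGRESSIVE (1u << 5)

/* Reentrant formatter: writes "A+B+C" into a caller-supplied buffer. */
static const char *bitnames_into(uint32_t bits, char *buf, size_t len)
{
    size_t used = 0;
    buf[0] = '\0';
    for (unsigned i = 0; i < sizeof policy_bit_names / sizeof policy_bit_names[0]; i++) {
        if (!(bits & (1u << i)))
            continue;
        int n = snprintf(buf + used, len - used, "%s%s", used ? "+" : "", policy_bit_names[i]);
        if (n < 0 || (size_t)n >= len - used)
            break;              /* truncated: stop appending */
        used += (size_t)n;
    }
    return buf;
}

/* Mirrors the hazard in the original: every call returns the same static buffer. */
static char shared_buf[128];
static const char *bitnames_shared(uint32_t bits)
{
    return bitnames_into(bits, shared_buf, sizeof shared_buf);
}

/* Pre-patch shape: two calls in one argument list; whichever is evaluated
 * last overwrites the buffer, so both %s print the same names. */
static int format_shared(uint32_t want, uint32_t have, char *out, size_t len)
{
    return snprintf(out, len, "searching for policy=%s, found=%s",
                    bitnames_shared(want), bitnames_shared(have));
}

/* Fixed shape: each value gets its own buffer, so both names survive. */
static int format_safe(uint32_t want, uint32_t have, char *out, size_t len)
{
    char a[128], b[128];
    return snprintf(out, len, "searching for policy=%s, found=%s",
                    bitnames_into(want, a, sizeof a), bitnames_into(have, b, sizeof b));
}
```

Because C leaves the evaluation order of function arguments unspecified, the shared version prints either policy twice; the only thing guaranteed is that the two fields agree, which is exactly the symptom in the "Before patch" log above.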

On Wed, Jan 7, 2009 at 7:43 PM, hiren joshi <joshihirenn at gmail.com> wrote:
> I tested it and it switches connections as needed.
> A minor modification in the patch:
>
> --- connections.c.orig  2008-12-30 18:42:26.000000000 +0530
> +++ connections.c       2009-01-02 12:51:31.000000000 +0530
> @@ -3785,7 +3785,7 @@ refine_host_connection(const struct stat
>                     if (dpsk == NULL)
>                         continue;       /* no secret */
>
> -                   if (psk != dpsk)
> +                   if (!aggrmode && psk != dpsk)
>                         if (psk->len != dpsk->len
>                         || memcmp(psk->ptr, dpsk->ptr, psk->len) != 0)
>                             continue;   /* different secret */
>
> Regards,
> -hiren
>
>>
>> > Should I bypass the check for Aggressive mode?
>> >
>> > --- connections.c.orig  2008-12-30 18:42:26.000000000 +0530
>> > +++ connections.c       2008-12-30 21:28:10.000000000 +0530
>> > @@ -3785,7 +3785,7 @@ refine_host_connection(const struct stat
>> >                     if (dpsk == NULL)
>> >                         continue;       /* no secret */
>> >
>> > -                   if (psk != dpsk)
>> > +                   if (!(d->policy & POLICY_AGGRESSIVE) && psk != dpsk)
>> >                         if (psk->len != dpsk->len
>> >                         || memcmp(psk->ptr, dpsk->ptr, psk->len) != 0)
>> >                             continue;   /* different secret */
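Review bot: `!(d->policy & POLICY_AGGRESSIVE)` exempts a candidate from the PSK check whenever that candidate's configured policy allows aggressive mode, regardless of which mode the exchange in progress actually uses; testing the mode being negotiated, as the later revision's `!aggrmode` does, is the narrower condition and keeps main-mode lookups subject to the secret comparison.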
>>
>> That looks like a proper fix. Did you do any testing?
>>
>> Paul