[Openswan dev] Multiple RW in Aggressive Mode with different PSK
hiren joshi
joshihirenn at gmail.com
Fri Apr 3 05:20:37 EDT 2009
This is a somewhat old thread
(starts with: http://lists.openswan.org/pipermail/dev/2008-December/002010.html).
However, I found this behavior in openswan-2.6.20 also,
so I am sending a patch (second hunk) for the same.
--- programs/pluto/connections.c.orig 2009-04-03 13:07:46.000000000 +0530
+++ programs/pluto/connections.c 2009-04-03 13:08:46.000000000 +0530
@@ -2196,10 +2196,12 @@ find_host_connection2(const char *func
* if we have requirements for the policy, choose the first matching
* connection.
*/
+ DBG(DBG_CONTROLMORE,
+ DBG_log("searching for connection with policy = %s"
+ , bitnamesof(sa_policy_bit_names, policy)));
for (; c != NULL; c = c->hp_next) {
DBG(DBG_CONTROLMORE,
- DBG_log("searching for policy=%s, found=%s (%s)"
- , bitnamesof(sa_policy_bit_names, policy)
+ DBG_log("found policy = %s (%s)"
, bitnamesof(sa_policy_bit_names, c->policy)
, c->name));
if(NEVER_NEGOTIATE(c->policy)) continue;
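Review bot: The added DBG() above the loop renders `policy` once, so `bitnamesof()` is no longer called twice inside one DBG_log argument list, but nothing in the hunk says why the two calls were separated; a one-line comment such as `/* bitnamesof() returns a shared static buffer: never call it twice in one argument list */` next to the new DBG() would keep the next reader from folding the two messages back together. A more durable fix would render into a caller-supplied buffer instead of relying on call ordering, if the library offers such a variant. Note also that the message text changes from `searching for policy=...` to `searching for connection with policy = ...`, so any log matching on the old wording needs updating.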
@@ -2448,7 +2450,7 @@ refine_host_connection(const struct stat
if (dpsk == NULL)
continue; /* no secret */
- if (psk != dpsk)
+ if (!aggrmode && psk != dpsk)
if (psk->len != dpsk->len
|| memcmp(psk->ptr, dpsk->ptr, psk->len) != 0)
continue; /* different secret */
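Review bot: `!aggrmode && psk != dpsk` disables the secret comparison for every Aggressive Mode refinement, so a candidate `d` whose PSK differs from `psk` is now accepted whenever `aggrmode` is set, and the hunk carries no comment explaining why that is safe. If the justification is that in Aggressive Mode the peer's ID is known before the responder has used any PSK, state that next to the condition, and confirm that refine_host_connection is not also reached at a later point in the aggressive exchange where `psk` has already been used for authentication, because switching to a connection with a different secret there would be wrong. Keying off the exchange actually in progress (`aggrmode`) rather than the candidate's configured policy, as the earlier variant in the thread did, is the right choice; the `/* different secret */` path is now Main Mode only and its comment should say so.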
The first hunk of this patch takes care of an entirely different issue.
As bitnamesbuf (lib/libopenswan/constants.c::1228) is shared,
bitnamesof(sa_policy_bit_names, policy) and
bitnamesof(sa_policy_bit_names, c->policy) print the same thing.
Before patch:
| searching for policy=PSK+AGGRESSIVE, found=PSK+AGGRESSIVE (main_rw-1)
| searching for policy=PSK+AGGRESSIVE, found=PSK+AGGRESSIVE (aggr_rw-1)
| find_host_connection returns aggr_rw-1
After patch:
| searching for connection with policy = PSK+AGGRESSIVE
| found policy = PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+FAILSHUNT1+DONTREKEY (main_rw-1)
| found policy = PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+FAILSHUNT1+DONTREKEY+AGGRESSIVE (aggr_rw-1)
| find_host_connection returns aggr_rw-1
Regards,
Hiren
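The shared-buffer aliasing described above (two bitnamesof() calls in one DBG_log argument list printing the same text) is a general C pitfall. The following is an added illustration, not code from this message or from Openswan: bit_names, bitnames_buf and bitnames_static are hypothetical stand-ins modeled on the behavior the message describes, and the static-buffer variant reproduces the "before patch" symptom while the caller-supplied-buffer variant shows the durable fix.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Added example (not Openswan code): models the shared-buffer pitfall.
 * A lookup that returns a pointer to one static buffer cannot be called
 * twice inside a single printf/DBG_log argument list. */

typedef uint64_t lset_t;

/* Hypothetical bit-name table; stands in for sa_policy_bit_names. */
static const char *const bit_names[] = { "PSK", "ENCRYPT", "TUNNEL", "AGGRESSIVE", NULL };

/* Render the set bits of val into a caller-supplied buffer, '+'-separated. */
const char *bitnames_buf(lset_t val, char *buf, size_t len)
{
    size_t used = 0;
    buf[0] = '\0';
    for (unsigned i = 0; bit_names[i] != NULL; i++) {
        if (!(val & ((lset_t)1 << i)))
            continue;
        int n = snprintf(buf + used, len - used, "%s%s", used ? "+" : "", bit_names[i]);
        if (n < 0 || (size_t)n >= len - used)
            break;                       /* truncated: stop rather than overrun */
        used += (size_t)n;
    }
    return buf;
}

/* The convenient but aliasing form: every call overwrites the same static buffer. */
const char *bitnames_static(lset_t val)
{
    static char shared[128];
    return bitnames_buf(val, shared, sizeof shared);
}

/* Returns 1 when two static-buffer calls end up showing the same text,
 * which is what the "before patch" log in the message exhibits. */
int static_calls_alias(lset_t a, lset_t b)
{
    const char *sa = bitnames_static(a);
    const char *sb = bitnames_static(b);   /* overwrites what sa points to */
    return strcmp(sa, sb) == 0;
}

/* Same comparison with separate buffers: distinct sets render distinctly. */
int separate_buffers_alias(lset_t a, lset_t b)
{
    char ba[128], bb[128];
    return strcmp(bitnames_buf(a, ba, sizeof ba), bitnames_buf(b, bb, sizeof bb)) == 0;
}

/* Helper for checking a rendering against an expected string. */
int renders_as(lset_t val, const char *expect)
{
    char buf[128];
    return strcmp(bitnames_buf(val, buf, sizeof buf), expect) == 0;
}

int main(void)
{
    lset_t wanted = 1u | (1u << 3);              /* PSK+AGGRESSIVE */
    lset_t found  = 1u | (1u << 1) | (1u << 2);  /* PSK+ENCRYPT+TUNNEL */
    /* One argument list, two static-buffer calls: both arguments alias. */
    printf("aliased:  policy=%s found=%s\n", bitnames_static(wanted), bitnames_static(found));
    char b1[128], b2[128];
    printf("separate: policy=%s found=%s\n",
           bitnames_buf(wanted, b1, sizeof b1), bitnames_buf(found, b2, sizeof b2));
    return 0;
}
```

The aliased printf prints the same name set for both arguments regardless of which call the compiler evaluates first, since both pointers refer to the one static buffer by the time printf reads them; the caller-supplied-buffer form has no such ordering dependency, which is why it is the better shape for a helper used in logging macros.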
On Wed, Jan 7, 2009 at 7:43 PM, hiren joshi <joshihirenn at gmail.com> wrote:
> I tested it and it switches connections as needed.
> A minor modification in the patch:
>
> --- connections.c.orig 2008-12-30 18:42:26.000000000 +0530
> +++ connections.c 2009-01-02 12:51:31.000000000 +0530
> @@ -3785,7 +3785,7 @@ refine_host_connection(const struct stat
> if (dpsk == NULL)
> continue; /* no secret */
>
> - if (psk != dpsk)
> + if (!aggrmode && psk != dpsk)
> if (psk->len != dpsk->len
> || memcmp(psk->ptr, dpsk->ptr, psk->len) != 0)
> continue; /* different secret */
>
> Regards,
> -hiren
>
>>
>> > Should I bypass the check for Aggressive mode?
>> >
>> > --- connections.c.orig 2008-12-30 18:42:26.000000000 +0530
>> > +++ connections.c 2008-12-30 21:28:10.000000000 +0530
>> > @@ -3785,7 +3785,7 @@ refine_host_connection(const struct stat
>> > if (dpsk == NULL)
>> > continue; /* no secret */
>> >
>> > - if (psk != dpsk)
>> > + if (!(d->policy & POLICY_AGGRESSIVE) && psk != dpsk)
>> > if (psk->len != dpsk->len
>> > || memcmp(psk->ptr, dpsk->ptr, psk->len) != 0)
>> > continue; /* different secret */
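Review bot: `!(d->policy & POLICY_AGGRESSIVE)` tests the candidate connection's configured policy, not the mode of the exchange actually in progress, so a Main Mode negotiation that refines into a connection configured with POLICY_AGGRESSIVE would also skip the secret comparison; gating on the exchange's own mode (as the later `aggrmode` variant in this thread does) avoids that, and either way the condition deserves a comment stating why Aggressive Mode may bypass the check.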
>>
>> That looks like a proper fix. Did you do any testing?
>>
>> Paul