[Openswan dev] out_sa in spdb.c

Michael Richardson mcr at sandelman.ottawa.on.ca
Tue May 11 21:59:57 CEST 2004




DHR, I have been looking at the algo patches to spdb.c, in the out_sa()
function.

The algo patches essentially override the proposals from spdb (rather
than extend them), and there are some bugs with the algo code when no
algo string is provided. But that's not the query I have.

The code does:

    for (pcn = 0; pcn < sadb->prop_conj_cnt; pcn++)
    {
        /* pc: the pcn-th proposal conjunct of sadb */
        for (pn = 0; pn < pc->prop_cnt; pn++)
        {
            /* p: the pn-th proposal within that conjunct */

            /* determine macro pieces of proposal */

            for (tn = 0; tn != p->trans_cnt; tn++)
            {
                /* generate transforms */
            }
        }
    }

Now, we can have multiple conjunctive (OR) proposals. I.e. we can propose
ESP || AH, for instance. So the outer loop makes sense. For IKE SAs
there is only one choice anyway.

However, what is the second (pn) loop for?
Pluto doesn't permit multiple IKE or ESP proposals. Multiple transforms
within the proposal, but not multiple proposals. And the references to
IKE documents that forbid this seem quite sensible.

So the question is, what is the pn loop for? It seems that we can never
have more than one proposal anyway, and pc->prop_cnt is never > 1 in
the policies in spdb.c that I can see. 

Is it just dead logic, or is there some hidden purpose that I'm missing?

- --
]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr at xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
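To make the three loop levels concrete, here is an added example (not Openswan's code) that walks the same pcn/pn/tn nesting over a constructed SA. The structures are simplified stand-ins for the spdb.c ones, and the sample SA assumes the ISAKMP encoding in which proposals inside one conjunct are ANDed (a bundle such as AH together with ESP) while conjuncts are ORed; whether spdb.c ever builds a conjunct with prop_cnt > 1 is exactly the open question above.

```c
#include <stdio.h>
#include <stddef.h>

/* Simplified stand-ins for the spdb.c structures (hypothetical, not Openswan's own). */
struct db_trans     { const char *name; };
struct db_prop      { const char *protoid; const struct db_trans *trans; size_t trans_cnt; };
struct db_prop_conj { const struct db_prop *props; size_t prop_cnt; };
struct db_sa        { const struct db_prop_conj *prop_conjs; size_t prop_conj_cnt; };

/* Walk the SA the way out_sa() does; returns the number of transforms that
 * the innermost loop would emit across every conjunct and proposal. */
size_t walk_sa(const struct db_sa *sadb)
{
    size_t total = 0;
    for (size_t pcn = 0; pcn < sadb->prop_conj_cnt; pcn++) {
        const struct db_prop_conj *pc = &sadb->prop_conjs[pcn];
        for (size_t pn = 0; pn < pc->prop_cnt; pn++) {
            const struct db_prop *p = &pc->props[pn];
            printf("conjunct %zu proposal %zu (%s): %zu transform(s)\n",
                   pcn, pn, p->protoid, p->trans_cnt);
            for (size_t tn = 0; tn != p->trans_cnt; tn++)
                total++;  /* out_sa() would emit p->trans[tn] here */
        }
    }
    return total;
}

/* Largest prop_cnt in any conjunct: > 1 means the pn loop actually iterates more than once. */
size_t widest_conjunct(const struct db_sa *sadb)
{
    size_t widest = 0;
    for (size_t pcn = 0; pcn < sadb->prop_conj_cnt; pcn++)
        if (sadb->prop_conjs[pcn].prop_cnt > widest)
            widest = sadb->prop_conjs[pcn].prop_cnt;
    return widest;
}

/* Constructed sample SA: conjunct 0 offers ESP alone, conjunct 1 bundles AH with ESP. */
static const struct db_trans esp_tr[] = { {"3DES"}, {"AES"} };
static const struct db_trans ah_tr[]  = { {"HMAC-SHA1"} };
static const struct db_prop esp_only[]   = { {"ESP", esp_tr, 2} };
static const struct db_prop ah_and_esp[] = { {"AH", ah_tr, 1}, {"ESP", esp_tr, 2} };
static const struct db_prop_conj conjs[] = { {esp_only, 1}, {ah_and_esp, 2} };
const struct db_sa sample_sa = { conjs, 2 };

int main(void)
{
    printf("total transforms %zu, widest conjunct %zu proposal(s)\n",
           walk_sa(&sample_sa), widest_conjunct(&sample_sa));
    return 0;
}
```

With only single-protocol conjuncts in the sample, widest_conjunct() would return 1 and the pn loop would be dead in practice, which is the situation the message describes for the policies in spdb.c.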