[Openswan dev] out_sa in spdb.c
mcr at sandelman.ottawa.on.ca
Tue May 11 21:59:57 CEST 2004
DHR, I have been looking at the algo patches to spdb.c, in the out_sa().
The algo patches essentially override the proposals from spdb (rather
than extend them), and there are some bugs with the algo code when no
algo string is provided. But that's not the query I have.
The code does:
    for (pcn = 0; pcn < sadb->prop_conj_cnt; pcn++)
        for (pn = 0; pn < pc->prop_cnt; pn++)
            /* determine macro pieces of proposal */
            for(tn = 0; tn != p->trans_cnt; tn++)
                /* generate transforms */
Now, we can have multiple conjunctive (OR) proposals. I.e. we can propose
ESP || AH, for instance. So the outer loop makes sense. For IKE SAs
there is only one choice anyway.
However, what is the second (pn) loop for?
Pluto doesn't permit multiple IKE or ESP proposals. Multiple transforms
within the proposal, but not multiple proposals. And the references to
IKE documents that forbid this seem quite sensible.
So the question is, what is the pn loop for? It seems that we can never
have more than one proposal anyway, and pc->prop_cnt is never > 1 in
the policies in spdb.c that I can see.
Is it just dead logic, or is there some hidden purpose that I'm missing?
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Xelerance Corporation, Ottawa, ON |net architect[
] mcr at xelerance.com http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
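An added example, not Openswan's code and not the poster's: a cut-down C model of the three nesting levels the quoted pcn/pn/tn loops walk, run over a constructed proposal set in which one alternative carries two props (AH and ESP), which is the case a second-level prop_cnt > 1 would express. The struct and field names are assumed stand-ins for the real spdb.h definitions, and the numbering follows RFC 2408 (same Proposal # means AND, a new # means an alternative).

```c
#include <stdio.h>
/* Hypothetical stand-ins for the spdb.h types: just the three nesting
 * levels the quoted pcn/pn/tn loops walk, not the real definitions. */
struct db_trans     { const char *name; };
struct db_prop      { const char *proto; const struct db_trans *trans; int trans_cnt; };
struct db_prop_conj { const struct db_prop *props; int prop_cnt; };   /* ANDed props */
struct db_sa        { const struct db_prop_conj *prop_conjs; int prop_conj_cnt; }; /* ORed */
struct out_rec      { int propnum; int transnum; const char *proto; const char *name; };

/* Walk the structure with the same loop nesting as out_sa() and record the
 * RFC 2408 numbering each payload gets: every prop in one conjunction shares
 * a Proposal # (logical AND); each conjunction gets a new # (alternative).
 * Returns the number of transform payloads produced. */
int flatten_sa(const struct db_sa *sadb, struct out_rec *out, int max)
{
    int n = 0;
    for (int pcn = 0; pcn < sadb->prop_conj_cnt; pcn++) {
        const struct db_prop_conj *pc = &sadb->prop_conjs[pcn];
        for (int pn = 0; pn < pc->prop_cnt; pn++) {
            const struct db_prop *p = &pc->props[pn];
            for (int tn = 0; tn != p->trans_cnt && n < max; tn++, n++) {
                out[n].propnum  = pcn + 1;   /* shared within the conjunction */
                out[n].transnum = tn + 1;
                out[n].proto    = p->proto;
                out[n].name     = p->trans[tn].name;
            }
        }
    }
    return n;
}

/* Constructed sample: alternative 1 is ESP alone with two transforms;
 * alternative 2 is AH AND ESP, the case that needs prop_cnt > 1. */
static const struct db_trans esp_tr[]    = { { "3DES-HMAC-SHA1" }, { "AES-HMAC-SHA1" } };
static const struct db_trans ah_tr[]     = { { "HMAC-SHA1" } };
static const struct db_prop esp_only[]   = { { "ESP", esp_tr, 2 } };
static const struct db_prop ah_and_esp[] = { { "AH", ah_tr, 1 }, { "ESP", esp_tr, 1 } };
static const struct db_prop_conj conjs[] = { { esp_only, 1 }, { ah_and_esp, 2 } };
const struct db_sa sample_sa = { conjs, 2 };

/* Proposal # of the i-th flattened record of the sample, or -1 past the end. */
int sample_propnum(int i)
{
    struct out_rec recs[16];
    int n = flatten_sa(&sample_sa, recs, 16);
    return (i >= 0 && i < n) ? recs[i].propnum : -1;
}

int main(void)
{
    for (int i = 0; sample_propnum(i) != -1; i++)
        printf("record %d carries Proposal # %d\n", i, sample_propnum(i));
    return 0;
}
```

Records 0 and 1 (ESP alone) share Proposal # 1; records 2 and 3 (AH, then ESP) share Proposal # 2, which is only reachable when the pn loop runs more than once.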