[Openswan dev] CK_INSTANCE for clear

Michael Richardson mcr at xelerance.com
Sun Apr 16 00:47:27 CEST 2006



At line 4613 of connections.c, in:

add_group_instance():

        t->kind = isanyaddr(&t->spd.that.host_addr) && !NEVER_NEGOTIATE(t->policy) 
            ? CK_TEMPLATE : CK_INSTANCE; 

I can't understand why "CK_INSTANCE" is the right value for when
it can be negotiated, but it isn't the any address.

Specifically the "clear-or-private" type conn has its policy members 
set to CK_INSTANCE, which confuses things later on in decode_peer_id(),
when we find a more suitable conn from refine_host_connection().

The bug I was investigating is that we fail to create an instance
properly of the clear-or-private#0.0.0.0/0 conn, and use the "group"
itself, and it therefore isn't instantiated, and the remote id is
"(none)", which screwed up the DNS lookup. 

Somehow this leads to an unhash_state() eventually acting on a state
that has been modified since it was hashed, and it no longer is in the
same bucket. 

-- 
]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr at xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
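
The failure mode in the last paragraph of the message above, as an added example that is not part of the original post and is not Openswan code: a simplified chained hash table in which an entry's key changes after insertion, so a removal that re-derives the bucket searches the wrong chain. All names here (`insert_state`, `unhash_by_rehash`, `unhash_by_home`, the `home` field) are hypothetical, and the modulo hash is an assumption made for illustration.

```c
#include <stddef.h>

#define NBUCKETS 8

/* Hypothetical, simplified object; not Openswan's struct state. */
struct state {
    unsigned key;        /* value the hash is computed from */
    size_t home;         /* bucket recorded at insert time */
    struct state *next;
};

static struct state *table[NBUCKETS];

static size_t bucket_of(unsigned key) { return key % NBUCKETS; }

static void insert_state(struct state *st)
{
    st->home = bucket_of(st->key);
    st->next = table[st->home];
    table[st->home] = st;
}

/* Unlink st from the chain in bucket b; 0 on success, -1 if st is not there. */
static int unlink_from(size_t b, struct state *st)
{
    for (struct state **p = &table[b]; *p != NULL; p = &(*p)->next) {
        if (*p == st) { *p = st->next; st->next = NULL; return 0; }
    }
    return -1;
}

/* Fragile: re-derives the bucket from the key as it is now. */
static int unhash_by_rehash(struct state *st) { return unlink_from(bucket_of(st->key), st); }

/* Hardened: uses the bucket recorded when the state was hashed. */
static int unhash_by_home(struct state *st) { return unlink_from(st->home, st); }

/* Constructed scenario: the key changes while the state is still in the table. */
static int demo(void)
{
    struct state st = { .key = 3 };
    insert_state(&st);                    /* lands in bucket 3 */
    st.key = 12;                          /* modified after hashing: 12 % 8 == 4 */
    int fragile = unhash_by_rehash(&st);  /* searches bucket 4, misses */
    int hardened = unhash_by_home(&st);   /* searches bucket 3, unlinks */
    return (fragile == -1 && hardened == 0 && table[3] == NULL) ? 0 : 1;
}

int main(void) { return demo(); }
```

In the fragile path the entry stays linked in its original bucket after the failed removal, so freeing the object afterwards would leave a dangling pointer in the table.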

