[Openswan dev] CK_INSTANCE for clear
Michael Richardson
mcr at xelerance.com
Sun Apr 16 00:47:27 CEST 2006
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
At line 4613 of connecitons.c, in:
add_group_instance():
t->kind = isanyaddr(&t->spd.that.host_addr) && !NEVER_NEGOTIATE(t->policy)
? CK_TEMPLATE : CK_INSTANCE;
I can't understand why "CK_INSTANCE" is the right value for when
it can be negotiated, but it isn't the any address.
Specifically the "clear-or-private" type conn has it's policy members
set to CK_INSTANCE, which confuses things later on in decode_peer_id(),
when we find a more suitable conn from refine_host_connection().
The bug I was investigating is that we fail to create an instance
properly of the clear-or-private#0.0.0.0/0 conn, and use the "group"
itself, and it therefore isn't instantiated, and the remote id is
"(none)", which screwed up the DNS lookup.
Somehow this leads to an unhash_state() eventually acting on a state
that has been modified since it was hashed, and it no longer is in the
same bucket.
- --
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Xelerance Corporation, Ottawa, ON |net architect[
] mcr at xelerance.com http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Finger me for keys
iQEVAwUBREG9+ICLcPvd0N1lAQIwqQgAvgK8Ct5iyd4c8Iv2Vgg9N4zXK9YD/9pY
Nhua7SCS46Hq6k6HooJhVeiqZq3ee0APtR6+r5ouc0H+jigxtFl3nFS/FJffFcfM
1fT5OI2aeyb3wQ78e/gBu/gRZ9s7GuN21ne+1DXS5II2LSNHmK++KXUWtHvCvum5
T8+WTlXkVNlDqoMQM/PQuaUg3MyYFfPA99hU/3YIBpCodKO+aPqc+XJs5useHbg6
tepNYYGaqoOtCH4ytWRXqCsrUhe+kI7ggdzL+ezZROVh4mBdeRd0KD91XNSTSnpr
PR52COgTCSQ5QifXy3UxeFgy7b4Nfxi3dxiOFGA0suluyerHxHNq0A==
=JVJI
-----END PGP SIGNATURE-----
More information about the Dev
mailing list