[Openswan dev] "pass == 2" is always false

[D. Hugh Redelmeier]

I noticed that in openswan-2.6.15dr2/programs/pluto/state.c, function 
same_phase1_no_phase2, line 661, there is a test "pass == 2" that has 
never succeeded.  I wonder what would happen if the test were changed to 
one that did succeed during the second pass (pass == 1).  I have no idea 
if the code that has never executed has bugs that would thus be exposed.

    if(pass == 2) return FALSE;

I have no idea if this has since been eliminated.

==================================

This is like the code that Paul found in foreach_states_by_connection_func
(an ungrammatical name):

                if(pass == 2 && IS_ISAKMP_SA_ESTABLISHED(this->st_state)) {
                    continue;
                }

The correct fix for the case that Paul found is NOT a simple change to
"pass == 1".  The probably intention is something like this:

	if (pass == 1 || can_have_no_children(this)) {
		... the rest of the loop body ...
	}
The intention is that we delete parents AFTER their children.  This
is to avoid deleting the keying channel before the children that
should send a delete notification down the keying channel.  One
implicit assumption is that family trees are at most 2 high, hence the
2 passes.

The test IS_ISAKMP_SA_ESTABLISHED is like !can_have_no_children but it
fails to handle IKEv2 states properly.