[Openswan dev] Multiple RW in Aggressive Mode with different PSK
Paul Wouters
paul at xelerance.com
Thu Jan 1 19:34:22 EST 2009
On Tue, 30 Dec 2008, hiren joshi wrote:
> Version: openswan-2.4.9
Please try to move to openswan 2.6.x :)
> I found it not working as it does not allow the newly chosen connection to
> have different PSK than the current one.
>
> programs/pluto/connections.c::3778
>
> switch (auth)
> {
> case OAKLEY_PRESHARED_KEY:
>     /* secret must match the one we already used */
>     {
>         const chunk_t *dpsk = get_preshared_secret(d);
>
>         if (dpsk == NULL)
>             continue; /* no secret */
>
>         if (psk != dpsk)
>             if (psk->len != dpsk->len
>                 || memcmp(psk->ptr, dpsk->ptr, psk->len) != 0)
>                 continue; /* different secret */
>     }
>     break;
>
>
> Should I bypass the check for Aggressive mode?
>
> --- connections.c.orig 2008-12-30 18:42:26.000000000 +0530
> +++ connections.c 2008-12-30 21:28:10.000000000 +0530
> @@ -3785,7 +3785,7 @@ refine_host_connection(const struct stat
> if (dpsk == NULL)
> continue; /* no secret */
>
> - if (psk != dpsk)
> + if (!(d->policy & POLICY_AGGRESSIVE) && psk != dpsk)
> if (psk->len != dpsk->len
> || memcmp(psk->ptr, dpsk->ptr, psk->len) != 0)
> continue; /* different secret */
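Review bot: skipping the secret comparison whenever `d->policy & POLICY_AGGRESSIVE` is set contradicts the comment that introduces this block, `/* secret must match the one we already used */`. If the PSK of the connection being refined has already been consumed (to derive keying material or to verify the peer's hash) by the time refine_host_connection() runs, then accepting a candidate `d` whose `dpsk` differs means the exchange was authenticated with one secret and the state is then bound to a connection holding another. The change is only sound if, on the aggressive-mode path, this point is reached before the PSK is used, so that the responder can still select the secret by peer ID; please confirm that ordering and record it in the comment, because `continue; /* different secret */` no longer describes the whole condition. Two smaller points: the exemption is keyed on the candidate's policy flag rather than on whether the exchange in progress is actually aggressive mode, so if those can differ the check is skipped for the wrong reason; and the brace-less nested `if` is easy to misread now that the outer condition is compound, so an explicit separate branch for the aggressive-mode case, with its own comment, would be clearer.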
That looks like a proper fix. Did you do any testing?
Paul