[Openswan dev] Multiple RW in Aggressive Mode with different PSK

D. Hugh Redelmeier hugh at mimosa.com
Sun Jul 5 21:23:42 EDT 2009 

| From: hiren joshi <joshihirenn at gmail.com>
| Date: Fri, 3 Apr 2009 14:50:37 +0530

Note date.

| --- programs/pluto/connections.c.orig	2009-04-03 13:07:46.000000000 +0530
| +++ programs/pluto/connections.c	2009-04-03 13:08:46.000000000 +0530
| @@ -2196,10 +2196,12 @@ find_host_connection2(const char *func
|  	 * if we have requirements for the policy, choose the first matching
|  	 * connection.
|  	 */
| +	DBG(DBG_CONTROLMORE,
| +		DBG_log("searching for connection with policy = %s"
| +			, bitnamesof(sa_policy_bit_names, policy)));
|  	for (; c != NULL; c = c->hp_next) {
|  	    DBG(DBG_CONTROLMORE,
| -		DBG_log("searching for policy=%s, found=%s (%s)"
| -			, bitnamesof(sa_policy_bit_names, policy)
| +		DBG_log("found policy = %s (%s)"
|  			, bitnamesof(sa_policy_bit_names, c->policy)
|  			, c->name));
|  	    if(NEVER_NEGOTIATE(c->policy)) continue;
| @@ -2448,7 +2450,7 @@ refine_host_connection(const struct stat
|  		    if (dpsk == NULL)
|  			continue;	/* no secret */
| 
| -		    if (psk != dpsk)
| +		    if (!aggrmode && psk != dpsk)
|  			if (psk->len != dpsk->len
|  			|| memcmp(psk->ptr, dpsk->ptr, psk->len) != 0)
|  			    continue;	/* different secret */
| 
| First hunk of this patch is to take care of an entirely different issue.
| As bitnamesbuf (lib/libopenswan/constants.c::1228) is shared,
| bitnamesof(sa_policy_bit_names, policy) and
| bitnamesof(sa_policy_bit_names, c->policy) prints the same thing.

It is true that you should not have two uses of bitnamesof in the same
statement (roughly speaking).  More accurately, only the latest result
from bitnamesof is available at any one time so trying to use two at
once won't work.

The first two changes fix a misuse of bitnamesof, at the cost of
another line of debugging output.

I guess that this comment on the definition of bitnamesof isn't
explicit enough and should be expanded:
 * Result may be in STATIC buffer!


I don't know what the !aggrmode change does.  I had nothing to do with
adding Aggressive Mode to Pluto.  It is a Bad Thing in my opinion (I
seem to remember that there are effective attacks on Aggressive Mode).

More information about the Dev mailing list