[Openswan dev] [Patch] Correction to aggressive mode IKE policy error message...

Michael H. Warfield mhw at WittsEnd.com
Fri Mar 12 08:59:28 EST 2010


This is really a trivial fix to one of the error messages pointed to by
Michael and Paul wrt the aggressive mode policy errors.

On Thu, 2010-03-11 at 13:43 -0500, Michael Richardson wrote:
> spdb_v1_struct.c, in the function:
> bool
> init_am_st_oakley(struct state *st, lset_t policy)
> which is called in ikev1_aggr.c, in 
>     if(init_am_st_oakley(st, policy) == FALSE) {
>         loglog(RC_AGGRALGO, "can not initiate aggressive mode, at most one algorithm may be provided");
>         reset_globals();
>         return STF_FAIL;
>     }
> aggr_outI1(). 

Ok...  That error message is incorrect, or, at least, imprecise.  That
branch is not taken when there are multiple policies from the ike= line
at all.  It's only taken when there is no ike= policy specified.  That
needs to be clarified as it's confusing.  Instead, now, it should note
that no policy was specified and the policy should provide only one DH
group (and that only the first one will be honored if more than one is
provided).  The attached patch will do this.  The log message may be
overly long and verbose but I wanted to make it clear.  Obviously, this
goes hand in hand with the multiproposal patch posted last night.

Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openswan-2.6.24-aggr-err.diff
Type: text/x-patch
Size: 1158 bytes
Desc: not available
Url : http://lists.openswan.org/pipermail/dev/attachments/20100312/a8382d4c/attachment.bin 