[Swan-commit] Changes to ref refs/heads/master
Andrew Cagney
cagney at vault.libreswan.fi
Tue Jun 4 21:16:49 UTC 2019
New commits:
commit e11afb13d47483602c78ef32885e297dec3dc4e7
Author: Andrew Cagney <cagney at gnu.org>
Date: Tue Jun 4 14:22:19 2019 -0400
ikev2: explicitly include the IKE's SA ROLE in searches

Instead of grabbing the first IKE SA with matching IKE SPIs and then
(much later) checking the role is as expected, use the IKE SA role as
part of the search key.

Fixes the largely theoretical problem of, when two IKE SAs have
identical IKE SPIs but flipped roles, a lookup for the second IKE SA
fails. This prevents the second IKE SA from establishing. For this
to happen pluto must have generated "random" SPIr and SPIr values that
are identical (ditto for the other end, but let's assume that is
broken), and even if it did a re-try should generate non-matching
SPIs.

More useful is that the SMF2_IKE_I_{SET,CLEAR} flags in the state
table are made redundant.

"--impair ike-spi:100" anyone?
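
An added illustration of the lookup problem the commit message above describes, not code from libreswan or from this commit: a toy state table holds two IKE SAs with identical SPIs and flipped roles, searched first by SPIs alone and then with the role in the key. All type names, function names and SPI values are hypothetical and constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of a state table; these names are not libreswan's. */
enum sa_role { SA_INITIATOR, SA_RESPONDER };
struct ike_sa {
    uint8_t spi_i[8], spi_r[8];
    enum sa_role role;          /* the local end's role in this IKE SA */
    int serial;
};
/* Constructed sample: two SAs with identical SPIs but flipped roles. */
#define SPI_I {1, 2, 3, 4, 5, 6, 7, 8}
#define SPI_R {9, 10, 11, 12, 13, 14, 15, 16}
static const struct ike_sa table[] = {
    { SPI_I, SPI_R, SA_INITIATOR, 1 },
    { SPI_I, SPI_R, SA_RESPONDER, 2 },
};
#define TABLE_LEN (sizeof(table) / sizeof(table[0]))

static int spis_match(const struct ike_sa *sa, const uint8_t *i, const uint8_t *r)
{
    return memcmp(sa->spi_i, i, 8) == 0 && memcmp(sa->spi_r, r, 8) == 0;
}

/* Search by SPIs only: take the first match, check the role afterwards. */
const struct ike_sa *find_then_check_role(const uint8_t *i, const uint8_t *r, enum sa_role want)
{
    for (size_t n = 0; n < TABLE_LEN; n++)
        if (spis_match(&table[n], i, r))
            return table[n].role == want ? &table[n] : NULL;
    return NULL;
}

/* Search with the role as part of the key: entries with the wrong role are skipped. */
const struct ike_sa *find_by_spis_and_role(const uint8_t *i, const uint8_t *r, enum sa_role want)
{
    for (size_t n = 0; n < TABLE_LEN; n++)
        if (table[n].role == want && spis_match(&table[n], i, r))
            return &table[n];
    return NULL;
}

int main(void)
{
    const struct ike_sa *a = find_then_check_role(table[0].spi_i, table[0].spi_r, SA_RESPONDER);
    const struct ike_sa *b = find_by_spis_and_role(table[0].spi_i, table[0].spi_r, SA_RESPONDER);
    printf("SPIs only: %s; SPIs+role: #%d\n", a ? "found" : "lookup failed", b ? b->serial : 0);
    return 0;
}
```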