[Swan-commit] Changes to ref refs/heads/master
Andrew Cagney
cagney at vault.libreswan.fi
Wed Jun 12 18:24:23 UTC 2019
New commits:
commit adc04c701755c166bd557323c445a9b679a48a8d
Author: Andrew Cagney <cagney at gnu.org>
Date: Wed Jun 12 11:28:49 2019 -0400
ikev2: don't call kernel_alg_makedb() from initiate_a_connection()
In theory, by delaying the kernel algorithm probe until here when
the connection is being initiated, it is possible to detect kernel
algorithms that have been loaded after pluto has started or are only
loaded on-demand.
In reality, the kernel algorithm DB is "static": PFKEY is only probed
during startup(?); and XFRM, even if it does support probing, is using
static entries. See kernel_alg.c.
Consequently:
- when the connection's proposal suite is specified, the algorithm
parser will check the algorithms against the kernel algorithm DB, so
calling kernel_alg_makedb() to perform an identical check is
redundant
- when default proposals are used (CHILD_PROPOSALS.P==NULL) (the
parser can't see these) kernel_alg_makedb(NULL) returns a static table
and skips all checks
- finally, kernel_alg_makedb() is IKEv1 only
A better fix would be to feed the proposal parser the default proposal
suite.
For the moment, leave the call but make it IKEv1 only - for IKEv2 all it does
is give spdb.c some busy work (and log bogus stats).