[Swan-commit] Changes to ref refs/heads/main
Andrew Cagney
cagney at vault.libreswan.fi
Wed Jan 24 19:25:28 EET 2024
New commits:
commit 1e657146b210ea22c60639963cdecfc2bd7038bc
Author: Andrew Cagney <cagney at gnu.org>
Date: Wed Jan 24 10:06:45 2024 -0500
initiate ikev1: drop call rebuilding the kernel algorithm DB
I've included the comments around the code below, they provide some
useful history (this likely should have been deleted as part of
deleting KLIPS):

    We will only request an IPsec SA if policy isn't empty (ignoring Main
    Mode items). This is a fudge, but not yet important.

    XXX: Is this still useful?

    In theory, by delaying the kernel algorithm probe until here when
    the connection is being initiated, it is possible to detect kernel
    algorithms that have been loaded after pluto has started or are only
    loaded on-demand.

    In reality, the kernel algorithm DB is "static": PFKEY is only probed
    during startup(?); and XFRM, even if it does support probing, is using
    static entries. See kernel_alg.c.

    Consequently:

    - when the connection's proposal suite is specified, the algorithm
      parser will check the algorithms against the kernel algorithm DB, so
      calling kernel_alg_makedb() to perform an identical check is
      redundant

    - when default proposals are used (CHILD_PROPOSALS.P==NULL) (the
      parser can't see these) kernel_alg_makedb(NULL) returns a static
      table and skips all checks

    - finally, kernel_alg_makedb() is IKEv1 only

    A better fix would be to feed the proposal parser the default proposal
    suite.

    For the moment leave the call but make it IKEv1 only - for IKEv2 all it does
    is give spdb.c some busy work (and log bogus stats).

XXX: mumble something about c->config->ike_version