[Swan-dev] Different subCA issue
Paul Wouters
paul at nohats.ca
Mon Dec 7 15:31:25 UTC 2015
Tuomo described a case that failed:

    conn A
        rightca=ROOTCA1
        rightid=@someone
        also=common

    conn B
        rightca=SUBROOTCA1
        rightid=@someoneelse
        also=common
In refine_host_connection() we have this snippet:

    bool match3 = match_requested_ca(c->requested_ca,
                                     d->spd.this.ca,
                                     &our_pathlen);
    [...]
    /* match2 and match3 are required */
    if (!match2 || !match3)
        continue;
So we look into match_requested_ca():

    while (requested_ca != NULL) {
        int pathlen;

        if (trusted_ca_nss(our_ca, requested_ca->name, &pathlen) &&
            pathlen < *our_pathlen)
            *our_pathlen = pathlen;
        requested_ca = requested_ca->next;
    }

    return *our_pathlen <= MAX_CA_PATH_LEN;
I'm confused here that there is no break or early return. We always seem
to process the entire list and return whatever is true for the last
entry. Was this meant:
    while (requested_ca != NULL) {
        int pathlen;

        if (trusted_ca_nss(our_ca, requested_ca->name, &pathlen) &&
            pathlen < *our_pathlen) {
            *our_pathlen = pathlen;
            return TRUE;
        }
        requested_ca = requested_ca->next;
    }

    return FALSE;
Paul
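As an added illustration (an editor's example, not libreswan code), here is a stand-alone C model of both loops run over a constructed CA chain ROOTCA1 -> SUBROOTCA1 -> LEAFCA; trusted_ca_model(), parent_of(), the value of MAX_CA_PATH_LEN and the initialisation of *our_pathlen are assumptions, since the page shows neither the prelude of match_requested_ca() nor trusted_ca_nss(). With both CAs in the requested list, the quoted loop ends with the shorter path (1, via SUBROOTCA1) while the early-return variant stops at ROOTCA1 (path 2); with an unrelated CA both return false.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define MAX_CA_PATH_LEN 7   /* assumed value; the real constant is not on the page */
typedef struct ca_name { const char *name; struct ca_name *next; } ca_name;

/* Constructed hierarchy for the demo: ROOTCA1 -> SUBROOTCA1 -> LEAFCA. */
static const char *parent_of(const char *ca) {
    if (strcmp(ca, "LEAFCA") == 0) return "SUBROOTCA1";
    if (strcmp(ca, "SUBROOTCA1") == 0) return "ROOTCA1";
    return NULL;                      /* ROOTCA1 (or an unknown name) has no parent */
}

/* Stand-in for trusted_ca_nss(): true when 'candidate' is our_ca or one of its
 * ancestors; *pathlen is the number of steps up the chain (0 = itself). */
static bool trusted_ca_model(const char *our_ca, const char *candidate, int *pathlen) {
    int n = 0;
    for (const char *p = our_ca; p != NULL; p = parent_of(p), n++) {
        if (strcmp(p, candidate) == 0) { *pathlen = n; return true; }
    }
    return false;
}

/* Loop as quoted from match_requested_ca(): every entry is visited and the
 * smallest path length wins; the result is true if that minimum fits. */
static bool match_original(const char *our_ca, const ca_name *req, int *our_pathlen) {
    *our_pathlen = MAX_CA_PATH_LEN + 1;   /* assumed initialisation; not shown on the page */
    while (req != NULL) {
        int pathlen;
        if (trusted_ca_model(our_ca, req->name, &pathlen) && pathlen < *our_pathlen)
            *our_pathlen = pathlen;
        req = req->next;
    }
    return *our_pathlen <= MAX_CA_PATH_LEN;
}

/* Early-return variant from the message: stops at the first trusted entry,
 * so a later entry with a shorter path is never considered. */
static bool match_proposed(const char *our_ca, const ca_name *req, int *our_pathlen) {
    *our_pathlen = MAX_CA_PATH_LEN + 1;
    while (req != NULL) {
        int pathlen;
        if (trusted_ca_model(our_ca, req->name, &pathlen) && pathlen < *our_pathlen) {
            *our_pathlen = pathlen;
            return true;
        }
        req = req->next;
    }
    return false;
}
```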