[Swan-dev] pluto: Fix bogus "no RSA public key known for '%fromcert'"

Matt Rogers mrogers at redhat.com
Sat May 2 01:24:51 EEST 2015 

On 05/01, Herbert Xu wrote:
> When refine_host_connection tests against a %fromcert RW connection
> followed by other right=%any connections with fixed IDs (e.g.,
> @hostname), it will lose the fromcert setting.  So when it does
> eventually return with the %fromcert RW connection fromcert will
> be set to false and therefore the actual certificate ID won't be
> copied into spd.that.id, resulting in a bogus "no RSA public key
> known for '%fromcert'".
>     
> This error won't happen if the order of matching is reversed and
> the %fromcert connection gets tested last.  So that's why the
> conencton sometimes works but often fails with an authentication
> error.
>     
> This patch fixes it by keeping the fromcert setting of the best
> match.
>     
> Signed-off-by: Herbert Xu <herbert at gondor.apana.org.au>
> 
> diff --git a/programs/pluto/connections.c b/programs/pluto/connections.c
> index 292b3b1..9140673 100644
> --- a/programs/pluto/connections.c
> +++ b/programs/pluto/connections.c
> @@ -2621,6 +2621,7 @@ struct connection *refine_host_connection(const struct state *st,
>  	d = c->host_pair->connections;
>  	for (wcpip = FALSE;; wcpip = TRUE) {
>  		for (; d != NULL; d = d->hp_next) {
> +			bool d_fromcert = FALSE;
>  			bool match1 = match_id(peer_id, &d->spd.that.id,
>  					&wildcards);
>  			bool match2 = trusted_ca_nss(peer_ca, d->spd.that.ca,
> @@ -2659,9 +2660,10 @@ struct connection *refine_host_connection(const struct state *st,
>  			 * the %fromcert + peer id match result. - matt
>  			 */
>  			if (!match1) {
> -			    *fromcert = id_kind(&d->spd.that.id) == ID_FROMCERT;
> -			    if (!*fromcert)
> -				continue;
> +				d_fromcert = id_kind(&d->spd.that.id) ==
> +					     ID_FROMCERT;
> +				if (!d_fromcert)
> +					continue;
>  			}
>  
>  			/* if initiator, our ID must match exactly */
> @@ -2764,8 +2766,10 @@ struct connection *refine_host_connection(const struct state *st,
>  			 * We'll go with it if the Peer ID was an exact match.
>  			 */
>  			if (match1 && wildcards == 0 &&
> -			    peer_pathlen == 0 && our_pathlen == 0)
> +			    peer_pathlen == 0 && our_pathlen == 0) {
> +				*fromcert = d_fromcert;
>  				return d;
> +			}
>  
>  			/*
>  			 * If it was a non-exact (wildcard) match, we'll
> @@ -2786,6 +2790,7 @@ struct connection *refine_host_connection(const struct state *st,
>  						d->name,
>  						wildcards, peer_pathlen,
>  						our_pathlen));
> +				*fromcert = d_fromcert;
>  				best_found = d;
>  				best_wildcards = wildcards;
>  				best_peer_pathlen = peer_pathlen;
> -- 
> Email: Herbert Xu <herbert at gondor.apana.org.au>
> Home Page: http://gondor.apana.org.au/~herbert/
> PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
> _______________________________________________
> Swan-dev mailing list
> Swan-dev at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan-dev

Thanks again, applied to nss_pkix.

Regards,
Matt

More information about the Swan-dev mailing list