[Swan-dev] clanger: ikev2_resp_accept_child_ts
Paul Wouters
paul at nohats.ca
Mon Jun 11 21:03:52 UTC 2018
On Sun, 10 Jun 2018, D. Hugh Redelmeier wrote:
> (1) it isn't clear to me why the streq(best->name, t->name) is not negated
>
> Could someone add a comment explaining this? Paul? Antony?
>
>     if (LIN(POLICY_GROUPINSTANCE, t->policy) && (t->kind == CK_TEMPLATE)) {
>         /* ??? clang 6.0.0 thinks best might be NULL but I don't see how */
>         if (!streq(t->foodgroup, best->foodgroup) ||
>             streq(best->name, t->name) ||
>             !subnetinsubnet(&best->spd.that.client, &t->spd.that.client) ||
>             !sameaddr(&best->spd.this.client.addr, &t->spd.this.client.addr))
>             continue;
>
>         /* ??? why require best->name and t->name to be different */

You can find the explanation in the commit:

IKEv2: Allow switching between OE group instances with different protoport settings
This fixes newoe-18-poc-cop-port22-both-reorder

From that test's description.txt:

Compared to newoe-18-poc-cop-port22-both, the order of the clear-or-private
policies on east is reversed. This causes east to initially pick the
wrong clear-or-private group to instantiate, and it needs to switch
during IKE_AUTH

The test is there to ensure if we find the _same_ conn, we do NOT select
it, but "continue" looking for something better than our current
instance or its template.

> (2) the comment in the following code explains what I don't understand.
> Can someone explain why we can assume that tsi_n and tsr_n are both one?
We simply haven't written the code to handle more than one.
Paul
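
A simplified, self-contained model of the check discussed in this message, added here as an illustration and not libreswan's own code: it shows the un-negated name comparison making the loop pass over the current instance's own template and settle on a different template in the same food group. The struct layouts, the helper names (`subnet_in_subnet`, `skip_template`, `find_switch_target`, `demo_target`) and all connection names and addresses are constructed assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Simplified stand-ins for the connection fields in the quoted code (assumption). */
struct subnet { uint32_t addr; int bits; };   /* IPv4 network and prefix length */
struct conn {
    const char *name, *foodgroup;
    bool group_instance, is_template;   /* models POLICY_GROUPINSTANCE and CK_TEMPLATE */
    struct subnet this_client, that_client;
};

/* True when subnet a lies entirely inside subnet b. */
static bool subnet_in_subnet(struct subnet a, struct subnet b)
{
    uint32_t mask = b.bits == 0 ? 0 : ~(uint32_t)0 << (32 - b.bits);
    return a.bits >= b.bits && (a.addr & mask) == (b.addr & mask);
}

/* The four rejections of the quoted condition, including the un-negated name check. */
static bool skip_template(const struct conn *best, const struct conn *t)
{
    return strcmp(t->foodgroup, best->foodgroup) != 0 ||
           strcmp(best->name, t->name) == 0 ||   /* same conn: keep looking */
           !subnet_in_subnet(best->that_client, t->that_client) ||
           best->this_client.addr != t->this_client.addr;
}

/* Index of the first group-instance template worth switching to, or -1 if none. */
int find_switch_target(const struct conn *best, const struct conn *tab, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tab[i].group_instance && tab[i].is_template && !skip_template(best, &tab[i]))
            return (int)i;
    return -1;
}

/* Constructed table, searched over its first n entries; all values are made up. */
int demo_target(size_t n)
{
    struct subnet me = { 0xC001022D, 32 }, net = { 0xC0010200, 24 };
    struct conn best = { "cop-a", "clear-or-private", true, false, me, { 0xC0010217, 32 } };
    struct conn tab[] = {
        { "cop-a", "clear-or-private", true, true, me, net },  /* best's own template */
        { "priv",  "private",          true, true, me, net },  /* different food group */
        { "cop-b", "clear-or-private", true, true, me, net },  /* the switch target */
    };
    return find_switch_target(&best, tab, n);
}
```
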