[Swan-dev] connswitch broke when using certificates

Tuomo Soini tis at foobar.fi
Thu Sep 12 22:16:26 UTC 2019


On Tue, 10 Sep 2019 19:44:04 -0400 (EDT)
Paul Wouters <paul at nohats.ca> wrote:

> On Tue, 10 Sep 2019, Tuomo Soini wrote:
> 
> > Switching between road warrior connections broke. Breakage is
> > between commits 96d1434..fba65db. With 96d1434 everything still
> > works, fba65db can't switch to correct connection when responding.
> >
> > Paul, my guess is rightid=%any fixes causing regression.  
> 
> It did. I reverted those and used a new different approach that I will
> push after some more testing.

I bisected which commit caused the issue.

git bisect start
# good: [96d143473dd2cdba8b5783a08bf762e76178dceb] barf: silence grep when file is not found
git bisect good 96d143473dd2cdba8b5783a08bf762e76178dceb
# bad: [fba65db596fb57fec5122ef9e305cf8635b49d06] pluto: remove temporary debug line that got committed by mistake.
git bisect bad fba65db596fb57fec5122ef9e305cf8635b49d06
# bad: [c1ce36945755ce4687ed00fbf0898e6fee58a42e] testing: add/update tests for wildcard ID's
git bisect bad c1ce36945755ce4687ed00fbf0898e6fee58a42e
# good: [b6d672c751346e9429cc7d5bb57f0fbd849748fd] pluto: default_end() did not properly apply the %any ID for wildcard conns
git bisect good b6d672c751346e9429cc7d5bb57f0fbd849748fd
# bad: [fabb5d90506113ca79c46da2e5d7fd4446200981] pluto: decode_peer_id_counted() if we didn't switch connections, confirm ID wildcard or not
git bisect bad fabb5d90506113ca79c46da2e5d7fd4446200981
# bad: [9135ef06d07f2ab257700dc6157d3fd98d90c036] pluto: in decode_peer_id_counted() isanyid check should also apply to initiator
git bisect bad 9135ef06d07f2ab257700dc6157d3fd98d90c036
# first bad commit: [9135ef06d07f2ab257700dc6157d3fd98d90c036] pluto: in decode_peer_id_counted() isanyid check should also apply to initiator

This is the issue which is not resolved yet in master.

-- 
Tuomo Soini <tis at foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <https://foobar.fi/>

