[strongSwan-dev] [PATCH] fix refine_host_connection() prio

Heiko Hund heiko.hund at sophos.com
Thu Feb 23 13:23:13 CET 2012


There is a regression when calculating the connection priority in
refine_host_connection(). It was introduced with commit 17722d44
that made pluto use identification_t.

libstrongswan allows a maximum of 17 wildcards in a DN while pluto
allowed 15 previously. This leads to prio being 2559 for connections
which allow %any IDs and in turn to full matching connections not 
being selected as best_found because 2559 is greater than
PRIO_NO_MATCH_FOUND (2048).

Before commit 17722d44 the value 2047 was calculated. This patch
restores this behavior simply by lowering a magic constant used
during calculation of prio.

Signed-off-by: Heiko Hund <heiko.hund at sophos.com>

---
 src/pluto/connections.c |    4 +---
 1 files changed, 1 insertions(+), 3 deletions(-)

diff --git a/src/pluto/connections.c b/src/pluto/connections.c
index 400f98c..3c6d13a 100644
--- a/src/pluto/connections.c
+++ b/src/pluto/connections.c
@@ -3551,9 +3551,7 @@ connection_t *refine_host_connection(const struct state *st,
 										, d->spd.this.ca, &our_pathlen);
 			bool match = matching_id && matching_auth && matching_trust;
 
-			int prio = (ID_MATCH_PERFECT) * !matching_request +
-						ID_MATCH_PERFECT - match_level;
-
+			int prio = 12 * !matching_request + ID_MATCH_PERFECT - match_level;
 			prio = (X509_MAX_PATH_LEN + 1) * prio + peer_pathlen;
 			prio = (X509_MAX_PATH_LEN + 1) * prio + our_pathlen;
 
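Review bot: the literal 12 in the new `int prio = 12 * !matching_request + ID_MATCH_PERFECT - match_level;` line is a magic number whose only justification is that it makes the worst case land at 2047, one below PRIO_NO_MATCH_FOUND, for the current values of ID_MATCH_PERFECT and X509_MAX_PATH_LEN. If either constant changes again (the very cause of this regression), the off-by-one guarantee silently breaks, so please either give it a name and a comment stating the invariant (the %any case with both path lengths at their maximum must stay below PRIO_NO_MATCH_FOUND), or derive the request-mismatch penalty from PRIO_NO_MATCH_FOUND and the two scaling factors so the relationship is checked by the compiler rather than by hand. A short comment on why the original `ID_MATCH_PERFECT * !matching_request` term overflowed the range would also help the next reader of this function.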
-- 
tg: (c07812d..) t/0035/fix_refine_host_connection_prio (depends on: t/0034/delay_pluto_ctl_socket_creation)