There is a regression when calculating the connection priority in refine_host_connection(). It was introduced with commit 17722d44 that made pluto use identification_t.
libstrongswan allows a maximum of 17 wildcards in a DN while pluto allowed 15 previously. This leads to prio being 2559 for connections which allow %any IDs and in turn to full matching connections not being selected as best_found because 2559 is greater than PRIO_NO_MATCH_FOUND (2048). Before commit 17722d44 the value 2047 was calculated. This patch restores this behavior simply by lowering a magic constant used during calculation of prio.

Signed-off-by: Heiko Hund <[email protected]>
---
 src/pluto/connections.c | 4 +---
 1 files changed, 1 insertions(+), 3 deletions(-)

diff --git a/src/pluto/connections.c b/src/pluto/connections.c
index 400f98c..3c6d13a 100644
--- a/src/pluto/connections.c
+++ b/src/pluto/connections.c
@@ -3551,9 +3551,7 @@ connection_t *refine_host_connection(const struct state *st, , d->spd.this.ca, &our_pathlen); bool match = matching_id && matching_auth && matching_trust; - int prio = (ID_MATCH_PERFECT) * !matching_request + - ID_MATCH_PERFECT - match_level; - + int prio = 12 * !matching_request + ID_MATCH_PERFECT - match_level; prio = (X509_MAX_PATH_LEN + 1) * prio + peer_pathlen; prio = (X509_MAX_PATH_LEN + 1) * prio + our_pathlen;
--
tg: (c07812d..) t/0035/fix_refine_host_connection_prio (depends on: t/0034/delay_pluto_ctl_socket_creation)

_______________________________________________
Dev mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/dev
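Review bot: the literal 12 in `+ int prio = 12 * !matching_request + ID_MATCH_PERFECT - match_level;` replaces one magic number with another, and its only justification is that it pushes the worst case (%any ID, maximum peer and own path length) to 2047, exactly one below PRIO_NO_MATCH_FOUND (2048), so there is no headroom if ID_MATCH_PERFECT, X509_MAX_PATH_LEN or the wildcard limit move again, as the wildcard limit just did in 17722d44. Suggest giving the constant a name (a hypothetical define next to PRIO_NO_MATCH_FOUND) with a comment deriving it from the formula, and adding a compile-time check that the maximum reachable prio stays below PRIO_NO_MATCH_FOUND, or deriving PRIO_NO_MATCH_FOUND from that maximum, so a future change in the inputs fails the build instead of silently disabling best_found selection again.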
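As an added example (not part of the post and not strongSwan's code), the following C program reproduces the priority arithmetic from the hunk with both multipliers and shows why the old value collides with PRIO_NO_MATCH_FOUND. The values of ID_MATCH_PERFECT (20), ID_MATCH_ANY (1) and X509_MAX_PATH_LEN (7) are assumptions chosen because they reproduce the 2559 and 2047 figures quoted in the commit message; PRIO_NO_MATCH_FOUND (2048) is taken from the message. The function `largest_safe_multiplier` goes beyond the patch and searches for the largest multiplier that keeps the worst case below the threshold under these assumed constants.

```c
#include <stdio.h>

/* Constants assumed for this example (not quoted on the page); they are the
 * values that reproduce the 2559 / 2047 figures in the commit message. */
#define ID_MATCH_PERFECT    20   /* assumed: libstrongswan perfect-match level */
#define ID_MATCH_ANY        1    /* assumed: level returned for a %any match */
#define X509_MAX_PATH_LEN   7    /* assumed: maximum CA path length */
#define PRIO_NO_MATCH_FOUND 2048 /* stated in the commit message */

/* The priority formula from refine_host_connection(), with the multiplier
 * of !matching_request made a parameter: ID_MATCH_PERFECT before the patch,
 * 12 after it. Lower prio is better. */
static int calc_prio(int multiplier, int matching_request, int match_level,
                     int peer_pathlen, int our_pathlen)
{
    int prio = multiplier * !matching_request + ID_MATCH_PERFECT - match_level;
    prio = (X509_MAX_PATH_LEN + 1) * prio + peer_pathlen;
    prio = (X509_MAX_PATH_LEN + 1) * prio + our_pathlen;
    return prio;
}

/* Worst case described in the message: a connection that allows %any IDs,
 * no matching request, and both path lengths at their maximum. */
static int worst_case_prio(int multiplier)
{
    return calc_prio(multiplier, 0, ID_MATCH_ANY,
                     X509_MAX_PATH_LEN, X509_MAX_PATH_LEN);
}

static int prio_before_patch(void) { return worst_case_prio(ID_MATCH_PERFECT); }
static int prio_after_patch(void)  { return worst_case_prio(12); }

/* Assumed selection rule: a candidate can only become best_found when its
 * prio is below PRIO_NO_MATCH_FOUND. Returns 1 if the candidate qualifies. */
static int selectable(int prio)
{
    return prio < PRIO_NO_MATCH_FOUND;
}

/* Largest multiplier whose worst-case prio still stays below the threshold.
 * Shows how much headroom the chosen constant has. */
static int largest_safe_multiplier(void)
{
    int m = 0;
    while (selectable(worst_case_prio(m + 1)))
        m++;
    return m;
}

int main(void)
{
    printf("worst-case prio before patch: %d (selectable: %d)\n",
           prio_before_patch(), selectable(prio_before_patch()));
    printf("worst-case prio after patch:  %d (selectable: %d)\n",
           prio_after_patch(), selectable(prio_after_patch()));
    printf("largest multiplier below PRIO_NO_MATCH_FOUND: %d\n",
           largest_safe_multiplier());
    return 0;
}
```

Under the assumed constants the search returns 12, i.e. the patched multiplier is the largest one that still works, which is why any later growth in the match levels or path length would reopen the regression.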
