| From: Paul Wouters <[email protected]>

| On Tue, 3 Mar 2020, Paul Wouters wrote:
| 
| > Current shunt handling cannot deal with this, as the second keyingtries
| > sometimes tries to install a second shunt, which sometimes “works” due to
| > not being widened. This is causing customer issues that are resolved by
| > setting it to 0.
| 
| I meant "resolved by setting it to 1".

I don't really understand the issues.

Do we have a bug report for the shunt issue?

If the shunts fail, except in special cases, and those cases are 
undocumented, we should

- fix the shunts issue (hard, I assume), or

- document the cases that work and forbid the others, or

- forbid OE & tries != 1 (simplest to document)

Here's an add-on to Paul's code [UNTESTED].

Since it changes starterwhack, something I'm not an expert in, the code is 
particularly suspect.

It implements that last policy, I hope.
If one were to delete one line, it would only change a defaulted 
keyingtries.

Why do this?  Because (I hope) the error is generated in a way that is 
easier for the user to observe.  But I'm not even sure of that.

diff --git a/lib/libipsecconf/starterwhack.c b/lib/libipsecconf/starterwhack.c
index ca94639038..2a7b1def5a 100644
--- a/lib/libipsecconf/starterwhack.c
+++ b/lib/libipsecconf/starterwhack.c
@@ -551,6 +551,21 @@ static int starter_whack_basic_add_conn(struct 
starter_config *cfg,
        msg.sa_rekey_margin = deltatime(conn->options[KNCF_REKEYMARGIN]);
        msg.sa_rekey_fuzz = conn->options[KNCF_REKEYFUZZ];
        msg.sa_keying_tries = conn->options[KNCF_KEYINGTRIES];
+       if (conn->policy & POLICY_OPPORTUNISTIC) {
+               /* opportunistic should default keyingries to 1 */
+               if (!conn->options_set[KNCF_KEYINGTRIES])
+                       msg.sa_keying_tries = 1;
+               /*
+                * ??? Furthermore, any different value is actually an error
+                * until we straighten out shunt handling.
+                */
+               if (msg.sa_keying_tries != 1) {
+                       starter_log(LOG_LEVEL_ERR,
+                               "the connection is Opportunistic, but used 
keyingtries = %lu. The specified value was changed to 1",
+                               msg.sa_keying_tries);
+                       msg.sa_keying_tries = 1;
+               }
+       }
        msg.sa_replay_window = conn->options[KNCF_REPLAY_WINDOW];
        msg.xfrm_if_id = conn->options[KNCF_XFRM_IF_ID];
 
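Review bot: the hunk does not forbid the setting it reports as an error; after `starter_log(LOG_LEVEL_ERR, ...)` it continues with `msg.sa_keying_tries = 1;` and the conn is still sent to pluto, so an OE conn with keyingtries=0 produces one logged line and a silently changed value instead of a refused connection. If the intent is the "forbid OE & tries != 1" policy, return an error from starter_whack_basic_add_conn at that point rather than overriding; if the intent is to coerce, log it at warning level and word the message as a coercion. The message also names no connection, so include the conn's name to make it attributable, and the comment on the first `if` reads "keyingries". Since the check lives in starterwhack, a conn added directly through whack is not covered; the same rule belongs on the pluto side where the whack message is consumed.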
_______________________________________________
Swan-dev mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan-dev
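An added example, not libreswan code, that applies the policy discussed in the thread (OE conns default keyingtries to 1; any other value is an error until shunt handling is sorted out) to an ipsec.conf on disk, so the condition can be audited before the starter or pluto change lands. It assumes a conn is opportunistic when left= or right= is %opportunistic or %opportunisticgroup, that a value in conn %default counts as explicitly set, and that 0 and %forever both mean unlimited retries; the sample config and the helper names (parse_conns, check_keyingtries) are constructed for the example.

```python
"""Audit an ipsec.conf for Opportunistic Encryption conns whose keyingtries
is not 1, following the policy proposed on swan-dev: OE conns default
keyingtries to 1, and any other value is reported.

Added example, not libreswan code. Assumptions: a conn is opportunistic when
left= or right= is %opportunistic or %opportunisticgroup; a setting in
'conn %default' counts as explicitly set (it is inherited); 0 and %forever
both mean unlimited retries. The sample config below is constructed."""

import re

OE_MARKERS = {"%opportunistic", "%opportunisticgroup"}  # assumption

# Constructed sample config, not taken from any real host.
SAMPLE_CONF = """\
config setup
    logfile=/var/log/pluto.log

conn %default
    ikev2=insist

conn private-or-clear
    left=%defaultroute
    right=%opportunisticgroup
    authby=rsasig
    # keyingtries not set: defaults to 1 for OE, no finding

conn private
    left=%defaultroute
    right=%opportunisticgroup
    keyingtries=0        # unlimited retries: flagged

conn clear-or-private
    left=%defaultroute
    right=%opportunisticgroup
    keyingtries=%forever # same as 0: flagged

conn site-to-site
    left=192.0.2.1
    right=198.51.100.1
    keyingtries=3        # not OE: ignored
"""


def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section.

    Minimal parser: a 'conn NAME' line starts a section, indented key=value
    lines belong to it, '#' comments and blank lines are skipped, and other
    top-level sections (config setup, include) end the current conn."""
    conns = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = re.match(r"^conn\s+(\S+)\s*$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
            continue
        if re.match(r"^\S", line):  # some other section header
            current = None
            continue
        if current is None:
            continue
        key, sep, value = line.strip().partition("=")
        if sep:
            current[key.strip().lower()] = value.strip()
    return conns


def effective(conns, name, key):
    """Value of key for conn name, falling back to conn %default
    (assumption: an inherited %default value counts as explicitly set)."""
    if key in conns.get(name, {}):
        return conns[name][key]
    return conns.get("%default", {}).get(key)


def is_opportunistic(conns, name):
    """Assumption: OE is signalled by a %opportunistic* endpoint."""
    return any(effective(conns, name, side) in OE_MARKERS
               for side in ("left", "right"))


def check_keyingtries(text):
    """Return (tries_sent, findings).

    tries_sent maps each OE conn to the keyingtries value the proposed
    starterwhack code would send (always 1).  findings lists
    (conn, configured_value, message) for every OE conn whose configured
    value is not 1; an unset value is defaulted to 1 and is not a finding."""
    conns = parse_conns(text)
    tries_sent = {}
    findings = []
    for name in conns:
        if name == "%default" or not is_opportunistic(conns, name):
            continue
        raw = effective(conns, name, "keyingtries")
        tries_sent[name] = 1
        if raw is None:
            continue
        if raw.lower() == "%forever":   # assumption: %forever == 0
            tries = 0
        else:
            try:
                tries = int(raw)
            except ValueError:
                findings.append((name, raw, "keyingtries is not a number"))
                continue
        if tries != 1:
            findings.append((name, raw, "opportunistic conn has keyingtries=%s;"
                             " must be 1 until shunt handling is fixed" % raw))
    return tries_sent, findings


if __name__ == "__main__":
    _, problems = check_keyingtries(SAMPLE_CONF)
    for conn, value, msg in problems:
        print("conn %s: %s" % (conn, msg))
```

Run it against a real /etc/ipsec.conf by reading the file into check_keyingtries; non-OE conns are left alone, and the %default fallback is what makes an inherited keyingtries show up as the "explicitly set" case the patch treats as an error.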
