Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

pluto: add ALLOW_MICROSOFT_BAD_PROPOSAL for self-proposals #447

Closed
wants to merge 1 commit into from
Closed

pluto: add ALLOW_MICROSOFT_BAD_PROPOSAL for self-proposals #447

wants to merge 1 commit into from

Conversation

evelikov
Copy link

Earlier commit, introduced checking for self-proposals. Yet the commit
did not add the ALLOW_MICROSOFT_BAD_PROPOSAL workaround in said case.

Add the workaround, since it's required in a number of cases:
https://bbs.archlinux.org/viewtopic.php?id=253434

Fixes: 3a9afb0 ("wo#6211 . the check on the peers reply should also use localaddr when checking")

/cc @mcr @shussain

@evelikov-work @evelikov
pluto: add ALLOW_MICROSOFT_BAD_PROPOSAL for self-proposals
d3ee7ca 
Earlier commit, introduced checking for self-proposals. Yet the commit
did not add the ALLOW_MICROSOFT_BAD_PROPOSAL workaround in said case.

Add the workaround, since it's required in a number of cases:
https://bbs.archlinux.org/viewtopic.php?id=253434

Cc: Michael Richardson <mcr@credil.org>
Fixes: 3a9afb0 ("wo#6211 . the check on the peers reply should also use localaddr when checking")
Signed-off-by: Emil Velikov <emil.velikov@collabora.com>
mcr
mcr suggested changes Oct 2, 2020
View reviewed changes
programs/pluto/ikev1_quick.c
@@ -602,7 +602,12 @@ check_net_id(struct isakmp_ipsec_id *id
} else if(!end->has_client && !subnetisaddr(&net_temp, endip)) {
loglog(RC_LOG_SERIOUS, "%s subnet returned does not match my self-proposal - us:%s vs them:%s",
which,subxmt,subrec);
bad_proposal = TRUE;
#ifdef ALLOW_MICROSOFT_BAD_PROPOSAL
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since both sides of this if()/else if(), result in the same exception being applied, the overall affect of ALLOW_MICROSOFT_BAD_PROPOSAL is to do nothing, and log the same thing, please just surround the entire if/else of an #ifdef, and don't even do the test.
Please document what versions of which Microsoft products do this.
This should be set on a per-conn basis, I think. Or perhaps, enabled by a vendor-based impairment.
I would have removed this #ifdef had I noticed it before.

Copy link
Author

@evelikov evelikov Oct 2, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There's a subtle difference between the messages in the if/elseif branches, which clearly highlights which is the offending section. Grouping them together would make that harder, so if anything it's better to keep it as-is.

The device is Ubiquiti/UniFi (don't know further details sorry), plus a search through the webs shows many other vendors which need the workaround. So yes, the name is misleading, yet considering it has been enabled by default for years, removing it sounds like a terrible move.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Humble poke?

@shussain
Copy link
Collaborator

Cherry picked into the master branch.

@shussain shussain closed this Oct 23, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mcr mcr mcr approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@evelikov @shussain @mcr @evelikov-work