Bug #1171
Bug in setting source IP for IKE packets causes failure to install IPv6 CHILD_SA when built with certain compilers
Description
Hi,
I have a regression since upgrading to 5.3.3. My client has AES-NI and uses:
esp = aes256gcm16-ecp384!
ike = aes256gcm16-sha256-ecp384!
which works in 5.3.2 since issue #341 is fixed in kernel 4.0+ (I run 4.2 on both ends):
molly[2]: IKEv2 SPIs: 18a3897c8da51675_i* 87ce1f293bbd8c7f_r, public key reauthentication in 5 hours
molly[2]: IKE proposal: AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_384
molly{2}: INSTALLED, TUNNEL, reqid 2, ESP SPIs: c8a3fce1_i cd5e580e_o
molly{2}: AES_GCM_16_256, 0 bytes_i, 0 bytes_o, rekeying in 54 minutes
In 5.3.3, I get:
received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
failed to establish CHILD_SA, keeping IKE_SA
and looking at the gateway logs, I get the same errors there as the error #431:
Oct 22 21:43:10 molly charon: 15[KNL] adding SAD entry with SPI cd9e2905 and reqid {11} (mark 0/0x00000000) Oct 22 21:43:10 molly charon: 15[KNL] using encryption algorithm AES_GCM_16 with key size 288 Oct 22 21:43:10 molly charon: 15[KNL] using replay window of 32 packets Oct 22 21:43:10 molly charon: 15[KNL] sending XFRM_MSG_UPDSA: => 380 bytes @ 0x372c6c1d5d0 Oct 22 21:43:10 molly charon: 15[KNL] 0: 7C 01 00 00 1A 00 05 00 13 01 00 00 05 5D 00 00 |............].. Oct 22 21:43:10 molly charon: 15[KNL] 16: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Oct 22 21:43:10 molly charon: 15[KNL] 32: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Oct 22 21:43:10 molly charon: 15[KNL] 48: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Oct 22 21:43:10 molly charon: 15[KNL] 64: 00 00 00 00 00 00 00 00 2A 01 0E 34 EC 2F 4E 20 ........*..4./N Oct 22 21:43:10 molly charon: 15[KNL] 80: 00 00 00 00 00 00 00 02 CD 9E 29 05 32 00 00 00 ..........).2... Oct 22 21:43:10 molly charon: 15[KNL] 96: 2A 01 0E 34 EC 2F 4E 20 68 F0 51 BC F9 41 CB A3 *..4./N h.Q..A.. Oct 22 21:43:10 molly charon: 15[KNL] 112: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................ Oct 22 21:43:10 molly charon: 15[KNL] 128: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................ Oct 22 21:43:10 molly charon: 15[KNL] 144: 17 0D 00 00 00 00 00 00 10 0E 00 00 00 00 00 00 ................ Oct 22 21:43:10 molly charon: 15[KNL] 160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Oct 22 21:43:10 molly charon: 15[KNL] 176: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Oct 22 21:43:10 molly charon: 15[KNL] 192: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Oct 22 21:43:10 molly charon: 15[KNL] 208: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Oct 22 21:43:10 molly charon: 15[KNL] 224: 0B 00 00 00 0A 00 01 20 20 00 00 00 00 00 00 00 ....... ....... Oct 22 21:43:10 molly charon: 15[KNL] 240: 70 00 12 00 72 66 63 34 31 30 36 28 67 63 6D 28 p...rfc4106(gcm( Oct 22 21:43:10 molly charon: 15[KNL] 256: 61 65 73 29 29 00 00 00 00 00 00 00 00 00 00 00 aes))........... Oct 22 21:43:10 molly charon: 15[KNL] 272: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Oct 22 21:43:10 molly charon: 15[KNL] 288: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Oct 22 21:43:10 molly charon: 15[KNL] 304: 00 00 00 00 20 01 00 00 80 00 00 00 8B 33 31 F4 .... ........31. Oct 22 21:43:10 molly charon: 15[KNL] 320: F2 E2 AC 38 E2 6B 1C 3B CC 74 94 68 60 05 D1 76 ...8.k.;.t.h`..v Oct 22 21:43:10 molly charon: 15[KNL] 336: 82 8D A1 A1 FA 4F C1 9C 52 FA 22 3F 1C 88 08 2F .....O..R."?.../ Oct 22 21:43:10 molly charon: 15[KNL] 352: 1C 00 04 00 02 00 11 94 11 94 00 00 00 00 00 00 ................ Oct 22 21:43:10 molly charon: 15[KNL] 368: 00 00 00 00 00 00 00 00 00 00 00 00 ............ Oct 22 21:43:10 molly charon: 15[KNL] received netlink error: Invalid argument (22) Oct 22 21:43:10 molly charon: 15[KNL] unable to add SAD entry with SPI cd9e2905 Oct 22 21:43:10 molly charon: 15[KNL] adding SAD entry with SPI c2cb74ad and reqid {11} (mark 0/0x00000000) Oct 22 21:43:10 molly charon: 15[KNL] using encryption algorithm AES_GCM_16 with key size 288 Oct 22 21:43:10 molly charon: 15[KNL] using replay window of 32 packets Oct 22 21:43:10 molly charon: 15[KNL] sending XFRM_MSG_NEWSA: => 380 bytes @ 0x372c6c1d5d0 Oct 22 21:43:10 molly charon: 15[KNL] 0: 7C 01 00 00 10 00 05 00 14 01 00 00 05 5D 00 00 |............].. Oct 22 21:43:10 molly charon: 15[KNL] 16: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Oct 22 21:43:10 molly charon: 15[KNL] 32: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Oct 22 21:43:10 molly charon: 15[KNL] 48: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Oct 22 21:43:10 molly charon: 15[KNL] 64: 00 00 00 00 00 00 00 00 2A 01 0E 34 EC 2F 4E 20 ........*..4./N Oct 22 21:43:10 molly charon: 15[KNL] 80: 68 F0 51 BC F9 41 CB A3 C2 CB 74 AD 32 00 00 00 h.Q..A....t.2... Oct 22 21:43:10 molly charon: 15[KNL] 96: 2A 01 0E 34 EC 2F 4E 20 00 00 00 00 00 00 00 02 *..4./N ........ Oct 22 21:43:10 molly charon: 15[KNL] 112: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................ Oct 22 21:43:10 molly charon: 15[KNL] 128: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................ Oct 22 21:43:10 molly charon: 15[KNL] 144: B2 0C 00 00 00 00 00 00 10 0E 00 00 00 00 00 00 ................ Oct 22 21:43:10 molly charon: 15[KNL] 160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Oct 22 21:43:10 molly charon: 15[KNL] 176: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Oct 22 21:43:10 molly charon: 15[KNL] 192: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Oct 22 21:43:10 molly charon: 15[KNL] 208: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Oct 22 21:43:10 molly charon: 15[KNL] 224: 0B 00 00 00 0A 00 01 20 20 00 00 00 00 00 00 00 ....... ....... Oct 22 21:43:10 molly charon: 15[KNL] 240: 70 00 12 00 72 66 63 34 31 30 36 28 67 63 6D 28 p...rfc4106(gcm( Oct 22 21:43:10 molly charon: 15[KNL] 256: 61 65 73 29 29 00 00 00 00 00 00 00 00 00 00 00 aes))........... Oct 22 21:43:10 molly charon: 15[KNL] 272: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Oct 22 21:43:10 molly charon: 15[KNL] 288: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Oct 22 21:43:10 molly charon: 15[KNL] 304: 00 00 00 00 20 01 00 00 80 00 00 00 A4 85 E8 C3 .... ........... Oct 22 21:43:10 molly charon: 15[KNL] 320: A6 3B 72 89 49 D7 4D 46 28 71 0E 64 A4 F0 41 1B .;r.I.MF(q.d..A. Oct 22 21:43:10 molly charon: 15[KNL] 336: 63 08 B0 7E 72 48 76 EC 68 F6 BD CB 8C 41 27 E0 c..~rHv.h....A'. Oct 22 21:43:10 molly charon: 15[KNL] 352: 1C 00 04 00 02 00 11 94 11 94 00 00 00 00 00 00 ................ Oct 22 21:43:10 molly charon: 15[KNL] 368: 00 00 00 00 00 00 00 00 00 00 00 00 ............ Oct 22 21:43:10 molly charon: 15[KNL] received netlink error: Invalid argument (22) Oct 22 21:43:10 molly charon: 15[KNL] unable to add SAD entry with SPI c2cb74ad Oct 22 21:43:10 molly charon: 15[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
Here's a gw log with the client using 5.3.2:
Oct 22 21:45:05 molly charon: 14[KNL] adding SAD entry with SPI ca5b0e3c and reqid {12} (mark 0/0x00000000) Oct 22 21:45:05 molly charon: 14[KNL] using encryption algorithm AES_GCM_16 with key size 288 Oct 22 21:45:05 molly charon: 14[KNL] using replay window of 32 packets Oct 22 21:45:06 molly charon: 14[KNL] sending XFRM_MSG_UPDSA: => 352 bytes @ 0x372c74b15d0 Oct 22 21:45:06 molly charon: 14[KNL] 0: 60 01 00 00 1A 00 05 00 18 01 00 00 05 5D 00 00 `............].. Oct 22 21:45:06 molly charon: 14[KNL] 16: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Oct 22 21:45:06 molly charon: 14[KNL] 32: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Oct 22 21:45:06 molly charon: 14[KNL] 48: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Oct 22 21:45:06 molly charon: 14[KNL] 64: 00 00 00 00 00 00 00 00 2A 01 0E 34 EC 2F 4E 20 ........*..4./N Oct 22 21:45:06 molly charon: 14[KNL] 80: 00 00 00 00 00 00 00 02 CA 5B 0E 3C 32 00 00 00 .........[.<2... Oct 22 21:45:06 molly charon: 14[KNL] 96: 2A 01 0E 34 EC 2F 4E 20 62 57 18 FF FE 7F 0E 13 *..4./N bW...... Oct 22 21:45:06 molly charon: 14[KNL] 112: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................ Oct 22 21:45:06 molly charon: 14[KNL] 128: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................ Oct 22 21:45:06 molly charon: 14[KNL] 144: F3 0C 00 00 00 00 00 00 10 0E 00 00 00 00 00 00 ................ Oct 22 21:45:06 molly charon: 14[KNL] 160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Oct 22 21:45:06 molly charon: 14[KNL] 176: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Oct 22 21:45:06 molly charon: 14[KNL] 192: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Oct 22 21:45:06 molly charon: 14[KNL] 208: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Oct 22 21:45:06 molly charon: 14[KNL] 224: 0C 00 00 00 0A 00 01 20 20 00 00 00 00 00 00 00 ....... ....... Oct 22 21:45:06 molly charon: 14[KNL] 240: 70 00 12 00 72 66 63 34 31 30 36 28 67 63 6D 28 p...rfc4106(gcm( Oct 22 21:45:06 molly charon: 14[KNL] 256: 61 65 73 29 29 00 00 00 00 00 00 00 00 00 00 00 aes))........... Oct 22 21:45:06 molly charon: 14[KNL] 272: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Oct 22 21:45:06 molly charon: 14[KNL] 288: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Oct 22 21:45:06 molly charon: 14[KNL] 304: 00 00 00 00 20 01 00 00 80 00 00 00 23 4D 67 E2 .... .......#Mg. Oct 22 21:45:06 molly charon: 14[KNL] 320: 3F A9 6F 97 BB 41 1C AE 61 42 28 C2 FB B6 61 91 ?.o..A..aB(...a. Oct 22 21:45:06 molly charon: 14[KNL] 336: CD 43 C3 BF 24 20 B4 22 B3 7F 83 A0 4A CA 19 0B .C..$ ."....J... Oct 22 21:45:06 molly charon: 14[KNL] adding SAD entry with SPI c569e9cf and reqid {12} (mark 0/0x00000000) Oct 22 21:45:06 molly charon: 14[KNL] using encryption algorithm AES_GCM_16 with key size 288 Oct 22 21:45:06 molly charon: 14[KNL] using replay window of 32 packets Oct 22 21:45:06 molly charon: 14[KNL] sending XFRM_MSG_NEWSA: => 352 bytes @ 0x372c74b15d0 Oct 22 21:45:06 molly charon: 14[KNL] 0: 60 01 00 00 10 00 05 00 19 01 00 00 05 5D 00 00 `............].. Oct 22 21:45:06 molly charon: 14[KNL] 16: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Oct 22 21:45:06 molly charon: 14[KNL] 32: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Oct 22 21:45:06 molly charon: 14[KNL] 48: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Oct 22 21:45:06 molly charon: 14[KNL] 64: 00 00 00 00 00 00 00 00 2A 01 0E 34 EC 2F 4E 20 ........*..4./N Oct 22 21:45:06 molly charon: 14[KNL] 80: 62 57 18 FF FE 7F 0E 13 C5 69 E9 CF 32 00 00 00 bW.......i..2... Oct 22 21:45:06 molly charon: 14[KNL] 96: 2A 01 0E 34 EC 2F 4E 20 00 00 00 00 00 00 00 02 *..4./N ........ Oct 22 21:45:06 molly charon: 14[KNL] 112: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................ Oct 22 21:45:06 molly charon: 14[KNL] 128: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................ Oct 22 21:45:06 molly charon: 14[KNL] 144: C5 0C 00 00 00 00 00 00 10 0E 00 00 00 00 00 00 ................ Oct 22 21:45:06 molly charon: 14[KNL] 160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Oct 22 21:45:06 molly charon: 14[KNL] 176: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Oct 22 21:45:06 molly charon: 14[KNL] 192: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Oct 22 21:45:06 molly charon: 14[KNL] 208: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Oct 22 21:45:06 molly charon: 14[KNL] 224: 0C 00 00 00 0A 00 01 20 20 00 00 00 00 00 00 00 ....... ....... Oct 22 21:45:06 molly charon: 14[KNL] 240: 70 00 12 00 72 66 63 34 31 30 36 28 67 63 6D 28 p...rfc4106(gcm( Oct 22 21:45:06 molly charon: 14[KNL] 256: 61 65 73 29 29 00 00 00 00 00 00 00 00 00 00 00 aes))........... Oct 22 21:45:06 molly charon: 14[KNL] 272: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Oct 22 21:45:06 molly charon: 14[KNL] 288: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Oct 22 21:45:06 molly charon: 14[KNL] 304: 00 00 00 00 20 01 00 00 80 00 00 00 56 6C BA EF .... .......Vl.. Oct 22 21:45:06 molly charon: 14[KNL] 320: 3A 74 4F 20 82 A3 24 0E 13 3E 50 CC DD 59 7F 5F :tO ..$..>P..Y._ Oct 22 21:45:06 molly charon: 14[KNL] 336: 3D 49 84 86 E6 A4 DD D5 A7 15 6E 6C 51 D6 E5 7C =I........nlQ..|
Note that the XFRM_MSG_UPDSA message length is larger in first case, unsure why.
Associated revisions
History
#1 Updated by Yves-Alexis Perez about 5 years ago
Some more information:
client runs strongSwan 5.3.3 on Linux 4.2.3, distribution Debian sid
gw runs strongSwan 5.2.1 on Linux 4.2.3, distribution Debian Jessie
#2 Updated by Yves-Alexis Perez about 5 years ago
So after a chat with Tobias on IRC, it seems that part of the problem lies in the NAT detection (by the gw). Here's a log from the gw (running 5.2.1), when the client (running 5.3.3) tries to connect:
Nov 1 14:40:47 molly charon: 04[NET] received packet: from 2a01:xxx:xxxx:xxxx:2995:3e78:8d89:4498[500] to 2a01:xxx:xxxx:xxxx::2[500] (288 bytes)
Nov 1 14:40:47 molly charon: 04[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N((16431)) ]
Nov 1 14:40:47 molly charon: 04[IKE] 2a01:xxx:xxxx:xxxx:2995:3e78:8d89:4498 is initiating an IKE_SA
Nov 1 14:40:47 molly charon: 04[IKE] remote host is behind NAT
Nov 1 14:40:47 molly charon: 04[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Nov 1 14:40:47 molly charon: 04[NET] sending packet: from 2a01:xxx:xxxx:xxxx::2[500] to 2a01:xxx:xxxx:xxxx:2995:3e78:8d89:4498[500] (272 bytes)
Note that the connection uses IPv6, but charon still thinks there's NAT involved, which doesn't really make sense.
Here's the gw log (same 5.2.1 version) when the client uses 5.3.2:
Nov 1 14:45:47 molly charon: 08[NET] received packet: from 2a01:xxx:xxxx:xxxx:6257:18ff:fe7f:e13[500] to 2a01:e34:ec2f:4e20::2[500] (288 bytes)
Nov 1 14:45:47 molly charon: 08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N((16431)) ]
Nov 1 14:45:47 molly charon: 08[IKE] 2a01:xxx:xxxx:xxxx:6257:18ff:fe7f:e13 is initiating an IKE_SA
Nov 1 14:45:47 molly charon: 08[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Nov 1 14:45:47 molly charon: 08[NET] sending packet: from 2a01:xxx:xxxx:xxxx::2[500] to 2a01:xxx:xxxx:xxxx:6257:18ff:fe7f:e13[500] (272 bytes)
Note that the client IPs are different between 5.3.2 and 5.3.3, but both are real. The :4498 one is a temporary address (the underlying device is a wireless one, managed by NetworkManager, which creates privacy specific addresses), while the :e13 is the “standard” address.
I don't really know why that would mess up NAT detection though.
#3 Updated by Tobias Brunner about 5 years ago
- Tracker changed from Issue to Bug
- Subject changed from [regression] Can't establish AES_GCM_16_256 CHILD_SA in 5.3.3 to Bug in setting source IP for IKE packets causes failure to install IPv6 CHILD_SA when built with certain compilers
- Status changed from New to Feedback
Further discussions, tests (thanks Yves-Alexis!) and research showed that this was caused by a bug in the socket-default plugin that manifested itself with newer versions of GCC.
In this particular case (IPv6) the problematic code looks like this:
else
{
char buf[CMSG_SPACE(sizeof(struct in6_pktinfo))];
struct in6_pktinfo *pktinfo;
struct sockaddr_in6 *sin;
memset(buf, 0, sizeof(buf));
msg.msg_control = buf;
msg.msg_controllen = sizeof(buf);
cmsg = CMSG_FIRSTHDR(&msg);
cmsg->cmsg_level = SOL_IPV6;
cmsg->cmsg_type = IPV6_PKTINFO;
cmsg->cmsg_len = CMSG_LEN(sizeof(struct in6_pktinfo));
pktinfo = (struct in6_pktinfo*)CMSG_DATA(cmsg);
sin = (struct sockaddr_in6*)src->get_sockaddr(src);
memcpy(&pktinfo->ipi6_addr, &sin->sin6_addr, sizeof(struct in6_addr));
}
The problem is that msg
is defined and used (via sendmsg
) outside the scope of this else
-block.
Newer versions of GCC (5.2.1 in the tests) optimized the memcpy()
call away, the rest of the generated program code remained the same as with earlier versions, though. But without the address being set via IPV6_PKTINFO, the packets were not sent from the address intended by the IKE daemon.
Why this caused the failure to install the CHILD_SA is because of the source address selection done by the daemon. Due to the option charon.prefer_temporary_addresses=no (default) the daemon intended to send the IKE packets from the static IPv6 address. But because of the issue above this address was not set, so the default source address selection kicked in, with which temporary addresses are preferred by default. Therefore, the packets were sent from the temporary address instead.
However, to build the NAT_DETECTION_SOURCE_IP payload the daemon also used its intended source address (i.e. the static address). This consequently caused mismatch on the responder, which concluded that the initiator is behind a NAT. Because the Linux kernel currently does not support UDP encapsulation for IPv6 this resulted in the failure to install the IPsec SA.
A fix for the bug can be found in the 1171-socket-default-scope branch. A workaround in this particular case is to configure charon.prefer_temporary_addresses=yes, which causes charon to internally use the same source address as the kernel.
#4 Updated by Yves-Alexis Perez about 5 years ago
And I can confirm the patch fixes the issue for me.
#5 Updated by Tobias Brunner about 5 years ago
- Category set to libcharon
- Status changed from Feedback to Closed
- Assignee set to Tobias Brunner
- Target version set to 5.3.4
- Resolution set to Fixed
socket-default: Refactor setting source address when sending messages
This ensures we don't pass data (via msg_control) defined in a different
scope to sendmsg(). Actually, some compilers (e.g. GCC 5.2.1) might
optimize the memcpy() call away causing the packets not to get sent from
the intended source address.
It also makes the code clearer than with all these ifdefs.
Fixes #1171.