[Swan-commit] Changes to ref refs/heads/master
cagney at vault.libreswan.fi
Fri Mar 6 15:26:44 UTC 2020
Author: Andrew Cagney <cagney at gnu.org>
Date: Wed Feb 26 10:32:44 2020 -0500
crypto: move creating pubkeys into find_and_verify_certs()
Note that, since forever, IKEv1 has been repeatedly trying to decode
the CERT payload in each aggressive exchange message. Even when
having such a payload is nonsensical (for instance in the initial
aggressive request), and even when the payload has already been
discarded. For instance:
-002 "westnet-eastnet-x509" #1: No Certificate Authority in NSS Certificate DB! Certificate payloads discarded.
002 "westnet-eastnet-x509" #1: No Certificate Authority in NSS Certificate DB! Certificate payloads discarded.
It all mostly worked, abet inefficiently. On each call:
- any existing verified CERTs were thrown away
(they lurk in the CERT DB)
- the new certs were decoded and verified (expensive)
- the new certs were merged into the existing CERT DB
Mostly? If a broken (IMNSHO) initiator were to send a CERT payload in
only the first aggressive request, then the CERTS would be lost.
This patch tweaks things slightly - every IKEv1 decode certs call
releases both the verified cert chain and the CERT DB.
More information about the Swan-commit