[Swan-commit] Changes to ref refs/heads/main
Andrew Cagney
cagney at vault.libreswan.fi
Fri Dec 17 22:13:53 EET 2021
New commits:
commit 80558468746c09461cc2a9436bbb098a800c6ac9
Author: Andrew Cagney <cagney at gnu.org>
Date: Fri Dec 17 12:20:57 2021 -0500
connections: in refine_host_connection_on_responder() check candidate's AUTHBY

For IKEv2, when the initiator proposes DIGSIG, the authby (ECDSA/RSA)
was determined using the connection selected during IKE_SA_INIT.
If that connection wanted RSA, it would never switch to ECDSA.

- this at least allows both RSA and ECDSA
  suspect it needs to look further into the payload before making the
  decision
- the required keymat check was merged in with the other AUTH checks
  and ECDSA was added
- for IKEv2 and PSK, no check is performed
  the IKEv1 call to get_connection_psk(d) doesn't work as, at this
  point the candidate's that.id is still %any
  it looks like one of the reasons for recursion is to simplify fill in
  and then test that.id; grrr