[Swan-commit] Changes to ref refs/heads/main

Andrew Cagney cagney at vault.libreswan.fi
Fri Dec 17 22:13:53 EET 2021

New commits:
commit 80558468746c09461cc2a9436bbb098a800c6ac9
Author: Andrew Cagney <cagney at gnu.org>
Date:   Fri Dec 17 12:20:57 2021 -0500

    connections: in refine_host_connection_on_responder() check candidate's AUTHBY
    For IKEv2, when the initiator proposes DIGSIG, the authby (ECDSA/RSA)
    was determined using on the connection selected during IKE_SA_INIT.
    If that connection wanted RSA, it would never switch to ECDSA.
    - this at least allows both RSA and ECDSA
      suspect it needs to look further into the payload before making the
    - the required keymat check was merged in with the other AUTH checks
      and ECDSA was added
    - for IKEv2 and PSK, no check is performed
      the IKEv1 call to get_connection_psk(d) doesn't work as, at this
      point the candidate's that.id is still %any
      it looks like one of the reasons for recursion is to simplfy fill in
      and then test that.id; grrr

More information about the Swan-commit mailing list