[Swan-dev] new policies and keywords

[Paul Wouters]

On Thu, 23 Jan 2014, D. Hugh Redelmeier wrote:

> | From: Paul Wouters <paul at nohats.ca>
>
> | There is still a weird whack/policy mismatch:
>
> fix committed.

Awesome!

We have a branch toad-demo on swantest.libreswan.fi that can now do
limited forms of assymetric authentication using PSK/RSA (the one we
needed for the OE case). We have been talking a bit about how to expose
this into the configuration file and policy bits.  But we have not fully
agreed on how to handle this.

Some requirements, suggestions and unresolved questions:

- Allow for new ecc authentication (eg authby=ecc)
- Allow for combo's (eg authby=rsa|secret or authby=rsa|ecc)
- Allow for none authentication (eg authby=none)
- Allow for assymetry (eg leftauthby=rsa ; rightauthby=none)
- How to deal with "nonsense" combo (like authby+leftauthby or
   authby=secret with leftrsasigkey=
- How to deal with ecc style keys? (have "rsasigkey" be legacy and move
   to "sigkey=" and have format indicative of type?)
- How to add ECC keys into ipsec.secrets / NSS
- Phasing out 'requirement' of RSA values in ipsec.secrets that are
   unused? (eg modulues= and all which is within nss?) But how about
   non-nss?

How to map this? Currently we have two polic bits, POLICY_PSK and
POLICY_RSA, which are implicitely exclusive.

- Add POLICY_ASSYMETRIC_AUTH? Add POLICY_AUTH_NONE? This does not
   address left/right cases.
- Remove POLICY_PSK and POLICY_RSA and place these policies into a
   seperate "policy" storage in the struct end so it becomes left/right?
- Keep POLICY_PSK and POLICY_RSA but only use these for symmetric auth?

Paul