[Swan-dev] questions about ikev2_send_auth

Andrew Cagney andrew.cagney at gmail.com
Sun Feb 3 19:37:39 UTC 2019

I don't understand null auth and try to avoid it :-)

One thing however,where ever you see AUTH_ECDSA or AUTH_RSA, think
instead in terms of AUTH_PKI - those two code paths really need to be

On Sun, 3 Feb 2019 at 13:28, D. Hugh Redelmeier <hugh at mimosa.com> wrote:
> ikev2_send_auth's internal variable "authby" has a kind of obvious
> function.
> It starts out as the value from c->spd.this.authby (the relevant
> asymmetric value).
> If st->st_peer_wants_null, it gets over-ridden to AUTH_NULL.
> Otherwise, if the asymmetric value is AUTH_UNSET, it makess up a value
> based on the POLICY bits (the symmetric authby, I guess).  Since those are
> a set, it picks the "best" one.
> Q1: why does this last-described check not consider POLICY_ECDSA?
> Something like
>                 } else if (c->policy & POLICY_ECDSA) {
>                         authby = AUTH_ECDSA;
>                 }
> Q2: since this IF cascade does not have an "} else {", could this not
> cause a bad_case in the immediately following SWITCH?
> _______________________________________________
> Swan-dev mailing list
> Swan-dev at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan-dev

More information about the Swan-dev mailing list