[Swan-dev] questions about ikev2_send_auth

Andrew Cagney andrew.cagney at gmail.com
Sun Feb 3 19:37:39 UTC 2019


I don't understand null auth and try to avoid it :-)

One thing however, wherever you see AUTH_ECDSA or AUTH_RSA, think
instead in terms of AUTH_PKI - those two code paths really need to be
merged.

On Sun, 3 Feb 2019 at 13:28, D. Hugh Redelmeier <hugh at mimosa.com> wrote:
>
> ikev2_send_auth's internal variable "authby" has a kind of obvious
> function.
>
> It starts out as the value from c->spd.this.authby (the relevant
> asymmetric value).
>
> If st->st_peer_wants_null, it gets over-ridden to AUTH_NULL.
>
> Otherwise, if the asymmetric value is AUTH_UNSET, it makes up a value
> based on the POLICY bits (the symmetric authby, I guess).  Since those are
> a set, it picks the "best" one.
>
>
> Q1: why does this last-described check not consider POLICY_ECDSA?
> Something like
>                 } else if (c->policy & POLICY_ECDSA) {
>                         authby = AUTH_ECDSA;
>                 }
>
> Q2: since this IF cascade does not have an "} else {", could this not
> cause a bad_case in the immediately following SWITCH?
> _______________________________________________
> Swan-dev mailing list
> Swan-dev at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan-dev
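The cascade Hugh describes, written out as a stand-alone C example that is not libreswan's code: the enum values, the POLICY_* bit positions, the function name pick_authby and the "best first" ordering (ECDSA, then RSASIG, then PSK, then NULL) are all assumptions made for this example. It adds the POLICY_ECDSA branch from Q1 and answers Q2 by ending the cascade in an explicit else, so the caller can detect an unset method up front instead of letting a later switch hit bad_case.

```c
#include <stdbool.h>
#include <stdio.h>

/* Stand-in definitions for this example only; they are NOT libreswan's
 * real enum values or POLICY_* bit positions. */
typedef unsigned long lset_t;
#define POLICY_PSK       ((lset_t)1 << 0)
#define POLICY_RSASIG    ((lset_t)1 << 1)
#define POLICY_ECDSA     ((lset_t)1 << 2)
#define POLICY_AUTH_NULL ((lset_t)1 << 3)

enum keyword_authby {
	AUTH_UNSET = 0,
	AUTH_NEVER,
	AUTH_PSK,
	AUTH_RSASIG,
	AUTH_ECDSA,
	AUTH_NULL,
};

/* Hypothetical selection routine mirroring the cascade described in the
 * thread (it is not ikev2_send_auth itself).  Two deliberate differences
 * from the described code: POLICY_ECDSA is considered, and the cascade
 * ends in an explicit "else" so the result is never left unset by
 * accident.  The ECDSA > RSASIG > PSK > NULL preference is an assumption. */
static enum keyword_authby pick_authby(enum keyword_authby this_authby,
				       lset_t policy, bool peer_wants_null)
{
	enum keyword_authby authby = this_authby;

	if (peer_wants_null) {
		authby = AUTH_NULL;
	} else if (authby == AUTH_UNSET) {
		/* Symmetric policy bits are a set; pick the "best" one. */
		if (policy & POLICY_ECDSA) {
			authby = AUTH_ECDSA;
		} else if (policy & POLICY_RSASIG) {
			authby = AUTH_RSASIG;
		} else if (policy & POLICY_PSK) {
			authby = AUTH_PSK;
		} else if (policy & POLICY_AUTH_NULL) {
			authby = AUTH_NULL;
		} else {
			/* No usable policy bit: hand AUTH_UNSET back so the
			 * caller rejects the exchange instead of reaching a
			 * switch whose default would bad_case(). */
			authby = AUTH_UNSET;
		}
	}
	return authby;
}

/* Caller-side guard: true only for methods an AUTH payload can carry. */
static bool authby_is_sendable(enum keyword_authby authby)
{
	switch (authby) {
	case AUTH_PSK:
	case AUTH_RSASIG:
	case AUTH_ECDSA:
	case AUTH_NULL:
		return true;
	default:
		/* AUTH_UNSET and AUTH_NEVER must never reach the sender. */
		return false;
	}
}

int main(void)
{
	/* Constructed sample inputs. */
	enum keyword_authby a = pick_authby(AUTH_UNSET, POLICY_ECDSA | POLICY_PSK, false);
	enum keyword_authby b = pick_authby(AUTH_UNSET, 0, false);

	printf("policy ECDSA|PSK, this=UNSET -> %d (sendable=%d)\n",
	       (int)a, (int)authby_is_sendable(a));
	printf("policy empty, this=UNSET   -> %d (sendable=%d)\n",
	       (int)b, (int)authby_is_sendable(b));
	return 0;
}
```

The guard is what the original cascade lacks: with no final else, an empty policy set leaves authby as the incoming AUTH_UNSET, and whether that is caught depends entirely on the switch that follows.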

