[Swan-dev] rightcert=north rightca=%same

Andrew Cagney andrew.cagney at gmail.com
Thu Oct 29 12:43:33 UTC 2020


On Wed, 28 Oct 2020 at 23:14, Paul Wouters <paul at nohats.ca> wrote:
>
> On Wed, 28 Oct 2020, Andrew Cagney wrote:
>
> > in ikev2-x509-20-multicert-rightid-san-wildcard, this causes right to
> > leak "issuer ca":
> > https://testing.libreswan.org/v4.1-83-g9d775e57d4-main/ikev2-x509-20-multicert-rightid-san-wildcard/OUTPUT/east.console.diff
> > - right.ca=%same, so remember to set right.ca to left.ca
> > - rightcert=north, so set right.ca to clone(north.der, "issuer ca")
> > - oh, just remembered, set right.ca to clone(left.ca), leaking old value
> > (vis-à-vis left)
> > So is the above valid?
>
> The configuration is valid. Although rightca=%same is likely not needed
> there, as %same is also the default. So this should show up too in cases
> without leftca=%same or rightca=%same.

So whack is defaulting *ca=%same and sending it over?
See the start of extract_end() where it sets same_ca IFF ca=%same.

Anyway, if this is valid, I'm guessing the middle step in the above is wrong.

These tests seem to have the leak:
ikev2-x509-16-multicert
ikev2-x509-17-multicert-02
ikev2-x509-17-multicert-rightid-san-wildcard
ikev2-x509-18-multicert-rightid
ikev2-x509-19-multicert-rightid-san
ikev2-x509-20-multicert-rightid-san-wildcard
nat-pluto-10
x509-ikev2-frag-01-ike-aes_gcm
x509-pluto-frag-01
x509-pluto-frag-02
x509-pluto-frag-03
x509-pluto-frag-04
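As an added example (constructed for this page, not libreswan code and not from the thread), a C model of the assignment order described above: a hypothetical `extract` first fills `right.ca` from the cert's issuer, then `rightca=%same` overwrites that pointer with a clone of `left.ca`. A counting allocator makes the lost clone visible, and a second variant shows one way to avoid it by releasing the previous value before reassigning.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model of the assignment order discussed above; not libreswan code. */
static int live_allocs = 0;            /* outstanding clones, for leak accounting */

static char *clone_str(const char *s)
{
    char *p = strcpy(malloc(strlen(s) + 1), s);
    live_allocs++;
    return p;
}

static void free_str(char **p) { if (*p != NULL) { free(*p); live_allocs--; } *p = NULL; }

struct end { char *ca; const char *cert; int same_ca; };

/* Order described in the thread: rightcert= clones the cert's issuer into
 * right.ca, then ca=%same overwrites that pointer with a clone of left.ca. */
static void extract_leaky(struct end *left, struct end *right, const char *issuer)
{
    if (right->cert != NULL)
        right->ca = clone_str(issuer);    /* clone(north.der, "issuer ca") */
    if (right->same_ca)
        right->ca = clone_str(left->ca);  /* first clone is now unreachable */
}

/* Hypothetical fix: release whatever right.ca holds before reassigning it. */
static void extract_fixed(struct end *left, struct end *right, const char *issuer)
{
    if (right->cert != NULL)
        right->ca = clone_str(issuer);
    if (right->same_ca) {
        free_str(&right->ca);
        right->ca = clone_str(left->ca);
    }
}

/* Runs one variant with rightcert=north and rightca=%same, frees both ends,
 * and returns the clones still live afterwards; anything but 0 is a leak. */
static int leaked_after(void (*extract)(struct end *, struct end *, const char *))
{
    live_allocs = 0;
    struct end left = { .ca = clone_str("left ca"), .cert = NULL, .same_ca = 0 };
    struct end right = { .ca = NULL, .cert = "north", .same_ca = 1 };
    extract(&left, &right, "issuer ca");
    free_str(&left.ca);
    free_str(&right.ca);
    return live_allocs;
}
```

Running `leaked_after(extract_leaky)` reports one clone still live, the "issuer ca" copy the thread describes as leaked; `leaked_after(extract_fixed)` reports none.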

