[Swan-dev] refine_host_connection*()

Andrew Cagney andrew.cagney at gmail.com
Sun Jan 2 19:08:45 EET 2022


FYI,

I've updated/merged/cleaned out these code paths:

- only main mode responder and IKE_AUTH responder call refine_host_connection*()
  no other code path can change the connection during AUTH (not to be
confused with TS)

- all code paths use update_peer_id() to select the peer; if you've
thoughts about the following two points, please add them to the bug:
-> when %fromcert and no certs, peer ID must be a DN (some code paths
didn't enforce this)
https://github.com/libreswan/libreswan/issues/600
-> when ALLOW_NO_SAN ID is not updated (some did, some didn't)
https://github.com/libreswan/libreswan/issues/597

- Aggressive Mode responder selects the peer ID during the first
request (before it was pretty vague)
-> if no certs arrive during the first request and %fromcert, ID is
updated; then
-> if certs arrive during the second request, they get checked at that point

I see zero fails.  But I'm sure we've WIP tests lurking that perhaps
should be updated and checked?
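As an added illustration that is not libreswan code and not part of the message above, here is a small Python model of the two peer-ID rules the message states: a %fromcert connection that received no certificates must present a DN identity, and in the Aggressive Mode sequence an identity accepted in the first request is checked against certificates that arrive in the second. The function names (model_update_peer_id, check_certs_later), the Cert class and the toy is_dn() check are assumptions chosen for the example, not libreswan's own API.

```python
"""Toy model of peer-ID selection for an IKE responder.

Not libreswan code: the names and the DN parsing below are illustrative
assumptions made for this example only.
"""
from dataclasses import dataclass, field
from typing import List, Optional

ID_FROMCERT = "%fromcert"  # configured peer ID meaning "take it from the cert"


@dataclass
class Cert:
    """Constructed stand-in for a received end-entity certificate."""
    subject_dn: str
    sans: List[str] = field(default_factory=list)


@dataclass
class PeerIdResult:
    accepted: bool
    peer_id: Optional[str]
    reason: str


def is_dn(identity: str) -> bool:
    """Toy DN test: a comma-separated string containing a CN= component.
    Real code would parse a DER-encoded ASN.1 DN instead."""
    return any(part.strip().upper().startswith("CN=") for part in identity.split(","))


def model_update_peer_id(configured_id: str, proposed_id: str, certs: List[Cert]) -> PeerIdResult:
    """Decide whether the ID the peer proposed may become the peer ID.

    Mirrors the rule in the message: with %fromcert and no certificates in
    hand, the proposed ID must itself be a DN, otherwise it is rejected.
    """
    if configured_id == ID_FROMCERT:
        if not certs:
            if not is_dn(proposed_id):
                return PeerIdResult(False, None, "%fromcert with no certs requires a DN ID")
            # Accepted for now; a cert arriving later must still agree (see check_certs_later)
            return PeerIdResult(True, proposed_id, "DN accepted, pending certificate check")
        cert = certs[0]
        if proposed_id == cert.subject_dn or proposed_id in cert.sans:
            return PeerIdResult(True, proposed_id, "ID matched the received certificate")
        return PeerIdResult(False, None, "ID not present in the received certificate")
    # Statically configured peer ID: the proposal has to match it exactly
    if proposed_id != configured_id:
        return PeerIdResult(False, None, "ID does not match the configured peer ID")
    return PeerIdResult(True, proposed_id, "ID matched the configured peer ID")


def check_certs_later(selected_id: str, certs: List[Cert]) -> bool:
    """Second-request step of the Aggressive Mode flow: the DN selected
    earlier must match a certificate that arrives now."""
    return any(selected_id == c.subject_dn or selected_id in c.sans for c in certs)


if __name__ == "__main__":
    # Constructed sample exchange: first request has no certs, second one does
    first = model_update_peer_id(ID_FROMCERT, "CN=peer,O=Example", [])
    print(first)
    print(check_certs_later(first.peer_id, [Cert("CN=peer,O=Example")]))
```

The model deliberately fails closed: an e-mail or FQDN identity offered under %fromcert without a certificate is refused rather than provisionally accepted, and a DN accepted early is re-validated once a certificate shows up.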
