CVSROOT:        /cvs
Module name:    src
Changes by:     to...@cvs.openbsd.org   2020/03/10 12:54:52

Modified files:
        sbin/iked      : iked.h ikev2.c policy.c 

Log message:
Relookup policy based on received cryptographic parameter proposal.
The IKEv2 responder does not know which policy is negotiated until
the ID payload is received in the IKE_AUTH exchange.
iked therefore chooses a default policy until the final policy is
selected. This change adds a policy relookup during the IKE_SA_INIT.
If the received proposal is not compatible with the default policy,
we switch to the next highest ranked policy that is compatible
with the received proposal.

ok kn@ markus@
