New commits:
commit 80558468746c09461cc2a9436bbb098a800c6ac9
Author: Andrew Cagney <[email protected]>
Date: Fri Dec 17 12:20:57 2021 -0500
connections: in refine_host_connection_on_responder() check candidate's AUTHBY
For IKEv2, when the initiator proposes DIGSIG, the authby (ECDSA/RSA)
was determined using the connection selected during IKE_SA_INIT.
If that connection wanted RSA, it would never switch to ECDSA.
- this at least allows both RSA and ECDSA
suspect it needs to look further into the payload before making the
decision
- the required keymat check was merged in with the other AUTH checks
and ECDSA was added
- for IKEv2 and PSK, no check is performed
the IKEv1 call to get_connection_psk(d) doesn't work as, at this
point the candidate's that.id is still %any
it looks like one of the reasons for recursion is to simplify fill in
and then test that.id; grrr
_______________________________________________
Swan-commit mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan-commit
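The selection problem the commit describes, as an added illustration (this is not libreswan code and none of the names below exist in the project): a responder picks a connection during IKE_SA_INIT, and before the fix the AUTH method is judged only against that one connection, so an RSA-only selection can never move to an ECDSA candidate. The model below keeps a "before" and "after" side by side, folds the required-keymat check into the AUTH check as the commit says, and performs no check for PSK, since the candidate's that.id is still %any at that point. The candidate table is constructed sample data.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model (not libreswan code) of the responder-side refinement
 * discussed in the commit: check each candidate connection's AUTHBY against
 * the initiator's proposed AUTH method instead of trusting the connection
 * chosen during IKE_SA_INIT. All identifiers here are invented. */

enum auth_method { AUTH_RSA_SIG, AUTH_ECDSA_SIG, AUTH_PSK };

/* authby bitmask: which methods a connection is configured to accept */
enum { AUTHBY_RSA = 1, AUTHBY_ECDSA = 2, AUTHBY_PSK = 4 };

struct connection {
    const char *name;
    unsigned authby;   /* bitmask of AUTHBY_* */
    bool has_keymat;   /* key material for the signature method is loaded */
};

/* Required-keymat check merged with the AUTH check, as the commit describes.
 * For PSK nothing is checked: the candidate's that.id is still %any here,
 * so a get_connection_psk()-style lookup cannot work yet. */
static bool auth_acceptable(const struct connection *c, enum auth_method proposed)
{
    switch (proposed) {
    case AUTH_RSA_SIG:
        return (c->authby & AUTHBY_RSA) != 0 && c->has_keymat;
    case AUTH_ECDSA_SIG:
        return (c->authby & AUTHBY_ECDSA) != 0 && c->has_keymat;
    case AUTH_PSK:
        return true;
    }
    return false;
}

/* Before the fix: authby is whatever the IKE_SA_INIT connection wants,
 * so an RSA-only selection never switches to an ECDSA candidate. */
const struct connection *refine_before(const struct connection *initial,
                                       enum auth_method proposed)
{
    return auth_acceptable(initial, proposed) ? initial : NULL;
}

/* After the fix: keep the initial choice if it fits, otherwise walk the
 * candidates and take the first whose AUTHBY (and keymat) fits. */
const struct connection *refine_after(const struct connection *initial,
                                      const struct connection *cands, size_t n,
                                      enum auth_method proposed)
{
    if (auth_acceptable(initial, proposed))
        return initial;
    for (size_t i = 0; i < n; i++) {
        if (&cands[i] != initial && auth_acceptable(&cands[i], proposed))
            return &cands[i];
    }
    return NULL;
}

/* Constructed sample: three candidates that all matched IKE_SA_INIT;
 * sample[0] plays the connection that phase selected. */
static const struct connection sample[] = {
    { "rsa-only",    AUTHBY_RSA,   true  },
    { "ecdsa-nokey", AUTHBY_ECDSA, false },  /* configured but no key loaded */
    { "ecdsa-only",  AUTHBY_ECDSA, true  },
};
static const size_t nsample = sizeof sample / sizeof sample[0];

static const char *name_of(const struct connection *c)
{
    return c != NULL ? c->name : "none";
}

/* Name of the connection the old logic would settle on, or "none". */
const char *select_before(enum auth_method proposed)
{
    return name_of(refine_before(&sample[0], proposed));
}

/* Name of the connection the fixed logic settles on, or "none". */
const char *select_after(enum auth_method proposed)
{
    return name_of(refine_after(&sample[0], sample, nsample, proposed));
}

int main(void)
{
    printf("ECDSA before: %s\n", select_before(AUTH_ECDSA_SIG));
    printf("ECDSA after:  %s\n", select_after(AUTH_ECDSA_SIG));
    printf("RSA after:    %s\n", select_after(AUTH_RSA_SIG));
    printf("PSK after:    %s\n", select_after(AUTH_PSK));
    return 0;
}
```

The "ecdsa-nokey" entry is there to show why the keymat check belongs in the same place as the AUTHBY check: a candidate that is configured for ECDSA but has no key loaded must be skipped, not selected and then fail later. For PSK the model simply keeps the initial connection, matching the commit's note that no check is performed there.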