Hey all, I pushed the branch for this so I can start getting some eyes on it. Test cases are on the way. A summary of the changes:
- Added load_end_ca_path() to load the available intermediate CA certs into the connection.
- Added the connection option "sendca=none|issuer|all". This is a very basic way of choosing the delivery policy, so I'd like some ideas here. I chose none as the default, which is the previous behavior. Should this change?
- This still just uses the CERTREQ as an indication to send an end cert, and the sendca= policy and availability of the end cert's CA chain dictate how much of its chain to send. ikev1_ship_ca_chain() would need improvement to incorporate the CERTREQ contents into the decision as defined by RFC 4945.
- ikev1_ship_CERT()'s code was floating out there, and it just needed to be turned into a real function.
- Receiving certs needed improvements to ikev1_decode_cert() and store_x509certs(). Received CA certs are added to the global authcert list and removed when the connection is deleted. Added an alternate cert list to verify_x509cert() so received CAs can be verified through their own chain first before adding them to the global list.

Among other small changes.

Thanks!
Matt

_______________________________________________
Swan-dev mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan-dev
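The two behaviours the post describes, the sendca=none|issuer|all delivery policy on the sending side and the "verify received CAs through their own chain before trusting them" step on the receiving side, as an added worked model. This is illustration code written for this page, not libreswan's code: the names Cert, build_chain, certs_to_send, chains_to_trust and accept_received_cas are my own, certificates are plain records, issuer-to-subject DN matching stands in for real X.509 signature verification, and the sample PKI is constructed. It generalizes slightly beyond the post by showing the gap case (an intermediate missing locally truncates what is sent) and the cycle and untrusted-root cases on the receiving side.

```python
"""Model of an IKEv1 sendca=none|issuer|all chain-delivery policy and of
verifying received CA certs through the received set before adding them
to the global trust list. Added example, not libreswan code: DN matching
stands in for signature verification; all certs below are constructed."""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    is_ca: bool = False

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


# Constructed sample PKI: END -> INTER2 -> INTER1 -> ROOT, plus an
# unrelated self-signed CA that nobody trusts.
ROOT = Cert("CN=Root CA", "CN=Root CA", is_ca=True)
INTER1 = Cert("CN=Inter 1", "CN=Root CA", is_ca=True)
INTER2 = Cert("CN=Inter 2", "CN=Inter 1", is_ca=True)
END = Cert("CN=vpn.example", "CN=Inter 2")
EVIL = Cert("CN=Evil CA", "CN=Evil CA", is_ca=True)


def build_chain(end: Cert, available: List[Cert]) -> List[Cert]:
    """Walk issuer links from the end cert through the CA certs loaded
    locally (the load_end_ca_path() idea). Returns intermediates
    nearest-first, stopping at the first gap and excluding a self-signed
    root, which the peer is expected to hold already."""
    by_subject = {c.subject: c for c in available if c.is_ca}
    chain, seen, cur = [], set(), end
    while True:
        nxt = by_subject.get(cur.issuer)
        if nxt is None or nxt.self_signed or nxt.subject in seen:
            return chain
        seen.add(nxt.subject)
        chain.append(nxt)
        cur = nxt


def certs_to_send(end: Cert, available: List[Cert], policy: str,
                  cert_requested: bool = True) -> List[Cert]:
    """Contents of the CERT payloads. As in the post, a CERTREQ is the
    trigger for sending the end cert at all; the sendca= policy and the
    locally available chain decide how many CA certs follow it."""
    if not cert_requested:
        return []
    if policy == "none":          # previous behaviour: end cert only
        return [end]
    chain = build_chain(end, available)
    if policy == "issuer":        # end cert plus its immediate issuer
        return [end] + chain[:1]
    if policy == "all":           # end cert plus every available intermediate
        return [end] + chain
    raise ValueError(f"unknown sendca policy: {policy!r}")


def chains_to_trust(cert: Cert, alt: List[Cert], trusted: List[Cert]) -> bool:
    """Does `cert` chain to an already-trusted CA, using the alternate
    list `alt` (the CAs received in this exchange) for intermediate hops?"""
    alt_by_subject = {c.subject: c for c in alt if c.is_ca}
    trusted_subjects = {c.subject for c in trusted if c.is_ca}
    cur, seen = cert, set()
    while True:
        if cur.issuer in trusted_subjects:
            return True
        if cur.self_signed or cur.subject in seen:
            return False          # untrusted root, or a cycle
        seen.add(cur.subject)
        nxt = alt_by_subject.get(cur.issuer)
        if nxt is None:
            return False          # gap: issuer neither received nor trusted
        cur = nxt


def accept_received_cas(received: List[Cert], trusted: List[Cert]) -> List[Cert]:
    """Received CA certs that may be added to the global authcert list:
    each must verify through its own received chain up to existing trust.
    Non-CA payloads (the peer's end cert) are never added."""
    return [c for c in received
            if c.is_ca and chains_to_trust(c, received, trusted)]
```

With the full chain loaded, sendca=all ships END, INTER2, INTER1 and never the root; if INTER1 is absent locally the chain is truncated at INTER2 rather than padded. On the receiving side, INTER2 alone is rejected because its issuer is neither received nor trusted, and a self-signed CA that is not in the trusted list is rejected even though it "chains" to itself.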
