Reading the RFC, I can see CERT in:
- the aggressive initial response
- the second aggressive request
but not for the initial request (but pluto still tries to unpack it).
However, the state machine comments:
/* STATE_AGGR_R0:
 * SMF_PSK_AUTH: HDR, SA, KE, Ni, IDii
 *           --> HDR, SA, KE, Nr, IDir, HASH_R
 * SMF_DS_AUTH:  HDR, SA, KE, Nr, IDii
 *           --> HDR, SA, KE, Nr, IDir, [CERT,] SIG_R
 */
seem to imply that it is (the code seems to deliberately allow CERT anywhere).
Andrew
_______________________________________________
Swan-dev mailing list
https://lists.libreswan.org/mailman/listinfo/swan-dev
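Added example, not part of the original message and not libreswan code: a strict per-message payload check for signature-authenticated aggressive mode, which flags a CERT in the initial request instead of unpacking it. The function names, the allow-list table and the sample builder are hypothetical; the table is an assumption based on the payload lists quoted above plus the third message (HDR, [CERT,] SIG_I), and optional extras such as vendor ID payloads are not modelled.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* ISAKMP payload type numbers (RFC 2408). */
enum { P_NONE = 0, P_SA = 1, P_KE = 4, P_ID = 5, P_CERT = 6,
       P_HASH = 8, P_SIG = 9, P_NONCE = 10 };
#define BIT(t) (1u << (t))
#define ISAKMP_HDR_LEN 28 /* cookies(16) np(1) ver(1) xchg(1) flags(1) msgid(4) len(4) */

/* Assumed allow-list: payloads permitted in aggressive-mode messages 1..3
 * with signature authentication (index 0 is the initial request). */
static const uint32_t allowed_ds[3] = {
    BIT(P_SA) | BIT(P_KE) | BIT(P_NONCE) | BIT(P_ID),            /* no CERT */
    BIT(P_SA) | BIT(P_KE) | BIT(P_NONCE) | BIT(P_ID) | BIT(P_CERT) | BIT(P_SIG),
    BIT(P_CERT) | BIT(P_SIG),
};

/* Walk the payload chain of one message.
 * Returns 0 if every payload is allowed, the offending payload type if
 * one is not, and -1 if the message is truncated or malformed. */
int check_aggr_payloads(const uint8_t *msg, size_t len, int msg_index)
{
    if (msg_index < 0 || msg_index > 2 || len < ISAKMP_HDR_LEN)
        return -1;
    uint8_t np = msg[16];              /* "next payload" field in the header */
    size_t off = ISAKMP_HDR_LEN;
    while (np != P_NONE) {
        if (len - off < 4)             /* no room for a generic payload header */
            return -1;
        size_t plen = ((size_t)msg[off + 2] << 8) | msg[off + 3];
        if (plen < 4 || plen > len - off)
            return -1;
        if (np >= 32 || !(allowed_ds[msg_index] & BIT(np)))
            return np;                 /* reject before any type-specific unpack */
        np = msg[off];                 /* type of the following payload */
        off += plen;
    }
    return 0;
}

/* Constructed sample: zeroed header plus empty 4-byte payloads of the given types. */
size_t build_msg(uint8_t *buf, const uint8_t *types, size_t n)
{
    size_t len = ISAKMP_HDR_LEN + 4 * n;
    memset(buf, 0, len);
    buf[16] = n ? types[0] : P_NONE;
    for (size_t i = 0; i < n; i++) {
        buf[ISAKMP_HDR_LEN + 4 * i] = (i + 1 < n) ? types[i + 1] : P_NONE;
        buf[ISAKMP_HDR_LEN + 4 * i + 3] = 4;   /* payload length, low byte */
    }
    return len;
}
```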