On Wed, 28 Oct 2020 at 23:14, Paul Wouters <[email protected]> wrote:
>
> On Wed, 28 Oct 2020, Andrew Cagney wrote:
>
> > in ikev2-x509-20-multicert-rightid-san-wildcard, this causes right to
> > leak "issuer ca":
> > https://testing.libreswan.org/v4.1-83-g9d775e57d4-main/ikev2-x509-20-multicert-rightid-san-wildcard/OUTPUT/east.console.diff
> > - right.ca=%same, so remember to set right.ca to left.ca
> > - rightcert=north, so set right.ca to clone(north.der, "issuer ca")
> > - oh, just remembered, set right.ca to clone(left.ca), leaking old value
> > (vis-à-vis left)
> > So is the above valid?
>
> The configuration is valid. Although rightca=%same is likely not needed
> there, as %same is also the default. So this should show up too in cases
> without leftca=%same or rightca=%same.
So whack is defaulting *ca=%same and sending it over? See the start of
extract_end() where it sets same_ca IFF ca=%same.

Anyway, if this is valid, I'm guessing the middle step in the above is
wrong.

These tests seem to have the leak:

ikev2-x509-16-multicert
ikev2-x509-17-multicert-02
ikev2-x509-17-multicert-rightid-san-wildcard
ikev2-x509-18-multicert-rightid
ikev2-x509-19-multicert-rightid-san
ikev2-x509-20-multicert-rightid-san-wildcard
nat-pluto-10
x509-ikev2-frag-01-ike-aes_gcm
x509-pluto-frag-01
x509-pluto-frag-02
x509-pluto-frag-03
x509-pluto-frag-04

_______________________________________________
Swan-dev mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan-dev
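The three steps quoted in the thread, modelled in C as an added example that is not libreswan's own code: `struct end`, `clone_str`, `set_right_ca_leaky` and `set_right_ca_fixed` are hypothetical names, and a live-allocation counter makes the overwritten "issuer ca" clone countable. The fixed variant follows the guess above that the middle step should not run once `%same` has been remembered.

```c
#include <stdlib.h>
#include <string.h>
#include <stdbool.h>

static int live_allocs;  /* clones handed out and not yet freed */

/* Stand-in for the clone(..., "issuer ca") in the thread: heap copy of a string. */
static char *clone_str(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p != NULL) { memcpy(p, s, n); live_allocs++; }
    return p;
}

static void free_str(char **pp) {
    if (*pp != NULL) { free(*pp); *pp = NULL; live_allocs--; }
}

/* Hypothetical model of one connection end: ca is an owned clone. */
struct end { char *ca; const char *cert_issuer; bool same_ca; };

/* Buggy order from the thread: the cert step fills right.ca, then the
 * remembered %same step overwrites it without freeing the old value. */
static void set_right_ca_leaky(struct end *left, struct end *right) {
    if (right->cert_issuer != NULL)
        right->ca = clone_str(right->cert_issuer);  /* "issuer ca" */
    if (right->same_ca)
        right->ca = clone_str(left->ca);            /* old clone leaked */
}

/* Fixed: when %same was remembered, skip the cert-derived issuer step. */
static void set_right_ca_fixed(struct end *left, struct end *right) {
    if (right->same_ca)
        right->ca = clone_str(left->ca);
    else if (right->cert_issuer != NULL)
        right->ca = clone_str(right->cert_issuer);
}

/* Run one variant on constructed input; returns clones never freed (0 = no leak). */
static int leaked_after(void (*fn)(struct end *, struct end *)) {
    live_allocs = 0;
    struct end left  = { .ca = clone_str("CN=left CA"), .cert_issuer = NULL, .same_ca = false };
    struct end right = { .ca = NULL, .cert_issuer = "CN=north CA", .same_ca = true };
    fn(&left, &right);
    free_str(&left.ca);
    free_str(&right.ca);
    return live_allocs;
}
```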
