CVSROOT: /cvs
Module name: src
Changes by: [email protected] 2020/07/15 08:45:15
Modified files:
sbin/iked : ca.c iked.h ikev2.c
Log message:
Make CERT and CERTREQ payloads optional for public key authentication.
When using certificate authentication the CERT payload is mandatory and as the
name suggests is used to send a certificate containing a public key used for
the authentication signature.
For pubkey authentication the key is preshared and stored locally, but only
the 'ca' process can read the local keys. The 'ikev2' process had to get the
key from the received CERT payload to verify the authentication signature.
The peer ID + raw key was then forwarded to the 'ca' process which
compared the key against the contents of /etc/iked/pubkey and returned either
CERTVALID or CERTINVALID.
With this change a message containing only the ID may be sent from 'ikev2' to
the 'ca' process if CERT was not included. In this case the CA process will
try to find a local key matching the ID and return it to the 'ikev2' process.
The auth verification happens after the 'ca' process has verified or found a
key and returned it to the 'ikev2' process, eliminating the need for
the CERT payload.
Making CERTREQ optional is easier because we already have a fallback case if
the CERTREQ can not be fulfilled. If no CERTREQ was received we now use this
same fallback.
This should fix public key authentication interoperability with *swan and
other IKEv2 implementations.
ok and tested by kn@
ok patrick@
