[Swan-commit] Changes to ref refs/heads/master
Paul Wouters
paul at vault.libreswan.fi
Fri May 30 09:14:37 EEST 2014
New commits:
commit 68c25611eed93edd459e38deadf01916ab983115
Author: Paul Wouters <pwouters at redhat.com>
Date: Fri May 30 01:58:15 2014 -0400
pluto: Ensure we send/require KEY_LENGTH attributes for some ciphers
This continues the work in commit b12823df59768b
- Remove unused 3rd argument of kernel_alg_esp_enc_ok()
- Remove obsoleted kernel_alg_policy_algorithms()
(obsoleted by crypto_req_keysize() and some other checks)
- Removed some #ifdef'ed out ESP attributes we don't support
(and one listed as unsupported but handled earlier)
- Use kernel_alg_esp_enc_ok() to check if we support the received ESP transform
(this should be extended with the functionality of crypto_req_keysize()
regarding valid key sizes)
The function kernel_alg_policy_algorithms() used to add ESP KEY_LENGTH
attributes for algo ESP_AES and newer if the user did not specify these
(eg user specified "aes" and not "aes128"). It used the maximum key length
instead of the default only mandatory to implement key length (usually
128). The new crypto_req_keysize() uses the mandatory to implement
key length. This means a difference in interpretation of esp=aes-sha1
(formarly we would send AES256, now we send AES128). Ideally this is
changed to send all valid AES key sizes instead (128, 192 and 256)
although in Aggressive Mode we can only send one proposal. If the
receive has esp=aes-sha1, it will accept any of the three key sizes,
so the only configuration that would break is initiator with esp=aes-sha1
and responder with esp=aes128-sha1.
There was no similar function for IKE, so we could send OKALEY_ENCRYPTION
proposals with missing OAKLEY_KEY_LENGTH attributes (violating RFC 3602).
Commit b12823df59768b already introduced the code to add the default only
mandatory to implement key sizes to insert this attribute when missing.
Interop with older functions should be verified using a new impair function.
More information about the Swan-commit
mailing list