[Swan-commit] Changes to ref refs/heads/master
Paul Wouters
paul at vault.libreswan.fi
Mon Sep 15 19:25:20 EEST 2014
New commits:

commit 5ed28e521bbe1d5dd543a05510c9fb0bccf60496
Author: Paul Wouters <pwouters at redhat.com>
Date: Mon Sep 15 12:21:06 2014 -0400

    updated changes

commit 2352d0cb63fa26e8987d002bdac8e12f9394841a
Author: Paul Wouters <pwouters at redhat.com>
Date: Mon Sep 15 12:06:33 2014 -0400

    pluto: filter PF_KEY registrations for KLIPS and NETKEY

    The kernel PF_KEY interface returns the ciphers supported by the
    kernel. We currently use this for KLIPS and NETKEY, although for
    NETKEY some registrations not announced via the PF_KEY API are
    added manually (AES_GCM, AES_CCM, AES_CTR, etc).

    The kernel allows ESP_CAST with variable keysizes, and we only want to
    support 128-bit. This patch overrides the minkeysize for CAST to be 128.

    The kernel also advertises ESP_BLOWFISH (with variable keysize), but its
    inventor Bruce Schneier has said to stop using Blowfish and use Twofish
    instead. So this registration is now ignored.

    Finally, the kernel advertises ESP_DES, which is simply too weak to
    be allowed. While we already disallowed it elsewhere in the pluto code,
    with this patch it is no longer registered.

    TODO: Check if we are running in FIPS mode, and if so, disallow ciphers
    not allowed while in FIPS mode (md5, twofish, serpent, ripemd160)
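
The filtering policy described in the commit message above, as an added example that is not the libreswan patch itself. The `struct alg` type, `filter_esp_algs` and the sample list are assumptions for illustration; the algorithm ids mirror `<linux/pfkeyv2.h>`, and dropping a CAST entry whose maximum is below 128 bits is an added assumption.

```c
#include <stdio.h>
#include <stdint.h>

/* Values mirror <linux/pfkeyv2.h>; redefined here so the example builds anywhere. */
enum { EALG_DESCBC = 2, EALG_3DESCBC = 3, EALG_CASTCBC = 6,
       EALG_BLOWFISHCBC = 7, EALG_AESCBC = 12 };

/* Hypothetical type: a subset of the fields of struct sadb_alg. */
struct alg { uint8_t id; uint16_t minbits, maxbits; };

/*
 * Filter the kernel-advertised ESP ciphers in place, following the commit
 * message: drop DES and Blowfish, raise the CAST minimum key size to 128.
 * Returns the number of entries kept.
 */
size_t filter_esp_algs(struct alg *algs, size_t n)
{
    size_t kept = 0;
    for (size_t i = 0; i < n; i++) {
        struct alg a = algs[i];
        switch (a.id) {
        case EALG_DESCBC:       /* too weak: never registered */
        case EALG_BLOWFISHCBC:  /* registration ignored */
            continue;
        case EALG_CASTCBC:      /* kernel offers variable sizes; allow only 128 */
            a.minbits = 128;
            if (a.maxbits < 128) continue; /* assumption: cannot reach 128 bits */
            break;
        default:
            break;
        }
        algs[kept++] = a;
    }
    return kept;
}

int main(void)
{
    /* Constructed sample of what a kernel might advertise. */
    struct alg algs[] = {
        { EALG_DESCBC, 64, 64 },   { EALG_3DESCBC, 192, 192 },
        { EALG_CASTCBC, 40, 128 }, { EALG_BLOWFISHCBC, 40, 448 },
        { EALG_AESCBC, 128, 256 },
    };
    size_t n = filter_esp_algs(algs, sizeof(algs) / sizeof(algs[0]));
    for (size_t i = 0; i < n; i++)
        printf("id=%d min=%d max=%d\n", algs[i].id, algs[i].minbits, algs[i].maxbits);
    return 0;
}
```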