[Swan-commit] Changes to ref refs/heads/master

Andrew Cagney cagney at vault.libreswan.fi
Sun Apr 22 01:47:27 UTC 2018


New commits:
commit 4d8b5208772c31fdc9f90dc213ff8ed94d4f660f
Merge: 050397c 6957b3c
Author: Andrew Cagney <cagney at gnu.org>
Date:   Sat Apr 21 21:24:12 2018 -0400

    algparse: when PFS=yes, reject esp=aes,3des;dh21 - instead all or no proposals must specify DH
    
    For ESP/AH, and when PFS=yes, require either all proposals or no proposals
    specify a DH algorithm.  This makes things consistent with ike= and
    eliminates a loosely defined piece of syntax.
    
    IKEv1 also requires the same algorithm.
    IKEv2 allows one algorithm + none for now.
    
    For instance, the above should be changed to esp=aes;dh21,3des;dh21.
    
    Merge commit '6957b3cf11ea54c3668b5454d465901308ba0306'

commit 6957b3cf11ea54c3668b5454d465901308ba0306
Author: Andrew Cagney <cagney at gnu.org>
Date:   Sat Apr 21 20:29:13 2018 -0400

    testing: expect an error when esp=aes,3des;modp2048 et al.

commit 95db0b62418f60d13cbc5f6413b4599f022042d6
Author: Andrew Cagney <cagney at gnu.org>
Date:   Sat Apr 21 20:23:26 2018 -0400

    algparse: when pfs=yes, reject aes,3des;modp2048
    
    Instead require explicit DH be added to each proposal, i.e.
    aes;modp2048,3des;modp2048.  This way flipping between IKEv1
    and IKEv2 doesn't change the proposal choice.
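
The all-or-none DH rule from the commit messages above, as an added example (not libreswan's algparse code and not part of the original mail): a small lint that flags `esp=`/`ah=` values mixing proposals with and without a DH group. It assumes pfs=yes, models only the `proposal;dh` comma-separated syntax shown in the messages, and does not model the IKEv2 "one algorithm + none" allowance; `split_proposals`, `check_dh` and `lint` are hypothetical names.

```python
def split_proposals(value):
    """Split 'aes;dh21,3des;dh21' into [('aes', 'dh21'), ('3des', 'dh21')]."""
    proposals = []
    for item in value.split(","):
        algs, sep, dh = item.strip().partition(";")
        if not algs or (sep and not dh.strip()):
            raise ValueError("malformed proposal: %r" % item)
        proposals.append((algs.strip(), dh.strip().lower() if sep else None))
    return proposals


def check_dh(value, ikev1=False):
    """Return a list of problems for one esp=/ah= value (assumes pfs=yes)."""
    proposals = split_proposals(value)
    with_dh = [p for p in proposals if p[1]]
    problems = []
    # Rule from the commit message: all proposals or no proposals name a DH.
    if with_dh and len(with_dh) != len(proposals):
        missing = [algs for algs, dh in proposals if not dh]
        problems.append("DH missing on: " + ", ".join(missing))
    # "IKEv1 also requires the same algorithm."
    if ikev1 and len({dh for _, dh in with_dh}) > 1:
        problems.append("IKEv1: proposals name different DH groups")
    return problems


def lint(lines, ikev1=False):
    """Check every esp=/ah= line; return {line: problems} for failing lines."""
    failing = {}
    for line in lines:
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() in ("esp", "ah"):
            problems = check_dh(value, ikev1=ikev1)
            if problems:
                failing[line.strip()] = problems
    return failing


# Constructed sample lines; the first two come from the commit messages.
SAMPLE = [
    "esp=aes,3des;dh21",
    "esp=aes;dh21,3des;dh21",
    "esp=aes,3des",
    "esp=aes;modp2048,3des;dh21",
]

if __name__ == "__main__":
    for line, problems in lint(SAMPLE, ikev1=True).items():
        print(line, "->", "; ".join(problems))
```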


