[Swan-commit] Changes to ref refs/heads/master
paul at vault.libreswan.fi
Thu Jan 3 03:22:59 UTC 2019

Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Jan 2 22:22:20 2019 -0500

    documentation: update CHANGES

Author: wuwei29 <wuwei29 at baidu.com>
Date: Wed Jan 2 22:11:46 2019 -0500

    IKEv1: Allow final message in Aggressive Mode to not be encrypted

    Fixes an interop issue with Volans gateway from Volans Technology, Inc.

    The relevant part of RFC 2409 Section 5 specifying this behaviour:

        Similarly, Aggressive Mode is an instantiation of the ISAKMP
        Aggressive Exchange. The first two messages negotiate policy,
        exchange Diffie-Hellman public values and ancillary data necessary
        for the exchange, and identities. In addition the second message
        authenticates the responder. The third message authenticates the
        initiator and provides a proof of participation in the exchange. The
        XCHG for Aggressive Mode is ISAKMP Aggressive. The final message MAY
        NOT be sent under protection of the ISAKMP SA allowing each party to
        postpone exponentiation, if desired, until negotiation of this
        exchange is complete. The graphic depictions of Aggressive Mode show
        the final payload in the clear; it need not be.

    Note the "MAY NOT be sent under protection" really means "MAY be sent not
    under protection of"

    Before this patch, hosts that implemented the MAY would be rejected by
    libreswan with "packet rejected: should have been encrypted"

    Signed-off-by: Paul Wouters <pwouters at redhat.com>
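
The receive-side decision the commit message describes, as an added example that is not libreswan's code: it reads the exchange type and the encryption flag from the fixed ISAKMP header (RFC 2408) and classifies an inbound packet under the strict rule and under the RFC 2409 MAY. The rx_state struct, classify(), demo() and the allow_clear switch are hypothetical names, and the packets are constructed header-only samples.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ISAKMP_HDR_LEN  28    /* fixed ISAKMP header, RFC 2408 section 3.1 */
#define XCHG_IDPROT     2     /* Identity Protection (Main Mode) */
#define XCHG_AGGRESSIVE 4     /* Aggressive exchange */
#define FLAG_ENCRYPTION 0x01  /* E bit in the header flags octet */

enum verdict { V_MALFORMED, V_ACCEPT_ENCRYPTED, V_ACCEPT_CLEAR, V_REJECT_CLEAR };
/* Hypothetical receiver state, not libreswan's state machine. */
struct rx_state {
    int keys_ready;        /* SKEYID_e derived, so peers can encrypt */
    int awaiting_am_final; /* responder waiting for Aggressive Mode message 3 */
};

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* allow_clear = 0 models the strict behaviour, 1 the RFC 2409 MAY. */
enum verdict classify(const uint8_t *pkt, size_t len, const struct rx_state *st, int allow_clear)
{
    if (len < ISAKMP_HDR_LEN) return V_MALFORMED;
    uint32_t declared = be32(pkt + 24);           /* total message length field */
    if (declared < ISAKMP_HDR_LEN || declared > len) return V_MALFORMED;
    uint8_t xchg = pkt[18], flags = pkt[19];
    if (flags & FLAG_ENCRYPTION)                  /* cannot decrypt without keys */
        return st->keys_ready ? V_ACCEPT_ENCRYPTED : V_MALFORMED;
    if (!st->keys_ready) return V_ACCEPT_CLEAR;   /* early messages are always clear */
    if (allow_clear && xchg == XCHG_AGGRESSIVE && st->awaiting_am_final)
        return V_ACCEPT_CLEAR;                    /* caller must still verify HASH_I/SIG_I */
    return V_REJECT_CLEAR;                        /* "should have been encrypted" */
}

/* Builds a constructed header-only packet and classifies it. */
enum verdict demo(uint8_t xchg, uint8_t flags, int keys, int am_final, int allow)
{
    uint8_t pkt[ISAKMP_HDR_LEN] = {0};
    struct rx_state st = { keys, am_final };
    pkt[17] = 0x10; pkt[18] = xchg; pkt[19] = flags; pkt[27] = ISAKMP_HDR_LEN;
    return classify(pkt, sizeof pkt, &st, allow);
}

int main(void)
{
    printf("strict=%d relaxed=%d main-mode=%d\n", demo(XCHG_AGGRESSIVE, 0, 1, 1, 0),
           demo(XCHG_AGGRESSIVE, 0, 1, 1, 1), demo(XCHG_IDPROT, 0, 1, 0, 1));
    return 0;
}
```

The relaxation is scoped to the one message RFC 2409 names: a cleartext Main Mode packet after keys are derived is still rejected, and an accepted cleartext final message still has to pass the initiator authentication check.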