[Swan-dev] libreswan 3.9rc1 Release Candidate: please test!

Bernhard Held berny156 at gmx.de
Sat Jul 5 21:16:45 EEST 2014


On 30.06.2014 21:28, The Libreswan Project wrote:
 > The Libreswan Project is about to release libreswan-3.9. It includes a
 > very large bugfix and enhancement patch set. Therefore, we would really
 > like people to do some additional testing before we release it.
 >
 > You can find the 3.9rc1 pre-release at:
 >
 > https://download.libreswan.org/development/
3.9rc1 seems to be different from the git repository at
https://github.com/libreswan/libreswan/
Is there another repository to review the changes?

 > Please send any issues you find to the development list at
 > swan-dev at lists.libreswan.org

I'm applying the attached patch to turn the "connection list" message

ESP algorithms wanted: AES_GCM_C(20)_256-NONE(0)_000; pfsgroup=MODP2048(14)
ESP algorithms loaded: none

into:

ESP algorithms wanted: AES_GCM_C(20)_256-NONE(0)_000; pfsgroup=MODP2048(14)
ESP algorithms loaded: AES_GCM_C(20)_256-NONE(0)_000

The problem is that kernel_alg_esp_enc_ok() is called several times with 
key_len = 0, which causes a failure of the check of the AES_GCM key 
length. A few lines further down in kernel_alg_esp_enc_ok() a comment 
even tells us that "if key_len specified, it must be in range". This is 
what my patch is introducing for the first test too.

It's just a cosmetic problem, libreswan can establish an SA. However, 
it's very misleading and makes finding the right key length pretty hard.

Bernhard
-------------- next part --------------
A non-text attachment was scrubbed...
Name: libreswan-check-keylen.patch
Type: text/x-patch
Size: 683 bytes
Desc: not available
URL: <https://lists.libreswan.org/pipermail/swan-dev/attachments/20140705/c55c9896/attachment.bin>
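
A simplified C model of the check described in the message above, added here as an illustration; it is not the attached patch and not libreswan source. All function and type names are hypothetical, and the accepted key lengths (128, 192 and 256 bits) are assumed from standard AES.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified model of the check described in the post; NOT libreswan source.
 * All names are hypothetical. 20 is the AES_GCM_C id shown in the log lines. */
#define MODEL_AES_GCM_C 20

struct probe { int alg_id; unsigned key_len; };   /* key_len 0 = not specified */

/* AES accepts 128-, 192- and 256-bit keys. */
static bool aes_key_bits_valid(unsigned bits)
{
    return bits == 128 || bits == 192 || bits == 256;
}

/* "Before": the AES_GCM length test runs even when no length was given. */
bool enc_ok_before(int alg_id, unsigned key_len)
{
    if (alg_id == MODEL_AES_GCM_C && !aes_key_bits_valid(key_len))
        return false;
    return true;
}

/* "After": validate the length only if one was specified. */
bool enc_ok_after(int alg_id, unsigned key_len)
{
    if (alg_id == MODEL_AES_GCM_C && key_len != 0 && !aes_key_bits_valid(key_len))
        return false;
    return true;
}

/* Count how many probes a given check accepts ("algorithms loaded"). */
size_t count_loaded(bool (*ok)(int, unsigned), const struct probe *p, size_t n)
{
    size_t loaded = 0;
    for (size_t i = 0; i < n; i++)
        if (ok(p[i].alg_id, p[i].key_len))
            loaded++;
    return loaded;
}

int main(void)
{
    /* Constructed input: one listing-style probe without a key length. */
    const struct probe listing[] = { { MODEL_AES_GCM_C, 0 } };
    printf("before: %zu loaded\n", count_loaded(enc_ok_before, listing, 1));
    printf("after:  %zu loaded\n", count_loaded(enc_ok_after, listing, 1));
    return 0;
}
```

In this model an explicitly specified but invalid length is still rejected by the "after" variant; only the unspecified case (key_len of 0) is let through.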

