[Swan-dev] libreswan 3.9rc1 Release Candidate: please test!
Paul Wouters
paul at nohats.ca
Sun Jul 6 04:15:22 EEST 2014
On Sat, 5 Jul 2014, Bernhard Held wrote:
> I'm applying the attached patch to turn the "connection list" message
>
> ESP algorithms wanted: AES_GCM_C(20)_256-NONE(0)_000; pfsgroup=MODP2048(14)
> ESP algorithms loaded: none
>
> into:
>
> ESP algorithms wanted: AES_GCM_C(20)_256-NONE(0)_000; pfsgroup=MODP2048(14)
> ESP algorithms loaded: AES_GCM_C(20)_256-NONE(0)_000
>
> The problem is that kernel_alg_esp_enc_ok() is called several times with
> key_len = 0, which causes a failure of the check of the AES_GCM key length. A
> few lines further down in kernel_alg_esp_enc_ok() a comment even tells us
> that "if key_len specified, it must be in range". This is what my patch is
> introducing for the first test too.
>
> It's just a cosmetic problem, libreswan can establish an SA. However, it's
> very misleading and makes finding the right key length pretty hard.

I ran into the same issue and had included a patch for it as well:

https://github.com/libreswan/libreswan/commit/2be652fea52eaf3e25671c4b2ddd5ff4f1a10342

commit 2be652fea52eaf3e25671c4b2ddd5ff4f1a10342
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Jul 3 12:37:21 2014 -0400

    kernel_alg_esp_enc_ok(): improve key size handling

    - If ealg is not registered, don't return "ok" (also already spotted
      by Hugh)
    - If key_len is specified, enforce some size restrictions
      (this duplicates code elsewhere and should be split off in a
      separate function)

Paul
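
A simplified model of the check discussed in this thread, added here as an illustration and not libreswan's code: a lookup that range-checks every call rejects key_len = 0, while one that treats 0 as "not specified" accepts it and still rejects unregistered ciphers and out-of-range sizes. The names esp_ealg, enc_ok_strict and enc_ok are hypothetical, and the table entry (transform 20 with 128/192/256-bit keys) is constructed sample data.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for the set of ESP ciphers registered with the kernel. */
struct esp_ealg {
    int id;            /* ESP transform ID */
    unsigned min_bits; /* smallest accepted key length */
    unsigned max_bits; /* largest accepted key length */
    unsigned step;     /* accepted lengths are min_bits + n * step */
};

/* Constructed sample data: AES_GCM_C is ID 20, as in the listing above. */
static const struct esp_ealg registered[] = { { 20, 128, 256, 64 } };

static const struct esp_ealg *find_ealg(int id)
{
    for (size_t i = 0; i < sizeof(registered) / sizeof(registered[0]); i++)
        if (registered[i].id == id)
            return &registered[i];
    return NULL;
}

static bool key_len_in_range(const struct esp_ealg *a, unsigned key_len)
{
    return key_len >= a->min_bits && key_len <= a->max_bits &&
           (key_len - a->min_bits) % a->step == 0;
}

/* Model of the reported behaviour: key_len == 0 fails the range check. */
bool enc_ok_strict(int id, unsigned key_len)
{
    const struct esp_ealg *a = find_ealg(id);
    return a != NULL && key_len_in_range(a, key_len);
}

/* Model of the fix: unregistered is never ok; range-check only if specified. */
bool enc_ok(int id, unsigned key_len)
{
    const struct esp_ealg *a = find_ealg(id);
    if (a == NULL)
        return false;
    return key_len == 0 || key_len_in_range(a, key_len);
}

int main(void)
{
    printf("strict(20,0)=%d ok(20,0)=%d ok(20,256)=%d ok(20,100)=%d ok(99,0)=%d\n",
           enc_ok_strict(20, 0), enc_ok(20, 0), enc_ok(20, 256),
           enc_ok(20, 100), enc_ok(99, 0));
    return 0;
}
```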