[Swan-dev] libreswan 3.9rc1 Release Candidate: please test!
Paul
paul at nohats.ca
Mon Jul 7 02:32:11 EEST 2014
Note we found a compress=yes regression bug. We fixed it but are rerunning all test cases now...
Sent from my iPhone
> On Jul 6, 2014, at 16:57, Bernhard Held <berny156 at gmx.de> wrote:
>
> Am 06.07.2014 03:15, schrieb Paul Wouters:
>> On Sat, 5 Jul 2014, Bernhard Held wrote:
>>
>>> I'm applying the attached patch to turn the "connection list" message
>>>
>>> ESP algorithms wanted: AES_GCM_C(20)_256-NONE(0)_000;
>>> pfsgroup=MODP2048(14)
>>> ESP algorithms loaded: none
>>>
>>> into:
>>>
>>> ESP algorithms wanted: AES_GCM_C(20)_256-NONE(0)_000;
>>> pfsgroup=MODP2048(14)
>>> ESP algorithms loaded: AES_GCM_C(20)_256-NONE(0)_000
>>>
>>> The problem is that kernel_alg_esp_enc_ok() is called several times
>>> with key_len = 0, which causes a failure of the check of the AES_GCM
>>> key length. A few lines further down in kernel_alg_esp_enc_ok() a
>>> comment even tells us that "if key_len specified, it must be in
>>> range". This is what my patch is introducing for the first test too.
>>>
>>> It's just a cosmetic problem, libreswan can establish a SA. However,
>>> it's very misleading and makes finding the right key length pretty hard.
>>
>> I ran into the same issue and had included a patch for it as well:
>>
>> https://github.com/libreswan/libreswan/commit/2be652fea52eaf3e25671c4b2ddd5ff4f1a10342
>>
>>
>> commit 2be652fea52eaf3e25671c4b2ddd5ff4f1a10342
>> Author: Paul Wouters <pwouters at redhat.com>
>> Date: Thu Jul 3 12:37:21 2014 -0400
>>
>> kernel_alg_esp_enc_ok(): improve key size handling
>>
>> - If ealg is not registered, don't return "ok" (also already spotted
>> by Hugh)
>> - If key_len is specified, enforce some size restrictions
>> (this duplicates code elsewhere and should be split off in a
>> separate function)
>>
>> Paul
>
> Ok, I missed this one.
>
> The support and maintenance of libreswan & xl2tpd are outstanding. Thanks a lot for the excellent work!
>
> Bernhard
> _______________________________________________
> Swan-dev mailing list
> Swan-dev at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan-dev
More information about the Swan-dev
mailing list