[Swan-dev] libreswan 3.9rc1 Release Candidate: please test!

Paul paul at nohats.ca
Mon Jul 7 02:32:11 EEST 2014


Note we found a compress=yes regression bug. We fixed it but are rerunning all test cases now...

> On Jul 6, 2014, at 16:57, Bernhard Held <berny156 at gmx.de> wrote:
> 
> On 06.07.2014 03:15, Paul Wouters wrote:
>> On Sat, 5 Jul 2014, Bernhard Held wrote:
>> 
>>> I'm applying the attached patch to turn the "connection list" message
>>> 
>>> ESP algorithms wanted: AES_GCM_C(20)_256-NONE(0)_000;
>>> pfsgroup=MODP2048(14)
>>> ESP algorithms loaded: none
>>> 
>>> into:
>>> 
>>> ESP algorithms wanted: AES_GCM_C(20)_256-NONE(0)_000;
>>> pfsgroup=MODP2048(14)
>>> ESP algorithms loaded: AES_GCM_C(20)_256-NONE(0)_000
>>> 
>>> The problem is that kernel_alg_esp_enc_ok() is called several times
>>> with key_len = 0, which causes a failure of the check of the AES_GCM
>>> key length. A few lines further down in kernel_alg_esp_enc_ok() a
>>> comment even tells us that "if key_len specified, it must be in
>>> range". This is what my patch is introducing for the first test too.
>>> 
>>> It's just a cosmetic problem, libreswan can establish an SA. However,
>>> it's very misleading and makes finding the right key length pretty hard.
>> 
>> I ran into the same issue and had included a patch for it as well:
>> 
>> https://github.com/libreswan/libreswan/commit/2be652fea52eaf3e25671c4b2ddd5ff4f1a10342
>> 
>> 
>> commit 2be652fea52eaf3e25671c4b2ddd5ff4f1a10342
>> Author: Paul Wouters <pwouters at redhat.com>
>> Date:   Thu Jul 3 12:37:21 2014 -0400
>> 
>>     kernel_alg_esp_enc_ok(): improve key size handling
>> 
>>     - If ealg is not registered, don't return "ok" (also already spotted
>>       by Hugh)
>>     - If key_len is specified, enforce some size restrictions
>>       (this duplicates code elsewhere and should be split off in a
>>        separate function)
>> 
>> Paul
> 
> Ok, I missed this one.
> 
> The support and maintenance of libreswan & xl2tpd are outstanding. Thanks a lot for the excellent work!
> 
> Bernhard
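
The key-length handling discussed in this thread, as an added C example that is not part of the messages and is not libreswan's code. The table `registered` and the functions `lookup`, `keylen_in_range`, `enc_ok_before` and `enc_ok_after` are hypothetical, and treating `key_len == 0` as "no key length specified" is an assumption drawn from the description above.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-in for the ESP ciphers the kernel has registered. */
struct esp_ealg {
    int id;              /* ESP transform ID; AES_GCM_C is 20 in the thread */
    unsigned keylens[3]; /* accepted key sizes in bits */
};

static const struct esp_ealg registered[] = {
    { 12, { 128, 192, 256 } }, /* AES_CBC */
    { 20, { 128, 192, 256 } }, /* AES_GCM_C */
};

static const struct esp_ealg *lookup(int id)
{
    for (size_t i = 0; i < sizeof(registered) / sizeof(registered[0]); i++)
        if (registered[i].id == id) return &registered[i];
    return NULL;
}

static bool keylen_in_range(const struct esp_ealg *e, unsigned key_len)
{
    for (size_t i = 0; i < 3; i++)
        if (e->keylens[i] == key_len) return true;
    return false;
}

/* Model of the reported behaviour: the size check also runs for key_len 0. */
static bool enc_ok_before(int id, unsigned key_len)
{
    const struct esp_ealg *e = lookup(id);
    return e != NULL && keylen_in_range(e, key_len);
}

/* Model of the two rules listed in the commit message. */
static bool enc_ok_after(int id, unsigned key_len)
{
    const struct esp_ealg *e = lookup(id);
    if (e == NULL) return false;   /* unregistered ealg is never "ok" */
    if (key_len == 0) return true; /* assumption: 0 means "not specified" */
    return keylen_in_range(e, key_len);
}

int main(void)
{
    printf("key_len=0: before=%d after=%d\n", enc_ok_before(20, 0), enc_ok_after(20, 0));
    return 0;
}
```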
