[Swan-dev] a better unified proposal matcher
Paul Wouters
paul at nohats.ca
Thu Feb 26 22:28:40 EET 2015
On Tue, 24 Feb 2015, Andrew Cagney wrote:

> Never post before lunch, or coffee, here are better O() guesses:

[ more statistics ]

Can we go through the received list of transforms and delete those we
know we do not support/allow as a preprocessing item? Before we try
to combine these bits?

In our default proposal, we would have (ignoring for now combos that are
not allowed)

  ENC: aes_cbc, aes_gcm, 3des
  INTEG: sha2_256_, sha2_512, sha1, md5, null
  PRF: sha2_256_, sha2_512, sha1, md5
  DH: 1024, 1536, 2048

If strongSwan now comes with 16 PRFs, we can just delete 12 of them.
If they come with 10+ DH groups, we can just delete all but 3.

Once done, we do the combinatory explosion. Then we take good care not
to allow illegal combinations like aes_cbc-null or aes_gcm-md5.

Paul
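
The order of operations proposed above (prune each received transform list against the local list, then combine, then reject illegal pairings), as an added C sketch that is not part of the original post or of libreswan's code. The function names and the peer offer are constructed for illustration, only ENC and INTEG are expanded, and only the two illegal pairings the post names are modelled.

```c
#include <stdio.h>
#include <string.h>

#define N(a) (sizeof(a) / sizeof((a)[0]))

/* Local policy: ENC and INTEG from the default proposal in the post. */
static const char *const local_enc[] = {"aes_cbc", "aes_gcm", "3des"};
static const char *const local_integ[] = {"sha2_256", "sha2_512", "sha1", "md5", "null"};

/* Step 1: drop received transforms missing from the local list.
 * Compacts v[] in place and returns how many were kept. */
static size_t prune(const char **v, size_t n, const char *const *allow, size_t na)
{
    size_t kept = 0;
    for (size_t i = 0; i < n; i++)
        for (size_t j = 0; j < na; j++)
            if (strcmp(v[i], allow[j]) == 0) { v[kept++] = v[i]; break; }
    return kept;
}

/* The two illegal pairings the post names (hypothetical helper). */
static int illegal(const char *enc, const char *integ)
{
    return (!strcmp(enc, "aes_cbc") && !strcmp(integ, "null")) ||
           (!strcmp(enc, "aes_gcm") && !strcmp(integ, "md5"));
}

/* Step 2: expand ENC x INTEG over the pruned lists, skipping illegal pairs. */
static size_t count_combos(const char **enc, size_t ne, const char **integ, size_t ni)
{
    size_t count = 0;
    for (size_t i = 0; i < ne; i++)
        for (size_t j = 0; j < ni; j++)
            if (!illegal(enc[i], integ[j])) count++;
    return count;
}

/* Constructed peer offer: 5 ENC x 6 INTEG = 30 raw combinations. */
size_t demo(void)
{
    const char *enc[] = {"camellia", "aes_gcm", "aes_cbc", "blowfish", "cast"};
    const char *integ[] = {"null", "md5", "aes_xcbc", "sha1", "sha2_384", "sha2_256"};
    size_t ne = prune(enc, N(enc), local_enc, N(local_enc));
    size_t ni = prune(integ, N(integ), local_integ, N(local_integ));
    return count_combos(enc, ne, integ, ni);
}

int main(void) { printf("combinations after pruning: %zu\n", demo()); return 0; }
```

With this constructed offer the 30 raw pairs shrink to 8 after pruning, and 6 remain once the two illegal pairs are skipped.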