[Swan-dev] switching to longer IKEv2 names in logs
Andrew Cagney
andrew.cagney at gmail.com
Tue Nov 22 17:21:38 UTC 2016
For instance, when describing integrity, log:
hmac_sha2_256_96
instead of:
SHA2_256 or SHA2_256-128 or ...
(no, the 96 isn't a typo; see trunkbug :-)
The rationale is twofold:
- IKEv1 assumes (see nat_traversal.c) that all IKE (phase 1) PRFs are
implemented using a MAC (hash) and the HMAC construct and so referring
to the MAC is hopefully sufficient; in IKEv2 that is not true.
Instead IKEv2 uses longer, less ambiguous names (for instance,
aes_cmac{,_96}, and hmac_sha2_256{,_96,_128}) and we should be using
those.
- Internally, pluto still has entrenched assumptions that all
algorithms have an IKEv1 number/name. Specifically, for the case in
hand, generic code uses:
enum_short_name(&oakley_hash_names, ike_info->ike_halg)
or
enum_short_name(&oakley_hash_names, ike_info->ike_prf->ikev1_oakley_id)
to print algorithm names.
Instead, it should use ike_info->ike_prf->common.name
Unfortunately, common.name is a mess so making this change means both
cleaning up common.name and changing log output.
Andrew
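Added example (not part of the post and not libreswan code) of why the longer names matter: it computes HMAC-SHA2-256 tags at the three truncations mentioned above, shows that an IKEv1-style short name prints the same "SHA2_256" for all of them, and shows that a receiver expecting one truncation rejects a tag of another. HASH_IKE_NAME, ikev2_name, integ_tag, verify_integ, ambiguous_log_names and SAMPLE_ALGS are constructed for this example; aes_cmac is left out because the standard library has no CMAC.

```python
import hmac

# Hash names as hashlib knows them -> the spelling used in IKE algorithm names.
HASH_IKE_NAME = {"sha1": "sha1", "sha256": "sha2_256",
                 "sha384": "sha2_384", "sha512": "sha2_512"}

def ikev2_name(construct, hash_name, trunc_bits):
    """Long, unambiguous name: construct + hash + truncation (0 = full output)."""
    name = f"{construct}_{HASH_IKE_NAME[hash_name]}"
    return f"{name}_{trunc_bits}" if trunc_bits else name

def ikev1_short_name(hash_name):
    """What an oakley_hash_names-style lookup prints: just the hash."""
    return HASH_IKE_NAME[hash_name].upper()

def integ_tag(construct, hash_name, trunc_bits, key, data):
    """MAC for an HMAC-based integrity/PRF algorithm, truncated to trunc_bits."""
    if construct != "hmac":
        raise ValueError("only the HMAC construct is modelled in this example")
    full = hmac.new(key, data, hash_name).digest()
    return full[: trunc_bits // 8] if trunc_bits else full

def verify_integ(construct, hash_name, trunc_bits, key, data, tag):
    """Constant-time check; a tag of the wrong truncation length never matches."""
    expected = integ_tag(construct, hash_name, trunc_bits, key, data)
    return hmac.compare_digest(expected, tag)

def ambiguous_log_names(algs):
    """Group (construct, hash, trunc) tuples by the IKEv1-style short name they
    would be logged under; keep only names that hide more than one algorithm."""
    by_short = {}
    for construct, hash_name, trunc in algs:
        by_short.setdefault(ikev1_short_name(hash_name), []).append(
            ikev2_name(construct, hash_name, trunc))
    return {k: v for k, v in by_short.items() if len(v) > 1}

# Constructed sample: the three SHA2-256-based algorithms the post mentions.
SAMPLE_ALGS = [("hmac", "sha256", 0),     # PRF_HMAC_SHA2_256: full 256-bit output
               ("hmac", "sha256", 128),   # AUTH_HMAC_SHA2_256_128 (RFC 4868)
               ("hmac", "sha256", 96)]    # the 96-bit truncation the post refers to

if __name__ == "__main__":
    key, data = b"\x0b" * 32, b"constructed IKEv2 payload"  # constructed input
    for alg in SAMPLE_ALGS:
        tag = integ_tag(*alg, key, data)
        print(f"{ikev2_name(*alg):20s} logged as {ikev1_short_name(alg[1])}: {tag.hex()}")
    print("collisions:", ambiguous_log_names(SAMPLE_ALGS))
```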