[Swan-dev] Algorithm parser filtering unsupported algorithms
Paul Wouters
paul at nohats.ca
Tue Aug 22 15:29:47 UTC 2017
Merging them into one seems the best. If there is no different structs behind them
Paul
Sent from my iPhone
> On Aug 21, 2017, at 14:06, Andrew Cagney <andrew.cagney at gmail.com> wrote:
>
> The algorithm parser been changed to reject, up-front, algorithms that
> aren't supported. For instance, a configuration containing:
>
> ike=aes-aes_cmac,3des-md5
>
> is rejected outright because AES_CMAC isn't implemented in NSS.
> ESP/AH is similar (as determined by kernel_alg.c). This is different
> to the old code which tried to discard combinations it didn't like;
> while still using the ones it did. It isn't clear how well it
> worked, I suspect the above could lead to:
>
> - just 3des-md5 being proposed
> - both aes-aes_cmac and 3des-md5 being proposed and then the
> connection (or even pluto?) failing because the other end selected the
> first
> - an empty proposal (if fips was enabled say)
>
> I think the new behaviour is correct. It prevents garbage getting
> into the proposal et.al. code.
>
> This, however does lead to some quirky log output when the "wanted" vs
> "found/loaded" algorithms are listed vis:
>
> - for ike the only difference is that 'found' includes the default key size
>
> IKE algorithms wanted: AES_CBC-HMAC_SHA1-MODP2048
> IKE algorithms found: AES_CBC_128-HMAC_SHA1-MODP2048
>
> - for esp/ah the only difference is the addition of PFS in the first
> line (if at all):
>
> ESP algorithms wanted: AES(12)_128-SHA2_512(7); pfsgroup=MODP2048(14)
> ESP algorithms loaded: AES(12)_128-SHA2_512(7)
>
> I suspect, on both cases, the two lines can be merged into one?
>
> Andrew
>
> PS: The alternative, would be to do this in two steps:
>
> - just parse - wanted
> - just filter - found/loaded
>
> and display the result from both, but only feed the filtered list into
> the proposal code.
> _______________________________________________
> Swan-dev mailing list
> Swan-dev at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan-dev
More information about the Swan-dev
mailing list