[Swan-dev] Algorithm parser filtering unsupported algorithms

Andrew Cagney andrew.cagney at gmail.com
Thu Aug 24 19:07:08 UTC 2017


On 22 August 2017 at 11:29, Paul Wouters <paul at nohats.ca> wrote:

> Merging them into one seems the best. If there are no different structs
> behind them
>
>
Done, and much dead code removed ...


> IKE algorithms wanted: AES_CBC-HMAC_SHA1-MODP2048
> IKE algorithms found:  AES_CBC_128-HMAC_SHA1-MODP2048

here, after some flip-flopping, I went with the former, viz:

    AES_CBC-HMAC_SHA1-MODP2048

so it matches what the user entered; and doesn't, I think misleadingly,
show just the default key length when it is the MAX key length that will
likely be accepted.

> - for esp/ah the only difference is the addition of PFS in the first
> line (if at all):
>
> ESP algorithms wanted: AES(12)_128-SHA2_512(7); pfsgroup=MODP2048(14)
> ESP algorithms loaded: AES(12)_128-SHA2_512(7)
>
> I suspect, on both cases, the two lines can be merged into one?

and here, so that the output can be fed back into the parser, it was
changed to:

    AES_CBC_128-HMAC_SHA2_512_256-MODP2048

In the case of IKEv2, the other thing that might be interesting is a dump
of the raw proposal; but that is already sent to pluto log.  Later.

Andrew