[Swan-dev] simplifying default IKEv1 IKE algorithms

Paul Wouters paul at nohats.ca
Mon Feb 6 17:54:35 UTC 2017


On Mon, 6 Feb 2017, Andrew Cagney wrote:

>> But as responder, there is no reason why not to accept the better
>> values.
>
> Here, things get a little weird, but mostly do what you want.  If
> there is an ike= line then the code checks that list.  If there isn't
> then:
>
> - PRF (i.e., hash) is ok provided ikev1_get_ike_prf_desc() succeeds
> (i.e., FIPS didn't clobber the algorithm)
> - ENCRYPT is ok provided ikev1_get_ike_encrypt_desc() succeeds (i.e.,
> ...); well almost, there's a strange else clause attached to a
> ike_alg_enc_ok() class that I suspect can be deleted

I'm confused, this is IKEv1 specific?

If there is no ike line, then MD5 gets rejected right? And serpent
or twofish or cast?

Paul


More information about the Swan-dev mailing list