[Swan-dev] simplifying default IKEv1 IKE algorithms
Andrew Cagney
andrew.cagney at gmail.com
Mon Feb 6 18:50:23 UTC 2017
On 6 February 2017 at 12:54, Paul Wouters <paul at nohats.ca> wrote:
> On Mon, 6 Feb 2017, Andrew Cagney wrote:
>
>>> But as responder, there is no reason why not to accept the better
>>> values.
>>
>>
>> Here, things get a little weird, but mostly do what you want. If
>> there is an ike= line then the code checks that list. If there isn't
>> then:
>>
>> - PRF (i.e., hash) is ok provided ikev1_get_ike_prf_desc() succeeds
>> (i.e., FIPS didn't clobber the algorithm)
>> - ENCRYPT is ok provided ikev1_get_ike_encrypt_desc() succeeds (i.e.,
>> ...); well almost, there's a strange else clause attached to a
>> ike_alg_enc_ok() class that I suspect can be deleted
>
>
> I'm confused, this is IKEv1 specific?
Yes, IKEv1 IKE specific.
> If there is no ike line, then MD5 gets rejected right?
By the responder, in FIPS mode, yes, it would be rejected. The call
to ikev1_get_ike_prf_desc() would fail.
> And serpent
> or twofish or cast?
By the responder, in FIPS mode, yes, it would be rejected. The call
to ikev1_get_ike_encrypt_desc() would fail.
For reference, here's the call to ike_alg_enc_ok() (which called
ikev1_get_ike_encrypt_desc()) I eliminated:
if (ike_alg_enc_ok(val, 0, c->alg_info_ike,
- &ugh, ugh_buf,
- sizeof(ugh_buf))) {
- /* if (ike_alg_enc_present(val)) { */
ta.encrypt = val;
- ta.encrypter =
ikev1_get_ike_encrypt_desc(val);
ta.enckeylen = ta.encrypter->keydeflen;
- } else switch (val) {
- case OAKLEY_3DES_CBC:
- ta.encrypt = val;
- ta.encrypter =
ikev1_get_ike_encrypt_desc(val);
- break;
-
- case OAKLEY_DES_CBC:
- libreswan_log("1DES is not encryption");
- /* FALL THROUGH */
- default:
ugh = builddiag("%s is not supported",
enum_show(&oakley_enc_names,
val));
More information about the Swan-dev
mailing list