[Swan-dev] the great algorithm rename
Andrew Cagney
andrew.cagney at gmail.com
Fri Jun 23 00:52:51 UTC 2017
On 22 June 2017 at 15:05, Paul Wouters <paul at nohats.ca> wrote:
> On Thu, 22 Jun 2017, Andrew Cagney wrote:
>
>> A two part "trivial" change I've had sitting here for some time is to
>> update logging so that algorithm names are more consistently qualified
>> and upper case. For instance:
>>
>> cipher: camellia -> CAMELLIA_CBC
>> prf: sha -> HMAC_SHA1
>> integ: sha2_256 -> HMAC_SHA2_256_128 (lets ignore truncbug for now)
>
>
> works for me, might need some prefix_stripping for readability.
I'd really like to get away from stripping prefixes and suffixes in
the output logs as it leads to ambiguous names.
>> -134 "ikev2-ike=aes128-sha1" #4: STATE_PARENT_I2: sent v2I2, expected
>> v2R2 {auth=IKEv2 cipher=aes_128 integ=sha1_96 prf=sha group=MODP2048}
>> +134 "ikev2-ike=aes128-sha1" #4: STATE_PARENT_I2: sent v2I2, expected
>> v2R2 {auth=IKEv2 cipher=AES_CBC_128 integ=HMAC_SHA1_96 prf=HMAC_SHA1
>> dh=MODP2048}
>
>
> While we are at it, I think "sent v2I2" should be replaced with "sent
> IKE_AUTH request" and similarly "sent IKE_AUTH reply" and that we use
> the exchange names properly.
I'll look, I suspect it is a different printf.
>> (I've got to wonder if the meaningless auth=IKEv2 should also be stripped
>> out)
>
>
> That is legacy mostly. In IKEv1, the IKE header told you if you were
> doing RSA or PSK, and that info displayed there. In IKEv2, that information
> is not in the IKE header, but inside the IKE_AUTH payload, so the code
> just writes "IKEv2" there. It should really pull the data from elsewhere
> and put in PSK, RSA, NULL or even NULL|RSA for asymmetric auth.
Does it know? Only the INIT packets have been exchanged.
>> - for IKEv1 things are similar:
>>
>> -004 "westnet-eastnet-aggr" #1: STATE_AGGR_I2: sent AI2, ISAKMP SA
>> established {auth=RSA_SIG cipher=3des_cbc_192 integ=sha
>> group=MODP1536}
>> +004 "westnet-eastnet-aggr" #1: STATE_AGGR_I2: sent AI2, ISAKMP SA
>> established {auth=RSA_SIG cipher=3DES_CBC_192 integ=HMAC_SHA1_96
>> dh=MODP1536}
The above example is wrong, the new output for IKEv1 would be ... prf=HMAC_SHA1
but I'm not sure how IKEv1 that term is.
> Okau.
>
>> Part 2 then follows this up by replacing the IKEv1 centric
>> enum_show_shortb() calls found in ike_info.c and esp_info.c:
>>
>> "%s(%d)_%03d-%s(%d)-%s(%d)",
>> enum_show_shortb(&oakley_enc_names,
>>
>> ike_info->ike_encrypt->common.ikev1_oakley_id,
>> &enc_buf),
>> ike_info->ike_encrypt->common.ikev1_oakley_id
>>
>> with ike_info->encrypt->common.name (et.al.). The result is:
>>
>> -IKE algorithms found: AES_CBC(7)_256-SHA2_256(4)-MODP2048(14)
>> +IKE algorithms found: AES_CBC_256-HMAC_SHA2_256-MODP2048
>>
>> and, unlike before, the new output can be fed straight back into the
>> parser!
>
>
> Sounds good.
>
>> Hopefully I'll be able to push this in a few weeks,
>
>
> After v3.21 would be nice :)
Yea.
More information about the Swan-dev
mailing list