[Swan-dev] DH group naming

Oleg Rosowiecki orosowiecki at gmail.com
Fri Jun 23 06:39:45 UTC 2017

Thanks! I noticed recent changes to this code but didn't have a chance to
analyze them.

There is another similar problem with the parser: ealg_getbyname_or_alias()
has these aliases for AEAD algorithms:

aes_ccm_a -- aes_ccm_8
aes_ccm_b -- aes_ccm_12
aes_gcm_c -- aes_gcm_16

If you try to use any of these aliases, parser_machine() will complain. The
reason is that the parser immediately switches to key length processing
(ST_EK) if it encounters a digit right after the algorithm name ("bravely
switch to enc keylen" is the comment :)).

This is probably not as important as fixing the DH group, but still it
doesn't work as intended. Worth fixing, too, IMO.

On Fri, Jun 23, 2017 at 2:36 AM, Andrew Cagney <andrew.cagney at gmail.com>

> On 22 June 2017 at 19:04, Oleg Rosowiecki <orosowiecki at gmail.com> wrote:
> > Speaking of the algorithm rename... Is there any reason behind accepting
> > only the value of "dh21" for ike= and allowing only "ecp_521" for
> phase2alg?
> I didn't know about that quirk - the recent changes have been unifying
> the lookup while largely ignoring the parser.  The final round will be
> merged post 3.21.
> A quick test shows the current code behaves as follows:
> ike:
> [       aes-sha1;dh21]    OK: AES_CBC(7)_000-SHA1(2)-ECP_521(21)
> esp:
> [       aes-sha1;dh21]    OK: AES(12)_000-SHA1(2); pfsgroup=ECP_521(21)
> but:
> ike/esp:
> [    aes-sha1;ecp_521] ERROR: Non alphanum char found after in modp
> string, just after "aes-sha1;ecp" (state=ST_AK)
> [    aes-sha1;ecp_521] ERROR: Non alphanum char found after in modp
> string, just after "aes-sha1;ecp" (state=ST_AK)
> so things are at least consistent (and dh21 is the preferred name).
> I'll tweak the parser.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.libreswan.org/pipermail/swan-dev/attachments/20170623/2183400d/attachment-0001.html>

More information about the Swan-dev mailing list