[Swan-dev] pluto adds an encryption key-length attribute to IKEv1 AH proposals

Andrew Cagney andrew.cagney at gmail.com
Wed Jul 25 20:24:48 UTC 2018

For instance, in ah-pluto-04/OUTPUT/west.pluto.log I'm seeing:

| ******emit ISAKMP IPsec DOI attribute:
|    af+type: AUTH_ALGORITHM (0x8005)
|    length/value: 6 (0x6)
|     [6 is AUTH_ALGORITHM_HMAC_SHA2_384]
| inserting default ipsec key length attribute payload of 128 bits
| ******emit ISAKMP IPsec DOI attribute:
|    af+type: KEY_LENGTH (0x8006)
|    length/value: 128 (0x80)

I'm assuming this is just a bug?

It turns out that commit 4d7ca9553f58db408da2fc0bead64361a44d2279

    ikev1: use encrypt_desc .keylen_omitted to decide if keylen is required

    Eliminate a crypto_req_keysize() call.  Suspect entire code path
    is redundant.

triggers a pexpect because of this

| ******emit ISAKMP IPsec DOI attribute:
|    af+type: AUTH_ALGORITHM (0x8005)
|    length/value: 5 (0x5)
|     [5 is AUTH_ALGORITHM_HMAC_SHA2_256]
"westnet-eastnet-ah" #2: EXPECTATION FAILED: encrypt != NULL (in
ikev1_out_sa() at ikev1_spdb_struct.c:841)
| ignoring missing keylen as omitted

It's just that the old call to crypto_req_keysize(CRK_ESPorAH,
t->transid) return 0 and be ignored while the new call to
ikev1_get_kernel_encrypt_desc(t->transid) returns NULL and triggers a
pexpect.  Neither was valid.


More information about the Swan-dev mailing list