[Swan-dev] pluto adds an encryption key-length attribute to IKEv1 AH proposals
Andrew Cagney
andrew.cagney at gmail.com
Wed Jul 25 20:24:48 UTC 2018
For instance, in ah-pluto-04/OUTPUT/west.pluto.log I'm seeing:
| ******emit ISAKMP IPsec DOI attribute:
| af+type: AUTH_ALGORITHM (0x8005)
| length/value: 6 (0x6)
| [6 is AUTH_ALGORITHM_HMAC_SHA2_384]
| inserting default ipsec key length attribute payload of 128 bits
| ******emit ISAKMP IPsec DOI attribute:
| af+type: KEY_LENGTH (0x8006)
| length/value: 128 (0x80)
I'm assuming this is just a bug?
It turns out that commit 4d7ca9553f58db408da2fc0bead64361a44d2279
ikev1: use encrypt_desc .keylen_omitted to decide if keylen is required
Eliminate a crypto_req_keysize() call. Suspect entire code path
is redundant.
triggers a pexpect because of this
| ******emit ISAKMP IPsec DOI attribute:
| af+type: AUTH_ALGORITHM (0x8005)
| length/value: 5 (0x5)
| [5 is AUTH_ALGORITHM_HMAC_SHA2_256]
"westnet-eastnet-ah" #2: EXPECTATION FAILED: encrypt != NULL (in
ikev1_out_sa() at ikev1_spdb_struct.c:841)
| ignoring missing keylen as omitted
It's just that the old call to crypto_req_keysize(CRK_ESPorAH,
t->transid) would return 0 and be ignored, while the new call to
ikev1_get_kernel_encrypt_desc(t->transid) returns NULL and triggers a
pexpect. Neither was valid.
Andrew
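An added check, not part of this thread or of libreswan's own code: it decodes ISAKMP data attributes as laid out in RFC 2408 (AF bit plus type, then value or length) using the IPsec DOI type and protocol numbers from RFC 2407, and flags the condition reported above, a KEY_LENGTH attribute inside an AH transform, which carries no cipher. The sample bytes are constructed from the attribute values quoted in the log.

```python
import struct

# IPsec DOI / ISAKMP constants (RFC 2407, RFC 2408); the type numbers
# match the af+type values quoted in the pluto log above.
PROTO_IPSEC_AH = 2
PROTO_IPSEC_ESP = 3
AUTH_ALGORITHM = 5
KEY_LENGTH = 6
AF_TV = 0x8000  # attribute-format bit set: type/value, fixed 2-byte value


def parse_attributes(data: bytes):
    """Decode ISAKMP data attributes (RFC 2408 s3.3) into (type, value) pairs."""
    attrs = []
    off = 0
    while off < len(data):
        af_type, second = struct.unpack_from("!HH", data, off)
        off += 4
        if af_type & AF_TV:
            attrs.append((af_type & 0x7FFF, second))
        else:
            # type/length/value: 'second' is the byte length of the value
            value = data[off:off + second]
            off += second
            attrs.append((af_type & 0x7FFF, int.from_bytes(value, "big")))
    return attrs


def check_transform(proto_id: int, attr_bytes: bytes):
    """Return the problems found in one transform's attribute list.

    AH has no encryption, so KEY_LENGTH is meaningless there; that is the
    attribute pluto was emitting in the AH proposal quoted in the thread."""
    problems = []
    types = [t for t, _ in parse_attributes(attr_bytes)]
    if proto_id == PROTO_IPSEC_AH and KEY_LENGTH in types:
        problems.append("KEY_LENGTH attribute present in AH transform")
    if proto_id == PROTO_IPSEC_AH and AUTH_ALGORITHM not in types:
        problems.append("AH transform without AUTH_ALGORITHM")
    return problems


# Constructed samples: the two attributes from the log (SHA2-384 = 6,
# key length 128), and the same transform with the bogus KEY_LENGTH dropped.
AH_SHA384_WITH_KEYLEN = (struct.pack("!HH", AF_TV | AUTH_ALGORITHM, 6) +
                         struct.pack("!HH", AF_TV | KEY_LENGTH, 128))
AH_SHA384_OK = struct.pack("!HH", AF_TV | AUTH_ALGORITHM, 6)

if __name__ == "__main__":
    print(check_transform(PROTO_IPSEC_AH, AH_SHA384_WITH_KEYLEN))
    print(check_transform(PROTO_IPSEC_AH, AH_SHA384_OK))
```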