[Swan] SHA2 support for ESP in KLIPS?
Paul Wouters
pwouters at redhat.com
Tue Jun 25 17:29:04 EEST 2013
On Tue, 25 Jun 2013, Elison Niven wrote:
> I never had KERNEL_ALG undefined.
> This if condition never passed :
>
> #ifdef KERNEL_ALG
> if (kernel_alg_esp_auth_ok(pi->attrs.auth, NULL)) {
>
> So it went to the default case below.
> Changing it to
>
> if (!kernel_alg_esp_auth_ok(pi->attrs.auth, NULL)) {
>
> worked and pluto no longer gives the assertion.
But that's wrong:
err_t kernel_alg_esp_auth_ok(int auth,
struct alg_info_esp *alg_info __attribute__(
(unused)))
{
int ret = (ESP_AALG_PRESENT(alg_info_esp_aa2sadb(auth)));
if (ret)
return NULL;
else
return "bad auth alg";
}
The function (misleadingly) returns NULL on success, and non-NULL on
failure.
> After doing this however, I still get the same error in KLIPS as earlier.
>
> This patch proposed here also does the same change in ikev1_quick.c :
> https://www.openswan.org/issues/331
It was wrong there too :)
While we could adopt the patch to add sha2 to klips, I really feel we
should only extend ciphers/algorithms in klips using cryptoapi. In fact,
I wish we could drop the native md5/sha1/3des/aes from klips as well,
but I understand that would currently break OCF.
Paul
> On Tuesday 25 June 2013 09:12:12 AM IST, Paul Wouters wrote:
>> On Tue, 25 Jun 2013, David McCullough wrote:
>>
>>>> Looking at IKE_ALG, it seems that we always need it and the #ifdef
>>>> should just be killed. The same for KERNEL_ALG too?
>>>>
>>>> In fact, this one even seems to have mixed up the two:
>>>>
>>>> #ifdef KERNEL_ALG
>>>> alg_info_addref(IKETOINFO(c->alg_info_ike));
>>>> #endif
>>>>
>>>>
>>>> So I'd like to suggest we clean these defines up and remove them, as
>>>> the
>>>> code seems to be always required.
>>>
>>> Agreed.
>>
>> Done and tested with netkey and klips (though it should not have
>> affected the kernel stack)
>>
>> Paul
>> _______________________________________________
>> Swan mailing list
>> Swan at lists.libreswan.org
>> https://lists.libreswan.org/mailman/listinfo/swan
>>
>>
>
> --
> Best Regards,
> Elison Niven
>
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
>
More information about the Swan
mailing list