On 30.06.2014 21:28, The Libreswan Project wrote:
> The Libreswan Project is about to release libreswan-3.9. It includes a
> very large bugfix and enhancement patch set. Therefore, we would really
> like people to do some additional testing before we release it.
>
> You can find the 3.9rc1 pre-release at:
>
> https://download.libreswan.org/development/
3.9rc1 seems to be different from the git repository at
https://github.com/libreswan/libreswan/
Is there another repository to review the changes?
> Please send any issues you find to the development list at
> [email protected]
I'm applying the attached patch to turn the "connection list" message
ESP algorithms wanted: AES_GCM_C(20)_256-NONE(0)_000; pfsgroup=MODP2048(14)
ESP algorithms loaded: none
into:
ESP algorithms wanted: AES_GCM_C(20)_256-NONE(0)_000; pfsgroup=MODP2048(14)
ESP algorithms loaded: AES_GCM_C(20)_256-NONE(0)_000
The problem is that kernel_alg_esp_enc_ok() is called several times with
key_len = 0, which causes a failure of the check of the AES_GCM key
length. A few lines further down in kernel_alg_esp_enc_ok() a comment
even tells us that "if key_len specified, it must be in range". This is
what my patch is introducing for the first test too.
It's just a cosmetic problem; libreswan can establish an SA. However,
it's very misleading and makes finding the right key length pretty hard.
Bernhard
--- a/lib/libswan/kernel_alg.c.orig 2014-06-27 20:55:02.989241587 +0200
+++ b/lib/libswan/kernel_alg.c 2014-06-27 20:56:29.357237787 +0200
@@ -165,9 +165,10 @@ err_t kernel_alg_esp_enc_ok(int alg_id,
struct sadb_alg *alg_p = &esp_ealg[alg_id];
passert(alg_p != NULL);
- if (alg_id == ESP_AES_GCM_8 ||
- alg_id == ESP_AES_GCM_12 ||
- alg_id == ESP_AES_GCM_16) {
+ if (key_len != 0 &&
+ (alg_id == ESP_AES_GCM_8 ||
+ alg_id == ESP_AES_GCM_12 ||
+ alg_id == ESP_AES_GCM_16)) {
if (key_len != 128 && key_len != 192 &&
key_len != 256) {
ugh = builddiag("kernel_alg_db_add() key_len is incorrect: alg_id=%d, key_len=%d, alg_minbits=%d, alg_maxbits=%d",
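Review bot: The new `key_len != 0 &&` guard in front of the ESP_AES_GCM_8/12/16 test lets a zero key_len skip the 128/192/256 check with no explanation in the code; add a short comment at that condition stating that key_len == 0 means no key length was specified, so it is not mistaken for an accepted AES-GCM key size. It is also worth confirming that callers passing 0 settle on a concrete key length later, since nothing in this hunk validates one in that case. Separately, the builddiag() string in the trailing context line still names "kernel_alg_db_add()" although the hunk header shows the function is kernel_alg_esp_enc_ok(); correcting the name would make the diagnostic easier to trace.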