Am 06.07.2014 03:15, schrieb Paul Wouters:
On Sat, 5 Jul 2014, Bernhard Held wrote:
I'm applying the attached patch to turn the "connection list" message
ESP algorithms wanted: AES_GCM_C(20)_256-NONE(0)_000;
pfsgroup=MODP2048(14)
ESP algorithms loaded: none
into:
ESP algorithms wanted: AES_GCM_C(20)_256-NONE(0)_000;
pfsgroup=MODP2048(14)
ESP algorithms loaded: AES_GCM_C(20)_256-NONE(0)_000
The problem is that kernel_alg_esp_enc_ok() is called several times
with key_len = 0, which causes a failure of the check of the AES_GCM
key length. A few lines further down in kernel_alg_esp_enc_ok() a
comment even tells us that "if key_len specified, it must be in
range". This is what my patch is introducing for the first test too.
It's just a cosmetic problem, libreswan can establish a SA. However,
it's very misleading and makes finding the right key length pretty hard.
I ran into the same issue and had included a patch for it as well:
https://github.com/libreswan/libreswan/commit/2be652fea52eaf3e25671c4b2ddd5ff4f1a10342
commit 2be652fea52eaf3e25671c4b2ddd5ff4f1a10342
Author: Paul Wouters <[email protected]>
Date: Thu Jul 3 12:37:21 2014 -0400
kernel_alg_esp_enc_ok(): improve key size handling
- If ealg is not registered, don't return "ok" (also already spotted
by Hugh)
- If key_len is specified, enforce some size restrictions
(this duplicates code elsewhere and should be split off in a
separate function)
Paul
Ok, I missed this one.
The support and maintenance of libreswan & xl2tpd are outstanding.
Thanks a lot for the excellent work!
Bernhard
_______________________________________________
Swan-dev mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan-dev
