On Mon, 26 Jun 2017, Antony Antony wrote:
We should have rejected the ESP transform before getting to the AUTH
payload. We used to do this, and it did depend on the stack choice
because it checked the "registered" esp/ah algorithms, which are
also shown in "ipsec status".
In this test case the initiator, road (klips stack), is proposing
GCM to the responder east (netkey stack). When east responds with GCM, road
cannot install the SA.
A similar thing is true for initiating. We should not propose any
transform that is not "registered" for ESP/AH.
/*
* also open the pfkey socket, since we need it to get a list of
* algorithms.
Is this comment still true with the crypto API, post 2010? Or is it a dated comment?
The above part goes back to 2007. The next lines were added in 2012. I would imagine
netlink can get a list, such as /proc/crypto.
There might be a native call, but we currently don't know about it. It
would be good if we can skip relying on the PFKEY call since the kernel
deems it legacy.
Paul
_______________________________________________
Swan-dev mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan-dev
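The check discussed in the thread (only propose or accept an ESP/AH transform the kernel actually has registered, taken from /proc/crypto rather than the legacy PFKEY registration list), written out as an added example. This is not libreswan code: the IKE-name-to-kernel-name table, the record fields it relies on (name, type, selftest) and the abbreviated /proc/crypto sample are assumptions made for the example; on a live system the text of /proc/crypto would be passed in instead of the sample.

```c
#include <stdio.h>
#include <string.h>

/* Constructed, abbreviated /proc/crypto text (not from a real host): one
 * blank-line-separated record per registered algorithm, "key : value" lines. */
static const char *SAMPLE_PROC_CRYPTO =
    "name         : rfc4106(gcm(aes))\n"
    "selftest     : passed\n"
    "type         : aead\n"
    "\n"
    "name         : rfc4309(ccm(aes))\n"
    "selftest     : unknown\n"
    "type         : aead\n"
    "\n"
    "name         : cbc(aes)\n"
    "selftest     : passed\n"
    "type         : skcipher\n";

enum reg_status { REG_MISSING = 0, REG_UNTESTED = 1, REG_OK = 2 };
struct proc_rec { char name[96]; char type[32]; char selftest[32]; };

/* If the line is "key : value" for this key, copy the trimmed value to out. */
static int field(const char *line, size_t len, const char *key, char *out, size_t outsz)
{
    const char *colon = memchr(line, ':', len), *end = line + len;
    size_t klen, vlen;
    if (colon == NULL)
        return 0;
    for (klen = (size_t)(colon - line); klen > 0 && line[klen - 1] == ' '; klen--)
        ;
    if (klen != strlen(key) || strncmp(line, key, klen) != 0)
        return 0;
    for (colon++; colon < end && *colon == ' '; colon++)
        ;
    vlen = (size_t)(end - colon);
    if (vlen >= outsz)
        vlen = outsz - 1;
    memcpy(out, colon, vlen);
    out[vlen] = '\0';
    return 1;
}

/* Scan /proc/crypto text for an algorithm registered under this exact name and
 * type; report whether it is present and whether its kernel self-test passed. */
enum reg_status kernel_alg_status(const char *text, const char *name, const char *type)
{
    enum reg_status best = REG_MISSING;
    struct proc_rec rec;
    const char *p = text;
    memset(&rec, 0, sizeof rec);
    for (;;) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len > 0 && !field(p, len, "name", rec.name, sizeof rec.name) &&
            !field(p, len, "type", rec.type, sizeof rec.type))
            field(p, len, "selftest", rec.selftest, sizeof rec.selftest);
        if (len == 0 || nl == NULL) {
            /* Record boundary: judge what was collected, then start afresh. */
            if (rec.name[0] && strcmp(rec.name, name) == 0 && strcmp(rec.type, type) == 0) {
                enum reg_status s = strcmp(rec.selftest, "passed") == 0 ? REG_OK : REG_UNTESTED;
                if (s > best)
                    best = s; /* several drivers may register the same name */
            }
            memset(&rec, 0, sizeof rec);
            if (nl == NULL)
                return best;
        }
        p = nl + 1;
    }
}

/* Assumed mapping from IKE transform names to the names the kernel's XFRM
 * layer registers ("skcipher" is spelled differently on old kernels). */
static const struct { const char *ike, *kernel, *type; } ESP_MAP[] = {
    { "aes_gcm_16", "rfc4106(gcm(aes))", "aead" },
    { "aes_ccm_16", "rfc4309(ccm(aes))", "aead" },
    { "aes",        "cbc(aes)",          "skcipher" },
    { "3des",       "cbc(des3_ede)",     "skcipher" },
};

/* A transform should only be proposed or accepted if this returns REG_OK. */
enum reg_status esp_transform_status(const char *text, const char *ike_name)
{
    size_t i;
    for (i = 0; i < sizeof ESP_MAP / sizeof ESP_MAP[0]; i++)
        if (strcmp(ESP_MAP[i].ike, ike_name) == 0)
            return kernel_alg_status(text, ESP_MAP[i].kernel, ESP_MAP[i].type);
    return REG_MISSING; /* unknown transform: never propose it */
}

int main(void)
{
    static const char *names[] = { "aes_gcm_16", "aes_ccm_16", "aes", "3des" };
    size_t i;
    for (i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-12s status=%d\n", names[i], (int)esp_transform_status(SAMPLE_PROC_CRYPTO, names[i]));
    return 0;
}
```

The name and type are matched exactly because the raw block cipher "aes" and the mode "cbc(aes)" are separate registrations; only the latter is usable for ESP. An algorithm whose self-test is reported as anything other than "passed" is distinguished from a missing one so the caller can decide whether to treat it as unusable.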