I've pushed the following changes:
- only allow both <integ> and <prf> when impaired (this "feature" was
never announced in CHANGES)
- only show a proposals integrity when it, encryption, and PRF aren't consistent
(and the only way to do that is with --impair)
And I've parked a change so things are pretty much always ordered
<encr>-<integ>-... vis:
algparse -v2 'ike=aes_gcm-sha1-dh14'
AES_GCM_16-HMAC_SHA1-MODP2048
algparse -v2 'ike=aes_gcm-none-sha1-dh14'
AES_GCM_16-HMAC_SHA1-MODP2048
(I suspect it should print AES_GCM-none-... to)
> > so what happens now with ike=aes-sha2-sha2-dh14 ?
>
> algparse -v2 'ike=aes-sha2-sha2-dh14'
> AES_CBC-HMAC_SHA2_256-MODP2048
>
> i.e., it hides integrity HMAC_SHA2_256_128 because it was derived from the
> PRF.
>
> I'll change fmt_proposal() to do this more generally - provided all
> the integrity algorithms are 1:1 derived from a PRF then they are
> hidden.
>
> (I tried hacking things so <aead>-none-<prf>-... <aead>-<prf>- and
> <encr>-<integ>-... work but it gets messy)
_______________________________________________
Swan-dev mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan-dev
