[strongSwan] Default PRF algorithm selection
Emeric POUPON
emeric.poupon at stormshield.eu
Fri Oct 31 11:27:05 CET 2014
Hello,
Thanks for you support, I do agree these algorithms are very exotic!
If you want to be exhaustive, there is the same issue for the pfkey's algorithms (did not check other plugins):
--- src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c 2014-10-30 16:18:20.000000000 +0100
+++ src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c 2014-10-30 16:16:49.535620541 +0100
@@ -850,7 +850,10 @@ static kernel_algorithm_t encryption_alg
*/
static kernel_algorithm_t integrity_algs[] = {
{AUTH_HMAC_MD5_96, SADB_AALG_MD5HMAC },
+ {AUTH_HMAC_MD5_128, SADB_AALG_MD5HMAC },
{AUTH_HMAC_SHA1_96, SADB_AALG_SHA1HMAC },
+ {AUTH_HMAC_SHA1_128, SADB_AALG_SHA1HMAC },
+ {AUTH_HMAC_SHA1_160, SADB_AALG_SHA1HMAC },
{AUTH_HMAC_SHA2_256_128, SADB_X_AALG_SHA2_256HMAC },
{AUTH_HMAC_SHA2_384_192, SADB_X_AALG_SHA2_384HMAC },
{AUTH_HMAC_SHA2_512_256, SADB_X_AALG_SHA2_512HMAC },
I have another question: why only very well-know key size are implemented for variable-length key algorithms (blowfish, serpent) ?
For example blowfish can be used with keysize that range from 32 to 448, and only 128, 192 and 256 are available.
Is there a way to handle them? Maybe just add all entries in the ./src/libstrongswan/crypto/proposal/proposal_keywords_static.c file ?
Best Regards,
Emeric
----- Mail original -----
De: "Martin Willi" <martin at strongswan.org>
À: "Emeric POUPON" <emeric.poupon at stormshield.eu>
Cc: users at lists.strongswan.org
Envoyé: Vendredi 31 Octobre 2014 10:34:22
Objet: Re: [strongSwan] Default PRF algorithm selection
Hi,
> > Sounds like a regression: how was this supposed to work before the 5.0.2 version?
>
> It never did. Apparently, you are the first one to use these algorithms
> (at least without specifying an explicit PRF).
Note that these algorithms are very exotic, and most likely not even
supported by other implementations. I don't see much benefit from
actually using them. They have IANA identifiers, but only because they
are used in a Fiber Channel context, as specified by RFC4595.
Regards
Martin
More information about the Users
mailing list