[strongSwan] Default PRF algorithm selection

Emeric POUPON emeric.poupon at stormshield.eu
Fri Oct 31 11:50:23 CET 2014


Sorry, I meant cast, not serpent!

----- Mail original -----
De: "Emeric POUPON" <emeric.poupon at stormshield.eu>
À: "Martin Willi" <martin at strongswan.org>
Cc: users at lists.strongswan.org
Envoyé: Vendredi 31 Octobre 2014 11:27:05
Objet: Re: [strongSwan] Default PRF algorithm selection

Hello,

Thanks for you support, I do agree these algorithms are very exotic!

If you want to be exhaustive, there is the same issue for the pfkey's algorithms (did not check other plugins):

--- src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c	2014-10-30 16:18:20.000000000 +0100
+++ src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c	2014-10-30 16:16:49.535620541 +0100
@@ -850,7 +850,10 @@ static kernel_algorithm_t encryption_alg
  */
 static kernel_algorithm_t integrity_algs[] = {
 	{AUTH_HMAC_MD5_96,			SADB_AALG_MD5HMAC			},
+	{AUTH_HMAC_MD5_128,			SADB_AALG_MD5HMAC			},
 	{AUTH_HMAC_SHA1_96,			SADB_AALG_SHA1HMAC			},
+	{AUTH_HMAC_SHA1_128,			SADB_AALG_SHA1HMAC			},
+	{AUTH_HMAC_SHA1_160,			SADB_AALG_SHA1HMAC			},
 	{AUTH_HMAC_SHA2_256_128,	SADB_X_AALG_SHA2_256HMAC	},
 	{AUTH_HMAC_SHA2_384_192,	SADB_X_AALG_SHA2_384HMAC	},
 	{AUTH_HMAC_SHA2_512_256,	SADB_X_AALG_SHA2_512HMAC	},


I have another question: why only very well-know key size are implemented for variable-length key algorithms (blowfish, serpent) ?
For example blowfish can be used with keysize that range from 32 to 448, and only 128, 192 and 256 are available.
Is there a way to handle them? Maybe just add all entries in the  ./src/libstrongswan/crypto/proposal/proposal_keywords_static.c file ?

Best Regards,

Emeric



----- Mail original -----
De: "Martin Willi" <martin at strongswan.org>
À: "Emeric POUPON" <emeric.poupon at stormshield.eu>
Cc: users at lists.strongswan.org
Envoyé: Vendredi 31 Octobre 2014 10:34:22
Objet: Re: [strongSwan] Default PRF algorithm selection

Hi,

> > Sounds like a regression: how was this supposed to work before the 5.0.2 version?
> 
> It never did.  Apparently, you are the first one to use these algorithms
> (at least without specifying an explicit PRF).

Note that these algorithms are very exotic, and most likely not even
supported by other implementations. I don't see much benefit from
actually using them. They have IANA identifiers, but only because they
are used in a Fiber Channel context, as specified by RFC4595.

Regards
Martin

_______________________________________________
Users mailing list
Users at lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users


More information about the Users mailing list