New commits:
commit 15f1993ea9888e242357bd931dac216feb3c25df
Author: Andrew Cagney <cag...@gnu.org>
Date: Mon Jul 23 21:56:12 2018 -0400

ikev1: fix optional key-length regression in an ESP proposal

Merge ESP algorithm checks that were scattered across check_kernel_encrypt_alg, parse_ipsec_transform() and parse_ipsec_sa_body() into ikev1_verify_esp(). For key-length, just check it is valid, and that earlier code handled the missing / optional cases.

In parse_ipsec_transform() remove all but the checks for a missing or optional key-length. When optional, force .enckeylen to .keydeflen (it will remain 0 when 'null' encryption). This way later code can assume .enckeylen is correct and check it.

In parse_ipsec_sa_body() use ikev1_verify_esp() to verify each proposal as it is parsed and not at the end after it has been sort of accepted.

Delete check_kernel_encrypt_alg() as no longer used.

Delete crypto_req_keysize(CRK_ESPorAH,...) as no longer used.

Regression in 6e1368a4a51ab42ffa0e229e6c6b1b649776fd6e spotted by Hugh.

_______________________________________________
Swan-commit mailing list
Swan-commit@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan-commit