New commits:
commit 15f1993ea9888e242357bd931dac216feb3c25df
Author: Andrew Cagney <cag...@gnu.org>
Date:   Mon Jul 23 21:56:12 2018 -0400

    ikev1: fix optional key-length regression in an ESP proposal
    
    Merge ESP algorithm checks that were scattered across
    check_kernel_encrypt_alg, parse_ipsec_transform() and
    parse_ipsec_sa_body() into ikev1_verify_esp().  For key-length, just
    check it is valid, and that earlier code handled the missing /
    optional cases.
    
    In parse_ipsec_transform() remove all but the checks for a missing or
    optional key-length.  When optional, force .enckeylen to .keydeflen
    (it will remain 0 when 'null' encryption).  This way later code can
    assume .enckeylen is correct and check it.
    
    In parse_ipsec_sa_body() use ikev1_verify_esp() to verify each
    proposal as it is parsed and not at the end after it has been sort of
    accepted.
    
    Delete check_kernel_encrypt_alg() as no longer used.
    Delete crypto_req_keysize(CRK_ESPorAH,...) as no longer used.
    
    Regression in 6e1368a4a51ab42ffa0e229e6c6b1b649776fd6e spotted
    by Hugh.

_______________________________________________
Swan-commit mailing list
Swan-commit@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan-commit
