proposal: Make sure non-AEAD IKE proposals contain integrity algorithms
This commit is contained in:
parent
42a6b187f7
commit
ee019ab321
|
@ -710,6 +710,14 @@ static bool check_proposal(private_proposal_t *this)
|
|||
* we MUST NOT propose any integrity algorithms */
|
||||
remove_transform(this, INTEGRITY_ALGORITHM);
|
||||
}
|
||||
else if (this->protocol == PROTO_IKE &&
|
||||
!get_algorithm(this, INTEGRITY_ALGORITHM, NULL, NULL))
|
||||
{
|
||||
DBG1(DBG_CFG, "an integrity algorithm is mandatory in %N proposals "
|
||||
"with classic (non-AEAD) encryption algorithms",
|
||||
protocol_id_names, this->protocol);
|
||||
return FALSE;
|
||||
}
|
||||
}
|
||||
else
|
||||
{ /* AES-GMAC is parsed as encryption algorithm, so we map that to the
|
||||
|
|
|
@ -29,6 +29,8 @@ static struct {
|
|||
{ PROTO_IKE, "aes128", NULL },
|
||||
{ PROTO_IKE, "aes128-sha256", NULL },
|
||||
{ PROTO_IKE, "aes128-sha256-modpnone", NULL },
|
||||
{ PROTO_IKE, "aes128-prfsha256", NULL },
|
||||
{ PROTO_IKE, "aes128-prfsha256-modp2048", NULL },
|
||||
{ PROTO_IKE, "aes128-sha256-modp3072", "IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072" },
|
||||
{ PROTO_IKE, "aes128-sha256-prfsha384-modp3072", "IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_384/MODP_3072" },
|
||||
{ PROTO_IKE, "aes128gcm16-modp3072", NULL },
|
||||
|
|
Loading…
Reference in New Issue