From: Tobias Brunner Date: Tue, 19 Sep 2017 09:01:04 +0000 (+0200) Subject: proposal: Remove MD5 from default IKE proposal X-Git-Tag: 5.6.1rc1~9 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=10da451fc38c31476c26c5aa78ad3decc01e3a1f;p=thirdparty%2Fstrongswan.git proposal: Remove MD5 from default IKE proposal RFC 8247 demoted MD5 to MUST NOT. References #2427.
---
diff --git a/src/libcharon/config/proposal.c b/src/libcharon/config/proposal.c
index b0be951ab6..b4245d3de4 100644
--- a/src/libcharon/config/proposal.c
+++ b/src/libcharon/config/proposal.c
@@ -872,9 +872,10 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead)
 case AUTH_AES_XCBC_96:
 case AUTH_AES_CMAC_96:
 case AUTH_HMAC_SHA1_96:
- case AUTH_HMAC_MD5_96:
 add_algorithm(this, INTEGRITY_ALGORITHM, integrity, 0);
 break;
+ case AUTH_HMAC_MD5_96:
+ /* no, thanks */
 default:
 break;
 }
@@ -908,9 +909,11 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead)
 switch (prf)
 {
 case PRF_HMAC_SHA1:
- case PRF_HMAC_MD5:
 add_algorithm(this, PSEUDO_RANDOM_FUNCTION, prf, 0);
 break;
+ case PRF_HMAC_MD5:
+ /* no, thanks */
+ break;
 default:
 break;
 }
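Review bot: The new `case AUTH_HMAC_MD5_96:` label in the first hunk has no `break;` and falls through into `default:`, whereas the matching `case PRF_HMAC_MD5:` in the second hunk ends with an explicit `break;`. The two should be written the same way; with the explicit `break;`, a case later inserted between the MD5 label and `default:` cannot silently put MD5 back into the default proposal. The comment `/* no, thanks */` in both hunks does not tell a later reader why the algorithm is skipped; `/* MUST NOT per RFC 8247, kept out of the default proposal */` records the reason the commit message gives. Both switch statements and the body of proposal_add_supported_ike start and end outside the hunks, so whether MD5 can still be selected through an explicitly configured proposal is not visible here.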