[Swan-dev] added sha 2 cryptoapi support with klips

Paul Wouters paul at nohats.ca
Mon May 18 20:09:06 EEST 2015

On Mon, 18 May 2015, Wolfgang Nothdurft wrote:

>>  Thanks! I added two interop test cases between KLIPS and NETKEy as well.
>>  Paul
> I added a patch to my ticket that enables the sha2-truncbug option for klips.
> In linux/net/ipsec/pfkey_v2_build.c:236 I have changed SADB_AALG_MAX to 
> K_SADB_AALG_MAX, because I think that was a bug.
> SADB_AALG_MAX seems not defined in kernel space and with my tests it shows a 
> value of 251 instead 255, which prevents klips from using the truncated algo 
> (AH_SHA2_256_TRUNC 252).

Thanks! I'll test it.

Could you test AH with your patch? I had modified your patch in an
attempt to not make a change between buildin and cryptoapi default
choices, but testing shows that AH now fails with:

[ 00.00] KLIPS pfkey_add_parse: not successful for SA:  (error), deleting.
[ 00.00] KLIPS pfkey_add_parse: not successful for SA:  (error), deleting.

eg, see

It would be useful to see if I made an error with merging the patch in,
or if your patch actually introduced this problem.


More information about the Swan-dev mailing list