[Swan-dev] added sha 2 cryptoapi support with klips

Paul Wouters paul at nohats.ca
Mon May 18 20:09:06 EEST 2015


On Mon, 18 May 2015, Wolfgang Nothdurft wrote:

>>  Thanks! I added two interop test cases between KLIPS and NETKEY as well.
>>
>>  Paul
> I added a patch to my ticket that enables the sha2-truncbug option for klips.
>
> In linux/net/ipsec/pfkey_v2_build.c:236 I have changed SADB_AALG_MAX to
> K_SADB_AALG_MAX, because I think that was a bug.
> SADB_AALG_MAX seems not to be defined in kernel space and with my tests it shows a
> value of 251 instead of 255, which prevents klips from using the truncated algo
> (AH_SHA2_256_TRUNC 252).

Thanks! I'll test it.

Could you test AH with your patch? I had modified your patch in an
attempt to not make a change between builtin and cryptoapi default
choices, but testing shows that AH now fails with:

[ 00.00] KLIPS pfkey_add_parse: not successful for SA:  (error), deleting.
[ 00.00] KLIPS pfkey_add_parse: not successful for SA:  (error), deleting.

e.g., see
http://bofh.nohats.ca/results/bofh.nohats.ca/2015-05-12-bofh.nohats.ca-3.13aq6-225-g34f80a0-dirty-master/ikev2-13-ah/

It would be useful to see if I made an error with merging the patch in,
or if your patch actually introduced this problem.

Paul

