[Swan-dev] added sha 2 cryptoapi support with klips

Wolfgang Nothdurft wolfgang at linogate.de
Mon May 18 21:17:05 EEST 2015


Am 18.05.2015 um 19:09 schrieb Paul Wouters:
> On Mon, 18 May 2015, Wolfgang Nothdurft wrote:
>
>>>  Thanks! I added two interop test cases between KLIPS and NETKEY as 
>>> well.
>>>
>>>  Paul
>> I added a patch to my ticket that enables the sha2-truncbug option 
>> for klips.
>>
>> In linux/net/ipsec/pfkey_v2_build.c:236 I have changed SADB_AALG_MAX 
>> to K_SADB_AALG_MAX, because I think that was a bug.
>> SADB_AALG_MAX seems not to be defined in kernel space, and in my tests it 
>> shows a value of 251 instead of 255, which prevents klips from using the 
>> truncated algo (AH_SHA2_256_TRUNC 252).
>
> Thanks! I'll test it.
>
> Could you test AH with your patch? I had modified your patch in an
> attempt to not make a change between buildin and cryptoapi default
> choices, but testing shows that AH now fails with:
>
> [ 00.00] KLIPS pfkey_add_parse: not successful for SA:  (error), 
> deleting.
> [ 00.00] KLIPS pfkey_add_parse: not successful for SA:  (error), 
> deleting.
>
> eg, see
> http://bofh.nohats.ca/results/bofh.nohats.ca/2015-05-12-bofh.nohats.ca-3.13aq6-225-g34f80a0-dirty-master/ikev2-13-ah/ 
>
>
> It would be useful to see if I made an error with merging the patch in,
> or if your patch actually introduced this problem.
>
> Paul
Same here.

It seems there is some work to do in linux/net/ipsec/ipsec_ah.c

The problem is that there is no CONFIG_KLIPS_ALG part and the internal 
algos (CONFIG_KLIPS_AUTH_HMAC_SHA1) are undefined.

I can take a look at that tomorrow.

Wolfgang
