Merge branch 'sha2-no-trunc'

Closes strongswan/strongswan#215.
2025-12-07 00:00:13 -05:00 · 2021-02-23 17:30:11 +01:00 · 2021-02-23 17:30:11 +01:00 · 88c4d8cb22
commit 88c4d8cb22
parent 7a8cd5d6d0 875813c055
3 changed files with 18 additions and 2 deletions
--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
@ -242,8 +242,11 @@ static kernel_algorithm_t integrity_algs[] = {
 	{AUTH_HMAC_SHA1_160,		"hmac(sha1)"		},
 	{AUTH_HMAC_SHA2_256_96,		"sha256"			},
 	{AUTH_HMAC_SHA2_256_128,	"hmac(sha256)"		},
+	{AUTH_HMAC_SHA2_256_256,	"hmac(sha256)"		},
 	{AUTH_HMAC_SHA2_384_192,	"hmac(sha384)"		},
+	{AUTH_HMAC_SHA2_384_384,	"hmac(sha384)"		},
 	{AUTH_HMAC_SHA2_512_256,	"hmac(sha512)"		},
+	{AUTH_HMAC_SHA2_512_512,	"hmac(sha512)"		},
 /*	{AUTH_DES_MAC,				"***"				}, */
 /*	{AUTH_KPDK_MD5,				"***"				}, */
 	{AUTH_AES_XCBC_96,			"xcbc(aes)"			},
@ -1763,6 +1766,15 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 			case AUTH_HMAC_SHA1_160:
 				trunc_len = 160;
 				break;
+			case AUTH_HMAC_SHA2_256_256:
+				trunc_len = 256;
+				break;
+			case AUTH_HMAC_SHA2_384_384:
+				trunc_len = 384;
+				break;
+			case AUTH_HMAC_SHA2_512_512:
+				trunc_len = 512;
+				break;
 			default:
 				break;
 		}
@ -1773,7 +1785,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t,

 			/* the kernel uses SHA256 with 96 bit truncation by default,
 			 * use specified truncation size supported by newer kernels.
-			 * also use this for untruncated MD5 and SHA1. */
+			 * also use this for untruncated MD5, SHA1 and SHA2. */
 			algo = netlink_reserve(hdr, sizeof(request), XFRMA_ALG_AUTH_TRUNC,
 								   sizeof(*algo) + data->int_key.len);
 			if (!algo)
--- a/src/libcharon/plugins/save_keys/save_keys_listener.c
+++ b/src/libcharon/plugins/save_keys/save_keys_listener.c
@ -234,6 +234,7 @@ static algo_map_t esp_integ[] = {
 	{ AUTH_HMAC_SHA2_384_192,  -1, "HMAC-SHA-384-192 [RFC4868]"               },
 	{ AUTH_HMAC_SHA2_512_256,  -1, "HMAC-SHA-512-256 [RFC4868]"               },
 	{ AUTH_HMAC_SHA2_256_96,   -1, "HMAC-SHA-256-96 [draft-ietf-ipsec-ciph-sha-256-00]" },
+	{ AUTH_HMAC_SHA2_256_256,  -1, "ANY 256 bit authentication [no checking]" },
 	{ AUTH_UNDEFINED,          64, "ANY 64 bit authentication [no checking]"  },
 	{ AUTH_UNDEFINED,          96, "ANY 96 bit authentication [no checking]"  },
 	{ AUTH_UNDEFINED,         128, "ANY 128 bit authentication [no checking]" },
@ -263,7 +264,7 @@ static inline void esp_names(proposal_t *proposal, const char **enc,
 				len = 64;
 				break;
 			case ENCR_AES_GCM_ICV12:
-				len = 64;
+				len = 96;
 				break;
 			case ENCR_AES_GCM_ICV16:
 				len = 128;
--- a/src/libcharon/sa/keymat.c
+++ b/src/libcharon/sa/keymat.c
@ -91,8 +91,11 @@ int keymat_get_keylen_integ(integrity_algorithm_t alg)
 		{AUTH_HMAC_SHA1_160,		160},
 		{AUTH_HMAC_SHA2_256_96,		256},
 		{AUTH_HMAC_SHA2_256_128,	256},
+		{AUTH_HMAC_SHA2_256_256,	256},
 		{AUTH_HMAC_SHA2_384_192,	384},
+		{AUTH_HMAC_SHA2_384_384,	384},
 		{AUTH_HMAC_SHA2_512_256,	512},
+		{AUTH_HMAC_SHA2_512_512,	512},
 		{AUTH_AES_XCBC_96,			128},
 		{AUTH_AES_CMAC_96,			128},
 	};