[strongSwan] IPsec and SHA-2

Andreas Steffen andreas.steffen at strongswan.org
Fri Sep 24 19:29:06 CEST 2010

Hello Micah,

Martin posted a kernel patch correctly implementing SHA2-256-128,
SHA2-384-192, and SHA2-512-256 some while ago, which was immediately
accepted and integrated into the Linux 2.6.33 and later kernels.

On 09/24/2010 05:14 PM, Micah Anderson wrote:
> Martin Willi <martin at strongswan.org> writes:
>> Hi Joel,
>>> The Linux Kernel implementation appears to be wrong.  Has anyone
>>> experienced interoperability problems when using HMAC-SHA2-256-128 to
>>> authenticate IPsec?
>> Indeed, the kernel implementation uses an older draft version with 96
>> bit truncation. We discovered this issue due to the interoperability
>> testing in Texas this year. There is no way to fix this in userland.
>> I've sent a patch [1] to use the truncation defined in RFC4868, but it
>> has not been accepted as it would render existing setups incompatible.
>> While this is true, the current implementation of SHA2 MACs is
>> incompatible with the standard.
>> Herbert Xu suggested to extend the API by a truncation length parameter.
>> But as the trend goes to AES based MACs and combined mode ciphers, it
>> was not worth the effort for me.
> Is the above still true in the kernel? If so, it's an unfortunate
> situation.
> m

Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
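The truncation mismatch the thread describes can be made concrete with a short Python example. This is an added illustration, not code from the strongSwan project or the Linux kernel: it computes the ESP/AH integrity check value (ICV) for HMAC-SHA2 the way RFC 4868 specifies it (leftmost 128, 192 or 256 bits for SHA-256, SHA-384 and SHA-512 respectively) and the way the older draft did (leftmost 96 bits), and shows why an RFC 4868 receiver rejects a 96-bit ICV even though the bytes it does receive are a correct prefix of the full MAC. The key and message are the RFC 4231 test vector 1 inputs (20 bytes of 0x0b, "Hi There"); the function names are the example's own.

```python
import hashlib
import hmac

# RFC 4868 section 2.3: truncation length in bits for each IPsec HMAC-SHA2 variant
RFC4868_TRUNC_BITS = {
    "sha256": 128,   # HMAC-SHA-256-128
    "sha384": 192,   # HMAC-SHA-384-192
    "sha512": 256,   # HMAC-SHA-512-256
}

# Truncation used by the earlier draft (and by the pre-2.6.33 kernel per the thread)
DRAFT_TRUNC_BITS = 96


def truncated_hmac(algo, key, data, trunc_bits):
    """Leftmost trunc_bits of HMAC-<algo>(key, data), i.e. RFC 2104 style truncation."""
    full = hmac.new(key, data, getattr(hashlib, algo)).digest()
    return full[: trunc_bits // 8]


def rfc4868_icv(algo, key, data):
    """ICV as an RFC 4868 conformant peer computes it."""
    return truncated_hmac(algo, key, data, RFC4868_TRUNC_BITS[algo])


def draft_icv(algo, key, data):
    """ICV as a peer still using the 96-bit draft truncation computes it."""
    return truncated_hmac(algo, key, data, DRAFT_TRUNC_BITS)


def icv_matches(expected, received):
    """Constant-time comparison; differing lengths simply fail."""
    return hmac.compare_digest(expected, received)


def interop_check(algo, key, data):
    """Simulate a draft-truncating sender talking to an RFC 4868 receiver.

    Returns the ICV lengths each side uses, whether the receiver accepts the
    packet, and whether the shorter ICV is nevertheless a correct prefix of
    the longer one (it always is: both sides run the same HMAC, they only
    disagree on how much of it to keep).
    """
    sent = draft_icv(algo, key, data)
    expected = rfc4868_icv(algo, key, data)
    return {
        "sent_len_bits": len(sent) * 8,
        "expected_len_bits": len(expected) * 8,
        "accepted": icv_matches(expected, sent),
        "prefix_equal": sent == expected[: len(sent)],
    }


if __name__ == "__main__":
    # Constructed sample inputs: RFC 4231 test case 1 key and message
    key = b"\x0b" * 20
    data = b"Hi There"
    for algo in RFC4868_TRUNC_BITS:
        print(algo, rfc4868_icv(algo, key, data).hex(), interop_check(algo, key, data))
```

Because the ICV is a straight prefix of the same HMAC, a 96-bit sender and a 128-bit receiver never negotiate their way to agreement; the only fix is to make both ends truncate identically, which is why the thread says it cannot be repaired in userland and why changing the kernel default would break existing 96-bit peers.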