[strongSwan] Confusing SHA256 truncation
Andreas Steffen
andreas.steffen at strongswan.org
Wed Jun 8 22:23:53 CEST 2016
Hi Harald,
before the 2.6.33 kernel, Linux used a non-compliant truncation of the
SHA256 HMAC to 96 bits. RFC 4868 requires truncation to be exactly n/2
bits where n is the size of the hash value.
https://tools.ietf.org/html/rfc4868#section-2.3
In the case of SHA256 this must be 128 bits. Why 96 bit truncation is
still occurring in an ARM 3.10 kernel is really weird. It might be
that the extra xfrm_algo_auth struct needed to configure SHA256_128
truncation in the kernel is missing.
Best regards
Andreas
On 06/08/2016 09:54 PM, Harald Krammer wrote:
>
> Hi all,
> Currently I use Strongswan 5.2.2 (Debian 8). So far, everything is fine.
> Only with SHA256 there are weird things.
>
> On my PC with Kernel 3.16 I got a length of 128 bits for SHA256 and the
> same version on my ARM board with Kernel 3.10 I got a length pf 96 bits.
>
> Why does this happen?
>
> Any notes are welcome. Below is the output of ip xfrm state and the
> configuration.
>
> Nice greetings
> Harald
>
>
>
> Setup:
> ######
> PC with Debian 8 x86_64 with Kernel 3.16
> <----->
> ARM Board imX28 Kernel 3.10 also Strongswan 5.2.2
>
>
> ARM Board imX28 Kernel 3.10 also Strongswan 5.2.2:
> / # ip xfrm state
> src 10.1.8.241 dst 10.1.8.240
> proto esp spi 0xc86e8c86 reqid 1 mode tunnel
> replay-window 32
> auth-trunc hmac(sha256)
> 0x9954ce2e14cbf9c68ec72178859d377da19899688df13783fd728ddd9648bcb7 96
> enc ecb(cipher_null)
> sel src 0.0.0.0/0 dst 0.0.0.0/0
> src 10.1.8.240 dst 10.1.8.241
> proto esp spi 0xc31d24ed reqid 1 mode tunnel
> replay-window 32
> auth-trunc hmac(sha256)
> 0x0549596a5249d0ae333b9f2e56db47923aedc69252289d27796167d64db151de 96
> enc ecb(cipher_null)
> sel src 0.0.0.0/0 dst 0.0.0.0/0
>
> PC with Debian 8 x86_64 with Kernel 3.16:
> root at saturn:/home/hk# ip xfrm state
> src 10.1.8.240 dst 10.1.8.241
> proto esp spi 0xc31d24ed reqid 10 mode tunnel
> replay-window 32 flag af-unspec
> auth-trunc hmac(sha256)
> 0x0549596a5249d0ae333b9f2e56db47923aedc69252289d27796167d64db151de 128
> enc ecb(cipher_null)
> src 10.1.8.241 dst 10.1.8.240
> proto esp spi 0xc86e8c86 reqid 10 mode tunnel
> replay-window 32 flag af-unspec
> auth-trunc hmac(sha256)
> 0x9954ce2e14cbf9c68ec72178859d377da19899688df13783fd728ddd9648bcb7 128
> enc ecb(cipher_null)
>
>
>
> Config: (is working without SHA256)
> #######
> conn %default
> ikelifetime=28800
> keylife=60m
> rekeymargin=3m
> keyingtries=1
> keyexchange=ikev2
> authby=secret
>
> conn test
> left=10.1.8.240
> leftsubnet=10.1.0.0/8
> leftid=10.1.8.240
> leftfirewall=yes
> leftsourceip=%config
> right=10.1.8.241
> rightsubnet=10.1.8.241/32
> rightid=10.1.8.241
> auto=add
> type=tunnel
> ike=null-sha256-modp2048! # null for wireshark
> esp=null-sha256-modp2048! # null for wireshark
> dpdaction=restart
> dpddelay=20s
> dpdtimeout=10s
>
>
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
--
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4275 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20160608/6b93bd21/attachment-0001.bin>
More information about the Users
mailing list