On Mon, 18 May 2015, Wolfgang Nothdurft wrote:
Thanks! I added two interop test cases between KLIPS and NETKEY as well.
Paul
I added a patch to my ticket that enables the sha2-truncbug option for klips.
In linux/net/ipsec/pfkey_v2_build.c:236 I have changed SADB_AALG_MAX to
K_SADB_AALG_MAX, because I think that was a bug.
SADB_AALG_MAX seems not to be defined in kernel space and with my tests it shows a
value of 251 instead of 255, which prevents klips from using the truncated algo
(AH_SHA2_256_TRUNC 252).
Thanks! I'll test it.
Could you test AH with your patch? I had modified your patch in an
attempt to not make a change between builtin and cryptoapi default
choices, but testing shows that AH now fails with:
[ 00.00] KLIPS pfkey_add_parse: not successful for SA: (error), deleting.
[ 00.00] KLIPS pfkey_add_parse: not successful for SA: (error), deleting.
e.g., see
http://bofh.nohats.ca/results/bofh.nohats.ca/2015-05-12-bofh.nohats.ca-3.13aq6-225-g34f80a0-dirty-master/ikev2-13-ah/
It would be useful to see if I made an error with merging the patch in,
or if your patch actually introduced this problem.
Paul