xelerance / Openswan

ike=3des-sha2_512;modp1024 doesn't work #436

Open jammy2020 opened 4 years ago

jammy2020 commented 4 years ago

Hi! If I have ike=3des-sha2_512;modp1024 in the conn (peer is Cisco), I get: "IPSec_TUN_5" #1: received Hash Payload does not match computed value

But, with ike=3des-sha2_256;modp1024 everything is ok!

I tracked the code and found this in hmac_final() of hmac.c: h->hash_update(&ctx->hash_ctx, ctx->buf2, HMAC_BUFSIZE);

HMAC_BUFSIZE is defined as a static value of 64 (bytes), which is the length of a chunk in sha256. However, in my understanding, sha512 takes 128 bytes as a chunk.

What do you think? Or, how do you define the HMAC_BUFSIZE?
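The padding-size effect raised in the post above, as an added example that is not part of the original thread and is not Openswan's code: a hand-written RFC 2104 HMAC whose ipad/opad buffer length is a parameter, compared against Python's standard `hmac` module. The key, message and function names are constructed for illustration.

```python
import hashlib
import hmac


def hmac_with_pad(hash_name, key, msg, pad_size):
    """RFC 2104 HMAC with the ipad/opad buffer length forced to pad_size."""
    def h(data):
        return hashlib.new(hash_name, data).digest()

    if len(key) > pad_size:              # over-long keys are hashed first
        key = h(key)
    key = key.ljust(pad_size, b"\x00")   # zero-pad the key to the buffer size
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    return h(opad + h(ipad + msg))


def matches_reference(hash_name, key, msg, pad_size):
    """True if the fixed-pad HMAC equals the standard library's HMAC."""
    ref = hmac.new(key, msg, hash_name).digest()
    return hmac.compare_digest(hmac_with_pad(hash_name, key, msg, pad_size), ref)


# Constructed inputs; a real IKE exchange derives the key from SKEYID material.
KEY = bytes(range(20))
MSG = b"constructed IKE hash payload input"


def survey():
    """(hash, real block size, pad size used, matches standard HMAC?)"""
    rows = []
    for name in ("sha256", "sha512"):
        block = hashlib.new(name).block_size   # 64 for sha256, 128 for sha512
        for pad in (64, 128):
            rows.append((name, block, pad, matches_reference(name, KEY, MSG, pad)))
    return rows


if __name__ == "__main__":
    for name, block, pad, ok in survey():
        print(f"{name}: block={block} pad={pad} -> {'match' if ok else 'MISMATCH'}")
```

A 64-byte pad reproduces the standard HMAC only for SHA-256; with SHA-512 the digest differs from what a conforming peer computes, so the peer's hash comparison fails.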

letoams commented 4 years ago

Please use libreswan. It is a drop-in replacement of openswan that passes FIPS certification and doesn’t have these kinds of bugs.

Openswan has not been developed in almost ten years now.

Libreswan has obsoleted openswan in all main Linux distributions.


On Jun 2, 2020, at 07:53, jimmy876 notifications@github.com wrote:

 Hi! If I have 3des-sha2_512;modp1024 in conn (peer is cisco) I have got: "IPSec_TUN_5" #1: received Hash Payload does not match computed value

But, with 3des-sha2_256;modp1024 everything is ok!

I track the code, and find that: