ike=3des-sha2_512;modp1024 dosen't work #436
Comments
|
Pleas use libreswan. It is a drop in replacement of openswan that passes FIPS certification and doesn’t have these kind of bugs.
openswan has not been developed in almost ten years now.
Libreswan has obsoleted openswan in all main Linux distributions
…Sent from my iPhone
On Jun 2, 2020, at 07:53, jimmy876 ***@***.***> wrote:
Hi!
If I have 3des-sha2_512;modp1024 in conn (peer is cisco) I have got:
"IPSec_TUN_5" #1: received Hash Payload does not match computed value
But, with 3des-sha2_256;modp1024 everything is ok!
I track the code, and find that:
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub, or unsubscribe.
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hi!
If I have ike=3des-sha2_512;modp1024 in conn (peer is cisco) I have got:
"IPSec_TUN_5" #1: received Hash Payload does not match computed value
But, with ike=3des-sha2_256;modp1024 everything is ok!
I track the code, and find this in hmac_final() of hmac.c :
h->hash_update(&ctx->hash_ctx, ctx->buf2, HMAC_BUFSIZE);
HMAC_BUFSIZE is defined as a static value 64(bytes), which is the length of chunk in sha256. However, in my understanding, sha512 takes 128 bytes as a chunk.
What do you think? Or, how do you define the HMAC_BUFSIZE?
The text was updated successfully, but these errors were encountered: