Skip to content

Commit 4c74fb9

Browse files
philljjphilljj
committed
esp: add sha256 hmac.
1 parent 1f08590 commit 4c74fb9

2 files changed

Lines changed: 29 additions & 13 deletions

File tree

scripts/ip-xfrm/hmac_auth

Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -3,9 +3,20 @@
33
# hmac-[md5,sha1]-96 example.
44
#
55

6+
print_usage_and_die() {
7+
echo "usage:"
8+
echo " hmac_auth [auth]"
9+
echo " auth = md5, sha1, sha256"
10+
exit 1
11+
}
12+
613
alg=sha1
714
ip_proto=tcp
815

16+
if [ $# -eq 0 ]; then
17+
print_usage_and_die
18+
fi
19+
920
if [ $# -eq 1 ]; then
1021
alg=$1
1122
fi

src/wolfesp.c

Lines changed: 18 additions & 13 deletions
Original file line numberDiff line numberDiff line change
@@ -6,16 +6,17 @@
66
#define ESP_PADDING_LEN 1
77
#define ESP_NEXT_HEADER_LEN 1
88
#define ESP_ICV_ALIGNMENT 4
9-
/* hmac-[sha1, md5]-96*/
9+
/* hmac-[sha256, sha1, md5]-96*/
1010
#define ESP_ICVLEN_HMAC_96 12
1111
#define WOLFIP_ESP_NUM_SA 1
1212

1313
typedef enum {
1414
ESP_AUTH_NONE = 0,
15-
ESP_AUTH_SHA1, /* hmac(sha1)-96 */
16-
ESP_AUTH_MD5, /* hmac(md5)-96 */
17-
ESP_AUTH_GCM_RFC4106, /* placeholder to indicate gcm auth. */
18-
ESP_AUTH_GCM_RFC4543 /* rfc4543 gmac */
15+
ESP_AUTH_MD5_RFC2403, /* hmac(md5)-96 */
16+
ESP_AUTH_SHA1_RFC2404, /* hmac(sha1)-96 */
17+
ESP_AUTH_SHA256_RFC4868, /* hmac(sha256)-96 */
18+
ESP_AUTH_GCM_RFC4106, /* placeholder to indicate gcm auth. */
19+
ESP_AUTH_GCM_RFC4543 /* rfc4543 gmac */
1920
} esp_auth_t;
2021

2122
/* Minimal ESP Security Association structure.
@@ -44,7 +45,7 @@ struct wolfIP_esp_sa in_sa_list[WOLFIP_ESP_NUM_SA] =
4445
0x020A0A0A, /* dst */
4546
0,0, /* oseq, seq */
4647
0, /* iv len */
47-
ESP_AUTH_MD5,
48+
ESP_AUTH_SHA256_RFC4868,
4849
{0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
4950
0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01},
5051
16,
@@ -60,7 +61,7 @@ struct wolfIP_esp_sa out_sa_list[WOLFIP_ESP_NUM_SA] =
6061
0x010A0A0A, /* dst */
6162
0,0, /* oseq, seq */
6263
0, /* iv len */
63-
ESP_AUTH_MD5,
64+
ESP_AUTH_SHA256_RFC4868,
6465
{0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
6566
0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02},
6667
16,
@@ -223,11 +224,14 @@ esp_calc_icv_hmac(uint8_t * hash, const struct wolfIP_esp_sa * esp_sa,
223224
uint32_t auth_len = esp_len;
224225

225226
switch (esp_sa->auth) {
226-
case ESP_AUTH_SHA1:
227+
case ESP_AUTH_MD5_RFC2403:
228+
type = WC_MD5;
229+
break;
230+
case ESP_AUTH_SHA1_RFC2404:
227231
type = WC_SHA;
228232
break;
229-
case ESP_AUTH_MD5:
230-
type = WC_MD5;
233+
case ESP_AUTH_SHA256_RFC4868:
234+
type = WC_SHA256;
231235
break;
232236
case ESP_AUTH_NONE:
233237
default:
@@ -295,12 +299,13 @@ esp_check_icv_hmac(const struct wolfIP_esp_sa * esp_sa, uint8_t * esp_data,
295299
uint32_t esp_len)
296300
{
297301
/* SHA1 and MD5 have these digest sizes:
298-
* - WC_SHA_DIGEST_SIZE 20 bytes
299-
* - WC_MD5_DIGEST_SIZE 16 bytes
302+
* - WC_MD5_DIGEST_SIZE 16 bytes
303+
* - WC_SHA_DIGEST_SIZE 20 bytes
304+
* - WC_SHA256_DIGEST_SIZE 32 bytes
300305
* */
301306
int rc = 0;
302307
const uint8_t * icv = NULL;
303-
byte hash[WC_SHA_DIGEST_SIZE];
308+
byte hash[WC_SHA256_DIGEST_SIZE];
304309

305310
rc = esp_calc_icv_hmac(hash, esp_sa, esp_data, esp_len);
306311
if (rc) {

0 commit comments

Comments
 (0)