support esp sha256 with diff truncated lengths.

philljj · philljj · commit f7725bf108d9 · 2025-09-18T16:24:00.000-05:00
diff --git a/scripts/ip-xfrm/esp_sa.txt b/scripts/ip-xfrm/esp_sa.txt
@@ -1,3 +1,3 @@
 # This file is automatically generated, DO NOT MODIFY.
-"IPv4","10.10.10.2","10.10.10.1","0xf6e9b80d","NULL","","HMAC-MD5-96 [RFC2403]","0x02020202020202020202020202020202","32-bit","0"
-"IPv4","10.10.10.1","10.10.10.2","0x2fa9d8c8","NULL","","HMAC-MD5-96 [RFC2403]","0x01010101010101010101010101010101","32-bit","0"
+"IPv4","10.10.10.2","10.10.10.1","0xf6e9b80d","NULL","","HMAC-SHA-256-128 [RFC4868]","0x02020202020202020202020202020202","32-bit","0"
+"IPv4","10.10.10.1","10.10.10.2","0x2fa9d8c8","NULL","","HMAC-SHA-256-128 [RFC4868]","0x01010101010101010101010101010101","32-bit","0"
diff --git a/scripts/ip-xfrm/hmac_auth b/scripts/ip-xfrm/hmac_auth
@@ -12,6 +12,7 @@ print_usage_and_die() {
 
 alg=sha1
 ip_proto=tcp
+len=96
 
 if [ $# -eq 0 ]; then
   print_usage_and_die
@@ -23,7 +24,7 @@ fi
 
 if [ $# -eq 2 ]; then
   alg=$1
-  ip_proto=$2
+  len=$2
 fi
 
 # State
@@ -34,7 +35,7 @@ sudo ip xfrm state add \
   spi 0x2fa9d8c8 \
   mode transport \
   replay-window 64 \
-  auth $alg 0x01010101010101010101010101010101 \
+  auth-trunc $alg 0x01010101010101010101010101010101 $len \
   enc cipher_null "" \
   sel src 10.10.10.1 dst 10.10.10.2
 
@@ -44,7 +45,7 @@ sudo ip xfrm state add \
   spi 0xf6e9b80d \
   mode transport \
   replay-window 64 \
-  auth $alg 0x02020202020202020202020202020202 \
+  auth-trunc $alg 0x02020202020202020202020202020202 $len \
   enc cipher_null "" \
   sel src 10.10.10.2 dst 10.10.10.1
 
diff --git a/src/wolfesp.c b/src/wolfesp.c
@@ -8,13 +8,14 @@
 #define ESP_ICV_ALIGNMENT    4
 /* hmac-[sha256, sha1, md5]-96*/
 #define ESP_ICVLEN_HMAC_96   12
+#define ESP_ICVLEN_HMAC_128  16
 #define WOLFIP_ESP_NUM_SA    1
 
 typedef enum {
   ESP_AUTH_NONE = 0,
   ESP_AUTH_MD5_RFC2403,    /* hmac(md5)-96 */
   ESP_AUTH_SHA1_RFC2404,   /* hmac(sha1)-96 */
-  ESP_AUTH_SHA256_RFC4868, /* hmac(sha256)-96 */
+  ESP_AUTH_SHA256_RFC4868, /* hmac(sha256)-N, N=96,128  */
   ESP_AUTH_GCM_RFC4106,    /* placeholder to indicate gcm auth. */
   ESP_AUTH_GCM_RFC4543     /* rfc4543 gmac */
 } esp_auth_t;
@@ -49,7 +50,7 @@ struct wolfIP_esp_sa in_sa_list[WOLFIP_ESP_NUM_SA] =
         {0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
          0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01},
         16,
-        ESP_ICVLEN_HMAC_96
+        ESP_ICVLEN_HMAC_128
     },
 };
 
@@ -65,7 +66,7 @@ struct wolfIP_esp_sa out_sa_list[WOLFIP_ESP_NUM_SA] =
         {0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
          0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02},
         16,
-        ESP_ICVLEN_HMAC_96
+        ESP_ICVLEN_HMAC_128
     },
 };
 
