Project

General

Profile

Issue #2301

HMAC-SHA256 truncation length changes from 128 to 96 when kernel-pfkey is used

Added by Sudheer Anumolu over 8 years ago. Updated over 8 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Category:
kernel
Affected version:
5.4.0
Resolution:
No change required

Description

Hi

In strongswan.conf, i add kernel-pfkey to use a propriety pfkey module.
And even when propriety pfkey module is not loaded, i used to leave the kernel-pfkey entry in strongswan.conf and it was fine till SHA-1.

SHA256 HMAC truncation length varies in ip-xfrm-state o/p w.r.t kernel-pfkey entry in strongswan.conf and i observe packet flow issues in below transport mode setup.

I have two x86 machines connected as below:

Host-A : kernel-pfkey entry not added - 128bits hmac trunc length
Host-B : kernel-pfkey entry added - 96bits hmac trunc length

Host-B dump with pfkey entry
---------------------------- # grep pfkey /etc/strongswan.conf
load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc ctr gcm kernel-pfkey stroke kernel-netlink socket-default updown
  1. ip xfrm state
    src 192.168.10.2 dst 192.168.10.1
    proto esp spi 0xc665fc85 reqid 1 mode transport
    replay-window 32
    auth-trunc hmac(sha256) 0xa0edd6b7b05461f543d40d4ad2a194bf50aadce853cb8d983fec2f5fae8f5cad 96
    enc cbc(aes) 0x6694b1709e5d169c5ec61eb9cc4efb05
    sel src 0.0.0.0/0 dst 0.0.0.0/0
    src 192.168.10.1 dst 192.168.10.2
    proto esp spi 0xc4fcea46 reqid 1 mode transport
    replay-window 32
    auth-trunc hmac(sha256) 0x913dc4868a0c7ae6109f87a787ef6dc03655980044a9b1c9402f8c8089edc2d9 96
    enc cbc(aes) 0xa26ca3eb7998f12c549274dd07dd0a42
    sel src 0.0.0.0/0 dst 0.0.0.0/0 #

Host-B dump without pfkey entry
----------------------------

  1. grep pfkey /etc/strongswan.conf
  2. ip xfrm state
    src 192.168.10.2 dst 192.168.10.1
    proto esp spi 0xc21645b3 reqid 1 mode transport
    replay-window 32
    auth-trunc hmac(sha256) 0x5898dfa1bf2ff2b0b8f7f0117293d657aa0ff8d82033f0d2d3334d5ed670fa25 128
    enc cbc(aes) 0x216e2ce7b2868c618ba4a08ed4f5a702
    sel src 192.168.10.2/32 dst 192.168.10.1/32
    src 192.168.10.1 dst 192.168.10.2
    proto esp spi 0xc3136eb3 reqid 1 mode transport
    replay-window 32
    auth-trunc hmac(sha256) 0x2c3dc0c35c7e1448c5d1ec27bb29d686e7c6f694adcf28cc3a33e27e6acf06f9 128
    enc cbc(aes) 0xf9d48441290bd7f4a833109e439bcada
    sel src 192.168.10.1/32 dst 192.168.10.2/32 #

I believe that packet flow issue is due to difference in hmac trunc length.
Can someone tell how kernel-pfkey affects the hmac trunc length

Packet flow is fine, if kernel-pfkey entry added/removed entry in both the machines i:e when both hosts have same hmac trunc length.

Thanks
Sudheer

History

#1 Updated by Noel Kuntze over 8 years ago

  • Category set to kernel
  • Status changed from New to Feedback
  • Priority changed from High to Normal

I took a look at the kernel-pfkey plugin in version 5.5.2 and it looks fine. HMAC256_128 is defined with the identifier "5" in the pfkeyv2.h header file that Linux and strongSwan ship with, so that matches. Maybe your kernel uses SHA2 with 96 bit truncation for that identifier? What kernel are you using?
Use kernel-netlink. With netlink, it seems, you can use both the 128 bit and 96 truncation by specifying the corresponding hmac's keyword in the cipher settings.

#2 Updated by Sudheer Anumolu over 8 years ago

Thanks for response.

I use 4.4.0-31 kernel.

  1. uname -ar
    Linux ubnt-113 4.4.0-31-generic #50~14.04.1-Ubuntu SMP Wed Jul 13 01:07:32 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

Maybe your kernel uses SHA2 with 96 bit truncation for that identifier

Can you tell how to check this ? Is it SADB_X_AALG_SHA2_256HMAC

Use kernel-netlink. With netlink, it seems, you can use both the 128 bit and 96 truncation by specifying the corresponding >hmac's keyword in the cipher settings.

Shall try it but currently i need to use kernel-pfkey.

#3 Updated by Noel Kuntze over 8 years ago

Sudheer Anumolu wrote:

  1. uname -ar
    Linux ubnt-113 4.4.0-31-generic #50~14.04.1-Ubuntu SMP Wed Jul 13 01:07:32 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

That's relatively new. I'm surprised that happens.

Maybe your kernel uses SHA2 with 96 bit truncation for that identifier

Can you tell how to check this ? Is it SADB_X_AALG_SHA2_256HMAC

Well, you'll have to check the pfkeyv2.h header file and the kernel against the strongSwan source code and the kernel source code for pfkeyv2 and xfrm.
But again, only the one identifier for HMAC256 in pfkey.

Use kernel-netlink. With netlink, it seems, you can use both the 128 bit and 96 truncation by specifying the corresponding >hmac's keyword in the cipher settings.

Shall try it but currently i need to use kernel-pfkey.

Well, good effort then.

#4 Updated by Sudheer Anumolu over 8 years ago

Could this 'icv_truncbits = 96' be a problem ?

http://lxr.free-electrons.com/source/net/xfrm/xfrm_algo.c

{
239 .name = "hmac(sha256)",
240 .compat = "sha256",
241
242 .uinfo = {
243 .auth = {
244 .icv_truncbits = 96,
245 .icv_fullbits = 256,
246 }
247 },
248
249 .pfkey_supported = 1,
250
251 .desc = {
252 .sadb_alg_id = SADB_X_AALG_SHA2_256HMAC,
253 .sadb_alg_ivlen = 0,
254 .sadb_alg_minbits = 256,
255 .sadb_alg_maxbits = 256
256 }
257 },

#5 Updated by Noel Kuntze over 8 years ago

I doubt that file is recent. Get the source for your kernel and read that.

#6 Updated by Noel Kuntze over 8 years ago

  • Subject changed from sha256 hmac length changes with kernel-pfkey entry in stringswan.conf to HMAC-SHA256 truncation length changes from 128 to 96 when kernel-pfkey is used

#7 Updated by Sudheer Anumolu over 8 years ago

On 4.4.1 kernel, I modified in net/xfrm/xfrm_algo.c as below and issue is solved. With kernel-pfkey entry also, truncation length is 128.

{
.name = "hmac(sha256)",
.compat = "sha256",

.uinfo = {
                .auth = {
-                       .icv_truncbits = 96,
+                       .icv_truncbits = 128,
                        .icv_fullbits = 256,
                }
        },

Thanks for all the support.

Thanks
Sudheer

#8 Updated by Noel Kuntze over 8 years ago

This is weird. I'd expect there to be a second version of HMAC-256 to be somewhere in XFRM, because both 96 and 128 bit truncation are supported and can be used at the same time (for different SAs obviously). I wonder where the 128 bit version comes from?

#9 Updated by Tobias Brunner over 8 years ago

This is weird. I'd expect there to be a second version of HMAC-256 to be somewhere in XFRM, because both 96 and 128 bit truncation are supported and can be used at the same time (for different SAs obviously). I wonder where the 128 bit version comes from?

Via XFRM the truncation length can be set explicitly to an arbitrary value (source:src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c#L1485). But PF_KEYv2 is not XFRM (it's basically a wrapper around it). It does not provide that flexibility and uses a static list of algorithms with predefined truncation lengths (see the structure Sudheer cited above - these SADB_X_* constants are the PF_KEYv2 algorithm identifiers). Unfortunately, the truncation length in that structure, which is also used as default for XFRM if no explicit truncation length is specified, has never been changed (probably due to concerns regarding backwards compatibility). This is only one of the limitations of that interface. Basically, there is absolutely no reason to use PF_KEYv2 on Linux, ever.

#10 Updated by Noel Kuntze over 8 years ago

  • Status changed from Feedback to Closed
  • Resolution set to No change required

Alright, thank you for the explanation. It makes sense.

#11 Updated by Sudheer Anumolu over 8 years ago

Thanks for explanation.