From: MichaƂ Skalski
Date: Mon, 22 Feb 2021 15:41:23 +0000 (+0100)
Subject: save-keys: Add support for full-length HMAC-SHA256 for ESP
X-Git-Tag: 5.9.2~1^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b6b8880340ea349f416666edf94f491fe1cdd4aa;p=thirdparty%2Fstrongswan.git

save-keys: Add support for full-length HMAC-SHA256 for ESP

Wireshark doesn't really support it, but this way it at least decodes the ESP packets correctly and the encryption keys are saved and the packets can be decrypted. The full-length versions of SHA-384 and SHA-512 are not supported by Wireshark as 256-bit is the longest ICV it is able to decode currently.
---
diff --git a/src/libcharon/plugins/save_keys/save_keys_listener.c b/src/libcharon/plugins/save_keys/save_keys_listener.c
index fc16f20e66..60b75fdeac 100644
--- a/src/libcharon/plugins/save_keys/save_keys_listener.c
+++ b/src/libcharon/plugins/save_keys/save_keys_listener.c
@@ -234,6 +234,7 @@ static algo_map_t esp_integ[] = {
 { AUTH_HMAC_SHA2_384_192, -1, "HMAC-SHA-384-192 [RFC4868]" },
 { AUTH_HMAC_SHA2_512_256, -1, "HMAC-SHA-512-256 [RFC4868]" },
 { AUTH_HMAC_SHA2_256_96, -1, "HMAC-SHA-256-96 [draft-ietf-ipsec-ciph-sha-256-00]" },
+ { AUTH_HMAC_SHA2_256_256, -1, "ANY 256 bit authentication [no checking]" },
 { AUTH_UNDEFINED, 64, "ANY 64 bit authentication [no checking]" },
 { AUTH_UNDEFINED, 96, "ANY 96 bit authentication [no checking]" },
 { AUTH_UNDEFINED, 128, "ANY 128 bit authentication [no checking]" },
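Review bot: The added `AUTH_HMAC_SHA2_256_256` row in `esp_integ` is the only named algorithm in the visible rows that maps to a generic "[no checking]" label, and the reason for that is recorded only in the commit message, not in the code. A short comment above the row would keep the intent next to the table, for example `/* Wireshark has no entry for full-length HMAC-SHA-256; use the generic 256-bit label so the ICV length is decoded, the ICV itself is not verified */`. As the label suggests, Wireshark presumably does not validate the ICV for SAs written with this entry, so the plugin documentation should say that traffic decrypted this way is not integrity-checked by the dissector. The `esp_integ` initializer starts before and continues past this hunk, so any later rows are not visible here.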