From b5386e15c14dd35dcd82a748b00a7a741b1238f9 Mon Sep 17 00:00:00 2001
From: vanhu
Date: Fri, 18 Feb 2011 09:40:13 +0000
Subject: Fixed IPsec's HMAC_SHA256-512 support to be RFC4868 compliant.
This will break interoperability with all older versions of FreeBSD for those algorithms.
Reviewed by: bz, gnn
Obtained from: NETASQ
MFC after: 1w
---
 sys/netipsec/key.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
(limited to 'sys/netipsec/key.c')
diff --git a/sys/netipsec/key.c b/sys/netipsec/key.c
index e57eb44..56942e7 100644
--- a/sys/netipsec/key.c
+++ b/sys/netipsec/key.c
@@ -6095,6 +6095,9 @@ key_getsizes_ah(
 	case SADB_X_AALG_MD5: *min = *max = 16; break;
 	case SADB_X_AALG_SHA: *min = *max = 20; break;
 	case SADB_X_AALG_NULL: *min = 1; *max = 256; break;
+	case SADB_X_AALG_SHA2_256: *min = *max = 32; break;
+	case SADB_X_AALG_SHA2_384: *min = *max = 48; break;
+	case SADB_X_AALG_SHA2_512: *min = *max = 64; break;
 	default:
 		DPRINTF(("%s: unknown AH algorithm %u\n",
 		    __func__, alg));
@@ -6120,7 +6123,11 @@ key_getcomb_ah()
 	for (i = 1; i <= SADB_AALG_MAX; i++) {
 #if 1
 		/* we prefer HMAC algorithms, not old algorithms */
-		if (i != SADB_AALG_SHA1HMAC && i != SADB_AALG_MD5HMAC)
+		if (i != SADB_AALG_SHA1HMAC &&
+		    i != SADB_AALG_MD5HMAC &&
+		    i != SADB_X_AALG_SHA2_256 &&
+		    i != SADB_X_AALG_SHA2_384 &&
+		    i != SADB_X_AALG_SHA2_512)
 			continue;
 #endif
 	algo = ah_algorithm_lookup(i);
-- 
cgit v1.1
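Review bot: The three new cases in key_getsizes_ah pin the HMAC-SHA2 key length to 32/48/64 bytes without saying where those numbers come from, so the next reader has nothing to stop them "relaxing" the check back to a range; a one-line comment above the SHA2_256 case would anchor it, e.g. `/* RFC 4868 sec. 2.4: HMAC-SHA2 keys are fixed at the hash output length */`. Because min and max are equal, an SA proposed with any other key length for these algorithms is rejected at this point, which is the interoperability break the commit message announces. The matching ICV truncation length that RFC 4868 also fixes is not in this hunk and presumably lives with the transform definitions; worth confirming it was changed in the same commit. key_getsizes_ah starts and ends outside the hunk.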
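Review bot: The rewritten condition in key_getcomb_ah is now a second hand-maintained list of the same HMAC identifiers that key_getsizes_ah handles in the first hunk, and the three new comparisons only ever fire if SADB_X_AALG_SHA2_256/384/512 are numerically at or below SADB_AALG_MAX, the loop bound two lines above; that is not visible here, so confirm it against pfkeyv2.h or the new branches are dead code. The comment above the condition, `/* we prefer HMAC algorithms, not old algorithms */`, still reads as if only the SHA1/MD5 pair were whitelisted; `/* only offer HMAC algorithms (MD5, SHA1, SHA2-256/384/512); skip the legacy keyed-hash ones */` would say what the filter now does. key_getcomb_ah continues outside the hunk on both sides.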