From: Chinh Nguyen <cnguyen@certicom.com>
To: Netfilter Developer Mailing List <netfilter-devel@lists.netfilter.org>
Subject: SHA-2 HMAC support in linux kernel
Date: Fri, 16 Mar 2007 16:25:53 -0500 [thread overview]
Message-ID: <45FB0B61.8060809@certicom.com> (raw)
In-Reply-To: <45FAF4FE.5000105@cpsc.ucalgary.ca>
Hi,
I believe that this is the right list for my question. I'm trying to get
SHA-2 HMAC support working ipsec in linux kernel (I'm configuring via
pfkey).
First, sha-384 and sha-512 as authentication algorithm always return
function not support. But I noted that my linux kernel has a sha512
kernel module (with alias for sha384). Second, sha-256 uses a 12-byte
hmac (96 bits).
Looking at the source http://lxr.linux.no/source/net/xfrm/xfrm_algo.c,
it seems to confirm that this is true. In fact, sha-384 and sha-512 are
not supported at this time and sha-256 is truncated to 96-bit.
However, the following ietf draft, which I believe is very closed to
ratification (it has already been assigned iana numbers), specifies
sha-256 to use 128-bits as hmac (page 18):
http://www.ietf.org/internet-drafts/draft-kelly-ipsec-ciph-sha2-01.txt
sha-384 is 192 bits, and sha-512 is 256 bits.
1. Is adding sha-384 and sha-512 as simple as adding to the aalg_list
structure? Can this be done for some subsequent kernel release in the
future?
2. Can the sha-256 be changed to use 128 bits? Or in order to not break
backward compatibility, another sha-256 hmac algorithm id be used for
128 bits?
Thanks,
Chinh
next prev parent reply other threads:[~2007-03-16 21:25 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-03-16 19:50 Using libnetfilter_queue Rennie deGraaf
2007-03-16 21:25 ` Chinh Nguyen [this message]
2007-03-16 20:31 ` SHA-2 HMAC support in linux kernel YOSHIFUJI Hideaki / 吉藤英明
2007-03-16 20:32 ` Jan Engelhardt
2007-03-16 21:42 ` Chinh Nguyen
-- strict thread matches above, loose matches on Subject: below --
2007-03-16 21:51 Chinh Nguyen
2007-04-02 23:04 ` Michael Richardson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=45FB0B61.8060809@certicom.com \
--to=cnguyen@certicom.com \
--cc=netfilter-devel@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.