From: "Adrian-Ken Rüegsegger" <rueegsegger@swiss-it.ch>
To: Martin Willi <martin@strongswan.org>
Cc: herbert@gondor.apana.org.au, davem@davemloft.net,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH 2.6.26rc5] xfrm: SHA-256/384/512 HMAC support for IPsec
Date: Thu, 05 Jun 2008 16:07:12 +0200 [thread overview]
Message-ID: <4847F310.7020207@swiss-it.ch> (raw)
In-Reply-To: <1212671211.6339.58.camel@martin>
Martin Willi wrote:
> RFC4868 defines the use of SHA256, SHA384 and SHA512 in HMAC using 128,
> 192 and 256 bits truncation. This patch replaces the outdated SHA256
> algorithm with 96 bits truncation by the 128 bit variant and adds the
> SHA384/512 algorithms.
>
> Signed-off-by: Martin Willi <martin@strongswan.org>
>
> ---
> Replacing the 96 bit truncation SHA256 algorithm might be problematic,
> but it is obsolete in IPsec and I don't see a way to register two
> different truncation lengths in XFRM.
You could register a new SADB algorithm id in pfkeyv2.h and add a new
entry to the aalg_list analogous to how GCM is doing that in the aead_list.
Adrian
> --- a/net/xfrm/xfrm_algo.c 2008-06-05 14:01:01.000000000 +0200
> +++ b/net/xfrm/xfrm_algo.c 2008-06-05 14:39:31.000000000 +0200
> @@ -187,7 +187,7 @@
>
> .uinfo = {
> .auth = {
> - .icv_truncbits = 96,
> + .icv_truncbits = 128,
> .icv_fullbits = 256,
> }
> },
> @@ -200,6 +200,42 @@
> }
> },
> {
> + .name = "hmac(sha384)",
> + .compat = "sha384",
> +
> + .uinfo = {
> + .auth = {
> + .icv_truncbits = 192,
> + .icv_fullbits = 384,
> + }
> + },
> +
> + .desc = {
> + .sadb_alg_id = SADB_X_AALG_SHA2_384HMAC,
> + .sadb_alg_ivlen = 0,
> + .sadb_alg_minbits = 384,
> + .sadb_alg_maxbits = 384
> + }
> +},
> +{
> + .name = "hmac(sha512)",
> + .compat = "sha512",
> +
> + .uinfo = {
> + .auth = {
> + .icv_truncbits = 256,
> + .icv_fullbits = 512,
> + }
> + },
> +
> + .desc = {
> + .sadb_alg_id = SADB_X_AALG_SHA2_512HMAC,
> + .sadb_alg_ivlen = 0,
> + .sadb_alg_minbits = 512,
> + .sadb_alg_maxbits = 512
> + }
> +},
> +{
> .name = "hmac(rmd160)",
> .compat = "rmd160",
>
next prev parent reply other threads:[~2008-06-05 14:25 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-06-05 13:06 [PATCH 2.6.26rc5] xfrm: SHA-256/384/512 HMAC support for IPsec Martin Willi
2008-06-05 14:07 ` Adrian-Ken Rüegsegger [this message]
2008-06-05 14:45 ` Martin Willi
2008-06-05 14:58 ` Adrian-Ken Rüegsegger
2008-06-06 7:53 ` Herbert Xu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4847F310.7020207@swiss-it.ch \
--to=rueegsegger@swiss-it.ch \
--cc=davem@davemloft.net \
--cc=herbert@gondor.apana.org.au \
--cc=linux-kernel@vger.kernel.org \
--cc=martin@strongswan.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.