From: Herbert Xu <herbert@gondor.apana.org.au>
To: "Hsieh, Che-Min" <cheminh@qti.qualcomm.com>
Cc: "linux-crypto@vger.kernel.org" <linux-crypto@vger.kernel.org>,
"Bronstein, Dan" <dbronste@qti.qualcomm.com>
Subject: Re: question about rfc404 support.
Date: Fri, 13 Sep 2013 21:09:04 +1000 [thread overview]
Message-ID: <20130913110904.GA7881@gondor.apana.org.au> (raw)
In-Reply-To: <A83C99F8370D4D42BEB2D2B3153A6BBC23D6C796@NASANEXD02C.na.qualcomm.com>
On Wed, Sep 11, 2013 at 07:16:13PM +0000, Hsieh, Che-Min wrote:
> Herbert:
>
> Can you confirm the following. Thanks.
>
> Rfc2404 - The Use of HMAC-SHA-1-96 within ESP and AH
>
> For the support, I can't find any algorithm to be specified in the .craname of ahash_alg for Rfc2404.
>
> From
> http://www.freebsd.org/cgi/man.cgi?query=setkey&sektion=8
> it says the following :
>
> ALGORITHMS
> The following list shows the supported algorithms. The protocol and algorithm are almost completely orthogonal. The following list of authentication algorithms can be used as aalgo in the -A aalgo of the protocol parameter:
>
> algorithm keylen (bits) comment
>
> hmac-sha1 160 ah: rfc2404
>
>
> That leads me to believe, from crypto driver stand point, there is no need to have a new algorithm for hmac-sha-1-96 support. Instead, the agent SW(such as ipsec) should use "hmac(sha1)", and do the truncation of digested data from 160 bits to 96 bits.
>
> I run a quick test. The input file to setkey command is defined as such ----
>
> flush;
> spdflush;
> add 10.2.243.75 10.2.243.29 ah 0x604 -A hmac-sha1 0x8D967D88F6CAA9D714800AB3D48051D63F73A312;
> add 10.2.243.29 10.2.243.75 ah 0x605 -A hmac-sha1 0x8D967D88F6CAA9D714800AB3D48051D63F73A314;
> spdadd 10.2.243.75 10.2.243.29 any -P in ipsec ah/transport//use;
> spdadd 10.2.243.29 10.2.243.75 any -P out ipsec ah/transport//use;
>
>
> I use tcpdump. Clearly I can see 24 bytes of AH header of the ipsec packets. The header has 12 bytes of fixed information - Next (1), Ah len (1) ,Reserved (2), Spi (4) ,Sequence (4), and Auth result. (12 bytes)
>
>
> Can you confirm the above? Thanks.
Yes, see net/xfrm/xfrm_algo.c.
Cheers,
--
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
prev parent reply other threads:[~2013-09-13 11:09 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-09-11 19:16 question about rfc404 support Hsieh, Che-Min
2013-09-13 11:09 ` Herbert Xu [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130913110904.GA7881@gondor.apana.org.au \
--to=herbert@gondor.apana.org.au \
--cc=cheminh@qti.qualcomm.com \
--cc=dbronste@qti.qualcomm.com \
--cc=linux-crypto@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox