From: "Adrian-Ken Rüegsegger" <rueegsegger@swiss-it.ch>
To: Martin Willi <martin@strongswan.org>
Cc: herbert@gondor.apana.org.au, davem@davemloft.net,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH 2.6.26rc5] xfrm: SHA-256/384/512 HMAC support for IPsec
Date: Thu, 05 Jun 2008 16:07:12 +0200 [thread overview]
Message-ID: <4847F310.7020207@swiss-it.ch> (raw)
In-Reply-To: <1212671211.6339.58.camel@martin>
Martin Willi wrote:
> RFC4868 defines the use of SHA256, SHA384 and SHA512 in HMAC using 128,
> 192 and 256 bits truncation. This patch replaces the outdated SHA256
> algorithm with 96 bits truncation by the 128 bit variant and adds the
> SHA384/512 algorithms.
>
> Signed-off-by: Martin Willi <martin@strongswan.org>
>
> ---
> Replacing the 96 bit truncation SHA256 algorithm might be problematic,
> but it is obsolete in IPsec and I don't see a way to register two
> different truncation lengths in XFRM.
You could register a new SADB algorithm id in pfkeyv2.h and add a new
entry to the aalg_list analogous to how GCM is doing that in the aead_list.
Adrian
> --- a/net/xfrm/xfrm_algo.c 2008-06-05 14:01:01.000000000 +0200
> +++ b/net/xfrm/xfrm_algo.c 2008-06-05 14:39:31.000000000 +0200
> @@ -187,7 +187,7 @@
>
> .uinfo = {
> .auth = {
> - .icv_truncbits = 96,
> + .icv_truncbits = 128,
> .icv_fullbits = 256,
> }
> },
> @@ -200,6 +200,42 @@
> }
> },
> {
> + .name = "hmac(sha384)",
> + .compat = "sha384",
> +
> + .uinfo = {
> + .auth = {
> + .icv_truncbits = 192,
> + .icv_fullbits = 384,
> + }
> + },
> +
> + .desc = {
> + .sadb_alg_id = SADB_X_AALG_SHA2_384HMAC,
> + .sadb_alg_ivlen = 0,
> + .sadb_alg_minbits = 384,
> + .sadb_alg_maxbits = 384
> + }
> +},
> +{
> + .name = "hmac(sha512)",
> + .compat = "sha512",
> +
> + .uinfo = {
> + .auth = {
> + .icv_truncbits = 256,
> + .icv_fullbits = 512,
> + }
> + },
> +
> + .desc = {
> + .sadb_alg_id = SADB_X_AALG_SHA2_512HMAC,
> + .sadb_alg_ivlen = 0,
> + .sadb_alg_minbits = 512,
> + .sadb_alg_maxbits = 512
> + }
> +},
> +{
> .name = "hmac(rmd160)",
> .compat = "rmd160",
>
next prev parent reply other threads:[~2008-06-05 14:25 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-06-05 13:06 [PATCH 2.6.26rc5] xfrm: SHA-256/384/512 HMAC support for IPsec Martin Willi
2008-06-05 14:07 ` Adrian-Ken Rüegsegger [this message]
2008-06-05 14:45 ` Martin Willi
2008-06-05 14:58 ` Adrian-Ken Rüegsegger
2008-06-06 7:53 ` Herbert Xu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4847F310.7020207@swiss-it.ch \
--to=rueegsegger@swiss-it.ch \
--cc=davem@davemloft.net \
--cc=herbert@gondor.apana.org.au \
--cc=linux-kernel@vger.kernel.org \
--cc=martin@strongswan.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox