[PATCH] [IPSEC]: Change the ICV length of sha256 to 128 bits

[PATCH] [IPSEC]: Change the ICV length of sha256 to 128 bits

[Jason Gunthorpe]

The existing setting is 96 bits which does not match the RFCs and is
not negotiable via IKEv2. RFC 4868 says the ICV should be 128 bits,
and IKEv2 uses AUTH_HMAC_SHA2_256_128 = 12 to identify it.

git blame says this setting was made before RFC 4868 was published,
so I'm not sure that it was chosen with any standard in mind.

NOTE: This 'breaks' the user space API, however at least StrongSwan
4.2.9's charon already associates AUTH_HMAC_SHA2_256_128 with
the transform name 'sha256'.

Signed-off-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
---
 net/xfrm/xfrm_algo.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/net/xfrm/xfrm_algo.c b/net/xfrm/xfrm_algo.c
index 4141376..d136b72 100644
--- a/net/xfrm/xfrm_algo.c
+++ b/net/xfrm/xfrm_algo.c
@@ -187,7 +187,7 @@ static struct xfrm_algo_desc aalg_list[] = {
 
 	.uinfo = {
 		.auth = {
-			.icv_truncbits = 96,
+			.icv_truncbits = 128,
 			.icv_fullbits = 256,
 		}
 	},
-- 
1.5.4.2

Re: [PATCH] [IPSEC]: Change the ICV length of sha256 to 128 bits

[Herbert Xu]

On Tue, Dec 23, 2008 at 11:02:25PM -0700, Jason Gunthorpe wrote:
> The existing setting is 96 bits which does not match the RFCs and is
> not negotiable via IKEv2. RFC 4868 says the ICV should be 128 bits,
> and IKEv2 uses AUTH_HMAC_SHA2_256_128 = 12 to identify it.
> 
> git blame says this setting was made before RFC 4868 was published,
> so I'm not sure that it was chosen with any standard in mind.
> 
> NOTE: This 'breaks' the user space API, however at least StrongSwan
> 4.2.9's charon already associates AUTH_HMAC_SHA2_256_128 with
> the transform name 'sha256'.
> 
> Signed-off-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>

The 96 bits is actually still correct for the auth algorithm IDs
5, 6, and 7.  The parameters in 4868 have been assigned new IDs
starting from 12.

So what we should do is support both.

This is easy to do for af_key as it uses IDs to identify the
algorithms.  To make this work for xfrm, we need to extend the
auth algorithm specification to include the truncation length,
just like AEAD.

So if you feel adventurous, please prepare a patch to create a
new xfrm attribute XFRMA_AUTH2 that uses xfrm_algo_aead instead
of xfrm_algo, and allow that in place of XFRMA_AUTH.

After that we can restructure the auth algorithm list to be like
AEAD and then you can add a new set of SHA algorithms for RFC 4868.

Thanks,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

Re: [PATCH] [IPSEC]: Change the ICV length of sha256 to 128 bits

[Jason Gunthorpe]

On Wed, Dec 24, 2008 at 07:59:40PM +1100, Herbert Xu wrote:
> On Tue, Dec 23, 2008 at 11:02:25PM -0700, Jason Gunthorpe wrote:
> > The existing setting is 96 bits which does not match the RFCs and is
> > not negotiable via IKEv2. RFC 4868 says the ICV should be 128 bits,
> > and IKEv2 uses AUTH_HMAC_SHA2_256_128 = 12 to identify it.
> > 
> > git blame says this setting was made before RFC 4868 was published,
> > so I'm not sure that it was chosen with any standard in mind.
> > 
> > NOTE: This 'breaks' the user space API, however at least StrongSwan
> > 4.2.9's charon already associates AUTH_HMAC_SHA2_256_128 with
> > the transform name 'sha256'.
> > 
> > Signed-off-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
 
> The 96 bits is actually still correct for the auth algorithm IDs
> 5, 6, and 7.  The parameters in 4868 have been assigned new IDs
> starting from 12.

Oh? Ok, I didn't realize there was something that defined those usages
on PF_KEY. They are not defined for use with IKEv2 at all..

BTW, is there some reason why SADB_X_AALG_SHA2_384HMAC and
SADB_X_AALG_SHA2_512HMAC are absent from the table in xfrm_algos?

> This is easy to do for af_key as it uses IDs to identify the
> algorithms.  To make this work for xfrm, we need to extend the
> auth algorithm specification to include the truncation length,
> just like AEAD.

Yes, I was already thinking this was the best way to support the
128/160 bit ICV lens for MD5/SHA1 that are now defined.

> So if you feel adventurous, please prepare a patch to create a
> new xfrm attribute XFRMA_AUTH2 that uses xfrm_algo_aead instead
> of xfrm_algo, and allow that in place of XFRMA_AUTH.

Thats not too hard, I might have a little time to do that over the
break.

> After that we can restructure the auth algorithm list to be like
> AEAD and then you can add a new set of SHA algorithms for RFC 4868.

It seems like those can be added today, they already have unique
names: hmac(sha384), hmac(sha512)

BTW, Herbert, if this is the way to go can you fix StrongSwan?
Mapping AUTH_HMAC_SHA2_256_128 to 'sha256' in
src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c is not
correct based on this discussion. It needs to be 'hmac(sha256)' and
use this XFRMA_AUTH2 idea. Similarly for all the SHA-2 family of
functions I guess.

Thanks,
Jason

Re: [PATCH] [IPSEC]: Change the ICV length of sha256 to 128 bits

[Herbert Xu]

On Wed, Dec 24, 2008 at 11:33:55AM -0700, Jason Gunthorpe wrote:
>
> BTW, Herbert, if this is the way to go can you fix StrongSwan?

No I can't since I'm not a Strongswan developer :)

I've cced the people who can though.

> Mapping AUTH_HMAC_SHA2_256_128 to 'sha256' in
> src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c is not
> correct based on this discussion. It needs to be 'hmac(sha256)' and
> use this XFRMA_AUTH2 idea. Similarly for all the SHA-2 family of
> functions I guess.

Strongswan needs to drop SHA2-256-128 for now since we don't support
it currently.  Once we have XFRMA_AUTH2 it can be restored of course.

Thanks,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

Re: [PATCH] [IPSEC]: Change the ICV length of sha256 to 128 bits

[Martin Willi]

Hi,

> > > git blame says this setting was made before RFC 4868 was published,
> > > so I'm not sure that it was chosen with any standard in mind.
> > > 
> > > NOTE: This 'breaks' the user space API, however at least StrongSwan
> > > 4.2.9's charon already associates AUTH_HMAC_SHA2_256_128 with
> > > the transform name 'sha256'.

We already discussed this in
http://kerneltrap.org/mailarchive/linux-kernel/2008/6/5/2039114 ,
but it was too much effort for me to fix this properly then.

> > The 96 bits is actually still correct for the auth algorithm IDs
> > 5, 6, and 7.  The parameters in 4868 have been assigned new IDs
> > starting from 12.
> 
> Oh? Ok, I didn't realize there was something that defined those usages
> on PF_KEY. They are not defined for use with IKEv2 at all..

In PF_KEY, SADB_X_AALG_SHA2_256HMAC (5) was defined in
draft-ietf-ipsec-ciph-sha-256-00 to 96 bit truncation (what is currently
implemented). draft-ietf-ipsec-ciph-sha-256-01 defined it to 128 bit
truncation (what is now RFC 4868).
Those numbers starting from 12 are IKEv2 algorithm identifiers and are
never passed to the kernel.

> BTW, is there some reason why SADB_X_AALG_SHA2_384HMAC and
> SADB_X_AALG_SHA2_512HMAC are absent from the table in xfrm_algos?

Yes, it was not specified in draft-ietf-ipsec-ciph-sha-256-00, but is
defined in RFC 4868.

> BTW, Herbert, if this is the way to go can you fix StrongSwan?
> Mapping AUTH_HMAC_SHA2_256_128 to 'sha256' in
> src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c is not
> correct based on this discussion. It needs to be 'hmac(sha256)' and
> use this XFRMA_AUTH2 idea. Similarly for all the SHA-2 family of
> functions I guess.

Yes I'm aware of that. I'll fix it a soon as it is available in the
kernel. 

Regards
Martin

Re: [PATCH] [IPSEC]: Change the ICV length of sha256 to 128 bits

[Herbert Xu]

On Mon, Dec 29, 2008 at 02:05:19PM +0100, Martin Willi wrote:
>
> In PF_KEY, SADB_X_AALG_SHA2_256HMAC (5) was defined in
> draft-ietf-ipsec-ciph-sha-256-00 to 96 bit truncation (what is currently
> implemented). draft-ietf-ipsec-ciph-sha-256-01 defined it to 128 bit
> truncation (what is now RFC 4868).
> Those numbers starting from 12 are IKEv2 algorithm identifiers and are
> never passed to the kernel.

What are you talking about? Neither of those two drafts talks
about the ID used between the KM and the kernel.  So the PF_KEY
ID is simply irrelevant.

What is important though is what's deployed in the field with
respect to IKE.  All the BSDs support 96-bit truncation so we
should continue to do that as well.

Cheers,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt