From: Chinh Nguyen <cnguyen@certicom.com>
To: Netfilter Developer Mailing List <netfilter-devel@lists.netfilter.org>
Subject: SHA-2 HMAC support in linux kernel
Date: Fri, 16 Mar 2007 16:25:53 -0500 [thread overview]
Message-ID: <45FB0B61.8060809@certicom.com> (raw)
In-Reply-To: <45FAF4FE.5000105@cpsc.ucalgary.ca>
Hi,
I believe that this is the right list for my question. I'm trying to get
SHA-2 HMAC support working ipsec in linux kernel (I'm configuring via
pfkey).
First, sha-384 and sha-512 as authentication algorithm always return
function not support. But I noted that my linux kernel has a sha512
kernel module (with alias for sha384). Second, sha-256 uses a 12-byte
hmac (96 bits).
Looking at the source http://lxr.linux.no/source/net/xfrm/xfrm_algo.c,
it seems to confirm that this is true. In fact, sha-384 and sha-512 are
not supported at this time and sha-256 is truncated to 96-bit.
However, the following ietf draft, which I believe is very closed to
ratification (it has already been assigned iana numbers), specifies
sha-256 to use 128-bits as hmac (page 18):
http://www.ietf.org/internet-drafts/draft-kelly-ipsec-ciph-sha2-01.txt
sha-384 is 192 bits, and sha-512 is 256 bits.
1. Is adding sha-384 and sha-512 as simple as adding to the aalg_list
structure? Can this be done for some subsequent kernel release in the
future?
2. Can the sha-256 be changed to use 128 bits? Or in order to not break
backward compatibility, another sha-256 hmac algorithm id be used for
128 bits?
Thanks,
Chinh
next prev parent reply other threads:[~2007-03-16 21:25 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-03-16 19:50 Using libnetfilter_queue Rennie deGraaf
2007-03-16 21:25 ` Chinh Nguyen [this message]
2007-03-16 20:31 ` SHA-2 HMAC support in linux kernel YOSHIFUJI Hideaki / 吉藤英明
2007-03-16 20:32 ` Jan Engelhardt
2007-03-16 21:42 ` Chinh Nguyen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=45FB0B61.8060809@certicom.com \
--to=cnguyen@certicom.com \
--cc=netfilter-devel@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).