Re: [PATCH 5/7] esp6: Switch to new AEAD interface

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Am Dienstag, 26. Mai 2015, 15:21:52 schrieb Herbert Xu:

Hi Herbert,

>On Tue, May 26, 2015 at 08:39:56AM +0200, Stephan Mueller wrote:
>> May I also ask where I can find the generated IV when using
>> rfc4106(gcm(aes))?
>You need to use the IV generator, seqniv(rfc4106(gcm(aes)))

Thank you, that simple change does the trick.

However, now, may I ask you how the following shall be handled:

- the current IKE implementations use rfc4106(gcm(aes)). They would need to 
use seqniv(rfc4106(gcm(aes))) depending on the kernel version. So, we have a 
clear change in the user space API where the old configuration even works 
(i.e. no error), but does not produce the correct encryption that is required.

- For outbound encryption of IPSEC, we need seqniv() as the IV needs to be 
generated. But for inbound, we do not need seqniv() as the IV is already given 
(before the patch, only esp_output used the givcrypt API whereas esp_input 
used the "normal" AEAD API). I would be interested on how that difference is 
to be handled.

Ciao
Stephan
--
To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html




[Index of Archives]     [Kernel]     [Gnu Classpath]     [Gnu Crypto]     [DM Crypt]     [Netfilter]     [Bugtraq]

  Powered by Linux