On Tuesday, 26 May 2015, 15:57:59, Herbert Xu wrote:

Hi Herbert,

>On Tue, May 26, 2015 at 09:56:17AM +0200, Stephan Mueller wrote:
>> Actually, I mean the real in-kernel crypto API: the IKE daemon would set up
>> the SA via XFRM where the rfc4106(gcm(aes)) cipher is set, is it not? So,
>> user space is responsible to set the right IPSEC cipher.
>>
>> As that user space cipher name is now changed, user space would need to be
>> aware of that modification, would it not?
>
>No the change was done in a backwards compatible way. So if you
>allocate rfc4106(gcm(aes)) and use the givencrypt interface (not
>encrypt) then you still get the old behaviour.

I fully understand that. But the current patch set that we discuss modifies
the IPSEC implementation of esp_output to use the new interface. Therefore, to
use rfc4106(gcm(aes)) *with* the IV generator (i.e. to get the old removed
givcrypt logic), the AEAD cipher handle must be allocated with
seqniv(rfc4106(gcm(aes))), would it not?

Therefore, I would assume that user space has to use the new cipher name when
setting up IPSEC that uses the new interface.

Ciao
Stephan