On 21-12-2016 14:24, Herbert Xu wrote: > On Mon, Dec 19, 2016 at 04:08:11PM +0530, Harsh Jain wrote: >> Hi Herbert, >> >> TLS default mode of operation is MAC-then-Encrypt for Authenc algos. >> Currently framework only supports EtM used in IPSec. User space >> programs like openssl cannot use af-alg interface to encrypt/decrypt >> in TLS mode. >> Are we going to support Mac-then-Encrypt mode in future kernel releases? > If someone finally adds TLS to the kernel then we'll likely do > something about it. Till that time we cannot use crypto authenc type algos with AF-ALG socket interface for TLS or MtE( separation into 2 operation always not possible). TLS RFC7366 allow users to decide weather to use EtM or MtE in TLS. We can solve this, If we have some way to communicate drivers to operate in TLS mode like in setsockopt or msghdr of sendmsg. > Otherwise you can just separate it out into > two operations via af-alg. Always not possible. If openssl has software implementation of Authec( Cipher and hash with 1 algo) it expects same from af-alg engine only then he will override. Its like if Openssl has super set(AES+ SHA256) available it expect same super set in engine(af-alg) for comparison. The machines with instruction set extensions has authenc implemented in user space like intel aes-ni. > > Cheers, -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
