On Mon, May 7, 2018 at 2:29 PM, Stephan Mueller <smueller@xxxxxxxxxx> wrote: > Am Montag, 7. Mai 2018, 13:19:47 CEST schrieb Gilad Ben-Yossef: > > Hi Gilad, > >> ah... so if I have hardware that can implement say, seqiv, I can >> register "seqiv(rfc4106(gcm(aes)))" and, assuming priorities are >> right, it will be used? > > That is the question I cannot fully answer. Seqiv is a template and thus not > subjet to prios by itself. So, you hardware however could register the full > seqiv(rfc....) cipher. I am not fully sure that such registered cipher is then > picked up by the IPSec stack. > > Look into net/xfrm/xfrm_algos.c -- there you see the individual cipher names > and the IV generator added separately. What I have not traced yet is whether > the code assembles the IV generator name and the cipher name before making the > call to crypto_alloc_aead. > > What I can say for sure is that the kernel crypto API knows of the > seqiv(rfc...) cipher name and generates the IV for your (the invocation field > that is). I see. I think the code does the assembly in esp4.c esp_init_aead() and esp_init_authenc() So it should all Just Work(TM). Many thanks for the clarification. Gilad -- Gilad Ben-Yossef Chief Coffee Drinker "If you take a class in large-scale robotics, can you end up in a situation where the homework eats your dog?" -- Jean-Baptiste Queru