
[RFC,ipsec-next] xfrm: make sha256 icv truncation length RFC-compliant

Message ID 1400771437-14096-2-git-send-email-horia.geanta@freescale.com
State RFC, archived
Delegated to: David Miller

Commit Message

horia.geanta@freescale.com May 22, 2014, 3:10 p.m. UTC
From: Lei Xu <Lei.Xu@freescale.com>

Currently the sha256 icv truncation length is set to 96bit
while the length is defined as 128bit in RFC4868.
This may result in some errors when working with other IPsec devices
with the standard truncation length.
Thus, change the sha256 truncation length from 96bit to 128bit.

Signed-off-by: Lei Xu <Lei.Xu@freescale.com>
Signed-off-by: Horia Geanta <horia.geanta@freescale.com>
---
 net/xfrm/xfrm_algo.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Nicolas Dichtel May 22, 2014, 4:03 p.m. UTC | #1
On 22/05/2014 17:10, Horia Geanta wrote:
> From: Lei Xu <Lei.Xu@freescale.com>
>
> Currently the sha256 icv truncation length is set to 96bit
> while the length is defined as 128bit in RFC4868.
> This may result in some errors when working with other IPsec devices
> with the standard truncation length.
> Thus, change the sha256 truncation length from 96bit to 128bit.
The patch was already proposed, but it was kept as-is for userspace
compatibility.

See: https://lkml.org/lkml/2012/3/7/431

Regards,
Nicolas
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
horia.geanta@freescale.com May 23, 2014, 6:28 a.m. UTC | #2
On 5/22/2014 7:03 PM, Nicolas Dichtel wrote:
> On 22/05/2014 17:10, Horia Geanta wrote:
>> From: Lei Xu <Lei.Xu@freescale.com>
>>
>> Currently the sha256 icv truncation length is set to 96bit
>> while the length is defined as 128bit in RFC4868.
>> This may result in some errors when working with other IPsec devices
>> with the standard truncation length.
>> Thus, change the sha256 truncation length from 96bit to 128bit.
> The patch was already proposed, but it was kept as-is for userspace
> compatibility.
>
> See: https://lkml.org/lkml/2012/3/7/431

Thanks, somehow I missed that.

So this just means bad luck for user space tools (for e.g. ipsec-tools - 
setkey, racoon - and any other PF_KEY-based tool) that AFAICT cannot 
override the default truncated icv size, right?

Thanks,
Horia


Nicolas Dichtel May 23, 2014, 8:06 a.m. UTC | #3
On 23/05/2014 08:28, Horia Geantă wrote:
> On 5/22/2014 7:03 PM, Nicolas Dichtel wrote:
>> On 22/05/2014 17:10, Horia Geanta wrote:
>>> From: Lei Xu <Lei.Xu@freescale.com>
>>>
>>> Currently the sha256 icv truncation length is set to 96bit
>>> while the length is defined as 128bit in RFC4868.
>>> This may result in some errors when working with other IPsec devices
>>> with the standard truncation length.
>>> Thus, change the sha256 truncation length from 96bit to 128bit.
>> The patch was already proposed, but it was kept as-is for userspace
>> compatibility.
>>
>> See: https://lkml.org/lkml/2012/3/7/431
>
> Thanks, somehow I missed that.
>
> So this just means bad luck for user space tools (for e.g. ipsec-tools - setkey,
> racoon - and any other PF_KEY-based tool) that AFAICT cannot override the
> default truncated icv size, right?
You can change the default value with the netlink attribute
XFRMA_ALG_AUTH_TRUNC (option 'auth-trunc' in iproute2).


Regards,
Nicolas

Patch

diff --git a/net/xfrm/xfrm_algo.c b/net/xfrm/xfrm_algo.c
index debe733386f8..ca21ba7a0716 100644
--- a/net/xfrm/xfrm_algo.c
+++ b/net/xfrm/xfrm_algo.c
@@ -220,7 +220,7 @@  static struct xfrm_algo_desc aalg_list[] = {
 
 	.uinfo = {
 		.auth = {
-			.icv_truncbits = 96,
+			.icv_truncbits = 128,
 			.icv_fullbits = 256,
 		}
 	},
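
Review bot: the change of .icv_truncbits from 96 to 128 alters the default for every SA that does not carry an explicit truncation length, and the changelog does not say what happens to existing setups that already interoperate at the 96-bit default. Please state the compatibility impact in the commit message, and name the aalg_list entry being modified, since the context lines here do not show which algorithm this .uinfo block belongs to. If the 96-bit default has to stay for existing users, documenting the per-SA override would address the interoperability problem without touching this table.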