Message ID | 20181016080634.139776-1-zenczykowski@gmail.com |
---|---|
State | Awaiting Upstream, archived |
Delegated to: | David Miller |
Series | net-xfrm: add build time cfg option to PF_KEY SHA256 to use RFC4868-compliant truncation |
Yes, I realize there's been similar submits in the past, but we're trying to get rid of or upstream Android kernel networking divergences... maybe this approach will be more palatable?

Thanks,
Maciej
On Tue, Oct 16, 2018 at 5:06 PM Maciej Żenczykowski <zenczykowski@gmail.com> wrote: > +config XFRM_HMAC_SHA256_RFC4868 > + bool "Strict RFC4868 hmac(sha256) 128-bit truncation" > + depends on XFRM_ALGO > + default n > + ---help--- > + Support strict RFC4868 hmac(sha256) 128-bit truncation > + (default on Android) instead of the default 96-bit Linux truncation. Not sure it's worth mentioning Android here, given that other contributors from other organizations have attempted to change this as well. > .uinfo = { > .auth = { > +#if IS_ENABLED(CONFIG_XFRM_HMAC_SHA256_RFC4868) > + .icv_truncbits = 128, > +#else > .icv_truncbits = 96, > +#endif Also, consider adding a Tested: line saying that this allows pf_key_test.py to pass on upstream kernels. Other than that, Acked-By: Lorenzo Colitti <lorenzo@google.com>
Maciej Żenczykowski <zenczykowski@gmail.com> wrote: > > +#if IS_ENABLED(CONFIG_XFRM_HMAC_SHA256_RFC4868) > + .icv_truncbits = 128, > +#else > .icv_truncbits = 96, > +#endif Nack. We don't want a build-time configuration knob for this. This needs to be decided at run-time. In fact you can already do this at run-time anyway through the xfrm interface. So please please please just ditch whatever that you're using that's still glued to the long-obsolete (more than a decade) af_key interface and switch it over to xfrm. Thanks,
I'm afraid it's nothing we're using. It's what people are using. I guess we'll just carry this patch for a few more years.
diff --git a/net/xfrm/Kconfig b/net/xfrm/Kconfig index 4a9ee2d83158..0ede7e81a5d3 100644 --- a/net/xfrm/Kconfig +++ b/net/xfrm/Kconfig @@ -15,6 +15,16 @@ config XFRM_ALGO select XFRM select CRYPTO +config XFRM_HMAC_SHA256_RFC4868 + bool "Strict RFC4868 hmac(sha256) 128-bit truncation" + depends on XFRM_ALGO + default n + ---help--- + Support strict RFC4868 hmac(sha256) 128-bit truncation + (default on Android) instead of the default 96-bit Linux truncation. + + If unsure, say N. + config XFRM_USER tristate "Transformation user configuration interface" depends on INET diff --git a/net/xfrm/xfrm_algo.c b/net/xfrm/xfrm_algo.c index 44ac85fe2bc9..a70391fb2c1e 100644 --- a/net/xfrm/xfrm_algo.c +++ b/net/xfrm/xfrm_algo.c @@ -241,7 +241,11 @@ static struct xfrm_algo_desc aalg_list[] = { .uinfo = { .auth = { +#if IS_ENABLED(CONFIG_XFRM_HMAC_SHA256_RFC4868) + .icv_truncbits = 128, +#else .icv_truncbits = 96, +#endif .icv_fullbits = 256, } },
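Review bot: In the net/xfrm/Kconfig hunk, the help text for XFRM_HMAC_SHA256_RFC4868 does not tell whoever sets it that the option changes the ICV length sent on the wire, so a kernel built with y and a peer still on the 96-bit default will disagree on hmac(sha256) truncation unless the length is set explicitly. Suggest stating that in the help text and, going by the series title, saying that the option is aimed at PF_KEY users. The "(default on Android)" remark describes a downstream tree and could be dropped, as already raised in the thread.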
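Review bot: In the net/xfrm/xfrm_algo.c hunk, the "#if IS_ENABLED(CONFIG_XFRM_HMAC_SHA256_RFC4868)" block sits inside the .auth initializer with no comment, and the hunk context (".uinfo = { .auth = {") does not show which aalg_list[] entry is being changed. Suggest a one-line comment above the #if naming the algorithm and saying that 128 bits is the RFC 4868 length while 96 bits is kept as the existing default. The value is also fixed when the kernel is built, so one image cannot offer both truncations as its default; the commit message should say why that is acceptable, given the objection in the thread that this should be decided at run time.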