Hi Antonio,
On 06/12/20 17:09, Antonio Quartulli wrote:
Hi all,
Some people have expressed interest in ovpn-dco supporting AES-CBC.
However, since ovpn-dco is currently using the AEAD kernel crypto API
only, introducing support for CBC mode would require quite some
refactoring and we do not really want to do that (the community believes
that as of now AEAD ciphers should always be preferred moving forward).
In a previous discussion on this mailing list, it was highlighted that
AES-CCM is nothing else than AES-CBC in disguise as AEAD cipher.
(for the curious: it is AES "Counter with CBC-MAC", known as CCM and
described in RFC3610).
For this reason I decided to give AES-CCM a try and I implemented in it
the "aes-ccm" branch of the ovpn-dco repo.
I am not sure if we're going to merge it to master yet, but for now it
would be interesting to gather feedback from those interested in this
cipher.
Please note that OpenVPN3 does not yet support this cipher, therefore
the only way to test AES-CCM in ovpn-dco is to use the ovpn-cli tool
provided in the tests/ folder.
To do so, just specify "aes-ccm" as algorithm when setting a new key.
excellent news!
Thank you very much for adding this so quickly; it won't help Tony He
though, as he is stuck using a rather old AL314 + R9000 chip which does
not support CCM or GCM. I just checked the driver code and indeed there
is no HW support for GCM. They *do* support some AEAD algorithms:
authenc-hmac-sha256-cbc-aes
authenc-hmac-sha384-cbc-aes
which are listed as the (true) AEAD equivalent of AES+SHA ; the question
is : how hard would it be to add support for this (and would it be worth
it?)
cheers,
JJK
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
