Yeah, I'm also looking forward to support for authenc-hmac-sha256-cbc-aes
being added, because I have another IPQ806x device which supports this mode
but not CCM or GCM. IPQ806x devices are widely used by router users.

Tony

On Mon, Dec 7, 2020 at 5:12 PM, Jan Just Keijser <janj...@nikhef.nl> wrote:

> Hi Antonio,
>
> On 06/12/20 17:09, Antonio Quartulli wrote:
>
> Hi all,
>
> Some people have expressed interest in ovpn-dco supporting AES-CBC.
>
> However, since ovpn-dco is currently using the AEAD kernel crypto API
> only, introducing support for CBC mode would require quite some
> refactoring and we do not really want to do that (the community believes
> that as of now AEAD ciphers should always be preferred moving forward).
>
> In a previous discussion on this mailing list, it was highlighted that
> AES-CCM is nothing else than AES-CBC in disguise as AEAD cipher.
>
> (for the curious: it is AES "Counter with CBC-MAC", known as CCM and
> described in RFC3610).
>
> For this reason I decided to give AES-CCM a try and I implemented it in
> the "aes-ccm" branch of the ovpn-dco repo.
>
> I am not sure if we're going to merge it to master yet, but for now it
> would be interesting to gather feedback from those interested in this
> cipher.
>
> Please note that OpenVPN3 does not yet support this cipher, therefore
> the only way to test AES-CCM in ovpn-dco is to use the ovpn-cli tool
> provided in the tests/ folder.
>
>
> To do so, just specify "aes-ccm" as algorithm when setting a new key.
>
> excellent news!
> Thank you very much for adding this so quickly; it won't help Tony He
> though, as he is stuck using a rather old AL314 + R9000 chip which does not
> support CCM or GCM. I just checked the driver code and indeed there is no
> HW support for GCM.  They *do* support some AEAD algorithms:
>
>   authenc-hmac-sha256-cbc-aes
>   authenc-hmac-sha384-cbc-aes
>
> which are listed as the (true) AEAD equivalent of AES+SHA; the question
> is: how hard would it be to add support for this (and would it be worth
> it?)
>
> cheers,
>
> JJK
> _______________________________________________
> Openvpn-devel mailing list
> Openvpn-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-devel
>