Yeah, I am also looking forward to support for authenc-hmac-sha256-cbc-aes being added, because I have another IPQ806x device which supports this mode but not CCM or GCM. IPQ806x devices are widely used by router users.
Tony

Jan Just Keijser <janj...@nikhef.nl> wrote on Mon, Dec 7, 2020 at 5:12 PM:

> Hi Antonio,
>
> On 06/12/20 17:09, Antonio Quartulli wrote:
> > Hi all,
> >
> > Some people have expressed interest in ovpn-dco supporting AES-CBC.
> >
> > However, since ovpn-dco is currently using the AEAD kernel crypto API
> > only, introducing support for CBC mode would require quite some
> > refactoring and we do not really want to do that (the community believes
> > that as of now AEAD ciphers should always be preferred moving forward).
> >
> > In a previous discussion on this mailing list, it was highlighted that
> > AES-CCM is nothing else than AES-CBC in disguise as an AEAD cipher.
> >
> > (for the curious: it is AES "Counter with CBC-MAC", known as CCM and
> > described in RFC3610).
> >
> > For this reason I decided to give AES-CCM a try and I implemented it in
> > the "aes-ccm" branch of the ovpn-dco repo.
> >
> > I am not sure if we're going to merge it to master yet, but for now it
> > would be interesting to gather feedback from those interested in this
> > cipher.
> >
> > Please note that OpenVPN3 does not yet support this cipher, therefore
> > the only way to test AES-CCM in ovpn-dco is to use the ovpn-cli tool
> > provided in the tests/ folder.
> >
> > To do so, just specify "aes-ccm" as algorithm when setting a new key.
>
> excellent news!
> Thank you very much for adding this so quickly; it won't help Tony He
> though, as he is stuck using a rather old AL314 + R9000 chip which does not
> support CCM or GCM. I just checked the driver code and indeed there is no
> HW support for GCM. They *do* support some AEAD algorithms:
>
>   authenc-hmac-sha256-cbc-aes
>   authenc-hmac-sha384-cbc-aes
>
> which are listed as the (true) AEAD equivalent of AES+SHA; the question
> is: how hard would it be to add support for this (and would it be worth
> it?)
>
> cheers,
>
> JJK
> _______________________________________________
> Openvpn-devel mailing list
> Openvpn-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-devel
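As an added illustration of the question raised in this thread (which AEAD algorithms a given device's kernel actually offers), the sketch below parses `/proc/crypto`-style text and reports, for each AEAD name, the highest-priority implementation, which is the one the kernel crypto API hands out by name. It is not code from ovpn-dco or from anyone in the thread; the sample listing, its `examplehw` driver names and its priorities are constructed for illustration.

```python
import re

# Constructed sample in /proc/crypto layout. Driver names and priorities are
# invented for illustration; they are not taken from a real IPQ806x device.
SAMPLE = """\
name         : authenc(hmac(sha256),cbc(aes))
driver       : authenc-hmac-sha256-cbc-aes-examplehw
priority     : 300
type         : aead
async        : yes

name         : authenc(hmac(sha256),cbc(aes))
driver       : authenc(hmac(sha256-generic),cbc(aes-generic))
priority     : 100
type         : aead
async        : no

name         : ccm(aes)
driver       : ccm_base(ctr(aes-generic),cbcmac(aes-generic))
priority     : 100
type         : aead
async        : no

name         : cbc(aes)
driver       : cbc-aes-examplehw
priority     : 300
type         : skcipher
async        : yes
"""

WANTED = ("gcm(aes)", "ccm(aes)", "authenc(hmac(sha256),cbc(aes))")

def parse_proc_crypto(text):
    """Yield one dict per algorithm entry (entries are blank-line separated)."""
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                entry[key.strip()] = value.strip()
        if entry:
            yield entry

def best_aead(text, names=WANTED):
    """Map each wanted AEAD name to its highest-priority entry, or None."""
    best = {name: None for name in names}
    for e in parse_proc_crypto(text):
        if e.get("type") != "aead" or e.get("name") not in best:
            continue  # skip skciphers, hashes and AEADs we did not ask about
        cur = best[e["name"]]
        if cur is None or int(e.get("priority", 0)) > int(cur.get("priority", 0)):
            best[e["name"]] = e
    return best

if __name__ == "__main__":
    for name, e in best_aead(SAMPLE).items():
        print(name, "->", f'{e["driver"]} (prio {e["priority"]})' if e else "not registered")
```

To inspect a real system, pass the contents of `/proc/crypto` instead of `SAMPLE`. Template instances such as `ccm(aes)` are only listed once something has instantiated them, so a missing entry does not by itself prove the algorithm is unavailable.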