Hi Antonio,

On 07/12/20 10:56, Antonio Quartulli wrote:
> Hi Jan Just, Tony,
>
> On 07/12/2020 10:10, Jan Just Keijser wrote:
>> Thank you very much for adding this so quickly; it won't help Tony He
>> though, as he is stuck using a rather old AL314 + R9000 chip which does
>> not support CCM or GCM. I just checked the driver code and indeed there
>> is no HW support for GCM.  They *do* support some AEAD algorithms:
>>
>>    authenc-hmac-sha256-cbc-aes
>>    authenc-hmac-sha384-cbc-aes
>>
>> which are listed as the (true) AEAD equivalent of AES+SHA; the question
>> is: how hard would it be to add support for this (and would it be worth
>> it?)
> I would ask the same question to the vendor: how hard would it be to
> support AES-GCM in the current HW engine?
>
> Any info about that?
> They are the best recipient for such feature request I think.
>
> As far as I understood the HW engine is also open source, so actually
> anybody with the right motivation could take up that task.
I fully agree; however, the last change to the kernel driver for that hardware was made over 3 years ago, so I suspect that it will be hard to get GCM support for it.

> Forcing ourselves to stick to legacy algorithms is not the right
> move, imho (especially when there are solutions - see above).
> To answer your question: my feeling is that working on it is not worth
> the benefit.


Again, I tend to agree *but* when you say that "openvpn-dco only supports AEAD crypto algorithms" you can expect that sooner or later someone will ask the question "how about authenc-hmac-sha256-cbc-aes?" because that *IS* an AEAD algorithm after all.

But without support in OpenVPN 2.x for this the point is moot, as far as I am concerned, as supporting something only in the kernel driver will make it interoperable with the open source community version of OpenVPN.

cheers,

JJK



_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
