Re: [Linuxptp-devel] [PATCH 00/14] Initial Authentication TLV Support

2023-11-09 Thread Richard Cochran
On Thu, Nov 09, 2023 at 09:44:56AM -0500, Clay Kaiser via Linuxptp-devel wrote:
> The following patch introduces initial support for immediate security processing of
> authentication tlv as defined in IEEE1588-2019 section 16.14.
> 
> Integrity Check Values (aka Message Authentication Codes) are calculated with nettle,
> or gnutls when abstracted mac support is not supported by installed (older) nettle.
> Support is included for SHA256-128, SHA256, AES128, AES256.

Cool.

> I have not seen nor heard of any practical use or application for delayed security
> processing so that is not included. If someone can think of a use, they can surely
> add on.

Yeah, delayed processing is crazy stupid.  After all, it is impossible
to "roll back" synchronization.  The example in the standard has the
disclosed key arriving once every 24 hours.  What the heck were those
guys smoking?

Thanks,
Richard


___
Linuxptp-devel mailing list
Linuxptp-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linuxptp-devel


[Linuxptp-devel] [PATCH 00/14] Initial Authentication TLV Support

2023-11-09 Thread Clay Kaiser via Linuxptp-devel
The following patch introduces initial support for immediate security processing of
authentication tlv as defined in IEEE1588-2019 section 16.14.

Integrity Check Values (aka Message Authentication Codes) are calculated with nettle,
or gnutls when abstracted mac support is not supported by installed (older) nettle.
Support is included for SHA256-128, SHA256, AES128, AES256.

Tested with standard e2e and p2p and clknetsim linuxptp testsuite.

A few limitations:

I have not seen nor heard of any practical use or application for delayed security
processing so that is not included. If someone can think of a use, they can surely
add on.

This patch only supports two-step mode as one-step mode would require hardware
support. This is not practical as far as I know.

The standard specifies a security parameters database to determine the security
parameters pointer (spp) for any inbound or outbound message depending on any variety
of parameters. This implementation simply ties the spp to a port instead, so any message
sent or received on that port is handled under the same security association. Under
typical circumstances, this should be more than sufficient. Future enhancement may be
added if someone finds this insufficient.

Clay Kaiser (14):
  tlv: add authentication tlv
  sad: introduce security association database
  sad: introduce nettle mac library
  sad: introduce gnutls mac library
  sad: introduce sad_process_auth() and sad_check_auth_tlv().
  port: add security processing to bc_event()
  sad: introduce sad_set_last_seqid() and sad_check_seqid()
  sad: introduce sad_append_auth_tlv() and sad_generate_icv()
  man: add man updates for authentication tlv
  pmc: introduce CMD support with SA_REKEY_NP
  sad: introduce sad_update_auth_tlv()
  msg: add authentication tlv in management handling
  pmc: add authentication tlv for pmc
  nsm: add authentication tlv for nsm

 clock.c|  46 +++-
 config.c   |   4 +
 config.h   |   3 +
 e2e_tc.c   |  24 +-
 incdefs.sh |  41 +++
 makefile   |  31 ++-
 msg.c  |  28 +-
 msg.h  |  41 ++-
 nsm.8  |  21 ++
 nsm.c  |  44 ++-
 p2p_tc.c   |  25 +-
 phc2sys.8  |  25 +-
 phc2sys.c  |   5 +
 pmc.8  |  27 +-
 pmc.c  |  14 +-
 pmc_agent.c|   8 +-
 pmc_common.c   | 111 +++-
 pmc_common.h   |   4 +
 port.c |  82 +-
 port_private.h |   2 +
 ptp4l.8|  77 +-
 ptp4l.c|   6 +
 sad.c  | 713 +
 sad.h  | 100 +++
 sad_gnutls.c   | 185 +
 sad_nettle.c   | 151 +++
 sad_private.h  |  82 ++
 tc.c   |   7 +
 tlv.c  |  31 +++
 tlv.h  |  10 +
 ts2phc.8   |  25 +-
 ts2phc.c   |  12 +-
 tz2alt.8   |  23 ++
 tz2alt.c   |   6 +
 34 files changed, 1965 insertions(+), 49 deletions(-)
 create mode 100644 sad.c
 create mode 100644 sad.h
 create mode 100644 sad_gnutls.c
 create mode 100644 sad_nettle.c
 create mode 100644 sad_private.h

-- 
2.42.1

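The immediate-mode processing the cover letter describes (append an AUTHENTICATION TLV, compute the ICV with HMAC-SHA256 truncated to 128 bits, check ICV and sequence id on receive), written out as an added example. This is not linuxptp's code and not taken from the patch series; it uses only the Python standard library, so the AES-CMAC variants are not shown. Assumptions not stated on the page: the TLV layout (tlvType 0x8009, lengthField, SPP, secParamIndicator, keyID, ICV), one security association per port keyed by (spp, keyID), the correctionField zeroed while the ICV is computed because transparent clocks rewrite it in flight, and replay protection on the header sequenceId with a forward window of 32768. The Sync message and the key are constructed test data.

```python
"""
Added example (not linuxptp code): immediate-mode processing of the PTP
AUTHENTICATION TLV of IEEE 1588-2019 clause 16.14 with HMAC-SHA256-128.
Assumed, not taken from the patch: SA bound to one port and keyed by
(spp, keyID); correctionField zeroed during ICV calculation; replay check
on the header sequenceId with a 32768-step forward window.
"""
import hashlib
import hmac
import struct

TLV_AUTHENTICATION = 0x8009  # tlvType AUTHENTICATION (assumed value)
HDR_LEN = 34                 # common PTP header length
MSGLEN_OFF = 2               # messageLength, UInteger16
CORRECTION_OFF = 8           # correctionField, Integer64; zeroed while computing the ICV
SEQID_OFF = 30               # sequenceId, UInteger16
AUTH_FIXED = struct.Struct(">HHBBI")  # tlvType, lengthField, SPP, secParamIndicator, keyID


class SecurityAssociation:
    """One SA per port: key, key identifiers and the last accepted sequenceId."""

    def __init__(self, spp: int, key_id: int, key: bytes, icv_len: int = 16):
        self.spp, self.key_id, self.key, self.icv_len = spp, key_id, key, icv_len
        self.last_seqid = None  # replay state, updated only after a good ICV

    def icv(self, msg: bytes) -> bytes:
        """HMAC-SHA256 over everything before the ICV field, truncated to icv_len (SHA256-128)."""
        covered = bytearray(msg[:-self.icv_len])
        covered[CORRECTION_OFF:CORRECTION_OFF + 8] = bytes(8)  # TCs change this field in flight
        return hmac.new(self.key, bytes(covered), hashlib.sha256).digest()[:self.icv_len]


def make_sync(seqid: int, correction_ns: int = 0) -> bytes:
    """Constructed two-step Sync message: 34-byte header plus 10-byte originTimestamp."""
    hdr = struct.pack(">BBHBBHqIQHHBb",
                      0x00, 0x02, HDR_LEN + 10,   # messageType Sync, versionPTP 2, messageLength
                      0, 0, 0x0200,               # domainNumber, reserved, flagField (twoStepFlag)
                      correction_ns << 16, 0,     # correctionField (ns * 2^16), reserved
                      0x001122FFFE334455, 1,      # sourcePortIdentity: clockIdentity, portNumber
                      seqid, 0x00, -3)            # sequenceId, controlField, logMessageInterval
    return hdr + struct.pack(">HII", 0, 1700000000, 123456789)  # originTimestamp (constructed)


def append_auth_tlv(sa: SecurityAssociation, msg: bytes) -> bytes:
    """Transmit side: append the TLV with a zero ICV, fix messageLength, then fill in the ICV."""
    tlv = AUTH_FIXED.pack(TLV_AUTHENTICATION, 6 + sa.icv_len, sa.spp, 0, sa.key_id)
    out = bytearray(msg + tlv + bytes(sa.icv_len))
    struct.pack_into(">H", out, MSGLEN_OFF, len(out))
    out[-sa.icv_len:] = sa.icv(bytes(out))
    return bytes(out)


def check_auth(sa: SecurityAssociation, msg: bytes) -> str:
    """Receive side: return 'ok' or the reason the message must be dropped."""
    tlv_off = len(msg) - AUTH_FIXED.size - sa.icv_len
    if tlv_off < HDR_LEN or struct.unpack_from(">H", msg, MSGLEN_OFF)[0] != len(msg):
        return "missing tlv"
    tlv_type, length, spp, _spi, key_id = AUTH_FIXED.unpack_from(msg, tlv_off)
    if tlv_type != TLV_AUTHENTICATION or length != 6 + sa.icv_len:
        return "missing tlv"
    if spp != sa.spp or key_id != sa.key_id:
        return "unknown sa"
    # Verify the ICV before touching any state, so forgeries cannot move the replay window.
    if not hmac.compare_digest(msg[-sa.icv_len:], sa.icv(msg)):
        return "bad icv"
    seqid = struct.unpack_from(">H", msg, SEQID_OFF)[0]
    if sa.last_seqid is not None and not 0 < (seqid - sa.last_seqid) % 65536 < 32768:
        return "replay"
    sa.last_seqid = seqid
    return "ok"


def demo() -> list:
    """Normal path, replay, a TC-modified correctionField, tampering, wrong key, no TLV."""
    key = bytes(range(32))  # constructed test key
    tx, rx = SecurityAssociation(1, 7, key), SecurityAssociation(1, 7, key)
    results = []
    m1 = append_auth_tlv(tx, make_sync(seqid=100))
    results.append(check_auth(rx, m1))                        # ok
    results.append(check_auth(rx, m1))                        # replay
    m2 = bytearray(append_auth_tlv(tx, make_sync(seqid=101)))
    struct.pack_into(">q", m2, CORRECTION_OFF, 2500 << 16)    # transparent clock adds residence time
    results.append(check_auth(rx, bytes(m2)))                 # ok: correctionField is not covered
    m3 = bytearray(append_auth_tlv(tx, make_sync(seqid=102)))
    m3[HDR_LEN + 6] ^= 0x01                                   # flip one bit of originTimestamp
    results.append(check_auth(rx, bytes(m3)))                 # bad icv
    results.append(check_auth(SecurityAssociation(1, 7, bytes(32)), bytes(m2)))  # bad icv: wrong key
    results.append(check_auth(rx, make_sync(seqid=103)))      # missing tlv
    return results


if __name__ == "__main__":
    print(demo())
```

The ordering in check_auth matters: the ICV is verified before the sequence id is compared or stored, so an attacker who cannot forge the ICV also cannot advance the receiver's replay state with spoofed sequence numbers. Zeroing correctionField is what lets a transparent clock on the path add residence time without having the key.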