On Fri, May 05, 2017 at 05:25:57PM +0100, Kevin Chadwick wrote: > > There was concern about my use of MD5 HMAC's so I > > took them out. The ELF header of 32 bit systems is too small to fit > > SHA256 checksums, so I'm leaving it out. > > Have you considered CMAC which can be truncated if need be and also > could take advantage of AES acceleration. > > Alternatively, signify perhaps.
I never considered that. In discussion with a friend, I did consider truncating a SHA256 HMAC, but that didn't feel right. If CMAC's can be truncated then this entire implementation can be rewritten to not truncate for 64 bit machines and truncate for 32 bit machines. The code to this should be straight forward and I'll work on that next I guess. I have a 32 bit firewall here that I'd love to ELFSEC. I know too little about signify in-kernel, I know I love it as a userland program. Regards, -peter
