Date: Wed, 29 Jul 2015 08:40:37 -0700
From: John-Mark Gurney <jmg@funkthat.com>
To: Ermal Luçi <eri@freebsd.org>
Cc: George Neville-Neil <gnn@neville-neil.com>, src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: Re: svn commit: r286000 - head/sys/netipsec
Message-ID: <20150729154036.GG78154@funkthat.com>
In-Reply-To: <CAPBZQG3GS-wzEohLY8=Jewz_2JiFkAbArxKMFPxMz4JFg34_Hg@mail.gmail.com>
References: <201507290715.t6T7FHGb094456@repo.freebsd.org> <CAPBZQG3GS-wzEohLY8=Jewz_2JiFkAbArxKMFPxMz4JFg34_Hg@mail.gmail.com>

Ermal Luçi wrote this message on Wed, Jul 29, 2015 at 14:53 +0200:
> this was forgotten part on my patches merge from gnn@.
> Can it be fixed by correcting the patches rather than re-introducing this?
>
> Most probably the constant definition is wrong on the transforms and also
> some part of code removal was missed.

No, it cannot be fixed by changing opencrypto/xform.c to truncate the
hash size...  The reason it cannot be is that OCF is not an IPsec only
framework...  Geli also uses the HMAC constructions, and I have not
confirmed if they use the full hash size or not...

I would be open to adding a field to the crypto descriptor that limited
how much of the hash is copied out...

It would have been helpful to comment more of these changes...  If you
make a change for a reason (RFC, etc), then throw that in the comments,
which allows someone following to understand why and prevent their
removal...

At least if they were commented as to why they changed, we would have
known to rework the change...

> On Wed, Jul 29, 2015 at 9:15 AM, John-Mark Gurney <jmg@freebsd.org> wrote:
>
> > Author: jmg
> > Date: Wed Jul 29 07:15:16 2015
> > New Revision: 286000
> > URL: https://svnweb.freebsd.org/changeset/base/286000
> >
> > Log:
> >   RFC4868 section 2.3 requires that the output be half...  This fixes
> >   problems that was introduced in r285336...  I have verified that
> >   HMAC-SHA2-256 both ah only and w/ AES-CBC interoperate w/ a NetBSD
> >   6.1.5 vm...
> >
> > Reviewed by: gnn

--
  John-Mark Gurney                              Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."
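
An added example, not code from this thread or from FreeBSD: it sketches the idea floated in the message above, where the shared HMAC routine always computes the full digest and a per-caller length decides how much is copied out, so an IPsec caller gets the RFC 4868 half-size ICV while another consumer keeps the full hash. The function names and the `out_len` parameter are assumptions made for illustration, and Python's `hmac` module stands in for OCF.

```python
import hashlib
import hmac

# RFC 4868 section 2.3: the ICV is the HMAC output truncated to half the
# hash size (HMAC-SHA-256-128, HMAC-SHA-384-192, HMAC-SHA-512-256).
RFC4868_ICV_LEN = {"sha256": 16, "sha384": 24, "sha512": 32}


def hmac_tag(key, data, hash_name, out_len=None):
    """Shared HMAC routine (hypothetical): compute the full digest, then
    copy out only the first out_len bytes. None means the full digest."""
    full = hmac.new(key, data, hash_name).digest()
    if out_len is None:
        return full
    if not 0 < out_len <= len(full):
        raise ValueError("out_len must be between 1 and the digest size")
    return full[:out_len]


def ipsec_icv(key, data, hash_name):
    """IPsec caller: asks for the RFC 4868 truncated length."""
    return hmac_tag(key, data, hash_name, RFC4868_ICV_LEN[hash_name])


def ipsec_verify(key, data, received_icv, hash_name):
    """Check a received ICV. The length must match exactly, so a peer that
    sends the untruncated digest is rejected; the byte comparison is
    constant-time."""
    expected = ipsec_icv(key, data, hash_name)
    return (len(received_icv) == len(expected)
            and hmac.compare_digest(expected, received_icv))


if __name__ == "__main__":
    # Constructed sample key and payload, for illustration only.
    key = bytes(range(32))
    packet = b"constructed AH-protected payload"

    icv = ipsec_icv(key, packet, "sha256")
    full = hmac_tag(key, packet, "sha256")  # what a full-size consumer gets
    print("IPsec ICV   :", len(icv), "bytes", icv.hex())
    print("full digest :", len(full), "bytes", full.hex())
    print("truncated ICV accepted :", ipsec_verify(key, packet, icv, "sha256"))
    print("full digest accepted   :", ipsec_verify(key, packet, full, "sha256"))
```
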