From owner-svn-src-all@freebsd.org Wed Jul 29 15:40:38 2015 Return-Path: Delivered-To: svn-src-all@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id D32289AEFAD; Wed, 29 Jul 2015 15:40:38 +0000 (UTC) (envelope-from jmg@gold.funkthat.com) Received: from gold.funkthat.com (gate2.funkthat.com [208.87.223.18]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "gold.funkthat.com", Issuer "gold.funkthat.com" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 93E468D5; Wed, 29 Jul 2015 15:40:38 +0000 (UTC) (envelope-from jmg@gold.funkthat.com) Received: from gold.funkthat.com (localhost [127.0.0.1]) by gold.funkthat.com (8.14.5/8.14.5) with ESMTP id t6TFebvw007226 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 29 Jul 2015 08:40:37 -0700 (PDT) (envelope-from jmg@gold.funkthat.com) Received: (from jmg@localhost) by gold.funkthat.com (8.14.5/8.14.5/Submit) id t6TFebb9007225; Wed, 29 Jul 2015 08:40:37 -0700 (PDT) (envelope-from jmg) Date: Wed, 29 Jul 2015 08:40:37 -0700 From: John-Mark Gurney To: Ermal =?iso-8859-1?Q?Lu=E7i?= Cc: George Neville-Neil , src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: Re: svn commit: r286000 - head/sys/netipsec Message-ID: <20150729154036.GG78154@funkthat.com> References: <201507290715.t6T7FHGb094456@repo.freebsd.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: X-Operating-System: FreeBSD 9.1-PRERELEASE amd64 X-PGP-Fingerprint: 54BA 873B 6515 3F10 9E88 9322 9CB1 8F74 6D3F A396 X-Files: The truth is out there X-URL: http://resnet.uoregon.edu/~gurney_j/ X-Resume: http://resnet.uoregon.edu/~gurney_j/resume.html X-TipJar: bitcoin:13Qmb6AeTgQecazTWph4XasEsP7nGRbAPE X-to-the-FBI-CIA-and-NSA: HI! HOW YA DOIN? can i haz chizburger? User-Agent: Mutt/1.5.21 (2010-09-15) X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.2.7 (gold.funkthat.com [127.0.0.1]); Wed, 29 Jul 2015 08:40:37 -0700 (PDT) X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 29 Jul 2015 15:40:38 -0000 Ermal Lui wrote this message on Wed, Jul 29, 2015 at 14:53 +0200: > this was forgotten part on my patches merge from gnn@. > Can it be fixed by correcting the patches rather than re-introducing this? > > Most probably the constant definition is wrong on the transforms and also > some part of code removal was missed. No, it cannot be fixed by changing opencrypto/xform.c to truncate the hash size... The reason it cannot be is that OCF is not an IPsec only framework... Geli also uses the HMAC constructions, and I have not confirmed if they use the full hash size or not... I would be open to adding a field to the crypto descriptor that limited how much of the hash is copied out... It would have been helpful to comment more of these changes... If you make a change for a reason (RFC, etc), then throw that in the comments, which allows someone following to understand why and prevent their removal... At least if they were commented as to why they changed, we would have known to rework the change... > On Wed, Jul 29, 2015 at 9:15 AM, John-Mark Gurney wrote: > > > Author: jmg > > Date: Wed Jul 29 07:15:16 2015 > > New Revision: 286000 > > URL: https://svnweb.freebsd.org/changeset/base/286000 > > > > Log: > > RFC4868 section 2.3 requires that the output be half... This fixes > > problems that was introduced in r285336... I have verified that > > HMAC-SHA2-256 both ah only and w/ AES-CBC interoperate w/ a NetBSD > > 6.1.5 vm... > > > > Reviewed by: gnn -- John-Mark Gurney Voice: +1 415 225 5579 "All that I will do, has been done, All that I have, has not."