Date: Fri, 20 May 2022 00:36:20 +0000
From: bugzilla-noreply@freebsd.org
To: net@FreeBSD.org
Subject: [Bug 263379] [regression] [ipsec] compatibility broken between stable/12 and stable/13 opencrypto in AEAD mode
Message-ID: <bug-263379-7501-YlNpD7XIQV@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-263379-7501@https.bugs.freebsd.org/bugzilla/>
References: <bug-263379-7501@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=263379

--- Comment #16 from commit-hook@FreeBSD.org ---
A commit in branch stable/13 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=6835ace580917ec512eb96cf9c456f4acc161247

commit 6835ace580917ec512eb96cf9c456f4acc161247
Author:     John Baldwin <jhb@FreeBSD.org>
AuthorDate: 2022-04-27 19:18:52 +0000
Commit:     John Baldwin <jhb@FreeBSD.org>
CommitDate: 2022-05-20 00:35:34 +0000

    setkey(8): Clarify language around AEAD ciphers.

    AEAD ciphers for IPsec combine both encryption and authentication.
    As such, ESP configurations using an AEAD cipher should not use a
    separate authentication algorithm via -A.  However, this was not
    apparent from the setkey manpage and 12.x and earlier did not
    perform sufficient argument validation permitting users to pair an
    explicit -A such as SHA256-HMAC with AES-GCM.  (The result was a
    non-standard combination of AES-CTR with the specified MAC, but
    with the wrong initial block counter (and thus different keystream)
    compared to using AES-CTR as the cipher.)

    Attempt to clarify this in the manpage by explicitly calling out
    AEAD ciphers (currently only AES-GCM) and noting that AEAD ciphers
    should not use -A.

    While here, explicitly note which authentication algorithms can be
    used with esp vs esp-old.  Also add subsection headings for the
    different algorithm lists and tidy some language.

    I did not convert the tables to column lists (Bl -column) though
    that would probably be more correct than using literal blocks
    (Bd -literal).

    PR:             263379
    Reviewed by:    Pau Amma <pauamma@gundo.com>, markj
    Differential Revision:  https://reviews.freebsd.org/D34947

    (cherry picked from commit e6dede145616ed8f98c629c23a2ba206b812c921)

 sbin/setkey/setkey.8 | 58 +++++++++++++++++++++++++++++-----------------------
 1 file changed, 32 insertions(+), 26 deletions(-)

-- 
You are receiving this mail because:
You are on the CC list for the bug.
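
An added example, not part of the original mail or of FreeBSD's code: a small lint that scans a setkey(8) configuration for ESP `add` statements pairing an AEAD cipher with an explicit -A, the combination the commit message above describes. The addresses, SPIs and keys in the sample are constructed, and the algorithm names aes-gcm-16, rijndael-cbc and hmac-sha2-256 are assumed from setkey(8) rather than taken from the mail.

```python
import re

# Assumption: AEAD cipher names start with "aes-gcm" (the commit message names
# AES-GCM as the only AEAD cipher; setkey(8) spells it aes-gcm-16).
AEAD_PREFIXES = ("aes-gcm",)
# Quoted keys are matched first, so '#' or ';' inside a key is not syntax.
TOKEN = re.compile(r'"[^"]*"|#[^\n]*|;|[^\s;#"]+')

# Constructed sample configuration; keys are placeholders, lengths not checked.
SAMPLE = '''
add 192.0.2.1 192.0.2.2 esp 0x1001 -E aes-gcm-16 "constructed-key-1"
    -A hmac-sha2-256 "constructed-mac-key" ;
add 192.0.2.2 192.0.2.1 esp 0x1002 -E aes-gcm-16 "constructed;key#2" ; # no -A
add -4 192.0.2.1 192.0.2.3 esp 0x1003 -E rijndael-cbc "constructed-key-3"
    -A hmac-sha2-256 "constructed-mac-key" ;
add 192.0.2.1 192.0.2.4 ah 0x1004 -A hmac-sha2-256 "constructed-mac-key" ;
'''

def statements(conf_text):
    """Yield each ';'-terminated setkey statement as a list of tokens."""
    stmt = []
    for tok in TOKEN.findall(conf_text):
        if tok.startswith("#"):
            continue                      # comment runs to end of line
        if tok == ";":
            if stmt:
                yield stmt
            stmt = []
        else:
            stmt.append(tok)

def value_after(tokens, flag):
    """Return the token following `flag`, or None if the flag is absent."""
    return tokens[tokens.index(flag) + 1] if flag in tokens[:-1] else None

def find_aead_with_auth(conf_text):
    """Return (src, dst, spi, ealgo, aalgo) for ESP SAs pairing AEAD with -A."""
    findings = []
    for stmt in statements(conf_text):
        if stmt[0] != "add":
            continue
        args = stmt[1:]
        while args and re.fullmatch(r"-[46n]+", args[0]):
            args = args[1:]               # skip leading option flags
        if len(args) < 4 or args[2] not in ("esp", "esp-old"):
            continue
        ealgo, aalgo = value_after(args[4:], "-E"), value_after(args[4:], "-A")
        if ealgo and aalgo and ealgo.lower().startswith(AEAD_PREFIXES):
            findings.append((args[0], args[1], args[3], ealgo, aalgo))
    return findings

if __name__ == "__main__":
    for hit in find_aead_with_auth(SAMPLE):
        print("AEAD cipher paired with -A:", hit)
```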