[Bug 263379] [regression] [ipsec] compatibility broken between stable/12 and stable/13 opencrypto in AEAD mode

From: <bugzilla-noreply_at_freebsd.org>
Date: Fri, 20 May 2022 00:43:23 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=263379

--- Comment #17 from commit-hook@FreeBSD.org ---
A commit in branch stable/12 references this bug:

URL:
https://cgit.FreeBSD.org/src/commit/?id=6aaf8a8b1bcf500aa7342043d43007ff9c52cd65

commit 6aaf8a8b1bcf500aa7342043d43007ff9c52cd65
Author:     John Baldwin <jhb@FreeBSD.org>
AuthorDate: 2022-04-27 19:18:52 +0000
Commit:     John Baldwin <jhb@FreeBSD.org>
CommitDate: 2022-05-20 00:42:24 +0000

    setkey(8): Clarify language around AEAD ciphers.

    AEAD ciphers for IPsec combine both encryption and authentication.  As
    such, ESP configurations using an AEAD cipher should not use a
    seperate authentication algorithm via -A.  However, this was not
    apparent from the setkey manpage and 12.x and earlier did not perform
    sufficient argument validation permitting users to pair an explicit -A
    such as SHA256-HMAC with AES-GCM.  (The result was a non-standard
    combination of AES-CTR with the specified MAC, but with the wrong
    initial block counter (and thus different keystream) compared to using
    AES-CTR as the cipher.)

    Attempt to clarify this in the manpage by explicitly calling out AEAD
    ciphers (currently only AES-GCM) and noting that AEAD ciphers should
    not use -A.

    While here, explicitly note which authentication algorithms can be
    used with esp vs esp-old.  Also add subsection headings for the
    different algorithm lists and tidy some language.

    I did not convert the tables to column lists (Bl -column) though that
    would probably be more correct than using literal blocks (Bd
    -literal).

    PR:             263379
    Reviewed by:    Pau Amma <pauamma@gundo.com>, markj
    Differential Revision:  https://reviews.freebsd.org/D34947

    (cherry picked from commit e6dede145616ed8f98c629c23a2ba206b812c921)

 sbin/setkey/setkey.8 | 74 ++++++++++++++++++++++++++++------------------------
 1 file changed, 40 insertions(+), 34 deletions(-)

-- 
You are receiving this mail because:
You are on the CC list for the bug.