svn commit: r286000 - head/sys/netipsec
John-Mark Gurney
jmg at funkthat.com
Wed Jul 29 15:40:38 UTC 2015
Ermal Lui wrote this message on Wed, Jul 29, 2015 at 14:53 +0200:
> this was forgotten part on my patches merge from gnn at .
> Can it be fixed by correcting the patches rather than re-introducing this?
>
> Most probably the constant definition is wrong on the transforms and also
> some part of code removal was missed.
No, it cannot be fixed by changing opencrypto/xform.c to truncate the
hash size... The reason it cannot be is that OCF is not an IPsec only
framework...
Geli also uses the HMAC constructions, and I have not confirmed if they
use the full hash size or not... I would be open to adding a field to
the crypto descriptor that limited how much of the hash is copied out...
It would have been helpful to comment more of these changes... If you
make a change for a reason (RFC, etc), then throw that in the comments,
which allows someone following to understand why and prevent their
removal... At least if they were commented as to why they changed, we
would have known to rework the change...
> On Wed, Jul 29, 2015 at 9:15 AM, John-Mark Gurney <jmg at freebsd.org> wrote:
>
> > Author: jmg
> > Date: Wed Jul 29 07:15:16 2015
> > New Revision: 286000
> > URL: https://svnweb.freebsd.org/changeset/base/286000
> >
> > Log:
> > RFC4868 section 2.3 requires that the output be half... This fixes
> > problems that was introduced in r285336... I have verified that
> > HMAC-SHA2-256 both ah only and w/ AES-CBC interoperate w/ a NetBSD
> > 6.1.5 vm...
> >
> > Reviewed by: gnn
--
John-Mark Gurney Voice: +1 415 225 5579
"All that I will do, has been done, All that I have, has not."
More information about the svn-src-all
mailing list