svn commit: r325872 - head/sys/netipsec
Conrad Meyer
cem at FreeBSD.org
Wed Nov 15 22:42:22 UTC 2017
Author: cem
Date: Wed Nov 15 22:42:20 2017
New Revision: 325872
URL: https://svnweb.freebsd.org/changeset/base/325872
Log:
ipsec: Use the same keysize values for HMAC as prior to r324017
The HMAC construction natively permits any key size between 0 and the input
block length. Before r324017, the auth_hash 'keysize' member was the hash
output length, which was used by ipsec for key sizes. (Non-ipsec consumers
need the ability to use other keysizes, hence, r324017.)
The ipsec SADB code blindly uses the auth_hash 'keysize' member for both
minimum and maximum key size, which is wrong (from an HMAC perspective).
For now, just switch it to 'hashsize', which matches the existing
expectations.
Instead it should probably use the range [0, keysize]. But there may be
other broken code in ipsec that rejects hashes with too small a minimum
key size.
Reported by: olivier@
Reviewed by: olivier, no objection from ae
Sponsored by: Dell EMC Isilon
Differential Revision: https://reviews.freebsd.org/D12770
Modified:
head/sys/netipsec/key.c
Modified: head/sys/netipsec/key.c
==============================================================================
--- head/sys/netipsec/key.c Wed Nov 15 22:40:46 2017 (r325871)
+++ head/sys/netipsec/key.c Wed Nov 15 22:42:20 2017 (r325872)
@@ -6263,7 +6263,7 @@ key_getsizes_ah(const struct auth_hash *ah, int alg, u
u_int16_t* max)
{
- *min = *max = ah->keysize;
+ *min = *max = ah->hashsize;
if (ah->keysize == 0) {
/*
* Transform takes arbitrary key size but algorithm
More information about the svn-src-all
mailing list