freebsd-src/sbin/setkey
John Baldwin 6835ace580 setkey(8): Clarify language around AEAD ciphers.
AEAD ciphers for IPsec combine both encryption and authentication.  As
such, ESP configurations using an AEAD cipher should not use a
separate authentication algorithm via -A.  However, this was not
apparent from the setkey manpage and 12.x and earlier did not perform
sufficient argument validation permitting users to pair an explicit -A
such as SHA256-HMAC with AES-GCM.  (The result was a non-standard
combination of AES-CTR with the specified MAC, but with the wrong
initial block counter (and thus different keystream) compared to using
AES-CTR as the cipher.)

Attempt to clarify this in the manpage by explicitly calling out AEAD
ciphers (currently only AES-GCM) and noting that AEAD ciphers should
not use -A.

While here, explicitly note which authentication algorithms can be
used with esp vs esp-old.  Also add subsection headings for the
different algorithm lists and tidy some language.

I did not convert the tables to column lists (Bl -column) though that
would probably be more correct than using literal blocks (Bd
-literal).

PR:		263379
Reviewed by:	Pau Amma <pauamma@gundo.com>, markj
Differential Revision:	https://reviews.freebsd.org/D34947

(cherry picked from commit e6dede1456)
2022-05-19 17:35:34 -07:00
..
Makefile Remove the link to libl which only contains a stub function 2020-03-23 14:37:00 +00:00
Makefile.depend
parse.y General further adoption of SPDX licensing ID tags. 2017-11-20 19:49:47 +00:00
sample.cf Remove support for IPsec algorithms deprecated in r348205 and r360202. 2020-05-02 00:06:58 +00:00
scriptdump.pl
setkey.8 setkey(8): Clarify language around AEAD ciphers. 2022-05-19 17:35:34 -07:00
setkey.c setkey(8): MFC: load ipsec.ko automatically 2022-05-19 13:05:30 +07:00
test-pfkey.c Remove support for IPsec algorithms deprecated in r348205 and r360202. 2020-05-02 00:06:58 +00:00
test-policy.c General further adoption of SPDX licensing ID tags. 2017-11-20 19:49:47 +00:00
token.l Refer to AES-CBC as "aes-cbc" rather than "rijndael-cbc" for IPsec. 2020-06-04 22:58:37 +00:00
vchar.h General further adoption of SPDX licensing ID tags. 2017-11-20 19:49:47 +00:00