Page MenuHomeFreeBSD

Refer to AES-CBC as "aes-cbc" rather than "rijndael-cbc" for IPsec.
ClosedPublic

Authored by jhb on May 22 2020, 5:33 PM.
Tags
None
Referenced Files
Unknown Object (File)
Sat, Oct 18, 2:02 PM
Unknown Object (File)
Sat, Oct 18, 2:02 PM
Unknown Object (File)
Sat, Oct 18, 2:02 PM
Unknown Object (File)
Sat, Oct 18, 2:02 PM
Unknown Object (File)
Sat, Oct 18, 2:39 AM
Unknown Object (File)
Fri, Oct 17, 11:58 PM
Unknown Object (File)
Fri, Oct 17, 6:40 AM
Unknown Object (File)
Tue, Sep 30, 11:58 PM

Details

Summary

At this point, AES is the more common name for Rijndael128. setkey
will still accept the old name and old constants remain for
compatiblity.

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

jhb requested review of this revision.May 22 2020, 5:33 PM
lib/libipsec/pfkey_dump.c
162–163 ↗(On Diff #72129)

Ditto below remarks

sbin/setkey/token.l
162–163 ↗(On Diff #72129)

For these I would encourage use of SADB_X_EALG_AESCBC.

sys/net/pfkeyv2.h
384–385 ↗(On Diff #72129)

Can we kill SADB_X_EALG_RIJNDAELCBC? And perhaps SADB_X_EALG_AES?

usr.bin/netstat/ipsec.c
140–141 ↗(On Diff #72129)

These are bad.

142–143 ↗(On Diff #72129)

Maybe use SADB_X_EALG_AESCBC now that it has been added.

jhb marked 3 inline comments as done.May 22 2020, 9:46 PM
jhb added inline comments.
lib/libipsec/pfkey_dump.c
162–163 ↗(On Diff #72129)

I can change this one. This is originally code from KAME which is why it has all the #ifdef's and other crud.

sys/net/pfkeyv2.h
384–385 ↗(On Diff #72129)

We can't kill the RIJNDAELCBC one because that's what KAME uses and so it's what 3rd party software like IKE daemons in ports expect. We might be able to care the bare 'AES' but to feel comfortable I'd have to do an exp-run.

usr.bin/netstat/ipsec.c
140–141 ↗(On Diff #72129)

These are just for reporting counts for 'netstat -s'. Even if we remove NULL from OCF it will have to stay around for IPsec. I suspect the "none" entry never gets used.

sys/net/pfkeyv2.h
384–385 ↗(On Diff #72129)

Ah, that's unfortunate.

usr.bin/netstat/ipsec.c
140–141 ↗(On Diff #72129)

I think they should be removed from IPsec. Orthogonal to this change.

jhb marked an inline comment as done.

Address some feedback.

bcr added a subscriber: bcr.

OK from manpages (bump .Dd when you commit). Thanks!

sys/net/pfkeyv2.h
384–385 ↗(On Diff #72129)

BTW, I looked at the sources for raccon2 and apparently Linux uses AESCBC and parts of raccoon2 like the Linux name and add compat defines from the KAME name and from 'AES` to AESCBC and other parts of that tree use the AES name and map the KAME name and AESCBC to AES. It seems simplest to provide all three sadly.

This revision was not accepted when it landed; it landed in state Needs Review.Jun 4 2020, 10:58 PM
This revision was automatically updated to reflect the committed changes.