Change Details

The HMAC construction natively permits any key size between 0 and the input block length. Before r324017, the auth_hash 'keysize' member was the hash output length, which is used by ipsec for key sizes. (Non-ipsec consumers need the ability to use other keysizes, hence, r324017.) The ipsec SADB code blindly uses the auth_hash 'keysize' member for both minimum and maximum key size, which is wrong. Instead it should use the range [0, keysize], or perhaps the 'hashsize' parameter to match the previous hardcoded lengths, if exclusively those key sizes should be accepted.

The HMAC construction natively permits any key size between 0 and the input block length. Before r324017, the auth_hash 'keysize' member was the hash output length, which was used by ipsec for key sizes. (Non-ipsec consumers need the ability to use other keysizes, hence, r324017.) The ipsec SADB code blindly uses the auth_hash 'keysize' member for both minimum and maximum key size, which is wrong (from an HMAC perspective). For now, just switch it to 'hashsize', which matches the existing expectations. Instead it should probably use the range [0, keysize]. But there may be other broken code in ipsec that rejects hashes with too small a minimum key size. Reported by: olivier@

The HMAC construction natively permits any key size between 0 and the input block length. Before r324017, the auth_hash 'keysize' member was the hash output length, which iswas used by ipsec for key sizes. (Non-ipsec consumers need the ability to use other keysizes, hence, r324017.) The ipsec SADB code blindly uses the auth_hash 'keysize' member for both minimum and maximum key size, which is wrong. Instead it should use the (from an HMAC perspective). range [0For now, keyjust switch it to 'hashsize]', or perhaps the 'hashsize' parameter to match thewhich matches the existing previous hardcoded lengthsexpectations. Instead it should probably use the range [0, if exclusively those key sizes should bekeysize]. But there may be accepted.other broken code in ipsec that rejects hashes with too small a minimum key size. Reported by: olivier@