From: John Baldwin
Date: Fri, 20 May 2022 00:42:42 GMT
Message-Id: <202205200042.24K0ggmk004221@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject: git: 6aaf8a8b1bcf - stable/12 - setkey(8): Clarify language around AEAD ciphers.
List-Id: Commits to the stable branches of the FreeBSD src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches
X-Git-Committer: jhb
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/12
X-Git-Reftype: branch
X-Git-Commit: 6aaf8a8b1bcf500aa7342043d43007ff9c52cd65

The branch stable/12 has been updated by jhb:

URL:
https://cgit.FreeBSD.org/src/commit/?id=6aaf8a8b1bcf500aa7342043d43007ff9c52cd65

commit 6aaf8a8b1bcf500aa7342043d43007ff9c52cd65
Author:     John Baldwin
AuthorDate: 2022-04-27 19:18:52 +0000
Commit:     John Baldwin
CommitDate: 2022-05-20 00:42:24 +0000

    setkey(8): Clarify language around AEAD ciphers.

    AEAD ciphers for IPsec combine both encryption and authentication.
    As such, ESP configurations using an AEAD cipher should not use a
    separate authentication algorithm via -A. However, this was not
    apparent from the setkey manpage and 12.x and earlier did not perform
    sufficient argument validation permitting users to pair an explicit
    -A such as SHA256-HMAC with AES-GCM. (The result was a non-standard
    combination of AES-CTR with the specified MAC, but with the wrong
    initial block counter (and thus different keystream) compared to
    using AES-CTR as the cipher.)

    Attempt to clarify this in the manpage by explicitly calling out AEAD
    ciphers (currently only AES-GCM) and noting that AEAD ciphers should
    not use -A. While here, explicitly note which authentication
    algorithms can be used with esp vs esp-old. Also add subsection
    headings for the different algorithm lists and tidy some language.

    I did not convert the tables to column lists (Bl -column) though that
    would probably be more correct than using literal blocks (Bd -literal).

    PR:             263379
    Reviewed by:    Pau Amma, markj
    Differential Revision:  https://reviews.freebsd.org/D34947

    (cherry picked from commit e6dede145616ed8f98c629c23a2ba206b812c921)

--- sbin/setkey/setkey.8 | 74 ++++++++++++++++++++++++++++------------------------ 1 file changed, 40 insertions(+), 34 deletions(-) diff --git a/sbin/setkey/setkey.8 b/sbin/setkey/setkey.8 index a9653a3b25d4..38e04aa412ed 100644 --- a/sbin/setkey/setkey.8 +++ b/sbin/setkey/setkey.8 @@ -29,7 +29,7 @@ .\" .\" $FreeBSD$ .\" -.Dd June 4, 2020 +.Dd April 27, 2022 .Dt SETKEY 8 .Os .\" 
@@ -328,7 +328,8 @@ Specify hard/soft life time duration of the SA. .It Ar algorithm .Bl -tag -width Fl -compact .It Fl E Ar ealgo Ar key -Specify an encryption algorithm +Specify an encryption or Authenticated Encryption with Associated Data +(AEAD) algorithm .Ar ealgo for ESP. .It Xo @@ -573,13 +574,9 @@ for details. .El .\" .Sh ALGORITHMS -The following list shows the supported algorithms. -The -.Sy protocol -and -.Sy algorithm -are almost completely orthogonal. -The following list of authentication algorithms can be used as +The following lists show the supported algorithms. +.Ss Authentication Algorithms +The following authentication algorithms can be used as .Ar aalgo in the .Fl A Ar aalgo 
@@ -588,29 +585,29 @@ of the parameter: .Bd -literal -offset indent algorithm keylen (bits) comment -hmac-md5 128 ah: rfc2403 - 128 ah-old: rfc2085 -hmac-sha1 160 ah: rfc2404 - 160 ah-old: 128bit ICV (no document) -keyed-md5 128 ah: 96bit ICV (no document) - 128 ah-old: rfc1828 -keyed-sha1 160 ah: 96bit ICV (no document) - 160 ah-old: 128bit ICV (no document) +hmac-md5 128 ah/esp: rfc2403 + 128 ah-old/esp-old: rfc2085 +hmac-sha1 160 ah/esp: rfc2404 + 160 ah-old/esp-old: 128bit ICV (no document) +keyed-md5 128 ah/esp: 96bit ICV (no document) + 128 ah-old/esp-old: rfc1828 +keyed-sha1 160 ah/esp: 96bit ICV (no document) + 160 ah-old/esp-old: 128bit ICV (no document) null 0 to 2048 for debugging -hmac-sha2-256 256 ah: 128bit ICV (RFC4868) - 256 ah-old: 128bit ICV (no document) -hmac-sha2-384 384 ah: 192bit ICV (RFC4868) - 384 ah-old: 128bit ICV (no document) -hmac-sha2-512 512 ah: 256bit ICV (RFC4868) - 512 ah-old: 128bit ICV (no document) -hmac-ripemd160 160 ah: 96bit ICV (RFC2857) - ah-old: 128bit ICV (no document) -aes-xcbc-mac 128 ah: 96bit ICV (RFC3566) - 128 ah-old: 128bit ICV (no document) +hmac-sha2-256 256 ah/esp: 128bit ICV (RFC4868) + 256 ah-old/esp-old: 128bit ICV (no document) +hmac-sha2-384 384 ah/esp: 192bit ICV (RFC4868) + 384 ah-old/esp-old: 128bit ICV (no document) +hmac-sha2-512 512 ah/esp: 256bit ICV (RFC4868) + 512 ah-old/esp-old: 128bit ICV (no document) +hmac-ripemd160 160 ah/esp: 96bit ICV (RFC2857) + ah-old/esp-old: 128bit ICV (no document) +aes-xcbc-mac 128 ah/esp: 96bit ICV (RFC3566) + 128 ah-old/esp-old: 128bit ICV (no document) tcp-md5 8 to 640 tcp: rfc2385 .Ed -.Pp -The following is the list of encryption algorithms that can be used as the +.Ss Encryption Algorithms +The following encryption algorithms can be used as the .Ar ealgo in the .Fl E Ar ealgo 
@@ -627,15 +624,24 @@ cast128-cbc 40 to 128 rfc2451 des-deriv 64 ipsec-ciph-des-derived-01 aes-cbc 128/192/256 rfc3602 aes-ctr 160/224/288 rfc3686 -aes-gcm-16 160/224/288 rfc4106 +aes-gcm-16 160/224/288 AEAD; rfc4106 camellia-cbc 128/192/256 rfc4312 .Ed .Pp Note that the first 128/192/256 bits of a key for -.Li aes-ctr or aes-gcm-16 -will be used as AES key, and remaining 32 bits will be used as nonce. -.Pp -The following are the list of compression algorithms that can be used +.Li aes-ctr +or +.Li aes-gcm-16 +will be used as the AES key, +and the remaining 32 bits will be used as the nonce. +.Pp +AEAD encryption algorithms such as +.Li aes-gcm-16 +include authentication and should not be +paired with a separate authentication algorithm via +.Fl A . +.Ss Compression Algorithms +The following compression algorithms can be used as the .Ar calgo in the
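Review bot: In the `-E Ar ealgo Ar key` hunk (@@ -328,7 +328,8 @@) the `.Fl E` entry now mentions AEAD, but the neighbouring `.Fl A Ar aalgo` entry is not touched, so a reader who looks up -A in the option list never learns that it must be omitted for aes-gcm-16; the only warning lives in the ALGORITHMS section further down. Suggest adding one sentence to the -A description, for instance "Must not be combined with an AEAD .Ar ealgo such as aes-gcm-16", and, because the commit message says 12.x does not reject the combination, a clause noting that setkey on this branch does not validate it and the kernel installs the non-standard AES-CTR-plus-MAC SA the message describes.

Review bot: In the ALGORITHMS hunk (@@ -573,13 +574,9 @@) dropping "The protocol and algorithm are almost completely orthogonal" is right, since the esp/esp-old annotations and the AEAD caveat that this patch introduces are exactly the cases where they are not orthogonal; but the replacement "The following lists show the supported algorithms." gives no hint that each subsection now states which protocols an algorithm may be used with. A short clause such as "each list notes the protocols the algorithm is valid for" would point the reader at the new annotations.

Review bot: In the authentication table hunk (@@ -588,29 +585,29 @@) the rewritten hmac-ripemd160 continuation line `+ ah-old/esp-old: 128bit ICV (no document)` still lacks the keylen that every other two-line row repeats (compare `+ 256 ah-old/esp-old: 128bit ICV (no document)` under hmac-sha2-256); since the hunk rewrites that line anyway, add the `160`. The `null` and `tcp-md5` rows are also the only ones left without an ah/esp annotation even though the commit message promises to "explicitly note which authentication algorithms can be used with esp vs esp-old"; if null is valid for both ah and esp, say so, otherwise the row reads as if it applies to neither.

Review bot: In the encryption table hunk (@@ -627,15 +624,24 @@) "should not be paired with a separate authentication algorithm via -A" understates the consequence spelled out in the commit message: on this branch the combination is accepted and yields a non-standard AES-CTR-plus-MAC SA with a different keystream, so it neither interoperates with a peer nor is what the user asked for. Suggest "must not be paired" plus a clause stating that setkey does not reject the combination. Two smaller points in the same hunk: the key-layout note calls the trailing 32 bits the "nonce" for aes-gcm-16, while RFC 4106 calls that field the salt and uses "nonce" for salt||IV, so naming both terms avoids confusion when a reader cross-checks the RFC; and a concrete SA line beside the caveat, e.g. `add src dst esp spi -E aes-gcm-16 key;` with no -A, would make the correct form unmistakable.

The parenthetical in the commit message, that AES-GCM paired with an explicit -A degrades to AES-CTR with the wrong initial block counter, can be checked with standard-library primitives. The Go program below is an added example written for this page; it is not FreeBSD code and does not reproduce the kernel's ESP implementation. It assumes only the RFC 3686 counter-block layout (salt || IV || 32-bit counter starting at 1), the RFC 4106 96-bit nonce layout (salt || IV, with GCM starting its payload counter at 2), and the key layout the manpage documents (AES key followed by a 32-bit nonce/salt). The key, salt and IV values are constructed. It shows that the two keystreams are the same stream shifted by one block, which is why the result of pairing -A with aes-gcm-16 is neither standard AES-GCM nor standard RFC 3686 AES-CTR:

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// splitSetkeyKey splits an aes-ctr / aes-gcm-16 key the way the manpage
// describes: the first 128/192/256 bits are the AES key and the trailing
// 32 bits are the nonce (RFC 4106 calls this the salt). Any other length
// is rejected, matching the 160/224/288 keylen column of the table.
func splitSetkeyKey(k []byte) (aesKey, salt []byte, err error) {
	switch len(k) {
	case 20, 28, 36:
		return k[:len(k)-4], k[len(k)-4:], nil
	default:
		return nil, nil, fmt.Errorf("key must be 160, 224 or 288 bits, got %d", len(k)*8)
	}
}

// rfc3686Keystream returns nblocks 16-byte blocks of keystream as RFC 3686
// AES-CTR derives them: counter block = salt(4) || IV(8) || 32-bit counter,
// with the counter for the first payload block set to 1.
func rfc3686Keystream(aesKey, salt, iv []byte, nblocks int) ([]byte, error) {
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return nil, err
	}
	ctr := make([]byte, aes.BlockSize)
	copy(ctr[0:4], salt)
	copy(ctr[4:12], iv)
	binary.BigEndian.PutUint32(ctr[12:], 1)
	zeros := make([]byte, aes.BlockSize*nblocks)
	out := make([]byte, len(zeros))
	// XORing the keystream into all-zero plaintext yields the keystream itself.
	cipher.NewCTR(block, ctr).XORKeyStream(out, zeros)
	return out, nil
}

// gcmKeystream recovers the keystream AES-GCM applies to the ESP payload by
// sealing all-zero plaintext under the RFC 4106 96-bit nonce salt(4) || IV(8)
// and discarding the trailing 16-byte tag.
func gcmKeystream(aesKey, salt, iv []byte, nblocks int) ([]byte, error) {
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := append(append([]byte{}, salt...), iv...)
	zeros := make([]byte, aes.BlockSize*nblocks)
	sealed := gcm.Seal(nil, nonce, zeros, nil)
	return sealed[:len(zeros)], nil
}

// keystreamOffset compares both keystreams for the same key, salt and IV and
// returns how many blocks later the GCM keystream starts relative to RFC 3686
// CTR. GCM reserves counter value 1 for the tag mask and encrypts the first
// payload block at counter 2, RFC 3686 starts at 1, so the expected answer is
// 1: the "wrong initial block counter" the commit message refers to. An error
// means the two streams do not line up at all.
func keystreamOffset(aesKey, salt, iv []byte) (int, error) {
	const n = 4
	ctr, err := rfc3686Keystream(aesKey, salt, iv, n+2)
	if err != nil {
		return 0, err
	}
	gcm, err := gcmKeystream(aesKey, salt, iv, n)
	if err != nil {
		return 0, err
	}
	for off := 0; off <= 2; off++ {
		if bytes.Equal(gcm, ctr[aes.BlockSize*off:aes.BlockSize*(off+n)]) {
			return off, nil
		}
	}
	return 0, fmt.Errorf("GCM and RFC 3686 keystreams do not line up")
}

func main() {
	// Constructed 160-bit setkey key: a 128-bit AES key followed by a 32-bit salt.
	key := bytes.Repeat([]byte{0x42}, 20)
	aesKey, salt, err := splitSetkeyKey(key)
	if err != nil {
		panic(err)
	}
	iv := []byte{1, 2, 3, 4, 5, 6, 7, 8} // constructed 64-bit per-packet IV
	off, err := keystreamOffset(aesKey, salt, iv)
	if err != nil {
		panic(err)
	}
	fmt.Printf("GCM payload keystream starts %d block after RFC 3686 CTR\n", off)
}
```

The program only needs `go run`; it reports an offset of 1 for every AES key size. Note that it demonstrates the relationship between the two standard modes, not what a particular kernel does when handed the invalid combination; whether a given setkey build rejects `-E aes-gcm-16` together with `-A` is exactly what the commit message says 12.x does not check.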