diff options
| author | Markus Friedl <markus@cvs.openbsd.org> | 2010-01-10 12:43:08 +0000 |
|---|---|---|
| committer | Markus Friedl <markus@cvs.openbsd.org> | 2010-01-10 12:43:08 +0000 |
| commit | e984d91179e6d0cd1106eb8a8f90cd3cdebf4ad2 (patch) | |
| tree | bda04e5dbaef37b20c5c45e7c0dd7c34f727ff0d /sys/netinet/ip_ah.h | |
| parent | e86b036f8f31495d41041510999f7ece130f9cc9 (diff) | |
Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 byte (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.
WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.
ok+tests naddy, fries; requested by reyk/deraadt
Diffstat (limited to 'sys/netinet/ip_ah.h')
| -rw-r--r-- | sys/netinet/ip_ah.h | 5 |
1 files changed, 1 insertions, 4 deletions
diff --git a/sys/netinet/ip_ah.h b/sys/netinet/ip_ah.h index 8d6fe54bcd7..c920cc19dc2 100644 --- a/sys/netinet/ip_ah.h +++ b/sys/netinet/ip_ah.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_ah.h,v 1.32 2007/12/14 18:33:40 deraadt Exp $ */ +/* $OpenBSD: ip_ah.h,v 1.33 2010/01/10 12:43:07 markus Exp $ */ /* * The authors of this code are John Ioannidis (ji@tla.org), * Angelos D. Keromytis (kermit@csd.uch.gr) and @@ -72,9 +72,6 @@ struct ah /* Length of base AH header */ #define AH_FLENGTH 8 -/* Size of the largest hash function output used in AH-new, in bytes */ -#define AH_MAX_HASHLEN 20 - /* * Names for AH sysctl objects */ |