author: vanhu <vanhu@FreeBSD.org> 2011-02-18 09:40:13 +0000
committer: vanhu <vanhu@FreeBSD.org> 2011-02-18 09:40:13 +0000
commit: b5386e15c14dd35dcd82a748b00a7a741b1238f9
tree: 7caf902dec994fcea8dd9be967378950d398ba35 /UPDATING
parent: f9ba5edcb6ab519d38ac8a40899df85ba5713843
Fixed IPsec's HMAC_SHA256-512 support to be RFC4868 compliant.
This will break interoperability with all older versions of FreeBSD for those algorithms.
Reviewed by: bz, gnn
Obtained from: NETASQ
MFC after: 1w
Diffstat (limited to 'UPDATING')
-rw-r--r-- UPDATING 10
1 files changed, 10 insertions, 0 deletions
diff --git a/UPDATING b/UPDATING
index bbbb2eb..c730444 100644
--- a/UPDATING
+++ b/UPDATING
@@ -9,6 +9,16 @@ handbook.
Items affecting the ports and packages system can be found in
/usr/ports/UPDATING. Please read that file before running portupgrade.
+20110218:
+ IPsec's HMAC_SHA256-512 support has been fixed to be RFC4868
+ compliant, and will now use half of hash for authentication.
+ This will break interoperability with all stacks (including all
+ actual FreeBSD versions) who implement
+ draft-ietf-ipsec-ciph-sha-256-00 (they use 96 bits of hash for
+ authentication).
+ The only workaround with such peers is to use another HMAC
+ algorithm for IPsec ("phase 2") authentication.
+
NOTE TO PEOPLE WHO THINK THAT FreeBSD 9.x IS SLOW:
FreeBSD 9.x has many debugging features turned on, in both the kernel
and userland. These features attempt to detect incorrect use of
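Review bot: In the added 20110218 entry, "will now use half of hash for authentication" leaves the reader to work out the new truncation length for each algorithm, while the old behaviour is stated exactly ("96 bits of hash"). Give the new lengths the same way, i.e. 128, 192 and 256 bits for SHA-256, SHA-384 and SHA-512, so an administrator can compare them against what a peer is configured for. On wording, "all actual FreeBSD versions" reads as "current" or "existing" versions and should say so, and "stacks ... who implement" should be "that implement". The workaround sentence would also be more useful if it named at least one HMAC algorithm that is unaffected by this change, since the entry only says "another HMAC algorithm".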