On Tue, Nov 02, 2021 at 12:02:07PM +0900, YASUOKA Masahiko wrote:
> I'd like to clarify "aes" in ipsec.conf accepts 128:256 bits.
>
> sbin/ipsecctl/ike.c:
>         case ENCXF_AES:
>                 enc_alg = "AES";
>                 key_length = "128,128:256";
>                 break;
>
>
> ok?
>
> Clarify "aes" will accept keys which length is in 128:256 bits.
>

i notice that the enc lists in ipsec.conf.5 and iked.conf.5 differ. aren't they supposed to be in sync? for example, iked.conf.5 doesn't mention "aes" or "aesctr". also the *-gmac and *-gcm-12 discrepancy.

jmc

> Index: sbin/ipsecctl/ipsec.conf.5 > =================================================================== > RCS file: /cvs/src/sbin/ipsecctl/ipsec.conf.5,v > retrieving revision 1.160 > diff -u -p -r1.160 ipsec.conf.5 > --- sbin/ipsecctl/ipsec.conf.5 22 Oct 2021 12:30:54 -0000 1.160 > +++ sbin/ipsecctl/ipsec.conf.5 2 Nov 2021 02:58:13 -0000 > @@ -637,10 +637,10 @@ keyword: > The following cipher types are permitted with the > .Ic enc > keyword: > -.Bl -column "aes-128-gmac" "Key Length" "Description" -offset indent > +.Bl -column "aes-128-gmac" "128-256 bits" "Description" -offset indent > .It Em "Cipher" Ta Em "Key Length" Ta "" > .It Li 3des Ta "168 bits" Ta "" > -.It Li aes Ta "128 bits" Ta "" > +.It Li aes Ta "128-256 bits" Ta "" > .It Li aes-128 Ta "128 bits" Ta "" > .It Li aes-192 Ta "192 bits" Ta "" > .It Li aes-256 Ta "256 bits" Ta "" >
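
Review bot: in the changed ".It Li aes" row, "128-256 bits" tells the reader what range is accepted but not which length is proposed, while the ike.c string quoted at the top of the thread is "128,128:256", with a separate leading 128 ahead of the range. If that leading value is the length offered by default, the row or a sentence under the table should say so, so that someone who writes "aes" expecting a 256-bit key can see that "aes-256" is the keyword that pins it. The row could also state whether 192 is included, since "128-256" reads as a continuous range and the table lists aes-192 separately.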