From 439349a5c157eb7df43741cd278c7d9280ab856d Mon Sep 17 00:00:00 2001
From: yasuoka <yasuoka@openbsd.org>
Date: Thu, 4 Nov 2021 03:53:57 +0000
Subject: [PATCH] Clarify "aes" will accept keys which length is in 128:256
 bits.  Also correct "cast" in ipsec.conf.5 to "cast128", add missing
 "chacha20-poly1305", and sync iked.conf.5 and ipsec.conf.5 some places.

ok jmc sthen
---
 sbin/iked/iked.conf.5      |  8 ++++----
 sbin/ipsecctl/ipsec.conf.5 | 30 +++++++++++++++++++++++-------
 2 files changed, 27 insertions(+), 11 deletions(-)

diff --git a/sbin/iked/iked.conf.5 b/sbin/iked/iked.conf.5
index 7787cf851d5..6186e1825e7 100644
--- a/sbin/iked/iked.conf.5
+++ b/sbin/iked/iked.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: iked.conf.5,v 1.87 2021/10/26 17:31:22 tobhe Exp $
+.\" $OpenBSD: iked.conf.5,v 1.88 2021/11/04 03:53:57 yasuoka Exp $
 .\"
 .\" Copyright (c) 2010 - 2014 Reyk Floeter <reyk@openbsd.org>
 .\" Copyright (c) 2004 Mathieu Sauve-Frankel  All rights reserved.
@@ -15,7 +15,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: October 26 2021 $
+.Dd $Mdocdate: November 4 2021 $
 .Dt IKED.CONF 5
 .Os
 .Sh NAME
@@ -998,9 +998,9 @@ keyword.
 3DES requires 24 bytes to form its 168-bit key.
 This is because the most significant bit of each byte is used for parity.
 .Pp
-The keysize of AES-CTR is actually 128-bit.
+The keysize of AES-CTR can be 128, 192, or 256 bits.
 However as well as the key, a 32-bit nonce has to be supplied.
-Thus 160 bits of key material have to be supplied.
+Thus 160, 224, or 288 bits of key material, respectively, have to be supplied.
 The same applies to AES-GCM, AES-GMAC and Chacha20-Poly1305,
 however in the latter case the keysize is 256 bit.
 .Pp
diff --git a/sbin/ipsecctl/ipsec.conf.5 b/sbin/ipsecctl/ipsec.conf.5
index f948af81228..98acad6a4ff 100644
--- a/sbin/ipsecctl/ipsec.conf.5
+++ b/sbin/ipsecctl/ipsec.conf.5
@@ -1,4 +1,4 @@
-.\"	$OpenBSD: ipsec.conf.5,v 1.160 2021/10/22 12:30:54 bluhm Exp $
+.\"	$OpenBSD: ipsec.conf.5,v 1.161 2021/11/04 03:53:57 yasuoka Exp $
 .\"
 .\" Copyright (c) 2004 Mathieu Sauve-Frankel  All rights reserved.
 .\"
@@ -22,7 +22,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: October 22 2021 $
+.Dd $Mdocdate: November 4 2021 $
 .Dt IPSEC.CONF 5
 .Os
 .Sh NAME
@@ -637,10 +637,10 @@ keyword:
 The following cipher types are permitted with the
 .Ic enc
 keyword:
-.Bl -column "aes-128-gmac" "Key Length" "Description" -offset indent
+.Bl -column "chacha20-poly1305" "128-256 bits" "Description" -offset indent
 .It Em "Cipher" Ta Em "Key Length" Ta ""
 .It Li 3des Ta "168 bits" Ta ""
-.It Li aes Ta "128 bits" Ta ""
+.It Li aes Ta "128-256 bits" Ta ""
 .It Li aes-128 Ta "128 bits" Ta ""
 .It Li aes-192 Ta "192 bits" Ta ""
 .It Li aes-256 Ta "256 bits" Ta ""
@@ -651,21 +651,37 @@ keyword:
 .It Li aes-128-gcm Ta "160 bits" Ta "[phase 2 only, IKE only]"
 .It Li aes-192-gcm Ta "224 bits" Ta "[phase 2 only, IKE only]"
 .It Li aes-256-gcm Ta "288 bits" Ta "[phase 2 only, IKE only]"
+.It Li blowfish Ta "160 bits" Ta ""
+.It Li cast128 Ta "128 bits" Ta ""
+.It Li chacha20-poly1305 Ta "288 bits" Ta ""
+.El
+.Pp
+The following cipher types provide only authentication, not encryption:
+.Bl -column "chacha20-poly1305" "128-256 bits" "Description" -offset indent
 .It Li aes-128-gmac Ta "160 bits" Ta "[phase 2 only, IKE only]"
 .It Li aes-192-gmac Ta "224 bits" Ta "[phase 2 only, IKE only]"
 .It Li aes-256-gmac Ta "288 bits" Ta "[phase 2 only, IKE only]"
-.It Li blowfish Ta "160 bits" Ta ""
-.It Li cast Ta "128 bits" Ta ""
 .It Li null Ta "(none)" Ta "[phase 2 only]"
 .El
 .Pp
+Transforms followed by
+.Bq IKE only
+can only be used with the
+.Ic ike
+keyword, transforms with
+.Bq phase 2 only
+can only be used with the
+.Ic quick
+keyword.
+.Pp
 3DES requires 24 bytes to form its 168-bit key.
 This is because the most significant bit of each byte is used for parity.
 .Pp
 The keysize of AES-CTR can be 128, 192, or 256 bits.
 However as well as the key, a 32-bit nonce has to be supplied.
 Thus 160, 224, or 288 bits of key material, respectively, have to be supplied.
-The same applies to AES-GCM and AES-GMAC.
+The same applies to AES-GCM, AES-GMAC and Chacha20-Poly1305,
+however in the latter case the keysize is 256 bit.
 .Pp
 Using AES-GMAC or NULL with ESP will only provide authentication.
 This is useful in setups where AH cannot be used, e.g. when NAT is involved.
-- 
2.20.1