Subject: Re: bin/29915 Can't setkey for tcp-md5 anymore
To: None <gnats-admin@netbsd.org, netbsd-bugs@netbsd.org>
From: Emmanuel Dreyfus <manu@netbsd.org>
List: netbsd-bugs
Date: 04/09/2005 07:53:02
The following reply was made to PR bin/29915; it has been noted by GNATS.
From: Emmanuel Dreyfus <manu@netbsd.org>
To: Peter Eisch <peter@boku.net>
Cc: gnats-bugs@netbsd.org
Subject: Re: bin/29915 Can't setkey for tcp-md5 anymore
Date: Sat, 9 Apr 2005 07:52:49 +0000
On Fri, Apr 08, 2005 at 09:41:12PM -0500, Peter Eisch wrote:
> While the second patch didn't apply cleanly, it does get further. With
> tcpdump I don't see the md5's on the packets, though the dump below shows
> many of the proper values of the IPs and it seems to have the value for the
> auth type. Is the 'Invalid SA type' because libipsec doesn't know about
> proto tcp and the tcp-md5 algorithm?
Yes, I found missing bits in libipsec.
Try the following patch against HEAD
It supersedes the previous one: start by cvs diff|patch -R, then
patch -p1 < tcpmd5.patch
Index: src/crypto/dist/ipsec-tools/src/setkey/parse.y
===================================================================
RCS file: /cvsroot/ipsec-tools/ipsec-tools/src/setkey/parse.y,v
retrieving revision 1.19
diff -U4 -r1.19 parse.y
--- parse.y 23 Jan 2005 19:38:47 -0000 1.19
+++ parse.y 8 Apr 2005 15:05:22 -0000
@@ -119,9 +119,9 @@
}
%token EOT SLASH BLCL ELCL
%token ADD GET DELETE DELETEALL FLUSH DUMP EXIT
-%token PR_ESP PR_AH PR_IPCOMP PR_ESPUDP
+%token PR_ESP PR_AH PR_IPCOMP PR_ESPUDP PR_TCP
%token F_PROTOCOL F_AUTH F_ENC F_REPLAY F_COMP F_RAWCPI
%token F_MODE MODE F_REQID
%token F_EXT EXTENSION NOCYCLICSEQ
%token ALG_AUTH ALG_AUTH_NOKEY
@@ -139,9 +139,9 @@
%type <num> prefix protocol_spec upper_spec
%type <num> ALG_ENC ALG_ENC_DESDERIV ALG_ENC_DES32IV ALG_ENC_OLD ALG_ENC_NOKEY
%type <num> ALG_AUTH ALG_AUTH_NOKEY
%type <num> ALG_COMP
-%type <num> PR_ESP PR_AH PR_IPCOMP PR_ESPUDP
+%type <num> PR_ESP PR_AH PR_IPCOMP PR_ESPUDP PR_TCP
%type <num> EXTENSION MODE
%type <ulnum> DECSTRING
%type <val> PL_REQUESTS portstr key_string
%type <val> policy_requests
@@ -291,8 +291,14 @@
p_ext &= ~SADB_X_EXT_OLD;
p_natt_oa = $2;
p_natt_type = UDP_ENCAP_ESPINUDP;
}
+ | PR_TCP
+ {
+#ifdef SADB_X_SATYPE_TCPSIGNATURE
+ $$ = SADB_X_SATYPE_TCPSIGNATURE;
+#endif
+ }
;
spi
: DECSTRING { p_spi = $1; }
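Review bot: The new `PR_TCP` alternative leaves `$$` unassigned when SADB_X_SATYPE_TCPSIGNATURE is not defined, because the only assignment sits inside the `#ifdef` and there is no `#else`; the same shape appears in the `upper_spec` hunk below. The alternative is presumably unreachable in that build since token.l only returns PR_TCP under the same guard, but a reader of the grammar cannot see that, and a silently undefined satype would be a bad failure mode if the lexer ever changes. An `#else` branch that reports the unsupported keyword, `yyerror("tcp-md5 not supported by this kernel");`, makes the intent explicit in both places. The enclosing rule starts before this hunk.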
@@ -762,8 +762,13 @@
upper_spec
: DECSTRING { $$ = $1; }
| ANY { $$ = IPSEC_ULPROTO_ANY; }
+ | PR_TCP {
+#ifdef SADB_X_SATYPE_TCPSIGNATURE
+ $$ = IPPROTO_TCP;
+#endif
+ }
| STRING
{
struct protoent *ent;
Index: src/crypto/dist/ipsec-tools/src/setkey/setkey.8
===================================================================
RCS file: /cvsroot/ipsec-tools/ipsec-tools/src/setkey/setkey.8,v
retrieving revision 1.11
diff -U4 -r1.11 setkey.8
--- setkey.8 23 Jan 2005 19:38:47 -0000 1.11
+++ setkey.8 8 Apr 2005 15:05:23 -0000
@@ -285,8 +285,10 @@
.It Li ah-old
AH based on rfc1826
.It Li ipcomp
IPComp
+.It Li tcp
+TCP-MD5 based on rfc2385
.El
.\"
.Pp
.It Ar spi
@@ -298,8 +300,10 @@
.Dq Li 0x
prefix.
SPI values between 0 and 255 are reserved for future use by IANA
and they cannot be used.
+TCP-MD5 associations must use 0x1000 and therefore only have per-host
+granularity at this time.
.\"
.Pp
.It Ar extensions
take some of the following:
@@ -661,8 +665,9 @@
hmac-ripemd160 160 ah: 96bit ICV (RFC2857)
ah-old: 128bit ICV (no document)
aes-xcbc-mac 128 ah: 96bit ICV (RFC3566)
128 ah-old: 128bit ICV (no document)
+tcp-md5 8 to 640 tcp: rfc2385
.Ed
.Pp
Followings are the list of encryption algorithms that can be used as
.Ar ealgo
@@ -745,8 +750,9 @@
spdadd 10.0.11.41/32[21] 10.0.11.33/32[any] any
-P out ipsec esp/tunnel/192.168.0.1-192.168.1.2/require ;
+add 10.1.10.34 10.1.10.36 tcp 0x1000 -A tcp-md5 "TCP-MD5 BGP secret" ;
.Ed
.\"
.Sh SEE ALSO
.Xr ipsec_set_policy 3 ,
Index: src/crypto/dist/ipsec-tools/src/setkey/token.l
===================================================================
RCS file: /cvsroot/ipsec-tools/ipsec-tools/src/setkey/token.l,v
retrieving revision 1.12
diff -U4 -r1.12 token.l
--- token.l 23 Jan 2005 19:38:47 -0000 1.12
+++ token.l 8 Apr 2005 15:05:23 -0000
@@ -174,8 +174,13 @@
ah-old { yylval.num = 1; return(PR_AH); }
esp-old { yylval.num = 1; return(PR_ESP); }
esp-udp { yylval.num = 0; return(PR_ESPUDP); }
ipcomp { yylval.num = 0; return(PR_IPCOMP); }
+tcp {
+#ifdef SADB_X_SATYPE_TCPSIGNATURE
+ yylval.num = 0; return(PR_TCP);
+#endif
+ }
/* authentication alogorithm */
{hyphen}A { BEGIN S_AUTHALG; return(F_AUTH); }
<S_AUTHALG>hmac-md5 { yylval.num = SADB_AALG_MD5HMAC; BEGIN INITIAL; return(ALG_AUTH); }
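Review bot: When SADB_X_SATYPE_TCPSIGNATURE is not defined, the new `tcp` rule has an empty action, so the keyword is matched and silently discarded instead of reaching the generic STRING rule as it did before; a `spdadd ... tcp` upper-layer spec on such a kernel would then lose its protocol token. The action should fall back, in an `#else` branch, to whatever the file's existing STRING rule does so that `tcp` still lexes as a protocol name there. Separately, I see no `<S_AUTHALG>tcp-md5` rule in this diff although setkey.8 and pfkey_dump.c both introduce that algorithm name; if revision 1.12 does not already have one, the `-A tcp-md5` example in the manual page cannot be lexed.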
Index: src/crypto/dist/ipsec-tools/src/libipsec/pfkey.c
===================================================================
RCS file: /cvsroot/ipsec-tools/ipsec-tools/src/libipsec/pfkey.c,v
retrieving revision 1.11
diff -U4 -r1.11 pfkey.c
--- src/libipsec/pfkey.c 7 Jan 2005 14:22:31 -0000 1.11
+++ src/libipsec/pfkey.c 9 Apr 2005 07:32:41 -0000
@@ -92,14 +92,21 @@
/*
* make and search supported algorithm structure.
*/
-static struct sadb_supported *ipsec_supported[] = { NULL, NULL, NULL, };
+static struct sadb_supported *ipsec_supported[] = { NULL, NULL, NULL,
+#ifdef SADB_X_SATYPE_TCPSIGNATURE
+ NULL,
+#endif
+};
static int supported_map[] = {
SADB_SATYPE_AH,
SADB_SATYPE_ESP,
SADB_X_SATYPE_IPCOMP,
+#ifdef SADB_X_SATYPE_TCPSIGNATURE
+ SADB_X_SATYPE_TCPSIGNATURE,
+#endif
};
static int
findsupportedmap(satype)
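Review bot: `ipsec_supported` is sized by a hand-maintained list of `NULL`s that must be kept in step with `supported_map`, and this change extends both under the same `#ifdef`, which is easy to get wrong next time an entry is added. Declaring `supported_map` first and then `static struct sadb_supported *ipsec_supported[sizeof(supported_map) / sizeof(supported_map[0])];` derives the length from the map and removes the conditional NULLs entirely. I cannot see `findsupportedmap` past its signature here, so I am assuming it relies on the two arrays having the same element count.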
@@ -1259,8 +1266,20 @@
__ipsec_errcode = EIPSEC_NO_ALGS;
return -1;
}
break;
+#ifdef SADB_X_AALG_TCP_MD5
+ case SADB_X_SATYPE_TCPSIGNATURE:
+ if (e_type != SADB_EALG_NONE) {
+ __ipsec_errcode = EIPSEC_INVAL_ALGS;
+ return -1;
+ }
+ if (a_type != SADB_X_AALG_TCP_MD5) {
+ __ipsec_errcode = EIPSEC_INVAL_ALGS;
+ return -1;
+ }
+ break;
+#endif
default:
__ipsec_errcode = EIPSEC_INVAL_SATYPE;
return -1;
}
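Review bot: The new `case SADB_X_SATYPE_TCPSIGNATURE:` is guarded by `#ifdef SADB_X_AALG_TCP_MD5`, while every other TCPSIGNATURE addition in this patch is guarded by `#ifdef SADB_X_SATYPE_TCPSIGNATURE`; on headers that define one macro but not the other this either fails to compile (the case label is unknown) or accepts the satype in `supported_map` and then rejects it here with EIPSEC_INVAL_SATYPE. The guard should be `#if defined(SADB_X_SATYPE_TCPSIGNATURE) && defined(SADB_X_AALG_TCP_MD5)` so the case exists exactly when both names do. The two consecutive checks return the same error and can be one condition, `if (e_type != SADB_EALG_NONE || a_type != SADB_X_AALG_TCP_MD5) {`. The enclosing function begins before this hunk.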
@@ -1542,8 +1561,11 @@
case SADB_SATYPE_UNSPEC:
case SADB_SATYPE_AH:
case SADB_SATYPE_ESP:
case SADB_X_SATYPE_IPCOMP:
+#ifdef SADB_X_SATYPE_TCPSIGNATURE
+ case SADB_X_SATYPE_TCPSIGNATURE:
+#endif
break;
default:
__ipsec_errcode = EIPSEC_INVAL_SATYPE;
return -1;
@@ -2013,8 +2035,11 @@
break;
case SADB_SATYPE_ESP:
case SADB_SATYPE_AH:
case SADB_X_SATYPE_IPCOMP:
+#ifdef SADB_X_SATYPE_TCPSIGNATURE
+ case SADB_X_SATYPE_TCPSIGNATURE:
+#endif
switch (msg->sadb_msg_type) {
case SADB_X_SPDADD:
case SADB_X_SPDDELETE:
case SADB_X_SPDGET:
Index: src/crypto/dist/ipsec-tools/src/libipsec/pfkey_dump.c
===================================================================
RCS file: /cvsroot/ipsec-tools/ipsec-tools/src/libipsec/pfkey_dump.c,v
retrieving revision 1.9
diff -U4 -r1.9 pfkey_dump.c
--- src/libipsec/pfkey_dump.c 4 Dec 2004 12:44:03 -0000 1.9
+++ src/libipsec/pfkey_dump.c 9 Apr 2005 07:32:42 -0000
@@ -127,8 +127,10 @@
"ospfv2",
"ripv2",
"mip",
"ipcomp",
+ "policy",
+ "tcp",
};
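Review bot: The `"policy"` and `"tcp"` entries are appended unconditionally to what looks like a table indexed by satype value (the surrounding names follow the PF_KEY satype numbering), so `"policy"` must sit at exactly the index of SADB_X_SATYPE_POLICY for `"tcp"` to land on SADB_X_SATYPE_TCPSIGNATURE; nothing in the hunk states that invariant. A comment above the table, `/* indexed by SADB_*SATYPE_* value; order must match the kernel's numbering */`, would make the positional dependency explicit for the next person who adds an entry. The table's declaration and any bounds check on the index are outside this hunk, so I cannot confirm how out-of-range values are handled.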
static char *str_mode[] = {
"any",
@@ -149,8 +151,11 @@
{ SADB_AALG_SHA1HMAC, "hmac-sha1", },
{ SADB_X_AALG_MD5, "md5", },
{ SADB_X_AALG_SHA, "sha", },
{ SADB_X_AALG_NULL, "null", },
+#ifdef SADB_X_AALG_TCP_MD5
+ { SADB_X_AALG_TCP_MD5, "tcp-md5", },
+#endif
#ifdef SADB_X_AALG_SHA2_256
{ SADB_X_AALG_SHA2_256, "hmac-sha2-256", },
#endif
#ifdef SADB_X_AALG_SHA2_384
--
Emmanuel Dreyfus
manu@netbsd.org