[Ipsec-tools-devel] Problems setting static SA with 'null' auth algo via setkey on linux 2.6.12

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

I got problems using the 'null' authentication algorithm for static SA setup via setkey command on linux 2.6.12.

When I specify:

setkey -c
	add 192.168.1.1 192.168.1.2 ah 256 -A null;

the appropriate SADB_ADD msg looks like this:

15:19:31.039729
00000000: 02 03 00 02 0c 00 00 00 00 00 00 00 2c 2e 00 00
00000010: 02 00 01 00 00 00 01 00 00 00 fb 00 40 00 00 00
00000020: 02 00 13 00 00 00 00 00 00 00 00 00 00 00 00 00
00000030: 03 00 05 00 ff 20 00 00 02 00 00 00 c0 a8 01 01
00000040: 00 00 00 00 00 00 00 00 03 00 06 00 ff 20 00 00
00000050: 02 00 00 00 c0 a8 01 02 00 00 00 00 00 00 00 00
sadb_msg{ version=2 type=3 errno=0 satype=2
  len=12 reserved=0 seq=0 pid=11820
sadb_ext{ len=2 type=1 }
sadb_sa{ spi=256 replay=0 state=0
  auth=251 encrypt=0 flags=0x00000040 }
sadb_ext{ len=2 type=19 }
sadb_x_sa2{ mode=0 reqid=0
  reserved1=0 reserved2=0 sequence=0 }
sadb_ext{ len=3 type=5 }
sadb_address{ proto=255 prefixlen=32 reserved=0x0000 }
sockaddr{ len=16 family=2 port=0
 c0a80101  }
sadb_ext{ len=3 type=6 }
sadb_address{ proto=255 prefixlen=32 reserved=0x0000 }
sockaddr{ len=16 family=2 port=0
 c0a80102  }

The kernel pfkeyv2 handler returns with errno set to EINVAL: 

15:19:31.055247
00000000: 02 03 16 02 02 00 00 00 00 00 00 00 2c 2e 00 00
sadb_msg{ version=2 type=3 errno=22 satype=2
  len=2 reserved=0 seq=0 pid=11820

because the function xfrm_state_add() (called by pfkey_process() -> pfkey_add()) checks that the SADB_ADD msg has an extention header SADB_EXT_KEY_AUTH.
The setkey command doesn't generate this extension header in the case the 'null' auth algo is used.

The patch below changes that.

I'm aware of the fact, that there is no RFC for the 'null' auth algo (it is shortly mentioned in RFC2402 paragraph 2.2 though) and that the setkey manpage is mentioning it only to be used for debugging purposes.
But I think that this debugging should include the possibilty to setup such SA's using the 'null' auth algo.

Any comments appreciated!

Thanks

-- Dietmar

Patch against HEAD:

--- ipsec-tools/src/setkey/parse.y	2005-06-29 02:12:37.000000000 -0700
+++ ipsec-tools_null_auth/src/setkey/parse.y	2005-07-28 12:28:40.000000000 -0700
@@ -471,7 +471,7 @@
 			p_alg_auth = $1;
 
 			p_key_auth_len = 0;
-			p_key_auth = NULL;
+			p_key_auth = "";
 		}
 	;
 


