From: Dietmar E. <die...@gm...> - 2005-07-29 04:11:30
I got problems using the 'null' authentication algorithm for static SA setup via the setkey command on linux 2.6.12. When I specify:

    setkey -c add 192.168.1.1 192.168.1.2 ah 256 -A null;

the appropriate SADB_ADD msg looks like this:

    15:19:31.039729
    00000000: 02 03 00 02 0c 00 00 00 00 00 00 00 2c 2e 00 00
    00000010: 02 00 01 00 00 00 01 00 00 00 fb 00 40 00 00 00
    00000020: 02 00 13 00 00 00 00 00 00 00 00 00 00 00 00 00
    00000030: 03 00 05 00 ff 20 00 00 02 00 00 00 c0 a8 01 01
    00000040: 00 00 00 00 00 00 00 00 03 00 06 00 ff 20 00 00
    00000050: 02 00 00 00 c0 a8 01 02 00 00 00 00 00 00 00 00
    sadb_msg{ version=2 type=3 errno=0 satype=2 len=12 reserved=0 seq=0 pid=11820
      sadb_ext{ len=2 type=1 }
      sadb_sa{ spi=256 replay=0 state=0 auth=251 encrypt=0 flags=0x00000040 }
      sadb_ext{ len=2 type=19 }
      sadb_x_sa2{ mode=0 reqid=0 reserved1=0 reserved2=0 sequence=0 }
      sadb_ext{ len=3 type=5 }
      sadb_address{ proto=255 prefixlen=32 reserved=0x0000 }
      sockaddr{ len=16 family=2 port=0 c0a80101 }
      sadb_ext{ len=3 type=6 }
      sadb_address{ proto=255 prefixlen=32 reserved=0x0000 }
      sockaddr{ len=16 family=2 port=0 c0a80102 }

The kernel pfkeyv2 handler returns with errno set to EINVAL:

    15:19:31.055247
    00000000: 02 03 16 02 02 00 00 00 00 00 00 00 2c 2e 00 00
    sadb_msg{ version=2 type=3 errno=22 satype=2 len=2 reserved=0 seq=0 pid=11820

This happens because the function xfrm_state_add() (called by pfkey_process() -> pfkey_add()) checks that the SADB_ADD msg has an extension header SADB_EXT_KEY_AUTH. The setkey command doesn't generate this extension header in the case the 'null' auth algo is used. The patch below changes that.

I'm aware of the fact that there is no RFC for the 'null' auth algo (it is briefly mentioned in RFC2402 paragraph 2.2 though) and that the setkey manpage mentions it only as being for debugging purposes. But I think that this debugging should include the possibility to set up such SAs using the 'null' auth algo. Any comments appreciated!
Thanks -- Dietmar

Patch against HEAD:

--- ipsec-tools/src/setkey/parse.y 2005-06-29 02:12:37.000000000 -0700 +++ ipsec-tools_null_auth/src/setkey/parse.y 2005-07-28 12:28:40.000000000 -0700 @@ -471,7 +471,7 @@ p_alg_auth = $1; p_key_auth_len = 0; - p_key_auth = NULL; + p_key_auth = ""; } ;
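Review bot: the change turns "no auth key" into "zero-length auth key" only through the pointer now being non-NULL while p_key_auth_len stays 0, so whatever later decides to emit SADB_EXT_KEY_AUTH must test the pointer, not the length; a comment on the `p_key_auth = "";` line stating that a zero-length key extension is deliberately sent for 'null' because the kernel rejects an AH SADB_ADD without one would keep the next reader from reverting it. Also worth checking that nothing on this path hands p_key_auth to free(), since it now points at a string literal rather than allocated memory.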
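As an added illustration (not code from the mail or from ipsec-tools), the Python below decodes the SADB_ADD message from the dump above, models in simplified form the check described in the mail (an AH SADB_ADD without SADB_EXT_KEY_AUTH is rejected with EINVAL), and builds the zero-length key extension that the patch makes setkey emit for 'null'. It assumes little-endian host byte order (as in the x86 dump) and the standard PF_KEYv2 constants from RFC 2367; the check is a model of the rule, not the kernel's code.

```python
import struct

# PF_KEYv2 constants (RFC 2367 / linux/pfkeyv2.h)
SADB_ADD, SADB_SATYPE_AH, EINVAL = 3, 2, 22
SADB_EXT_SA, SADB_EXT_KEY_AUTH = 1, 3
SADB_EXT_ADDRESS_SRC, SADB_EXT_ADDRESS_DST, SADB_X_EXT_SA2 = 5, 6, 19

# Constructed from the hex dump in the mail above (x86 host byte order).
SADB_ADD_NULL_AUTH = bytes.fromhex(
    "02030002 0c000000 00000000 2c2e0000"                       # sadb_msg
    "02000100 00000100 0000fb00 40000000"                       # sadb_sa
    "02001300 00000000 00000000 00000000"                       # sadb_x_sa2
    "03000500 ff200000 02000000 c0a80101 00000000 00000000"     # src addr
    "03000600 ff200000 02000000 c0a80102 00000000 00000000"     # dst addr
)

def parse_msg(buf):
    """Split a PF_KEYv2 message into its header and {ext_type: payload}."""
    if len(buf) < 16:
        raise ValueError("short sadb_msg")
    ver, mtype, errno, satype, mlen, _res, seq, pid = struct.unpack_from("<BBBBHHII", buf, 0)
    if mlen * 8 != len(buf):
        raise ValueError("sadb_msg.len does not match buffer size")
    exts, off = {}, 16
    while off < len(buf):
        ext_len, ext_type = struct.unpack_from("<HH", buf, off)   # len in 64-bit units
        nbytes = ext_len * 8
        if ext_len == 0 or off + nbytes > len(buf):
            raise ValueError("bad extension length at offset %d" % off)
        exts[ext_type] = buf[off + 4:off + nbytes]
        off += nbytes
    return dict(version=ver, type=mtype, errno=errno, satype=satype, seq=seq, pid=pid), exts

def check_add(buf):
    """Model of the kernel rule from the mail: 0 on success, else the errno replied."""
    hdr, exts = parse_msg(buf)
    if hdr["type"] != SADB_ADD or SADB_EXT_SA not in exts:
        return EINVAL
    if hdr["satype"] == SADB_SATYPE_AH and SADB_EXT_KEY_AUTH not in exts:
        return EINVAL
    return 0

def sadb_key_ext(key):
    """sadb_key header (len, exttype, bits, reserved) plus key padded to 8 bytes."""
    body = key + b"\0" * (-len(key) % 8)
    return struct.pack("<HHHH", (8 + len(body)) // 8, SADB_EXT_KEY_AUTH, len(key) * 8, 0) + body

def with_key_auth(buf, key=b""):
    """Append a key-auth extension (zero-length for 'null') and fix up sadb_msg.len."""
    new = bytearray(buf + sadb_key_ext(key))
    struct.pack_into("<H", new, 4, len(new) // 8)
    return bytes(new)
```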