openswan's ikev2 daemon should negotiate CCM algorithm.
Contact Information = Joy Latten <firstname.lastname@example.org>
Machine Type = lpar
---Steps to Reproduce---
ikev2 is not aware of CCM algorithm. See rfc 4309
---Base System Tools Component Data---
Userspace tool common name: openswan ikev2
The userspace tool has the following bit modes: 32
Userspace rpm: openswan-2.6.09-1.el5.ppc.rpm
Created attachment 306757
Add CCM support to Openswan
This lets me use CCM with openswan. As I tried to minimise the changes to
Openswan, the syntax is a bit awkward. You have to specify something like
esp=aes-ccm-a-152-null for it to work, where a/b/c means ICV lengths 8, 12 and
16, and 152 is the AES key length 128 plus a fixed 24 bits of nonce (and the
null needs to be there to prevent Openswan from sticking in an additional auth
Since I don't have anything else to test against it is only known to
interoperate with itself.
One hunk did not apply against 2.6.12. Please verify my merge with 2.6.14rc4
Paul, if you could let me know where 2.6.14rc4 is then I'll verify it :)
Oops. Uploaded now :)
Note that this release also has some fixes in kernel_netlink.c (from #testing
merge). If you have the time to go over those, that would be great too.
OK I've had a look:
1) What happened to ikev2= in the config file? The parser no longer understands it.
2) AEAD is mutually exclusive with enckeylen. So unless you've changed it to
not set enckeylen when AEAD is in use, the AEAD test in kernel_netlink's add_sa
needs to be before the enckeylen test and the latter needs to be in the else
clause (i.e., not AEAD).
I'll have a look at 1)
2) is indeed the failed hunk of your patch. I think you removed
for the else, but the diff did not show that, and I merged it in wrong.
I now changed it to:
aead = get_aead_alg(sa->encalg);
Oh I see. Did you apply my patch to support NULL encryption? That's the one
which removed the enckeylen check. Thanks!
Created attachment 307268
Resync 14rc5 with my patches
This is the merge of all my patches for 12 for 14rc5. Note that I killed
AUTH_NULL because it's not meant to be included in the proposal. That is, the
absence of an integ transform is used to indicate NULL.
Thanks. I just completed double checking my merge and found the problem of the
ikev2 keyword missing (and some other merge artifacts due to merging in #testing
with overlapip support). I will verify everything with your patch, and then put
out a 2.6.14rc6.
Thanks for your work Herbert!
It's available now:
The upload had been aborted partially.
This has now been fixed in the new uploaded version
Please use attached patch against rc6
Created attachment 307319
SADB_EALG_MAX and sadb_x_lifetime_packets fix
Author: Paul Wouters <email@example.com>
Date: Sun Jun 1 16:18:17 2008 -0400
SADB_EALG_MAX -> K_SADB_EALG_MAX fix
Added sadb_x_lifetime_packets to struct sadb_lifetime
2.6.14rc7-1 was built to address the bug being reported.
------- Comment From firstname.lastname@example.org 2008-06-05 16:47 EDT-------
I verified ccm support in openswan-2.6.14rc10 from openswan.org between an i386
and ppc machine.
------- Comment From email@example.com 2008-06-05 16:53 EDT-------
BTW, I wanted to document that the ESP Algorithm identifier line that I had to
use was a little different than what was reported earlier in the bug report. I
had to use:
as opposed to:
The only difference is a few '_' characters in place of some '-' characters
Sorry, my bad. Yes, only underscores can appear in the encryption part of the
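To make the esp= syntax from Herbert's first comment and the underscore correction above concrete, here is an added example parser (not Openswan's own code). It assumes the form `<enc>-<keylen>-<integ>` with the CCM token written `aes_ccm_<a|b|c>`, ICV sizes of 8/12/16 bytes for a/b/c, 24 fixed nonce bits counted in keylen, and `null` as the required integ part for AEAD; the dict keys and the `ikev2_transforms` helper are this example's own naming.

```python
# Assumed syntax (from this bug): "<enc>-<keylen>-<integ>". The CCM cipher token
# is "aes_ccm_<a|b|c>" (underscores only), a/b/c = ICV of 8/12/16 bytes, and
# keylen counts 24 fixed nonce bits on top of the AES key (152 = 128 + 24).
CCM_ICV_BYTES = {"a": 8, "b": 12, "c": 16}
CCM_NONCE_BITS = 24
AES_KEY_BITS = (128, 192, 256)

class EspSyntaxError(ValueError):
    """Raised for an esp= string this parser cannot accept."""

def parse_esp(spec):
    """Describe one ESP algorithm string, e.g. "aes_ccm_a-152-null"."""
    parts = spec.strip().lower().split("-")
    if len(parts) != 3:
        # "aes-ccm-a-152-null" fails here: the dashes split the cipher name.
        raise EspSyntaxError("expected <enc>-<keylen>-<integ>, got %r" % spec)
    enc, keylen_s, integ = parts
    if not keylen_s.isdigit():
        raise EspSyntaxError("key length must be numeric, got %r" % keylen_s)
    keylen = int(keylen_s)
    if enc.startswith("aes_ccm_"):
        suffix = enc[len("aes_ccm_"):]
        if suffix not in CCM_ICV_BYTES:
            raise EspSyntaxError("CCM ICV selector must be a, b or c")
        key_bits = keylen - CCM_NONCE_BITS
        if key_bits not in AES_KEY_BITS:
            raise EspSyntaxError("CCM keylen must be an AES key size plus 24")
        if integ != "null":
            # CCM already authenticates; a separate integ algorithm is an error.
            raise EspSyntaxError("AEAD cipher must be paired with 'null' integ")
        # enckeylen stays unset for AEAD, which is why add_sa must test AEAD first.
        return {"cipher": "aes_ccm", "aead": True, "key_bits": key_bits,
                "icv_bytes": CCM_ICV_BYTES[suffix], "integ": None, "enckeylen": None}
    return {"cipher": enc, "aead": False, "key_bits": keylen, "icv_bytes": None,
            "integ": integ, "enckeylen": keylen}

def is_valid_esp(spec):
    try:
        parse_esp(spec)
    except EspSyntaxError:
        return False
    return True

def ikev2_transforms(alg):
    # Proposal transforms: an AEAD entry carries no INTEG transform, because
    # the absence of an integ transform is what signals NULL integrity.
    transforms = [("ENCR", alg["cipher"], alg["key_bits"])]
    if not alg["aead"]:
        transforms.append(("INTEG", alg["integ"]))
    return transforms
```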
~~ Attention - RHEL 5.4 Beta Released! ~~
RHEL 5.4 Beta has been released! There should be a fix present in the Beta release that addresses this particular request. Please test and report back results here, at your earliest convenience. RHEL 5.4 General Availability release is just around the corner!
If you encounter any issues while testing Beta, please describe the issues you have encountered and set the bug into NEED_INFO. If you encounter new issues, please clone this bug to open a new issue and request it be reviewed for inclusion in RHEL 5.4 or a later update, if it is not of urgent severity.
Please do not flip the bug status to VERIFIED. Only post your verification results, and if available, update Verified field with the appropriate value.
Questions can be posted to this bug or your customer or partner representative.
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.