---Problem Description---
userspace (setkey) is not able to add aes-ctr algorithm. aes-ctr definition needs to be added to xfrm_nalgo.c. It is in xfrm_algo.c, but not in xfrm_nalgo.c

---uname output---
2.6.18-88.el5

Machine Type = i386

---Steps to Reproduce---
The problem is on all platforms/architectures. To reproduce, configure ipsec via setkey with,

    spdflush;
    flush;
    add fc00:0:0:105::35 fc00:0:0:105::64 esp 35590 -m transport -E aes-ctr "ipv6readylogaescin01" -A aes-xcbc-mac "ipv6readaesxin01";
    add fc00:0:0:105::64 fc00:0:0:105::35 esp 12360 -m transport -E aes-ctr "ipv6readylogaescin01" -A aes-xcbc-mac "ipv6readaesxin01";
    spdadd ::/0 ::/0 icmp6 135,0 -P in none;
    spdadd ::/0 ::/0 icmp6 135,0 -P out none;
    spdadd -6 fc00:0:0:105::35 fc00:0:0:105::64 any -P in ipsec esp/transport//require;
    spdadd -6 fc00:0:0:105::64 fc00:0:0:105::35 any -P out ipsec esp/transport//require;

setkey fails to add the SA since ipsec kernel doesn't recognize this algorithm.

I have tested a patch against RHEL5.2 snapshot 3 with the 88 kernel from dzickus and it appears to work fine. 18 hour stress test completed successfully between i386 and ppc64. Had aes-ctr and aes-xcbc-mac configured for ipsec via manual keying between two machines sending tcp and udp packets of varying sizes.
Created attachment 301582
Add aes-ctr definition to list of ipsec algorithms to be used in xfrm_nalgo.c.
Looks good, and it's upstream. I'll smoke test/post later today. Neil
I do note that in the upstream commit an entry to the sadb list was added and is left out of the supplied backport. Why did you skip defining SADB_X_EALG_AESCTR?
nm, I see it was already added previously as part of another patch. That seems a bit odd, but at least it's there.
in kernel-2.6.18-90.el5. You can download this test kernel from http://people.redhat.com/dzickus/el5
------- Comment From latten.com 2008-04-23 17:06 EDT------- Successfully verified in 90 kernel.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2008-0314.html