Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
For bugs related to Red Hat Enterprise Linux 5 product line. The current stable release is 5.10. For Red Hat Enterprise Linux 6 and above, please visit Red Hat JIRA https://issues.redhat.com/secure/CreateIssue!default.jspa?pid=12332745 to report new issues.

Bug 441425

Summary: IPV6DOD: aes-ctr definition needs to be added to xfrm_nalgo.c
Product: Red Hat Enterprise Linux 5 Reporter: IBM Bug Proxy <bugproxy>
Component: kernelAssignee: Neil Horman <nhorman>
Status: CLOSED ERRATA QA Contact: Martin Jenner <mjenner>
Severity: high Docs Contact:
Priority: high    
Version: 5.2CC: herbert.xu, lwang, tgraf
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: All   
Whiteboard:
Fixed In Version: RHBA-2008-0314 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-05-21 15:14:02 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Add aes-ctr definition to list of ipsec algorithms to be used in xfrm_nalgo.c. none

Description IBM Bug Proxy 2008-04-08 00:48:33 UTC 
---Problem Description---
userspace (setkey) is not able to add aes-ctr algorithm. aes-ctr definition
needs to be added to xfrm_nalgo.c. It is in xfrm_algo.c, but not in xfrm_nalgo.c 
 
---uname output---
2.6.18-88.el5
 
Machine Type = i386
 
---Steps to Reproduce---
 
The problem is on all platforms/architectures.

To reproduce, configure ipsec via setkey with,

spdflush;
flush;

add fc00:0:0:105::35 fc00:0:0:105::64 esp 35590
-m transport
-E aes-ctr "ipv6readylogaescin01"
-A aes-xcbc-mac "ipv6readaesxin01";

add fc00:0:0:105::64 fc00:0:0:105::35 esp 12360
-m transport
-E aes-ctr "ipv6readylogaescin01"
-A aes-xcbc-mac "ipv6readaesxin01";

spdadd ::/0 ::/0 icmp6 135,0 -P in none;
spdadd ::/0 ::/0 icmp6 135,0 -P out none;

spdadd -6 fc00:0:0:105::35 fc00:0:0:105::64 any
-P in ipsec
esp/transport//require;

spdadd -6 fc00:0:0:105::64 fc00:0:0:105::35 any
-P out ipsec
esp/transport//require;

setkey fails to add the SA since ipsec kernel doesn't recognize this algorithm.

I have tested a patch against RHEL5.2 snapshot 3 with the 88 kernel from dzickus and it appears to
work fine.

18 hour stress test completed successfully between i386 and ppc64.
Had aes-ctr and aes-xcbc-mac configured for ipsec via manual keying
between two machines sending tcp and udp packets of varying sizes.
Comment 1 IBM Bug Proxy 2008-04-08 00:48:35 UTC 
Created attachment 301582 [details]
Add aes-ctr definition to list of ipsec algorithms to be used in xfrm_nalgo.c.
Comment 3 Neil Horman 2008-04-10 15:50:28 UTC 
Looks good, and its upstream.  I'll smoke test/post later today.
Neil
Comment 4 Neil Horman 2008-04-10 16:09:27 UTC 
I do note that in the upstream commit an entry to the sadb list was added and is
left out of the supplied backport, why did you skip defining SADB_X_EALG_AESCTR?
Comment 6 Neil Horman 2008-04-10 18:53:16 UTC 
nm, I see it was already added previously as part of another patch.  That seems
a bit odd, but at least its there
Comment 7 Don Zickus 2008-04-16 20:50:46 UTC 
in kernel-2.6.18-90.el5
You can download this test kernel from http://people.redhat.com/dzickus/el5
Comment 9 IBM Bug Proxy 2008-04-23 21:08:54 UTC 
------- Comment From latten.com 2008-04-23 17:06 EDT-------
Successfully verified in 90 kernel.
Comment 11 errata-xmlrpc 2008-05-21 15:14:02 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0314.html