Bug 441425 - IPV6DOD: aes-ctr definition needs to be added to xfrm_nalgo.c
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: kernel
5.2
All All
high Severity high
: rc
Assigned To: Neil Horman
Martin Jenner
Reported: 2008-04-07 20:48 EDT by IBM Bug Proxy
Modified: 2008-05-21 11:14 EDT (History)
Fixed In Version: RHBA-2008-0314
Doc Type: Bug Fix
Last Closed: 2008-05-21 11:14:02 EDT
Add aes-ctr definition to list of ipsec algorithms to be used in xfrm_nalgo.c. (710 bytes, text/plain)
2008-04-07 20:48 EDT, IBM Bug Proxy
External Trackers
Tracker ID Priority Status Summary Last Updated
IBM Linux Technology Center 43853 None None None Never

Description IBM Bug Proxy 2008-04-07 20:48:33 EDT
---Problem Description---
userspace (setkey) is not able to add aes-ctr algorithm. aes-ctr definition
needs to be added to xfrm_nalgo.c. It is in xfrm_algo.c, but not in xfrm_nalgo.c 
 
---uname output---
2.6.18-88.el5
 
Machine Type = i386
 
---Steps to Reproduce---
 
The problem is on all platforms/architectures.

To reproduce, configure ipsec via setkey with,

spdflush;
flush;

add fc00:0:0:105::35 fc00:0:0:105::64 esp 35590
-m transport
-E aes-ctr "ipv6readylogaescin01"
-A aes-xcbc-mac "ipv6readaesxin01";

add fc00:0:0:105::64 fc00:0:0:105::35 esp 12360
-m transport
-E aes-ctr "ipv6readylogaescin01"
-A aes-xcbc-mac "ipv6readaesxin01";

spdadd ::/0 ::/0 icmp6 135,0 -P in none;
spdadd ::/0 ::/0 icmp6 135,0 -P out none;

spdadd -6 fc00:0:0:105::35 fc00:0:0:105::64 any
-P in ipsec
esp/transport//require;

spdadd -6 fc00:0:0:105::64 fc00:0:0:105::35 any
-P out ipsec
esp/transport//require;

setkey fails to add the SA since ipsec kernel doesn't recognize this algorithm.

I have tested a patch against RHEL5.2 snapshot 3 with the 88 kernel from dzickus and it appears to
work fine.

18 hour stress test completed successfully between i386 and ppc64.
Had aes-ctr and aes-xcbc-mac configured for ipsec via manual keying
between two machines sending tcp and udp packets of varying sizes.
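
Added example (not part of the bug report or the attached patch): once the kernel accepts aes-ctr, a wrong key length is the other common reason an `add` statement is rejected, so this Python check validates the key material in the reproduction steps. The length table is an assumption taken from RFC 3686 (AES key plus 4-byte nonce for aes-ctr) and RFC 3566 (128-bit key for aes-xcbc-mac); `KEY_BYTES`, `key_length` and `check_sas` are illustrative names.

```python
import re

# Accepted key-material lengths in bytes. Assumption, not from the report:
# RFC 3686 aes-ctr = AES key (16/24/32) + 4-byte nonce; RFC 3566 xcbc = 16.
KEY_BYTES = {"aes-ctr": {20, 28, 36}, "aes-xcbc-mac": {16}}

# Constructed sample: the two `add` statements from the reproduction steps.
SAMPLE = '''
add fc00:0:0:105::35 fc00:0:0:105::64 esp 35590
-m transport
-E aes-ctr "ipv6readylogaescin01"
-A aes-xcbc-mac "ipv6readaesxin01";
add fc00:0:0:105::64 fc00:0:0:105::35 esp 12360
-m transport
-E aes-ctr "ipv6readylogaescin01"
-A aes-xcbc-mac "ipv6readaesxin01";
'''

# add [-46n] src dst protocol spi ...
ADD_RE = re.compile(r'\s*add\s+(?:-\S+\s+)*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)')
# -E/-A followed by an algorithm name and a quoted or 0x-hex key
ALG_RE = re.compile(r'(?<!\S)-([EA])\s+(\S+)\s+(?:"([^"]*)"|0x([0-9a-fA-F]+))')

def key_length(quoted, hexstr):
    """Length in bytes of a quoted ASCII key or a 0x-prefixed hex key."""
    if quoted is not None:
        return len(quoted.encode("ascii"))
    return len(bytes.fromhex(hexstr))  # ValueError on an odd digit count

def check_sas(conf):
    """Return (spi, flag, algorithm, key_bytes, ok) per -E/-A option.

    ok is None for algorithms missing from KEY_BYTES (not checked here).
    """
    results = []
    # Simplification: statements are split on ';', so a ';' inside a quoted
    # key is not supported.
    for stmt in conf.split(";"):
        add = ADD_RE.match(stmt)
        if not add:
            continue  # spdadd, flush, spdflush and blank statements
        spi = add.group(4)
        for m in ALG_RE.finditer(stmt):
            flag, alg, quoted, hexstr = m.groups()
            size = key_length(quoted, hexstr)
            allowed = KEY_BYTES.get(alg)
            ok = None if allowed is None else size in allowed
            results.append((spi, flag, alg, size, ok))
    return results
```

The 20-character aes-ctr key in the report is a 16-byte AES key followed by the 4-byte nonce, which is why it is longer than the 16-character aes-xcbc-mac key.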
Comment 1 IBM Bug Proxy 2008-04-07 20:48:35 EDT
Created attachment 301582 [details]
Add aes-ctr definition to list of ipsec algorithms to be used in xfrm_nalgo.c.
Comment 3 Neil Horman 2008-04-10 11:50:28 EDT
Looks good, and it's upstream.  I'll smoke test/post later today.
Neil
Comment 4 Neil Horman 2008-04-10 12:09:27 EDT
I do note that in the upstream commit an entry to the sadb list was added and is
left out of the supplied backport. Why did you skip defining SADB_X_EALG_AESCTR?
Comment 6 Neil Horman 2008-04-10 14:53:16 EDT
nm, I see it was already added previously as part of another patch.  That seems
a bit odd, but at least it's there.
Comment 7 Don Zickus 2008-04-16 16:50:46 EDT
in kernel-2.6.18-90.el5
You can download this test kernel from http://people.redhat.com/dzickus/el5
Comment 9 IBM Bug Proxy 2008-04-23 17:08:54 EDT
------- Comment From latten@us.ibm.com 2008-04-23 17:06 EDT-------
Successfully verified in 90 kernel.
Comment 11 errata-xmlrpc 2008-05-21 11:14:02 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0314.html
