Bug 441425 - IPV6DOD: aes-ctr definition needs to be added to xfrm_nalgo.c
Summary: IPV6DOD: aes-ctr definition needs to be added to xfrm_nalgo.c
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: kernel
Version: 5.2
Hardware: All
OS: All
high
high
Target Milestone: rc
: ---
Assignee: Neil Horman
QA Contact: Martin Jenner
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-04-08 00:48 UTC by IBM Bug Proxy
Modified: 2008-05-21 15:14 UTC (History)
3 users (show)

Fixed In Version: RHBA-2008-0314
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-05-21 15:14:02 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)
Add aes-ctr definition to list of ipsec algorithms to be used in xfrm_nalgo.c. (710 bytes, text/plain)
2008-04-08 00:48 UTC, IBM Bug Proxy 		no flags Details
View All


Links
System ID Private Priority Status Summary Last Updated
IBM Linux Technology Center 43853 0 None None None Never
Red Hat Product Errata RHBA-2008:0314 0 normal SHIPPED_LIVE Updated kernel packages for Red Hat Enterprise Linux 5.2 2008-05-20 18:43:34 UTC

Description IBM Bug Proxy 2008-04-08 00:48:33 UTC 
---Problem Description---
userspace (setkey) is not able to add aes-ctr algorithm. aes-ctr definition
needs to be added to xfrm_nalgo.c. It is in xfrm_algo.c, but not in xfrm_nalgo.c 
 
---uname output---
2.6.18-88.el5
 
Machine Type = i386
 
---Steps to Reproduce---
 
The problem is on all platforms/architectures.

To reproduce, configure ipsec via setkey with,

spdflush;
flush;

add fc00:0:0:105::35 fc00:0:0:105::64 esp 35590
-m transport
-E aes-ctr "ipv6readylogaescin01"
-A aes-xcbc-mac "ipv6readaesxin01";

add fc00:0:0:105::64 fc00:0:0:105::35 esp 12360
-m transport
-E aes-ctr "ipv6readylogaescin01"
-A aes-xcbc-mac "ipv6readaesxin01";

spdadd ::/0 ::/0 icmp6 135,0 -P in none;
spdadd ::/0 ::/0 icmp6 135,0 -P out none;

spdadd -6 fc00:0:0:105::35 fc00:0:0:105::64 any
-P in ipsec
esp/transport//require;

spdadd -6 fc00:0:0:105::64 fc00:0:0:105::35 any
-P out ipsec
esp/transport//require;

setkey fails to add the SA since ipsec kernel doesn't recognize this algorithm.

I have tested a patch against RHEL5.2 snapshot 3 with the 88 kernel from dzickus and it appears to
work fine.

18 hour stress test completed successfully between i386 and ppc64.
Had aes-ctr and aes-xcbc-mac configured for ipsec via manual keying
between two machines sending tcp and udp packets of varying sizes.
Comment 1 IBM Bug Proxy 2008-04-08 00:48:35 UTC 
Created attachment 301582 [details]
Add aes-ctr definition to list of ipsec algorithms to be used in xfrm_nalgo.c.
Comment 3 Neil Horman 2008-04-10 15:50:28 UTC 
Looks good, and its upstream.  I'll smoke test/post later today.
Neil
Comment 4 Neil Horman 2008-04-10 16:09:27 UTC 
I do note that in the upstream commit an entry to the sadb list was added and is
left out of the supplied backport, why did you skip defining SADB_X_EALG_AESCTR?
Comment 6 Neil Horman 2008-04-10 18:53:16 UTC 
nm, I see it was already added previously as part of another patch.  That seems
a bit odd, but at least its there
Comment 7 Don Zickus 2008-04-16 20:50:46 UTC 
in kernel-2.6.18-90.el5
You can download this test kernel from http://people.redhat.com/dzickus/el5
Comment 9 IBM Bug Proxy 2008-04-23 21:08:54 UTC 
------- Comment From latten.com 2008-04-23 17:06 EDT-------
Successfully verified in 90 kernel.
Comment 11 errata-xmlrpc 2008-05-21 15:14:02 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0314.html
Note You need to log in before you can comment on or make changes to this bug.