Subject: Re: bin/29915 Can't setkey for tcp-md5 anymore
To: None <gnats-admin@netbsd.org, netbsd-bugs@netbsd.org>
From: Emmanuel Dreyfus <manu@netbsd.org>
List: netbsd-bugs
Date: 04/08/2005 21:18:01
The following reply was made to PR bin/29915; it has been noted by GNATS.
From: manu@netbsd.org (Emmanuel Dreyfus)
To: gnats-bugs@netbsd.org
Cc: peter@boku.net
Subject: Re: bin/29915 Can't setkey for tcp-md5 anymore
Date: Fri, 8 Apr 2005 23:17:54 +0200
The following patch should fix it. Apply it that way:
cd src/crypto/dist/ipsec-tools/src/setkey
patch < tcpmd5.patch
And tell me if it fixes your problem.
Index: parse.y
===================================================================
RCS file: /cvsroot/ipsec-tools/ipsec-tools/src/setkey/parse.y,v
retrieving revision 1.19
diff -U4 -r1.19 parse.y
--- parse.y 23 Jan 2005 19:38:47 -0000 1.19
+++ parse.y 8 Apr 2005 15:05:22 -0000
@@ -119,9 +119,9 @@
}
%token EOT SLASH BLCL ELCL
%token ADD GET DELETE DELETEALL FLUSH DUMP EXIT
-%token PR_ESP PR_AH PR_IPCOMP PR_ESPUDP
+%token PR_ESP PR_AH PR_IPCOMP PR_ESPUDP PR_TCP
%token F_PROTOCOL F_AUTH F_ENC F_REPLAY F_COMP F_RAWCPI
%token F_MODE MODE F_REQID
%token F_EXT EXTENSION NOCYCLICSEQ
%token ALG_AUTH ALG_AUTH_NOKEY
@@ -291,8 +291,14 @@
p_ext &= ~SADB_X_EXT_OLD;
p_natt_oa = $2;
p_natt_type = UDP_ENCAP_ESPINUDP;
}
+ | PR_TCP
+ {
+#ifdef SADB_X_SATYPE_TCPSIGNATURE
+ $$ = SADB_X_SATYPE_TCPSIGNATURE;
+#endif
+ }
;
spi
: DECSTRING { p_spi = $1; }
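Review bot: when SADB_X_SATYPE_TCPSIGNATURE is not defined, the PR_TCP alternative has an empty action, so `$$` is never assigned and the SA type is left uninitialized; the grammar then silently carries garbage instead of rejecting the line. Add an `#else` branch that reports the unsupported type, for example `#else yyerror("tcp SA type not supported on this platform"); return -1;`, so an unsupported `tcp` keyword fails loudly at parse time. Also note that the preceding alternatives (PR_ESPUDP above) reset `p_ext` and related state; confirm that no leftover state from the previous SA needs clearing here.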
Index: setkey.8
===================================================================
RCS file: /cvsroot/ipsec-tools/ipsec-tools/src/setkey/setkey.8,v
retrieving revision 1.11
diff -U4 -r1.11 setkey.8
--- setkey.8 23 Jan 2005 19:38:47 -0000 1.11
+++ setkey.8 8 Apr 2005 15:05:23 -0000
@@ -285,8 +285,10 @@
.It Li ah-old
AH based on rfc1826
.It Li ipcomp
IPComp
+.It Li tcp
+TCP-MD5 based on rfc2385
.El
.\"
.Pp
.It Ar spi
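Review bot: the manual lists `tcp` as an unconditional protocol keyword, while parse.y and token.l in this same patch only accept it when SADB_X_SATYPE_TCPSIGNATURE is defined. Add a sentence saying the `tcp` type is only available on kernels that provide the TCP signature SA type, so users on other platforms understand the resulting syntax error. Style otherwise matches the neighbouring entry ("AH based on rfc1826").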
@@ -298,8 +300,10 @@
.Dq Li 0x
prefix.
SPI values between 0 and 255 are reserved for future use by IANA
and they cannot be used.
+TCP-MD5 associations must use 0x1000 and therefore only have per-host
+granularity at this time.
.\"
.Pp
.It Ar extensions
take some of the following:
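Review bot: "must use 0x1000 and therefore only have per-host granularity" states the rule without the reason; say that the SPI is fixed for this SA type (the lookup is by address pair only, with 0x1000 as the fixed SPI), and spell out the consequence: a single key covers every TCP session between the two addresses, so separate keys per peer port or per connection cannot be configured. That makes the "at this time" limitation concrete for operators deciding how to key multiple BGP sessions between the same hosts.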
@@ -661,8 +665,9 @@
hmac-ripemd160 160 ah: 96bit ICV (RFC2857)
ah-old: 128bit ICV (no document)
aes-xcbc-mac 128 ah: 96bit ICV (RFC3566)
128 ah-old: 128bit ICV (no document)
+tcp-md5 8 to 640 tcp: rfc2385
.Ed
.Pp
Followings are the list of encryption algorithms that can be used as
.Ar ealgo
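Review bot: the second column of this table is a key length in bits (compare `hmac-ripemd160 160` and `aes-xcbc-mac 128` in the same hunk), so "8 to 640" is consistent with RFC 2385's limit of 80 octets for the key, but a reader comparing with the string key in the example below has to do the conversion themselves; consider noting "(1 to 80 bytes)" in the comment column, and keep the RFC reference capitalised as "RFC2385" like the other rows in this table rather than "rfc2385".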
@@ -745,8 +750,9 @@
spdadd 10.0.11.41/32[21] 10.0.11.33/32[any] any
-P out ipsec esp/tunnel/192.168.0.1-192.168.1.2/require ;
+add 10.1.10.34 10.1.10.36 tcp 0x1000 -A tcp-md5 "TCP-MD5 BGP secret" ;
.Ed
.\"
.Sh SEE ALSO
.Xr ipsec_set_policy 3 ,
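Review bot: the example adds only one SA, from 10.1.10.34 to 10.1.10.36, yet segments flow in both directions and each direction is matched by its own address pair; show the reverse entry as well, `add 10.1.10.36 10.1.10.34 tcp 0x1000 -A tcp-md5 "TCP-MD5 BGP secret" ;`, or state explicitly that one entry covers both directions if that is the case. The new line is also appended inside the `.Bd` block that holds the unrelated `spdadd` policy example; a blank line or a separate example block would keep the SA example from reading as part of the policy example.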
Index: token.l
===================================================================
RCS file: /cvsroot/ipsec-tools/ipsec-tools/src/setkey/token.l,v
retrieving revision 1.12
diff -U4 -r1.12 token.l
--- token.l 23 Jan 2005 19:38:47 -0000 1.12
+++ token.l 8 Apr 2005 15:05:23 -0000
@@ -174,8 +174,13 @@
ah-old { yylval.num = 1; return(PR_AH); }
esp-old { yylval.num = 1; return(PR_ESP); }
esp-udp { yylval.num = 0; return(PR_ESPUDP); }
ipcomp { yylval.num = 0; return(PR_IPCOMP); }
+tcp {
+#ifdef SADB_X_SATYPE_TCPSIGNATURE
+ yylval.num = 0; return(PR_TCP);
+#endif
+ }
/* authentication alogorithm */
{hyphen}A { BEGIN S_AUTHALG; return(F_AUTH); }
<S_AUTHALG>hmac-md5 { yylval.num = SADB_AALG_MD5HMAC; BEGIN INITIAL;
return(ALG_AUTH); }
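Review bot: the `tcp` pattern is in the INITIAL start condition, unlike the `<S_AUTHALG>` patterns below it, so it now matches `tcp` wherever it appears, including as the upper-layer protocol of an `spdadd` line; check that the upper-layer-protocol rule in parse.y still accepts it (for example by also accepting PR_TCP there), otherwise existing policy files will start failing to parse. Second, when SADB_X_SATYPE_TCPSIGNATURE is undefined the action is empty and returns nothing, so flex swallows the `tcp` keyword and the parser sees the SPI directly, producing a confusing error at the wrong token; a `#ifdef` cannot exclude a rule in the rules section, so prefer returning PR_TCP unconditionally here and rejecting the unsupported type with a clear message in the parser action.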
--
Emmanuel Dreyfus
manu@netbsd.org