Subject: Re: bin/29915 Can't setkey for tcp-md5 anymore
To: None <gnats-admin@netbsd.org, netbsd-bugs@netbsd.org>
From: Emmanuel Dreyfus <manu@netbsd.org>
List: netbsd-bugs
Date: 04/09/2005 07:53:02
The following reply was made to PR bin/29915; it has been noted by GNATS.

From: Emmanuel Dreyfus <manu@netbsd.org>
To: Peter Eisch <peter@boku.net>
Cc: gnats-bugs@netbsd.org
Subject: Re: bin/29915 Can't setkey for tcp-md5 anymore
Date: Sat, 9 Apr 2005 07:52:49 +0000

 On Fri, Apr 08, 2005 at 09:41:12PM -0500, Peter Eisch wrote:
 > While the second patch didn't apply cleanly, it does get further.  With
 > tcpdump I don't see the md5's on the packets, though the dump below shows
 > many of the proper values of the IPs and it seems to have the value for the
 > auth type.  Is the 'Invalid SA type' because libipsec doesn't know about
 > proto tcp and the tcp-md5 algorithm?
 
 Yes, I found missing bits in libipsec.
 
 Try the following patch against HEAD
 It superseeds the previous one: start by cvs diff|patch -R, then  
 patch -p1 < tcpmd5.patch
 
 Index: src/crypto/dist/ipsec-tools/src/setkey/parse.y
 ===================================================================
 RCS file: /cvsroot/ipsec-tools/ipsec-tools/src/setkey/parse.y,v
 retrieving revision 1.19
 diff -U4 -r1.19 parse.y
 --- parse.y	23 Jan 2005 19:38:47 -0000	1.19
 +++ parse.y	8 Apr 2005 15:05:22 -0000
 @@ -119,9 +119,9 @@
  }
  
  %token EOT SLASH BLCL ELCL
  %token ADD GET DELETE DELETEALL FLUSH DUMP EXIT
 -%token PR_ESP PR_AH PR_IPCOMP PR_ESPUDP
 +%token PR_ESP PR_AH PR_IPCOMP PR_ESPUDP PR_TCP
  %token F_PROTOCOL F_AUTH F_ENC F_REPLAY F_COMP F_RAWCPI
  %token F_MODE MODE F_REQID
  %token F_EXT EXTENSION NOCYCLICSEQ
  %token ALG_AUTH ALG_AUTH_NOKEY
 @@ -139,9 +139,9 @@
  %type <num> prefix protocol_spec upper_spec
  %type <num> ALG_ENC ALG_ENC_DESDERIV ALG_ENC_DES32IV ALG_ENC_OLD ALG_ENC_NOKEY
  %type <num> ALG_AUTH ALG_AUTH_NOKEY
  %type <num> ALG_COMP
 -%type <num> PR_ESP PR_AH PR_IPCOMP PR_ESPUDP
 +%type <num> PR_ESP PR_AH PR_IPCOMP PR_ESPUDP PR_TCP
  %type <num> EXTENSION MODE
  %type <ulnum> DECSTRING
  %type <val> PL_REQUESTS portstr key_string
  %type <val> policy_requests
 @@ -291,8 +291,14 @@
  			p_ext &= ~SADB_X_EXT_OLD;
  			p_natt_oa = $2;
  			p_natt_type = UDP_ENCAP_ESPINUDP;
  		}
 +	|	PR_TCP
 +		{
 +#ifdef SADB_X_SATYPE_TCPSIGNATURE
 +			$$ = SADB_X_SATYPE_TCPSIGNATURE;
 +#endif
 +		}
  	;
  	
  spi
  	:	DECSTRING { p_spi = $1; }
 @@ -762,8 +762,13 @@
  
  upper_spec
  	:	DECSTRING { $$ = $1; }
  	|	ANY { $$ = IPSEC_ULPROTO_ANY; }
 +	|	PR_TCP { 
 +#ifdef SADB_X_SATYPE_TCPSIGNATURE
 +				$$ = IPPROTO_TCP; 
 +#endif
 +			}
  	|	STRING
  		{
  			struct protoent *ent;
  
 Index: src/crypto/dist/ipsec-tools/src/setkey/setkey.8
 ===================================================================
 RCS file: /cvsroot/ipsec-tools/ipsec-tools/src/setkey/setkey.8,v
 retrieving revision 1.11
 diff -U4 -r1.11 setkey.8
 --- setkey.8	23 Jan 2005 19:38:47 -0000	1.11
 +++ setkey.8	8 Apr 2005 15:05:23 -0000
 @@ -285,8 +285,10 @@
  .It Li ah-old
  AH based on rfc1826
  .It Li ipcomp
  IPComp
 +.It Li tcp
 +TCP-MD5 based on rfc2385
  .El
  .\"
  .Pp
  .It Ar spi
 @@ -298,8 +300,10 @@
  .Dq Li 0x
  prefix.
  SPI values between 0 and 255 are reserved for future use by IANA
  and they cannot be used.
 +TCP-MD5 associations must use 0x1000 and therefore only have per-host
 +granularity at this time.
  .\"
  .Pp
  .It Ar extensions
  take some of the following:
 @@ -661,8 +665,9 @@
  hmac-ripemd160	160		ah: 96bit ICV (RFC2857)
  				ah-old: 128bit ICV (no document)
  aes-xcbc-mac	128		ah: 96bit ICV (RFC3566)
  		128		ah-old: 128bit ICV (no document)
 +tcp-md5		8 to 640	tcp: rfc2385
  .Ed
  .Pp
  Followings are the list of encryption algorithms that can be used as
  .Ar ealgo
 @@ -745,8 +750,9 @@
  
  spdadd 10.0.11.41/32[21] 10.0.11.33/32[any] any
  	-P out ipsec esp/tunnel/192.168.0.1-192.168.1.2/require ;
  
 +add 10.1.10.34 10.1.10.36 tcp 0x1000 -A tcp-md5 "TCP-MD5 BGP secret" ;
  .Ed
  .\"
  .Sh SEE ALSO
  .Xr ipsec_set_policy 3 ,
 Index: src/crypto/dist/ipsec-tools/src/setkey/token.l
 ===================================================================
 RCS file: /cvsroot/ipsec-tools/ipsec-tools/src/setkey/token.l,v
 retrieving revision 1.12
 diff -U4 -r1.12 token.l
 --- token.l	23 Jan 2005 19:38:47 -0000	1.12
 +++ token.l	8 Apr 2005 15:05:23 -0000
 @@ -174,8 +174,13 @@
  ah-old		{ yylval.num = 1; return(PR_AH); }
  esp-old		{ yylval.num = 1; return(PR_ESP); }
  esp-udp		{ yylval.num = 0; return(PR_ESPUDP); }
  ipcomp		{ yylval.num = 0; return(PR_IPCOMP); }
 +tcp		{ 
 +#ifdef SADB_X_SATYPE_TCPSIGNATURE
 +			yylval.num = 0; return(PR_TCP); 
 +#endif
 +		}
  
  	/* authentication alogorithm */
  {hyphen}A	{ BEGIN S_AUTHALG; return(F_AUTH); }
  <S_AUTHALG>hmac-md5	{ yylval.num = SADB_AALG_MD5HMAC; BEGIN INITIAL; return(ALG_AUTH); }
 Index: src/crypto/dist/ipsec-tools/src/libipsec/pfkey.c
 ===================================================================
 RCS file: /cvsroot/ipsec-tools/ipsec-tools/src/libipsec/pfkey.c,v
 retrieving revision 1.11
 diff -U4 -r1.11 pfkey.c
 --- src/libipsec/pfkey.c	7 Jan 2005 14:22:31 -0000	1.11
 +++ src/libipsec/pfkey.c	9 Apr 2005 07:32:41 -0000
 @@ -92,14 +92,21 @@
  
  /*
   * make and search supported algorithm structure.
   */
 -static struct sadb_supported *ipsec_supported[] = { NULL, NULL, NULL, };
 +static struct sadb_supported *ipsec_supported[] = { NULL, NULL, NULL, 
 +#ifdef SADB_X_SATYPE_TCPSIGNATURE
 +    NULL,
 +#endif
 +};
  
  static int supported_map[] = {
  	SADB_SATYPE_AH,
  	SADB_SATYPE_ESP,
  	SADB_X_SATYPE_IPCOMP,
 +#ifdef SADB_X_SATYPE_TCPSIGNATURE
 +	SADB_X_SATYPE_TCPSIGNATURE,
 +#endif
  };
  
  static int
  findsupportedmap(satype)
 @@ -1259,8 +1266,20 @@
  			__ipsec_errcode = EIPSEC_NO_ALGS;
  			return -1;
  		}
  		break;
 +#ifdef SADB_X_AALG_TCP_MD5
 +	case SADB_X_SATYPE_TCPSIGNATURE:
 +		if (e_type != SADB_EALG_NONE) {
 +			__ipsec_errcode = EIPSEC_INVAL_ALGS;
 +			return -1;
 +		}
 +		if (a_type != SADB_X_AALG_TCP_MD5) {
 +			__ipsec_errcode = EIPSEC_INVAL_ALGS;
 +			return -1;
 +		}
 +		break;
 +#endif
  	default:
  		__ipsec_errcode = EIPSEC_INVAL_SATYPE;
  		return -1;
  	}
 @@ -1542,8 +1561,11 @@
  		case SADB_SATYPE_UNSPEC:
  		case SADB_SATYPE_AH:
  		case SADB_SATYPE_ESP:
  		case SADB_X_SATYPE_IPCOMP:
 +#ifdef SADB_X_SATYPE_TCPSIGNATURE
 +		case SADB_X_SATYPE_TCPSIGNATURE:
 +#endif
  			break;
  		default:
  			__ipsec_errcode = EIPSEC_INVAL_SATYPE;
  			return -1;
 @@ -2013,8 +2035,11 @@
  		break;
  	case SADB_SATYPE_ESP:
  	case SADB_SATYPE_AH:
  	case SADB_X_SATYPE_IPCOMP:
 +#ifdef SADB_X_SATYPE_TCPSIGNATURE
 +	case SADB_X_SATYPE_TCPSIGNATURE:
 +#endif
  		switch (msg->sadb_msg_type) {
  		case SADB_X_SPDADD:
  		case SADB_X_SPDDELETE:
  		case SADB_X_SPDGET:
 Index: src/crypto/dist/ipsec-tools/src/libipsec/pfkey_dump.c
 ===================================================================
 RCS file: /cvsroot/ipsec-tools/ipsec-tools/src/libipsec/pfkey_dump.c,v
 retrieving revision 1.9
 diff -U4 -r1.9 pfkey_dump.c
 --- src/libipsec/pfkey_dump.c	4 Dec 2004 12:44:03 -0000	1.9
 +++ src/libipsec/pfkey_dump.c	9 Apr 2005 07:32:42 -0000
 @@ -127,8 +127,10 @@
  	"ospfv2",
  	"ripv2",
  	"mip",
  	"ipcomp",
 +	"policy",
 +	"tcp",
  };
  
  static char *str_mode[] = {
  	"any",
 @@ -149,8 +151,11 @@
  	{ SADB_AALG_SHA1HMAC, "hmac-sha1", },
  	{ SADB_X_AALG_MD5, "md5", },
  	{ SADB_X_AALG_SHA, "sha", },
  	{ SADB_X_AALG_NULL, "null", },
 +#ifdef SADB_X_AALG_TCP_MD5
 +	{ SADB_X_AALG_TCP_MD5, "tcp-md5", },
 +#endif
  #ifdef SADB_X_AALG_SHA2_256
  	{ SADB_X_AALG_SHA2_256, "hmac-sha2-256", },
  #endif
  #ifdef SADB_X_AALG_SHA2_384
 -- 
 Emmanuel Dreyfus
 manu@netbsd.org