From ruben@helium.verweg.com  Thu Jan  4 13:52:19 2007
Return-Path: <ruben@helium.verweg.com>
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id DD2D016A403
	for <FreeBSD-gnats-submit@freebsd.org>; Thu,  4 Jan 2007 13:52:19 +0000 (UTC)
	(envelope-from ruben@helium.verweg.com)
Received: from helium.verweg.com (helium.xs4all.nl [194.109.251.55])
	by mx1.freebsd.org (Postfix) with ESMTP id 6AA6613C44B
	for <FreeBSD-gnats-submit@freebsd.org>; Thu,  4 Jan 2007 13:52:19 +0000 (UTC)
	(envelope-from ruben@helium.verweg.com)
Received: from helium.verweg.com (localhost.verweg.com [IPv6:::1])
	by helium.verweg.com (8.13.8/8.13.8) with ESMTP id l04DbWUX002165
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT)
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 4 Jan 2007 14:37:37 +0100 (CET)
	(envelope-from ruben@helium.verweg.com)
Received: (from ruben@localhost)
	by helium.verweg.com (8.13.8/8.13.8/Submit) id l04DbRDf002164;
	Thu, 4 Jan 2007 14:37:27 +0100 (CET)
	(envelope-from ruben)
Message-Id: <200701041337.l04DbRDf002164@helium.verweg.com>
Date: Thu, 4 Jan 2007 14:37:27 +0100 (CET)
From: Ruben van Staveren <ruben@verweg.com>
Reply-To: Ruben van Staveren <ruben@verweg.com>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: Inconsistency between tcp-md5 keylengths in IPSEC and FAST_IPSEC
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         107520
>Category:       kern
>Synopsis:       Inconsistency between tcp-md5 keylengths in IPSEC and FAST_IPSEC
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    bms
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jan 04 14:00:30 GMT 2007
>Closed-Date:    Thu Feb 08 12:46:42 GMT 2007
>Last-Modified:  Thu Feb  8 12:50:11 GMT 2007
>Originator:     Ruben van Staveren
>Release:        FreeBSD 6.2-PRERELEASE i386
>Organization:
>Environment:
System: FreeBSD helium.verweg.com 6.2-PRERELEASE FreeBSD 6.2-PRERELEASE #27: Thu Jan 4 13:59:46 CET 2007 root@helium.verweg.com:/usr/obj/usr/cvsup/6-stable/src/sys/HELIUM-SMP i386


	
>Description:

The use of

echo 'add 192.168.1.1 192.168.1.34 tcp 0x1000 -A tcp-md5 "1234567890abcdefghijk";' | setkey -c

is not consistent between kernels compiled with FAST_IPSEC (works) and IPSEC (key is too long).

Apparently, kernels with option IPSEC only accept keys of at most 10 characters in length for tcp-md5.

>How-To-Repeat:

echo 'add 192.168.1.1 192.168.1.34 tcp 0x1000 -A tcp-md5 "1234567890abcdefghijk";' | setkey -c

on kernels compiled with either

options	FAST_IPSEC

or

options IPSEC
options IPSEC_ESP

Both need to have

options         TCP_SIGNATURE           #include support for RFC 2385
device crypto

And "options IPSEC" additionally needs to have
device cryptodev

>Fix:

Either use FAST_IPSEC kernels or allow the same keylength limits for IPSEC
kernels
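
Added example (not part of the original report and not FreeBSD code): a shell function that reads setkey(8) commands and reports the byte length of each tcp-md5 key, flagging keys above the 10-character ceiling this PR reports for unpatched "options IPSEC" kernels. The function names, verdict labels and sample entries are constructed for illustration; only the first sample entry reuses the addresses and key from the report.

```shell
#!/bin/sh
# Added example, not FreeBSD code. Reports the byte length of every tcp-md5
# key in setkey(8) input and flags keys above a limit (default 10, the
# ceiling the PR reports for unpatched "options IPSEC" kernels).

tcpmd5_key_audit() {
    # stdin: setkey commands; stdout: "src dst key_bytes verdict" per SA
    awk -v limit="${1:-10}" '
    $1 == "add" && /-A[ \t]+tcp-md5[ \t]+/ {
        rest = $0
        sub(/^.*-A[ \t]+tcp-md5[ \t]+/, "", rest)    # keep text after the algorithm
        if (rest ~ /^"/) {                           # double-quoted character key
            rest = substr(rest, 2)
            q = index(rest, "\"")
            if (q == 0) { print $2, $3, "-", "UNTERMINATED"; next }
            len = q - 1
        } else if (match(rest, /^0x[0-9A-Fa-f]+/)) { # hexadecimal key
            len = int((RLENGTH - 2 + 1) / 2)         # two hex digits per byte
        } else { print $2, $3, "-", "UNPARSED"; next }
        print $2, $3, len, (len > limit ? "TOO_LONG" : "OK")
    }'
}

# Constructed sample input; the first entry uses the addresses and key from the PR.
sample_setkey_conf() {
    cat <<'EOF'
# constructed sample
add 192.168.1.1 192.168.1.34 tcp 0x1000 -A tcp-md5 "1234567890abcdefghijk" ;
add 192.168.1.34 192.168.1.1 tcp 0x1000 -A tcp-md5 "short-key" ;
add 192.168.1.1 192.168.1.35 tcp 0x1000 -A tcp-md5 0x00112233445566778899aabb ;
add 192.168.1.1 192.168.1.36 tcp 0x1000 -A tcp-md5 "no closing quote ;
EOF
}

sample_setkey_conf | tcpmd5_key_audit
```

Pass a different limit as the first argument (for example `tcpmd5_key_audit 20`) to audit against another ceiling.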


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->bms 
Responsible-Changed-By: bms 
Responsible-Changed-When: Sun Feb 4 18:28:33 UTC 2007 
Responsible-Changed-Why:  
It's my baby and I'll cry if I want to. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=107520 
State-Changed-From-To: open->patched 
State-Changed-By: bms 
State-Changed-When: Mon Feb 5 11:06:06 UTC 2007 
State-Changed-Why:  
patched in -current 

http://www.freebsd.org/cgi/query-pr.cgi?pr=107520 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/107520: commit references a PR
Date: Mon,  5 Feb 2007 11:19:05 +0000 (UTC)

 bms         2007-02-05 11:18:47 UTC
 
   FreeBSD src repository
 
   Modified files:
     sys/netinet6         ah_core.c 
   Log:
   Forced commit; Vim ate my homework^Wkeystroke.
   
   Fix an incorrect TCP-MD5 key length check for the !FAST_IPSEC case.
   
   PR:             104422, 107520
   MFC after:      3 days
   
   Revision  Changes    Path
   1.29      +0 -0      src/sys/netinet6/ah_core.c
 _______________________________________________
 cvs-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/cvs-all
 To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
 
State-Changed-From-To: patched->closed 
State-Changed-By: bms 
State-Changed-When: Thu Feb 8 12:46:25 UTC 2007 
State-Changed-Why:  
MFC 

http://www.freebsd.org/cgi/query-pr.cgi?pr=107520 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/107520: commit references a PR
Date: Thu,  8 Feb 2007 12:46:49 +0000 (UTC)

 bms         2007-02-08 12:46:15 UTC
 
   FreeBSD src repository
 
   Modified files:        (Branch: RELENG_6)
     sys/netinet6         ah_core.c 
   Log:
   MFC rev 1.29:
     Fix an incorrect TCP-MD5 key length check for the !FAST_IPSEC case.
   
   PR:             104422, 107520
   MFC after:      3 days
   
   Revision  Changes    Path
   1.25.2.2  +1 -1      src/sys/netinet6/ah_core.c
 
>Unformatted:
