bin/105614: Creating NULL encryption ESP SAs with setkey fails
Jan Mikael Melen
jan at melen.org
Thu Nov 16 20:30:15 UTC 2006
>Number: 105614
>Category: bin
>Synopsis: Creating NULL encryption ESP SAs with setkey fails
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Nov 16 20:30:01 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator: Jan Mikael Melen
>Release: CURRENT
>Organization:
>Environment:
FreeBSD n-current.nomadiclab.com 7.0-CURRENT FreeBSD 7.0-CURRENT #9: Thu Nov 16 19:54:26 UTC 2006 root at n51-current.nomadiclab.com:/usr/beet/sys/i386/compile/IPSEC_BEET i386
>Description:
The setkey manual says that the null encryption mode is supported, but when trying to create an SA with -E null it results in an Invalid Argument. This is because the SADB_EXT_KEY_ENCRYPT is not included in the PF_KEY message if null is defined, although it should be included in case the mode is ESP, because the kernel expects to receive it whenever the SA type is ESP even if null encryption is to be used.
>How-To-Repeat:
# ./setkey -c
add 10.10.19.50 10.10.19.100 esp 1680464666 -m transport -E null -A hmac-md5 "authentication!!" ;
The result of line 1: Invalid argument.
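As an added illustration (not code from the PR or from setkey) of the PF_KEY detail this report describes, the function below encodes an SADB_EXT_KEY_ENCRYPT extension the way RFC 2367 lays it out, so that a null-encryption ESP SA still carries a key extension, just one with sadb_key_bits = 0. The struct and constants are declared locally (values taken from the RFC 2367 layout and FreeBSD's net/pfkeyv2.h) so the example builds on any system; need_enc_key_ext() is an assumed helper that mirrors the condition proposed in the fix.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Local PF_KEY definitions (RFC 2367 / net/pfkeyv2.h values) so the example
 * compiles without the kernel header. */
#define SADB_EXT_KEY_ENCRYPT 9
#define SADB_SATYPE_ESP      3
#define SADB_X_SATYPE_IPCOMP 9

struct sadb_key {
    uint16_t sadb_key_len;      /* total extension length in 64-bit units */
    uint16_t sadb_key_exttype;  /* SADB_EXT_KEY_AUTH or SADB_EXT_KEY_ENCRYPT */
    uint16_t sadb_key_bits;     /* key length in bits; 0 for null encryption */
    uint16_t sadb_key_reserved;
};

#define PFKEY_ALIGN8(n) (((n) + 7) & ~(size_t)7)
#define PFKEY_UNIT64(n) ((n) >> 3)

/* Assumed helper: should an SADB_ADD for this SA type carry an encryption
 * key extension?  Always for ESP (null encryption included), otherwise only
 * when a key was supplied; same condition as the patch in this PR. */
int need_enc_key_ext(int satype, const unsigned char *key)
{
    return satype != SADB_X_SATYPE_IPCOMP &&
           (key != NULL || satype == SADB_SATYPE_ESP);
}

/* Append an sadb_key extension to buf.  key may be NULL with keylen 0 for
 * null encryption, which yields a header-only extension (8 bytes, bits = 0).
 * Returns bytes appended (8-byte aligned), or 0 if buf is too small. */
size_t append_key_ext(unsigned char *buf, size_t bufsz, uint16_t exttype,
                      const unsigned char *key, size_t keylen)
{
    size_t total = PFKEY_ALIGN8(sizeof(struct sadb_key) + keylen);
    struct sadb_key hdr;

    if (total > bufsz || keylen > 0xffff / 8)
        return 0;
    memset(&hdr, 0, sizeof(hdr));
    hdr.sadb_key_len = (uint16_t)PFKEY_UNIT64(total);
    hdr.sadb_key_exttype = exttype;
    hdr.sadb_key_bits = (uint16_t)(keylen * 8);
    memset(buf, 0, total);                 /* zero the padding bytes too */
    memcpy(buf, &hdr, sizeof(hdr));
    if (keylen > 0)
        memcpy(buf + sizeof(hdr), key, keylen);
    return total;
}
```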
>Fix:
Index: parse.y
===================================================================
RCS file: /opt/beet/src/sbin/setkey/parse.y,v
retrieving revision 1.3
diff -u -r1.3 parse.y
--- parse.y 14 Nov 2006 13:10:24 -0000 1.3
+++ parse.y 16 Nov 2006 11:28:28 -0000
@@ -1029,7 +1029,8 @@
l = sizeof(struct sadb_msg);
/* set encryption algorithm, if present. */
- if (satype != SADB_X_SATYPE_IPCOMP && p_key_enc) {
+ if (satype != SADB_X_SATYPE_IPCOMP &&
+ (p_key_enc || satype == SADB_SATYPE_ESP)) {
struct sadb_key m_key;
m_key.sadb_key_len =
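Review bot: the widened condition now lets a NULL `p_key_enc` enter the block for ESP, so the lines that follow `m_key.sadb_key_len =` must not dereference `p_key_enc` unconditionally; for the null-encryption case they should build a header-only extension with `sadb_key_bits` set to 0 and `sadb_key_len` computed from `sizeof(struct sadb_key)` alone. The hunk stops before that code, so please extend the diff to show how the rest of the block handles the NULL case.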
>Release-Note:
>Audit-Trail:
>Unformatted: