kern/107520: Inconsistency between tcp-md5 keylengths in IPSEC and FAST_IPSEC

Ruben van Staveren ruben at verweg.com
Thu Jan 4 06:00:32 PST 2007


>Number:         107520
>Category:       kern
>Synopsis:       Inconsistency between tcp-md5 keylengths in IPSEC and FAST_IPSEC
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jan 04 14:00:30 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator:     Ruben van Staveren
>Release:        FreeBSD 6.2-PRERELEASE i386
>Organization:
>Environment:
System: FreeBSD helium.verweg.com 6.2-PRERELEASE FreeBSD 6.2-PRERELEASE #27: Thu Jan 4 13:59:46 CET 2007 root at helium.verweg.com:/usr/obj/usr/cvsup/6-stable/src/sys/HELIUM-SMP i386
>Description:

The use of 

echo 'add 192.168.1.1 192.168.1.34 tcp 0x1000 -A tcp-md5 "1234567890abcdefghijk";' | setkey -c

is not consistent between kernels compiled with FAST_IPSEC (works) and IPSEC (key is too long).

Apparently, kernels with option IPSEC only accept keys 10 characters in length at most for tcp-md5.

>How-To-Repeat:

echo 'add 192.168.1.1 192.168.1.34 tcp 0x1000 -A tcp-md5 "1234567890abcdefghijk";' | setkey -c

on kernels either compiled with

options	FAST_IPSEC

or

options IPSEC
options IPSEC_ESP


both need to have

options         TCP_SIGNATURE           #include support for RFC 2385
device crypto


And "options IPSEC" needs to have additionally
device cryptodev

>Fix:

Either use FAST_IPSEC kernels or allow the same keylength limits for IPSEC
kernels


>Release-Note:
>Audit-Trail:
>Unformatted:
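An added example, not part of the PR or of setkey(8) itself: a POSIX sh helper that builds the tcp-md5 "add" directive used above and refuses keys the target kernel will reject. The default limit of 10 characters is the one the report observed on IPSEC kernels; the name tcp_md5_line and the per-kernel maximum argument are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the PR): emit a setkey(8) "add" line for a
# tcp-md5 SA, validating the key first so "key is too long" is caught
# before setkey -c ever runs. KEY_MAX defaults to 10, the limit the PR
# observed on "options IPSEC" kernels; pass a larger value for kernels
# that accept longer keys (FAST_IPSEC took the 21-character key above).

# tcp_md5_line SRC DST SPI KEY [KEY_MAX]
# Prints the directive on success; returns 1 (too long) or 2 (bad chars).
tcp_md5_line() {
    src=$1; dst=$2; spi=$3; key=$4; max=${5:-10}

    # Quotes, semicolons and whitespace would break setkey's quoted-string
    # syntax, and an empty key is meaningless for RFC 2385 signatures.
    case $key in
        *\"*|*\;*|*[[:space:]]*|'')
            echo "tcp_md5_line: key is empty or contains \", ; or whitespace" >&2
            return 2 ;;
    esac

    keylen=${#key}
    if [ "$keylen" -gt "$max" ]; then
        echo "tcp_md5_line: key is $keylen characters, kernel limit is $max" >&2
        return 1
    fi

    printf 'add %s %s tcp %s -A tcp-md5 "%s";\n' "$src" "$dst" "$spi" "$key"
}

# Usage: only feed setkey when validation passes, e.g.
#   line=$(tcp_md5_line 192.168.1.1 192.168.1.34 0x1000 1234567890) \
#       && printf '%s\n' "$line" | setkey -c
```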