kern/107520: Inconsistency between tcp-md5 keylengths in IPSEC and
FAST_IPSEC
Ruben van Staveren
ruben at verweg.com
Thu Jan 4 06:00:32 PST 2007
>Number: 107520
>Category: kern
>Synopsis: Inconsistency between tcp-md5 keylengths in IPSEC and FAST_IPSEC
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Jan 04 14:00:30 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator: Ruben van Staveren
>Release: FreeBSD 6.2-PRERELEASE i386
>Organization:
>Environment:
System: FreeBSD helium.verweg.com 6.2-PRERELEASE FreeBSD 6.2-PRERELEASE #27: Thu Jan 4 13:59:46 CET 2007 root at helium.verweg.com:/usr/obj/usr/cvsup/6-stable/src/sys/HELIUM-SMP i386
>Description:
The use of
echo 'add 192.168.1.1 192.168.1.34 tcp 0x1000 -A tcp-md5 "1234567890abcdefghijk";' | setkey -c
is inconsistent between kernels compiled with FAST_IPSEC (works) and IPSEC (key is too long).
Apparently, kernels with option IPSEC only accept keys of at most 10 characters in length for tcp-md5.
>How-To-Repeat:
echo 'add 192.168.1.1 192.168.1.34 tcp 0x1000 -A tcp-md5 "1234567890abcdefghijk";' | setkey -c
on kernels compiled with either
options FAST_IPSEC
or
options IPSEC
options IPSEC_ESP
Both need to have
options TCP_SIGNATURE #include support for RFC 2385
device crypto
And "options IPSEC" additionally needs to have
device cryptodev
>Fix:
Either use FAST_IPSEC kernels or allow the same keylength limits for IPSEC
kernels
>Release-Note:
>Audit-Trail:
>Unformatted: