linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: latten@austin.ibm.com
To: linux-kernel@vger.kernel.org
Subject: IPSec Patch for NULL Encryption
Date: Fri, 7 Feb 2003 15:31:22 -0600	[thread overview]
Message-ID: <200302072131.h17LVM516670@faith.austin.ibm.com> (raw)

Hi,

I was not able to get setkey to create an SA with NULL Encryption. 

setkey -c
  add 10.15.1.5 10.15.1.6 esp 0x1000 -m transport -E simple;

always fails with an error message about invalid argument. 

I did some investigating an have included a PATCH so that setkey will
create an SA with Null Encryption. 

I have also included the following note to explain...

Note:
RFC 2410 (Null Encryption Algorithm and its use with IPSEC) 
states on page 3:

  " For purposes of IKE [IKE] key extraction, the key size for this
   algorithm MUST be zero (0) bits, to facilitate interoperability and
   to avoid any potential export control problems."


Let me know if this is all ok.

Thanks,
Joy



--- /tmp/linux-2.5.59/net/ipv4/esp.c	2003-01-16 20:22:18.000000000 -0600
+++ esp.c	2003-02-07 11:34:34.000000000 -0600
@@ -595,7 +595,7 @@
 		if (x->aalg->alg_key_len == 0 || x->aalg->alg_key_len > 512)
 			goto error;
 	}
-	if (x->ealg == NULL || x->ealg->alg_key_len == 0)
+	if (x->ealg == NULL || (x->ealg->alg_key_len == 0 && x->props.ealgo != SADB_EALG_NULL))
 		goto error;
 
 	esp = kmalloc(sizeof(*esp), GFP_KERNEL);
@@ -623,7 +623,10 @@
 			goto error;
 	}
 	esp->conf.key = x->ealg->alg_key;
-	esp->conf.key_len = (x->ealg->alg_key_len+7)/8;
+	if (x->props.ealgo != SADB_EALG_NULL)
+		esp->conf.key_len = (x->ealg->alg_key_len+7)/8;
+	else
+		esp->conf.key_len = 0;
 	esp->conf.tfm = crypto_alloc_tfm(x->ealg->alg_name, CRYPTO_TFM_MODE_CBC);
 	if (esp->conf.tfm == NULL)
 		goto error;

--- /tmp/linux-2.5.59/net/key/af_key.c	2003-01-16 20:21:47.000000000 -0600
+++ af_key.c	2003-02-07 13:25:38.000000000 -0600
@@ -796,7 +796,7 @@
 	     (key->sadb_key_bits+7) / 8 > key->sadb_key_len * sizeof(uint64_t)))
 		return ERR_PTR(-EINVAL);
 	key = ext_hdrs[SADB_EXT_KEY_ENCRYPT-1];
-	if (key != NULL &&
+	if (key != NULL && sa->sadb_sa_encrypt != SADB_EALG_NULL &&
 	    ((key->sadb_key_bits+7) / 8 == 0 ||
 	     (key->sadb_key_bits+7) / 8 > key->sadb_key_len * sizeof(uint64_t)))
 		return ERR_PTR(-EINVAL);


                 reply	other threads:[~2003-02-07 21:21 UTC|newest]

Thread overview: [no followups] expand[flat|nested]  mbox.gz  Atom feed

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=200302072131.h17LVM516670@faith.austin.ibm.com \
    --to=latten@austin.ibm.com \
    --cc=linux-kernel@vger.kernel.org \
    --subject='Re: IPSec Patch for NULL Encryption' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).