[Swan-dev] IKEv1 AH parsing quirk

Andrew Cagney andrew.cagney at gmail.com
Fri Aug 18 03:04:46 UTC 2017 

On 17 August 2017 at 22:09, Paul Wouters <paul at nohats.ca> wrote:
> There was a correcting function that did a minus 1 in the past. It was wrong for newer numbers and I think I killed it

It isn't that.  Here's the text from the RFC https://tools.ietf.org/html/rfc2407

   Note: the Authentication Algorithm attribute MUST be specified to
   identify the appropriate AH protection suite.  For example, AH_MD5
   can best be thought of as a generic AH transform using MD5.  To
   request the HMAC construction with AH, one specifies the AH_MD5
   transform ID along with the Authentication Algorithm attribute set to
   HMAC-MD5.  This is shown using the "Auth(HMAC-MD5)" notation in the
   following sections.

so both must be present, but other than a cross-check sanity check,
just the auth_alg value should be used

> Sent from my iPhone
>
>> On Aug 17, 2017, at 21:51, Andrew Cagney <andrew.cagney at gmail.com> wrote:
>>
>>> On 17 August 2017 at 21:17, Paul Wouters <paul at nohats.ca> wrote:
>>> The ESP integ numbers were the same as the AH integ numbers and the same as the IKE integ numbers? Probably sloppy programming that still worked?
>>
>> They are different.  For instance:
>>
>> AH_MD5=2 - transform
>> AUTH_ALGORITHM_HMAC_MD5=1 - attribute
>>
>> perhaps specifying both is just an IKEv1 quirk
>>
>>
>>> Sent from my iPhone
>>>
>>>> On Aug 17, 2017, at 20:46, Andrew Cagney <andrew.cagney at gmail.com> wrote:
>>>>
>>>> I've been trying to figure out why the IKEv1 AH_* values are pretty
>>>> much absent from pluto's code base and instead AUTH_ALGORITHM_*
>>>> appears everywhere.  Then I noticed this (ah-pluto-01):
>>>>
>>>> | *****parse ISAKMP Transform Payload (AH):
>>>> |    next payload type: ISAKMP_NEXT_NONE (0x0)
>>>> |    length: 28 (0x1c)
>>>> |    AH transform number: 0 (0x0)
>>>> |    AH transform ID: AH_SHA (0x3)
>>>> | encryption ike_alg_lookup_by_id id: 3DES=3, found 3DES_CBC
>>>>
>>>> which is clearly wrong.  The code that handles this, and dates back to
>>>> <=2007, unconditionally assigns the AH value to  .encrypt vis:
>>>>
>>>>   if (!in_struct(trans, trans_desc, prop_pbs, trans_pbs))
>>>>       return FALSE;
>>>>  ...
>>>>   attrs->transattrs.encrypt = trans->isat_transid;
>>>>   attrs->transattrs.encrypter =
>>>> ikev1_get_kernel_encrypt_desc(trans->isat_transid); // new
>>>>
>>>> it then goes on:
>>>>
>>>> | ******parse ISAKMP IPsec DOI attribute:
>>>> |    af+type: AUTH_ALGORITHM (0x8005)
>>>> |    length/value: 2 (0x2)
>>>> |    [2 is AUTH_ALGORITHM_HMAC_SHA1]
>>>> | integrity ike_alg_lookup_by_id id: HMAC_SHA1=2, found HMAC_SHA1_96
>>>>
>>>> which is handled by:
>>>>
>>>>       case AUTH_ALGORITHM | ISAKMP_ATTR_AF_TV:
>>>>           attrs->transattrs.integ_hash = val;
>>>>           attrs->transattrs.integ = ikev1_get_kernel_integ_desc(val); // new
>>>>           break;
>>>>
>>>> which "fixes" the integrity.  From there, while most code uses
>>>> integ_hash, .encrypt does get used as well.  For instance, in
>>>> compute_proto_keymat() both fields get used:
>>>>
>>>>   case PROTO_IPSEC_AH:
>>>>       switch (pi->attrs.transattrs.encrypt) {
>>>>       case AH_MD5:
>>>>           needed_len = HMAC_MD5_KEY_LEN;
>>>>           break;
>>>> ...
>>>>       default:
>>>>           if (kernel_alg_ah_auth_ok(
>>>>               pi->attrs.transattrs.integ_hash, NULL)) {
>>>>               needed_len += kernel_alg_ah_auth_keylen(
>>>>                   pi->attrs.transattrs.integ_hash);
>>>>               break;
>>>>           }
>>>>           bad_case(pi->attrs.transattrs.encrypt);
>>>>       }
>>>>
>>>> short of me reading the IKEv1 spec, can anyone explain what is happening here?
>>>>
>>>> Andrew
>>>> _______________________________________________
>>>> Swan-dev mailing list
>>>> Swan-dev at lists.libreswan.org
>>>> https://lists.libreswan.org/mailman/listinfo/swan-dev
>>>
>

More information about the Swan-dev mailing list