Bug 27285

Summary: SKIP doesn't work on 4.x
Product: Ports & Packages Reporter: Bob Bishop <rb>
Component: Individual Port(s)Assignee: Archie Cobbs <archie>
Status: Closed FIXED    
Severity: Affects Only Me    
Priority: Normal    
Version: Latest   
Hardware: Any   
OS: Any   

Description Bob Bishop 2001-05-12 16:40:00 UTC 
	SKIP appears to work perfectly (fetches remote host's
	certificate properly, generates packets understood by
	remote host) except that incoming proto 57 packets are
	always dropped, skiplog says:

	<date> : Warning: <host> (<IP>) failed authentication
	Its certificate/key id may be invalid

Fix: 

Dunno. Playing with MTU on the SKIP-enabled port
	doesn't seem to help.
How-To-Repeat: 
	Set SKIP up with remote keys etc, ping remote host.
	Observe protocol 57 traffic with tcpdump, monitor
	skiplog and SKIP encription stats.
Comment 1 Tetsurou Okazaki freebsd_committer freebsd_triage 2001-05-15 06:45:10 UTC 
Responsible Changed
From-To: freebsd-ports->archie

over to maintainer
Comment 2 Bob Bishop 2001-05-22 20:46:09 UTC 
The problem is that the id field in incoming IP headers is byte-swapped by
the time it reaches skip_auth() in common/skip_ah.c. This blows the MAC
calculation out of the water; swapping it back works around the problem.

There seems to be no rhyme or reason - it looks as though there's a mix of
host and net byte ordered fields in the header when the outgoing MAC
calculation is done, and for some reason 4.x (probably current too)
delivers packets to the skip module with ip_id swapped wrt what is expected.

I'll follow up again with a patch when I've had a dig in RFCs to see if any
of this is specified (but I'm not optimistic).


--
Bob Bishop              (0118) 977 4017  international code +44 118
rb@gid.co.uk        fax (0118) 989 4254
Comment 3 Bob Bishop 2001-05-23 10:09:47 UTC 
The following patch works around the problem, but I believe the raw packet 
received by skip should all be in network byte order. On 4.2R at least, 
ip_id in the clear header isn't.

--- skip/common/skip_ah.c.orig  Wed May 16 16:11:34 2001
+++ skip/common/skip_ah.c       Wed May 23 09:02:03 2001
@@ -342,6 +342,8 @@
         ip->ip_tos = 0;
         ip->ip_off = 0;

+       ip->ip_id = htons(ip->ip_id);
+
         /*
          * Compute the AH Data
          */
@@ -359,6 +361,8 @@
         ip->ip_ttl = ip_ttl;
         ip->ip_tos = ip_tos;
         ip->ip_off = ip_off;
+
+       ip->ip_id = ntohs(ip->ip_id);

         /*
          * Now, check if MAC is OK...

--
Bob Bishop		    +44 (0)118 977 4017
rb@gid.co.uk		fax +44 (0)118 989 4254
Comment 4 Archie Cobbs freebsd_committer freebsd_triage 2001-06-05 03:26:10 UTC 
State Changed
From-To: open->closed

Patch applied.