Re: kern/56836: IPv6 ESN tunneling IPcomp has corrupt header

To: kern-bug-people%netbsd.org@localhost, gnats-admin%netbsd.org@localhost, netbsd-bugs%netbsd.org@localhost, gnats-bugs%netbsd.org@localhost
Subject: Re: kern/56836: IPv6 ESN tunneling IPcomp has corrupt header
From: Andrew Cagney <andrew.cagney%gmail.com@localhost>
Date: Mon, 16 May 2022 14:13:57 -0400

(so how do I bundle patches)

always always send / expect CPI in IPcomp header

Fixes kern/56836 where an IPsec interop combining compression and
ESP|AH would fail.

Since fast ipsec, the outgoing IPcomp header has contained the
compression algorithm instead of the CPI.  Adding the
SADB_X_EXT_RAWCPI flag worked around this but ...

The IPcomp's SADB was unconditionally hashed using the compression
algorithm instead of the CPI.  This meant that an incoming packet with
a valid CPI could never match its SADB.
---
 sys/netipsec/key.c          | 5 +----
 sys/netipsec/xform_ipcomp.c | 7 +------
 2 files changed, 2 insertions(+), 10 deletions(-)

diff --git a/sys/netipsec/key.c b/sys/netipsec/key.c
index 4ad4a8d466d9..11577960f93f 100644
--- a/sys/netipsec/key.c
+++ b/sys/netipsec/key.c
@@ -8755,10 +8755,7 @@ key_savlut_writer_insert_head(struct secasvar *sav)
     KASSERT(mutex_owned(&key_sad.lock));
     KASSERT(!sav->savlut_added);

-    if (sav->sah->saidx.proto == IPPROTO_IPCOMP)
-        hash_key = sav->alg_comp;
-    else
-        hash_key = sav->spi;
+    hash_key = sav->spi;

     hash = key_savluthash(&sav->sah->saidx.dst.sa,
         sav->sah->saidx.proto, hash_key, key_sad.savlutmask);
diff --git a/sys/netipsec/xform_ipcomp.c b/sys/netipsec/xform_ipcomp.c
index e94a0b471042..69d196bc7e39 100644
--- a/sys/netipsec/xform_ipcomp.c
+++ b/sys/netipsec/xform_ipcomp.c
@@ -527,7 +527,6 @@ ipcomp_output_cb(struct cryptop *crp)
     struct mbuf *m, *mo;
     int error, skip, rlen, roff, flags;
     uint8_t prot;
-    uint16_t cpi;
     struct ipcomp * ipcomp;
     IPSEC_DECLARE_LOCK_VARIABLE;

@@ -589,11 +588,7 @@ ipcomp_output_cb(struct cryptop *crp)
 #endif
         }
         ipcomp->comp_flags = 0;
-
-        if ((sav->flags & SADB_X_EXT_RAWCPI) == 0)
-            cpi = sav->alg_enc;
-        else
-            cpi = ntohl(sav->spi) & 0xffff;
+        uint16_t cpi = ntohl(sav->spi) & 0xffff;
         ipcomp->comp_cpi = htons(cpi);

         /* Fix Next Protocol in IPv4/IPv6 header */
-- 
2.35.3

References:
- Re: kern/56836: IPv6 ESN tunneling IPcomp has corrupt header
  - From: Andrew Cagney

Prev by Date: Re: kern/56834: add aes-sha1 (say) to t_ipsec_tunnel_ipcomp
Next by Date: Re: kern/56836: IPv6 ESN tunneling IPcomp has corrupt header
Previous by Thread: Re: kern/56836: IPv6 ESN tunneling IPcomp has corrupt header
Next by Thread: Re: kern/56836: IPv6 ESN tunneling IPcomp has corrupt header
Indexes:

Home | Main Index | Thread Index | Old Index