PR/56836 CVS commit: src/sys/netipsec

To: kern-bug-people%netbsd.org@localhost,gnats-admin%netbsd.org@localhost,netbsd-bugs%netbsd.org@localhost,andrew.cagney%gmail.com@localhost
Subject: PR/56836 CVS commit: src/sys/netipsec
From: "Christos Zoulas" <christos%netbsd.org@localhost>
Date: Wed, 19 Oct 2022 21:30:03 +0000 (UTC)

The following reply was made to PR kern/56836; it has been noted by GNATS.

From: "Christos Zoulas" <christos%netbsd.org@localhost>
To: gnats-bugs%gnats.NetBSD.org@localhost
Cc: 
Subject: PR/56836 CVS commit: src/sys/netipsec
Date: Wed, 19 Oct 2022 17:28:03 -0400

 Module Name:	src
 Committed By:	christos
 Date:		Wed Oct 19 21:28:03 UTC 2022

 Modified Files:
 	src/sys/netipsec: key.c xform_ipcomp.c

 Log Message:
 PR/56836: Andrew Cagney: IPv6 ESN tunneling IPcomp has corrupt header

 Always always send / expect CPI in IPcomp header

 Fixes kern/56836 where an IPsec interop combining compression and
 ESP|AH would fail.

 Since fast ipsec, the outgoing IPcomp header has contained the
 compression algorithm instead of the CPI.  Adding the
 SADB_X_EXT_RAWCPI flag worked around this but ...

 The IPcomp's SADB was unconditionally hashed using the compression
 algorithm instead of the CPI.  This meant that an incoming packet with
 a valid CPI could never match its SADB.

 To generate a diff of this commit:
 cvs rdiff -u -r1.277 -r1.278 src/sys/netipsec/key.c
 cvs rdiff -u -r1.74 -r1.75 src/sys/netipsec/xform_ipcomp.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

Follow-Ups:
- Re: PR/56836 CVS commit: src/sys/netipsec
  - From: Andrew Cagney

Prev by Date: Re: lib/56926 (curses: vi screen corrupted with UTF-8 multicolumn characters)
Next by Date: PR/57063 CVS commit: src/sys
Previous by Thread: PR/57065 CVS commit: src/crypto/external/bsd/openssl/dist/apps
Next by Thread: Re: PR/56836 CVS commit: src/sys/netipsec
Indexes:

Home | Main Index | Thread Index | Old Index