

[src/trunk]: src/sys/netipsec PR/56836: Andrew Cagney: IPv6 ESN tunneling IPc...



details:   https://anonhg.NetBSD.org/src/rev/d3ccf327a771
branches:  trunk
changeset: 371947:d3ccf327a771
user:      christos <christos%NetBSD.org@localhost>
date:      Wed Oct 19 21:28:02 2022 +0000

description:
PR/56836: Andrew Cagney: IPv6 ESN tunneling IPcomp has corrupt header

Always send / expect CPI in IPcomp header

Fixes kern/56836 where an IPsec interop combining compression and
ESP|AH would fail.

Since fast ipsec, the outgoing IPcomp header has contained the
compression algorithm instead of the CPI.  Adding the
SADB_X_EXT_RAWCPI flag worked around this but ...

The IPcomp's SADB was unconditionally hashed using the compression
algorithm instead of the CPI.  This meant that an incoming packet with
a valid CPI could never match its SADB.

diffstat:

 sys/netipsec/key.c          |  9 +++------
 sys/netipsec/xform_ipcomp.c |  9 +++------
 2 files changed, 6 insertions(+), 12 deletions(-)

diffs (60 lines):

diff -r 4c08fecb9bc8 -r d3ccf327a771 sys/netipsec/key.c
--- a/sys/netipsec/key.c        Wed Oct 19 18:16:01 2022 +0000
+++ b/sys/netipsec/key.c        Wed Oct 19 21:28:02 2022 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: key.c,v 1.277 2022/10/11 09:51:47 knakahara Exp $      */
+/*     $NetBSD: key.c,v 1.278 2022/10/19 21:28:02 christos Exp $       */
 /*     $FreeBSD: key.c,v 1.3.2.3 2004/02/14 22:23:23 bms Exp $ */
 /*     $KAME: key.c,v 1.191 2001/06/27 10:46:49 sakane Exp $   */
 
@@ -32,7 +32,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.277 2022/10/11 09:51:47 knakahara Exp $");
+__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.278 2022/10/19 21:28:02 christos Exp $");
 
 /*
  * This code is referred to RFC 2367
@@ -8765,10 +8765,7 @@
        KASSERT(mutex_owned(&key_sad.lock));
        KASSERT(!sav->savlut_added);
 
-       if (sav->sah->saidx.proto == IPPROTO_IPCOMP)
-               hash_key = sav->alg_comp;
-       else
-               hash_key = sav->spi;
+       hash_key = sav->spi;
 
        hash = key_savluthash(&sav->sah->saidx.dst.sa,
            sav->sah->saidx.proto, hash_key, key_sad.savlutmask);
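Review bot: With the branch removed, `hash_key` on the new line is a leftover indirection; the call on the following two lines can take the value directly, `hash = key_savluthash(&sav->sah->saidx.dst.sa, sav->sah->saidx.proto, sav->spi, key_sad.savlutmask);`, and the now single-use `hash_key` declaration (outside the hunk) can go. A one-line comment would keep the next reader from reintroducing the special case: `/* IPCOMP SAs are keyed on the CPI carried in sav->spi, not on alg_comp (PR/56836). */`. This hunk changes only the insertion side of the lookup table; if the receive-path lookup that calls key_savluthash carries its own IPPROTO_IPCOMP case, it has to agree with this one or inbound IPComp packets will still fail to find their SA — that function is not visible from here. The enclosing function starts and ends outside the hunk.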
diff -r 4c08fecb9bc8 -r d3ccf327a771 sys/netipsec/xform_ipcomp.c
--- a/sys/netipsec/xform_ipcomp.c       Wed Oct 19 18:16:01 2022 +0000
+++ b/sys/netipsec/xform_ipcomp.c       Wed Oct 19 21:28:02 2022 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: xform_ipcomp.c,v 1.74 2022/05/22 11:40:29 riastradh Exp $      */
+/*     $NetBSD: xform_ipcomp.c,v 1.75 2022/10/19 21:28:02 christos Exp $       */
 /*     $FreeBSD: xform_ipcomp.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $        */
 /* $OpenBSD: ip_ipcomp.c,v 1.1 2001/07/05 12:08:52 jjbg Exp $ */
 
@@ -30,7 +30,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.74 2022/05/22 11:40:29 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.75 2022/10/19 21:28:02 christos Exp $");
 
 /* IP payload compression protocol (IPComp), see RFC 2393 */
 #if defined(_KERNEL_OPT)
@@ -573,10 +573,7 @@
                }
                ipcomp->comp_flags = 0;
 
-               if ((sav->flags & SADB_X_EXT_RAWCPI) == 0)
-                       cpi = sav->alg_enc;
-               else
-                       cpi = ntohl(sav->spi) & 0xffff;
+               cpi = ntohl(sav->spi) & 0xffff;
                ipcomp->comp_cpi = htons(cpi);
 
                /* Fix Next Protocol in IPv4/IPv6 header */
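Review bot: The `& 0xffff` on the new line silently truncates an SPI wider than 16 bits, so an IPComp SA installed with such an SPI would emit a CPI that differs from the configured one and the peer would not match it; unless the SA-installation path already rejects IPCOMP SPIs above 0xffff (not visible here), a check there, or at least `KASSERT((ntohl(sav->spi) & ~0xffffUL) == 0);` before the assignment, would make the invariant explicit. Since `SADB_X_EXT_RAWCPI` no longer affects this site, a comment such as `/* The CPI is always the low 16 bits of the SPI; SADB_X_EXT_RAWCPI has no effect on this path. */` would document the change in contract for readers coming from the PF_KEY side. Whether the flag is still parsed or validated elsewhere is outside the hunk. The enclosing function starts and ends outside the hunk.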


