tech-net archive


Re: can the IPv[4,6]-in-IPCOMP-in-{ESP,AH}-in-IPv[4,6] interop fix be applied to NetBSD 10?



Christos,
Thanks for reviewing this.


On Tue, 18 Oct 2022 at 15:42, Andrew Cagney <andrew.cagney%gmail.com@localhost> wrote:
>
> Hi,
>
> Could the patch in
> https://gnats.netbsd.org/cgi-bin/query-pr-single.pl?number=56836
> please be considered for NetBSD 10?
> (I've also appended it, but I'm sure gmail will mangle it).
>
> Only with the patch applied will Linux<>NetBSD interop using:
>
> pfkeyv2-transport-ipv4-ah-ipcomp-ikev2
> pfkeyv2-transport-ipv4-esp-ipcomp-ikev2
> pfkeyv2-transport-ipv6-ah-ipcomp-ikev2
> pfkeyv2-transport-ipv6-esp-ipcomp-ikev2
> pfkeyv2-tunnel-4in4-ah-ipcomp-ikev2
> pfkeyv2-tunnel-4in4-esp-ipcomp-ikev2
> pfkeyv2-tunnel-6in6-ah-ipcomp-ikev2
> pfkeyv2-tunnel-6in6-esp-ipcomp-ikev2
>
> Andrew
>
> --
>
>  always send / expect CPI in IPcomp header
>
>  Fixes kern/56836 where an IPsec interop combining compression and
>  ESP|AH would fail.
>
>  Since fast ipsec, the outgoing IPcomp header has contained the
>  compression algorithm instead of the CPI.  Adding the
>  SADB_X_EXT_RAWCPI flag worked around this but ...
>
>  The IPcomp's SADB was unconditionally hashed using the compression
>  algorithm instead of the CPI.  This meant that an incoming packet with
>  a valid CPI could never match its SADB.
>  ---
>   sys/netipsec/key.c          | 5 +----
>   sys/netipsec/xform_ipcomp.c | 7 +------
>   2 files changed, 2 insertions(+), 10 deletions(-)
>
>  diff --git a/sys/netipsec/key.c b/sys/netipsec/key.c
>  index 4ad4a8d466d9..11577960f93f 100644
>  --- a/sys/netipsec/key.c
>  +++ b/sys/netipsec/key.c
>  @@ -8755,10 +8755,7 @@ key_savlut_writer_insert_head(struct secasvar *sav)
>       KASSERT(mutex_owned(&key_sad.lock));
>       KASSERT(!sav->savlut_added);
>
>  -    if (sav->sah->saidx.proto == IPPROTO_IPCOMP)
>  -        hash_key = sav->alg_comp;
>  -    else
>  -        hash_key = sav->spi;
>  +    hash_key = sav->spi;
>
>       hash = key_savluthash(&sav->sah->saidx.dst.sa,
>           sav->sah->saidx.proto, hash_key, key_sad.savlutmask);
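Review bot: making hash_key unconditionally sav->spi in key_savlut_writer_insert_head is only half of a consistent table; the reader that walks this LUT on the input path is not in this diff, and the fix holds only if that lookup hashes the IPCOMP SA with the same sav->spi value (the CPI rebuilt from the header, in the same byte order). Please name the matching lookup in the commit message so a backporter can check both sides. Style: with the conditional gone, `hash_key = sav->spi;` can be folded into the declaration of hash_key, or hash_key dropped and sav->spi passed to key_savluthash directly.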
>  diff --git a/sys/netipsec/xform_ipcomp.c b/sys/netipsec/xform_ipcomp.c
>  index e94a0b471042..69d196bc7e39 100644
>  --- a/sys/netipsec/xform_ipcomp.c
>  +++ b/sys/netipsec/xform_ipcomp.c
>  @@ -527,7 +527,6 @@ ipcomp_output_cb(struct cryptop *crp)
>       struct mbuf *m, *mo;
>       int error, skip, rlen, roff, flags;
>       uint8_t prot;
>  -    uint16_t cpi;
>       struct ipcomp * ipcomp;
>       IPSEC_DECLARE_LOCK_VARIABLE;
>
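Review bot: removing `uint16_t cpi;` from the declarations at the top of ipcomp_output_cb only to redeclare it mid-block in the next hunk goes against KNF, which keeps declarations at the start of the block; keep this line as it was and change only the assignment below.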
>  @@ -589,11 +588,7 @@ ipcomp_output_cb(struct cryptop *crp)
>   #endif
>           }
>           ipcomp->comp_flags = 0;
>  -
>  -        if ((sav->flags & SADB_X_EXT_RAWCPI) == 0)
>  -            cpi = sav->alg_enc;
>  -        else
>  -            cpi = ntohl(sav->spi) & 0xffff;
>  +        uint16_t cpi = ntohl(sav->spi) & 0xffff;
>           ipcomp->comp_cpi = htons(cpi);
>
>           /* Fix Next Protocol in IPv4/IPv6 header */
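Review bot: `uint16_t cpi = ntohl(sav->spi) & 0xffff;` silently turns SADB_X_EXT_RAWCPI into a no-op on the output path without saying so; since the flag is still settable from userland (the commit message says it was used as a work-around), please document that it is now accepted but ignored, or reject it explicitly at SA creation so callers notice. Also worth stating in the commit message: this path used sav->alg_enc for the CPI while the removed key.c branch hashed on sav->alg_comp, so two different fields were standing in for "the compression algorithm". The byte-order handling itself is right: sav->spi is in network order, the low 16 bits of the host-order value are the CPI, and htons() puts them back on the wire.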
>  --
>  2.35.3

