Re: [PATCH] net/xfrm: Fix lookups for states with spi == 0

2018-05-02 Thread Herbert Xu 
On Wed, May 02, 2018 at 01:41:36PM +0100, Dmitry Safonov wrote:
>
> But still it's possible to create ipsec with zero SPI.
> And it seems not making sense to search for a state with SPI hash if
> request has zero SPI.

Fair enough.  In fact a zero SPI is legal and defined for IPcomp.

The bug arose from this patch:

commit 7b4dc3600e4877178ba94c7fbf7e520421378aa6
Author: Masahide NAKAMURA 
Date:   Wed Sep 27 22:21:52 2006 -0700

[XFRM]: Do not add a state whose SPI is zero to the SPI hash.

SPI=0 is used for acquired IPsec SA and MIPv6 RO state.
Such state should not be added to the SPI hash
because we do not care about it on deleting path.

Signed-off-by: Masahide NAKAMURA 
Signed-off-by: YOSHIFUJI Hideaki 

I think it would be better to revert this.

Cheers,
-- 
Email: Herbert Xu 
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

Re: [PATCH] net/xfrm: Fix lookups for states with spi == 0

2018-05-02 Thread Herbert Xu 
On Wed, May 02, 2018 at 01:41:36PM +0100, Dmitry Safonov wrote:
>
> But still it's possible to create ipsec with zero SPI.
> And it seems not making sense to search for a state with SPI hash if
> request has zero SPI.

Fair enough.  In fact a zero SPI is legal and defined for IPcomp.

The bug arose from this patch:

commit 7b4dc3600e4877178ba94c7fbf7e520421378aa6
Author: Masahide NAKAMURA 
Date:   Wed Sep 27 22:21:52 2006 -0700

[XFRM]: Do not add a state whose SPI is zero to the SPI hash.

SPI=0 is used for acquired IPsec SA and MIPv6 RO state.
Such state should not be added to the SPI hash
because we do not care about it on deleting path.

Signed-off-by: Masahide NAKAMURA 
Signed-off-by: YOSHIFUJI Hideaki 

I think it would be better to revert this.

Cheers,
-- 
Email: Herbert Xu 
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

Re: [PATCH] net/xfrm: Fix lookups for states with spi == 0

2018-05-02 Thread Dmitry Safonov 
On Wed, 2018-05-02 at 17:11 +0800, Herbert Xu wrote:
> On Wed, May 02, 2018 at 03:02:20AM +0100, Dmitry Safonov wrote:
> > It seems to be a valid use case to add xfrm state without
> > Security Parameter Indexes (SPI) value associated:
> > ip xfrm state add src $src dst $dst proto $proto mode $mode sel src
> > $src dst $dst $algo
> > 
> > The bad thing is that it's currently impossible to get/delete the
> > state
> > without SPI: __xfrm_state_insert() obviously doesn't add hash for
> > zero
> > SPI in xfrm.state_byspi, and xfrm_user_state_lookup() will fail as
> > xfrm_state_lookup() does lookups by hash.
> > 
> > It also isn't possible to workaround from userspace as
> > xfrm_id_proto_match() will be always true for ah/esp/comp protos.
> > 
> > So, don't try looking up by hash if SPI == 0.
> > 
> > Cc: Steffen Klassert 
> > Cc: Herbert Xu 
> > Cc: "David S. Miller" 
> > Cc: net...@vger.kernel.org
> > Signed-off-by: Dmitry Safonov 
> 
> A zero SPI is illegal for many IPsec protocols because that value
> is used for other purposes, e.g., IKE encapsulation.

But still it's possible to create ipsec with zero SPI.
And it seems not making sense to search for a state with SPI hash if
request has zero SPI.

-- 
Dima

Re: [PATCH] net/xfrm: Fix lookups for states with spi == 0

2018-05-02 Thread Dmitry Safonov 
On Wed, 2018-05-02 at 17:11 +0800, Herbert Xu wrote:
> On Wed, May 02, 2018 at 03:02:20AM +0100, Dmitry Safonov wrote:
> > It seems to be a valid use case to add xfrm state without
> > Security Parameter Indexes (SPI) value associated:
> > ip xfrm state add src $src dst $dst proto $proto mode $mode sel src
> > $src dst $dst $algo
> > 
> > The bad thing is that it's currently impossible to get/delete the
> > state
> > without SPI: __xfrm_state_insert() obviously doesn't add hash for
> > zero
> > SPI in xfrm.state_byspi, and xfrm_user_state_lookup() will fail as
> > xfrm_state_lookup() does lookups by hash.
> > 
> > It also isn't possible to workaround from userspace as
> > xfrm_id_proto_match() will be always true for ah/esp/comp protos.
> > 
> > So, don't try looking up by hash if SPI == 0.
> > 
> > Cc: Steffen Klassert 
> > Cc: Herbert Xu 
> > Cc: "David S. Miller" 
> > Cc: net...@vger.kernel.org
> > Signed-off-by: Dmitry Safonov 
> 
> A zero SPI is illegal for many IPsec protocols because that value
> is used for other purposes, e.g., IKE encapsulation.

But still it's possible to create ipsec with zero SPI.
And it seems not making sense to search for a state with SPI hash if
request has zero SPI.

-- 
Dima

Re: [PATCH] net/xfrm: Fix lookups for states with spi == 0

2018-05-02 Thread Herbert Xu 
On Wed, May 02, 2018 at 03:02:20AM +0100, Dmitry Safonov wrote:
> It seems to be a valid use case to add xfrm state without
> Security Parameter Indexes (SPI) value associated:
> ip xfrm state add src $src dst $dst proto $proto mode $mode sel src $src dst 
> $dst $algo
> 
> The bad thing is that it's currently impossible to get/delete the state
> without SPI: __xfrm_state_insert() obviously doesn't add hash for zero
> SPI in xfrm.state_byspi, and xfrm_user_state_lookup() will fail as
> xfrm_state_lookup() does lookups by hash.
> 
> It also isn't possible to workaround from userspace as
> xfrm_id_proto_match() will be always true for ah/esp/comp protos.
> 
> So, don't try looking up by hash if SPI == 0.
> 
> Cc: Steffen Klassert 
> Cc: Herbert Xu 
> Cc: "David S. Miller" 
> Cc: net...@vger.kernel.org
> Signed-off-by: Dmitry Safonov 

A zero SPI is illegal for many IPsec protocols because that value
is used for other purposes, e.g., IKE encapsulation.

Cheers,
-- 
Email: Herbert Xu 
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

Re: [PATCH] net/xfrm: Fix lookups for states with spi == 0

2018-05-02 Thread Herbert Xu 
On Wed, May 02, 2018 at 03:02:20AM +0100, Dmitry Safonov wrote:
> It seems to be a valid use case to add xfrm state without
> Security Parameter Indexes (SPI) value associated:
> ip xfrm state add src $src dst $dst proto $proto mode $mode sel src $src dst 
> $dst $algo
> 
> The bad thing is that it's currently impossible to get/delete the state
> without SPI: __xfrm_state_insert() obviously doesn't add hash for zero
> SPI in xfrm.state_byspi, and xfrm_user_state_lookup() will fail as
> xfrm_state_lookup() does lookups by hash.
> 
> It also isn't possible to workaround from userspace as
> xfrm_id_proto_match() will be always true for ah/esp/comp protos.
> 
> So, don't try looking up by hash if SPI == 0.
> 
> Cc: Steffen Klassert 
> Cc: Herbert Xu 
> Cc: "David S. Miller" 
> Cc: net...@vger.kernel.org
> Signed-off-by: Dmitry Safonov 

A zero SPI is illegal for many IPsec protocols because that value
is used for other purposes, e.g., IKE encapsulation.

Cheers,
-- 
Email: Herbert Xu 
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

[PATCH] net/xfrm: Fix lookups for states with spi == 0

2018-05-01 Thread Dmitry Safonov 
It seems to be a valid use case to add xfrm state without
Security Parameter Indexes (SPI) value associated:
ip xfrm state add src $src dst $dst proto $proto mode $mode sel src $src dst 
$dst $algo

The bad thing is that it's currently impossible to get/delete the state
without SPI: __xfrm_state_insert() obviously doesn't add hash for zero
SPI in xfrm.state_byspi, and xfrm_user_state_lookup() will fail as
xfrm_state_lookup() does lookups by hash.

It also isn't possible to workaround from userspace as
xfrm_id_proto_match() will be always true for ah/esp/comp protos.

So, don't try looking up by hash if SPI == 0.

Cc: Steffen Klassert 
Cc: Herbert Xu 
Cc: "David S. Miller" 
Cc: net...@vger.kernel.org
Signed-off-by: Dmitry Safonov 
---
 net/xfrm/xfrm_user.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 080035f056d9..6b38503255c8 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -681,7 +681,7 @@ static struct xfrm_state *xfrm_user_state_lookup(struct net 
*net,
int err;
u32 mark = xfrm_mark_get(attrs, );
 
-   if (xfrm_id_proto_match(p->proto, IPSEC_PROTO_ANY)) {
+   if (xfrm_id_proto_match(p->proto, IPSEC_PROTO_ANY) && p->spi) {
err = -ESRCH;
x = xfrm_state_lookup(net, mark, >daddr, p->spi, p->proto, 
p->family);
} else {
-- 
2.13.6

[PATCH] net/xfrm: Fix lookups for states with spi == 0

2018-05-01 Thread Dmitry Safonov 
It seems to be a valid use case to add xfrm state without
Security Parameter Indexes (SPI) value associated:
ip xfrm state add src $src dst $dst proto $proto mode $mode sel src $src dst 
$dst $algo

The bad thing is that it's currently impossible to get/delete the state
without SPI: __xfrm_state_insert() obviously doesn't add hash for zero
SPI in xfrm.state_byspi, and xfrm_user_state_lookup() will fail as
xfrm_state_lookup() does lookups by hash.

It also isn't possible to workaround from userspace as
xfrm_id_proto_match() will be always true for ah/esp/comp protos.

So, don't try looking up by hash if SPI == 0.

Cc: Steffen Klassert 
Cc: Herbert Xu 
Cc: "David S. Miller" 
Cc: net...@vger.kernel.org
Signed-off-by: Dmitry Safonov 
---
 net/xfrm/xfrm_user.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 080035f056d9..6b38503255c8 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -681,7 +681,7 @@ static struct xfrm_state *xfrm_user_state_lookup(struct net 
*net,
int err;
u32 mark = xfrm_mark_get(attrs, );
 
-   if (xfrm_id_proto_match(p->proto, IPSEC_PROTO_ANY)) {
+   if (xfrm_id_proto_match(p->proto, IPSEC_PROTO_ANY) && p->spi) {
err = -ESRCH;
x = xfrm_state_lookup(net, mark, >daddr, p->spi, p->proto, 
p->family);
} else {
-- 
2.13.6