Module Name: src Committed By: christos Date: Wed Oct 19 21:28:03 UTC 2022
Modified Files: src/sys/netipsec: key.c xform_ipcomp.c Log Message: PR/56836: Andrew Cagney: IPv6 ESN tunneling IPcomp has corrupt header Always send / expect CPI in IPcomp header Fixes kern/56836 where an IPsec interop combining compression and ESP|AH would fail. Since fast ipsec, the outgoing IPcomp header has contained the compression algorithm instead of the CPI. Adding the SADB_X_EXT_RAWCPI flag worked around this but ... The IPcomp's SADB was unconditionally hashed using the compression algorithm instead of the CPI. This meant that an incoming packet with a valid CPI could never match its SADB. To generate a diff of this commit: cvs rdiff -u -r1.277 -r1.278 src/sys/netipsec/key.c cvs rdiff -u -r1.74 -r1.75 src/sys/netipsec/xform_ipcomp.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/sys/netipsec/key.c diff -u src/sys/netipsec/key.c:1.277 src/sys/netipsec/key.c:1.278 --- src/sys/netipsec/key.c:1.277 Tue Oct 11 05:51:47 2022 +++ src/sys/netipsec/key.c Wed Oct 19 17:28:02 2022 @@ -1,4 +1,4 @@ -/* $NetBSD: key.c,v 1.277 2022/10/11 09:51:47 knakahara Exp $ */ +/* $NetBSD: key.c,v 1.278 2022/10/19 21:28:02 christos Exp $ */ /* $FreeBSD: key.c,v 1.3.2.3 2004/02/14 22:23:23 bms Exp $ */ /* $KAME: key.c,v 1.191 2001/06/27 10:46:49 sakane Exp $ */ @@ -32,7 +32,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.277 2022/10/11 09:51:47 knakahara Exp $"); +__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.278 2022/10/19 21:28:02 christos Exp $"); /* * This code is referred to RFC 2367 @@ -8765,10 +8765,7 @@ key_savlut_writer_insert_head(struct sec KASSERT(mutex_owned(&key_sad.lock)); KASSERT(!sav->savlut_added); - if (sav->sah->saidx.proto == IPPROTO_IPCOMP) - hash_key = sav->alg_comp; - else - hash_key = sav->spi; + hash_key = sav->spi; hash = key_savluthash(&sav->sah->saidx.dst.sa, sav->sah->saidx.proto, hash_key, key_sad.savlutmask); Index: src/sys/netipsec/xform_ipcomp.c diff -u src/sys/netipsec/xform_ipcomp.c:1.74 src/sys/netipsec/xform_ipcomp.c:1.75 --- src/sys/netipsec/xform_ipcomp.c:1.74 Sun May 22 07:40:29 2022 +++ src/sys/netipsec/xform_ipcomp.c Wed Oct 19 17:28:02 2022 @@ -1,4 +1,4 @@ -/* $NetBSD: xform_ipcomp.c,v 1.74 2022/05/22 11:40:29 riastradh Exp $ */ +/* $NetBSD: xform_ipcomp.c,v 1.75 2022/10/19 21:28:02 christos Exp $ */ /* $FreeBSD: xform_ipcomp.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */ /* $OpenBSD: ip_ipcomp.c,v 1.1 2001/07/05 12:08:52 jjbg Exp $ */ @@ -30,7 +30,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.74 2022/05/22 11:40:29 riastradh Exp $"); +__KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.75 2022/10/19 21:28:02 christos Exp $"); /* IP payload compression protocol (IPComp), see RFC 2393 */ #if defined(_KERNEL_OPT) 
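Review bot: The new `hash_key = sav->spi;` only lets an incoming IPComp packet find its SA if the lookup side builds its key from the 16-bit on-wire CPI in exactly the form stored in `sav->spi` (presumably `htonl(cpi)`, given that xform_ipcomp.c recovers it with `ntohl(sav->spi) & 0xffff`); that agreement is the whole fix and is not visible in this hunk, so it deserves a comment at the assignment: `/* For IPComp, sav->spi holds the CPI (network order); hash on it so key_lookup_sa() finds the SA by on-wire CPI. */`. With the conditional gone, `hash_key` is assigned once and used only in the `key_savluthash()` call that follows, so the local could be dropped and `sav->spi` passed directly. Any other path that recomputes an SA's bucket (a remove or rehash helper) must use the same key, or an IPComp SA inserted under its CPI could be left behind in the table; nothing in this diff shows such a path, so it is worth checking. key_savlut_writer_insert_head starts before the hunk.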
@@ -573,10 +573,7 @@ ipcomp_output_cb(struct cryptop *crp) } ipcomp->comp_flags = 0; - if ((sav->flags & SADB_X_EXT_RAWCPI) == 0) - cpi = sav->alg_enc; - else - cpi = ntohl(sav->spi) & 0xffff; + cpi = ntohl(sav->spi) & 0xffff; ipcomp->comp_cpi = htons(cpi); /* Fix Next Protocol in IPv4/IPv6 header */
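Review bot: `cpi = ntohl(sav->spi) & 0xffff;` silently truncates a 32-bit SA identifier to the 16-bit CPI field, while the SADB (key.c in this same commit) hashes and matches IPComp SAs on the full `sav->spi`; an IPComp SA installed with a value above 0xffff would go on the wire under a different CPI than the one the peer's lookup needs, and the mismatch would surface as an unexplained interop failure rather than an error. Unless SA creation already rejects such values for IPPROTO_IPCOMP (not visible here), that check belongs at SADB add time, and a comment here should state the invariant: `/* IPComp CPI is 16 bits; SA creation must reject IPCOMP SPIs > 0xffff so the on-wire CPI matches the SADB key. */`. With the `SADB_X_EXT_RAWCPI` test removed, that flag no longer affects output; if it stays defined and settable from userland, its declaration should document that it is now ignored on the output path. ipcomp_output_cb begins and ends outside this hunk.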