Module Name:    src
Committed By:   christos
Date:           Wed Oct 19 21:28:03 UTC 2022

Modified Files:
        src/sys/netipsec: key.c xform_ipcomp.c

Log Message:
PR/56836: Andrew Cagney: IPv6 ESN tunneling IPcomp has corrupt header

Always send / expect CPI in IPcomp header

Fixes kern/56836 where an IPsec interop combining compression and
ESP|AH would fail.

Since fast ipsec, the outgoing IPcomp header has contained the
compression algorithm instead of the CPI.  Adding the
SADB_X_EXT_RAWCPI flag worked around this but ...

The IPcomp's SADB was unconditionally hashed using the compression
algorithm instead of the CPI.  This meant that an incoming packet with
a valid CPI could never match its SADB.


To generate a diff of this commit:
cvs rdiff -u -r1.277 -r1.278 src/sys/netipsec/key.c
cvs rdiff -u -r1.74 -r1.75 src/sys/netipsec/xform_ipcomp.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netipsec/key.c
diff -u src/sys/netipsec/key.c:1.277 src/sys/netipsec/key.c:1.278
--- src/sys/netipsec/key.c:1.277	Tue Oct 11 05:51:47 2022
+++ src/sys/netipsec/key.c	Wed Oct 19 17:28:02 2022
@@ -1,4 +1,4 @@
-/*	$NetBSD: key.c,v 1.277 2022/10/11 09:51:47 knakahara Exp $	*/
+/*	$NetBSD: key.c,v 1.278 2022/10/19 21:28:02 christos Exp $	*/
 /*	$FreeBSD: key.c,v 1.3.2.3 2004/02/14 22:23:23 bms Exp $	*/
 /*	$KAME: key.c,v 1.191 2001/06/27 10:46:49 sakane Exp $	*/
 
@@ -32,7 +32,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.277 2022/10/11 09:51:47 knakahara Exp $");
+__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.278 2022/10/19 21:28:02 christos Exp $");
 
 /*
  * This code is referred to RFC 2367
@@ -8765,10 +8765,7 @@ key_savlut_writer_insert_head(struct sec
 	KASSERT(mutex_owned(&key_sad.lock));
 	KASSERT(!sav->savlut_added);
 
-	if (sav->sah->saidx.proto == IPPROTO_IPCOMP)
-		hash_key = sav->alg_comp;
-	else
-		hash_key = sav->spi;
+	hash_key = sav->spi;
 
 	hash = key_savluthash(&sav->sah->saidx.dst.sa,
 	    sav->sah->saidx.proto, hash_key, key_sad.savlutmask);

Index: src/sys/netipsec/xform_ipcomp.c
diff -u src/sys/netipsec/xform_ipcomp.c:1.74 src/sys/netipsec/xform_ipcomp.c:1.75
--- src/sys/netipsec/xform_ipcomp.c:1.74	Sun May 22 07:40:29 2022
+++ src/sys/netipsec/xform_ipcomp.c	Wed Oct 19 17:28:02 2022
@@ -1,4 +1,4 @@
-/*	$NetBSD: xform_ipcomp.c,v 1.74 2022/05/22 11:40:29 riastradh Exp $	*/
+/*	$NetBSD: xform_ipcomp.c,v 1.75 2022/10/19 21:28:02 christos Exp $	*/
 /*	$FreeBSD: xform_ipcomp.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $	*/
 /* $OpenBSD: ip_ipcomp.c,v 1.1 2001/07/05 12:08:52 jjbg Exp $ */
 
@@ -30,7 +30,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.74 2022/05/22 11:40:29 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.75 2022/10/19 21:28:02 christos Exp $");
 
 /* IP payload compression protocol (IPComp), see RFC 2393 */
 #if defined(_KERNEL_OPT)
@@ -573,10 +573,7 @@ ipcomp_output_cb(struct cryptop *crp)
 		}
 		ipcomp->comp_flags = 0;
 
-		if ((sav->flags & SADB_X_EXT_RAWCPI) == 0)
-			cpi = sav->alg_enc;
-		else
-			cpi = ntohl(sav->spi) & 0xffff;
+		cpi = ntohl(sav->spi) & 0xffff;
 		ipcomp->comp_cpi = htons(cpi);
 
 		/* Fix Next Protocol in IPv4/IPv6 header */
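Review bot: `cpi = ntohl(sav->spi) & 0xffff;` silently truncates the SPI, so an IPComp SA installed with an SPI wider than 16 bits would be emitted with a CPI that no longer matches the key the SA was inserted under in key.c, and the peer's traffic would be unmatchable rather than rejected at setup. If the key manager does not already reject such SPIs for IPPROTO_IPCOMP at SA creation, a `KASSERT((ntohl(sav->spi) & ~0xffffU) == 0);` here, or a check at install time, would make the invariant explicit. `SADB_X_EXT_RAWCPI` is still accepted but no longer influences the emitted header; a comment such as `/* SADB_X_EXT_RAWCPI is retained for API compatibility; the CPI always comes from sav->spi */` would save a reader from searching for its consumer. ipcomp_output_cb begins and ends outside the hunk.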
