NetBSD Problem Report #52161

From www@NetBSD.org  Fri Apr 14 03:21:58 2017
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client CN "mail.netbsd.org", Issuer "Postmaster NetBSD.org" (verified OK))
	by mollari.NetBSD.org (Postfix) with ESMTPS id 6B2C57A283
	for <gnats-bugs@gnats.NetBSD.org>; Fri, 14 Apr 2017 03:21:58 +0000 (UTC)
Message-Id: <20170414032156.463DD7A2B3@mollari.NetBSD.org>
Date: Fri, 14 Apr 2017 03:21:56 +0000 (UTC)
From: ozaki-r@netbsd.org
Reply-To: ozaki-r@netbsd.org
To: gnats-bugs@NetBSD.org
Subject: ipsec: tunnel mode with AH over IPv6 doesn't work
X-Send-Pr-Version: www-1.0

>Number:         52161
>Category:       kern
>Synopsis:       ipsec: tunnel mode with AH over IPv6 doesn't work
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    kern-bug-people
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Apr 14 03:25:00 +0000 2017
>Closed-Date:    Thu Feb 15 15:13:59 +0000 2018
>Last-Modified:  Thu Feb 15 15:13:59 +0000 2018
>Originator:     Ryota Ozaki
>Release:        -current
>Organization:
IIJ
>Environment:
NetBSD 7.99.69 (RUMP-ROAST)
on
NetBSD rangeley 7.99.66 NetBSD 7.99.66 (RANGELEY) #68: Thu Mar 16 12:44:31 JST 2017  ozaki-r@rangeley:(hidden) amd64
>Description:
IPsec doesn't work in tunnel mode with AH over IPv6. The Tx side of
a tunnel successfully sends a packet with an AH header; however, the Rx side
of the tunnel fails to receive the packet:
  ah_input: authentication hash mismatch over 20 bytes for packet in SA fc00::2/00002710:
  4940:a796:6f38:752b:8602:f2fa, 6523:ec6b:c941:bcf1:1ae2:3460

Only the null algorithm works on the setups, so something goes wrong in
the hash calculations of the Tx or Rx (or both).

Note that the tunnel mode with AH over IPv4 works,
the tunnel mode with ESP over IPv6 works and
the transport mode with AH over IPv6 works.

>How-To-Repeat:
Run t_ipsec_tunnel (tests/net/ipsec/t_ipsec_tunnel.sh)
>Fix:
n/a

>Release-Note:

>Audit-Trail:
From: "Ryota Ozaki" <ozaki-r@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/52161 CVS commit: src/tests/net/ipsec
Date: Fri, 14 Apr 2017 03:35:40 +0000

 Module Name:	src
 Committed By:	ozaki-r
 Date:		Fri Apr 14 03:35:40 UTC 2017

 Modified Files:
 	src/tests/net/ipsec: t_ipsec_tunnel.sh

 Log Message:
 Mark tests of tunnel/AH/IPv6 as expected failure (PR kern/52161)


 To generate a diff of this commit:
 cvs rdiff -u -r1.1 -r1.2 src/tests/net/ipsec/t_ipsec_tunnel.sh

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

From: "Christos Zoulas" <christos@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/52161 CVS commit: src/sys/netipsec
Date: Fri, 14 Apr 2017 18:35:05 -0400

 Module Name:	src
 Committed By:	christos
 Date:		Fri Apr 14 22:35:05 UTC 2017

 Modified Files:
 	src/sys/netipsec: xform_ipip.c

 Log Message:
 PR/52161: Ryota Ozaki: Fix AH tunnel ipsec for ipv6. Compute plen right,
 don't forget to subtract the ipv6 header length.


 To generate a diff of this commit:
 cvs rdiff -u -r1.43 -r1.44 src/sys/netipsec/xform_ipip.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.
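
Why a wrong outer-header payload length breaks AH but leaves ESP working, as an added example that is not NetBSD's code: a simplified model in which a toy FNV-1a hash stands in for the HMAC and the AH header's own size is ignored. It assumes the pre-fix `plen` was the full packet length and that the output path puts the correct payload length on the wire; `encap_plen`, `toy_icv` and `roundtrip_ok` are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#define IP6_HDRLEN 40u /* fixed IPv6 header, not counted in payload length */

/* Outer-header fields AH treats as immutable and authenticates (RFC 4302). */
struct outer_ip6 {
    uint16_t plen;              /* payload length */
    uint8_t  nxt;               /* next header */
    uint8_t  src[16], dst[16];
};

/* Toy keyed hash (FNV-1a); a stand-in for the real HMAC, not secure. */
static uint32_t mix(uint32_t h, const uint8_t *p, size_t n)
{
    while (n--) { h ^= *p++; h *= 16777619u; }
    return h;
}

/* cover_outer=1 models AH (outer header is hashed); 0 models ESP. */
static uint32_t toy_icv(const struct outer_ip6 *h, const uint8_t *inner,
    size_t len, int cover_outer)
{
    static const uint8_t key[] = "constructed-key";
    uint8_t pl[2] = { (uint8_t)(h->plen >> 8), (uint8_t)h->plen };
    uint32_t v = mix(2166136261u, key, sizeof(key));
    if (cover_outer) {
        v = mix(mix(v, pl, sizeof(pl)), &h->nxt, 1);
        v = mix(mix(v, h->src, 16), h->dst, 16);
    }
    return mix(v, inner, len);
}

/* plen at encapsulation: whole packet (modelled pre-fix) or minus header. */
uint16_t encap_plen(size_t pkt_len, int fixed)
{
    return (uint16_t)(fixed ? pkt_len - IP6_HDRLEN : pkt_len);
}

/* Returns 1 if the receiver's ICV matches the sender's. */
int roundtrip_ok(size_t inner_len, int fixed, int cover_outer)
{
    uint8_t inner[64] = { 0x60 };   /* constructed inner packet */
    struct outer_ip6 h = { 0, 51, { 0xfc, [15] = 1 }, { 0xfc, [15] = 2 } };
    if (inner_len > sizeof(inner)) return 0;
    h.plen = encap_plen(IP6_HDRLEN + inner_len, fixed);
    uint32_t tx = toy_icv(&h, inner, inner_len, cover_outer); /* sender */
    h.plen = (uint16_t)inner_len;   /* assumed: wire carries the true plen */
    return tx == toy_icv(&h, inner, inner_len, cover_outer);  /* receiver */
}
```

In this model `roundtrip_ok(64, 0, 1)` fails while `roundtrip_ok(64, 0, 0)` succeeds, which is consistent with the report that ESP over IPv6 worked and only AH showed the hash mismatch.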

From: "Ryota Ozaki" <ozaki-r@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/52161 CVS commit: src/tests/net/ipsec
Date: Sun, 16 Apr 2017 10:34:49 +0000

 Module Name:	src
 Committed By:	ozaki-r
 Date:		Sun Apr 16 10:34:49 UTC 2017

 Modified Files:
 	src/tests/net/ipsec: t_ipsec_tunnel.sh

 Log Message:
 Revert "Mark tests of tunnel/AH/IPv6 as expected failure (PR kern/52161)"

 The issue was fixed by christos@


 To generate a diff of this commit:
 cvs rdiff -u -r1.2 -r1.3 src/tests/net/ipsec/t_ipsec_tunnel.sh

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

State-Changed-From-To: open->pending-pullups
State-Changed-By: maxv@NetBSD.org
State-Changed-When: Mon, 12 Feb 2018 13:16:51 +0000
State-Changed-Why:
I've sent pullups


From: "Martin Husemann" <martin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/52161 CVS commit: [netbsd-7] src/sys/netipsec
Date: Thu, 15 Feb 2018 14:39:43 +0000

 Module Name:	src
 Committed By:	martin
 Date:		Thu Feb 15 14:39:43 UTC 2018

 Modified Files:
 	src/sys/netipsec [netbsd-7]: xform_ipip.c

 Log Message:
 Pull up following revision(s) (requested by maxv in ticket #1567):
 	sys/netipsec/xform_ipip.c: revision 1.44
 PR/52161: Ryota Ozaki: Fix AH tunnel ipsec for ipv6. Compute plen right,
 don't forget to subtract the ipv6 header length.


 To generate a diff of this commit:
 cvs rdiff -u -r1.31 -r1.31.2.1 src/sys/netipsec/xform_ipip.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

From: "Martin Husemann" <martin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/52161 CVS commit: [netbsd-7-1] src/sys/netipsec
Date: Thu, 15 Feb 2018 14:41:57 +0000

 Module Name:	src
 Committed By:	martin
 Date:		Thu Feb 15 14:41:57 UTC 2018

 Modified Files:
 	src/sys/netipsec [netbsd-7-1]: xform_ipip.c

 Log Message:
 Pull up following revision(s) (requested by maxv in ticket #1567):
 	sys/netipsec/xform_ipip.c: revision 1.44
 PR/52161: Ryota Ozaki: Fix AH tunnel ipsec for ipv6. Compute plen right,
 don't forget to subtract the ipv6 header length.


 To generate a diff of this commit:
 cvs rdiff -u -r1.31 -r1.31.10.1 src/sys/netipsec/xform_ipip.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

From: "Martin Husemann" <martin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/52161 CVS commit: [netbsd-7-0] src/sys/netipsec
Date: Thu, 15 Feb 2018 14:43:13 +0000

 Module Name:	src
 Committed By:	martin
 Date:		Thu Feb 15 14:43:12 UTC 2018

 Modified Files:
 	src/sys/netipsec [netbsd-7-0]: xform_ipip.c

 Log Message:
 Pull up following revision(s) (requested by maxv in ticket #1567):
 	sys/netipsec/xform_ipip.c: revision 1.44
 PR/52161: Ryota Ozaki: Fix AH tunnel ipsec for ipv6. Compute plen right,
 don't forget to subtract the ipv6 header length.


 To generate a diff of this commit:
 cvs rdiff -u -r1.31 -r1.31.6.1 src/sys/netipsec/xform_ipip.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

From: "Martin Husemann" <martin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/52161 CVS commit: [netbsd-6] src/sys/netipsec
Date: Thu, 15 Feb 2018 14:49:00 +0000

 Module Name:	src
 Committed By:	martin
 Date:		Thu Feb 15 14:49:00 UTC 2018

 Modified Files:
 	src/sys/netipsec [netbsd-6]: xform_ipip.c

 Log Message:
 Pull up following revision(s) (requested by maxv in ticket #1529):
 	sys/netipsec/xform_ipip.c: revision 1.44 via patch

 PR/52161: Ryota Ozaki: Fix AH tunnel ipsec for ipv6. Compute plen right,
 don't forget to subtract the ipv6 header length.


 To generate a diff of this commit:
 cvs rdiff -u -r1.28 -r1.28.8.1 src/sys/netipsec/xform_ipip.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

From: "Martin Husemann" <martin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/52161 CVS commit: [netbsd-6-1] src/sys/netipsec
Date: Thu, 15 Feb 2018 14:50:17 +0000

 Module Name:	src
 Committed By:	martin
 Date:		Thu Feb 15 14:50:17 UTC 2018

 Modified Files:
 	src/sys/netipsec [netbsd-6-1]: xform_ipip.c

 Log Message:
 Pull up following revision(s) (requested by maxv in ticket #1529):
 	sys/netipsec/xform_ipip.c: revision 1.44 via patch

 PR/52161: Ryota Ozaki: Fix AH tunnel ipsec for ipv6. Compute plen right,
 don't forget to subtract the ipv6 header length.


 To generate a diff of this commit:
 cvs rdiff -u -r1.28 -r1.28.22.1 src/sys/netipsec/xform_ipip.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

From: "Martin Husemann" <martin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/52161 CVS commit: [netbsd-6-0] src/sys/netipsec
Date: Thu, 15 Feb 2018 14:51:44 +0000

 Module Name:	src
 Committed By:	martin
 Date:		Thu Feb 15 14:51:44 UTC 2018

 Modified Files:
 	src/sys/netipsec [netbsd-6-0]: xform_ipip.c

 Log Message:
 Pull up following revision(s) (requested by maxv in ticket #1529):
 	sys/netipsec/xform_ipip.c: revision 1.44 via patch

 PR/52161: Ryota Ozaki: Fix AH tunnel ipsec for ipv6. Compute plen right,
 don't forget to subtract the ipv6 header length.


 To generate a diff of this commit:
 cvs rdiff -u -r1.28 -r1.28.14.1 src/sys/netipsec/xform_ipip.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

State-Changed-From-To: pending-pullups->closed
State-Changed-By: maxv@NetBSD.org
State-Changed-When: Thu, 15 Feb 2018 15:13:59 +0000
State-Changed-Why:
pulled up in [NetBSD-6#1529] and [NetBSD-7#1567]


>Unformatted:
