NetBSD Problem Report #34843

From jakllsch@kirkkit.kollasch.net  Tue Oct 17 20:20:03 2006
Return-Path: <jakllsch@kirkkit.kollasch.net>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
	by narn.NetBSD.org (Postfix) with ESMTP id 2780A63B8A2
	for <gnats-bugs@gnats.NetBSD.org>; Tue, 17 Oct 2006 20:20:03 +0000 (UTC)
Message-Id: <200610172020.k9HKK1Br004825@kirkkit.kollasch.net>
Date: Tue, 17 Oct 2006 15:20:01 -0500 (CDT)
From: jakllsch@kollasch.net
Reply-To: jakllsch@kollasch.net
To: gnats-bugs@NetBSD.org
Subject: FAST_IPSEC and "use"
X-Send-Pr-Version: 3.95

>Number:         34843
>Category:       kern
>Synopsis:       "use" level policy doesn't seem to work right w/ FAST_IPSEC
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Oct 17 20:25:05 +0000 2006
>Closed-Date:    Sun Feb 25 19:37:17 +0000 2018
>Last-Modified:  Sun Feb 25 19:37:17 +0000 2018
>Originator:     Jonathan A. Kollasch
>Release:        NetBSD 3.0
>Organization:
>Environment:
System: NetBSD kirkkit.kollasch.net 3.0 NetBSD 3.0 (KIRKKIT) #2: Mon Oct 16 21:27:42 CDT 2006 root@kirkkit.kollasch.net:/usr/src/sys/arch/i386/compile/KIRKKIT i386
Architecture: i386
Machine: i386
>Description:

policy like this:

spdadd -4 0.0.0.0/0 10.0.0.0/24 any -P out ipsec
esp/transport//use;
spdadd -4 10.0.0.0/24 0.0.0.0/0 any -P in ipsec
esp/transport//use;

under KAME IPsec)  allows this host to communicate with a
non-IPsec-enabled host.  additionally, IPsec is used
when the other end responds w/ appropriate ISAKMP packets.

under FAST_IPSEC)  sending fails with EINVAL when a SA does
not exist (yet).  this practically makes the "use" level
useless.

>How-To-Repeat:
Using FAST_IPSEC, attempt to use the "use" level to contact
a host that doesn't support IPsec.

>Fix:
Unknown.

>Release-Note:

>Audit-Trail:
From: DEGROOTE Arnaud <degroote@netbsd.org>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: PR/34843 CVS commit: src/sys/netipsec
Date: Sat, 29 Dec 2007 16:43:19 +0000 (UTC)

 Module Name:	src
 Committed By:	degroote
 Date:		Sat Dec 29 16:43:19 UTC 2007

 Modified Files:
 	src/sys/netipsec: ipsec_output.c

 Log Message:
 Fix the ipsec processing in case of USE rules with no SA installed.

 In case where there is no more isr to process, just tag the packet and reinject
 in the ip{,6} stack.

 Fix pr/34843


 To generate a diff of this commit:
 cvs rdiff -r1.25 -r1.26 src/sys/netipsec/ipsec_output.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.
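The behaviour the PR describes (a "use" request with no SA making the send fail with EINVAL) and the behaviour the commit log describes (skip such a request, and when no request is left, tag the packet and reinject it into the IP stack) can be contrasted in a small model. The following C program is an added illustration; it is not code from src/sys/netipsec/ipsec_output.c and does not reproduce the kernel's data structures. The `struct isr`, `struct result`, the function names and the single-request wrapper are all constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>

/* Policy levels from setkey(8)'s spdadd syntax, e.g. "esp/transport//use".
 * "default" resolves to one of these via sysctl and is not modelled. */
enum level   { LEVEL_USE, LEVEL_REQUIRE };
enum outcome { SENT_CLEAR, SENT_IPSEC, ERR_EINVAL };

/* One IPsec request of a policy (constructed model, not the kernel's isr). */
struct isr {
    const char *proto;        /* "esp" or "ah" */
    enum level level;
    int sa_present;           /* 1 if a matching SA is installed in the SAD */
    const struct isr *next;   /* next request in the same policy, or NULL */
};

/* What happened to one outbound packet. */
struct result {
    enum outcome outcome;
    int acquires;     /* SADB_ACQUIRE messages that would go to the IKE daemon */
    int transforms;   /* ESP/AH transforms actually applied */
    int tagged;       /* packet marked "already processed" before reinjection */
};

/* Behaviour reported in the PR: the first request without an SA fails the
 * whole send with EINVAL, whatever the level says. */
struct result process_before_fix(const struct isr *isr)
{
    struct result r = { SENT_CLEAR, 0, 0, 0 };
    for (; isr != NULL; isr = isr->next) {
        if (!isr->sa_present) {
            r.acquires++;
            r.outcome = ERR_EINVAL;
            return r;
        }
        r.transforms++;
        r.outcome = SENT_IPSEC;
    }
    return r;
}

/* Behaviour described by the commit log: a "use" request with no SA is
 * skipped (after asking the key manager for one); a "require" request with
 * no SA still fails. When no request is left, the packet is tagged and
 * reinjected into the IP stack, in clear if nothing was applied. */
struct result process_after_fix(const struct isr *isr)
{
    struct result r = { SENT_CLEAR, 0, 0, 0 };
    for (; isr != NULL; isr = isr->next) {
        if (!isr->sa_present) {
            r.acquires++;                 /* let racoon/IKE negotiate an SA */
            if (isr->level == LEVEL_USE)
                continue;                 /* optional protection: carry on */
            r.outcome = ERR_EINVAL;       /* "require" cannot be satisfied */
            return r;
        }
        r.transforms++;
    }
    /* No more isr to process: tag so the reinjected packet is not matched
     * against the same policy again, then hand it back to ip_output(). */
    r.tagged = 1;
    r.outcome = r.transforms > 0 ? SENT_IPSEC : SENT_CLEAR;
    return r;
}

/* Wrapper for a one-request policy like the PR's "esp/transport//use". */
enum outcome single_request(enum level level, int sa_present, int fixed)
{
    const struct isr isr = { "esp", level, sa_present, NULL };
    struct result r = fixed ? process_after_fix(&isr) : process_before_fix(&isr);
    return r.outcome;
}

static const char *name(enum outcome o)
{
    return o == SENT_CLEAR ? "sent in clear"
         : o == SENT_IPSEC ? "sent with IPsec" : "EINVAL";
}

int main(void)
{
    /* The PR's scenario: esp/transport//use, peer has no IPsec, so no SA. */
    printf("use, no SA, before fix: %s\n", name(single_request(LEVEL_USE, 0, 0)));
    printf("use, no SA, after fix:  %s\n", name(single_request(LEVEL_USE, 0, 1)));
    printf("use, SA present:        %s\n", name(single_request(LEVEL_USE, 1, 1)));
    printf("require, no SA:         %s\n", name(single_request(LEVEL_REQUIRE, 0, 1)));
    return 0;
}
```

The point of the `tagged` flag is the reinjection step from the commit log: without a marker on the packet, the clear-text copy would hit the same SPD entry on its way back through the IP output path and be handed to the IPsec code again.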

State-Changed-From-To: open->feedback
State-Changed-By: dholland@narn.netbsd.org
State-Changed-When: Sat, 19 Jan 2008 18:54:57 +0000
State-Changed-Why:
submitter is going to check if it is really fixed


From: "Jonathan A. Kollasch" <jakllsch@kollasch.net>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: kern/34843: FAST_IPSEC and "use"
Date: Fri, 2 May 2008 00:37:39 +0000

 Well, this fix seems to have worked, but only for IPv4.
 IPv6 and the use policy seems to have not been fixed.

 Furthermore, I managed to trigger a diagnostic assertion in
 the IPv6 case, but that's probably an issue for another pr
 or current-users.

 This was tested with 4.99.61 from a day or four ago
 with the FAST_IPSEC fixes from a day or two later.

State-Changed-From-To: feedback->open
State-Changed-By: dholland@NetBSD.org
State-Changed-When: Sun, 04 May 2008 02:02:02 +0000
State-Changed-Why:
feedback received.


From: David Holland <dholland-bugs@netbsd.org>
To: gnats-bugs@netbsd.org
Cc: 
Subject: Re: kern/34843: FAST_IPSEC and "use"
Date: Sun, 4 May 2008 02:19:52 +0000

 This didn't make it to gnats:

 From: Arnaud Degroote <degroote@netbsd.org>
 To: "Jonathan A. Kollasch" <jakllsch@kollasch.net>
 Cc: kern-bug-people@netbsd.org, gnats-admin@netbsd.org, netbsd-bugs@netbsd.org
 Subject: Re: kern/34843: FAST_IPSEC and "use"
 Date: Mon, 28 Apr 2008 19:49:27 +0200

 On Mon, Apr 28, 2008 at 03:51:29PM +0000, Jonathan A. Kollasch wrote:
 > Well, this fix seems to have worked, but only for IPv4.
 > IPv6 and the use policy seems to have not been fixed.
 > 
 > Furthermore, I managed to trigger a diagnostic assertion in
 > the IPv6 case, but that's probably an issue for another pr
 > or current-users.

 Can you retry with rev 1.28 of ipsec_output.c ? I fixed a really stupid
 bug (which explains the assertion and the failure I think). 

 If the assertion still fires, please report it.

 Thank you.
 -- 
 Arnaud Degroote
 degroote@netbsd.org

State-Changed-From-To: open->feedback
State-Changed-By: dholland@NetBSD.org
State-Changed-When: Sun, 04 May 2008 02:22:13 +0000
State-Changed-Why:
more feedback...


From: "Jonathan A. Kollasch" <jakllsch@kollasch.net>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: kern/34843
Date: Sat, 6 Sep 2008 18:13:36 +0000

 The use level policy seems to work okay with FAST_IPSEC on 4.99.72
 for both AFs.  Maybe.  I did have some trouble with IPv4, but that may
 have just been racoon being its usual buggy self.

 Also, I'm getting fairly repeatable null pointer dereferences
 with backtraces in the ipsec code.  Maybe that's for another PR.

State-Changed-From-To: feedback->open
State-Changed-By: dholland@NetBSD.org
State-Changed-When: Tue, 24 Mar 2009 21:46:16 +0000
State-Changed-Why:
Works, but I don't see another PR for those null dereferences...


State-Changed-From-To: open->closed
State-Changed-By: maxv@NetBSD.org
State-Changed-When: Sun, 25 Feb 2018 19:37:17 +0000
State-Changed-Why:
The issue was fixed.


>Unformatted:

Copyright © 1994-2007 The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.