
kernel/3006: Kernel misunderstands IPSec transport policies

From: Mike Neuman <mcn(at)EnGarde.com>
Date: Fri Nov 29 2002 - 23:35:56 EST


>Number: 3006
net
>Environment:

        System      : OpenBSD 3.2
        Architecture: OpenBSD.i386
        Machine     : i386

>Description:

See also bug user/2996; they are related and essentially the same problem. user/2996 has a patch for the ISAKMPD problem.

An IPSEC transport policy is specified thus: ipsecadm flow -require -addr 0.0.0.0 0.0.0.0 1.2.3.4 255.255.255.255 -out

An IPSEC tunnel policy is specified with the addition of the '-dst gw' flag. In the absence of the '-dst' flag, the kernel passes around an all-0 sockaddr as the destination. Neither the kernel nor ISAKMPD expects the all-0 sockaddr; both expect an AF_INET or AF_INET6 sockaddr with an address equal to INADDR_ANY.

Since this is not the case, the kernel (and ISAKMPD) fail with transport mode IPSEC policies & SAs.
>How-To-Repeat:

Create a transport IPSEC policy (for example, the one above). Then telnet to the destination. ISAKMPD fails (see user/2996 for the fix). Once ISAKMPD is fixed, the kernel also fails (from a similar problem).
>Fix:

This patch fixes two things:

1) It properly handles IPSEC transport policies.
2) It fixes the broken 'XXX' marked section in ipsp_aux_match with a proper policy/tdb comparison.

I apologize if this does not follow KNF.

cvs diff: Diffing .
Index: ip_ipsp.c



RCS file: /home/mcn/OS/obsd-cvs/src/sys/netinet/ip_ipsp.c,v retrieving revision 1.149
diff -r1.149 ip_ipsp.c
334,343c334,345
<               /*
<                * XXX We should really be doing a subnet-check (see
<                * whether the TDB-associated filter is a subset
<                * of the policy's. For now, an exact match will solve
<                * most problems (all this will do is make every
<                * policy get its own SAs).
<                */
<               if (bcmp(tfilter, pfilter, sizeof(struct sockaddr_encap)) ||
<                   bcmp(tfiltermask, pfiltermask,
<                       sizeof(struct sockaddr_encap)))
---

> if (pfilter->sen_type != tfilter->sen_type ||
> pfilter->sen_direction != tfilter->sen_direction ||
> ((pfilter->sen_ip_src.s_addr & pfiltermask->sen_ip_src.s_addr)
!=
> (tfilter->sen_ip_src.s_addr & pfiltermask->sen_ip_src.s_addr))
||
> ((pfilter->sen_ip_dst.s_addr & pfiltermask->sen_ip_dst.s_addr)
!=
> (tfilter->sen_ip_dst.s_addr & pfiltermask->sen_ip_dst.s_addr))
||
> ((pfilter->sen_sport & pfiltermask->sen_sport) !=
> (tfilter->sen_sport & pfiltermask->sen_sport)) ||
> ((pfilter->sen_dport & pfiltermask->sen_dport) !=
> (tfilter->sen_dport & pfiltermask->sen_dport)) ||
> ((pfilter->sen_proto & pfiltermask->sen_proto) !=
> (tfilter->sen_proto & pfiltermask->sen_proto)))
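
Review bot: the replacement still does not implement the subset check that the removed XXX comment asked for: both sides of every comparison are masked with pfiltermask only, so tfiltermask is never consulted and a TDB whose filter mask is wider than the policy's (covering more traffic than the policy does) will now be treated as a match. Suggest adding, per field, a check that the TDB mask contains every bit of the policy mask before comparing the masked values, e.g. `(tfiltermask->sen_ip_src.s_addr & pfiltermask->sen_ip_src.s_addr) != pfiltermask->sen_ip_src.s_addr` and likewise for sen_ip_dst, ports and proto. Also, sen_type is compared for equality but never switched on, and the field accesses are all the IPv4 members (sen_ip_src, sen_ip_dst, sen_sport, sen_dport, sen_proto); given the description's mention of AF_INET6, an IPv6 policy/TDB pair should either be compared on the IPv6 members of the union or fall back to the old bcmp() for the non-IPv4 case.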
Index: ip_spd.c

RCS file: /home/mcn/OS/obsd-cvs/src/sys/netinet/ip_spd.c,v retrieving revision 1.46
diff -r1.46 ip_spd.c
294a295,297
> case 0: /* Occurs if destination was not specified in policy */
> dignore = 1;
> break;
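
Review bot: `case 0` makes a zero sa_family silently mean "no destination given" at lookup time, which addresses the symptom described above but leaves every other consumer of the policy (the description notes ISAKMPD expects an AF_INET or AF_INET6 sockaddr with INADDR_ANY) to discover the all-zero sockaddr on its own. Consider normalising the sockaddr once when the policy is installed, or at least extending the comment on this arm to say that a zero family is what `ipsecadm flow` produces when `-dst` is omitted, so the two representations do not drift apart.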

311a315,317
> case 0: /* Occurs if source was not specified in policy */
> signore = 1;
> break;
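
Review bot: this arm mirrors the destination case, but with `signore` and `dignore` both set the sockaddr passed in is all zero, so its sa_len is zero as well; please confirm that nothing downstream of this switch copies or hashes the policy's source/destination using sa_len when the ignore flags are set, and add a comment on both `case 0` arms stating that the zeroed sockaddr must not be used as an address after this point.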

>Release-Note:
Received on Sat Nov 30 12:22:38 2002


This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 13:29:38 EDT

