Bug #8988

SADB_ACQUIRE proposals don't include mechanism salt length

Added by Jason King over 1 year ago. Updated over 1 year ago.

Status: Closed
Priority: Normal
Assignee:
Category: networking
Start date: 2018-01-24
Due date:
% Done: 100%
Estimated time:
Difficulty: Medium
Tags: needs-triage

Description

Upstream of Joyent OS-6525:

When the kernel wishes to create an IPsec SA, it generates an SADB_ACQUIRE message that is sent via pf_key(7P) to any process that has registered with the kernel (via sending a SADB_REGISTER message). These SADB_ACQUIRE messages can be in one of two forms – a regular ACQUIRE or an extended ACQUIRE (based on how the listening process registered with the kernel). The main difference between the two SADB_ACQUIRE messages is that a regular acquire message contains SADB_EXT_PROPOSAL extensions while an extended ACQUIRE contains SADB_X_EXT_PROP extensions. An SADB_X_EXT_PROP extension consists of an sadb_prop_t header, followed by one or more sadb_x_ecomb_t structs. Each sadb_x_ecomb_t struct is itself followed by one or more sadb_x_algdesc_t structs. An SADB_EXT_PROPOSAL extension also starts with an sadb_prop_t header, but then is followed by one or more sadb_comb_t structs.

When the kernel populates an sadb_x_algdesc_t struct, it sets the salt length of the mechanism it is describing in the sadb_x_algdesc_reserved field. However, when the kernel populates an sadb_comb_t struct, it never sets the salt length of the mechanism in any field of the struct. Since the salt must be generated and sent to the kernel along with the key (if the selected mechanism, e.g. aes-gcm, requires one), the salt length must also be included in the sadb_comb_t struct that is sent in an SADB_EXT_PROPOSAL extension.
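The following is an added example, not illumos code, showing how a pf_key consumer (a key-management daemon) would walk the two proposal layouts described above and why the regular form is a problem for salted ciphers. The struct definitions are simplified, hypothetical stand-ins for those in <net/pfkeyv2.h> (the real ones also carry lifetimes and flags), the enum values are constructed, and only the nesting order and the convention that the kernel stores the salt length in sadb_x_algdesc_reserved are kept. The extended walker returns the salt length the kernel signalled; the regular walker can only count the combinations whose cipher needs a salt that the sadb_comb_t layout has no field for, which is exactly the gap this bug describes.

```c
/*
 * Added example, not illumos code. Hypothetical, simplified stand-ins for the
 * pf_key(7P) structures named in the report; real definitions are in
 * <net/pfkeyv2.h>. pf_key lengths count 8-byte units, so every struct is 8 bytes.
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum { PROP_EXT_PROPOSAL = 1, PROP_X_EXT_EPROP = 2 };             /* constructed */
enum { ALGTYPE_AUTH = 1, ALGTYPE_CRYPT = 2 };                     /* constructed */
enum { ALG_HMAC_SHA256 = 5, ALG_AES_CBC = 12, ALG_AES_GCM = 20 }; /* constructed */

typedef struct {                    /* header shared by both extension kinds */
    uint16_t sadb_prop_len;         /* extension length in 8-byte units */
    uint16_t sadb_prop_exttype;
    uint8_t  sadb_prop_replay, sadb_prop_reserved;
    uint16_t sadb_x_prop_numecombs; /* extended form: number of ecombs */
} sadb_prop_t;

typedef struct {                    /* regular ACQUIRE combination */
    uint8_t  sadb_comb_auth, sadb_comb_encrypt;
    uint16_t sadb_comb_encrypt_minbits, sadb_comb_encrypt_maxbits;
    uint16_t sadb_comb_reserved;    /* no field carries a salt length */
} sadb_comb_t;

typedef struct {                    /* extended ACQUIRE combination header */
    uint8_t sadb_x_ecomb_numalgs;   /* sadb_x_algdesc_t entries that follow */
    uint8_t sadb_x_ecomb_reserved[7];
} sadb_x_ecomb_t;

typedef struct {                    /* one algorithm inside an ecomb */
    uint8_t  sadb_x_algdesc_algtype, sadb_x_algdesc_alg;
    uint8_t  sadb_x_algdesc_reserved; /* salt length in bytes, set by kernel */
    uint8_t  sadb_x_algdesc_pad;
    uint16_t sadb_x_algdesc_minbits, sadb_x_algdesc_maxbits;
} sadb_x_algdesc_t;

/* Parse and bound the shared header; returns the extension length or 0. */
static size_t prop_header(const uint8_t *buf, size_t len, uint16_t want,
    sadb_prop_t *hdr)
{
    if (len < sizeof *hdr) return 0;
    memcpy(hdr, buf, sizeof *hdr);
    size_t ext_len = (size_t)hdr->sadb_prop_len * 8;
    if (hdr->sadb_prop_exttype != want || ext_len < sizeof *hdr || ext_len > len)
        return 0;
    return ext_len;
}

/* Extended form: salt length the kernel signalled for cipher `alg`, or -1 if
 * the extension is malformed or does not offer that cipher. */
int eprop_salt_for_alg(const uint8_t *buf, size_t len, uint8_t alg)
{
    sadb_prop_t hdr;
    size_t ext_len = prop_header(buf, len, PROP_X_EXT_EPROP, &hdr);
    size_t off = sizeof hdr;
    if (ext_len == 0) return -1;
    for (uint16_t e = 0; e < hdr.sadb_x_prop_numecombs; e++) {
        sadb_x_ecomb_t ec;
        if (ext_len - off < sizeof ec) return -1;   /* truncated ecomb */
        memcpy(&ec, buf + off, sizeof ec);
        off += sizeof ec;
        for (uint8_t a = 0; a < ec.sadb_x_ecomb_numalgs; a++) {
            sadb_x_algdesc_t d;
            if (ext_len - off < sizeof d) return -1; /* truncated algdesc */
            memcpy(&d, buf + off, sizeof d);
            off += sizeof d;
            if (d.sadb_x_algdesc_algtype == ALGTYPE_CRYPT && d.sadb_x_algdesc_alg == alg)
                return d.sadb_x_algdesc_reserved;
        }
    }
    return -1;
}

/* Constructed local table: only AES-GCM needs a salt here (4 bytes). */
static int local_salt_len(uint8_t alg) { return alg == ALG_AES_GCM ? 4 : 0; }

/* Regular form: count combinations whose cipher needs a salt. sadb_comb_t has
 * no field for it, so the consumer must consult its own table instead. */
int prop_combs_missing_salt(const uint8_t *buf, size_t len)
{
    sadb_prop_t hdr;
    size_t ext_len = prop_header(buf, len, PROP_EXT_PROPOSAL, &hdr);
    int missing = 0;
    if (ext_len == 0) return -1;
    for (size_t off = sizeof hdr; ext_len - off >= sizeof (sadb_comb_t);
        off += sizeof (sadb_comb_t)) {
        sadb_comb_t c;
        memcpy(&c, buf + off, sizeof c);
        if (local_salt_len(c.sadb_comb_encrypt) > 0) missing++;
    }
    return missing;
}

/* Constructed sample: one ecomb with HMAC-SHA256 and AES-GCM (4-byte salt). */
int demo_eprop_salt(uint8_t alg)
{
    uint8_t buf[32];
    sadb_prop_t h = { 4, PROP_X_EXT_EPROP, 0, 0, 1 };
    sadb_x_ecomb_t ec = { 2, {0} };
    sadb_x_algdesc_t d[2] = {
        { ALGTYPE_AUTH,  ALG_HMAC_SHA256, 0, 0, 256, 256 },
        { ALGTYPE_CRYPT, ALG_AES_GCM,     4, 0, 128, 256 },
    };
    memcpy(buf, &h, 8); memcpy(buf + 8, &ec, 8); memcpy(buf + 16, d, 16);
    return eprop_salt_for_alg(buf, sizeof buf, alg);
}

/* Constructed sample: two regular combs, AES-CBC and AES-GCM, no salt field. */
int demo_prop_missing_salt(void)
{
    uint8_t buf[24];
    sadb_prop_t h = { 3, PROP_EXT_PROPOSAL, 0, 0, 0 };
    sadb_comb_t c[2] = {
        { ALG_HMAC_SHA256, ALG_AES_CBC, 128, 256, 0 },
        { ALG_HMAC_SHA256, ALG_AES_GCM, 128, 256, 0 },
    };
    memcpy(buf, &h, 8); memcpy(buf + 8, c, 16);
    return prop_combs_missing_salt(buf, sizeof buf);
}
```

Every read is bounded by the header's own length field and the buffer size, which is the check a daemon parsing kernel-originated pf_key messages should keep even when it trusts the sender. Note that the local table in the regular-form walker is the workaround a consumer needed before this fix; the fix itself puts the salt length into the SADB_EXT_PROPOSAL data so that table is no longer the only source.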

History

#1

Updated by Electric Monk over 1 year ago

  • % Done changed from 0 to 100
  • Status changed from New to Closed

git commit 351128add6ee764cb0082bcf82bde86a83696801

commit  351128add6ee764cb0082bcf82bde86a83696801
Author: Jason King <jason.king@joyent.com>
Date:   2018-02-14T18:47:11.000Z

    8988 SADB_ACQUIRE proposals don't include mechanism salt length
    Reviewed by: Dan McDonald <danmcd@joyent.com>
    Reviewed by: Tim Kordas <tim.kordas@joyent.com>
    Reviewed by: Richard Lowe <richlowe@richlowe.net>
    Approved by: Gordon Ross <gordon.ross@nexenta.com>
