lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Tue, 28 Jan 2020 10:54:23 +0100 (CET)
From:   David Miller <davem@...emloft.net>
To:     thomas.egerer@...unet.com
Cc:     netdev@...r.kernel.org, steffen.klassert@...unet.com,
        herbert@...dor.apana.org.au
Subject: Re: [PATCH net] xfrm: Interpret XFRM_INF as 32 bit value for
 non-ESN states

From: Thomas Egerer <thomas.egerer@...unet.com>
Date: Mon, 27 Jan 2020 15:31:14 +0100

> Currently, when left unconfigured, hard and soft packet limit are set to
> XFRM_INF ((__u64)~0). This can be problematic for non-ESN states, as
> their 'natural' packet limit is 2^32 - 1 packets. When reached, instead
> of creating an expire event, the states become unusable and increase
> their respective 'state expired' counter in the xfrm statistics. The
> only way for them to actually expire is based on their lifetime limits.
> 
> This patch reduces the packet limit of non-ESN states with XFRM_INF as
> their soft/hard packet limit to their maximum achievable sequence
> number in order to trigger an expire, which can then be used by an IKE
> daemon to reestablish the connection.
> 
> Signed-off-by: Thomas Egerer <thomas.egerer@...unet.com>

Please always CC: the ipsec maintainers for patches to IPSEC.

Steffen, I assume I will get this from you.

Thanks.

> ---
>  net/xfrm/xfrm_user.c | 7 +++++++
>  1 file changed, 7 insertions(+)
> 
> diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
> index b88ba45..84d4008 100644
> --- a/net/xfrm/xfrm_user.c
> +++ b/net/xfrm/xfrm_user.c
> @@ -505,6 +505,13 @@ static void copy_from_user_state(struct xfrm_state *x, struct xfrm_usersa_info *
>  
>  	if (!x->sel.family && !(p->flags & XFRM_STATE_AF_UNSPEC))
>  		x->sel.family = p->family;
> +
> +	if ((x->props.flags & XFRM_STATE_ESN) == 0 {
> +		if (x->lft.soft_packet_limit == XFRM_INF)
> +			x->lft.soft_packet_limit == (__u32)~0;
> +		if (x->lft.hard_packet_limit == XFRM_INF)
> +			x->lft.hard_packet_limit == (__u32)~0;
> +	}
>  }
>  
>  /*
> -- 
> 2.6.4
> 

Powered by blists - more mailing lists