Message-ID: <aDQhZ_ikHEt_pLn_@gondor.apana.org.au>
Date: Mon, 26 May 2025 16:08:07 +0800
From: Herbert Xu <herbert@...dor.apana.org.au>
To: Aakash Kumar S <saakashkumar@...vell.com>
Cc: netdev@...r.kernel.org, steffen.klassert@...unet.com,
	davem@...emloft.net, edumazet@...gle.com, kuba@...nel.org,
	pabeni@...hat.com, horms@...nel.org, akamaluddin@...vell.com
Subject: Re: [PATCH] xfrm: Duplicate SPI Handling – IPsec-v3 Compliance Concern

On Mon, May 26, 2025 at 12:13:22PM +0530, Aakash Kumar S wrote:
>
>  static inline unsigned int
> -__xfrm_spi_hash(const xfrm_address_t *daddr, __be32 spi, u8 proto,
> -		unsigned short family, unsigned int hmask)
> +__xfrm_spi_hash(const xfrm_address_t * __maybe_unused daddr, __be32 spi,
> +		u8 __maybe_unused proto, unsigned short __maybe_unused family,
> +		unsigned int hmask)
>  {
> -	unsigned int h = (__force u32)spi ^ proto;
> -	switch (family) {
> -	case AF_INET:
> -		h ^= __xfrm4_addr_hash(daddr);
> -		break;
> -	case AF_INET6:
> -		h ^= __xfrm6_addr_hash(daddr);
> -		break;
> -	}
> +	unsigned int h = (__force u32)spi;
>  	return (h ^ (h >> 10) ^ (h >> 20)) & hmask;
>  }
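
Review bot: in `__xfrm_spi_hash()`, the new `unsigned int h = (__force u32)spi;` changes only which bucket a state lands in; nothing in this hunk changes how entries within a bucket are compared, so the hunk alone does not show a duplicate SPI being detected or rejected. States that share an SPI but differ in `proto`, `family` or `daddr` will now chain in the same bucket, so the comparison side should be part of the same change. Separately, `daddr`, `proto` and `family` are kept in the signature and marked `__maybe_unused` rather than removed; either drop them and update the callers, or add a comment saying why they are retained.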

I don't think this patch is sufficient.  The logic around state
lookups needs to be changed to exclude the destination address
comparison to achieve your objective.

It's also dangerous to unilaterally do this since existing deployments
could rely on the old behaviour.  You'd need to add a toggle for
compatibility.

Cheers,
-- 
Email: Herbert Xu <herbert@...dor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
