[Openswan dev] [PATCH] Openswan: fix ipcomp skb offset calculations

Paul Wouters paul at xelerance.com
Wed Dec 3 23:20:09 EST 2008


On Mon, 1 Dec 2008, Florian Westphal wrote:

> 
> When a compressed packed is received, the kernel panics
> (also see http://bugs.xelerance.com/view.php?id=982 , which appears to describe
> the same issue):

can you confirm that with openswan-2.6.20dr2? Some of the defines got
accidentally flipped around on some kernels.

I tried to reproduce this. I did run into issues.

- initiating with compress=yes on 2.6.20dr2 yielded a working connection,
  but without IPcomp. Filed bug: http://bugs.xelerance.com/view.php?id=1014
- klips 2.4.x on the remote initiating to us. IPcomp negotiated. packets fail, despite:
  klips_debug:ipsec_xmit_send: ...done, calling ip_send() on device:eth0
- netkey 2.6.x on the remote initiating to us. IPcomp negotiated. packets fail as with klips 2.4

I do not however get a crasher or oops. It actually appears to me fine:

klips_debug:ipsec_xmit_send: ...done, calling ip_send() on device:eth0

I checked with the klips 2.4.x <-> klips 2.6.20dr2 where 2.4.x initiated and a correct ipcomp
SA is established. pinging from 2.4.x to 2.6.20dr2 gives me encrypted packets out of 2.4.x
onto 2.6.20dr2, decrypted, replied, encrypted send to 2.4.x, decrypted and then vanish.
klipsdebug on 2.4.x tells me:

klips_debug:ipsec_xmit_encap_once: calling output for <COMP_DEFLATE>, SA:comp.ae2c at 193.110.157.17
klips_debug:ipsec_xmit_encap_once: pushing 0 bytes, putting 0, proto 108.
klips_debug:ipsec_xmit_encap_once: head,tailroom: 56,96 before xform.
klips_debug:skb_compress: .
klips_debug:skb_compress: skipping compression of tiny packet, len=84.
klips_debug:ipsec_xmit_encap_once: packet did not compress (flags = 1).
klips_debug:ipsec_xmit_encap_once: after <COMP_DEFLATE>, SA:comp.ae2c at 193.110.157.17:
klips_debug:   IP: ihl:20 ver:4 tos:0 tlen:104 id:60345 frag_off:0 ttl:64 proto:4 chk:53594 saddr:193.110.157.143 daddr:193.110.157.17
klips_debug:   IP: ihl:20 ver:4 tos:0 tlen:104 id:60345 frag_off:0 ttl:64 proto:4 chk:53594 saddr:193.110.157.143 daddr:193.110.157.17
klips_debug:ipsec_xmit_encap_once: calling output for <ESP_AES_HMAC_SHA1>, SA:esp.91d3983c at 193.110.157.17
klips_debug:ipsec_xmit_encap_once: pushing 24 bytes, putting 24, proto 50.
klips_debug:ipsec_xmit_encap_once: head,tailroom: 32,72 before xform.
klips_dmp: at pre-encrypt, len=152:
klips_debug:   @000: 45 00 00 98 eb b9 00 00 40 32 d1 5a c1 6e 9d 8f
klips_debug:   @010: c1 6e 9d 11 91 d3 98 3c 00 00 00 32 eb b9 00 00
klips_debug:   @020: 40 04 d1 5a c1 6e 9d 8f c1 6e 9d 11 45 00 00 54
klips_debug:   @030: 00 00 40 00 40 01 7d 2b c1 6e 9d 8f c1 6e 9d 11
klips_debug:   @040: 08 00 b9 1e cd 36 00 04 58 59 37 49 ea 00 0d 00
klips_debug:   @050: 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17
klips_debug:   @060: 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25 26 27
klips_debug:   @070: 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34 35 36 37
klips_debug:   @080: 01 02 03 04 05 06 07 08 09 0a 0a 04 3e 63 31 36
klips_debug:   @090: 65 39 64 31 31 00 9d d1
klips_debug:ipsec_alg_esp_encrypt: entering with encalg=12, ixt_e=d16abfa0
klips_debug:ipsec_alg_esp_encrypt: calling cbc_encrypt encalg=12 ips_key_e=c2a44c00 idat=c325004c ilen=96 iv=c325003c, encrypt=1
klips_debug:ipsec_alg_esp_encrypt: returned ret=96
klips_debug:ipsec_xmit_encap_once: after <ESP_AES_HMAC_SHA1>, SA:esp.91d3983c at 193.110.157.17:
klips_debug:   IP: ihl:20 ver:4 tos:0 tlen:152 id:60345 frag_off:0 ttl:64 proto:50 (ESP) chk:53500 saddr:193.110.157.143 daddr:193.110.157.17
klips_debug:   IP: ihl:20 ver:4 tos:0 tlen:152 id:60345 frag_off:0 ttl:64 proto:50 (ESP) chk:53500 saddr:193.110.157.143 daddr:193.110.157.17
klips_error:ipsec_sa_put: null pointer passed in!
klips_debug:ipsec_findroute: 193.110.157.143:0->193.110.157.17:0 50
klips_debug:rj_match: * See if we match exactly as a host destination
klips_debug:rj_match: ** try to match a leaf, t=0pc2b163a0
klips_debug:ipsec_xmit_restore_hard_header: After recursive xforms -- head,tailroom: 32,72
klips_debug:ipsec_xmit_restore_hard_header: With hard_header, final head,tailroom: 18,72
klips_debug:ipsec_xmit_send: ...done, calling ip_send() on device:eth0
klips_debug:   IP: ihl:20 ver:4 tos:0 tlen:152 id:60345 frag_off:0 ttl:64 proto:50 (ESP) chk:53500 saddr:193.110.157.143 daddr:193.110.157.17

I am not sure why I am not seeing the successfully decrypted packet.

I did want to test with your patch, to see if it resolved anything. But
it did not compile for me:

make -C /usr/src/kernels/2.6.27.5-117.fc10.x86_64/  BUILDDIR=/vol/git/openswan.ikev2/modobj26 SUBDIRS=/vol/git/openswan.ikev2/modobj26 MODULE_DEF_INCLUDE=/vol/git/openswan.ikev2/packaging/linus/config-all.h MODULE_DEFCONFIG=/vol/git/openswan.ikev2/linux/net/ipsec/defconfig  MODULE_EXTRA_INCLUDE= ARCH=x86_64 modules
make[2]: Entering directory `/usr/src/kernels/2.6.27.5-117.fc10.x86_64'
  CC [M]  /vol/git/openswan.ikev2/modobj26/ipcomp.o
/vol/git/openswan.ikev2/modobj26/ipcomp.c: In function 'skb_copy_ipcomp':
/vol/git/openswan.ikev2/modobj26/ipcomp.c:618: error: 'struct sk_buff' has no member named 'h'
/vol/git/openswan.ikev2/modobj26/ipcomp.c:626: error: 'struct sk_buff' has no member named 'nh'
make[3]: *** [/vol/git/openswan.ikev2/modobj26/ipcomp.o] Error 1

What kernel source are you using? Is this a modified or backported kernel?

There is surely something fishy going on with ipcomp, but I'm not sure yet
what the problem is.

Paul


More information about the Dev mailing list