I have been experiencing panics when testing IPSEC under HEAD. The kernel panics when sending or receiving Authentication Headers (AH), and TCP connections encapsulated in ESP time out.

I've made some progress resolving the panic, but I can't get IPSEC or FAST_IPSEC to work correctly. I've gone through the ipsec code looking for any glaring errors. Any help would be appreciated.

Regards

Gary


Communication between DragonFly Head and FreeBSD 4/6 using IPSEC.


options IPSEC
options IPSEC_ESP

IPSEC AH        ICMP, UDP and TCP are working between PCs.
IPSEC ESP       ICMP and UDP work. TCP connections time out.
IPSEC AH-ESP    ICMP and UDP work. TCP connections time out.


options FAST_IPSEC

IPSEC AH        Kernel panic.
IPSEC ESP       ICMP, UDP and TCP are working between PCs.
IPSEC AH-ESP    Kernel panic.

flush;
spdflush;

add 192.168.20.4 192.168.20.6 ah 15700 -A hmac-md5 "1234567890123456";
add 192.168.20.6 192.168.20.4 ah 24500 -A hmac-md5 "1234567890123456";

add 192.168.20.4 192.168.20.6 esp 15701 -E rijndael-cbc "123456789012345678901234";
add 192.168.20.6 192.168.20.4 esp 24501 -E rijndael-cbc "123456789012345678901234";

spdadd 192.168.20.4 192.168.20.6 any -P out ipsec 
        esp/transport//require
        ah/transport//require;

Index: sys/netproto/ipsec/ipsec.c
===================================================================
RCS file: /home/dcvs/src/sys/netproto/ipsec/ipsec.c,v
retrieving revision 1.13
diff -u -r1.13 ipsec.c
--- sys/netproto/ipsec/ipsec.c  14 Jan 2006 13:36:40 -0000      1.13
+++ sys/netproto/ipsec/ipsec.c  22 Apr 2006 12:01:51 -0000
@@ -672,7 +672,7 @@
                        spidx->dst.sin.sin_port = uh.uh_dport;
                        return;
                case IPPROTO_AH:
-                       if (m->m_pkthdr.len > off + sizeof(ip6e))
+                       if (off + sizeof(ip6e) > m->m_pkthdr.len)
                                goto done;
                        /* XXX sigh, this works but is totally bogus */
                        m_copydata(m, off, sizeof(ip6e), (caddr_t) &ip6e);
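Review bot: The corrected bound in the IPPROTO_AH case deserves a comment, because the inverted form it replaces is exactly what let the m_copydata() on the following line read past the end of the packet; suggest `/* not enough data for the AH header: stop parsing */` directly above the `if`. Note that `off + sizeof(ip6e)` has type size_t, so `m->m_pkthdr.len` is converted to unsigned for the comparison; that is fine while both values are non-negative, which appears to be the case here, but a negative `off` would pass the check — confirm the caller guarantees `off >= 0`. The enclosing function starts and ends outside this hunk, so I cannot see whether the other `case` labels express the same check with the same operand order; keeping them consistent would make the next audit easier.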
Index: sys/netproto/ipsec/keysock.c
===================================================================
RCS file: /home/dcvs/src/sys/netproto/ipsec/keysock.c,v
retrieving revision 1.11
diff -u -r1.11 keysock.c
--- sys/netproto/ipsec/keysock.c        14 Jan 2006 13:36:40 -0000      1.11
+++ sys/netproto/ipsec/keysock.c        19 Apr 2006 18:00:36 -0000
@@ -48,6 +48,7 @@
 #include <sys/socketvar.h>
 #include <sys/sysctl.h>
 #include <sys/systm.h>
+#include <sys/thread2.h>
 
 #include <net/raw_cb.h>
 #include <net/route.h>
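Review bot: The new `#include <sys/thread2.h>` has no user inside this hunk, so the reason for it is not visible; presumably it is needed for crit_enter()/crit_exit() used elsewhere in this file (DragonFly declares them in sys/thread2.h), and the same applies to the identical addition in the xform_ipcomp.c hunk below — please confirm. Since the cover note says nothing about these two files, one sentence explaining them (e.g. that the header is no longer pulled in transitively under HEAD) would let a committer tell the build fix apart from the AH bounds fix in ipsec.c.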
Index: sys/netproto/ipsec/xform_ipcomp.c
===================================================================
RCS file: /home/dcvs/src/sys/netproto/ipsec/xform_ipcomp.c,v
retrieving revision 1.7
diff -u -r1.7 xform_ipcomp.c
--- sys/netproto/ipsec/xform_ipcomp.c   10 Jun 2005 23:59:31 -0000      1.7
+++ sys/netproto/ipsec/xform_ipcomp.c   19 Apr 2006 17:46:55 -0000
@@ -40,6 +40,7 @@
 #include <sys/kernel.h>
 #include <sys/protosw.h>
 #include <sys/sysctl.h>
+#include <sys/thread2.h>
 
 #include <netinet/in.h>
 #include <netinet/in_systm.h>
