OS-6333: sadb_x_kmc_t's KM cookie should be 64-bits

Details

Issue Type: Improvement
Priority: 4 - Normal
Status: Resolved
Created at: 2017-09-08T12:20:30.000Z
Updated at: 2018-01-10T16:19:51.830Z

People

Created by: dan.mcdonald
Reported by: Dan McDonald
Assigned to: Dan McDonald

Resolution

Fixed: A fix for this issue is checked into the tree and tested.
(Resolution Date: 2017-09-26T13:27:23.000Z)

Fix Versions

2017-09-28 Battle Square (Release Date: 2017-09-28)

Description

IKEv2 development requires a stronger tie to the IKE SA that creates IPsec SAs. The easiest way to do this is to either expand sadb_x_kmc_t's sadb_x_kmc_cookie, or create a sadb_x_kmc_cookie64 (and have the internals deal with it completely). Per MM chat:

I'll look at the current code, and report back here.
http://src.illumos.org/source/xref/illumos-gate/usr/src/uts/common/inet/sadb.h#243
At the bottom of that block, ipsa_kmc needs to grow.
http://src.illumos.org/source/xref/illumos-gate/usr/src/uts/common/inet/ip/sadb.c#1046
arg3 needs to grow, and code needs to slightly change.
Slight mods here too:
http://src.illumos.org/source/xref/illumos-gate/usr/src/uts/common/inet/ip/sadb.c#3134
And sadb_form_query() callers need inspection.
Not that bad.
(And of course, the libipsecutil and ipseckey bits.)

Additional spelunking indicates a required change in (currently reserved) ipp_km_cookie: http://src.illumos.org/source/xref/illumos-gate/usr/src/uts/common/inet/ipsec_impl.h#220
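
How widening the cookie in place interacts with existing 32-bit senders, as an added example that is not illumos code and not part of this ticket: the struct and function names are hypothetical, and the 16-byte layout (a 32-bit cookie followed by a reserved 32-bit word) is an assumption. It goes beyond the ticket by showing the byte-order caveat of reading legacy bytes through the wider field.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed legacy layout: 32-bit cookie followed by a reserved 32-bit word. */
struct kmc32_ext {
	uint16_t len, exttype;	/* len counts 64-bit words */
	uint32_t proto;		/* key-management protocol */
	uint32_t cookie;
	uint32_t reserved;	/* legacy senders leave this zero */
};

/* Hypothetical widened layout: cookie and reserved word merged into 64 bits. */
struct kmc64_ext {
	uint16_t len, exttype;
	uint32_t proto;
	uint64_t cookie64;
};

/* Widening in place must not resize the extension or move the cookie. */
_Static_assert(sizeof(struct kmc32_ext) == sizeof(struct kmc64_ext), "size changed");
_Static_assert(offsetof(struct kmc32_ext, cookie) == offsetof(struct kmc64_ext, cookie64), "moved");

/* Bytes an unmodified 32-bit sender would emit (exttype 0 is a placeholder). */
void legacy_encode(uint8_t out[16], uint32_t proto, uint32_t cookie) {
	struct kmc32_ext e = { 2, 0, proto, cookie, 0 };
	memcpy(out, &e, sizeof (e));
}

/* What a 64-bit-aware reader sees if it simply overlays the new layout. */
uint64_t overlay_cookie64(const uint8_t in[16]) {
	struct kmc64_ext e;
	memcpy(&e, in, sizeof (e));
	return (e.cookie64);
}

/* Endian-independent upgrade of a legacy message: zero-extend the old field. */
uint64_t widen_legacy_cookie(const uint8_t in[16]) {
	struct kmc32_ext e;
	memcpy(&e, in, sizeof (e));
	return ((uint64_t)e.cookie);
}

/* Constructed sample: proto 1 and cookie 0xdeadbeef are made-up values. */
int main(void) {
	uint8_t buf[16];
	legacy_encode(buf, 1, 0xdeadbeefu);
	return (widen_legacy_cookie(buf) == 0xdeadbeefULL ? 0 : 1);
}
```

On a little-endian host both readers return the same value; on a big-endian host the overlay puts the legacy cookie in the upper 32 bits, so legacy input has to be zero-extended explicitly.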

Comments

Comment by Dan McDonald
Created at 2017-09-22T18:40:14.000Z
Updated at 2017-12-14T17:01:32.349Z

Part of fixing this (mostly for the test suite) was to add SADB_UPDATE's ability to write into the KMC if it wasn't there already. This found a bug in KMC matching that is fixed as part of this bugfix.


Comment by Dan McDonald
Created at 2017-09-25T16:30:14.000Z
Updated at 2017-12-14T17:01:31.589Z

Tests performed during development included the new pf_key os-tests, and running in.iked over the new kernel. I will update this ticket with final pre-IA results.


Comment by Dan McDonald
Created at 2017-09-25T18:40:08.000Z
Updated at 2017-12-14T17:01:31.876Z

Confirmed on a fresh-today smartos-live build with these changes in place. Ran in.iked successfully, and the KMC reported by ipseckey(1M) is identical to the one pre-this-change. Also ran the new /opt/os-tests/tests/pf_key/kmc-update successfully.


Comment by Bot Bot [X]
Created at 2017-09-25T18:44:00.000Z

illumos-joyent commit 02ba530 (branch master, by Dan McDonald)

OS-6333 sadb_x_kmc_t's KM cookie should be 64-bits
Reviewed by: Jason King <jason.king@joyent.com>
Reviewed by: Robert Mustacchi <rm@joyent.com>
Approved by: Jerry Jelinek <jerry.jelinek@joyent.com>


Comment by Jira Bot
Created at 2018-01-10T16:19:51.830Z

illumos-joyent commit 9451a447ff40db1a74c1c97c931629d2d96c5bbb (branch master, by Dan McDonald)

Fix messed-up upstream of OS-6333/illumos#8927.

Restore conflicted files:
usr/src/lib/libipsecutil/common/ipsec_util.c
usr/src/test/os-tests/tests/pf_key/kmc-update.sh
usr/src/test/os-tests/tests/pf_key/kmc-updater.c
usr/src/uts/common/inet/ip/sadb.c

To re-include:
OS-6333 (commit 02ba530437bfbfdddf56de010d62a5ff453813ae)
OS-6480 (commit 9ba45b30b3b7aaeb1b63f85670403e6ea3a550eb)

NOTE: Source histories of those particular files lost illumos-joyent changes.