Dev news

Commit f10b9adec9 for strongswan.org

commit f10b9adec92bfde985aadd9e96b78f89fd631cc7
Author: Tobias Brunner <tobias@strongswan.org>
Date:   Mon Feb 7 14:28:19 2022 +0100

    ipsec-types: Add a proper hash function for ipsec_sa_cfg_t

    While 3c1290510366 ("ipsec: Add function to compare two ipsec_sa_cfg_t
    instances") added a comparison function to avoid issues with non-zeroed
    padding, hashes were still calculated using chunk_hash().

diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
index d951aa0737..b06c836d1e 100644
--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -470,7 +470,7 @@ static u_int ipsec_sa_hash(ipsec_sa_t *sa)
 						  chunk_hash_inc(chunk_from_thing(sa->mark),
 						  chunk_hash_inc(chunk_from_thing(sa->if_id),
 						  chunk_hash_inc(chunk_from_thing(sa->hw_offload),
-						  chunk_hash(chunk_from_thing(sa->cfg)))))));
+						  ipsec_sa_cfg_hash(&sa->cfg))))));
 }

 /**
diff --git a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
index 469b4b9cc6..abf85fdbd5 100644
--- a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
+++ b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
@@ -348,7 +348,7 @@ static u_int ipsec_sa_hash(ipsec_sa_t *sa)
 {
 	return chunk_hash_inc(sa->src->get_address(sa->src),
 						  chunk_hash_inc(sa->dst->get_address(sa->dst),
-						  chunk_hash(chunk_from_thing(sa->cfg))));
+						  ipsec_sa_cfg_hash(&sa->cfg)));
 }

 /**
diff --git a/src/libstrongswan/ipsec/ipsec_types.c b/src/libstrongswan/ipsec/ipsec_types.c
index d84c97b395..82b5c9ee79 100644
--- a/src/libstrongswan/ipsec/ipsec_types.c
+++ b/src/libstrongswan/ipsec/ipsec_types.c
@@ -53,6 +53,22 @@ ENUM(dscp_copy_names, DSCP_COPY_OUT_ONLY, DSCP_COPY_NO,
 	"no",
 );

+/*
+ * See header
+ */
+u_int ipsec_sa_cfg_hash(ipsec_sa_cfg_t *this)
+{
+	return chunk_hash_inc(chunk_from_thing(this->mode),
+			chunk_hash_inc(chunk_from_thing(this->reqid),
+			chunk_hash_inc(chunk_from_thing(this->policy_count),
+			chunk_hash_inc(chunk_from_thing(this->esp.use),
+			chunk_hash_inc(chunk_from_thing(this->esp.spi),
+			chunk_hash_inc(chunk_from_thing(this->ah.use),
+			chunk_hash_inc(chunk_from_thing(this->ah.spi),
+			chunk_hash_inc(chunk_from_thing(this->ipcomp.transform),
+				chunk_hash(chunk_from_thing(this->ipcomp.cpi))))))))));
+}
+
 /*
  * See header
  */
diff --git a/src/libstrongswan/ipsec/ipsec_types.h b/src/libstrongswan/ipsec/ipsec_types.h
index 936e4f86ee..22f54819ea 100644
--- a/src/libstrongswan/ipsec/ipsec_types.h
+++ b/src/libstrongswan/ipsec/ipsec_types.h
@@ -179,6 +179,14 @@ struct ipsec_sa_cfg_t {
 	} ipcomp;
 };

+/**
+ * Hash an ipsec_sa_cfg_t object.
+ *
+ * @param this		object to hash
+ * @return			hash value
+ */
+u_int ipsec_sa_cfg_hash(ipsec_sa_cfg_t *this);
+
 /**
  * Compare two ipsec_sa_cfg_t objects for equality.
  *