From: Tobias Brunner
Date: Mon, 7 Feb 2022 13:28:19 +0000 (+0100)
Subject: ipsec-types: Add a proper hash function for ipsec_sa_cfg_t
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=666ba58c01fe2eedc87cfb9a01540e7687befa6c;p=thirdparty%2Fstrongswan.git

ipsec-types: Add a proper hash function for ipsec_sa_cfg_t

While 3c1290510366 ("ipsec: Add function to compare two ipsec_sa_cfg_t instances") added a comparison function to avoid issues with non-zeroed padding, hashes were still calculated using chunk_hash().
---

diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
index 7a6d24b5ff..3c5d226ce8 100644
--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -407,7 +407,7 @@ static u_int ipsec_sa_hash(ipsec_sa_t *sa)
 chunk_hash_inc(sa->dst->get_address(sa->dst),
 chunk_hash_inc(chunk_from_thing(sa->mark),
 chunk_hash_inc(chunk_from_thing(sa->if_id),
- chunk_hash(chunk_from_thing(sa->cfg))))));
+ ipsec_sa_cfg_hash(&sa->cfg)))));
 }
 
 /**
diff --git a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
index 51a47b9f85..fe14dc8ec9 100644
--- a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
+++ b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
@@ -347,7 +347,7 @@ static u_int ipsec_sa_hash(ipsec_sa_t *sa)
 {
 return chunk_hash_inc(sa->src->get_address(sa->src),
 chunk_hash_inc(sa->dst->get_address(sa->dst),
- chunk_hash(chunk_from_thing(sa->cfg))));
+ ipsec_sa_cfg_hash(&sa->cfg)));
 }
 
 /**
diff --git a/src/libstrongswan/ipsec/ipsec_types.c b/src/libstrongswan/ipsec/ipsec_types.c
index 2f0f31abd4..0c581388f1 100644
--- a/src/libstrongswan/ipsec/ipsec_types.c
+++ b/src/libstrongswan/ipsec/ipsec_types.c
@@ -50,6 +50,22 @@ ENUM(dscp_copy_names, DSCP_COPY_OUT_ONLY, DSCP_COPY_NO,
 "no",
 );
 
+/*
+ * See header
+ */
+u_int ipsec_sa_cfg_hash(ipsec_sa_cfg_t *this)
+{
+ return chunk_hash_inc(chunk_from_thing(this->mode),
+ chunk_hash_inc(chunk_from_thing(this->reqid),
+ chunk_hash_inc(chunk_from_thing(this->policy_count),
+ chunk_hash_inc(chunk_from_thing(this->esp.use),
+ chunk_hash_inc(chunk_from_thing(this->esp.spi),
+ chunk_hash_inc(chunk_from_thing(this->ah.use),
+ chunk_hash_inc(chunk_from_thing(this->ah.spi),
+ chunk_hash_inc(chunk_from_thing(this->ipcomp.transform),
+ chunk_hash(chunk_from_thing(this->ipcomp.cpi))))))))));
+}
+
 /*
  * See header
  */
diff --git a/src/libstrongswan/ipsec/ipsec_types.h b/src/libstrongswan/ipsec/ipsec_types.h
index 1c61fecfe8..6aa29bdf10 100644
--- a/src/libstrongswan/ipsec/ipsec_types.h
+++ b/src/libstrongswan/ipsec/ipsec_types.h
@@ -175,6 +175,14 @@ struct ipsec_sa_cfg_t {
 } ipcomp;
 };
 
+/**
+ * Hash an ipsec_sa_cfg_t object.
+ *
+ * @param this object to hash
+ * @return hash value
+ */
+u_int ipsec_sa_cfg_hash(ipsec_sa_cfg_t *this);
+
 /**
  * Compare two ipsec_sa_cfg_t objects for equality.
  *
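Review bot: ipsec_sa_cfg_hash() in ipsec_types.c lists the struct members by hand, but nothing at the definition records that this list has to stay consistent with what ipsec_sa_cfg_equals() compares. If a member is ever hashed here without being compared there, two configs that compare equal can end up in different buckets and SA lookups keyed on this hash would miss without any error. I would extend the bare `See header` comment with something like `/* hash each member separately, padding may be uninitialized; keep in sync with ipsec_sa_cfg_equals() */`. The body of ipsec_sa_cfg_equals() lies outside this hunk, so its member list should be checked against this one before merging.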
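Review bot: The doc comment added for ipsec_sa_cfg_hash() in ipsec_types.h does not state the property that makes the function necessary, namely that padding bytes are excluded from the hash. Hashing the struct as a whole with `chunk_hash(chunk_from_thing(cfg))` is the pattern this commit removes from the two kernel plugins, and a caller reading only the header has no hint to avoid it. I would add a line such as ` * Members are hashed individually, so padding does not affect the result; objects equal per ipsec_sa_cfg_equals() yield the same hash.`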