Date: Tue, 7 Mar 2017 13:56:13 +0100
From: Steffen Klassert
Subject: Re: [PATCH] xfrm: Added the auth and enc update support in "state update"
Message-ID: <20170307125613.GL694@gauss.secunet.com>
References: <1488888193-4071-1-git-send-email-trajaraman@mvista.com>
In-Reply-To: <1488888193-4071-1-git-send-email-trajaraman@mvista.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Mar 07, 2017 at 05:33:13PM +0530, trajaraman@mvista.com wrote:
> From: Thiruvadi rajaraman
>
> The "ip xfrm state update" process doesn't update the new authentication
> and encryption keys, and it doesn't return an error either.
>
> Test logs: (Default)
> ==========
> ~# ip xfrm state list
> ~# ip xfrm state add src fe80::/10 dst ff02::3 proto esp spi 1235 mode transport auth sha1 0xAABBCCDDEEFF0010 enc des 0xAABBCCDDEEFF0010
> ~# ip xfrm state list
> src fe80:: dst ff02::3
> 	proto esp spi 0x000004d3 reqid 0 mode transport
> 	replay-window 0
> 	auth-trunc hmac(sha1) 0xaabbccddeeff0010 96
> 	enc cbc(des) 0xaabbccddeeff0010
> 	sel src ::/0 dst ::/0
> ~#
>
> ~# ip xfrm state update src fe80::/10 dst ff02::3 proto esp spi 1235 mode transport auth sha1 0xAABBCCDDEEFF0015 enc des 0xAABBCCDDEEFF0020
> src fe80:: dst ff02::3
> 	proto esp spi 0x000004d3 reqid 0 mode transport
> 	replay-window 0
> 	auth-trunc hmac(sha1) 0xaabbccddeeff0010 96 ----> [ Auth key didn't change and remains the same ]
> 	enc cbc(des) 0xaabbccddeeff0010 ----> [ Enc key didn't change and remains the same ]

This is intentional: the original state is not XFRM_STATE_ACQ, so you are
not allowed to update keys without requesting a new SPI.

The original code was written 15 years ago, based on RFC 2367 (PF_KEY),
which says we must return -EINVAL in this case. So if we change this, we
should return an error.
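The failure mode reported above is a silent no-op: the update command prints the SA, but the keys shown are the old ones. A small parser over `ip xfrm state list` output makes that visible in a test, so a key rotation that was quietly ignored is caught rather than assumed. The script below is an added example, not code from the thread or from iproute2 or the kernel; the sample listings are constructed to mirror the lines quoted above (the same SA, the same old keys, and the two new keys from the update command), and `parse_xfrm_states`, `key_changes` and `unchanged_after_update` are names chosen here.

```python
import re

# Constructed sample listings, modelled on the `ip xfrm state list` output quoted
# in the thread: one transport-mode ESP SA with hmac(sha1) auth and cbc(des) enc.
LISTING_AFTER_ADD = """\
src fe80:: dst ff02::3
\tproto esp spi 0x000004d3 reqid 0 mode transport
\treplay-window 0
\tauth-trunc hmac(sha1) 0xaabbccddeeff0010 96
\tenc cbc(des) 0xaabbccddeeff0010
\tsel src ::/0 dst ::/0
"""

# What the thread reports after `ip xfrm state update`: identical keys.
LISTING_AFTER_UPDATE_IGNORED = LISTING_AFTER_ADD

# What a successful rotation to the keys given on the update command would show.
LISTING_WITH_NEW_KEYS = """\
src fe80:: dst ff02::3
\tproto esp spi 0x000004d3 reqid 0 mode transport
\treplay-window 0
\tauth-trunc hmac(sha1) 0xaabbccddeeff0015 96
\tenc cbc(des) 0xaabbccddeeff0020
\tsel src ::/0 dst ::/0
"""

# Each SA starts with an unindented "src ... dst ..." line; attribute lines are indented.
SA_HDR_RE = re.compile(r"^src\s+(\S+)\s+dst\s+(\S+)")
PROTO_RE = re.compile(r"^\s*proto\s+(\S+)\s+spi\s+(0x[0-9a-fA-F]+)")
AUTH_RE = re.compile(r"^\s*auth(?:-trunc)?\s+(\S+)\s+(0x[0-9a-fA-F]+)")
ENC_RE = re.compile(r"^\s*enc\s+(\S+)\s+(0x[0-9a-fA-F]+)")


def parse_xfrm_states(text):
    """Parse `ip xfrm state list` output into one dict per SA."""
    states, cur = [], None
    for line in text.splitlines():
        m = SA_HDR_RE.match(line)
        if m:
            cur = {"src": m.group(1), "dst": m.group(2)}
            states.append(cur)
            continue
        if cur is None:
            continue  # skip anything before the first SA header
        m = PROTO_RE.match(line)
        if m:
            cur["proto"], cur["spi"] = m.group(1), int(m.group(2), 16)
            continue
        m = AUTH_RE.match(line)
        if m:
            cur["auth_alg"], cur["auth_key"] = m.group(1), m.group(2).lower()
            continue
        m = ENC_RE.match(line)
        if m:
            cur["enc_alg"], cur["enc_key"] = m.group(1), m.group(2).lower()
    return states


def sa_id(sa):
    """Identity of an SA: (src, dst, proto, spi), the tuple the update addresses."""
    return (sa["src"], sa["dst"], sa["proto"], sa["spi"])


def key_changes(before_text, after_text):
    """For each SA present in both listings, list the key fields that differ."""
    before = {sa_id(s): s for s in parse_xfrm_states(before_text)}
    after = {sa_id(s): s for s in parse_xfrm_states(after_text)}
    return {
        sid: [f for f in ("auth_key", "enc_key")
              if before[sid].get(f) != after[sid].get(f)]
        for sid in sorted(before.keys() & after.keys())
    }


def unchanged_after_update(before_text, after_text):
    """SA ids whose keys are identical before and after an update that should have rotated them."""
    return [sid for sid, diff in key_changes(before_text, after_text).items() if not diff]


if __name__ == "__main__":
    ignored = unchanged_after_update(LISTING_AFTER_ADD, LISTING_AFTER_UPDATE_IGNORED)
    print("silently ignored update on:", ignored)
    rotated = unchanged_after_update(LISTING_AFTER_ADD, LISTING_WITH_NEW_KEYS)
    print("SAs still on old keys after a real rotation:", rotated)
```

In a real check the two listings would be captured from `ip xfrm state list` before and after the update; the point of the example is that a non-empty result from `unchanged_after_update` is a failed rotation, which is exactly the case the kernel is expected to reject with -EINVAL rather than accept silently.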