Module Name:    src
Committed By:   ozaki-r
Date:           Wed Jul 19 06:30:33 UTC 2017

Modified Files:
        src/sys/netipsec: ipsec.c

Log Message:
Remove invalid M_AUTHIPDGM check on ESP isr->sav

The M_AUTHIPDGM flag is set on an mbuf in ah_input_cb. An sav of ESP can
have AH authentication as sav->tdb_authalgxform. However, in that
case esp_input and esp_input_cb are used to do ESP decryption and
AH authentication, and M_AUTHIPDGM is never set on the mbuf. So
checking M_AUTHIPDGM of an mbuf on isr->sav of ESP is meaningless.


To generate a diff of this commit:
cvs rdiff -u -r1.104 -r1.105 src/sys/netipsec/ipsec.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netipsec/ipsec.c
diff -u src/sys/netipsec/ipsec.c:1.104 src/sys/netipsec/ipsec.c:1.105
--- src/sys/netipsec/ipsec.c:1.104	Tue Jul 18 09:00:55 2017
+++ src/sys/netipsec/ipsec.c	Wed Jul 19 06:30:32 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec.c,v 1.104 2017/07/18 09:00:55 ozaki-r Exp $	*/
+/*	$NetBSD: ipsec.c,v 1.105 2017/07/19 06:30:32 ozaki-r Exp $	*/
 /*	$FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/netipsec/ipsec.c,v 1.2.2.2 2003/07/01 01:38:13 sam Exp $	*/
 /*	$KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $	*/
 
@@ -32,7 +32,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.104 2017/07/18 09:00:55 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.105 2017/07/19 06:30:32 ozaki-r Exp $");
 
 /*
  * IPsec controller part.
@@ -1737,7 +1737,6 @@ int
 ipsec_in_reject(const struct secpolicy *sp, const struct mbuf *m)
 {
 	struct ipsecrequest *isr;
-	int need_auth;
 
 	if (KEYDEBUG_ON(KEYDEBUG_IPSEC_DATA)) {
 		printf("%s: using SP\n", __func__);
@@ -1758,7 +1757,6 @@ ipsec_in_reject(const struct secpolicy *
 
 	/* XXX should compare policy against ipsec header history */
 
-	need_auth = 0;
 	for (isr = sp->req; isr != NULL; isr = isr->next) {
 		if (ipsec_get_reqlevel(isr) != IPSEC_LEVEL_REQUIRE)
 			continue;
@@ -1769,18 +1767,8 @@ ipsec_in_reject(const struct secpolicy *
 				    "ESP m_flags:%x\n", m->m_flags);
 				return 1;
 			}
-
-			if (!need_auth &&
-				isr->sav != NULL &&
-				isr->sav->tdb_authalgxform != NULL &&
-				(m->m_flags & M_AUTHIPDGM) == 0) {
-				KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_DUMP,
-				    "ESP/AH m_flags:%x\n", m->m_flags);
-				return 1;
-			}
 			break;
 		case IPPROTO_AH:
-			need_auth = 1;
 			if ((m->m_flags & M_AUTHIPHDR) == 0) {
 				KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_DUMP,
 				    "AH m_flags:%x\n", m->m_flags);
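Review bot: The ESP branch is left with only the m_flags test whose reject path appears at the top of this hunk, and nothing in the code records why the SA's authentication transform is no longer consulted there. A comment before the `break;` would stop the check from being reintroduced later, for example `/* ESP auth (sav->tdb_authalgxform) is verified in esp_input/esp_input_cb; M_AUTHIPDGM is set only by ah_input_cb, so it is not tested here. */`, which restates the log message. Whether the flag that the remaining ESP test relies on is set only after that verification succeeds is not visible in this diff and is worth confirming in esp_input_cb, since this function is the inbound policy gate. The body of ipsec_in_reject starts and ends outside the hunk.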
