Author: ae
Date: Thu Dec 11 14:58:55 2014
New Revision: 275703
URL: https://svnweb.freebsd.org/changeset/base/275703

Log:
  Remove PACKET_TAG_IPSEC_IN_DONE mbuf tag lookup and usage of its
  security policy. The changed block of code in ip*_ipsec_input() is
  called when the packet has an ESP/AH header. Presence of the
  PACKET_TAG_IPSEC_IN_DONE mbuf tag at the same time means that the
  packet was already handled by IPSEC and reinjected into the netisr,
  and it has other ESP/AH headers (encrypted twice?).
  Since it was already processed by IPSEC code, the AH/ESP headers
  were already stripped (and probably the outer IP header was stripped too)
  and the security policy from the tdb_ident was applied to those headers.
  It is incorrect to apply this security policy to current headers.
  
  Also make ip_ipsec_input() prototype similar to ip6_ipsec_input().
  
  Obtained from:        Yandex LLC
  Sponsored by: Yandex LLC

Modified:
  head/sys/netinet/ip_input.c
  head/sys/netinet/ip_ipsec.c
  head/sys/netinet/ip_ipsec.h
  head/sys/netinet6/ip6_ipsec.c

Modified: head/sys/netinet/ip_input.c
==============================================================================
--- head/sys/netinet/ip_input.c Thu Dec 11 14:43:44 2014        (r275702)
+++ head/sys/netinet/ip_input.c Thu Dec 11 14:58:55 2014        (r275703)
@@ -785,7 +785,7 @@ ours:
         * note that we do not visit this with protocols with pcb layer
         * code - like udp/tcp/raw ip.
         */
-       if (ip_ipsec_input(m))
+       if (ip_ipsec_input(m, ip->ip_p) != 0)
                goto bad;
 #endif /* IPSEC */
 

Modified: head/sys/netinet/ip_ipsec.c
==============================================================================
--- head/sys/netinet/ip_ipsec.c Thu Dec 11 14:43:44 2014        (r275702)
+++ head/sys/netinet/ip_ipsec.c Thu Dec 11 14:58:55 2014        (r275703)
@@ -146,11 +146,8 @@ ip_ipsec_fwd(struct mbuf *m)
  * 1 = drop packet, 0 = continue processing packet.
  */
 int
-ip_ipsec_input(struct mbuf *m)
+ip_ipsec_input(struct mbuf *m, int nxt)
 {
-       struct ip *ip = mtod(m, struct ip *);
-       struct m_tag *mtag;
-       struct tdb_ident *tdbi;
        struct secpolicy *sp;
        int error;
        /*
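Review bot: The new `nxt` parameter is not described in the function's header comment (lines 48-49), and since the next hunk uses it directly as the index into `ip_protox[]`, the comment should say what callers must pass; propose adding ` * nxt is the protocol number from the IP header (ip->ip_p), i.e. the ip_protox index checked for PR_LASTHDR.` above the existing `1 = drop packet, 0 = continue processing packet.` line. The only caller visible on this page passes `ip->ip_p`, an 8-bit field, so the index is in range there, but `int nxt` accepts any value and there is no range check, so a future caller would get an out-of-bounds read silently. `ip6_ipsec_input(struct mbuf *m, int nxt)` in ip6_ipsec.c has the same shape and would benefit from the same comment. The body of ip_ipsec_input continues past the end of this hunk.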
@@ -158,21 +155,9 @@ ip_ipsec_input(struct mbuf *m)
         * note that we do not visit this with protocols with pcb layer
         * code - like udp/tcp/raw ip.
         */
-       if ((inetsw[ip_protox[ip->ip_p]].pr_flags & PR_LASTHDR) != 0) {
-               /*
-                * Check if the packet has already had IPsec processing
-                * done.  If so, then just pass it along.  This tag gets
-                * set during AH, ESP, etc. input handling, before the
-                * packet is returned to the ip input queue for delivery.
-                */ 
-               mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL);
-               if (mtag != NULL) {
-                       tdbi = (struct tdb_ident *)(mtag + 1);
-                       sp = ipsec_getpolicy(tdbi, IPSEC_DIR_INBOUND);
-               } else {
-                       sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND,
-                                                  IP_FORWARDING, &error);   
-               }
+       if ((inetsw[ip_protox[nxt]].pr_flags & PR_LASTHDR) != 0) {
+               sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND,
+                   IP_FORWARDING, &error);
                if (sp != NULL) {
                        /*
                         * Check security policy against packet attributes.
@@ -183,12 +168,11 @@ ip_ipsec_input(struct mbuf *m)
                        /* XXX error stat??? */
                        error = EINVAL;
                        DPRINTF(("ip_input: no SP, packet discarded\n"));/*XXX*/
-                       return 1;
                }
-               if (error)
-                       return 1;
+               if (error != 0)
+                       return (1);
        }
-       return 0;
+       return (0);
 }
 
 /*
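Review bot: Dropping the explicit `return 1;` after `error = EINVAL;` makes the drop decision rest entirely on the value of `error` at the `if (error != 0)` test, yet `error` is declared without an initializer (`int error;` in the first hunk), so every path through the `if (sp != NULL)` branch — whose body lies between this hunk and the previous one and is not visible here — must assign it, or the test reads an indeterminate value. The no-SP branch is fine, since it sets EINVAL explicitly before falling through. Initialising the declaration, `int error = 0;`, would make the fall-through safe regardless of what the out-of-view lines do, at no cost. The same change was made in ip6_ipsec_input() in ip6_ipsec.c, where the same remark applies.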

Modified: head/sys/netinet/ip_ipsec.h
==============================================================================
--- head/sys/netinet/ip_ipsec.h Thu Dec 11 14:43:44 2014        (r275702)
+++ head/sys/netinet/ip_ipsec.h Thu Dec 11 14:58:55 2014        (r275703)
@@ -34,7 +34,7 @@
 
 int    ip_ipsec_filtertunnel(struct mbuf *);
 int    ip_ipsec_fwd(struct mbuf *);
-int    ip_ipsec_input(struct mbuf *);
+int    ip_ipsec_input(struct mbuf *, int);
 int    ip_ipsec_mtu(struct mbuf *, int);
 int    ip_ipsec_output(struct mbuf **, struct inpcb *, int *, int *);
 #endif

Modified: head/sys/netinet6/ip6_ipsec.c
==============================================================================
--- head/sys/netinet6/ip6_ipsec.c       Thu Dec 11 14:43:44 2014        
(r275702)
+++ head/sys/netinet6/ip6_ipsec.c       Thu Dec 11 14:58:55 2014        
(r275703)
@@ -167,8 +167,6 @@ int
 ip6_ipsec_input(struct mbuf *m, int nxt)
 {
 #ifdef IPSEC
-       struct m_tag *mtag;
-       struct tdb_ident *tdbi;
        struct secpolicy *sp;
        int error;
        /*
@@ -178,21 +176,8 @@ ip6_ipsec_input(struct mbuf *m, int nxt)
         */
        if ((inet6sw[ip6_protox[nxt]].pr_flags & PR_LASTHDR) != 0 &&
            ipsec6_in_reject(m, NULL)) {
-
-               /*
-                * Check if the packet has already had IPsec processing
-                * done.  If so, then just pass it along.  This tag gets
-                * set during AH, ESP, etc. input handling, before the
-                * packet is returned to the ip input queue for delivery.
-                */
-               mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL);
-               if (mtag != NULL) {
-                       tdbi = (struct tdb_ident *)(mtag + 1);
-                       sp = ipsec_getpolicy(tdbi, IPSEC_DIR_INBOUND);
-               } else {
-                       sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND,
-                                                  IP_FORWARDING, &error);
-               }
+               sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND,
+                   IP_FORWARDING, &error);
                if (sp != NULL) {
                        /*
                         * Check security policy against packet attributes.
@@ -203,13 +188,12 @@ ip6_ipsec_input(struct mbuf *m, int nxt)
                        /* XXX error stat??? */
                        error = EINVAL;
                        DPRINTF(("%s: no SP, packet discarded\n", 
__func__));/*XXX*/
-                       return 1;
                }
-               if (error)
-                       return 1;
+               if (error != 0)
+                       return (1);
        }
 #endif /* IPSEC */
-       return 0;
+       return (0);
 }
 
 /*