diff options
| author | Luiz Otavio O Souza <luiz@netgate.com> | 2015-09-15 14:37:58 -0500 |
|---|---|---|
| committer | Luiz Otavio O Souza <luiz@netgate.com> | 2015-10-20 11:54:29 -0500 |
| commit | 35579e99c39d480d190f0e29606710433c0d3bf0 (patch) | |
| tree | 9553b514373292e4666e14b906e1dcb4a079812b /sys/netinet6/ip6_ipsec.c | |
| parent | 3c0d181698b9de090cab91e9774478734903f554 (diff) | |
| download | FreeBSD-src-35579e99c39d480d190f0e29606710433c0d3bf0.zip FreeBSD-src-35579e99c39d480d190f0e29606710433c0d3bf0.tar.gz | |
MFC r275703:
Remove PACKET_TAG_IPSEC_IN_DONE mbuf tag lookup and usage of its
security policy. The changed block of code in ip*_ipsec_input() is
called when packet has ESP/AH header. Presence of
PACKET_TAG_IPSEC_IN_DONE mbuf tag in the same time means that
packet was already handled by IPSEC and reinjected in the netisr,
and it has another ESP/AH headers (encrypted twice?).
Since it was already processed by IPSEC code, the AH/ESP headers
was already stripped (and probably outer IP header was stripped too)
and security policy from the tdb_ident was applied to those headers.
It is incorrect to apply this security policy to current headers.
Also make ip_ipsec_input() prototype similar to ip6_ipsec_input().
Obtained from: Yandex LLC
Sponsored by: Yandex LLC
TAG: IPSEC-HEAD
Issue: #4841
Diffstat (limited to 'sys/netinet6/ip6_ipsec.c')
| -rw-r--r-- | sys/netinet6/ip6_ipsec.c | 26 |
1 files changed, 5 insertions, 21 deletions
diff --git a/sys/netinet6/ip6_ipsec.c b/sys/netinet6/ip6_ipsec.c index 9e6c13e..9d84349 100644 --- a/sys/netinet6/ip6_ipsec.c +++ b/sys/netinet6/ip6_ipsec.c @@ -166,8 +166,6 @@ int ip6_ipsec_input(struct mbuf *m, int nxt) { #ifdef IPSEC - struct m_tag *mtag; - struct tdb_ident *tdbi; struct secpolicy *sp; int error; /* @@ -177,21 +175,8 @@ ip6_ipsec_input(struct mbuf *m, int nxt) */ if ((inet6sw[ip6_protox[nxt]].pr_flags & PR_LASTHDR) != 0 && ipsec6_in_reject(m, NULL)) { - - /* - * Check if the packet has already had IPsec processing - * done. If so, then just pass it along. This tag gets - * set during AH, ESP, etc. input handling, before the - * packet is returned to the ip input queue for delivery. - */ - mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL); - if (mtag != NULL) { - tdbi = (struct tdb_ident *)(mtag + 1); - sp = ipsec_getpolicy(tdbi, IPSEC_DIR_INBOUND); - } else { - sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND, - IP_FORWARDING, &error); - } + sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND, + IP_FORWARDING, &error); if (sp != NULL) { /* * Check security policy against packet attributes. @@ -202,13 +187,12 @@ ip6_ipsec_input(struct mbuf *m, int nxt) /* XXX error stat??? */ error = EINVAL; DPRINTF(("%s: no SP, packet discarded\n", __func__));/*XXX*/ - return 1; } - if (error) - return 1; + if (error != 0) + return (1); } #endif /* IPSEC */ - return 0; + return (0); } /* |
