Date: Thu, 11 Dec 2014 14:58:56 +0000 (UTC) From: "Andrey V. Elsukov" <ae@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r275703 - in head/sys: netinet netinet6 Message-ID: <201412111458.sBBEwuav088218@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: ae Date: Thu Dec 11 14:58:55 2014 New Revision: 275703 URL: https://svnweb.freebsd.org/changeset/base/275703 Log: Remove PACKET_TAG_IPSEC_IN_DONE mbuf tag lookup and usage of its security policy. The changed block of code in ip*_ipsec_input() is called when packet has ESP/AH header. Presence of PACKET_TAG_IPSEC_IN_DONE mbuf tag in the same time means that packet was already handled by IPSEC and reinjected in the netisr, and it has another ESP/AH headers (encrypted twice?). Since it was already processed by IPSEC code, the AH/ESP headers was already stripped (and probably outer IP header was stripped too) and security policy from the tdb_ident was applied to those headers. It is incorrect to apply this security policy to current headers. Also make ip_ipsec_input() prototype similar to ip6_ipsec_input(). Obtained from: Yandex LLC Sponsored by: Yandex LLC Modified: head/sys/netinet/ip_input.c head/sys/netinet/ip_ipsec.c head/sys/netinet/ip_ipsec.h head/sys/netinet6/ip6_ipsec.c Modified: head/sys/netinet/ip_input.c ============================================================================== --- head/sys/netinet/ip_input.c Thu Dec 11 14:43:44 2014 (r275702) +++ head/sys/netinet/ip_input.c Thu Dec 11 14:58:55 2014 (r275703) @@ -785,7 +785,7 @@ ours: * note that we do not visit this with protocols with pcb layer * code - like udp/tcp/raw ip. */ - if (ip_ipsec_input(m)) + if (ip_ipsec_input(m, ip->ip_p) != 0) goto bad; #endif /* IPSEC */ Modified: head/sys/netinet/ip_ipsec.c ============================================================================== --- head/sys/netinet/ip_ipsec.c Thu Dec 11 14:43:44 2014 (r275702) +++ head/sys/netinet/ip_ipsec.c Thu Dec 11 14:58:55 2014 (r275703) @@ -146,11 +146,8 @@ ip_ipsec_fwd(struct mbuf *m) * 1 = drop packet, 0 = continue processing packet. */ int -ip_ipsec_input(struct mbuf *m) +ip_ipsec_input(struct mbuf *m, int nxt) { - struct ip *ip = mtod(m, struct ip *); - struct m_tag *mtag; - struct tdb_ident *tdbi; struct secpolicy *sp; int error; /* @@ -158,21 +155,9 @@ ip_ipsec_input(struct mbuf *m) * note that we do not visit this with protocols with pcb layer * code - like udp/tcp/raw ip. */ - if ((inetsw[ip_protox[ip->ip_p]].pr_flags & PR_LASTHDR) != 0) { - /* - * Check if the packet has already had IPsec processing - * done. If so, then just pass it along. This tag gets - * set during AH, ESP, etc. input handling, before the - * packet is returned to the ip input queue for delivery. - */ - mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL); - if (mtag != NULL) { - tdbi = (struct tdb_ident *)(mtag + 1); - sp = ipsec_getpolicy(tdbi, IPSEC_DIR_INBOUND); - } else { - sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND, - IP_FORWARDING, &error); - } + if ((inetsw[ip_protox[nxt]].pr_flags & PR_LASTHDR) != 0) { + sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND, + IP_FORWARDING, &error); if (sp != NULL) { /* * Check security policy against packet attributes. @@ -183,12 +168,11 @@ ip_ipsec_input(struct mbuf *m) /* XXX error stat??? */ error = EINVAL; DPRINTF(("ip_input: no SP, packet discarded\n"));/*XXX*/ - return 1; } - if (error) - return 1; + if (error != 0) + return (1); } - return 0; + return (0); } /* Modified: head/sys/netinet/ip_ipsec.h ============================================================================== --- head/sys/netinet/ip_ipsec.h Thu Dec 11 14:43:44 2014 (r275702) +++ head/sys/netinet/ip_ipsec.h Thu Dec 11 14:58:55 2014 (r275703) @@ -34,7 +34,7 @@ int ip_ipsec_filtertunnel(struct mbuf *); int ip_ipsec_fwd(struct mbuf *); -int ip_ipsec_input(struct mbuf *); +int ip_ipsec_input(struct mbuf *, int); int ip_ipsec_mtu(struct mbuf *, int); int ip_ipsec_output(struct mbuf **, struct inpcb *, int *, int *); #endif Modified: head/sys/netinet6/ip6_ipsec.c ============================================================================== --- head/sys/netinet6/ip6_ipsec.c Thu Dec 11 14:43:44 2014 (r275702) +++ head/sys/netinet6/ip6_ipsec.c Thu Dec 11 14:58:55 2014 (r275703) @@ -167,8 +167,6 @@ int ip6_ipsec_input(struct mbuf *m, int nxt) { #ifdef IPSEC - struct m_tag *mtag; - struct tdb_ident *tdbi; struct secpolicy *sp; int error; /* @@ -178,21 +176,8 @@ ip6_ipsec_input(struct mbuf *m, int nxt) */ if ((inet6sw[ip6_protox[nxt]].pr_flags & PR_LASTHDR) != 0 && ipsec6_in_reject(m, NULL)) { - - /* - * Check if the packet has already had IPsec processing - * done. If so, then just pass it along. This tag gets - * set during AH, ESP, etc. input handling, before the - * packet is returned to the ip input queue for delivery. - */ - mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL); - if (mtag != NULL) { - tdbi = (struct tdb_ident *)(mtag + 1); - sp = ipsec_getpolicy(tdbi, IPSEC_DIR_INBOUND); - } else { - sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND, - IP_FORWARDING, &error); - } + sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND, + IP_FORWARDING, &error); if (sp != NULL) { /* * Check security policy against packet attributes. @@ -203,13 +188,12 @@ ip6_ipsec_input(struct mbuf *m, int nxt) /* XXX error stat??? */ error = EINVAL; DPRINTF(("%s: no SP, packet discarded\n", __func__));/*XXX*/ - return 1; } - if (error) - return 1; + if (error != 0) + return (1); } #endif /* IPSEC */ - return 0; + return (0); } /*
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201412111458.sBBEwuav088218>