svn commit: r275703 - in head/sys: netinet netinet6
Andrey V. Elsukov
ae at FreeBSD.org
Thu Dec 11 14:58:57 UTC 2014
Author: ae
Date: Thu Dec 11 14:58:55 2014
New Revision: 275703
URL: https://svnweb.freebsd.org/changeset/base/275703
Log:
Remove PACKET_TAG_IPSEC_IN_DONE mbuf tag lookup and usage of its
security policy. The changed block of code in ip*_ipsec_input() is
called when packet has ESP/AH header. Presence of
PACKET_TAG_IPSEC_IN_DONE mbuf tag at the same time means that the
packet was already handled by IPSEC and reinjected into the netisr,
and it has other ESP/AH headers (encrypted twice?).
Since it was already processed by IPSEC code, the AH/ESP headers
were already stripped (and probably the outer IP header was stripped too)
and the security policy from the tdb_ident was applied to those headers.
It is incorrect to apply this security policy to current headers.
Also make ip_ipsec_input() prototype similar to ip6_ipsec_input().
Obtained from: Yandex LLC
Sponsored by: Yandex LLC
Modified:
head/sys/netinet/ip_input.c
head/sys/netinet/ip_ipsec.c
head/sys/netinet/ip_ipsec.h
head/sys/netinet6/ip6_ipsec.c
Modified: head/sys/netinet/ip_input.c
==============================================================================
--- head/sys/netinet/ip_input.c Thu Dec 11 14:43:44 2014 (r275702)
+++ head/sys/netinet/ip_input.c Thu Dec 11 14:58:55 2014 (r275703)
@@ -785,7 +785,7 @@ ours:
* note that we do not visit this with protocols with pcb layer
* code - like udp/tcp/raw ip.
*/
- if (ip_ipsec_input(m))
+ if (ip_ipsec_input(m, ip->ip_p) != 0)
goto bad;
#endif /* IPSEC */
Modified: head/sys/netinet/ip_ipsec.c
==============================================================================
--- head/sys/netinet/ip_ipsec.c Thu Dec 11 14:43:44 2014 (r275702)
+++ head/sys/netinet/ip_ipsec.c Thu Dec 11 14:58:55 2014 (r275703)
@@ -146,11 +146,8 @@ ip_ipsec_fwd(struct mbuf *m)
* 1 = drop packet, 0 = continue processing packet.
*/
int
-ip_ipsec_input(struct mbuf *m)
+ip_ipsec_input(struct mbuf *m, int nxt)
{
- struct ip *ip = mtod(m, struct ip *);
- struct m_tag *mtag;
- struct tdb_ident *tdbi;
struct secpolicy *sp;
int error;
/*
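Review bot: The new `nxt` parameter introduced on the `+ip_ipsec_input(struct mbuf *m, int nxt)` line is not described by the function's header comment, whose visible tail (`1 = drop packet, 0 = continue processing packet.`) covers only the return value; the opening of that comment is above this hunk. The body now indexes `ip_protox[nxt]` where it previously read `ip->ip_p` through the removed `mtod()` line, and the caller in ip_input.c passes `ip->ip_p`, so the contract is that `nxt` is the IPv4 protocol number of the header following the IP header. Suggest adding ` * nxt: IP protocol number of the next header (the caller's ip->ip_p), used to index ip_protox[].` to the header comment, which also makes the expected range of the plain `int` declared in ip_ipsec.h explicit. ip6_ipsec_input() already takes a `nxt` parameter, so the two header comments can share the wording.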
@@ -158,21 +155,9 @@ ip_ipsec_input(struct mbuf *m)
* note that we do not visit this with protocols with pcb layer
* code - like udp/tcp/raw ip.
*/
- if ((inetsw[ip_protox[ip->ip_p]].pr_flags & PR_LASTHDR) != 0) {
- /*
- * Check if the packet has already had IPsec processing
- * done. If so, then just pass it along. This tag gets
- * set during AH, ESP, etc. input handling, before the
- * packet is returned to the ip input queue for delivery.
- */
- mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL);
- if (mtag != NULL) {
- tdbi = (struct tdb_ident *)(mtag + 1);
- sp = ipsec_getpolicy(tdbi, IPSEC_DIR_INBOUND);
- } else {
- sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND,
- IP_FORWARDING, &error);
- }
+ if ((inetsw[ip_protox[nxt]].pr_flags & PR_LASTHDR) != 0) {
+ sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND,
+ IP_FORWARDING, &error);
if (sp != NULL) {
/*
* Check security policy against packet attributes.
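Review bot: `error` is declared without an initializer (`int error;` in the previous hunk) and, within the visible lines, is written only through the `&error` out-parameter of the `ipsec_getpolicybyaddr()` call added here and by `error = EINVAL` in the no-SP branch of the next hunk; the `if (sp != NULL)` body that follows this hunk is not shown, so whether it assigns `error` before the later `if (error != 0)` test cannot be confirmed from the patch. If `ipsec_getpolicybyaddr()` can return a non-NULL policy without writing `*error` and that body does not assign it either, the drop decision would read an indeterminate value. Initializing at the declaration, `int error = 0;`, makes the function independent of that callee detail; ip6_ipsec_input() in netinet6/ip6_ipsec.c has the same shape and would take the same one-line change.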
@@ -183,12 +168,11 @@ ip_ipsec_input(struct mbuf *m)
/* XXX error stat??? */
error = EINVAL;
DPRINTF(("ip_input: no SP, packet discarded\n"));/*XXX*/
- return 1;
}
- if (error)
- return 1;
+ if (error != 0)
+ return (1);
}
- return 0;
+ return (0);
}
/*
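Review bot: With `return 1;` dropped after `error = EINVAL;`, the no-SP branch now reaches the drop only through the `if (error != 0) return (1);` test below it, so the branch's behaviour depends on EINVAL being non-zero and on nothing in between clearing `error`; a one-line comment in place of the removed return, `/* error == EINVAL, rejected by the check below. */`, would keep that intent visible. The DPRINTF on the context line still attributes the message to `ip_input:` although it is emitted from ip_ipsec_input(), whereas the IPv6 counterpart formats `%s` with `__func__`; aligning the two would make the drop logs attributable to the right function. The same removed-return change appears in ip6_ipsec_input() in the netinet6/ip6_ipsec.c hunk ending at `return (0);`, and this note applies there as well.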
Modified: head/sys/netinet/ip_ipsec.h
==============================================================================
--- head/sys/netinet/ip_ipsec.h Thu Dec 11 14:43:44 2014 (r275702)
+++ head/sys/netinet/ip_ipsec.h Thu Dec 11 14:58:55 2014 (r275703)
@@ -34,7 +34,7 @@
int ip_ipsec_filtertunnel(struct mbuf *);
int ip_ipsec_fwd(struct mbuf *);
-int ip_ipsec_input(struct mbuf *);
+int ip_ipsec_input(struct mbuf *, int);
int ip_ipsec_mtu(struct mbuf *, int);
int ip_ipsec_output(struct mbuf **, struct inpcb *, int *, int *);
#endif
Modified: head/sys/netinet6/ip6_ipsec.c
==============================================================================
--- head/sys/netinet6/ip6_ipsec.c Thu Dec 11 14:43:44 2014 (r275702)
+++ head/sys/netinet6/ip6_ipsec.c Thu Dec 11 14:58:55 2014 (r275703)
@@ -167,8 +167,6 @@ int
ip6_ipsec_input(struct mbuf *m, int nxt)
{
#ifdef IPSEC
- struct m_tag *mtag;
- struct tdb_ident *tdbi;
struct secpolicy *sp;
int error;
/*
@@ -178,21 +176,8 @@ ip6_ipsec_input(struct mbuf *m, int nxt)
*/
if ((inet6sw[ip6_protox[nxt]].pr_flags & PR_LASTHDR) != 0 &&
ipsec6_in_reject(m, NULL)) {
-
- /*
- * Check if the packet has already had IPsec processing
- * done. If so, then just pass it along. This tag gets
- * set during AH, ESP, etc. input handling, before the
- * packet is returned to the ip input queue for delivery.
- */
- mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL);
- if (mtag != NULL) {
- tdbi = (struct tdb_ident *)(mtag + 1);
- sp = ipsec_getpolicy(tdbi, IPSEC_DIR_INBOUND);
- } else {
- sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND,
- IP_FORWARDING, &error);
- }
+ sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND,
+ IP_FORWARDING, &error);
if (sp != NULL) {
/*
* Check security policy against packet attributes.
@@ -203,13 +188,12 @@ ip6_ipsec_input(struct mbuf *m, int nxt)
/* XXX error stat??? */
error = EINVAL;
DPRINTF(("%s: no SP, packet discarded\n", __func__));/*XXX*/
- return 1;
}
- if (error)
- return 1;
+ if (error != 0)
+ return (1);
}
#endif /* IPSEC */
- return 0;
+ return (0);
}
/*