]> CyberLeo.Net >> Repos - FreeBSD/FreeBSD.git/commit
projects / FreeBSD / FreeBSD.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: dd9cd45) | patch
Remove PACKET_TAG_IPSEC_IN_DONE mbuf tag lookup and usage of its
authorAndrey V. Elsukov <ae@FreeBSD.org>
Thu, 11 Dec 2014 14:58:55 +0000 (14:58 +0000)
committerAndrey V. Elsukov <ae@FreeBSD.org>
Thu, 11 Dec 2014 14:58:55 +0000 (14:58 +0000)
commite58320f127619da81bf8e9808894fcce4084199e
tree89c1e58ca7d3d507929b16d725a5260a8b6e131dtree | snapshot
parentdd9cd45b4465660ff4de4409a7487b66918ec485commit | diff
Remove PACKET_TAG_IPSEC_IN_DONE mbuf tag lookup and usage of its
security policy. The changed block of code in ip*_ipsec_input() is
called when packet has ESP/AH header. Presence of
PACKET_TAG_IPSEC_IN_DONE mbuf tag in the same time means that
packet was already handled by IPSEC and reinjected in the netisr,
and it has another ESP/AH headers (encrypted twice?).
Since it was already processed by IPSEC code, the AH/ESP headers
was already stripped (and probably outer IP header was stripped too)
and security policy from the tdb_ident was applied to those headers.
It is incorrect to apply this security policy to current headers.

Also make ip_ipsec_input() prototype similar to ip6_ipsec_input().

Obtained from: Yandex LLC
Sponsored by: Yandex LLC
sys/netinet/ip_input.c diff | blob | history
sys/netinet/ip_ipsec.c diff | blob | history
sys/netinet/ip_ipsec.h diff | blob | history
sys/netinet6/ip6_ipsec.c diff | blob | history
Unnamed repository; edit this file 'description' to name the repository.