author | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2018-05-14 15:24:24 +0000 |
committer | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2018-05-14 15:24:24 +0000 |
commit | a55738a9533436fe0ae4e084081abc339e2a90fd (patch) | |
tree | 54f4b82caabf5e5e96ce3e254665ffa0d4a2ab35 | |
parent | 17e3f4c1d162c431b3c19d17d8b6531ea628cf63 (diff) |
When checking the IPsec enable sysctls, ipsec_common_input() had
switches for protocol and address family. Move this code to the
specific functions from where the common function is called.
As a consequence the raw ip input functions can never be called
from udp_input() anymore. If IPsec is disabled, the functions
ah6_input(), esp6_input(), and ipcomp6_input() do not start processing
the header chain. The raw ip input functions are called with the
mbuf and offset pointers from the protocol walking loop which is
the usual behavior.
OK mpi@ markus@
-rw-r--r-- | sys/netinet/ipsec_input.c | 68 | ||||
-rw-r--r-- | sys/netinet/udp_usrreq.c | 4 |
2 files changed, 45 insertions, 27 deletions
diff --git a/sys/netinet/ipsec_input.c b/sys/netinet/ipsec_input.c
index 13b33f3f947..112a5535bb0 100644
--- a/sys/netinet/ipsec_input.c
+++ b/sys/netinet/ipsec_input.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsec_input.c,v 1.162 2018/05/12 21:24:43 bluhm Exp $ */
+/* $OpenBSD: ipsec_input.c,v 1.163 2018/05/14 15:24:23 bluhm Exp $ */
 /*
  * The authors of this code are John Ioannidis (ji@tla.org),
  * Angelos D. Keromytis (kermit@csd.uch.gr) and
@@ -175,30 +175,6 @@ ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto,
 		return EINVAL;
 	}
 
-	if ((sproto == IPPROTO_ESP && !esp_enable) ||
-	    (sproto == IPPROTO_AH && !ah_enable) ||
-#if NPF > 0
-	    (m->m_pkthdr.pf.flags & PF_TAG_DIVERTED) ||
-#endif
-	    (sproto == IPPROTO_IPCOMP && !ipcomp_enable)) {
-		switch (af) {
-		case AF_INET:
-			rip_input(&m, &skip, sproto, af);
-			break;
-#ifdef INET6
-		case AF_INET6:
-			rip6_input(&m, &skip, sproto, af);
-			break;
-#endif /* INET6 */
-		default:
-			DPRINTF(("%s: unsupported protocol family %d\n",
-			    __func__, af));
-			IPSEC_ISTAT(esps_nopf, ahs_nopf, ipcomps_nopf);
-			error = EPFNOSUPPORT;
-			goto drop;
-		}
-		return 0;
-	}
 	if ((sproto == IPPROTO_IPCOMP) && (m->m_flags & M_COMP)) {
 		DPRINTF(("%s: repeated decompression\n", __func__));
 		ipcompstat_inc(ipcomps_pdrops);
@@ -790,6 +766,13 @@ ipcomp_sysctl_ipcompstat(void *oldp, size_t *oldlenp, void *newp)
 int
 ah4_input(struct mbuf **mp, int *offp, int proto, int af)
 {
+	if (
+#if NPF > 0
+	    ((*mp)->m_pkthdr.pf.flags & PF_TAG_DIVERTED) ||
+#endif
+	    !ah_enable)
+		return rip_input(mp, offp, proto, af);
+
 	ipsec_common_input(*mp, *offp, offsetof(struct ip, ip_p), AF_INET,
 	    proto, 0);
 	return IPPROTO_DONE;
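Review bot: With the enable/divert test deleted from the -175 hunk, ipsec_common_input() now relies on every caller having already checked esp_enable, ah_enable, ipcomp_enable and PF_TAG_DIVERTED, but nothing at the top of the function says so; a future caller that forgets the check (the UDP encapsulation path is one such caller today) would run the rest of the function with IPsec administratively disabled. I would put the precondition where the removed block was: `/* Callers must already have tested {esp,ah,ipcomp}_enable and PF_TAG_DIVERTED; a disabled protocol is handed to rip_input()/rip6_input() before getting here. */`. The removed default: branch was also the only place in this diff that counted esps_nopf/ahs_nopf/ipcomps_nopf and returned EPFNOSUPPORT — if no other code increments those counters they are now dead, which cannot be seen from the hunk. The body of ipsec_common_input() continues outside the hunk on both sides.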
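Review bot: The new guard in ah4_input() opens an `if (` and finishes the condition across an `#if NPF > 0` block, and the identical construct is repeated verbatim in esp4_input(), ipcomp4_input() and the three IPv6 entry points, which makes the condition hard to read and easy to break the next time one copy is edited and the others are not. A small static inline helper keeps the preprocessor conditional in one place and turns each entry point into a single readable test. The enable flags differ per function, so the helper takes the flag as a parameter; the ipsec_common_input() call below the guard is unchanged.
```c
/*
 * True when this IPsec protocol must bypass IPsec input: the sysctl is
 * off or pf divert-to owns the packet.  Reads only m_pkthdr.
 */
static inline int
ipsec_input_disabled(struct mbuf *m, int enable)
{
#if NPF > 0
	if (m->m_pkthdr.pf.flags & PF_TAG_DIVERTED)
		return 1;
#endif
	return !enable;
}

int
ah4_input(struct mbuf **mp, int *offp, int proto, int af)
{
	if (ipsec_input_disabled(*mp, ah_enable))
		return rip_input(mp, offp, proto, af);
	/* … unchanged: ipsec_common_input() call and return IPPROTO_DONE … */
```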
@@ -810,6 +793,13 @@ ah4_ctlinput(int cmd, struct sockaddr *sa, u_int rdomain, void *v)
 int
 esp4_input(struct mbuf **mp, int *offp, int proto, int af)
 {
+	if (
+#if NPF > 0
+	    ((*mp)->m_pkthdr.pf.flags & PF_TAG_DIVERTED) ||
+#endif
+	    !esp_enable)
+		return rip_input(mp, offp, proto, af);
+
 	ipsec_common_input(*mp, *offp, offsetof(struct ip, ip_p), AF_INET,
 	    proto, 0);
 	return IPPROTO_DONE;
@@ -819,6 +809,13 @@ esp4_input(struct mbuf **mp, int *offp, int proto, int af)
 int
 ipcomp4_input(struct mbuf **mp, int *offp, int proto, int af)
 {
+	if (
+#if NPF > 0
+	    ((*mp)->m_pkthdr.pf.flags & PF_TAG_DIVERTED) ||
+#endif
+	    !ipcomp_enable)
+		return rip_input(mp, offp, proto, af);
+
 	ipsec_common_input(*mp, *offp, offsetof(struct ip, ip_p), AF_INET,
 	    proto, 0);
 	return IPPROTO_DONE;
@@ -959,6 +956,13 @@ ah6_input(struct mbuf **mp, int *offp, int proto, int af)
 	int protoff, nxt;
 	struct ip6_ext ip6e;
 
+	if (
+#if NPF > 0
+	    ((*mp)->m_pkthdr.pf.flags & PF_TAG_DIVERTED) ||
+#endif
+	    !ah_enable)
+		return rip6_input(mp, offp, proto, af);
+
 	if (*offp < sizeof(struct ip6_hdr)) {
 		DPRINTF(("%s: bad offset\n", __func__));
 		ahstat_inc(ahs_hdrops);
@@ -1009,6 +1013,13 @@ esp6_input(struct mbuf **mp, int *offp, int proto, int af)
 	int protoff, nxt;
 	struct ip6_ext ip6e;
 
+	if (
+#if NPF > 0
+	    ((*mp)->m_pkthdr.pf.flags & PF_TAG_DIVERTED) ||
+#endif
+	    !esp_enable)
+		return rip6_input(mp, offp, proto, af);
+
 	if (*offp < sizeof(struct ip6_hdr)) {
 		DPRINTF(("%s: bad offset\n", __func__));
 		espstat_inc(esps_hdrops);
@@ -1060,6 +1071,13 @@ ipcomp6_input(struct mbuf **mp, int *offp, int proto, int af)
 	int protoff, nxt;
 	struct ip6_ext ip6e;
 
+	if (
+#if NPF > 0
+	    ((*mp)->m_pkthdr.pf.flags & PF_TAG_DIVERTED) ||
+#endif
+	    !ipcomp_enable)
+		return rip6_input(mp, offp, proto, af);
+
 	if (*offp < sizeof(struct ip6_hdr)) {
 		DPRINTF(("%s: bad offset\n", __func__));
 		ipcompstat_inc(ipcomps_hdrops);
diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c
index 4c113c025a8..f08e8dc2018 100644
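Review bot: In ah6_input() the new early return is placed above the existing `if (*offp < sizeof(struct ip6_hdr))` guard, so when AH is disabled or pf has diverted the packet, an offset that the guard would have rejected is now handed to rip6_input() instead of being dropped and counted in ahs_hdrops; esp6_input() and ipcomp6_input() have the same ordering. Before this change the offset check ran unconditionally because the enable test lived further down in ipsec_common_input(). If the offset is trusted because it always comes from ip6_input()'s header walk, as the commit message says, a comment on the early return should say so, e.g. `/* *offp comes from the ip6 protocol walk and is already past the fixed header. */`; otherwise move the `if (` block below the offset guard so malformed input is dropped and counted regardless of the sysctl. The signature and opening brace of ah6_input() are outside the hunk, as is the rest of its body.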
--- a/sys/netinet/udp_usrreq.c
+++ b/sys/netinet/udp_usrreq.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: udp_usrreq.c,v 1.247 2018/04/24 15:40:55 pirofti Exp $ */
+/* $OpenBSD: udp_usrreq.c,v 1.248 2018/05/14 15:24:23 bluhm Exp $ */
 /* $NetBSD: udp_usrreq.c,v 1.28 1996/03/16 23:54:03 christos Exp $ */
 
 /*
@@ -270,7 +270,7 @@ udp_input(struct mbuf **mp, int *offp, int proto, int af)
 	}
 
 #ifdef IPSEC
-	if (udpencap_enable && udpencap_port &&
+	if (udpencap_enable && udpencap_port && esp_enable &&
 #if NPF > 0
 	    !(m->m_pkthdr.pf.flags & PF_TAG_DIVERTED) &&
 #endif |
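Review bot: The added `esp_enable &&` changes what happens to UDP-encapsulated ESP when ESP is disabled — per the commit message the datagram now stays with ordinary UDP delivery instead of reaching rip_input() — but in the hunk it reads like just another sysctl knob, and the reason (ipsec_common_input() no longer performs this test) lives in ipsec_input.c. I would put a comment above the `#ifdef IPSEC` block: `/* ipsec_common_input() no longer checks esp_enable; with ESP off, encapsulated ESP is delivered as plain UDP. */`. The rest of the condition and the body of udp_input() that acts on it are outside the hunk, so I cannot confirm from here that nothing else in that branch depends on esp_enable.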