tech-net: Re: ipsec problem with recent current

Subject: Re: ipsec problem with recent current
To: None <itojun@netbsd.org>
From: YAMAMOTO Takashi <yamt@mwd.biglobe.ne.jp>
List: tech-net
Date: 06/22/2002 20:50:04
----Next_Part(Sat_Jun_22_20:50:04_2002_965)--
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

From: YAMAMOTO Takashi <yamt@mwd.biglobe.ne.jp>
Subject: Re: ipsec problem with recent current
Date: Sat, 22 Jun 2002 18:22:02 +0900 (JST)
> > there is an ipsec problem in recent current.
> > (sometimes non-ipsec'ed packets are sent
> > when they should be ipsec'ed)
> > attached diff will fix it.
> > i guess the ipv6 version of the code needs same fix.
> 
> mmm, i noticed this diff doesn't fix the problem.

i found the problem.
(listening sockets mistakenly use cached secpolicies
when the policy doesn't have selector.)
i attach a diff to fix it.

---
YAMAMOTO Takashi<yamt@mwd.biglobe.ne.jp>

----Next_Part(Sat_Jun_22_20:50:04_2002_965)--
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Content-Disposition: inline; filename="ipsec.diff"

Index: ipsec.c
===================================================================
RCS file: /cvs/cvsroot/syssrc/sys/netinet6/ipsec.c,v
retrieving revision 1.58
diff -u -p -r1.58 ipsec.c
--- ipsec.c	2002/06/16 16:28:36	1.58
+++ ipsec.c	2002/06/22 11:20:18
@@ -202,7 +202,7 @@ ipsec_checkpcbcache(m, pcbsp, dir)
 		if (ipsec_setspidx(m, &spidx, 1) != 0)
 			return NULL;
 		if (bcmp(&pcbsp->cacheidx[dir], &spidx, sizeof(spidx))) {
-			if (pcbsp->cache[dir]->spidx &&
+			if (!pcbsp->cache[dir]->spidx ||
 			    !key_cmpspidx_withmask(pcbsp->cache[dir]->spidx,
 			    &spidx))
 				return NULL;
@@ -394,7 +394,7 @@ ipsec4_getpolicybysock(m, dir, so, error
 
 		case IPSEC_POLICY_ENTRUST:
 			/* look for a policy in SPD */
-			if (ipsec_setspidx_mbuf(&spidx, AF_INET, m, 0) == 0 &&
+			if (ipsec_setspidx_mbuf(&spidx, AF_INET, m, 1) == 0 &&
 			    (kernsp = key_allocsp(&spidx, dir)) != NULL) {
 				/* SP found */
 				KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
@@ -428,7 +428,7 @@ ipsec4_getpolicybysock(m, dir, so, error
 
 	/* when non-privilieged socket */
 	/* look for a policy in SPD */
-	if (ipsec_setspidx_mbuf(&spidx, AF_INET, m, 0) == 0 &&
+	if (ipsec_setspidx_mbuf(&spidx, AF_INET, m, 1) == 0 &&
 	    (kernsp = key_allocsp(&spidx, dir)) != NULL) {
 		/* SP found */
 		KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
@@ -596,7 +596,7 @@ ipsec6_getpolicybysock(m, dir, so, error
 
 		case IPSEC_POLICY_ENTRUST:
 			/* look for a policy in SPD */
-			if (ipsec_setspidx_mbuf(&spidx, AF_INET6, m, 0) == 0 &&
+			if (ipsec_setspidx_mbuf(&spidx, AF_INET6, m, 1) == 0 &&
 			    (kernsp = key_allocsp(&spidx, dir)) != NULL) {
 				/* SP found */
 				KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
@@ -630,7 +630,7 @@ ipsec6_getpolicybysock(m, dir, so, error
 
 	/* when non-privilieged socket */
 	/* look for a policy in SPD */
-	if (ipsec_setspidx_mbuf(&spidx, AF_INET6, m, 0) == 0 &&
+	if (ipsec_setspidx_mbuf(&spidx, AF_INET6, m, 1) == 0 &&
 	    (kernsp = key_allocsp(&spidx, dir)) != NULL) {
 		/* SP found */
 		KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
@@ -1247,6 +1247,7 @@ ipsec_deepcopy_policy(src)
 	dst->req = newchain;
 	dst->state = src->state;
 	dst->policy = src->policy;
+	dst->dir = src->dir;
 	/* do not touch the refcnt fields */
 
 	return dst;

----Next_Part(Sat_Jun_22_20:50:04_2002_965)----