aboutsummaryrefslogtreecommitdiff
path: root/sbin/mdconfig
diff options
context:
space:
mode:
authorAndrey V. Elsukov <ae@FreeBSD.org>2017-02-13 11:37:52 +0000
committerAndrey V. Elsukov <ae@FreeBSD.org>2017-02-13 11:37:52 +0000
commit627c036f65f2978234273299e6794694ad897e7d (patch)
treef417108b1dd9914fb9033a9a03fb0aa412dc9c9a /sbin/mdconfig
parent496ab0532d71f020458d28206bee5b132522320c (diff)
downloadsrc-627c036f65f2978234273299e6794694ad897e7d.tar.gz
src-627c036f65f2978234273299e6794694ad897e7d.zip
Remove IPsec related PCB code from SCTP.
The inpcb structure has inp_sp pointer that is initialized by ipsec_init_pcbpolicy() function. This pointer keeps strorage for IPsec security policies associated with a specific socket. An application can use IP_IPSEC_POLICY and IPV6_IPSEC_POLICY socket options to configure these security policies. Then ip[6]_output() uses inpcb pointer to specify that an outgoing packet is associated with some socket. And IPSEC_OUTPUT() method can use a security policy stored in the inp_sp. For inbound packet the protocol-specific input routine uses IPSEC_CHECK_POLICY() method to check that a packet conforms to inbound security policy configured in the inpcb. SCTP protocol doesn't specify inpcb for ip[6]_output() when it sends packets. Thus IPSEC_OUTPUT() method does not consider such packets as associated with some socket and can not apply security policies from inpcb, even if they are configured. Since IPSEC_CHECK_POLICY() method is called from protocol-specific input routine, it can specify inpcb pointer and associated with socket inbound policy will be checked. But there are two problems: 1. Such check is asymmetric, becasue we can not apply security policy from inpcb for outgoing packet. 2. IPSEC_CHECK_POLICY() expects that caller holds INPCB lock and access to inp_sp is protected. But for SCTP this is not correct, becasue SCTP uses own locks to protect inpcb. To fix these problems remove IPsec related PCB code from SCTP. This imply that IP_IPSEC_POLICY and IPV6_IPSEC_POLICY socket options will be not applicable to SCTP sockets. To be able correctly check inbound security policies for SCTP, mark its protocol header with the PR_LASTHDR flag. Reported by: tuexen Reviewed by: tuexen Differential Revision: https://reviews.freebsd.org/D9538
Notes
Notes: svn path=/head/; revision=313697
Diffstat (limited to 'sbin/mdconfig')
0 files changed, 0 insertions, 0 deletions