[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20220806044307.4007851-2-benedictwong@google.com>
Date: Sat, 6 Aug 2022 04:43:06 +0000
From: Benedict Wong <benedictwong@...gle.com>
To: netdev@...r.kernel.org
Cc: nharold@...gle.com, benedictwong@...gle.com, lorenzo@...gle.com
Subject: [RFC ipsec 1/2] xfrm: Check policy for nested XFRM packets in xfrm_input
This change ensures that all nested XFRM packets have their policy
checked before decryption of the next layer, so that policies are
verified at each intermediate step of the decryption process.
This is necessary especially for nested tunnels, as the IP addresses,
protocol and ports may all change, thus not matching the previous
policies. In order to ensure that packets match the relevant inbound
templates, the xfrm_policy_check should be done before handing off to
the inner XFRM protocol to decrypt and decapsulate.
Test: Tested against Android Kernel Unit Tests
Signed-off-by: Benedict Wong <benedictwong@...gle.com>
Change-Id: I20c5abf39512d7f6cf438c0921a78a84e281b4e9
---
net/xfrm/xfrm_input.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c
index 144238a50f3d..b24df8a44585 100644
--- a/net/xfrm/xfrm_input.c
+++ b/net/xfrm/xfrm_input.c
@@ -585,6 +585,13 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
goto drop;
}
+ // If nested tunnel, check outer states before context is lost.
+ if (x->outer_mode.flags & XFRM_MODE_FLAG_TUNNEL
+ && sp->len > 0
+ && !xfrm_policy_check(NULL, XFRM_POLICY_IN, skb, family)) {
+ goto drop;
+ }
+
skb->mark = xfrm_smark_get(skb->mark, x);
sp->xvec[sp->len++] = x;
--
2.37.1.559.g78731f0fdb-goog
Powered by blists - more mailing lists