lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Mon, 15 Aug 2022 10:45:14 +0200 From: Steffen Klassert <steffen.klassert@...unet.com> To: Benedict Wong <benedictwong@...gle.com> CC: <netdev@...r.kernel.org>, <nharold@...gle.com>, <lorenzo@...gle.com> Subject: Re: [PATCH ipsec 1/2] xfrm: Check policy for nested XFRM packets in xfrm_input On Wed, Aug 10, 2022 at 06:22:09PM +0000, Benedict Wong wrote: > This change ensures that all nested XFRM packets have their policy > checked before decryption of the next layer, so that policies are > verified at each intermediate step of the decryption process. > > This is necessary especially for nested tunnels, as the IP addresses, > protocol and ports may all change, thus not matching the previous > policies. In order to ensure that packets match the relevant inbound > templates, the xfrm_policy_check should be done before handing off to > the inner XFRM protocol to decrypt and decapsulate. > > Test: Tested against Android Kernel Unit Tests > Signed-off-by: Benedict Wong <benedictwong@...gle.com> > Change-Id: I20c5abf39512d7f6cf438c0921a78a84e281b4e9 > --- > net/xfrm/xfrm_input.c | 7 +++++++ > 1 file changed, 7 insertions(+) > > diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c > index 144238a50f3d..b24df8a44585 100644 > --- a/net/xfrm/xfrm_input.c > +++ b/net/xfrm/xfrm_input.c > @@ -585,6 +585,13 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type) > goto drop; > } > > + // If nested tunnel, check outer states before context is lost. Please use networking style comments like so /* ... */ > + if (x->outer_mode.flags & XFRM_MODE_FLAG_TUNNEL > + && sp->len > 0 Please align this to the opening brace of the if statement like it is done everywhere in networking code. If you are unsure about coding style, try checkpatch it helps in that case. > + && !xfrm_policy_check(NULL, XFRM_POLICY_IN, skb, family)) { Hm, shouldn't the xfrm_policy_check called along the packet path for each round after decapsulation? Do you use ESP transformation offload (INET_ESP_OFFLOAD/ INET6_ESP_OFFLOAD)? > + goto drop; > + } > + > skb->mark = xfrm_smark_get(skb->mark, x); > > sp->xvec[sp->len++] = x; > -- > 2.37.1.595.g718a3a8f04-goog
Powered by blists - more mailing lists