Remove some code that breaks AH tunnels completely. The comment describing

the purpose of this code appears to be on crack -- it's talking about end-to-end authentication, but the purpose of an AH tunnel is NOT end-to-end authentication; it's authentication of the tunnel endpoints. NB: This does not fix the fact that IPsec leaks "packet tags."
2003-09-28 04:45:14 +00:00 · 2003-09-28 04:45:14 +00:00 · ca96c7c4ec
commit ca96c7c4ec
parent 6cac03ae0e
2 changed files with 4 additions and 47 deletions
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@ -1,4 +1,4 @@
-/*	$NetBSD: ip_input.c,v 1.178 2003/09/06 03:36:30 itojun Exp $	*/
+/*	$NetBSD: ip_input.c,v 1.179 2003/09/28 04:45:14 mycroft Exp $	*/

 /*
 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -98,7 +98,7 @@
 */

 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ip_input.c,v 1.178 2003/09/06 03:36:30 itojun Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip_input.c,v 1.179 2003/09/28 04:45:14 mycroft Exp $");

 #include "opt_gateway.h"
 #include "opt_pfil_hooks.h"
@ -443,16 +443,6 @@ ip_input(struct mbuf *m)
 	if ((m->m_flags & M_PKTHDR) == 0)
 		panic("ipintr no HDR");
 #endif
-#ifdef IPSEC
-	/*
-	 * should the inner packet be considered authentic?
-	 * see comment in ah4_input().
-	 */
-	if (m) {
-		m->m_flags &= ~M_AUTHIPHDR;
-		m->m_flags &= ~M_AUTHIPDGM;
-	}
-#endif

 	/*
 	 * If no IP addresses have been set yet but the interfaces
--- a/sys/netinet6/ah_input.c
+++ b/sys/netinet6/ah_input.c
@ -1,4 +1,4 @@
-/*	$NetBSD: ah_input.c,v 1.41 2003/08/06 14:47:32 itojun Exp $	*/
+/*	$NetBSD: ah_input.c,v 1.42 2003/09/28 04:45:14 mycroft Exp $	*/
 /*	$KAME: ah_input.c,v 1.64 2001/09/04 08:43:19 itojun Exp $	*/

 /*
@ -35,7 +35,7 @@
 */

 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ah_input.c,v 1.41 2003/08/06 14:47:32 itojun Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ah_input.c,v 1.42 2003/09/28 04:45:14 mycroft Exp $");

 #include "opt_inet.h"

@ -388,30 +388,6 @@ ah4_input(m, va_alist)
 			goto fail;
 		}

-#if 1
-		/*
-		 * Should the inner packet be considered authentic?
-		 * My current answer is: NO.
-		 *
-		 * host1 -- gw1 === gw2 -- host2
-		 *	In this case, gw2 can trust the	authenticity of the
-		 *	outer packet, but NOT inner.  Packet may be altered
-		 *	between host1 and gw1.
-		 *
-		 * host1 -- gw1 === host2
-		 *	This case falls into the same scenario as above.
-		 *
-		 * host1 === host2
-		 *	This case is the only case when we may be able to leave
-		 *	M_AUTHIPHDR and M_AUTHIPDGM set.
-		 *	However, if host1 is wrongly configured, and allows
-		 *	attacker to inject some packet with src=host1 and
-		 *	dst=host2, you are in risk.
-		 */
-		m->m_flags &= ~M_AUTHIPHDR;
-		m->m_flags &= ~M_AUTHIPDGM;
-#endif
-
 		key_sa_recordxfer(sav, m);
 		if (ipsec_addhist(m, IPPROTO_AH, spi) != 0 ||
 		    ipsec_addhist(m, IPPROTO_IPV4, 0) != 0) {
@ -831,15 +807,6 @@ ah6_input(mp, offp, proto)
 			goto fail;
 		}

-#if 1
-		/*
-		 * should the inner packet be considered authentic?
-		 * see comment in ah4_input().
-		 */
-		m->m_flags &= ~M_AUTHIPHDR;
-		m->m_flags &= ~M_AUTHIPDGM;
-#endif
-
 		key_sa_recordxfer(sav, m);
 		if (ipsec_addhist(m, IPPROTO_AH, spi) != 0 ||
 		    ipsec_addhist(m, IPPROTO_IPV6, 0) != 0) {