From: mikeb Date: Mon, 13 Apr 2015 16:50:43 +0000 (+0000) Subject: Perform IPsec bypass check on a socket before performing TDB lookups. X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=2d477d2c71e6b53cac7c50cc54db15ba6c780a10;p=openbsd Perform IPsec bypass check on a socket before performing TDB lookups. OK markus, hshoexer --- diff --git a/sys/netinet/ip_spd.c b/sys/netinet/ip_spd.c index 4fe95bfd127..25a8d135956 100644 --- a/sys/netinet/ip_spd.c +++ b/sys/netinet/ip_spd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_spd.c,v 1.80 2015/04/13 16:48:01 mikeb Exp $ */ +/* $OpenBSD: ip_spd.c,v 1.81 2015/04/13 16:50:43 mikeb Exp $ */ /* * The author of this code is Angelos D. Keromytis (angelos@cis.upenn.edu) * @@ -326,17 +326,6 @@ ipsp_spd_lookup(struct mbuf *m, int af, int hlen, int *error, int direction, /* Outgoing packet policy check. */ if (direction == IPSP_DIRECTION_OUT) { - /* - * Fetch the incoming TDB based on the SPI passed - * in ipsecflow and use it's dstid when looking - * up the outgoing TDB. - */ - if (ipsecflowinfo && - (tdbin = gettdb(rdomain, ipsecflowinfo, &ssrc, - ipo->ipo_sproto)) != NULL) { - srcid = tdbin->tdb_dstid; - dstid = tdbin->tdb_srcid; - } /* * If the packet is destined for the policy-specified * gateway/endhost, and the socket has the BYPASS @@ -355,6 +344,18 @@ ipsp_spd_lookup(struct mbuf *m, int af, int hlen, int *error, int direction, } } + /* + * Fetch the incoming TDB based on the SPI passed + * in ipsecflow and use it's dstid when looking + * up the outgoing TDB. + */ + if (ipsecflowinfo && + (tdbin = gettdb(rdomain, ipsecflowinfo, &ssrc, + ipo->ipo_sproto)) != NULL) { + srcid = tdbin->tdb_dstid; + dstid = tdbin->tdb_srcid; + } + /* Check that the cached TDB (if present), is appropriate. */ if (ipo->ipo_tdb) { if ((ipo->ipo_last_searched <= ipsec_last_added) ||
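Review bot: The relocated comment in the third hunk (`@@ -355,6 +344,18 @@`) still names the variable as `ipsecflow` and says `it's dstid`, and it does not record why the lookup now sits after the BYPASS check, which is the whole point of this commit and the first thing a later refactor would undo; I would change the second comment line to `* in ipsecflowinfo and use its dstid when looking` and add `* Done after the BYPASS check so bypass sockets never pay for a TDB lookup.` before the closing `*/`. The lookup itself is unchanged by the move: `gettdb(rdomain, ipsecflowinfo, &ssrc, ipo->ipo_sproto)` keys on the caller-supplied SPI plus address and protocol, and the identities of whatever TDB that returns are then used to drive the outbound TDB search, so this remains a place where a socket-supplied value steers SA selection; if ipsecflowinfo can be set on a socket without privilege (not visible in this diff), that deserves a one-line comment stating the trust assumption. ipsp_spd_lookup begins before the first code hunk and continues past the end of the last one.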