authormarkus <markus@openbsd.org>2003-12-02 23:16:28 +0000
committermarkus <markus@openbsd.org>2003-12-02 23:16:28 +0000
commited4bea918660fb0a9e5e49ccec72879cd9a917f7 (patch)
treee54f58cceab9ddebf76b93faf2402e1d59fe361c /sys/netinet/ipsec_input.c
parentdelete nasty mickey change (diff)
UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)
ok deraadt@
Diffstat (limited to 'sys/netinet/ipsec_input.c')
-rw-r--r--sys/netinet/ipsec_input.c32
1 files changed, 22 insertions, 10 deletions
diff --git a/sys/netinet/ipsec_input.c b/sys/netinet/ipsec_input.c
index d4282c826ab..39e7b157821 100644
--- a/sys/netinet/ipsec_input.c
+++ b/sys/netinet/ipsec_input.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsec_input.c,v 1.69 2003/07/28 10:10:16 markus Exp $ */
+/* $OpenBSD: ipsec_input.c,v 1.70 2003/12/02 23:16:29 markus Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
* Angelos D. Keromytis (kermit@csd.uch.gr) and
@@ -74,7 +74,6 @@
#include "bpfilter.h"
-int ipsec_common_input(struct mbuf *, int, int, int, int);
void *ipsec_common_ctlinput(int, struct sockaddr *, void *, int);
#ifdef ENCDEBUG
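Review bot: The file-local prototype of ipsec_common_input is dropped here, but no hunk in this diff adds the new six-argument declaration anywhere else. Callers inside this file are fine because the definition precedes them, but the UDP-encapsulation caller that this commit presumably introduces in another file needs the declaration with the trailing `int udpencap` from a shared header; with an implicit declaration the extra argument would pass silently on many ABIs and be wrong on others. If that header change is in a sibling commit, a one-line mention in the commit message would make the dependency visible.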
@@ -100,7 +99,8 @@ extern u_char ip6_protox[];
* filtering).
*/
int
-ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto)
+ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto,
+ int udpencap)
{
#define IPSEC_ISTAT(x,y,z) (sproto == IPPROTO_ESP ? (x)++ : \
sproto == IPPROTO_AH ? (y)++ : (z)++)
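Review bot: The new `udpencap` parameter is not described in the function's header comment, which ends just above the signature (`* filtering).`). Add a sentence such as `udpencap is non-zero when the packet arrived through UDP encapsulation; only an SA flagged TDBF_UDPENCAP may then be used, otherwise the packet is dropped.` It would also help to state that the flag is meaningful only for ESP, if that is the intent of the caller that sets it. The body of ipsec_common_input continues well past this hunk.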
@@ -210,6 +210,14 @@ ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto)
return EINVAL;
}
+ if (udpencap && !(tdbp->tdb_flags & TDBF_UDPENCAP)) {
+ splx(s);
+ DPRINTF(("ipsec_common_input(): attempted to use non-udpencap SA %s/%08x/%u\n", ipsp_address(dst_address), ntohl(spi), tdbp->tdb_sproto));
+ m_freem(m);
+ espstat.esps_udpinval++;
+ return EINVAL;
+ }
+
if (tdbp->tdb_xform == NULL) {
splx(s);
DPRINTF(("ipsec_common_input(): attempted to use uninitialized SA %s/%08x/%u\n", ipsp_address(dst_address), ntohl(spi), tdbp->tdb_sproto));
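Review bot: The added check is one-directional: a UDP-encapsulated packet is refused on an SA without TDBF_UDPENCAP, but a plain (non-encapsulated) ESP packet is still accepted on an SA that was set up for UDP encapsulation, since nothing tests `!udpencap && (tdbp->tdb_flags & TDBF_UDPENCAP)`. For an SA negotiated behind NAT that means a peer can bypass the encapsulation the SA was configured for, and the existing `esps_udpinval` counter never sees it. The symmetric check below drops that case and reuses the same counter; a dedicated counter would be clearer if struct espstat is being extended anyway. Note also that `espstat.esps_udpinval++` is incremented regardless of `sproto`, which is only correct if the UDP path never hands AH or IPCOMP packets in here — that caller is outside this diff. ipsec_common_input starts and ends outside this hunk.
```c
	if (udpencap && !(tdbp->tdb_flags & TDBF_UDPENCAP)) {
		/* … unchanged: drop non-udpencap SA, esps_udpinval++ … */
	}

	/* An SA set up for UDP encapsulation must not accept raw ESP. */
	if (!udpencap && (tdbp->tdb_flags & TDBF_UDPENCAP)) {
		splx(s);
		DPRINTF(("ipsec_common_input(): attempted to use udpencap SA without UDP %s/%08x/%u\n", ipsp_address(dst_address), ntohl(spi), tdbp->tdb_sproto));
		m_freem(m);
		espstat.esps_udpinval++;
		return EINVAL;
	}
```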
@@ -227,7 +235,7 @@ ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto)
*/
m->m_pkthdr.rcvif = &encif[0].sc_if;
}
-
+
/* Register first use, setup expiration timer. */
if (tdbp->tdb_first_use == 0) {
int pri;
@@ -642,6 +650,10 @@ esp_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlen, void *newp,
switch (name[0]) {
case ESPCTL_ENABLE:
return sysctl_int(oldp, oldlen, newp, newlen, &esp_enable);
+ case ESPCTL_UDPENCAP_ENABLE:
+ return sysctl_int(oldp, oldlen, newp, newlen, &udpencap_enable);
+ case ESPCTL_UDPENCAP_PORT:
+ return sysctl_int(oldp, oldlen, newp, newlen, &udpencap_port);
default:
return ENOPROTOOPT;
}
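Review bot: `ESPCTL_UDPENCAP_PORT` stores whatever integer userland supplies straight into `udpencap_port` via `sysctl_int`, so 0, negative values and values above 65535 are all accepted and will later be compared against or truncated to a 16-bit UDP port. Validate through a temporary and reject out-of-range values with EINVAL before publishing the new value; if 0 is meant to mean "default port", widen the lower bound accordingly. The same pattern would suit `udpencap_enable` if it is intended to be a boolean. esp_sysctl's definition begins outside this hunk.
```c
	case ESPCTL_UDPENCAP_PORT: {
		int port = udpencap_port;
		int error = sysctl_int(oldp, oldlen, newp, newlen, &port);

		if (error)
			return error;
		if (port < 1 || port > 65535)
			return EINVAL;	/* not a usable UDP port */
		udpencap_port = port;
		return 0;
	}
```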
@@ -695,7 +707,7 @@ ah4_input(struct mbuf *m, ...)
va_end(ap);
ipsec_common_input(m, skip, offsetof(struct ip, ip_p), AF_INET,
- IPPROTO_AH);
+ IPPROTO_AH, 0);
return;
}
@@ -751,7 +763,7 @@ esp4_input(struct mbuf *m, ...)
va_end(ap);
ipsec_common_input(m, skip, offsetof(struct ip, ip_p), AF_INET,
- IPPROTO_ESP);
+ IPPROTO_ESP, 0);
}
/* IPv4 ESP callback. */
@@ -793,7 +805,7 @@ ipcomp4_input(struct mbuf *m, ...)
va_end(ap);
ipsec_common_input(m, skip, offsetof(struct ip, ip_p), AF_INET,
- IPPROTO_IPCOMP);
+ IPPROTO_IPCOMP, 0);
}
/* IPv4 IPCOMP callback */
@@ -940,7 +952,7 @@ ah6_input(struct mbuf **mp, int *offp, int proto)
}
protoff += offsetof(struct ip6_ext, ip6e_nxt);
}
- ipsec_common_input(*mp, *offp, protoff, AF_INET6, proto);
+ ipsec_common_input(*mp, *offp, protoff, AF_INET6, proto, 0);
return IPPROTO_DONE;
}
@@ -1026,7 +1038,7 @@ esp6_input(struct mbuf **mp, int *offp, int proto)
}
protoff += offsetof(struct ip6_ext, ip6e_nxt);
}
- ipsec_common_input(*mp, *offp, protoff, AF_INET6, proto);
+ ipsec_common_input(*mp, *offp, protoff, AF_INET6, proto, 0);
return IPPROTO_DONE;
}
@@ -1080,7 +1092,7 @@ ipcomp6_input(struct mbuf **mp, int *offp, int proto)
protoff += offsetof(struct ip6_ext, ip6e_nxt);
}
- ipsec_common_input(*mp, *offp, protoff, AF_INET6, proto);
+ ipsec_common_input(*mp, *offp, protoff, AF_INET6, proto, 0);
return IPPROTO_DONE;
}