diff options
| author |   provos <provos@openbsd.org> | 1999-03-27 21:04:18 +0000 |
|---|---|---|
| committer | provos <provos@openbsd.org> | 1999-03-27 21:04:18 +0000 |
| commit | fd8f581361a9195b6152ffabfc99c2fbaaf69872 (patch) | |
| tree | c9a16cf84fd3b200a3c06a82f09171cacdde30f0 /sys/netinet/tcp_input.c | |
| parent | Upgrade to 2.5.4. Mopprobe is working again, and some linux support. -moj (diff) | |
| download | wireguard-openbsd-fd8f581361a9195b6152ffabfc99c2fbaaf69872.tar.xz wireguard-openbsd-fd8f581361a9195b6152ffabfc99c2fbaaf69872.zip | |
add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.
Diffstat (limited to 'sys/netinet/tcp_input.c')
| -rw-r--r-- | sys/netinet/tcp_input.c | 52 |
1 files changed, 51 insertions, 1 deletions
diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c index 1bb0da1d16e..59086ee521b 100644 --- a/sys/netinet/tcp_input.c +++ b/sys/netinet/tcp_input.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tcp_input.c,v 1.32 1999/02/15 02:39:02 provos Exp $ */ +/* $OpenBSD: tcp_input.c,v 1.33 1999/03/27 21:04:20 provos Exp $ */ /* $NetBSD: tcp_input.c,v 1.23 1996/02/13 23:43:44 christos Exp $ */ /* @@ -77,6 +77,10 @@ didn't get a copy, you may request one from <license@ipv6.nrl.navy.mil>. #include <machine/stdarg.h> #include <sys/md5k.h> +#ifdef IPSEC +#include <netinet/ip_ipsp.h> +#endif /* IPSEC */ + #ifdef INET6 #include <sys/domain.h> #include <netinet6/in6_var.h> @@ -437,6 +441,9 @@ tcp_input(m, va_alist) int iphlen; va_list ap; register struct tcphdr *th; +#ifdef IPSEC + struct tdb *tdb = NULL; +#endif /* IPSEC */ #ifdef INET6 struct in6_addr laddr6; unsigned short is_ipv6; /* Type of incoming datagram. */ @@ -449,6 +456,15 @@ tcp_input(m, va_alist) tcpstat.tcps_rcvtotal++; +#ifdef IPSEC + /* Save the last SA which was used to process the mbuf */ + if ((m->m_flags & (M_CONF|M_AUTH)) && m->m_pkthdr.tdbi) { + struct tdb_ident *tdbi = m->m_pkthdr.tdbi; + tdb = gettdb(tdbi->spi, &tdbi->dst, tdbi->proto); + free(m->m_pkthdr.tdbi, M_TEMP); + m->m_pkthdr.tdbi = NULL; + } +#endif /* IPSEC */ #ifdef INET6 /* * Before we do ANYTHING, we have to figure out if it's TCP/IPv6 or @@ -683,6 +699,18 @@ findpcb: * we're committed to it below in TCPS_LISTEN. */ dropsocket++; +#ifdef IPSEC + /* + * We need to copy the required security levels + * from the old pcb. + */ + { + struct inpcb *newinp = (struct inpcb *)so->so_pcb; + bcopy(inp->inp_seclevel, newinp->inp_seclevel, + sizeof(inp->inp_seclevel)); + newinp->inp_secrequire = inp->inp_secrequire; + } +#endif /* IPSEC */ #ifdef INET6 /* * inp still has the OLD in_pcb stuff, set the @@ -748,6 +776,28 @@ findpcb: } } +#ifdef IPSEC + /* Check if this socket requires security for incoming packets */ + if ((inp->inp_seclevel[SL_AUTH] >= IPSEC_LEVEL_REQUIRE && + !(m->m_flags & M_AUTH)) || + (inp->inp_seclevel[SL_ESP_TRANS] >= IPSEC_LEVEL_REQUIRE && + !(m->m_flags & M_CONF))) { +#ifdef notyet +#ifdef INET6 + if (is_ipv6) + ipv6_icmp_error(m, ICMPV6_BLAH, ICMPV6_BLAH, 0); + else +#endif /* INET6 */ + icmp_error(m, ICMP_BLAH, ICMP_BLAH, 0, 0); +#endif /* notyet */ + tcpstat.tcps_rcvnosec++; + goto drop; + } + /* Use tdb_bind_out for this inp's outbound communication */ + if (tdb) + tdb_add_inp(tdb, inp); +#endif /*IPSEC */ + /* * Segment received on connection. * Reset idle time and keep-alive timer. |