authorvgross <vgross@openbsd.org>2016-09-02 09:39:32 +0000
committervgross <vgross@openbsd.org>2016-09-02 09:39:32 +0000
commit220db2a09610ff661ff9aad8727d1bfd050edda2 (patch)
treefb02d4406509cb8b16a3dd37610e291306b025b4 /sys
parentGo through the set function like normal people; no functional change. (diff)
Drop non-encapsulated ESP packets using a UDP-encapsulating TDB, and add
the relevant counters. Ok mikeb@
Diffstat (limited to 'sys')
-rw-r--r--sys/netinet/ip_esp.h3
-rw-r--r--sys/netinet/ipsec_input.c12
2 files changed, 13 insertions, 2 deletions
diff --git a/sys/netinet/ip_esp.h b/sys/netinet/ip_esp.h
index 97c18b50fe5..22e186319ca 100644
--- a/sys/netinet/ip_esp.h
+++ b/sys/netinet/ip_esp.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_esp.h,v 1.42 2010/01/10 12:43:07 markus Exp $ */
+/* $OpenBSD: ip_esp.h,v 1.43 2016/09/02 09:39:32 vgross Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
* Angelos D. Keromytis (kermit@csd.uch.gr) and
@@ -62,6 +62,7 @@ struct espstat
u_int32_t esps_udpencin; /* Input ESP-in-UDP packets */
u_int32_t esps_udpencout; /* Output ESP-in-UDP packets */
u_int32_t esps_udpinval; /* Invalid input ESP-in-UDP packets */
+ u_int32_t esps_udpneeded; /* Trying to use a ESP-in-UDP TDB */
};
/*
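Review bot: The comment on the new `esps_udpneeded` field (the `+` line) names the SA type but not the event being counted, which reads oddly next to `esps_udpinval`; suggest `/* Non-encapsulated ESP received on an ESP-in-UDP TDB */`, matching the condition under which the new check in ipsec_input.c increments it. The field is appended at the end of the struct, so existing member offsets are unchanged, but this looks like a statistics record that userland tools presumably read (a netstat-style ESP stats printer would need a matching entry for the counter to be visible) — worth confirming. The enclosing `struct espstat` definition starts before the hunk.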
diff --git a/sys/netinet/ipsec_input.c b/sys/netinet/ipsec_input.c
index fe0ee48a6ad..dbe1a2ceda5 100644
--- a/sys/netinet/ipsec_input.c
+++ b/sys/netinet/ipsec_input.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsec_input.c,v 1.135 2015/09/10 17:52:05 claudio Exp $ */
+/* $OpenBSD: ipsec_input.c,v 1.136 2016/09/02 09:39:32 vgross Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
* Angelos D. Keromytis (kermit@csd.uch.gr) and
@@ -262,6 +262,16 @@ ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto,
return EINVAL;
}
+ if (!udpencap && (tdbp->tdb_flags & TDBF_UDPENCAP)) {
+ splx(s);
+ DPRINTF(("ipsec_common_input(): attempted to use udpencap "
+ "SA %s/%08x/%u\n", ipsp_address(&dst_address, buf,
+ sizeof(buf)), ntohl(spi), tdbp->tdb_sproto));
+ m_freem(m);
+ espstat.esps_udpneeded++;
+ return EINVAL;
+ }
+
if (tdbp->tdb_xform == NULL) {
splx(s);
DPRINTF(("ipsec_common_input(): attempted to use uninitialized "