

[src/trunk]: src/sys make sure to validate packet against ipsec policy.



details:   https://anonhg.NetBSD.org/src/rev/d168805a2e0c
branches:  trunk
changeset: 504263:d168805a2e0c
user:      itojun <itojun%NetBSD.org@localhost>
date:      Mon Feb 26 07:20:44 2001 +0000

description:
make sure to validate packet against ipsec policy.

diffstat:

 sys/netinet/raw_ip.c   |  19 ++++++++++++++++++-
 sys/netinet6/raw_ip6.c |  25 +++++++++++++++++++++++--
 2 files changed, 41 insertions(+), 3 deletions(-)

diffs (86 lines):

diff -r 9b342fdf7636 -r d168805a2e0c sys/netinet/raw_ip.c
--- a/sys/netinet/raw_ip.c      Mon Feb 26 03:09:23 2001 +0000
+++ b/sys/netinet/raw_ip.c      Mon Feb 26 07:20:44 2001 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: raw_ip.c,v 1.54 2001/01/24 09:04:15 itojun Exp $       */
+/*     $NetBSD: raw_ip.c,v 1.55 2001/02/26 07:20:44 itojun Exp $       */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -175,6 +175,14 @@
                        continue;
                if (last) {
                        struct mbuf *n;
+
+#ifdef IPSEC
+                       /* check AH/ESP integrity. */
+                       if (ipsec4_in_reject_so(m, last->inp_socket)) {
+                               ipsecstat.in_polvio++;
+                               /* do not inject data to pcb */
+                       } else
+#endif /*IPSEC*/
                        if ((n = m_copy(m, 0, (int)M_COPYALL)) != NULL) {
                                if (last->inp_flags & INP_CONTROLOPTS ||
                                    last->inp_socket->so_options & SO_TIMESTAMP)
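Review bot: The `} else` on the IPSEC side, followed by `#endif` and then the `if ((n = m_copy(m, 0, (int)M_COPYALL)) != NULL)` line, forms an if/else that straddles a preprocessor conditional, so anyone who later inserts a statement between `#endif` and the m_copy() line silently changes control flow in IPSEC builds only. The tail-of-function hunk further down in this file and both raw_ip6.c hunks use the same construction. A local flag set under `#ifdef IPSEC` and tested in a single `if` keeps both builds reading the same way; the per-socket `ipsecstat.in_polvio++` stays as it is, noting that it counts one violation per rejecting socket rather than per packet, since the packet may still be delivered to other matching pcbs. The enclosing loop and function start before the hunk and continue after it.
```c
		if (last) {
			struct mbuf *n;
			int polvio = 0;

#ifdef IPSEC
			/* does the packet violate this socket's inbound IPsec policy? */
			if (ipsec4_in_reject_so(m, last->inp_socket)) {
				ipsecstat.in_polvio++;
				polvio = 1;	/* do not inject data to pcb */
			}
#endif /*IPSEC*/
			if (!polvio &&
			    (n = m_copy(m, 0, (int)M_COPYALL)) != NULL) {
				/* … unchanged: INP_CONTROLOPTS / SO_TIMESTAMP handling … */
```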
@@ -192,6 +200,15 @@
                }
                last = inp;
        }
+#ifdef IPSEC
+       /* check AH/ESP integrity. */
+       if (last && ipsec4_in_reject_so(m, last->inp_socket)) {
+               m_freem(m);
+               ipsecstat.in_polvio++;
+               ipstat.ips_delivered--;
+               /* do not inject data to pcb */
+       } else
+#endif /*IPSEC*/
        if (last) {
                if (last->inp_flags & INP_CONTROLOPTS ||
                    last->inp_socket->so_options & SO_TIMESTAMP)
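Review bot: The comment `/* check AH/ESP integrity. */` above `ipsec4_in_reject_so()` does not describe what the commit description says this code does, which is validating the packet against the socket's IPsec policy; the function name and the `in_polvio` counter it bumps point the same way, and AH/ESP integrity is presumably verified earlier in the input path before a raw socket is consulted. `/* drop the packet if it violates the socket's inbound IPsec policy */` would describe the check as written; the same wording appears in the loop hunk above and in both raw_ip6.c hunks. The `ipstat.ips_delivered--` on the drop path relies on the counter having been incremented earlier in the function, which is outside this hunk, so a one-line comment naming the increment it undoes would help the next reader. Freeing the mbuf with no error response to the sender is appropriate for a policy rejection; the enclosing function continues after the hunk.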
diff -r 9b342fdf7636 -r d168805a2e0c sys/netinet6/raw_ip6.c
--- a/sys/netinet6/raw_ip6.c    Mon Feb 26 03:09:23 2001 +0000
+++ b/sys/netinet6/raw_ip6.c    Mon Feb 26 07:20:44 2001 +0000
@@ -1,5 +1,5 @@
-/*     $NetBSD: raw_ip6.c,v 1.29 2001/02/11 06:49:52 itojun Exp $      */
-/*     $KAME: raw_ip6.c,v 1.65 2001/02/08 18:36:17 itojun Exp $        */
+/*     $NetBSD: raw_ip6.c,v 1.30 2001/02/26 07:20:45 itojun Exp $      */
+/*     $KAME: raw_ip6.c,v 1.66 2001/02/26 06:33:14 itojun Exp $        */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -182,6 +182,16 @@
                }
                if (last) {
                        struct  mbuf *n;
+
+#ifdef IPSEC
+                       /*
+                        * Check AH/ESP integrity.
+                        */
+                       if (ipsec6_in_reject(m, last)) {
+                               ipsec6stat.in_polvio++;
+                               /* do not inject data into pcb */
+                       } else
+#endif /*IPSEC*/
                        if ((n = m_copy(m, 0, (int)M_COPYALL)) != NULL) {
                                if (last->in6p_flags & IN6P_CONTROLOPTS)
                                        ip6_savecontrol(last, &opts, ip6, n);
@@ -201,6 +211,17 @@
                }
                last = in6p;
        }
+#ifdef IPSEC
+       /*
+        * Check AH/ESP integrity.
+        */
+       if (last && ipsec6_in_reject(m, last)) {
+               m_freem(m);
+               ipsec6stat.in_polvio++;
+               ip6stat.ip6s_delivered--;
+               /* do not inject data into pcb */
+       } else
+#endif /*IPSEC*/
        if (last) {
                if (last->in6p_flags & IN6P_CONTROLOPTS)
                        ip6_savecontrol(last, &opts, ip6, m);


