author | Angelos D. Keromytis <angelos@cvs.openbsd.org> | 2002-05-31 04:43:27 +0000 |
committer | Angelos D. Keromytis <angelos@cvs.openbsd.org> | 2002-05-31 04:43:27 +0000 |
commit | 715c735cdcbbc79564ca587ff30ce78bdc6a897c (patch) | |
tree | 5a175a5b8088641ad3832bf088d92b2f951c619d /sys | |
parent | 010e92f60a15b6f37bcc35777a9cb2bee4f4e81c (diff) |
Socket-specific IPsec policy.
Diffstat (limited to 'sys')
-rw-r--r-- | sys/netinet/tcp_input.c | 51 | ||||
-rw-r--r-- | sys/netinet/udp_usrreq.c | 22 |
2 files changed, 38 insertions, 35 deletions
diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c
index 473c33651d5..b662b6db9b7 100644
--- a/sys/netinet/tcp_input.c
+++ b/sys/netinet/tcp_input.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tcp_input.c,v 1.112 2002/05/29 07:54:59 itojun Exp $ */
+/* $OpenBSD: tcp_input.c,v 1.113 2002/05/31 04:43:25 angelos Exp $ */
 /* $NetBSD: tcp_input.c,v 1.23 1996/02/13 23:43:44 christos Exp $ */
 /*
@@ -761,31 +761,18 @@ findpcb:
 bcopy(inp->inp_seclevel, newinp->inp_seclevel,
 sizeof(inp->inp_seclevel));
 newinp->inp_secrequire = inp->inp_secrequire;
- if (inp->inp_ipsec_localid != NULL) {
- newinp->inp_ipsec_localid = inp->inp_ipsec_localid;
- inp->inp_ipsec_localid->ref_count++;
- }
- if (inp->inp_ipsec_remoteid != NULL) {
- newinp->inp_ipsec_remoteid = inp->inp_ipsec_remoteid;
- inp->inp_ipsec_remoteid->ref_count++;
- }
- if (inp->inp_ipsec_localcred != NULL) {
- newinp->inp_ipsec_localcred = inp->inp_ipsec_localcred;
- inp->inp_ipsec_localcred->ref_count++;
+ if (inp->inp_ipo != NULL) {
+ newinp->inp_ipo = inp->inp_ipo;
+ inp->inp_ipo->ipo_ref_count++;
 }
 if (inp->inp_ipsec_remotecred != NULL) {
- newinp->inp_ipsec_remotecred = inp->inp_ipsec_remotecred;
- inp->inp_ipsec_remotecred->ref_count++;
- }
- if (inp->inp_ipsec_localauth != NULL) {
- newinp->inp_ipsec_localauth
- = inp->inp_ipsec_localauth;
- inp->inp_ipsec_localauth->ref_count++;
+ newinp->inp_ipsec_remotecred = inp->inp_ipsec_remotecred;
+ inp->inp_ipsec_remotecred->ref_count++;
 }
 if (inp->inp_ipsec_remoteauth != NULL) {
- newinp->inp_ipsec_remoteauth
- = inp->inp_ipsec_remoteauth;
- inp->inp_ipsec_remoteauth->ref_count++;
+ newinp->inp_ipsec_remoteauth
+ = inp->inp_ipsec_remoteauth;
+ inp->inp_ipsec_remoteauth->ref_count++;
 }
 }
 #endif /* IPSEC */
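Review bot: The new `newinp->inp_ipo = inp->inp_ipo; inp->inp_ipo->ipo_ref_count++;` lines alias the listening socket's policy object into the accepted socket rather than cloning it, and nothing in the hunk says whether the child is expected to ever write into that shared object; since the input path in this same commit stores a latched identity through `inp->inp_ipo`, the sharing intent should be stated at the copy site. I would add `/* The accepted socket shares the listener's policy object by reference; ipo_ref_count tracks its hold. Writes through inp_ipo are visible to the listener and its other children. */` above the `if (inp->inp_ipo != NULL)`. The `ipo_ref_count++` has no visible locking here; presumably the caller holds splnet, as the splx(s) calls elsewhere in tcp_input suggest, but that is not visible in this hunk. The enclosing function starts and ends outside the hunk.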
@@ -856,14 +843,26 @@ findpcb:
 tdb = NULL;
 ipsp_spd_lookup(m, af, iphlen, &error, IPSP_DIRECTION_IN, tdb, inp);
+ if (error) {
+ splx(s);
+ goto drop;
+ }
 /* Latch SA */
 if (inp->inp_tdb_in != tdb) {
 if (tdb) {
 tdb_add_inp(tdb, inp, 1);
- if (inp->inp_ipsec_remoteid == NULL &&
+ if (inp->inp_ipo == NULL) {
+ inp->inp_ipo = ipsec_add_policy(inp, af,
+ IPSP_DIRECTION_OUT);
+ if (inp->inp_ipo == NULL) {
+ splx(s);
+ goto drop;
+ }
+ }
+ if (inp->inp_ipo->ipo_dstid == NULL &&
 tdb->tdb_srcid != NULL) {
- inp->inp_ipsec_remoteid = tdb->tdb_srcid;
+ inp->inp_ipo->ipo_dstid = tdb->tdb_srcid;
 tdb->tdb_srcid->ref_count++;
 }
 if (inp->inp_ipsec_remotecred == NULL &&
@@ -885,10 +884,6 @@ findpcb:
 }
 }
 splx(s);
-
- /* Error or otherwise drop-packet indication */
- if (error)
- goto drop;
 #endif /* IPSEC */
 /*
diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c
index 63431eda548..1403e97ed29 100644
--- a/sys/netinet/udp_usrreq.c
+++ b/sys/netinet/udp_usrreq.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: udp_usrreq.c,v 1.76 2002/03/15 18:19:53 millert Exp $ */
+/* $OpenBSD: udp_usrreq.c,v 1.77 2002/05/31 04:43:26 angelos Exp $ */
 /* $NetBSD: udp_usrreq.c,v 1.28 1996/03/16 23:54:03 christos Exp $ */
 /*
@@ -538,15 +538,27 @@ udp_input(struct mbuf *m, ...)
 tdb = NULL;
 ipsp_spd_lookup(m, srcsa.sa.sa_family, iphlen, &error, IPSP_DIRECTION_IN, tdb, inp);
+ if (error) {
+ splx(s);
+ goto bad;
+ }
 /* Latch SA only if the socket is connected */
 if (inp->inp_tdb_in != tdb && (inp->inp_socket->so_state & SS_ISCONNECTED)) {
 if (tdb) {
 tdb_add_inp(tdb, inp, 1);
- if (inp->inp_ipsec_remoteid == NULL &&
+ if (inp->inp_ipo == NULL) {
+ inp->inp_ipo = ipsec_add_policy(inp,
+ srcsa.sa.sa_family, IPSP_DIRECTION_OUT);
+ if (inp->inp_ipo == NULL) {
+ splx(s);
+ goto bad;
+ }
+ }
+ if (inp->inp_ipo->ipo_dstid == NULL &&
 tdb->tdb_srcid != NULL) {
- inp->inp_ipsec_remoteid = tdb->tdb_srcid;
+ inp->inp_ipo->ipo_dstid = tdb->tdb_srcid;
 tdb->tdb_srcid->ref_count++;
 }
 if (inp->inp_ipsec_remotecred == NULL &&
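Review bot: The added `inp->inp_ipo->ipo_dstid = tdb->tdb_srcid;` writes the peer identity into a policy object that an accepted socket may share by reference with its listener (the accept path in this commit copies the `inp_ipo` pointer and bumps `ipo_ref_count` rather than cloning), so if `inp_ipo` was inherited, the first connection to latch sets `ipo_dstid` on the listener's policy, and every later child then sees `ipo_dstid != NULL` and is silently bound to the first peer's identity. Unless ipsec_add_policy or the accept path guarantees a private policy per socket, which is not visible here, the latch should only write into a policy the socket owns, e.g. guard with `if (inp->inp_ipo->ipo_ref_count == 1 && inp->inp_ipo->ipo_dstid == NULL && tdb->tdb_srcid != NULL)` or clone the shared policy before writing. Separately, `ipsec_add_policy` is called after `tdb_add_inp(tdb, inp, 1)`, so on allocation failure the SA is presumably already latched and the `inp->inp_tdb_in != tdb` guard will not re-enter this block on the next segment; creating the policy before latching avoids that. A comment explaining why a policy created on the input path is `IPSP_DIRECTION_OUT`, such as `/* The latched peer identity constrains the reply direction */`, would help; the enclosing tcp_input body extends beyond the hunk on both sides.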
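Review bot: If `ipsec_add_policy` returns NULL, `tdb_add_inp(tdb, inp, 1)` has already run on the line above, so the socket is left with a latched inbound SA but no policy and no `ipo_dstid`, and since the surrounding `if (inp->inp_tdb_in != tdb && ...)` guard presumably becomes false once the SA is latched, the next datagram never retries the policy creation or the identity latch. Move the `if (inp->inp_ipo == NULL) { ... }` block ahead of `tdb_add_inp(tdb, inp, 1);` so a failed allocation leaves the inp unlatched and the next datagram repeats the whole sequence. The `goto bad` on failure drops the datagram, which is the conservative choice, but a comment such as `/* No policy means no identity check; drop rather than accept unchecked */` would make that intent explicit. udp_input continues outside this hunk.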
@@ -568,10 +580,6 @@ udp_input(struct mbuf *m, ...)
 }
 }
 splx(s);
-
- /* Error or otherwise drop-packet indication. */
- if (error)
- goto bad;
 #endif /*IPSEC */
 opts = NULL; |