From c14e20a2f8ae626639af3f2ea171c81eeec339f2 Mon Sep 17 00:00:00 2001 From: "Angelos D. Keromytis" Date: Tue, 29 May 2001 01:08:16 +0000 Subject: Verify that packets that haven't had crypto applied to them don't make it out. --- sys/netinet6/nd6.c | 31 ++++++++++++++++++++++++++++++- 1 file changed, 30 insertions(+), 1 deletion(-) diff --git a/sys/netinet6/nd6.c b/sys/netinet6/nd6.c index 98d1db5325a..596aec0045c 100644 --- a/sys/netinet6/nd6.c +++ b/sys/netinet6/nd6.c @@ -1,4 +1,4 @@ -/* $OpenBSD: nd6.c,v 1.32 2001/03/30 11:09:03 itojun Exp $ */ +/* $OpenBSD: nd6.c,v 1.33 2001/05/29 01:08:15 angelos Exp $ */ /* $KAME: nd6.c,v 1.137 2001/03/21 21:52:06 jinmei Exp $ */ /* @@ -62,6 +62,7 @@ #include #include +#include #include #include @@ -1793,6 +1794,9 @@ nd6_output(ifp, origifp, m0, dst, rt0) struct llinfo_nd6 *ln = NULL; int error = 0; long time_second = time.tv_sec; +#ifdef IPSEC + struct m_tag *mtag; +#endif /* IPSEC */ if (IN6_IS_ADDR_MULTICAST(&dst->sin6_addr)) goto sendpkt; @@ -1954,11 +1958,36 @@ nd6_output(ifp, origifp, m0, dst, rt0) return(0); sendpkt: +#ifdef IPSEC + /* + * If the packet needs outgoing IPsec crypto processing and the + * interface doesn't support it, drop it. + */ + mtag = m_tag_find(m, PACKET_TAG_IPSEC_OUT_CRYPTO_NEEDED, NULL); +#endif /* IPSEC */ if ((ifp->if_flags & IFF_LOOPBACK) != 0) { +#ifdef IPSEC + if (mtag != NULL && + (origifp->if_capabilities & IFCAP_IPSEC) == 0) { + /* Tell IPsec to do its own crypto. */ + ipsp_skipcrypto_unmark((struct tdb_ident *)(mtag + 1)); + error = EACCES; + goto bad; + } +#endif /* IPSEC */ return((*ifp->if_output)(origifp, m, (struct sockaddr *)dst, rt)); } +#ifdef IPSEC + if (mtag != NULL && + (ifp->if_capabilities & IFCAP_IPSEC) == 0) { + /* Tell IPsec to do its own crypto. */ + ipsp_skipcrypto_unmark((struct tdb_ident *)(mtag + 1)); + error = EACCES; + goto bad; + } +#endif /* IPSEC */ return((*ifp->if_output)(ifp, m, (struct sockaddr *)dst, rt)); bad: -- cgit v1.2.3