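--- a/ipsec_output.c
+++ b/ipsec_output.c
@@ -1,14 +1,14 @@
-/* $NetBSD: ipsec_output.c,v 1.35 2011/06/07 15:54:57 drochner Exp $ */
+/* $NetBSD: ipsec_output.c,v 1.36 2011/06/09 21:04:37 drochner Exp $ */
 
 /*-
 * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 * notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 * notice, this list of conditions and the following disclaimer in the
 * documentation and/or other materials provided with the distribution.
@@ -19,27 +19,27 @@
 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 * $FreeBSD: /repoman/r/ncvs/src/sys/netipsec/ipsec_output.c,v 1.3.2.2 2003/03/28 20:32:53 sam Exp $
 */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.35 2011/06/07 15:54:57 drochner Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.36 2011/06/09 21:04:37 drochner Exp $");
 
 /*
 * IPsec output processing.
 */
 #include "opt_inet.h"
 #ifdef __FreeBSD__
 #include "opt_inet6.h"
 #endif
 #include "opt_ipsec.h"
 
 #include <sys/param.h>
 #include <sys/systm.h>
 #include <sys/mbuf.h>
@@ -622,26 +622,38 @@ ipsec4_process_packet(
 error = ipsec_process_done(m, isr);
 }
 splx(s);
 return error;
 bad:
 splx(s);
 if (m)
 m_freem(m);
 return error;
 }
 #endif
 
 #ifdef INET6
+static int
+in6_sa_equal_addrwithscope(const struct sockaddr_in6 *sa, const struct in6_addr *ia)
+{
+struct in6_addr ia2;
+
+memcpy(&ia2, &sa->sin6_addr, sizeof(ia2));
+if (IN6_IS_SCOPE_LINKLOCAL(&sa->sin6_addr))
+ia2.s6_addr16[1] = htons(sa->sin6_scope_id);
+
+return IN6_ARE_ADDR_EQUAL(ia, &ia2);
+}
+
 int
 ipsec6_process_packet(
 struct mbuf *m,
 struct ipsecrequest *isr
 )
 {
 struct secasindex saidx;
 struct secasvar *sav;
 struct ip6_hdr *ip6;
 int s, error, i, off;
 union sockaddr_union *dst;
 
 IPSEC_ASSERT(m != NULL, ("ipsec6_process_packet: null mbuf"));
@@ -663,27 +675,27 @@ ipsec6_process_packet(
 }
 }
 
 sav = isr->sav;
 dst = &sav->sah->saidx.dst;
 
 ip6 = mtod(m, struct ip6_hdr *); /* XXX */
 
 /* Do the appropriate encapsulation, if necessary */
 if (isr->saidx.mode == IPSEC_MODE_TUNNEL || /* Tunnel requ'd */
 dst->sa.sa_family != AF_INET6 || /* PF mismatch */
 ((dst->sa.sa_family == AF_INET6) &&
 (!IN6_IS_ADDR_UNSPECIFIED(&dst->sin6.sin6_addr)) &&
-(!IN6_ARE_ADDR_EQUAL(&dst->sin6.sin6_addr,
+(!in6_sa_equal_addrwithscope(&dst->sin6,
 &ip6->ip6_dst)))) {
 struct mbuf *mp;
 
 /* Fix IPv6 header payload length. */
 if (m->m_len < sizeof(struct ip6_hdr))
 if ((m = m_pullup(m,sizeof(struct ip6_hdr))) == NULL)
 return ENOBUFS;
 
 if (m->m_pkthdr.len - sizeof(*ip6) > IPV6_MAXPACKET) {
 /* No jumbogram support. */
 m_freem(m);
 return ENXIO; /*XXX*/
 }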
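Review bot: In the new `in6_sa_equal_addrwithscope()` (new lines 635-645), `htons(sa->sin6_scope_id)` silently narrows the 32-bit `sin6_scope_id` to 16 bits, so a zone id above 0xffff would be embedded truncated and could compare equal to a header address that belongs to a different zone. The result gates the encapsulation branch in `ipsec6_process_packet()` (whose body extends beyond the hunks shown), so reporting a mismatch for an out-of-range id looks like the more conservative outcome: `if (sa->sin6_scope_id > 0xffff) return 0;` ahead of the `s6_addr16[1]` assignment. The helper also carries no comment; something like `/* Compare an SA address (zone in sin6_scope_id) with a header address that presumably has the zone embedded in s6_addr16[1]. */` would record why plain `IN6_ARE_ADDR_EQUAL` was not sufficient. Only link-local scope is handled; whether interface-local multicast destinations need the same embedding is worth confirming.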