| @@ -1,14 +1,14 @@ | | | @@ -1,14 +1,14 @@ |
| 1 | /* $NetBSD: ipsec_output.c,v 1.35 2011/06/07 15:54:57 drochner Exp $ */ | | 1 | /* $NetBSD: ipsec_output.c,v 1.36 2011/06/09 21:04:37 drochner Exp $ */ |
| 2 | | | 2 | |
| 3 | /*- | | 3 | /*- |
| 4 | * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting | | 4 | * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting |
| 5 | * All rights reserved. | | 5 | * All rights reserved. |
| 6 | * | | 6 | * |
| 7 | * Redistribution and use in source and binary forms, with or without | | 7 | * Redistribution and use in source and binary forms, with or without |
| 8 | * modification, are permitted provided that the following conditions | | 8 | * modification, are permitted provided that the following conditions |
| 9 | * are met: | | 9 | * are met: |
| 10 | * 1. Redistributions of source code must retain the above copyright | | 10 | * 1. Redistributions of source code must retain the above copyright |
| 11 | * notice, this list of conditions and the following disclaimer. | | 11 | * notice, this list of conditions and the following disclaimer. |
| 12 | * 2. Redistributions in binary form must reproduce the above copyright | | 12 | * 2. Redistributions in binary form must reproduce the above copyright |
| 13 | * notice, this list of conditions and the following disclaimer in the | | 13 | * notice, this list of conditions and the following disclaimer in the |
| 14 | * documentation and/or other materials provided with the distribution. | | 14 | * documentation and/or other materials provided with the distribution. |
| @@ -19,27 +19,27 @@ | | | @@ -19,27 +19,27 @@ |
| 19 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE | | 19 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE |
| 20 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | | 20 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
| 21 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS | | 21 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
| 22 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | | 22 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
| 23 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | | 23 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
| 24 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | | 24 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
| 25 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | | 25 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
| 26 | * SUCH DAMAGE. | | 26 | * SUCH DAMAGE. |
| 27 | * | | 27 | * |
| 28 | * $FreeBSD: /repoman/r/ncvs/src/sys/netipsec/ipsec_output.c,v 1.3.2.2 2003/03/28 20:32:53 sam Exp $ | | 28 | * $FreeBSD: /repoman/r/ncvs/src/sys/netipsec/ipsec_output.c,v 1.3.2.2 2003/03/28 20:32:53 sam Exp $ |
| 29 | */ | | 29 | */ |
| 30 | | | 30 | |
| 31 | #include <sys/cdefs.h> | | 31 | #include <sys/cdefs.h> |
| 32 | __KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.35 2011/06/07 15:54:57 drochner Exp $"); | | 32 | __KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.36 2011/06/09 21:04:37 drochner Exp $"); |
| 33 | | | 33 | |
| 34 | /* | | 34 | /* |
| 35 | * IPsec output processing. | | 35 | * IPsec output processing. |
| 36 | */ | | 36 | */ |
| 37 | #include "opt_inet.h" | | 37 | #include "opt_inet.h" |
| 38 | #ifdef __FreeBSD__ | | 38 | #ifdef __FreeBSD__ |
| 39 | #include "opt_inet6.h" | | 39 | #include "opt_inet6.h" |
| 40 | #endif | | 40 | #endif |
| 41 | #include "opt_ipsec.h" | | 41 | #include "opt_ipsec.h" |
| 42 | | | 42 | |
| 43 | #include <sys/param.h> | | 43 | #include <sys/param.h> |
| 44 | #include <sys/systm.h> | | 44 | #include <sys/systm.h> |
| 45 | #include <sys/mbuf.h> | | 45 | #include <sys/mbuf.h> |
| @@ -622,26 +622,38 @@ ipsec4_process_packet( | | | @@ -622,26 +622,38 @@ ipsec4_process_packet( |
| 622 | error = ipsec_process_done(m, isr); | | 622 | error = ipsec_process_done(m, isr); |
| 623 | } | | 623 | } |
| 624 | splx(s); | | 624 | splx(s); |
| 625 | return error; | | 625 | return error; |
| 626 | bad: | | 626 | bad: |
| 627 | splx(s); | | 627 | splx(s); |
| 628 | if (m) | | 628 | if (m) |
| 629 | m_freem(m); | | 629 | m_freem(m); |
| 630 | return error; | | 630 | return error; |
| 631 | } | | 631 | } |
| 632 | #endif | | 632 | #endif |
| 633 | | | 633 | |
| 634 | #ifdef INET6 | | 634 | #ifdef INET6 |
| | | 635 | static int |
| | | 636 | in6_sa_equal_addrwithscope(const struct sockaddr_in6 *sa, const struct in6_addr *ia) |
| | | 637 | { |
| | | 638 | struct in6_addr ia2; |
| | | 639 | |
| | | 640 | memcpy(&ia2, &sa->sin6_addr, sizeof(ia2)); |
| | | 641 | if (IN6_IS_SCOPE_LINKLOCAL(&sa->sin6_addr)) |
| | | 642 | ia2.s6_addr16[1] = htons(sa->sin6_scope_id); |
| | | 643 | |
| | | 644 | return IN6_ARE_ADDR_EQUAL(ia, &ia2); |
| | | 645 | } |
| | | 646 | |
| 635 | int | | 647 | int |
| 636 | ipsec6_process_packet( | | 648 | ipsec6_process_packet( |
| 637 | struct mbuf *m, | | 649 | struct mbuf *m, |
| 638 | struct ipsecrequest *isr | | 650 | struct ipsecrequest *isr |
| 639 | ) | | 651 | ) |
| 640 | { | | 652 | { |
| 641 | struct secasindex saidx; | | 653 | struct secasindex saidx; |
| 642 | struct secasvar *sav; | | 654 | struct secasvar *sav; |
| 643 | struct ip6_hdr *ip6; | | 655 | struct ip6_hdr *ip6; |
| 644 | int s, error, i, off; | | 656 | int s, error, i, off; |
| 645 | union sockaddr_union *dst; | | 657 | union sockaddr_union *dst; |
| 646 | | | 658 | |
| 647 | IPSEC_ASSERT(m != NULL, ("ipsec6_process_packet: null mbuf")); | | 659 | IPSEC_ASSERT(m != NULL, ("ipsec6_process_packet: null mbuf")); |
| @@ -663,27 +675,27 @@ ipsec6_process_packet( | | | @@ -663,27 +675,27 @@ ipsec6_process_packet( |
| 663 | } | | 675 | } |
| 664 | } | | 676 | } |
| 665 | | | 677 | |
| 666 | sav = isr->sav; | | 678 | sav = isr->sav; |
| 667 | dst = &sav->sah->saidx.dst; | | 679 | dst = &sav->sah->saidx.dst; |
| 668 | | | 680 | |
| 669 | ip6 = mtod(m, struct ip6_hdr *); /* XXX */ | | 681 | ip6 = mtod(m, struct ip6_hdr *); /* XXX */ |
| 670 | | | 682 | |
| 671 | /* Do the appropriate encapsulation, if necessary */ | | 683 | /* Do the appropriate encapsulation, if necessary */ |
| 672 | if (isr->saidx.mode == IPSEC_MODE_TUNNEL || /* Tunnel requ'd */ | | 684 | if (isr->saidx.mode == IPSEC_MODE_TUNNEL || /* Tunnel requ'd */ |
| 673 | dst->sa.sa_family != AF_INET6 || /* PF mismatch */ | | 685 | dst->sa.sa_family != AF_INET6 || /* PF mismatch */ |
| 674 | ((dst->sa.sa_family == AF_INET6) && | | 686 | ((dst->sa.sa_family == AF_INET6) && |
| 675 | (!IN6_IS_ADDR_UNSPECIFIED(&dst->sin6.sin6_addr)) && | | 687 | (!IN6_IS_ADDR_UNSPECIFIED(&dst->sin6.sin6_addr)) && |
| 676 | (!IN6_ARE_ADDR_EQUAL(&dst->sin6.sin6_addr, | | 688 | (!in6_sa_equal_addrwithscope(&dst->sin6, |
| 677 | &ip6->ip6_dst)))) { | | 689 | &ip6->ip6_dst)))) { |
| 678 | struct mbuf *mp; | | 690 | struct mbuf *mp; |
| 679 | | | 691 | |
| 680 | /* Fix IPv6 header payload length. */ | | 692 | /* Fix IPv6 header payload length. */ |
| 681 | if (m->m_len < sizeof(struct ip6_hdr)) | | 693 | if (m->m_len < sizeof(struct ip6_hdr)) |
| 682 | if ((m = m_pullup(m,sizeof(struct ip6_hdr))) == NULL) | | 694 | if ((m = m_pullup(m,sizeof(struct ip6_hdr))) == NULL) |
| 683 | return ENOBUFS; | | 695 | return ENOBUFS; |
| 684 | | | 696 | |
| 685 | if (m->m_pkthdr.len - sizeof(*ip6) > IPV6_MAXPACKET) { | | 697 | if (m->m_pkthdr.len - sizeof(*ip6) > IPV6_MAXPACKET) { |
| 686 | /* No jumbogram support. */ | | 698 | /* No jumbogram support. */ |
| 687 | m_freem(m); | | 699 | m_freem(m); |
| 688 | return ENXIO; /*XXX*/ | | 700 | return ENXIO; /*XXX*/ |
| 689 | } | | 701 | } |