ip6_ipsec.c (171259) ip6_ipsec.c (171260)
1/*-
2 * Copyright (c) 1982, 1986, 1988, 1993
3 * The Regents of the University of California. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright

--- 12 unchanged lines hidden (view full) ---

21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27 * SUCH DAMAGE.
28 *
1/*-
2 * Copyright (c) 1982, 1986, 1988, 1993
3 * The Regents of the University of California. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright

--- 12 unchanged lines hidden (view full) ---

21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27 * SUCH DAMAGE.
28 *
29 * $FreeBSD: head/sys/netinet6/ip6_ipsec.c 171259 2007-07-05 16:23:49Z delphij $
29 * $FreeBSD: head/sys/netinet6/ip6_ipsec.c 171260 2007-07-05 16:29:40Z delphij $
30 */
31
32#include "opt_ipsec.h"
33
34#include <sys/param.h>
35#include <sys/systm.h>
36#include <sys/kernel.h>
37#include <sys/mac.h>

--- 67 unchanged lines hidden (view full) ---

105 int s, error;
106 mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL);
107 s = splnet();
108 if (mtag != NULL) {
109 tdbi = (struct tdb_ident *)(mtag + 1);
110 sp = ipsec_getpolicy(tdbi, IPSEC_DIR_INBOUND);
111 } else {
112 sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND,
30 */
31
32#include "opt_ipsec.h"
33
34#include <sys/param.h>
35#include <sys/systm.h>
36#include <sys/kernel.h>
37#include <sys/mac.h>

--- 67 unchanged lines hidden (view full) ---

105 int s, error;
106 mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL);
107 s = splnet();
108 if (mtag != NULL) {
109 tdbi = (struct tdb_ident *)(mtag + 1);
110 sp = ipsec_getpolicy(tdbi, IPSEC_DIR_INBOUND);
111 } else {
112 sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND,
113 IP_FORWARDING, &error);
113 IP_FORWARDING, &error);
114 }
115 if (sp == NULL) { /* NB: can happen if error */
116 splx(s);
117 /*XXX error stat???*/
118 DPRINTF(("ip_input: no SP for forwarding\n")); /*XXX*/
119 return 1;
120 }
121

--- 34 unchanged lines hidden (view full) ---

156 if ((inet6sw[ip6_protox[nxt]].pr_flags & PR_LASTHDR) != 0 &&
157 ipsec6_in_reject(m, NULL)) {
158
159 /*
160 * Check if the packet has already had IPsec processing
161 * done. If so, then just pass it along. This tag gets
162 * set during AH, ESP, etc. input handling, before the
163 * packet is returned to the ip input queue for delivery.
114 }
115 if (sp == NULL) { /* NB: can happen if error */
116 splx(s);
117 /*XXX error stat???*/
118 DPRINTF(("ip_input: no SP for forwarding\n")); /*XXX*/
119 return 1;
120 }
121

--- 34 unchanged lines hidden (view full) ---

156 if ((inet6sw[ip6_protox[nxt]].pr_flags & PR_LASTHDR) != 0 &&
157 ipsec6_in_reject(m, NULL)) {
158
159 /*
160 * Check if the packet has already had IPsec processing
161 * done. If so, then just pass it along. This tag gets
162 * set during AH, ESP, etc. input handling, before the
163 * packet is returned to the ip input queue for delivery.
164 */
164 */
165 mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL);
166 s = splnet();
167 if (mtag != NULL) {
168 tdbi = (struct tdb_ident *)(mtag + 1);
169 sp = ipsec_getpolicy(tdbi, IPSEC_DIR_INBOUND);
170 } else {
171 sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND,
165 mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL);
166 s = splnet();
167 if (mtag != NULL) {
168 tdbi = (struct tdb_ident *)(mtag + 1);
169 sp = ipsec_getpolicy(tdbi, IPSEC_DIR_INBOUND);
170 } else {
171 sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND,
172 IP_FORWARDING, &error);
172 IP_FORWARDING, &error);
173 }
174 if (sp != NULL) {
175 /*
176 * Check security policy against packet attributes.
177 */
178 error = ipsec_in_reject(sp, m);
179 KEY_FREESP(&sp);
180 } else {

--- 8 unchanged lines hidden (view full) ---

189 }
190#endif /* IPSEC */
191 return 0;
192}
193
194/*
195 * Called from ip6_output().
196 * 1 = drop packet, 0 = continue processing packet,
173 }
174 if (sp != NULL) {
175 /*
176 * Check security policy against packet attributes.
177 */
178 error = ipsec_in_reject(sp, m);
179 KEY_FREESP(&sp);
180 } else {

--- 8 unchanged lines hidden (view full) ---

189 }
190#endif /* IPSEC */
191 return 0;
192}
193
194/*
195 * Called from ip6_output().
196 * 1 = drop packet, 0 = continue processing packet,
197 * -1 = packet was reinjected and stop processing packet
198 */
197 * -1 = packet was reinjected and stop processing packet
198 */
199
200int
201ip6_ipsec_output(struct mbuf **m, struct inpcb *inp, int *flags, int *error,
199
200int
201ip6_ipsec_output(struct mbuf **m, struct inpcb *inp, int *flags, int *error,
202 struct ifnet **ifp, struct secpolicy **sp)
202 struct ifnet **ifp, struct secpolicy **sp)
203{
204#ifdef IPSEC
205 struct tdb_ident *tdbi;
206 struct m_tag *mtag;
207 /* XXX int s; */
208 if (sp == NULL)
209 return 1;
210 mtag = m_tag_find(*m, PACKET_TAG_IPSEC_PENDING_TDB, NULL);

--- 5 unchanged lines hidden (view full) ---

216 m_tag_delete(*m, mtag);
217 } else {
218 *sp = ipsec4_checkpolicy(*m, IPSEC_DIR_OUTBOUND, *flags,
219 error, inp);
220 }
221
222 /*
223 * There are four return cases:
203{
204#ifdef IPSEC
205 struct tdb_ident *tdbi;
206 struct m_tag *mtag;
207 /* XXX int s; */
208 if (sp == NULL)
209 return 1;
210 mtag = m_tag_find(*m, PACKET_TAG_IPSEC_PENDING_TDB, NULL);

--- 5 unchanged lines hidden (view full) ---

216 m_tag_delete(*m, mtag);
217 } else {
218 *sp = ipsec4_checkpolicy(*m, IPSEC_DIR_OUTBOUND, *flags,
219 error, inp);
220 }
221
222 /*
223 * There are four return cases:
224 * sp != NULL apply IPsec policy
224 * sp != NULL apply IPsec policy
225 * sp == NULL, error == 0 no IPsec handling needed
226 * sp == NULL, error == -EINVAL discard packet w/o error
227 * sp == NULL, error != 0 discard packet, report error
228 */
229 if (*sp != NULL) {
230 /* Loop detection, check if ipsec processing already done */
231 KASSERT((*sp)->req != NULL, ("ip_output: no ipsec request"));
232 for (mtag = m_tag_first(*m); mtag != NULL;

--- 136 unchanged lines hidden ---
225 * sp == NULL, error == 0 no IPsec handling needed
226 * sp == NULL, error == -EINVAL discard packet w/o error
227 * sp == NULL, error != 0 discard packet, report error
228 */
229 if (*sp != NULL) {
230 /* Loop detection, check if ipsec processing already done */
231 KASSERT((*sp)->req != NULL, ("ip_output: no ipsec request"));
232 for (mtag = m_tag_first(*m); mtag != NULL;

--- 136 unchanged lines hidden ---