[src/trunk]: src/sys/netinet6 fix SA lookup when IPsec transport mode and tun...
details: https://anonhg.NetBSD.org/src/rev/10997e19ef3b
branches: trunk
changeset: 514885:10997e19ef3b
user: itojun <itojun%NetBSD.org@localhost>
date: Thu Sep 13 06:30:57 2001 +0000
description:
fix SA lookup when IPsec transport mode and tunnel mode over IPv6 are used
at the same time. sync with kame
(like "IP AH ESP IP", policy = "esp/tunnel/a-b/use ah/transport//use")
diffstat:
sys/netinet6/ipsec.c | 55 ++++++++++++++++++++++++++++++++++++++++++++++-----
1 files changed, 49 insertions(+), 6 deletions(-)
diffs (90 lines):
diff -r 618ba107fd49 -r 10997e19ef3b sys/netinet6/ipsec.c
--- a/sys/netinet6/ipsec.c Thu Sep 13 06:27:23 2001 +0000
+++ b/sys/netinet6/ipsec.c Thu Sep 13 06:30:57 2001 +0000
@@ -1,5 +1,5 @@
-/* $NetBSD: ipsec.c,v 1.37 2001/08/06 10:25:01 itojun Exp $ */
-/* $KAME: ipsec.c,v 1.124 2001/08/05 07:03:50 itojun Exp $ */
+/* $NetBSD: ipsec.c,v 1.38 2001/09/13 06:30:57 itojun Exp $ */
+/* $KAME: ipsec.c,v 1.125 2001/09/12 23:01:16 sakane Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -2648,6 +2648,8 @@
/* make SA index for search proper SA */
ip = mtod(state->m, struct ip *);
bcopy(&isr->saidx, &saidx, sizeof(saidx));
+ saidx.mode = isr->saidx.mode;
+ saidx.reqid = isr->saidx.reqid;
sin = (struct sockaddr_in *)&saidx.src;
if (sin->sin_len == 0) {
sin->sin_len = sizeof(*sin);
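Review bot: The two added stores `saidx.mode = isr->saidx.mode;` and `saidx.reqid = isr->saidx.reqid;` are no-ops, because the `bcopy(&isr->saidx, &saidx, sizeof(saidx))` on the line above already copies the whole index including those two fields (assuming both operands are the same struct type, which the sizeof-based copy suggests). If the intent is to document that mode and reqid are the keys the SA lookup must match, a comment says that without dead stores: `/* mode and reqid come from the policy request; endpoints below are filled from the packet when the policy left them unset */`. The enclosing function begins before this hunk and continues after it.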
@@ -2869,6 +2871,8 @@
/* make SA index for search proper SA */
ip6 = mtod(state->m, struct ip6_hdr *);
bcopy(&isr->saidx, &saidx, sizeof(saidx));
+ saidx.mode = isr->saidx.mode;
+ saidx.reqid = isr->saidx.reqid;
sin6 = (struct sockaddr_in6 *)&saidx.src;
if (sin6->sin6_len == 0) {
sin6->sin6_len = sizeof(*sin6);
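Review bot: As in the IPv4 path, `saidx.mode` and `saidx.reqid` are re-assigned immediately after a `bcopy` that already copied them, so the two new lines do not change what key_checkrequest() will see. This hunk and the new transport-mode branch later in the same file both build the endpoint sockaddr_in6 from the ip6_hdr with the identical link-local scope-id fixup, so a small static helper taking `(struct sockaddr_in6 *sin6, const struct in6_addr *addr)` would keep the copies from drifting apart. The function around this hunk starts and ends outside it.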
@@ -3037,8 +3041,47 @@
}
for (/* already initialized */; isr; isr = isr->next) {
- /* When tunnel mode, SA peers must be specified. */
- bcopy(&isr->saidx, &saidx, sizeof(saidx));
+ if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
+ /* When tunnel mode, SA peers must be specified. */
+ bcopy(&isr->saidx, &saidx, sizeof(saidx));
+ } else {
+ /* make SA index to look for a proper SA */
+ struct sockaddr_in6 *sin6;
+
+ bzero(&saidx, sizeof(saidx));
+ saidx.proto = isr->saidx.proto;
+ saidx.mode = isr->saidx.mode;
+ saidx.reqid = isr->saidx.reqid;
+
+ ip6 = mtod(state->m, struct ip6_hdr *);
+ sin6 = (struct sockaddr_in6 *)&saidx.src;
+ if (sin6->sin6_len == 0) {
+ sin6->sin6_len = sizeof(*sin6);
+ sin6->sin6_family = AF_INET6;
+ sin6->sin6_port = IPSEC_PORT_ANY;
+ bcopy(&ip6->ip6_src, &sin6->sin6_addr,
+ sizeof(ip6->ip6_src));
+ if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src)) {
+ /* fix scope id for comparing SPD */
+ sin6->sin6_addr.s6_addr16[1] = 0;
+ sin6->sin6_scope_id = ntohs(ip6->ip6_src.s6_addr16[1]);
+ }
+ }
+ sin6 = (struct sockaddr_in6 *)&saidx.dst;
+ if (sin6->sin6_len == 0) {
+ sin6->sin6_len = sizeof(*sin6);
+ sin6->sin6_family = AF_INET6;
+ sin6->sin6_port = IPSEC_PORT_ANY;
+ bcopy(&ip6->ip6_dst, &sin6->sin6_addr,
+ sizeof(ip6->ip6_dst));
+ if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) {
+ /* fix scope id for comparing SPD */
+ sin6->sin6_addr.s6_addr16[1] = 0;
+ sin6->sin6_scope_id = ntohs(ip6->ip6_dst.s6_addr16[1]);
+ }
+ }
+ }
+
if (key_checkrequest(isr, &saidx) == ENOENT) {
/*
* IPsec processing is required, but no SA found.
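Review bot: The new transport-mode branch reads the outer header with `ip6 = mtod(state->m, struct ip6_hdr *)` without a visible guarantee that the first mbuf holds the full header, and by this point in the loop an earlier tunnel-mode request in the same chain may already have prepended a fresh outer header to state->m. Whether that encapsulation step or the caller leaves `m_len >= sizeof(struct ip6_hdr)` (and an IPv6 rather than IPv4 outer header) cannot be seen from this hunk, so either a comment stating that invariant or an m_pullup() of sizeof(*ip6) on state->m that fails through the function's existing error path would make the assumption explicit. Separately, the two `if (sin6->sin6_len == 0)` tests are always true right after `bzero(&saidx, sizeof(saidx))`; they read as if the policy could have preset the endpoints, which is only the case in the tunnel-mode branch, so drop the conditions or note `/* saidx was just zeroed: always take both endpoints from the packet */`. The enclosing function and the for loop both start and end outside this hunk.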
@@ -3367,8 +3410,8 @@
for (n = m, mpp = &m; n; n = n->m_next) {
if (n->m_flags & M_EXT) {
/*
- * Make a copy only if there are more than one references
- * to the cluster.
+ * Make a copy only if there are more than one
+ * references to the cluster.
* XXX: is this approach effective?
*/
if (n->m_ext.ext_free || MCLISREFERENCED(n)) {