aboutsummaryrefslogtreecommitdiffstats
path: root/net/ipv6
diff options
context:
space:
mode:
authorHerbert Xu <herbert@gondor.apana.org.au>2007-10-18 00:35:15 -0400
committerDavid S. Miller <davem@davemloft.net>2007-10-18 00:35:15 -0400
commitca68145f16359f71cd62b2671aa3e8c58f45ef19 (patch)
treedcd8806792a443cddc1c25f015d136a179c6882b /net/ipv6
parented3e37ddb0b422120d3d2d5da718c44c40af30ba (diff)
[IPSEC]: Disallow combinations of RO and AH/ESP/IPCOMP
Combining RO and AH/ESP/IPCOMP does not make sense. So this patch adds a check in the state initialisation function to prevent this. This allows us to safely remove the mode input function of RO since it can never be called anymore. Indeed, if somehow it does get called we'll know about it through an OOPS instead of it slipping past silently. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ipv6')
-rw-r--r--net/ipv6/ah6.c9
-rw-r--r--net/ipv6/esp6.c9
-rw-r--r--net/ipv6/ipcomp6.c9
-rw-r--r--net/ipv6/xfrm6_mode_ro.c9
4 files changed, 24 insertions, 12 deletions
diff --git a/net/ipv6/ah6.c b/net/ipv6/ah6.c
index a8221d1da0ff..67cd06613a25 100644
--- a/net/ipv6/ah6.c
+++ b/net/ipv6/ah6.c
@@ -477,8 +477,15 @@ static int ah6_init_state(struct xfrm_state *x)
477 477
478 x->props.header_len = XFRM_ALIGN8(sizeof(struct ip_auth_hdr) + 478 x->props.header_len = XFRM_ALIGN8(sizeof(struct ip_auth_hdr) +
479 ahp->icv_trunc_len); 479 ahp->icv_trunc_len);
480 if (x->props.mode == XFRM_MODE_TUNNEL) 480 switch (x->props.mode) {
481 case XFRM_MODE_BEET:
482 case XFRM_MODE_TRANSPORT:
483 break;
484 case XFRM_MODE_TUNNEL:
481 x->props.header_len += sizeof(struct ipv6hdr); 485 x->props.header_len += sizeof(struct ipv6hdr);
486 default:
487 goto error;
488 }
482 x->data = ahp; 489 x->data = ahp;
483 490
484 return 0; 491 return 0;
diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c
index 9eb928598351..b0715432e454 100644
--- a/net/ipv6/esp6.c
+++ b/net/ipv6/esp6.c
@@ -354,8 +354,15 @@ static int esp6_init_state(struct xfrm_state *x)
354 (x->ealg->alg_key_len + 7) / 8)) 354 (x->ealg->alg_key_len + 7) / 8))
355 goto error; 355 goto error;
356 x->props.header_len = sizeof(struct ip_esp_hdr) + esp->conf.ivlen; 356 x->props.header_len = sizeof(struct ip_esp_hdr) + esp->conf.ivlen;
357 if (x->props.mode == XFRM_MODE_TUNNEL) 357 switch (x->props.mode) {
358 case XFRM_MODE_BEET:
359 case XFRM_MODE_TRANSPORT:
360 break;
361 case XFRM_MODE_TUNNEL:
358 x->props.header_len += sizeof(struct ipv6hdr); 362 x->props.header_len += sizeof(struct ipv6hdr);
363 default:
364 goto error;
365 }
359 x->data = esp; 366 x->data = esp;
360 return 0; 367 return 0;
361 368
diff --git a/net/ipv6/ipcomp6.c b/net/ipv6/ipcomp6.c
index 28fc8edfdc3a..80ef2a1d39fd 100644
--- a/net/ipv6/ipcomp6.c
+++ b/net/ipv6/ipcomp6.c
@@ -411,8 +411,15 @@ static int ipcomp6_init_state(struct xfrm_state *x)
411 goto out; 411 goto out;
412 412
413 x->props.header_len = 0; 413 x->props.header_len = 0;
414 if (x->props.mode == XFRM_MODE_TUNNEL) 414 switch (x->props.mode) {
415 case XFRM_MODE_BEET:
416 case XFRM_MODE_TRANSPORT:
417 break;
418 case XFRM_MODE_TUNNEL:
415 x->props.header_len += sizeof(struct ipv6hdr); 419 x->props.header_len += sizeof(struct ipv6hdr);
420 default:
421 goto error;
422 }
416 423
417 mutex_lock(&ipcomp6_resource_mutex); 424 mutex_lock(&ipcomp6_resource_mutex);
418 if (!ipcomp6_alloc_scratches()) 425 if (!ipcomp6_alloc_scratches())
diff --git a/net/ipv6/xfrm6_mode_ro.c b/net/ipv6/xfrm6_mode_ro.c
index 957ae36b6695..a7bc8c62317a 100644
--- a/net/ipv6/xfrm6_mode_ro.c
+++ b/net/ipv6/xfrm6_mode_ro.c
@@ -58,16 +58,7 @@ static int xfrm6_ro_output(struct xfrm_state *x, struct sk_buff *skb)
58 return 0; 58 return 0;
59} 59}
60 60
61/*
62 * Do nothing about routing optimization header unlike IPsec.
63 */
64static int xfrm6_ro_input(struct xfrm_state *x, struct sk_buff *skb)
65{
66 return 0;
67}
68
69static struct xfrm_mode xfrm6_ro_mode = { 61static struct xfrm_mode xfrm6_ro_mode = {
70 .input = xfrm6_ro_input,
71 .output = xfrm6_ro_output, 62 .output = xfrm6_ro_output,
72 .owner = THIS_MODULE, 63 .owner = THIS_MODULE,
73 .encap = XFRM_MODE_ROUTEOPTIMIZATION, 64 .encap = XFRM_MODE_ROUTEOPTIMIZATION,