1 files changed, 32 insertions, 7 deletions
diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index 1cdb87912137..d09ca0e7d139 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -2,11 +2,12 @@
 #define _NET_XFRM_H
 #include <linux/compiler.h>
+#include <linux/in.h>
 #include <linux/xfrm.h>
 #include <linux/spinlock.h>
 #include <linux/list.h>
 #include <linux/skbuff.h>
-#include <linux/netdevice.h>
+#include <linux/socket.h>
 #include <linux/crypto.h>
 #include <linux/pfkeyv2.h>
 #include <linux/in6.h>
@@ -144,6 +145,9 @@ struct xfrm_state
         * transformer. */
        struct xfrm_type        *type;
+        /* Security context */
+        struct xfrm_sec_ctx     *security;
        /* Private data of this transformer, format is opaque,
         * interpreted by xfrm_type methods. */
        void                    *data;
@@ -298,6 +302,7 @@ struct xfrm_policy
        __u8                    flags;
        __u8                    dead;
        __u8                    xfrm_nr;
+        struct xfrm_sec_ctx     *security;
        struct xfrm_tmpl        xfrm_vec[XFRM_MAX_DEPTH];
 };
@@ -510,6 +515,25 @@ xfrm_selector_match(struct xfrm_selector *sel, struct flowi *fl,
        return 0;
 }
+#ifdef CONFIG_SECURITY_NETWORK_XFRM
+/*      If neither has a context --> match
+ *      Otherwise, both must have a context and the sids, doi, alg must match
+ */
+static inline int xfrm_sec_ctx_match(struct xfrm_sec_ctx *s1, struct xfrm_sec_ctx *s2)
+{
+        return ((!s1 && !s2) ||
+                (s1 && s2 &&
+                 (s1->ctx_sid == s2->ctx_sid) &&
+                 (s1->ctx_doi == s2->ctx_doi) &&
+                 (s1->ctx_alg == s2->ctx_alg)));
+}
+#else
+static inline int xfrm_sec_ctx_match(struct xfrm_sec_ctx *s1, struct xfrm_sec_ctx *s2)
+{
+        return 1;
+}
+#endif
 /* A struct encoding bundle of transformations to apply to some set of flow.
 *
 * dst->child points to the next element of bundle.
@@ -644,7 +668,7 @@ static inline int xfrm6_policy_check(struct sock *sk, int dir, struct sk_buff *s
        return xfrm_policy_check(sk, dir, skb, AF_INET6);
 }
+extern int xfrm_decode_session(struct sk_buff *skb, struct flowi *fl, unsigned short family);
 extern int __xfrm_route_forward(struct sk_buff *skb, unsigned short family);
 static inline int xfrm_route_forward(struct sk_buff *skb, unsigned short family)
@@ -807,7 +831,7 @@ struct xfrm_tunnel {
 };
 struct xfrm6_tunnel {
-        int (*handler)(struct sk_buff **pskb, unsigned int *nhoffp);
+        int (*handler)(struct sk_buff **pskb);
        void (*err_handler)(struct sk_buff *skb, struct inet6_skb_parm *opt,
                            int type, int code, int offset, __u32 info);
 };
@@ -842,10 +866,11 @@ extern int xfrm_state_mtu(struct xfrm_state *x, int mtu);
 extern int xfrm_init_state(struct xfrm_state *x);
 extern int xfrm4_rcv(struct sk_buff *skb);
 extern int xfrm4_output(struct sk_buff *skb);
+extern int xfrm4_output_finish(struct sk_buff *skb);
 extern int xfrm4_tunnel_register(struct xfrm_tunnel *handler);
 extern int xfrm4_tunnel_deregister(struct xfrm_tunnel *handler);
-extern int xfrm6_rcv_spi(struct sk_buff **pskb, unsigned int *nhoffp, u32 spi);
+extern int xfrm6_rcv_spi(struct sk_buff **pskb, u32 spi);
-extern int xfrm6_rcv(struct sk_buff **pskb, unsigned int *nhoffp);
+extern int xfrm6_rcv(struct sk_buff **pskb);
 extern int xfrm6_tunnel_register(struct xfrm6_tunnel *handler);
 extern int xfrm6_tunnel_deregister(struct xfrm6_tunnel *handler);
 extern u32 xfrm6_tunnel_alloc_spi(xfrm_address_t *saddr);
@@ -878,8 +903,8 @@ static inline int xfrm_dst_lookup(struct xfrm_dst **dst, struct flowi *fl, unsig
 struct xfrm_policy *xfrm_policy_alloc(gfp_t gfp);
 extern int xfrm_policy_walk(int (*func)(struct xfrm_policy *, int, int, void*), void *);
 int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl);
-struct xfrm_policy *xfrm_policy_bysel(int dir, struct xfrm_selector *sel,
+struct xfrm_policy *xfrm_policy_bysel_ctx(int dir, struct xfrm_selector *sel,
-                                      int delete);
+                                          struct xfrm_sec_ctx *ctx, int delete);
 struct xfrm_policy *xfrm_policy_byid(int dir, u32 id, int delete);
 void xfrm_policy_flush(void);
 u32 xfrm_get_acqseq(void);

diff --git a/include/net/xfrm.h b/include/net/xfrm.h index 1cdb87912137..d09ca0e7d139 100644 --- a/include/net/xfrm.h +++ b/include/net/xfrm.h
@@ -2,11 +2,12 @@
2	#define _NET_XFRM_H	2	#define _NET_XFRM_H
3		3
4	#include <linux/compiler.h>	4	#include <linux/compiler.h>
		5	#include <linux/in.h>
5	#include <linux/xfrm.h>	6	#include <linux/xfrm.h>
6	#include <linux/spinlock.h>	7	#include <linux/spinlock.h>
7	#include <linux/list.h>	8	#include <linux/list.h>
8	#include <linux/skbuff.h>	9	#include <linux/skbuff.h>
9	#include <linux/netdevice.h>	10	#include <linux/socket.h>
10	#include <linux/crypto.h>	11	#include <linux/crypto.h>
11	#include <linux/pfkeyv2.h>	12	#include <linux/pfkeyv2.h>
12	#include <linux/in6.h>	13	#include <linux/in6.h>
@@ -144,6 +145,9 @@ struct xfrm_state
144	* transformer. */	145	* transformer. */
145	struct xfrm_type *type;	146	struct xfrm_type *type;
146		147
		148	/* Security context */
		149	struct xfrm_sec_ctx *security;
		150
147	/* Private data of this transformer, format is opaque,	151	/* Private data of this transformer, format is opaque,
148	* interpreted by xfrm_type methods. */	152	* interpreted by xfrm_type methods. */
149	void *data;	153	void *data;
@@ -298,6 +302,7 @@ struct xfrm_policy
298	__u8 flags;	302	__u8 flags;
299	__u8 dead;	303	__u8 dead;
300	__u8 xfrm_nr;	304	__u8 xfrm_nr;
		305	struct xfrm_sec_ctx *security;
301	struct xfrm_tmpl xfrm_vec[XFRM_MAX_DEPTH];	306	struct xfrm_tmpl xfrm_vec[XFRM_MAX_DEPTH];
302	};	307	};
303		308
@@ -510,6 +515,25 @@ xfrm_selector_match(struct xfrm_selector sel, struct flowi fl,
510	return 0;	515	return 0;
511	}	516	}
512		517
		518	#ifdef CONFIG_SECURITY_NETWORK_XFRM
		519	/* If neither has a context --> match
		520	* Otherwise, both must have a context and the sids, doi, alg must match
		521	*/
		522	static inline int xfrm_sec_ctx_match(struct xfrm_sec_ctx s1, struct xfrm_sec_ctx s2)
		523	{
		524	return ((!s1 && !s2) \|\|
		525	(s1 && s2 &&
		526	(s1->ctx_sid == s2->ctx_sid) &&
		527	(s1->ctx_doi == s2->ctx_doi) &&
		528	(s1->ctx_alg == s2->ctx_alg)));
		529	}
		530	#else
		531	static inline int xfrm_sec_ctx_match(struct xfrm_sec_ctx s1, struct xfrm_sec_ctx s2)
		532	{
		533	return 1;
		534	}
		535	#endif
		536
513	/* A struct encoding bundle of transformations to apply to some set of flow.	537	/* A struct encoding bundle of transformations to apply to some set of flow.
514	*	538	*
515	* dst->child points to the next element of bundle.	539	* dst->child points to the next element of bundle.
@@ -644,7 +668,7 @@ static inline int xfrm6_policy_check(struct sock sk, int dir, struct sk_buff s
644	return xfrm_policy_check(sk, dir, skb, AF_INET6);	668	return xfrm_policy_check(sk, dir, skb, AF_INET6);
645	}	669	}
646		670
647		671	extern int xfrm_decode_session(struct sk_buff skb, struct flowi fl, unsigned short family);
648	extern int __xfrm_route_forward(struct sk_buff *skb, unsigned short family);	672	extern int __xfrm_route_forward(struct sk_buff *skb, unsigned short family);
649		673
650	static inline int xfrm_route_forward(struct sk_buff *skb, unsigned short family)	674	static inline int xfrm_route_forward(struct sk_buff *skb, unsigned short family)
@@ -807,7 +831,7 @@ struct xfrm_tunnel {
807	};	831	};
808		832
809	struct xfrm6_tunnel {	833	struct xfrm6_tunnel {
810	int (handler)(struct sk_buff pskb, unsigned int nhoffp);	834	int (handler)(struct sk_buff *pskb);
811	void (err_handler)(struct sk_buff skb, struct inet6_skb_parm *opt,	835	void (err_handler)(struct sk_buff skb, struct inet6_skb_parm *opt,
812	int type, int code, int offset, __u32 info);	836	int type, int code, int offset, __u32 info);
813	};	837	};
@@ -842,10 +866,11 @@ extern int xfrm_state_mtu(struct xfrm_state *x, int mtu);
842	extern int xfrm_init_state(struct xfrm_state *x);	866	extern int xfrm_init_state(struct xfrm_state *x);
843	extern int xfrm4_rcv(struct sk_buff *skb);	867	extern int xfrm4_rcv(struct sk_buff *skb);
844	extern int xfrm4_output(struct sk_buff *skb);	868	extern int xfrm4_output(struct sk_buff *skb);
		869	extern int xfrm4_output_finish(struct sk_buff *skb);
845	extern int xfrm4_tunnel_register(struct xfrm_tunnel *handler);	870	extern int xfrm4_tunnel_register(struct xfrm_tunnel *handler);
846	extern int xfrm4_tunnel_deregister(struct xfrm_tunnel *handler);	871	extern int xfrm4_tunnel_deregister(struct xfrm_tunnel *handler);
847	extern int xfrm6_rcv_spi(struct sk_buff *pskb, unsigned int nhoffp, u32 spi);	872	extern int xfrm6_rcv_spi(struct sk_buff **pskb, u32 spi);
848	extern int xfrm6_rcv(struct sk_buff *pskb, unsigned int nhoffp);	873	extern int xfrm6_rcv(struct sk_buff **pskb);
849	extern int xfrm6_tunnel_register(struct xfrm6_tunnel *handler);	874	extern int xfrm6_tunnel_register(struct xfrm6_tunnel *handler);
850	extern int xfrm6_tunnel_deregister(struct xfrm6_tunnel *handler);	875	extern int xfrm6_tunnel_deregister(struct xfrm6_tunnel *handler);
851	extern u32 xfrm6_tunnel_alloc_spi(xfrm_address_t *saddr);	876	extern u32 xfrm6_tunnel_alloc_spi(xfrm_address_t *saddr);
@@ -878,8 +903,8 @@ static inline int xfrm_dst_lookup(struct xfrm_dst *dst, struct flowi fl, unsig
878	struct xfrm_policy *xfrm_policy_alloc(gfp_t gfp);	903	struct xfrm_policy *xfrm_policy_alloc(gfp_t gfp);
879	extern int xfrm_policy_walk(int (func)(struct xfrm_policy , int, int, void), void );	904	extern int xfrm_policy_walk(int (func)(struct xfrm_policy , int, int, void), void );
880	int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl);	905	int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl);
881	struct xfrm_policy xfrm_policy_bysel(int dir, struct xfrm_selector sel,	906	struct xfrm_policy xfrm_policy_bysel_ctx(int dir, struct xfrm_selector sel,
882	int delete);	907	struct xfrm_sec_ctx *ctx, int delete);
883	struct xfrm_policy *xfrm_policy_byid(int dir, u32 id, int delete);	908	struct xfrm_policy *xfrm_policy_byid(int dir, u32 id, int delete);
884	void xfrm_policy_flush(void);	909	void xfrm_policy_flush(void);
885	u32 xfrm_get_acqseq(void);	910	u32 xfrm_get_acqseq(void);