提交 ca68145f 编写于 作者: H Herbert Xu 提交者: David S. Miller

[IPSEC]: Disallow combinations of RO and AH/ESP/IPCOMP

Combining RO and AH/ESP/IPCOMP does not make sense.  So this patch adds a
check in the state initialisation function to prevent this.

This allows us to safely remove the mode input function of RO since it
can never be called anymore.  Indeed, if somehow it does get called we'll
know about it through an OOPS instead of it slipping past silently.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>
上级 ed3e37dd
...@@ -477,8 +477,15 @@ static int ah6_init_state(struct xfrm_state *x) ...@@ -477,8 +477,15 @@ static int ah6_init_state(struct xfrm_state *x)
x->props.header_len = XFRM_ALIGN8(sizeof(struct ip_auth_hdr) + x->props.header_len = XFRM_ALIGN8(sizeof(struct ip_auth_hdr) +
ahp->icv_trunc_len); ahp->icv_trunc_len);
if (x->props.mode == XFRM_MODE_TUNNEL) switch (x->props.mode) {
case XFRM_MODE_BEET:
case XFRM_MODE_TRANSPORT:
break;
case XFRM_MODE_TUNNEL:
x->props.header_len += sizeof(struct ipv6hdr); x->props.header_len += sizeof(struct ipv6hdr);
default:
goto error;
}
x->data = ahp; x->data = ahp;
return 0; return 0;
......
...@@ -354,8 +354,15 @@ static int esp6_init_state(struct xfrm_state *x) ...@@ -354,8 +354,15 @@ static int esp6_init_state(struct xfrm_state *x)
(x->ealg->alg_key_len + 7) / 8)) (x->ealg->alg_key_len + 7) / 8))
goto error; goto error;
x->props.header_len = sizeof(struct ip_esp_hdr) + esp->conf.ivlen; x->props.header_len = sizeof(struct ip_esp_hdr) + esp->conf.ivlen;
if (x->props.mode == XFRM_MODE_TUNNEL) switch (x->props.mode) {
case XFRM_MODE_BEET:
case XFRM_MODE_TRANSPORT:
break;
case XFRM_MODE_TUNNEL:
x->props.header_len += sizeof(struct ipv6hdr); x->props.header_len += sizeof(struct ipv6hdr);
default:
goto error;
}
x->data = esp; x->data = esp;
return 0; return 0;
......
...@@ -411,8 +411,15 @@ static int ipcomp6_init_state(struct xfrm_state *x) ...@@ -411,8 +411,15 @@ static int ipcomp6_init_state(struct xfrm_state *x)
goto out; goto out;
x->props.header_len = 0; x->props.header_len = 0;
if (x->props.mode == XFRM_MODE_TUNNEL) switch (x->props.mode) {
case XFRM_MODE_BEET:
case XFRM_MODE_TRANSPORT:
break;
case XFRM_MODE_TUNNEL:
x->props.header_len += sizeof(struct ipv6hdr); x->props.header_len += sizeof(struct ipv6hdr);
default:
goto error;
}
mutex_lock(&ipcomp6_resource_mutex); mutex_lock(&ipcomp6_resource_mutex);
if (!ipcomp6_alloc_scratches()) if (!ipcomp6_alloc_scratches())
......
...@@ -58,16 +58,7 @@ static int xfrm6_ro_output(struct xfrm_state *x, struct sk_buff *skb) ...@@ -58,16 +58,7 @@ static int xfrm6_ro_output(struct xfrm_state *x, struct sk_buff *skb)
return 0; return 0;
} }
/*
* Do nothing about routing optimization header unlike IPsec.
*/
static int xfrm6_ro_input(struct xfrm_state *x, struct sk_buff *skb)
{
return 0;
}
static struct xfrm_mode xfrm6_ro_mode = { static struct xfrm_mode xfrm6_ro_mode = {
.input = xfrm6_ro_input,
.output = xfrm6_ro_output, .output = xfrm6_ro_output,
.owner = THIS_MODULE, .owner = THIS_MODULE,
.encap = XFRM_MODE_ROUTEOPTIMIZATION, .encap = XFRM_MODE_ROUTEOPTIMIZATION,
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册