From bdf6f9025a1427eb7e7c77e35fcae7217eefbeb9 Mon Sep 17 00:00:00 2001
From: "Angelos D. Keromytis"
Date: Tue, 19 Sep 2000 03:23:17 +0000
Subject: Added files, and IPv6-IPsec update.
---
 sys/conf/files | 4 +++-
 sys/netinet6/ip6_output.c | 24 ++++--------------------
 2 files changed, 7 insertions(+), 21 deletions(-)
diff --git a/sys/conf/files b/sys/conf/files
index 4dc2fa3e6ae..77aefe54d58 100644
--- a/sys/conf/files
+++ b/sys/conf/files
@@ -1,4 +1,4 @@
-# $OpenBSD: files,v 1.176 2000/09/15 13:44:23 mickey Exp $
+# $OpenBSD: files,v 1.177 2000/09/19 03:23:16 angelos Exp $
 # $NetBSD: files,v 1.87 1996/05/19 17:17:50 jonathan Exp $
 # @(#)files.newconf 7.5 (Berkeley) 5/10/93
@@ -549,9 +549,11 @@ file netinet/ip_proxy.c ipfilter
 file netinet/ip_auth.c ipfilter
 file netinet/ip_log.c ipfilter
 file netinet/ip_ipsp.c (inet | inet6) & (ipsec | tcp_signature)
+file netinet/ip_spd.c (inet | inet6) & (ipsec | tcp_signature)
 file netinet/ip_ipip.c inet | inet6
 file netinet/ip_ether.c inet & ipsec
 file netinet/ipsec_input.c (inet | inet6) & ipsec
+file netinet/ipsec_output.c (inet | inet6) & ipsec
 file netinet/ip_esp.c inet & ipsec
 file netinet/ip_ah.c inet & ipsec
 file crypto/rijndael.c (inet & ipsec) | crypto | uvm_swap_encrypt
diff --git a/sys/netinet6/ip6_output.c b/sys/netinet6/ip6_output.c
index 28c60943663..a4c55256d61 100644
--- a/sys/netinet6/ip6_output.c
+++ b/sys/netinet6/ip6_output.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip6_output.c,v 1.15 2000/09/16 13:58:23 itojun Exp $ */
+/* $OpenBSD: ip6_output.c,v 1.16 2000/09/19 03:23:16 angelos Exp $ */
 /* $KAME: ip6_output.c,v 1.122 2000/08/19 02:12:02 jinmei Exp $ */
 /*
@@ -165,7 +165,6 @@ ip6_output(m0, opt, ro, flags, im6o, ifpp)
 #ifdef IPSEC
 union sockaddr_union sdst;
 u_int32_t sspi;
- u_int8_t sa_require = 0, sa_have = 0;
 struct inpcb *inp;
 struct tdb *tdb;
 int s;
@@ -223,7 +222,7 @@ ip6_output(m0, opt, ro, flags, im6o, ifpp)
 tdb = inp->inp_tdb;
 } else {
 tdb = ipsp_spd_lookup(m, AF_INET6, sizeof(struct ip6_hdr),
- &error);
+ &error, IPSP_DIRECTION_OUT, NULL, NULL);
 }
 if (tdb == NULL) {
@@ -270,24 +269,9 @@ ip6_output(m0, opt, ro, flags, im6o, ifpp)
 goto done_spd;
 }
- /* What are the socket (or default) security requirements ? */
- if (inp == NULL)
- sa_require = get_sa_require(NULL);
- else
- sa_require = inp->inp_secrequire;
-
- /*
- * Now we check if this tdb has all the transforms which
- * are required by the socket or our default policy.
- */
- SPI_CHAIN_ATTRIB(sa_have, tdb_onext, tdb);
- splx(s);
- if (sa_require & ~sa_have) {
- error = EHOSTUNREACH;
- goto freehdrs;
- }
+ /* XXX Take into consideration socket requirements ? */
-#if 1
+#if 1 /* XXX */
 /* if we have any extension header, we cannot perform IPsec */
 if (exthdrs.ip6e_hbh || exthdrs.ip6e_dest1 || exthdrs.ip6e_rthdr || exthdrs.ip6e_dest2) {
-- cgit v1.2.3
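Review bot: The new `ipsp_spd_lookup()` call in the -223 hunk passes `NULL, NULL` for its two added parameters with no comment on what is being left out, and the callee's signature is not visible in this commit. If either parameter is how the lookup learns about the sending socket, passing NULL means the policy decision on this branch is made without `inp`. That matters because the -270 hunk removes the only visible socket-requirement check. I would add a short comment above the call naming the two parameters and stating why NULL is correct on the output path. The enclosing if/else starts outside the hunk.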
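Review bot: The block removed in the -270 hunk was the only visible enforcement of the socket's security requirements on this path: `if (sa_require & ~sa_have)` failed the send with `EHOSTUNREACH`, and the new code replaces it with an XXX comment, so a packet can now be sent through a TDB chain that lacks transforms the socket (or the default policy) asked for. Unless the new SPD lookup already enforces this, which is not visible here, the path fails open; keep a fail-closed check until the replacement exists, or at least make the gap explicit, e.g. `/* XXX socket requirements (inp_secrequire) are NOT enforced here yet */`. The same removal also drops `splx(s);`. If `s` was raised earlier in ip6_output() and no later `splx(s)` runs on this path, the priority level is never restored, so please confirm against the full function. The function body starts and ends outside the hunk.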