Skip to content

L
linux
Commit 6c55c29f authored by Alexey Kuznetsov's avatar Alexey Kuznetsov Committed by David S. Miller
Browse files
Options

[IPSEC]: Add transform engine and AH implementation.

parent e26bdd97
Hide whitespace changes
Inline Side-by-side
Showing with 2379 additions and 10 deletions
include/linux/pfkeyv2.h 0 → 100644
View file @ 6c55c29f
/* PF_KEY user interface, this is defined by rfc2367 so
* do not make arbitrary modifications or else this header
* file will not be compliant.
*/
#ifndef _LINUX_PFKEY2_H
#define _LINUX_PFKEY2_H
#include <linux/types.h>
#define PF_KEY_V2 2
#define PFKEYV2_REVISION 199806L
struct sadb_msg {
uint8_t sadb_msg_version;
uint8_t sadb_msg_type;
uint8_t sadb_msg_errno;
uint8_t sadb_msg_satype;
uint16_t sadb_msg_len;
uint16_t sadb_msg_reserved;
uint32_t sadb_msg_seq;
uint32_t sadb_msg_pid;
} __attribute__((packed));
/* sizeof(struct sadb_msg) == 16 */
struct sadb_ext {
uint16_t sadb_ext_len;
uint16_t sadb_ext_type;
} __attribute__((packed));
/* sizeof(struct sadb_ext) == 4 */
struct sadb_sa {
uint16_t sadb_sa_len;
uint16_t sadb_sa_exttype;
uint32_t sadb_sa_spi;
uint8_t sadb_sa_replay;
uint8_t sadb_sa_state;
uint8_t sadb_sa_auth;
uint8_t sadb_sa_encrypt;
uint32_t sadb_sa_flags;
} __attribute__((packed));
/* sizeof(struct sadb_sa) == 16 */
struct sadb_lifetime {
uint16_t sadb_lifetime_len;
uint16_t sadb_lifetime_exttype;
uint32_t sadb_lifetime_allocations;
uint64_t sadb_lifetime_bytes;
uint64_t sadb_lifetime_addtime;
uint64_t sadb_lifetime_usetime;
} __attribute__((packed));
/* sizeof(struct sadb_lifetime) == 32 */
struct sadb_address {
uint16_t sadb_address_len;
uint16_t sadb_address_exttype;
uint8_t sadb_address_proto;
uint8_t sadb_address_prefixlen;
uint16_t sadb_address_reserved;
} __attribute__((packed));
/* sizeof(struct sadb_address) == 8 */
struct sadb_key {
uint16_t sadb_key_len;
uint16_t sadb_key_exttype;
uint16_t sadb_key_bits;
uint16_t sadb_key_reserved;
} __attribute__((packed));
/* sizeof(struct sadb_key) == 8 */
struct sadb_ident {
uint16_t sadb_ident_len;
uint16_t sadb_ident_exttype;
uint16_t sadb_ident_type;
uint16_t sadb_ident_reserved;
uint64_t sadb_ident_id;
} __attribute__((packed));
/* sizeof(struct sadb_ident) == 16 */
struct sadb_sens {
uint16_t sadb_sens_len;
uint16_t sadb_sens_exttype;
uint32_t sadb_sens_dpd;
uint8_t sadb_sens_sens_level;
uint8_t sadb_sens_sens_len;
uint8_t sadb_sens_integ_level;
uint8_t sadb_sens_integ_len;
uint32_t sadb_sens_reserved;
} __attribute__((packed));
/* sizeof(struct sadb_sens) == 16 */
/* followed by:
uint64_t sadb_sens_bitmap[sens_len];
uint64_t sadb_integ_bitmap[integ_len]; */
struct sadb_prop {
uint16_t sadb_prop_len;
uint16_t sadb_prop_exttype;
uint8_t sadb_prop_replay;
uint8_t sadb_prop_reserved[3];
} __attribute__((packed));
/* sizeof(struct sadb_prop) == 8 */
/* followed by:
struct sadb_comb sadb_combs[(sadb_prop_len +
sizeof(uint64_t) - sizeof(struct sadb_prop)) /
sizeof(strut sadb_comb)]; */
struct sadb_comb {
uint8_t sadb_comb_auth;
uint8_t sadb_comb_encrypt;
uint16_t sadb_comb_flags;
uint16_t sadb_comb_auth_minbits;
uint16_t sadb_comb_auth_maxbits;
uint16_t sadb_comb_encrypt_minbits;
uint16_t sadb_comb_encrypt_maxbits;
uint32_t sadb_comb_reserved;
uint32_t sadb_comb_soft_allocations;
uint32_t sadb_comb_hard_allocations;
uint64_t sadb_comb_soft_bytes;
uint64_t sadb_comb_hard_bytes;
uint64_t sadb_comb_soft_addtime;
uint64_t sadb_comb_hard_addtime;
uint64_t sadb_comb_soft_usetime;
uint64_t sadb_comb_hard_usetime;
} __attribute__((packed));
/* sizeof(struct sadb_comb) == 72 */
struct sadb_supported {
uint16_t sadb_supported_len;
uint16_t sadb_supported_exttype;
uint32_t sadb_supported_reserved;
} __attribute__((packed));
/* sizeof(struct sadb_supported) == 8 */
/* followed by:
struct sadb_alg sadb_algs[(sadb_supported_len +
sizeof(uint64_t) - sizeof(struct sadb_supported)) /
sizeof(struct sadb_alg)]; */
struct sadb_alg {
uint8_t sadb_alg_id;
uint8_t sadb_alg_ivlen;
uint16_t sadb_alg_minbits;
uint16_t sadb_alg_maxbits;
uint16_t sadb_alg_reserved;
} __attribute__((packed));
/* sizeof(struct sadb_alg) == 8 */
struct sadb_spirange {
uint16_t sadb_spirange_len;
uint16_t sadb_spirange_exttype;
uint32_t sadb_spirange_min;
uint32_t sadb_spirange_max;
uint32_t sadb_spirange_reserved;
} __attribute__((packed));
/* sizeof(struct sadb_spirange) == 16 */
struct sadb_x_kmprivate {
uint16_t sadb_x_kmprivate_len;
uint16_t sadb_x_kmprivate_exttype;
u_int32_t sadb_x_kmprivate_reserved;
} __attribute__((packed));
/* sizeof(struct sadb_x_kmprivate) == 8 */
struct sadb_x_sa2 {
uint16_t sadb_x_sa2_len;
uint16_t sadb_x_sa2_exttype;
uint8_t sadb_x_sa2_mode;
uint8_t sadb_x_sa2_reserved1;
uint16_t sadb_x_sa2_reserved2;
uint32_t sadb_x_sa2_sequence;
uint32_t sadb_x_sa2_reqid;
} __attribute__((packed));
/* sizeof(struct sadb_x_sa2) == 16 */
struct sadb_x_policy {
uint16_t sadb_x_policy_len;
uint16_t sadb_x_policy_exttype;
uint16_t sadb_x_policy_type;
uint8_t sadb_x_policy_dir;
uint8_t sadb_x_policy_reserved;
uint32_t sadb_x_policy_id;
uint32_t sadb_x_policy_reserved2;
} __attribute__((packed));
/* sizeof(struct sadb_x_policy) == 16 */
struct sadb_x_ipsecrequest {
uint16_t sadb_x_ipsecrequest_len;
uint16_t sadb_x_ipsecrequest_exttype;
uint8_t sadb_x_ipsecrequest_mode;
uint8_t sadb_x_ipsecrequest_level;
uint16_t sadb_x_ipsecrequest_reqid;
} __attribute__((packed));
/* sizeof(struct sadb_x_ipsecrequest) == 16 */
/* Message types */
#define SADB_RESERVED 0
#define SADB_GETSPI 1
#define SADB_UPDATE 2
#define SADB_ADD 3
#define SADB_DELETE 4
#define SADB_GET 5
#define SADB_ACQUIRE 6
#define SADB_REGISTER 7
#define SADB_EXPIRE 8
#define SADB_FLUSH 9
#define SADB_DUMP 10
#define SADB_X_PROMISC 11
#define SADB_X_PCHANGE 12
#define SADB_X_SPDUPDATE 13
#define SADB_X_SPDADD 14
#define SADB_X_SPDDELETE 15
#define SADB_X_SPDGET 16
#define SADB_X_SPDACQUIRE 17
#define SADB_X_SPDDUMP 18
#define SADB_X_SPDFLUSH 19
#define SADB_X_SPDSETIDX 20
#define SADB_X_SPDEXPIRE 21
#define SADB_X_SPDDELETE2 22
#define SADB_MAX 22
/* Security Association flags */
#define SADB_SAFLAGS_PFS 1
/* Security Association states */
#define SADB_SASTATE_LARVAL 0
#define SADB_SASTATE_MATURE 1
#define SADB_SASTATE_DYING 2
#define SADB_SASTATE_DEAD 3
#define SADB_SASTATE_MAX 3
/* Security Association types */
#define SADB_SATYPE_UNSPEC 0
#define SADB_SATYPE_AH 2
#define SADB_SATYPE_ESP 3
#define SADB_SATYPE_RSVP 5
#define SADB_SATYPE_OSPFV2 6
#define SADB_SATYPE_RIPV2 7
#define SADB_SATYPE_MIP 8
#define SADB_X_SATYPE_IPCOMP 9
#define SADB_SATYPE_MAX 9
/* Authentication algorithms */
#define SADB_AALG_NONE 0
#define SADB_AALG_MD5HMAC 2
#define SADB_AALG_SHA1HMAC 3
#define SADB_AALG_MAX 3
/* Encryption algorithms */
#define SADB_EALG_NONE 0
#define SADB_EALG_DESCBC 2
#define SADB_EALG_3DESCBC 3
#define SADB_EALG_NULL 11
#define SADB_EALG_MAX 11
/* Extension Header values */
#define SADB_EXT_RESERVED 0
#define SADB_EXT_SA 1
#define SADB_EXT_LIFETIME_CURRENT 2
#define SADB_EXT_LIFETIME_HARD 3
#define SADB_EXT_LIFETIME_SOFT 4
#define SADB_EXT_ADDRESS_SRC 5
#define SADB_EXT_ADDRESS_DST 6
#define SADB_EXT_ADDRESS_PROXY 7
#define SADB_EXT_KEY_AUTH 8
#define SADB_EXT_KEY_ENCRYPT 9
#define SADB_EXT_IDENTITY_SRC 10
#define SADB_EXT_IDENTITY_DST 11
#define SADB_EXT_SENSITIVITY 12
#define SADB_EXT_PROPOSAL 13
#define SADB_EXT_SUPPORTED_AUTH 14
#define SADB_EXT_SUPPORTED_ENCRYPT 15
#define SADB_EXT_SPIRANGE 16
#define SADB_X_EXT_KMPRIVATE 17
#define SADB_X_EXT_POLICY 18
#define SADB_X_EXT_SA2 19
#define SADB_EXT_MAX 19
/* Identity Extension values */
#define SADB_IDENTTYPE_RESERVED 0
#define SADB_IDENTTYPE_PREFIX 1
#define SADB_IDENTTYPE_FQDN 2
#define SADB_IDENTTYPE_USERFQDN 3
#define SADB_IDENTTYPE_MAX 3
#endif /* !(_LINUX_PFKEY2_H) */
include/linux/skbuff.h
View file @ 6c55c29f
......@@ -213,6 +213,7 @@ struct sk_buff {
} mac;
struct dst_entry *dst;
struct sec_path *sp;
/*
* This is the control buffer. It is free to use for every
......
include/net/dst.h
View file @ 6c55c29f
......@@ -59,6 +59,7 @@ struct dst_entry
struct neighbour *neighbour;
struct hh_cache *hh;
struct xfrm_state *xfrm;
int (*input)(struct sk_buff*);
int (*output)(struct sk_buff*);
......@@ -233,6 +234,11 @@ static inline int dst_input(struct sk_buff *skb)
extern void dst_init(void);
struct flowi;
extern int xfrm_lookup(struct dst_entry **dst_p, struct flowi *fl,
struct sock *sk, int flags);
#endif
#endif /* _NET_DST_H */
include/net/xfrm.h 0 → 100644
View file @ 6c55c29f
#include <linux/types.h>
#include <linux/spinlock.h>
#include <linux/list.h>
#include <linux/skbuff.h>
#include <linux/netdevice.h>
#include <net/dst.h>
#include <net/route.h>
/* Organization of SPD aka "XFRM rules"
------------------------------------
Basic objects:
- policy rule, struct xfrm_policy (=SPD entry)
- bundle of transformations, struct dst_entry == struct xfrm_dst (=SA bundle)
- instance of a transformer, struct xfrm_state (=SA)
- template to clone xfrm_state, struct xfrm_tmpl
SPD is plain linear list of xfrm_policy rules, ordered by priority.
(To be compatible with existing pfkeyv2 implementations,
many rules with priority of 0x7fffffff are allowed to exist and
such rules are ordered in an unpredictable way, thanks to bsd folks.)
Lookup is plain linear search until the first match with selector.
If "action" is "block", then we prohibit the flow, otherwise:
if "xfrms_nr" is zero, the flow passes untransformed. Otherwise,
policy entry has list of up to XFRM_MAX_DEPTH transformations,
described by templates xfrm_tmpl. Each template is resolved
to a complete xfrm_state (see below) and we pack bundle of transformations
to a dst_entry returned to requestor.
dst -. xfrm .-> xfrm_state #1
|---. child .-> dst -. xfrm .-> xfrm_state #2
|---. child .-> dst -. xfrm .-> xfrm_state #3
|---. child .-> NULL
Bundles are cached at xrfm_policy struct (field ->bundles).
Resolution of xrfm_tmpl
-----------------------
Template contains:
1. ->mode Mode: transport or tunnel
2. ->id.proto Protocol: AH/ESP/IPCOMP
3. ->id.daddr Remote tunnel endpoint, ignored for transport mode.
Q: allow to resolve security gateway?
4. ->id.spi If not zero, static SPI.
5. ->saddr Local tunnel endpoint, ignored for transport mode.
6. ->algos List of allowed algos. Plain bitmask now.
Q: ealgos, aalgos, calgos. What a mess...
7. ->share Sharing mode.
Q: how to implement private sharing mode? To add struct sock* to
flow id?
8. ->resolved If template uniquely resolves to a static xfrm_state,
the reference is stores here.
Having this template we search through SAD searching for entries
with appropriate mode/proto/algo, permitted by selector.
If no appropriate entry found, it is requested from key manager.
PROBLEMS:
Q: How to find all the bundles referring to a physical path for
PMTU discovery? Seems, dst should contain list of all parents...
and enter to infinite locking hierarchy disaster.
No! It is easier, we will not search for them, let them find us.
We add genid to each dst plus pointer to genid of raw IP route,
pmtu disc will update pmtu on raw IP route and increase its genid.
dst_check() will see this for top level and trigger resyncing
metrics. Plus, it will be made via sk->dst_cache. Solved.
*/
/* Structure to encapsulate addresses. I do not want to use
* "standard" structure. My apologies. */
typedef union
{
struct {
u32 addr;
u32 mask; /* Use unused bits to cache mask. */
} a4;
#define xfrm4_addr a4.addr
#define xfrm4_mask a4.mask
u32 a6[4];
} xfrm_address_t;
/* Ident of a specific xfrm_state. It is used on input to lookup
* the state by (spi,daddr,ah/esp) or to store information about
* spi, protocol and tunnel address on output. */
struct xfrm_id
{
xfrm_address_t daddr;
__u32 spi;
__u8 proto;
};
/* Selector, used as selector both on policy rules (SPD) and SAs. */
struct xfrm_selector
{
xfrm_address_t daddr;
xfrm_address_t saddr;
__u16 dport;
__u16 dport_mask;
__u16 sport;
__u16 sport_mask;
__u8 prefixlen_d;
__u8 prefixlen_s;
__u8 proto;
int ifindex;
uid_t user;
void *owner;
};
/* Full description of state of transformer. */
struct xfrm_state
{
struct list_head bydst;
struct list_head byspi;
atomic_t refcnt;
spinlock_t lock;
struct xfrm_id id;
struct xfrm_selector sel;
/* Key manger bits */
struct {
int state;
u32 seq;
u32 warn_bytes;
} km;
/* Parameters of this state. */
struct {
u8 mode;
u8 algo;
xfrm_address_t saddr;
int header_len;
int trailer_len;
u32 hard_byte_limit;
u32 soft_byte_limit;
u32 replay_window;
/* More... */
} props;
/* State for replay detection */
struct {
u32 oseq;
u32 seq;
u32 bitmap;
} replay;
/* Statistics */
struct {
unsigned long lastuse;
unsigned long expires;
u32 bytes;
u32 replay_window;
u32 replay;
u32 integrity_failed;
/* More... */
} stats;
/* Reference to data common to all the instances of this
* transformer. */
struct xfrm_type *type;
/* Private data of this transformer, format is opaque,
* interpreted by xfrm_type methods. */
void *data;
};
enum {
XFRM_STATE_VOID,
XFRM_STATE_ACQ,
XFRM_STATE_VALID,
XFRM_STATE_ERROR,
XFRM_STATE_EXPIRED,
XFRM_STATE_DEAD
};
#define XFRM_DST_HSIZE 1024
struct xfrm_type
{
char *description;
atomic_t refcnt;
__u8 proto;
__u8 algo;
int (*init_state)(struct xfrm_state *x, void *args);
void (*destructor)(struct xfrm_state *);
int (*input)(struct xfrm_state *, struct sk_buff *skb);
int (*output)(struct sk_buff *skb);
/* Estimate maximal size of result of transformation of a dgram */
u32 (*get_max_size)(struct xfrm_state *, int size);
};
struct xfrm_tmpl
{
/* id in template is interpreted as:
* daddr - destination of tunnel, may be zero for transport mode.
* spi - zero to acquire spi. Not zero if spi is static, then
* daddr must be fixed too.
* proto - AH/ESP/IPCOMP
*/
struct xfrm_id id;
/* Source address of tunnel. Ignored, if it is not a tunnel. */
xfrm_address_t saddr;
/* Mode: transport/tunnel */
__u8 mode;
/* Sharing mode: unique, this session only, this user only etc. */
__u8 share;
/* Bit mask of algos allowed for acquisition */
__u32 algos;
/* If template statically resolved, hold ref here */
struct xfrm_state *resolved;
};
#define XFRM_MAX_DEPTH 3
enum
{
XFRM_SHARE_ANY, /* No limitations */
XFRM_SHARE_SESSION, /* For this session only */
XFRM_SHARE_USER, /* For this user only */
XFRM_SHARE_UNIQUE /* Use once */
};
enum
{
XFRM_POLICY_IN = 0,
XFRM_POLICY_FWD = 1,
XFRM_POLICY_OUT = 2,
XFRM_POLICY_MAX = 3
};
struct xfrm_policy
{
struct xfrm_policy *next;
/* This lock only affects elements except for entry. */
rwlock_t lock;
atomic_t refcnt;
u32 priority;
u32 index;
struct xfrm_selector selector;
unsigned long expires;
unsigned long lastuse;
struct dst_entry *bundles;
__u8 action;
#define XFRM_POLICY_ALLOW 0
#define XFRM_POLICY_BLOCK 1
__u8 flags;
#define XFRM_POLICY_LOCALOK 1 /* Allow user to override global policy */
__u8 dead;
__u8 xfrm_nr;
struct xfrm_tmpl xfrm_vec[XFRM_MAX_DEPTH];
};
extern struct xfrm_policy *xfrm_policy_list[XFRM_POLICY_MAX];
static inline void xfrm_pol_hold(struct xfrm_policy *policy)
{
if (policy)
atomic_inc(&policy->refcnt);
}
extern void __xfrm_policy_destroy(struct xfrm_policy *policy);
static inline void xfrm_pol_put(struct xfrm_policy *policy)
{
if (atomic_dec_and_test(&policy->refcnt))
__xfrm_policy_destroy(policy);
}
extern void __xfrm_state_destroy(struct xfrm_state *);
static inline void xfrm_state_put(struct xfrm_state *x)
{
if (atomic_dec_and_test(&x->refcnt))
__xfrm_state_destroy(x);
}
static inline int
xfrm4_selector_match(struct xfrm_selector *sel, struct flowi *fl)
{
return !((fl->fl4_dst^sel->daddr.xfrm4_addr)&sel->daddr.xfrm4_mask) &&
!((fl->uli_u.ports.dport^sel->dport)&sel->dport_mask) &&
!((fl->uli_u.ports.sport^sel->sport)&sel->sport_mask) &&
(fl->proto == sel->proto || !sel->proto) &&
(fl->oif == sel->ifindex || !sel->ifindex) &&
!((fl->fl4_src^sel->saddr.xfrm4_addr)&sel->saddr.xfrm4_mask);
}
/* A struct encoding bundle of transformations to apply to some set of flow.
*
* dst->child points to the next element of bundle.
* dst->xfrm points to an instanse of transformer.
*
* Due to unfortunate limitations of current routing cache, which we
* have no time to fix, it mirrors struct rtable and bound to the same
* routing key, including saddr,daddr. However, we can have many of
* bundles differing by session id. All the bundles grow from a parent
* policy rule.
*/
struct xfrm_dst
{
union {
struct xfrm_dst *next;
struct dst_entry dst;
struct rtable rt;
} u;
};
struct sec_path
{
atomic_t refcnt;
int len;
struct xfrm_state *xvec[XFRM_MAX_DEPTH];
};
static inline struct sec_path *
secpath_get(struct sec_path *sp)
{
if (sp)
atomic_inc(&sp->refcnt);
return sp;
}
extern void __secpath_destroy(struct sec_path *sp);
static inline void
secpath_put(struct sec_path *sp)
{
if (sp && atomic_dec_and_test(&sp->refcnt))
__secpath_destroy(sp);
}
extern int __xfrm_policy_check(int dir, struct sk_buff *skb);
static inline int xfrm_policy_check(int dir, struct sk_buff *skb)
{
return !xfrm_policy_list[dir] ||
(skb->dst->flags & DST_NOPOLICY) ||
__xfrm_policy_check(dir, skb);
}
extern int __xfrm_route_forward(struct sk_buff *skb);
static inline int xfrm_route_forward(struct sk_buff *skb)
{
return !xfrm_policy_list[XFRM_POLICY_OUT] ||
(skb->dst->flags & DST_NOXFRM) ||
__xfrm_route_forward(skb);
}
extern void xfrm_state_init(void);
extern void xfrm_input_init(void);
extern struct xfrm_state *xfrm_state_alloc(void);
extern struct xfrm_state *xfrm_state_find(u32 daddr, struct flowi *fl, struct xfrm_tmpl *tmpl);
extern int xfrm_state_check_expire(struct xfrm_state *x);
extern void xfrm_state_insert(struct xfrm_state *x);
extern int xfrm_state_check_space(struct xfrm_state *x, struct sk_buff *skb);
extern struct xfrm_state * xfrm_state_lookup(u32 daddr, u32 spi, u8 proto);
extern struct xfrm_policy *xfrm_policy_lookup(int dir, struct flowi *fl);
extern int xfrm_replay_check(struct xfrm_state *x, u32 seq);
extern void xfrm_replay_advance(struct xfrm_state *x, u32 seq);
extern int xfrm_check_selectors(struct xfrm_state **x, int n, struct flowi *fl);
extern int xfrm4_rcv(struct sk_buff *skb);
extern wait_queue_head_t *km_waitq;
extern void km_notify(struct xfrm_state *x, int event);
extern int km_query(struct xfrm_state *x);
extern int ah4_init(void);
net/core/skbuff.c
View file @ 6c55c29f
......@@ -58,6 +58,7 @@
#include <net/dst.h>
#include <net/sock.h>
#include <net/checksum.h>
#include <net/xfrm.h>
#include <asm/uaccess.h>
#include <asm/system.h>
......@@ -235,6 +236,7 @@ static inline void skb_headerinit(void *p, kmem_cache_t *cache,
skb->stamp.tv_sec = 0; /* No idea about time */
skb->dev = NULL;
skb->dst = NULL;
skb->sp = NULL;
memset(skb->cb, 0, sizeof(skb->cb));
skb->pkt_type = PACKET_HOST; /* Default type */
skb->ip_summed = 0;
......@@ -322,6 +324,7 @@ void __kfree_skb(struct sk_buff *skb)
}
dst_release(skb->dst);
secpath_put(skb->sp);
if(skb->destructor) {
if (in_irq())
printk(KERN_WARNING "Warning: kfree_skb on "
......@@ -374,6 +377,8 @@ struct sk_buff *skb_clone(struct sk_buff *skb, int gfp_mask)
C(mac);
C(dst);
dst_clone(n->dst);
C(sp);
secpath_get(n->sp);
memcpy(n->cb, skb->cb, sizeof(skb->cb));
C(len);
C(data_len);
......@@ -433,6 +438,7 @@ static void copy_skb_header(struct sk_buff *new, const struct sk_buff *old)
new->priority = old->priority;
new->protocol = old->protocol;
new->dst = dst_clone(old->dst);
new->sp = secpath_get(old->sp);
new->h.raw = old->h.raw + offset;
new->nh.raw = old->nh.raw + offset;
new->mac.raw = old->mac.raw + offset;
......
net/ipv4/Makefile
View file @ 6c55c29f
......@@ -18,4 +18,6 @@ obj-$(CONFIG_SYN_COOKIES) += syncookies.o
obj-$(CONFIG_IP_PNP) += ipconfig.o
obj-$(CONFIG_NETFILTER) += netfilter/
obj-y += xfrm_policy.o xfrm_state.o xfrm_input.o ah.o
include $(TOPDIR)/Rules.make
net/ipv4/ah.c 0 → 100644
View file @ 6c55c29f
#include <net/ip.h>
#include <net/xfrm.h>
#include <linux/crypto.h>
#include <net/icmp.h>
struct ah_data
{
u8 *key;
int key_len;
int digest_len;
void (*digest)(struct xfrm_state*,
struct sk_buff *skb,
u8 *digest);
struct crypto_tfm *tfm;
};
/* Clear mutable options and find final destination to substitute
* into IP header for digest calculation. Options are already checked
* for validity, so paranoia is not required. */
int ip_clear_mutable_options(struct iphdr *iph, u32 *daddr)
{
unsigned char * optptr = (unsigned char*)(iph+1);
int l = iph->ihl*4 - 20;
int optlen;
while (l > 0) {
switch (*optptr) {
case IPOPT_END:
return 0;
case IPOPT_NOOP:
l--;
optptr++;
continue;
}
optlen = optptr[1];
if (optlen<2 || optlen>l)
return -EINVAL;
switch (*optptr) {
case IPOPT_SEC:
case 0x85: /* Some "Extended Security" crap. */
case 0x86: /* Another "Commercial Security" crap. */
case IPOPT_RA:
case 0x80|21: /* RFC1770 */
break;
case IPOPT_LSRR:
case IPOPT_SSRR:
if (optlen < 6)
return -EINVAL;
memcpy(daddr, optptr+optlen-4, 4);
/* Fall through */
default:
memset(optptr+2, 0, optlen-2);
}
l -= optlen;
optptr += optlen;
}
return 0;
}
void skb_ah_walk(const struct sk_buff *skb, struct crypto_tfm *tfm)
{
int offset = 0;
int len = skb->len;
int start = skb->len - skb->data_len;
int i, copy = start - offset;
/* Checksum header. */
if (copy > 0) {
if (copy > len)
copy = len;
tfm->__crt_alg->cra_digest.dia_update(tfm->crt_ctx, skb->data+offset, copy);
if ((len -= copy) == 0)
return;
offset += copy;
}
for (i = 0; i < skb_shinfo(skb)->nr_frags; i++) {
int end;
BUG_TRAP(start <= offset + len);
end = start + skb_shinfo(skb)->frags[i].size;
if ((copy = end - offset) > 0) {
u8 *vaddr;
skb_frag_t *frag = &skb_shinfo(skb)->frags[i];
if (copy > len)
copy = len;
vaddr = kmap_skb_frag(frag);
tfm->__crt_alg->cra_digest.dia_update(tfm->crt_ctx, vaddr+frag->page_offset+offset-start, copy);
kunmap_skb_frag(vaddr);
if (!(len -= copy))
return;
offset += copy;
}
start = end;
}
if (skb_shinfo(skb)->frag_list) {
struct sk_buff *list = skb_shinfo(skb)->frag_list;
for (; list; list = list->next) {
int end;
BUG_TRAP(start <= offset + len);
end = start + list->len;
if ((copy = end - offset) > 0) {
if (copy > len)
copy = len;
skb_ah_walk(list, tfm);
if ((len -= copy) == 0)
return;
offset += copy;
}
start = end;
}
}
if (len)
BUG();
}
#if 0 /* obsolete? */
static void
ah_old_digest(struct xfrm_state *x, struct sk_buff *skb, u8 *auth_data)
{
struct ah_data *ahp = (struct ah_data*)x->data;
struct crypto_tfm *tfm = ahp->tfm;
u8 pad[512/8 - ahp->key_len];
memset(auth_data, 0, ahp->digest_len);
memset(pad, 0, sizeof(pad));
crypto_digest_init(tfm);
tfm->__crt_alg->cra_digest.dia_update(tfm->crt_ctx, ahp->key, ahp->key_len);
tfm->__crt_alg->cra_digest.dia_update(tfm->crt_ctx, ahp->key, sizeof(pad)-ahp->key_len);
skb_ah_walk(skb, tfm);
tfm->__crt_alg->cra_digest.dia_update(tfm->crt_ctx, ahp->key, ahp->key_len);
crypto_digest_final(tfm, auth_data);
}
#endif
/* I bring apologies for wrong use of crypto lib. Use of official
* api to get hmac digest is too chumbersome.
*/
static void
ah_hmac_digest(struct xfrm_state *x, struct sk_buff *skb, u8 *auth_data)
{
struct ah_data *ahp = (struct ah_data*)x->data;
struct crypto_tfm *tfm = ahp->tfm;
int i;
char tmp_digest[crypto_tfm_digestsize(tfm)];
char pad[crypto_tfm_blocksize(tfm)];
memset(auth_data, 0, ahp->digest_len);
memset(pad, 0, sizeof(pad));
memcpy(pad, ahp->key, ahp->key_len);
for (i = 0; i < crypto_tfm_blocksize(tfm); i++)
pad[i] ^= 0x36;
crypto_digest_init(tfm);
tfm->__crt_alg->cra_digest.dia_update(tfm->crt_ctx, pad, sizeof(pad));
skb_ah_walk(skb, tfm);
crypto_digest_final(tfm, tmp_digest);
memset(pad, 0, sizeof(pad));
memcpy(pad, ahp->key, ahp->key_len);
for (i = 0; i < crypto_tfm_blocksize(tfm); i++)
pad[i] ^= 0x5c;
crypto_digest_init(tfm);
tfm->__crt_alg->cra_digest.dia_update(tfm->crt_ctx, pad, sizeof(pad));
tfm->__crt_alg->cra_digest.dia_update(tfm->crt_ctx, tmp_digest, crypto_tfm_digestsize(tfm));
crypto_digest_final(tfm, auth_data);
}
int ah_output(struct sk_buff *skb)
{
int err;
struct dst_entry *dst = skb->dst;
struct xfrm_state *x = dst->xfrm;
struct iphdr *iph, *top_iph;
struct ip_auth_hdr *ah;
struct ah_data *ahp;
union {
struct iphdr iph;
char buf[60];
} tmp_iph;
if (skb->ip_summed == CHECKSUM_HW && skb_checksum_help(skb) == NULL)
return -EINVAL;
spin_lock_bh(&x->lock);
if ((err = xfrm_state_check_expire(x)) != 0)
goto error;
if ((err = xfrm_state_check_space(x, skb)) != 0)
goto error;
iph = skb->nh.iph;
if (x->props.mode) {
top_iph = (struct iphdr*)skb_push(skb, x->props.header_len);
top_iph->ihl = 4;
top_iph->version = 5;
top_iph->tos = 0;
top_iph->tot_len = htons(skb->len);
top_iph->id = inet_getid(((struct rtable*)dst)->peer, 0);
top_iph->frag_off = 0;
top_iph->ttl = 0;
top_iph->protocol = IPPROTO_AH;
top_iph->check = 0;
top_iph->saddr = x->props.saddr.xfrm4_addr;
top_iph->daddr = x->id.daddr.xfrm4_addr;
ah = (struct ip_auth_hdr*)(top_iph+1);
ah->nexthdr = IPPROTO_IP;
} else {
memcpy(&tmp_iph, skb->data, iph->ihl*4);
top_iph = (struct iphdr*)skb_push(skb, x->props.header_len);
memcpy(top_iph, &tmp_iph, iph->ihl*4);
iph = &tmp_iph.iph;
top_iph->tos = 0;
top_iph->tot_len = htons(skb->len);
top_iph->frag_off = 0;
top_iph->ttl = 0;
top_iph->protocol = IPPROTO_AH;
top_iph->check = 0;
if (top_iph->ihl != 5) {
err = ip_clear_mutable_options(top_iph, &top_iph->daddr);
if (err)
goto error;
}
ah = (struct ip_auth_hdr*)((char*)top_iph+iph->ihl*4);
ah->nexthdr = iph->protocol;
}
ahp = x->data;
ah->hdrlen = (((ahp->digest_len + 12 + 7)&~7)>>2)-2;
ah->reserved = 0;
ah->spi = x->id.spi;
ah->seq_no = htonl(++x->replay.oseq);
ahp->digest(x, skb, ah->auth_data);
top_iph->tos = iph->tos;
top_iph->ttl = iph->ttl;
if (x->props.mode) {
top_iph->frag_off = iph->frag_off&~htons(IP_MF|IP_OFFSET);
memset(&(IPCB(skb)->opt), 0, sizeof(struct ip_options));
} else {
top_iph->frag_off = iph->frag_off;
top_iph->daddr = iph->daddr;
if (iph->ihl != 5)
memcpy(top_iph+1, iph+1, iph->ihl*5 - 20);
}
ip_send_check(top_iph);
skb->nh.raw = skb->data;
x->stats.bytes += skb->len;
spin_unlock_bh(&x->lock);
if ((skb->dst = dst_pop(dst)) == NULL)
goto error;
return NET_XMIT_BYPASS;
error:
spin_unlock_bh(&x->lock);
kfree_skb(skb);
return err;
}
int ah_input(struct xfrm_state *x, struct sk_buff *skb)
{
struct iphdr *iph;
struct ip_auth_hdr *ah;
struct ah_data *ahp;
char work_buf[60];
if (!pskb_may_pull(skb, sizeof(struct ip_auth_hdr)))
goto out;
ah = (struct ip_auth_hdr*)skb->data;
ahp = x->data;
if (((ah->hdrlen+2)<<2) != ((ahp->digest_len + 12 + 7)&~7))
goto out;
if (!pskb_may_pull(skb, (ah->hdrlen+2)<<2))
goto out;
/* We are going to _remove_ AH header to keep sockets happy,
* so... Later this can change. */
if (skb_cloned(skb) &&
pskb_expand_head(skb, 0, 0, GFP_ATOMIC))
goto out;
ah = (struct ip_auth_hdr*)skb->data;
iph = skb->nh.iph;
memcpy(work_buf, iph, iph->ihl*4);
iph->ttl = 0;
iph->tos = 0;
iph->frag_off = 0;
iph->check = 0;
if (iph->ihl != 5) {
u32 dummy;
if (ip_clear_mutable_options(iph, &dummy))
goto out;
}
{
u8 auth_data[ahp->digest_len];
memcpy(auth_data, ah->auth_data, ahp->digest_len);
skb_push(skb, skb->data - skb->nh.raw);
ahp->digest(x, skb, ah->auth_data);
if (memcmp(ah->auth_data, auth_data, ahp->digest_len)) {
x->stats.integrity_failed++;
goto out;
}
}
((struct iphdr*)work_buf)->protocol = ah->nexthdr;
skb->nh.raw = skb_pull(skb, (ah->hdrlen+2)<<2);
memcpy(skb->nh.raw, work_buf, iph->ihl*4);
skb->nh.iph->tot_len = htons(skb->len);
skb_pull(skb, skb->nh.iph->ihl*4);
skb->h.raw = skb->data;
return 0;
out:
return -EINVAL;
}
void ah4_err(struct sk_buff *skb, u32 info)
{
struct iphdr *iph = (struct iphdr*)skb->data;
struct ip_auth_hdr *ah = (struct ip_auth_hdr*)(skb->data+(iph->ihl<<2));
struct xfrm_state *x;
if (skb->h.icmph->type != ICMP_DEST_UNREACH ||
skb->h.icmph->code != ICMP_FRAG_NEEDED)
return;
x = xfrm_state_lookup(iph->daddr, ah->spi, IPPROTO_AH);
if (!x)
return;
printk(KERN_DEBUG "pmtu discvovery on SA AH/%08x/%08x\n",
ntohl(ah->spi), ntohl(iph->daddr));
xfrm_state_put(x);
}
static struct inet_protocol ah4_protocol = {
.handler = xfrm4_rcv,
.err_handler = ah4_err,
};
int __init ah4_init(void)
{
if (inet_add_protocol(&ah4_protocol, IPPROTO_AH) < 0) {
printk(KERN_INFO "ip ah init: can't add protocol\n");
return -EAGAIN;
}
return 0;
}
static void __exit ah4_fini(void)
{
if (inet_del_protocol(&ah4_protocol, IPPROTO_AH) < 0)
printk(KERN_INFO "ip ah close: can't remove protocol\n");
}
void ah_destroy(struct xfrm_state *x)
{
}
struct ah_data debugging_ah_state =
{
.key = "PIZDETSPIZDETSPIZDETSPIZDETSPIZDETS",
.key_len = 32,
.digest_len = 16,
.digest = ah_hmac_digest
};
int ah_init_state(struct xfrm_state *x, void *args)
{
debugging_ah_state.tfm = crypto_alloc_tfm(CRYPTO_ALG_MD5);
x->data = &debugging_ah_state;
x->props.header_len = 16+16;
return 0;
}
struct xfrm_type ah_type =
{
.description = "AH4-HMAC",
.refcnt = ATOMIC_INIT(1),
.proto = IPPROTO_AH,
.algo = 0,
.init_state = ah_init_state,
.destructor = ah_destroy,
.input = ah_input,
.output = ah_output
};
net/ipv4/ip_forward.c
View file @ 6c55c29f
......@@ -40,9 +40,7 @@
#include <net/checksum.h>
#include <linux/route.h>
#include <net/route.h>
#if 0
#include <net/xfrm.h>
#endif
static inline int ip_forward_finish(struct sk_buff *skb)
{
......@@ -62,10 +60,9 @@ int ip_forward(struct sk_buff *skb)
struct rtable *rt; /* Route we use */
struct ip_options * opt = &(IPCB(skb)->opt);
#if 0
if (!xfrm_policy_check(XFRM_POLICY_FWD, skb))
goto drop;
#endif
if (IPCB(skb)->opt.router_alert && ip_call_ra_chain(skb))
return NET_RX_SUCCESS;
......@@ -85,10 +82,8 @@ int ip_forward(struct sk_buff *skb)
if (iph->ttl <= 1)
goto too_many_hops;
#if 0
if (!xfrm_route_forward(skb))
goto drop;
#endif
iph = skb->nh.iph;
rt = (struct rtable*)skb->dst;
......
net/ipv4/ip_input.c
View file @ 6c55c29f
......@@ -141,6 +141,7 @@
#include <net/raw.h>
#include <net/checksum.h>
#include <linux/netfilter_ipv4.h>
#include <net/xfrm.h>
#include <linux/mroute.h>
#include <linux/netlink.h>
......@@ -222,6 +223,15 @@ static inline int ip_local_deliver_finish(struct sk_buff *skb)
struct inet_protocol *ipprot;
resubmit:
/* Fuck... This IS ugly. */
if (protocol != IPPROTO_AH &&
protocol != IPPROTO_ESP &&
!xfrm_policy_check(XFRM_POLICY_IN, skb)) {
kfree_skb(skb);
return 0;
}
hash = protocol & (MAX_INET_PROTOS - 1);
raw_sk = raw_v4_htable[hash];
......
net/ipv4/route.c
View file @ 6c55c29f
......@@ -2031,11 +2031,7 @@ int ip_route_output_key(struct rtable **rp, struct flowi *flp)
if ((err = __ip_route_output_key(rp, flp)) != 0)
return err;
#if 0
return flp->proto ? xfrm_lookup((struct dst_entry**)rp, flp, NULL, 0) : 0;
#else
return 0;
#endif
}
static int rt_fill_info(struct sk_buff *skb, u32 pid, u32 seq, int event,
......@@ -2545,4 +2541,5 @@ void __init ip_rt_init(void)
#ifdef CONFIG_NET_CLS_ROUTE
create_proc_read_entry("net/rt_acct", 0, 0, ip_rt_acct_read, NULL);
#endif
xfrm_init();
}
net/ipv4/xfrm_input.c 0 → 100644
View file @ 6c55c29f
#include <net/ip.h>
#include <net/xfrm.h>
static kmem_cache_t *secpath_cachep;
void __secpath_destroy(struct sec_path *sp)
{
int i;
for (i = 0; i < sp->len; i++)
xfrm_state_put(sp->xvec[i]);
kmem_cache_free(secpath_cachep, sp);
}
/* Fetch spi and seq frpm ipsec header */
static int xfrm_parse_spi(struct sk_buff *skb, u32 *spi, u32 *seq)
{
int offset, offset_seq;
switch (skb->nh.iph->protocol) {
case IPPROTO_AH:
offset = offsetof(struct ip_auth_hdr, spi);
offset_seq = offsetof(struct ip_auth_hdr, seq_no);
break;
case IPPROTO_ESP:
offset = offsetof(struct ip_esp_hdr, spi);
offset_seq = offsetof(struct ip_esp_hdr, seq_no);
break;
case IPPROTO_COMP:
if (!pskb_may_pull(skb, 4))
return -EINVAL;
*spi = *(u16*)(skb->h.raw + 2);
*seq = 0;
return 0;
default:
return 1;
}
if (!pskb_may_pull(skb, 16))
return -EINVAL;
*spi = *(u32*)(skb->h.raw + offset);
*seq = *(u32*)(skb->h.raw + offset_seq);
return 0;
}
int xfrm4_rcv(struct sk_buff *skb)
{
int err;
u32 spi, seq;
struct xfrm_state *xfrm_vec[XFRM_MAX_DEPTH];
struct xfrm_state *x;
int xfrm_nr = 0;
int decaps = 0;
if ((err = xfrm_parse_spi(skb, &spi, &seq)) != 0)
goto drop;
do {
struct iphdr *iph = skb->nh.iph;
if (xfrm_nr == XFRM_MAX_DEPTH)
goto drop;
x = xfrm_state_lookup(iph->daddr, spi, iph->protocol);
if (x == NULL)
goto drop;
spin_lock(&x->lock);
if (unlikely(x->km.state != XFRM_STATE_VALID))
goto drop_unlock;
if (x->props.replay_window && xfrm_replay_check(x, seq))
goto drop_unlock;
if (x->type->input(x, skb))
goto drop_unlock;
if (x->props.replay_window)
xfrm_replay_advance(x, seq);
spin_unlock(&x->lock);
xfrm_vec[xfrm_nr++] = x;
iph = skb->nh.iph;
if (x->props.mode) {
if (iph->protocol != IPPROTO_IP)
goto drop;
skb->nh.raw = skb->data;
iph = skb->nh.iph;
memset(&(IPCB(skb)->opt), 0, sizeof(struct ip_options));
decaps = 1;
break;
}
if ((err = xfrm_parse_spi(skb, &spi, &seq)) < 0)
goto drop;
} while (!err);
/* Allocate new secpath or COW existing one. */
if (!skb->sp || atomic_read(&skb->sp->refcnt) != 1) {
struct sec_path *sp;
sp = kmem_cache_alloc(secpath_cachep, SLAB_ATOMIC);
if (!sp)
goto drop;
if (skb->sp) {
memcpy(sp, skb->sp, sizeof(struct sec_path));
secpath_put(skb->sp);
} else
sp->len = 0;
atomic_set(&sp->refcnt, 1);
skb->sp = sp;
}
if (xfrm_nr + skb->sp->len > XFRM_MAX_DEPTH)
goto drop;
memcpy(skb->sp->xvec+skb->sp->len, xfrm_vec, xfrm_nr*sizeof(void*));
skb->sp->len += xfrm_nr;
if (decaps) {
dst_release(skb->dst);
skb->dst = NULL;
netif_rx(skb);
return 0;
} else {
return -skb->nh.iph->protocol;
}
drop_unlock:
spin_unlock(&x->lock);
xfrm_state_put(x);
drop:
while (--xfrm_nr >= 0)
xfrm_state_put(xfrm_vec[xfrm_nr]);
kfree_skb(skb);
return 0;
}
void __init xfrm_input_init(void)
{
secpath_cachep = kmem_cache_create("secpath_cache",
sizeof(struct sec_path),
0, SLAB_HWCACHE_ALIGN,
NULL, NULL);
if (!secpath_cachep)
panic("IP: failed to allocate secpath_cache\n");
}
net/ipv4/xfrm_policy.c 0 → 100644
View file @ 6c55c29f
#include <net/xfrm.h>
#include <net/ip.h>
static u32 xfrm_policy_genid;
static rwlock_t xfrm_policy_lock = RW_LOCK_UNLOCKED;
struct xfrm_policy *xfrm_policy_list[XFRM_POLICY_MAX];
extern struct dst_ops xfrm4_dst_ops;
/* Limited flow cache. Its function now is to accelerate search for
* policy rules.
*
* Flow cache is private to cpus, at the moment this is important
* mostly for flows which do not match any rule, so that flow lookups
* are absolultely cpu-local. When a rule exists we do some updates
* to rule (refcnt, stats), so that locality is broken. Later this
* can be repaired.
*/
struct flow_entry
{
struct flow_entry *next;
struct flowi fl;
u8 dir;
u32 genid;
struct xfrm_policy *pol;
};
static kmem_cache_t *flow_cachep;
struct flow_entry **flow_table;
#define FLOWCACHE_HASH_SIZE 1024
static inline u32 flow_hash(struct flowi *fl)
{
u32 hash = fl->fl4_src ^ fl->uli_u.ports.sport;
hash = ((hash & 0xF0F0F0F0) >> 4) | ((hash & 0x0F0F0F0F) << 4);
hash ^= fl->fl4_dst ^ fl->uli_u.ports.dport;
hash ^= (hash >> 10);
hash ^= (hash >> 20);
return hash & (FLOWCACHE_HASH_SIZE-1);
}
static int flow_lwm = 2*FLOWCACHE_HASH_SIZE;
static int flow_hwm = 4*FLOWCACHE_HASH_SIZE;
static int flow_number[NR_CPUS] __cacheline_aligned;
#define flow_count(cpu) (flow_number[cpu])
static void flow_cache_shrink(int cpu)
{
int i;
struct flow_entry *fle, **flp;
int shrink_to = flow_lwm/FLOWCACHE_HASH_SIZE;
for (i=0; i<FLOWCACHE_HASH_SIZE; i++) {
int k = 0;
flp = &flow_table[cpu*FLOWCACHE_HASH_SIZE+i];
while ((fle=*flp) != NULL && k<shrink_to) {
k++;
flp = &fle->next;
}
while ((fle=*flp) != NULL) {
*flp = fle->next;
if (fle->pol)
xfrm_pol_put(fle->pol);
kmem_cache_free(flow_cachep, fle);
}
}
}
struct xfrm_policy *flow_lookup(int dir, struct flowi *fl)
{
struct xfrm_policy *pol;
struct flow_entry *fle;
u32 hash = flow_hash(fl);
int cpu;
local_bh_disable();
cpu = smp_processor_id();
for (fle = flow_table[cpu*FLOWCACHE_HASH_SIZE+hash];
fle; fle = fle->next) {
if (memcmp(fl, &fle->fl, sizeof(fle->fl)) == 0 &&
fle->dir == dir) {
if (fle->genid == xfrm_policy_genid) {
if ((pol = fle->pol) != NULL)
atomic_inc(&pol->refcnt);
local_bh_enable();
return pol;
}
break;
}
}
pol = xfrm_policy_lookup(dir, fl);
if (fle) {
/* Stale flow entry found. Update it. */
fle->genid = xfrm_policy_genid;
if (fle->pol)
xfrm_pol_put(fle->pol);
fle->pol = pol;
if (pol)
atomic_inc(&pol->refcnt);
} else {
if (flow_count(cpu) > flow_hwm)
flow_cache_shrink(cpu);
fle = kmem_cache_alloc(flow_cachep, SLAB_ATOMIC);
if (fle) {
flow_count(cpu)++;
fle->fl = *fl;
fle->genid = xfrm_policy_genid;
fle->dir = dir;
fle->pol = pol;
if (pol)
atomic_inc(&pol->refcnt);
fle->next = flow_table[cpu*FLOWCACHE_HASH_SIZE+hash];
flow_table[cpu*FLOWCACHE_HASH_SIZE+hash] = fle;
}
}
local_bh_enable();
return pol;
}
void __init flow_cache_init(void)
{
int order;
flow_cachep = kmem_cache_create("flow_cache",
sizeof(struct flow_entry),
0, SLAB_HWCACHE_ALIGN,
NULL, NULL);
if (!flow_cachep)
panic("NET: failed to allocate flow cache slab\n");
for (order = 0;
(PAGE_SIZE<<order) < (NR_CPUS*sizeof(struct flow_entry *)*FLOWCACHE_HASH_SIZE);
order++)
/* NOTHING */;
flow_table = (struct flow_entry **)__get_free_pages(GFP_ATOMIC, order);
if (!flow_table)
panic("Failed to allocate flow cache hash table\n");
memset(flow_table, 0, PAGE_SIZE<<order);
}
/* Allocate xfrm_policy. Not used here, it is supposed to be used by pfkeyv2
* SPD calls.
*/
struct xfrm_policy *xfrm_policy_alloc(void)
{
struct xfrm_policy *policy;
policy = kmalloc(sizeof(struct xfrm_policy), GFP_KERNEL);
if (policy) {
memset(policy, 0, sizeof(struct xfrm_policy));
atomic_set(&policy->refcnt, 1);
policy->lock = RW_LOCK_UNLOCKED;
}
return policy;
}
/* Destroy xfrm_policy: descendant resources must be released to this moment. */
void __xfrm_policy_destroy(struct xfrm_policy *policy)
{
int i;
if (!policy->dead)
BUG();
for (i=0; i<policy->xfrm_nr; i++) {
if (policy->xfrm_vec[i].resolved)
BUG();
}
if (policy->bundles)
BUG();
kfree(policy);
}
/* Rule must be locked. Release descentant resources, announce
* entry dead. The rule must be unlinked from lists to the moment.
*/
void xfrm_policy_kill(struct xfrm_policy *policy)
{
struct dst_entry *dst;
int i;
policy->dead = 1;
for (i=0; i<policy->xfrm_nr; i++) {
if (policy->xfrm_vec[i].resolved) {
xfrm_state_put(policy->xfrm_vec[i].resolved);
policy->xfrm_vec[i].resolved = NULL;
}
}
while ((dst = policy->bundles) != NULL) {
policy->bundles = dst->next;
dst_free(dst);
}
}
/* Find policy to apply to this flow. */
struct xfrm_policy *xfrm_policy_lookup(int dir, struct flowi *fl)
{
struct xfrm_policy *pol;
unsigned long now = xtime.tv_sec;
read_lock(&xfrm_policy_lock);
for (pol = xfrm_policy_list[dir]; pol; pol = pol->next) {
struct xfrm_selector *sel = &pol->selector;
if (xfrm4_selector_match(sel, fl) && now < pol->expires) {
pol->lastuse = now;
atomic_inc(&pol->refcnt);
break;
}
}
read_unlock(&xfrm_policy_lock);
return pol;
}
/* Resolve list of templates for the flow, given policy. */
static int
xfrm_tmpl_resolve(struct xfrm_policy *policy, struct flowi *fl,
struct xfrm_state **xfrm)
{
int i, error;
u32 daddr = fl->fl4_dst;
for (i = 0; i < policy->xfrm_nr; i++) {
struct xfrm_tmpl *tmpl = &policy->xfrm_vec[i];
if (tmpl->mode)
daddr = tmpl->id.daddr.xfrm4_addr;
if (tmpl->resolved) {
if (tmpl->resolved->km.state != XFRM_STATE_VALID) {
error = -EINVAL;
goto fail;
}
xfrm[i] = tmpl->resolved;
atomic_inc(&tmpl->resolved->refcnt);
} else {
xfrm[i] = xfrm_state_find(daddr, fl, tmpl);
if (xfrm[i] == NULL) {
error = -ENOMEM;
goto fail;
}
if (xfrm[i]->km.state == XFRM_STATE_VALID)
continue;
i++;
if (xfrm[i]->km.state == XFRM_STATE_ERROR)
error = -EINVAL;
else
error = -EAGAIN;
goto fail;
}
}
return 0;
fail:
for (i--; i>=0; i--)
xfrm_state_put(xfrm[i]);
return error;
}
/* Check that the bundle accepts the flow and its components are
* still valid.
*/
static int xfrm_bundle_ok(struct xfrm_dst *xdst, struct flowi *fl)
{
do {
if (xdst->u.dst.ops != &xfrm4_dst_ops)
return 1;
if (!xfrm4_selector_match(&xdst->u.dst.xfrm->sel, fl))
return 0;
if (xdst->u.dst.xfrm->km.state != XFRM_STATE_VALID ||
xdst->u.dst.path->obsolete > 0)
return 0;
xdst = (struct xfrm_dst*)xdst->u.dst.child;
} while (xdst);
return 0;
}
/* Allocate chain of dst_entry's, attach known xfrm's, calculate
* all the metrics... Shortly, bundle a bundle.
*/
int
xfrm_bundle_create(struct xfrm_policy *policy, struct xfrm_state **xfrm,
struct flowi *fl, struct dst_entry **dst_p)
{
struct dst_entry *dst, *dst_prev;
struct rtable *rt = (struct rtable*)(*dst_p);
u32 remote = fl->fl4_dst;
u32 local = fl->fl4_src;
int i;
int err;
int header_len = 0;
dst = dst_prev = NULL;
for (i = 0; i < policy->xfrm_nr; i++) {
struct dst_entry *dst1 = dst_alloc(&xfrm4_dst_ops);
if (unlikely(dst1 == NULL)) {
err = -ENOBUFS;
goto error;
}
dst1->xfrm = xfrm[i];
if (!dst)
dst = dst1;
else
dst_prev->child = dst1;
dst_prev = dst1;
if (xfrm[i]->props.mode) {
remote = xfrm[i]->id.daddr.xfrm4_addr;
local = xfrm[i]->props.saddr.xfrm4_addr;
}
header_len += xfrm[i]->props.header_len;
}
if (remote != fl->fl4_dst) {
struct flowi fl_tunnel = { .nl_u = { .ip4_u =
{ .daddr = remote,
.saddr = local }
}
};
err = ip_route_output_key(&rt, &fl_tunnel);
if (err)
goto error;
dst_release(*dst_p);
*dst_p = &rt->u.dst;
}
dst_prev->child = &rt->u.dst;
for (dst_prev = dst; dst_prev != &rt->u.dst; dst_prev = dst_prev->child) {
struct xfrm_dst *x = (struct xfrm_dst*)dst_prev;
x->u.rt.fl = *fl;
dst_prev->dev = rt->u.dst.dev;
if (rt->u.dst.dev)
dev_hold(rt->u.dst.dev);
dst_prev->flags = DST_HOST;
dst_prev->lastuse = jiffies;
dst_prev->header_len = header_len;
memcpy(&dst_prev->metrics, &rt->u.dst.metrics, sizeof(&dst_prev->metrics));
dst_prev->path = &rt->u.dst;
/* Copy neighbout for reachability confirmation */
dst_prev->neighbour = neigh_clone(rt->u.dst.neighbour);
dst_prev->input = rt->u.dst.input;
dst_prev->output = dst_prev->xfrm->type->output;
if (rt->peer)
atomic_inc(&rt->peer->refcnt);
x->u.rt.peer = rt->peer;
x->u.rt.rt_flags = rt->rt_flags;
x->u.rt.rt_type = rt->rt_type;
x->u.rt.rt_src = rt->rt_src;
x->u.rt.rt_src = rt->rt_src;
x->u.rt.rt_dst = rt->rt_dst;
x->u.rt.rt_gateway = rt->rt_gateway;
x->u.rt.rt_spec_dst = rt->rt_spec_dst;
header_len -= x->u.dst.xfrm->props.header_len;
}
*dst_p = dst;
return 0;
error:
if (dst)
dst_free(dst);
return err;
}
/* Main function: finds/creates a bundle for given flow.
*
* At the moment we eat a raw IP route. Mostly to speed up lookups
* on interfaces with disabled IPsec.
*/
int xfrm_lookup(struct dst_entry **dst_p, struct flowi *fl,
struct sock *sk, int flags)
{
struct xfrm_policy *policy;
struct xfrm_state *xfrm[XFRM_MAX_DEPTH];
struct rtable *rt = (struct rtable*)*dst_p;
struct dst_entry *dst;
int err;
u32 genid;
/* To accelerate a bit... */
if ((rt->u.dst.flags & DST_NOXFRM) || !xfrm_policy_list[XFRM_POLICY_OUT])
return 0;
fl->oif = rt->u.dst.dev->ifindex;
fl->fl4_src = rt->rt_src;
restart:
genid = xfrm_policy_genid;
policy = flow_lookup(XFRM_POLICY_OUT, fl);
if (!policy)
return 0;
switch (policy->action) {
case XFRM_POLICY_BLOCK:
/* Prohibit the flow */
xfrm_pol_put(policy);
return -EPERM;
case XFRM_POLICY_ALLOW:
if (policy->xfrm_nr == 0) {
/* Flow passes not transformed. */
xfrm_pol_put(policy);
return 0;
}
/* Try to find matching bundle.
*
* LATER: help from flow cache. It is optional, this
* is required only for output policy.
*/
read_lock_bh(&policy->lock);
for (dst = policy->bundles; dst; dst = dst->next) {
struct xfrm_dst *xdst = (struct xfrm_dst*)dst;
if (xdst->u.rt.fl.fl4_dst == fl->fl4_dst &&
xdst->u.rt.fl.fl4_src == fl->fl4_src &&
xdst->u.rt.fl.oif == fl->oif &&
xfrm_bundle_ok(xdst, fl)) {
dst_clone(dst);
break;
}
}
read_unlock_bh(&policy->lock);
if (dst)
break;
err = xfrm_tmpl_resolve(policy, fl, xfrm);
if (unlikely(err)) {
if (err == -EAGAIN) {
struct task_struct *tsk = current;
DECLARE_WAITQUEUE(wait, tsk);
if (!flags)
goto error;
__set_task_state(tsk, TASK_INTERRUPTIBLE);
add_wait_queue(km_waitq, &wait);
err = xfrm_tmpl_resolve(policy, fl, xfrm);
if (err == -EAGAIN)
schedule();
__set_task_state(tsk, TASK_RUNNING);
remove_wait_queue(km_waitq, &wait);
if (err == -EAGAIN && signal_pending(current)) {
err = -ERESTART;
goto error;
}
if (err == -EAGAIN ||
genid != xfrm_policy_genid)
goto restart;
}
if (err)
goto error;
}
dst = &rt->u.dst;
err = xfrm_bundle_create(policy, xfrm, fl, &dst);
if (unlikely(err)) {
int i;
for (i=0; i<policy->xfrm_nr; i++)
xfrm_state_put(xfrm[i]);
err = -EPERM;
goto error;
}
write_lock_bh(&policy->lock);
if (unlikely(policy->dead)) {
/* Wow! While we worked on resolving, this
* policy has gone. Retry. It is not paranoia,
* we just cannot enlist new bundle to dead object.
*/
write_unlock_bh(&policy->lock);
xfrm_pol_put(policy);
if (dst) {
dst_release(dst);
dst_free(dst);
}
goto restart;
}
dst->next = policy->bundles;
policy->bundles = dst;
write_unlock_bh(&policy->lock);
}
*dst_p = dst;
ip_rt_put(rt);
xfrm_pol_put(policy);
return 0;
error:
ip_rt_put(rt);
xfrm_pol_put(policy);
*dst_p = NULL;
return err;
}
/* When skb is transformed back to its "native" form, we have to
* check policy restrictions. At the moment we make this in maximally
* stupid way. Shame on me. :-) Of course, connected sockets must
* have policy cached at them.
*/
static inline int
xfrm_state_ok(struct xfrm_tmpl *tmpl, struct xfrm_state *x)
{
return x->id.proto == tmpl->id.proto &&
(x->id.spi == tmpl->id.spi || !tmpl->id.spi) &&
x->props.mode == tmpl->mode &&
(tmpl->algos & (1<<x->props.algo)) &&
(!x->props.mode || !tmpl->saddr.xfrm4_addr ||
tmpl->saddr.xfrm4_addr == x->props.saddr.xfrm4_addr);
}
static inline int
xfrm_policy_ok(struct xfrm_tmpl *tmpl, struct sec_path *sp, int idx)
{
for (; idx < sp->len; idx++) {
if (xfrm_state_ok(tmpl, sp->xvec[idx]))
return ++idx;
}
return -1;
}
static inline void
_decode_session(struct sk_buff *skb, struct flowi *fl)
{
struct iphdr *iph = skb->nh.iph;
u8 *xprth = skb->nh.raw + iph->ihl*4;
if (!(iph->frag_off & htons(IP_MF | IP_OFFSET))) {
switch (iph->protocol) {
case IPPROTO_UDP:
case IPPROTO_TCP:
case IPPROTO_SCTP:
if (pskb_may_pull(skb, xprth + 4 - skb->data)) {
u16 *ports = (u16 *)xprth;
fl->uli_u.ports.sport = ports[0];
fl->uli_u.ports.dport = ports[1];
}
break;
case IPPROTO_ESP:
if (pskb_may_pull(skb, xprth + 4 - skb->data)) {
u32 *ehdr = (u32 *)xprth;
fl->uli_u.spi = ehdr[0];
}
break;
case IPPROTO_AH:
if (pskb_may_pull(skb, xprth + 8 - skb->data)) {
u32 *ah_hdr = (u32*)xprth;
fl->uli_u.spi = ah_hdr[1];
}
break;
default:
fl->uli_u.spi = 0;
break;
};
} else {
memset(fl, 0, sizeof(struct flowi));
}
fl->proto = iph->protocol;
fl->fl4_dst = iph->daddr;
fl->fl4_src = iph->saddr;
}
int __xfrm_policy_check(int dir, struct sk_buff *skb)
{
struct xfrm_policy *pol;
struct flowi fl;
_decode_session(skb, &fl);
/* First, check used SA against their selectors. */
if (skb->sp) {
int i;
for (i=skb->sp->len-1; i>=0; i++) {
if (!xfrm4_selector_match(&skb->sp->xvec[i]->sel, &fl))
return 0;
}
}
pol = flow_lookup(dir, &fl);
if (!pol)
return 1;
if (pol->action == XFRM_POLICY_ALLOW) {
if (pol->xfrm_nr != 0) {
struct sec_path *sp;
int i, k;
if ((sp = skb->sp) == NULL)
goto reject;
/* For each tmpl search corresponding xfrm.
* Order is _important_. Later we will implement
* some barriers, but at the moment barriers
* are implied between each two transformations.
*/
for (i = pol->xfrm_nr-1, k = 0; i >= 0; i--) {
k = xfrm_policy_ok(pol->xfrm_vec+i, sp, k);
if (k < 0)
goto reject;
}
}
xfrm_pol_put(pol);
return 1;
}
reject:
xfrm_pol_put(pol);
return 0;
}
int __xfrm_route_forward(struct sk_buff *skb)
{
struct flowi fl;
_decode_session(skb, &fl);
return xfrm_lookup(&skb->dst, &fl, NULL, 0) == 0;
}
static struct dst_entry *xfrm4_dst_check(struct dst_entry *dst, u32 cookie)
{
dst_release(dst);
return NULL;
}
static void xfrm4_dst_destroy(struct dst_entry *dst)
{
xfrm_state_put(dst->xfrm);
dst->xfrm = NULL;
}
static void xfrm4_link_failure(struct sk_buff *skb)
{
/* Impossible. Such dst must be popped before reaches point of failure. */
return;
}
static struct dst_entry *xfrm4_negative_advice(struct dst_entry *dst)
{
if (dst) {
if (dst->obsolete) {
dst_release(dst);
dst = NULL;
}
}
return dst;
}
static int xfrm4_garbage_collect(void)
{
int i;
struct xfrm_policy *pol;
struct dst_entry *dst, **dstp, *gc_list = NULL;
read_lock_bh(&xfrm_policy_lock);
for (i=0; i<XFRM_POLICY_MAX; i++) {
for (pol = xfrm_policy_list[i]; pol; pol = pol->next) {
write_lock(&pol->lock);
dstp = &pol->bundles;
while ((dst=*dstp) != NULL) {
if (atomic_read(&dst->__refcnt) == 0) {
*dstp = dst->next;
dst->next = gc_list;
gc_list = dst;
} else {
dstp = &dst->next;
}
}
write_unlock(&pol->lock);
}
}
read_unlock_bh(&xfrm_policy_lock);
while (gc_list) {
dst = gc_list;
gc_list = dst->next;
dst_destroy(dst);
}
return (atomic_read(&xfrm4_dst_ops.entries) > xfrm4_dst_ops.gc_thresh*2);
}
static void xfrm4_update_pmtu(struct dst_entry *dst, u32 mtu)
{
struct dst_entry *path = dst->path;
if (mtu < 68 + dst->header_len)
return;
path->ops->update_pmtu(path, mtu);
}
/* Well... that's _TASK_. We need to scan through transformation
* list and figure out what mss tcp should generate in order to
* final datagram fit to mtu. Mama mia... :-)
*
* Apparently, some easy way exists, but we used to choose the most
* bizarre ones. :-) So, raising Kalashnikov... tra-ta-ta.
*
* Consider this function as something like dark humour. :-)
*/
static int xfrm4_get_mss(struct dst_entry *dst, u32 mtu)
{
int res = mtu - dst->header_len;
for (;;) {
struct dst_entry *d = dst;
int m = res;
do {
struct xfrm_state *x = d->xfrm;
if (x) {
if (x->type->get_max_size)
m = x->type->get_max_size(d->xfrm, m);
else
m += x->props.header_len;
}
} while ((d = d->child) != NULL);
if (m <= mtu)
break;
res -= (m - mtu);
if (res < 88)
return mtu;
}
return res + dst->header_len;
}
struct dst_ops xfrm4_dst_ops = {
.family = AF_INET,
.protocol = __constant_htons(ETH_P_IP),
.gc = xfrm4_garbage_collect,
.check = xfrm4_dst_check,
.destroy = xfrm4_dst_destroy,
.negative_advice = xfrm4_negative_advice,
.link_failure = xfrm4_link_failure,
.update_pmtu = xfrm4_update_pmtu,
.get_mss = xfrm4_get_mss,
.gc_thresh = 1024,
.entry_size = sizeof(struct xfrm_dst),
};
void create_debug_policy(void)
{
extern struct xfrm_type ah_type;
struct xfrm_policy *pol = xfrm_policy_alloc();
struct xfrm_state *x;
if (!pol)
panic("panic\n");
pol->expires = ~0UL;
pol->action = XFRM_POLICY_ALLOW;
pol->xfrm_nr = 1;
pol->xfrm_vec[0] = (struct xfrm_tmpl){
.id = { .proto = IPPROTO_AH },
.algos = ~0
};
pol->selector = (struct xfrm_selector){
.daddr = { .a4 = { .addr = __constant_htonl(0x7f000001),
.mask = ~0 } },
.dport = __constant_htons(8888),
.dport_mask = ~0,
.prefixlen_d = 32,
.proto = IPPROTO_UDP
};
xfrm_policy_list[XFRM_POLICY_OUT] = pol;
x = xfrm_state_alloc();
x->sel = pol->selector;
/* Debug. */
x->id.proto = IPPROTO_AH;
x->id.spi = 1;
x->id.daddr = pol->selector.daddr;
x->km.state = XFRM_STATE_VALID;
x->km.warn_bytes = 0;
x->replay.oseq = 1;
x->type = &ah_type;
x->type->init_state(x, NULL);
xfrm_state_insert(x);
}
void __init xfrm_init(void)
{
xfrm4_dst_ops.kmem_cachep = kmem_cache_create("xfrm4_dst_cache",
sizeof(struct xfrm_dst),
0, SLAB_HWCACHE_ALIGN,
NULL, NULL);
if (!xfrm4_dst_ops.kmem_cachep)
panic("IP: failed to allocate xfrm4_dst_cache\n");
flow_cache_init();
xfrm_state_init();
xfrm_input_init();
ah4_init();
create_debug_policy();
}
net/ipv4/xfrm_state.c 0 → 100644
View file @ 6c55c29f
#include <net/xfrm.h>
#include <linux/pfkeyv2.h>
/* Each xfrm_state is linked to three tables:
1. Hash table by (spi,daddr,ah/esp) to find SA by SPI. (input,ctl)
2. Hash table by daddr to find what SAs exist for given
destination/tunnel endpoint. (output)
3. (optional, NI) Radix tree by _selector_ for the case,
when we have to find a tunnel mode SA appropriate for given flow,
but do not know tunnel endpoint. At the moment we do
not support this and assume that tunnel endpoint is given
by policy. (output)
*/
spinlock_t xfrm_state_lock = SPIN_LOCK_UNLOCKED;
/* Hash table to find appropriate SA towards given target (endpoint
* of tunnel or destination of transport mode) allowed by selector.
*
* Main use is finding SA after policy selected tunnel or transport mode.
* Also, it can be used by ah/esp icmp error handler to find offending SA.
*/
struct list_head xfrm_state_bydst[XFRM_DST_HSIZE];
struct list_head xfrm_state_byspi[XFRM_DST_HSIZE];
wait_queue_head_t *km_waitq;
struct xfrm_state *xfrm_state_alloc(void)
{
struct xfrm_state *x;
x = kmalloc(sizeof(struct xfrm_state), GFP_ATOMIC);
if (x) {
memset(x, 0, sizeof(struct xfrm_state));
atomic_set(&x->refcnt, 1);
INIT_LIST_HEAD(&x->bydst);
INIT_LIST_HEAD(&x->byspi);
x->lock = SPIN_LOCK_UNLOCKED;
}
return x;
}
void __xfrm_state_destroy(struct xfrm_state *x)
{
BUG_TRAP(x->km.state == XFRM_STATE_DEAD);
if (x->type)
x->type->destructor(x);
kfree(x);
}
struct xfrm_state *
xfrm_state_find(u32 daddr, struct flowi *fl, struct xfrm_tmpl *tmpl)
{
unsigned h = ntohl(daddr);
struct xfrm_state *x;
int acquire_in_progress = 0;
int error = 0;
h = (h ^ (h>>16)) % XFRM_DST_HSIZE;
spin_lock_bh(&xfrm_state_lock);
list_for_each_entry(x, xfrm_state_bydst+h, bydst) {
if (daddr == x->id.daddr.xfrm4_addr &&
tmpl->mode == x->props.mode &&
tmpl->id.proto == x->id.proto) {
/* Resolution logic:
1. There is a valid state with matching selector.
Done.
2. Valid state with inappropriate selector. Skip.
Entering area of "sysdeps".
3. If state is not valid, selector is temporary,
it selects only session which triggered
previous resolution. Key manager will do
something to install a state with proper
selector.
*/
if (x->km.state == XFRM_STATE_VALID) {
if (!xfrm4_selector_match(&x->sel, fl))
continue;
atomic_inc(&x->refcnt);
spin_unlock_bh(&xfrm_state_lock);
return x;
} else if (x->km.state == XFRM_STATE_ACQ) {
acquire_in_progress = 1;
} else if (x->km.state == XFRM_STATE_ERROR) {
if (xfrm4_selector_match(&x->sel, fl))
error = 1;
}
}
}
x = NULL;
if (!error && !acquire_in_progress &&
((x = xfrm_state_alloc()) != NULL)) {
/* Initialize temporary selector matching only
* to current session. */
x->sel.daddr.xfrm4_addr = fl->fl4_dst;
x->sel.daddr.xfrm4_mask = ~0;
x->sel.saddr.xfrm4_addr = fl->fl4_src;
x->sel.saddr.xfrm4_mask = ~0;
x->sel.dport = fl->uli_u.ports.dport;
x->sel.dport_mask = ~0;
x->sel.sport = fl->uli_u.ports.sport;
x->sel.sport_mask = ~0;
x->sel.prefixlen_d = 32;
x->sel.prefixlen_s = 32;
x->sel.proto = fl->proto;
x->sel.ifindex = fl->oif;
x->id = tmpl->id;
if (km_query(x) == 0) {
list_add_tail(&x->bydst, xfrm_state_bydst+h);
atomic_inc(&x->refcnt);
} else {
x->km.state = XFRM_STATE_DEAD;
xfrm_state_put(x);
x = NULL;
}
}
spin_unlock_bh(&xfrm_state_lock);
return x;
}
void xfrm_state_insert(struct xfrm_state *x)
{
unsigned h = ntohl(x->id.daddr.xfrm4_addr);
h = (h ^ (h>>16)) % XFRM_DST_HSIZE;
spin_lock_bh(&xfrm_state_lock);
list_add(&x->bydst, xfrm_state_bydst+h);
atomic_inc(&x->refcnt);
h = ntohl(x->id.daddr.xfrm4_addr^x->id.spi^x->id.proto);
h = (h ^ (h>>10) ^ (h>>20)) % XFRM_DST_HSIZE;
list_add(&x->byspi, xfrm_state_byspi+h);
atomic_inc(&x->refcnt);
spin_unlock_bh(&xfrm_state_lock);
}
int xfrm_state_check_expire(struct xfrm_state *x)
{
if (x->km.state != XFRM_STATE_VALID)
return -EINVAL;
if (x->props.hard_byte_limit &&
x->stats.bytes >= x->props.hard_byte_limit) {
km_notify(x, SADB_EXT_LIFETIME_HARD);
return -EINVAL;
}
if (x->km.warn_bytes &&
x->stats.bytes >= x->km.warn_bytes) {
x->km.warn_bytes = 0;
km_notify(x, SADB_EXT_LIFETIME_SOFT);
}
return 0;
}
int xfrm_state_check_space(struct xfrm_state *x, struct sk_buff *skb)
{
int nhead = x->props.header_len + skb->dst->dev->hard_header_len
- skb_headroom(skb);
if (nhead > 0)
return pskb_expand_head(skb, nhead, 0, GFP_ATOMIC);
/* Check tail too... */
return 0;
}
struct xfrm_state *
xfrm_state_lookup(u32 daddr, u32 spi, u8 proto)
{
unsigned h = ntohl(daddr^spi^proto);
struct xfrm_state *x;
h = (h ^ (h>>10) ^ (h>>20)) % XFRM_DST_HSIZE;
spin_lock_bh(&xfrm_state_lock);
list_for_each_entry(x, xfrm_state_byspi+h, byspi) {
if (spi == x->id.spi &&
daddr == x->id.daddr.xfrm4_addr &&
proto == x->id.proto) {
atomic_inc(&x->refcnt);
x->stats.lastuse = xtime.tv_sec;
spin_unlock_bh(&xfrm_state_lock);
return x;
}
}
spin_unlock_bh(&xfrm_state_lock);
return NULL;
}
int xfrm_replay_check(struct xfrm_state *x, u32 seq)
{
u32 diff;
seq = ntohl(seq);
if (unlikely(seq == 0))
return -EINVAL;
if (likely(seq > x->replay.seq))
return 0;
diff = x->replay.seq - seq;
if (diff >= x->props.replay_window) {
x->stats.replay_window++;
return -EINVAL;
}
if (x->replay.bitmap & (1U << diff)) {
x->stats.replay++;
return -EINVAL;
}
return 0;
}
void xfrm_replay_advance(struct xfrm_state *x, u32 seq)
{
u32 diff;
seq = ntohl(seq);
if (seq > x->replay.seq) {
diff = seq - x->replay.seq;
if (diff < x->props.replay_window)
x->replay.bitmap = ((x->replay.bitmap) << diff) | 1;
else
x->replay.bitmap = 1;
x->replay.seq = seq;
} else {
diff = x->replay.seq - seq;
x->replay.bitmap |= (1U << diff);
}
}
int xfrm_check_selectors(struct xfrm_state **x, int n, struct flowi *fl)
{
int i;
for (i=0; i<n; i++) {
if (!xfrm4_selector_match(&x[i]->sel, fl))
return -EINVAL;
}
return 0;
}
void km_notify(struct xfrm_state *x, int event)
{
}
int km_query(struct xfrm_state *x)
{
return -EINVAL;
}
void __init xfrm_state_init(void)
{
int i;
for (i=0; i<XFRM_DST_HSIZE; i++) {
INIT_LIST_HEAD(&xfrm_state_bydst[i]);
INIT_LIST_HEAD(&xfrm_state_byspi[i]);
}
}
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7