Commit 6c55c29f authored by Alexey Kuznetsov's avatar Alexey Kuznetsov Committed by David S. Miller

[IPSEC]: Add transform engine and AH implementation.

parent e26bdd97
/* PF_KEY user interface, this is defined by rfc2367 so
* do not make arbitrary modifications or else this header
* file will not be compliant.
*/
#ifndef _LINUX_PFKEY2_H
#define _LINUX_PFKEY2_H
#include <linux/types.h>
#define PF_KEY_V2 2
#define PFKEYV2_REVISION 199806L
struct sadb_msg {
uint8_t sadb_msg_version;
uint8_t sadb_msg_type;
uint8_t sadb_msg_errno;
uint8_t sadb_msg_satype;
uint16_t sadb_msg_len;
uint16_t sadb_msg_reserved;
uint32_t sadb_msg_seq;
uint32_t sadb_msg_pid;
} __attribute__((packed));
/* sizeof(struct sadb_msg) == 16 */
struct sadb_ext {
uint16_t sadb_ext_len;
uint16_t sadb_ext_type;
} __attribute__((packed));
/* sizeof(struct sadb_ext) == 4 */
struct sadb_sa {
uint16_t sadb_sa_len;
uint16_t sadb_sa_exttype;
uint32_t sadb_sa_spi;
uint8_t sadb_sa_replay;
uint8_t sadb_sa_state;
uint8_t sadb_sa_auth;
uint8_t sadb_sa_encrypt;
uint32_t sadb_sa_flags;
} __attribute__((packed));
/* sizeof(struct sadb_sa) == 16 */
struct sadb_lifetime {
uint16_t sadb_lifetime_len;
uint16_t sadb_lifetime_exttype;
uint32_t sadb_lifetime_allocations;
uint64_t sadb_lifetime_bytes;
uint64_t sadb_lifetime_addtime;
uint64_t sadb_lifetime_usetime;
} __attribute__((packed));
/* sizeof(struct sadb_lifetime) == 32 */
struct sadb_address {
uint16_t sadb_address_len;
uint16_t sadb_address_exttype;
uint8_t sadb_address_proto;
uint8_t sadb_address_prefixlen;
uint16_t sadb_address_reserved;
} __attribute__((packed));
/* sizeof(struct sadb_address) == 8 */
struct sadb_key {
uint16_t sadb_key_len;
uint16_t sadb_key_exttype;
uint16_t sadb_key_bits;
uint16_t sadb_key_reserved;
} __attribute__((packed));
/* sizeof(struct sadb_key) == 8 */
struct sadb_ident {
uint16_t sadb_ident_len;
uint16_t sadb_ident_exttype;
uint16_t sadb_ident_type;
uint16_t sadb_ident_reserved;
uint64_t sadb_ident_id;
} __attribute__((packed));
/* sizeof(struct sadb_ident) == 16 */
struct sadb_sens {
uint16_t sadb_sens_len;
uint16_t sadb_sens_exttype;
uint32_t sadb_sens_dpd;
uint8_t sadb_sens_sens_level;
uint8_t sadb_sens_sens_len;
uint8_t sadb_sens_integ_level;
uint8_t sadb_sens_integ_len;
uint32_t sadb_sens_reserved;
} __attribute__((packed));
/* sizeof(struct sadb_sens) == 16 */
/* followed by:
uint64_t sadb_sens_bitmap[sens_len];
uint64_t sadb_integ_bitmap[integ_len]; */
struct sadb_prop {
uint16_t sadb_prop_len;
uint16_t sadb_prop_exttype;
uint8_t sadb_prop_replay;
uint8_t sadb_prop_reserved[3];
} __attribute__((packed));
/* sizeof(struct sadb_prop) == 8 */
/* followed by:
struct sadb_comb sadb_combs[(sadb_prop_len +
sizeof(uint64_t) - sizeof(struct sadb_prop)) /
sizeof(strut sadb_comb)]; */
struct sadb_comb {
uint8_t sadb_comb_auth;
uint8_t sadb_comb_encrypt;
uint16_t sadb_comb_flags;
uint16_t sadb_comb_auth_minbits;
uint16_t sadb_comb_auth_maxbits;
uint16_t sadb_comb_encrypt_minbits;
uint16_t sadb_comb_encrypt_maxbits;
uint32_t sadb_comb_reserved;
uint32_t sadb_comb_soft_allocations;
uint32_t sadb_comb_hard_allocations;
uint64_t sadb_comb_soft_bytes;
uint64_t sadb_comb_hard_bytes;
uint64_t sadb_comb_soft_addtime;
uint64_t sadb_comb_hard_addtime;
uint64_t sadb_comb_soft_usetime;
uint64_t sadb_comb_hard_usetime;
} __attribute__((packed));
/* sizeof(struct sadb_comb) == 72 */
struct sadb_supported {
uint16_t sadb_supported_len;
uint16_t sadb_supported_exttype;
uint32_t sadb_supported_reserved;
} __attribute__((packed));
/* sizeof(struct sadb_supported) == 8 */
/* followed by:
struct sadb_alg sadb_algs[(sadb_supported_len +
sizeof(uint64_t) - sizeof(struct sadb_supported)) /
sizeof(struct sadb_alg)]; */
struct sadb_alg {
uint8_t sadb_alg_id;
uint8_t sadb_alg_ivlen;
uint16_t sadb_alg_minbits;
uint16_t sadb_alg_maxbits;
uint16_t sadb_alg_reserved;
} __attribute__((packed));
/* sizeof(struct sadb_alg) == 8 */
struct sadb_spirange {
uint16_t sadb_spirange_len;
uint16_t sadb_spirange_exttype;
uint32_t sadb_spirange_min;
uint32_t sadb_spirange_max;
uint32_t sadb_spirange_reserved;
} __attribute__((packed));
/* sizeof(struct sadb_spirange) == 16 */
struct sadb_x_kmprivate {
uint16_t sadb_x_kmprivate_len;
uint16_t sadb_x_kmprivate_exttype;
u_int32_t sadb_x_kmprivate_reserved;
} __attribute__((packed));
/* sizeof(struct sadb_x_kmprivate) == 8 */
struct sadb_x_sa2 {
uint16_t sadb_x_sa2_len;
uint16_t sadb_x_sa2_exttype;
uint8_t sadb_x_sa2_mode;
uint8_t sadb_x_sa2_reserved1;
uint16_t sadb_x_sa2_reserved2;
uint32_t sadb_x_sa2_sequence;
uint32_t sadb_x_sa2_reqid;
} __attribute__((packed));
/* sizeof(struct sadb_x_sa2) == 16 */
struct sadb_x_policy {
uint16_t sadb_x_policy_len;
uint16_t sadb_x_policy_exttype;
uint16_t sadb_x_policy_type;
uint8_t sadb_x_policy_dir;
uint8_t sadb_x_policy_reserved;
uint32_t sadb_x_policy_id;
uint32_t sadb_x_policy_reserved2;
} __attribute__((packed));
/* sizeof(struct sadb_x_policy) == 16 */
struct sadb_x_ipsecrequest {
uint16_t sadb_x_ipsecrequest_len;
uint16_t sadb_x_ipsecrequest_exttype;
uint8_t sadb_x_ipsecrequest_mode;
uint8_t sadb_x_ipsecrequest_level;
uint16_t sadb_x_ipsecrequest_reqid;
} __attribute__((packed));
/* sizeof(struct sadb_x_ipsecrequest) == 16 */
/* Message types */
#define SADB_RESERVED 0
#define SADB_GETSPI 1
#define SADB_UPDATE 2
#define SADB_ADD 3
#define SADB_DELETE 4
#define SADB_GET 5
#define SADB_ACQUIRE 6
#define SADB_REGISTER 7
#define SADB_EXPIRE 8
#define SADB_FLUSH 9
#define SADB_DUMP 10
#define SADB_X_PROMISC 11
#define SADB_X_PCHANGE 12
#define SADB_X_SPDUPDATE 13
#define SADB_X_SPDADD 14
#define SADB_X_SPDDELETE 15
#define SADB_X_SPDGET 16
#define SADB_X_SPDACQUIRE 17
#define SADB_X_SPDDUMP 18
#define SADB_X_SPDFLUSH 19
#define SADB_X_SPDSETIDX 20
#define SADB_X_SPDEXPIRE 21
#define SADB_X_SPDDELETE2 22
#define SADB_MAX 22
/* Security Association flags */
#define SADB_SAFLAGS_PFS 1
/* Security Association states */
#define SADB_SASTATE_LARVAL 0
#define SADB_SASTATE_MATURE 1
#define SADB_SASTATE_DYING 2
#define SADB_SASTATE_DEAD 3
#define SADB_SASTATE_MAX 3
/* Security Association types */
#define SADB_SATYPE_UNSPEC 0
#define SADB_SATYPE_AH 2
#define SADB_SATYPE_ESP 3
#define SADB_SATYPE_RSVP 5
#define SADB_SATYPE_OSPFV2 6
#define SADB_SATYPE_RIPV2 7
#define SADB_SATYPE_MIP 8
#define SADB_X_SATYPE_IPCOMP 9
#define SADB_SATYPE_MAX 9
/* Authentication algorithms */
#define SADB_AALG_NONE 0
#define SADB_AALG_MD5HMAC 2
#define SADB_AALG_SHA1HMAC 3
#define SADB_AALG_MAX 3
/* Encryption algorithms */
#define SADB_EALG_NONE 0
#define SADB_EALG_DESCBC 2
#define SADB_EALG_3DESCBC 3
#define SADB_EALG_NULL 11
#define SADB_EALG_MAX 11
/* Extension Header values */
#define SADB_EXT_RESERVED 0
#define SADB_EXT_SA 1
#define SADB_EXT_LIFETIME_CURRENT 2
#define SADB_EXT_LIFETIME_HARD 3
#define SADB_EXT_LIFETIME_SOFT 4
#define SADB_EXT_ADDRESS_SRC 5
#define SADB_EXT_ADDRESS_DST 6
#define SADB_EXT_ADDRESS_PROXY 7
#define SADB_EXT_KEY_AUTH 8
#define SADB_EXT_KEY_ENCRYPT 9
#define SADB_EXT_IDENTITY_SRC 10
#define SADB_EXT_IDENTITY_DST 11
#define SADB_EXT_SENSITIVITY 12
#define SADB_EXT_PROPOSAL 13
#define SADB_EXT_SUPPORTED_AUTH 14
#define SADB_EXT_SUPPORTED_ENCRYPT 15
#define SADB_EXT_SPIRANGE 16
#define SADB_X_EXT_KMPRIVATE 17
#define SADB_X_EXT_POLICY 18
#define SADB_X_EXT_SA2 19
#define SADB_EXT_MAX 19
/* Identity Extension values */
#define SADB_IDENTTYPE_RESERVED 0
#define SADB_IDENTTYPE_PREFIX 1
#define SADB_IDENTTYPE_FQDN 2
#define SADB_IDENTTYPE_USERFQDN 3
#define SADB_IDENTTYPE_MAX 3
#endif /* !(_LINUX_PFKEY2_H) */
...@@ -213,6 +213,7 @@ struct sk_buff { ...@@ -213,6 +213,7 @@ struct sk_buff {
} mac; } mac;
struct dst_entry *dst; struct dst_entry *dst;
struct sec_path *sp;
/* /*
* This is the control buffer. It is free to use for every * This is the control buffer. It is free to use for every
......
...@@ -59,6 +59,7 @@ struct dst_entry ...@@ -59,6 +59,7 @@ struct dst_entry
struct neighbour *neighbour; struct neighbour *neighbour;
struct hh_cache *hh; struct hh_cache *hh;
struct xfrm_state *xfrm;
int (*input)(struct sk_buff*); int (*input)(struct sk_buff*);
int (*output)(struct sk_buff*); int (*output)(struct sk_buff*);
...@@ -233,6 +234,11 @@ static inline int dst_input(struct sk_buff *skb) ...@@ -233,6 +234,11 @@ static inline int dst_input(struct sk_buff *skb)
extern void dst_init(void); extern void dst_init(void);
struct flowi;
extern int xfrm_lookup(struct dst_entry **dst_p, struct flowi *fl,
struct sock *sk, int flags);
#endif #endif
#endif /* _NET_DST_H */ #endif /* _NET_DST_H */
This diff is collapsed.
...@@ -58,6 +58,7 @@ ...@@ -58,6 +58,7 @@
#include <net/dst.h> #include <net/dst.h>
#include <net/sock.h> #include <net/sock.h>
#include <net/checksum.h> #include <net/checksum.h>
#include <net/xfrm.h>
#include <asm/uaccess.h> #include <asm/uaccess.h>
#include <asm/system.h> #include <asm/system.h>
...@@ -235,6 +236,7 @@ static inline void skb_headerinit(void *p, kmem_cache_t *cache, ...@@ -235,6 +236,7 @@ static inline void skb_headerinit(void *p, kmem_cache_t *cache,
skb->stamp.tv_sec = 0; /* No idea about time */ skb->stamp.tv_sec = 0; /* No idea about time */
skb->dev = NULL; skb->dev = NULL;
skb->dst = NULL; skb->dst = NULL;
skb->sp = NULL;
memset(skb->cb, 0, sizeof(skb->cb)); memset(skb->cb, 0, sizeof(skb->cb));
skb->pkt_type = PACKET_HOST; /* Default type */ skb->pkt_type = PACKET_HOST; /* Default type */
skb->ip_summed = 0; skb->ip_summed = 0;
...@@ -322,6 +324,7 @@ void __kfree_skb(struct sk_buff *skb) ...@@ -322,6 +324,7 @@ void __kfree_skb(struct sk_buff *skb)
} }
dst_release(skb->dst); dst_release(skb->dst);
secpath_put(skb->sp);
if(skb->destructor) { if(skb->destructor) {
if (in_irq()) if (in_irq())
printk(KERN_WARNING "Warning: kfree_skb on " printk(KERN_WARNING "Warning: kfree_skb on "
...@@ -374,6 +377,8 @@ struct sk_buff *skb_clone(struct sk_buff *skb, int gfp_mask) ...@@ -374,6 +377,8 @@ struct sk_buff *skb_clone(struct sk_buff *skb, int gfp_mask)
C(mac); C(mac);
C(dst); C(dst);
dst_clone(n->dst); dst_clone(n->dst);
C(sp);
secpath_get(n->sp);
memcpy(n->cb, skb->cb, sizeof(skb->cb)); memcpy(n->cb, skb->cb, sizeof(skb->cb));
C(len); C(len);
C(data_len); C(data_len);
...@@ -433,6 +438,7 @@ static void copy_skb_header(struct sk_buff *new, const struct sk_buff *old) ...@@ -433,6 +438,7 @@ static void copy_skb_header(struct sk_buff *new, const struct sk_buff *old)
new->priority = old->priority; new->priority = old->priority;
new->protocol = old->protocol; new->protocol = old->protocol;
new->dst = dst_clone(old->dst); new->dst = dst_clone(old->dst);
new->sp = secpath_get(old->sp);
new->h.raw = old->h.raw + offset; new->h.raw = old->h.raw + offset;
new->nh.raw = old->nh.raw + offset; new->nh.raw = old->nh.raw + offset;
new->mac.raw = old->mac.raw + offset; new->mac.raw = old->mac.raw + offset;
......
...@@ -18,4 +18,6 @@ obj-$(CONFIG_SYN_COOKIES) += syncookies.o ...@@ -18,4 +18,6 @@ obj-$(CONFIG_SYN_COOKIES) += syncookies.o
obj-$(CONFIG_IP_PNP) += ipconfig.o obj-$(CONFIG_IP_PNP) += ipconfig.o
obj-$(CONFIG_NETFILTER) += netfilter/ obj-$(CONFIG_NETFILTER) += netfilter/
obj-y += xfrm_policy.o xfrm_state.o xfrm_input.o ah.o
include $(TOPDIR)/Rules.make include $(TOPDIR)/Rules.make
#include <net/ip.h>
#include <net/xfrm.h>
#include <linux/crypto.h>
#include <net/icmp.h>
struct ah_data
{
u8 *key;
int key_len;
int digest_len;
void (*digest)(struct xfrm_state*,
struct sk_buff *skb,
u8 *digest);
struct crypto_tfm *tfm;
};
/* Clear mutable options and find final destination to substitute
* into IP header for digest calculation. Options are already checked
* for validity, so paranoia is not required. */
int ip_clear_mutable_options(struct iphdr *iph, u32 *daddr)
{
unsigned char * optptr = (unsigned char*)(iph+1);
int l = iph->ihl*4 - 20;
int optlen;
while (l > 0) {
switch (*optptr) {
case IPOPT_END:
return 0;
case IPOPT_NOOP:
l--;
optptr++;
continue;
}
optlen = optptr[1];
if (optlen<2 || optlen>l)
return -EINVAL;
switch (*optptr) {
case IPOPT_SEC:
case 0x85: /* Some "Extended Security" crap. */
case 0x86: /* Another "Commercial Security" crap. */
case IPOPT_RA:
case 0x80|21: /* RFC1770 */
break;
case IPOPT_LSRR:
case IPOPT_SSRR:
if (optlen < 6)
return -EINVAL;
memcpy(daddr, optptr+optlen-4, 4);
/* Fall through */
default:
memset(optptr+2, 0, optlen-2);
}
l -= optlen;
optptr += optlen;
}
return 0;
}
void skb_ah_walk(const struct sk_buff *skb, struct crypto_tfm *tfm)
{
int offset = 0;
int len = skb->len;
int start = skb->len - skb->data_len;
int i, copy = start - offset;
/* Checksum header. */
if (copy > 0) {
if (copy > len)
copy = len;
tfm->__crt_alg->cra_digest.dia_update(tfm->crt_ctx, skb->data+offset, copy);
if ((len -= copy) == 0)
return;
offset += copy;
}
for (i = 0; i < skb_shinfo(skb)->nr_frags; i++) {
int end;
BUG_TRAP(start <= offset + len);
end = start + skb_shinfo(skb)->frags[i].size;
if ((copy = end - offset) > 0) {
u8 *vaddr;
skb_frag_t *frag = &skb_shinfo(skb)->frags[i];
if (copy > len)
copy = len;
vaddr = kmap_skb_frag(frag);
tfm->__crt_alg->cra_digest.dia_update(tfm->crt_ctx, vaddr+frag->page_offset+offset-start, copy);
kunmap_skb_frag(vaddr);
if (!(len -= copy))
return;
offset += copy;
}
start = end;
}
if (skb_shinfo(skb)->frag_list) {
struct sk_buff *list = skb_shinfo(skb)->frag_list;
for (; list; list = list->next) {
int end;
BUG_TRAP(start <= offset + len);
end = start + list->len;
if ((copy = end - offset) > 0) {
if (copy > len)
copy = len;
skb_ah_walk(list, tfm);
if ((len -= copy) == 0)
return;
offset += copy;
}
start = end;
}
}
if (len)
BUG();
}
#if 0 /* obsolete? */
static void
ah_old_digest(struct xfrm_state *x, struct sk_buff *skb, u8 *auth_data)
{
struct ah_data *ahp = (struct ah_data*)x->data;
struct crypto_tfm *tfm = ahp->tfm;
u8 pad[512/8 - ahp->key_len];
memset(auth_data, 0, ahp->digest_len);
memset(pad, 0, sizeof(pad));
crypto_digest_init(tfm);
tfm->__crt_alg->cra_digest.dia_update(tfm->crt_ctx, ahp->key, ahp->key_len);
tfm->__crt_alg->cra_digest.dia_update(tfm->crt_ctx, ahp->key, sizeof(pad)-ahp->key_len);
skb_ah_walk(skb, tfm);
tfm->__crt_alg->cra_digest.dia_update(tfm->crt_ctx, ahp->key, ahp->key_len);
crypto_digest_final(tfm, auth_data);
}
#endif
/* I bring apologies for wrong use of crypto lib. Use of official
* api to get hmac digest is too chumbersome.
*/
static void
ah_hmac_digest(struct xfrm_state *x, struct sk_buff *skb, u8 *auth_data)
{
struct ah_data *ahp = (struct ah_data*)x->data;
struct crypto_tfm *tfm = ahp->tfm;
int i;
char tmp_digest[crypto_tfm_digestsize(tfm)];
char pad[crypto_tfm_blocksize(tfm)];
memset(auth_data, 0, ahp->digest_len);
memset(pad, 0, sizeof(pad));
memcpy(pad, ahp->key, ahp->key_len);
for (i = 0; i < crypto_tfm_blocksize(tfm); i++)
pad[i] ^= 0x36;
crypto_digest_init(tfm);
tfm->__crt_alg->cra_digest.dia_update(tfm->crt_ctx, pad, sizeof(pad));
skb_ah_walk(skb, tfm);
crypto_digest_final(tfm, tmp_digest);
memset(pad, 0, sizeof(pad));
memcpy(pad, ahp->key, ahp->key_len);
for (i = 0; i < crypto_tfm_blocksize(tfm); i++)
pad[i] ^= 0x5c;
crypto_digest_init(tfm);
tfm->__crt_alg->cra_digest.dia_update(tfm->crt_ctx, pad, sizeof(pad));
tfm->__crt_alg->cra_digest.dia_update(tfm->crt_ctx, tmp_digest, crypto_tfm_digestsize(tfm));
crypto_digest_final(tfm, auth_data);
}
int ah_output(struct sk_buff *skb)
{
int err;
struct dst_entry *dst = skb->dst;
struct xfrm_state *x = dst->xfrm;
struct iphdr *iph, *top_iph;
struct ip_auth_hdr *ah;
struct ah_data *ahp;
union {
struct iphdr iph;
char buf[60];
} tmp_iph;
if (skb->ip_summed == CHECKSUM_HW && skb_checksum_help(skb) == NULL)
return -EINVAL;
spin_lock_bh(&x->lock);
if ((err = xfrm_state_check_expire(x)) != 0)
goto error;
if ((err = xfrm_state_check_space(x, skb)) != 0)
goto error;
iph = skb->nh.iph;
if (x->props.mode) {
top_iph = (struct iphdr*)skb_push(skb, x->props.header_len);
top_iph->ihl = 4;
top_iph->version = 5;
top_iph->tos = 0;
top_iph->tot_len = htons(skb->len);
top_iph->id = inet_getid(((struct rtable*)dst)->peer, 0);
top_iph->frag_off = 0;
top_iph->ttl = 0;
top_iph->protocol = IPPROTO_AH;
top_iph->check = 0;
top_iph->saddr = x->props.saddr.xfrm4_addr;
top_iph->daddr = x->id.daddr.xfrm4_addr;
ah = (struct ip_auth_hdr*)(top_iph+1);
ah->nexthdr = IPPROTO_IP;
} else {
memcpy(&tmp_iph, skb->data, iph->ihl*4);
top_iph = (struct iphdr*)skb_push(skb, x->props.header_len);
memcpy(top_iph, &tmp_iph, iph->ihl*4);
iph = &tmp_iph.iph;
top_iph->tos = 0;
top_iph->tot_len = htons(skb->len);
top_iph->frag_off = 0;
top_iph->ttl = 0;
top_iph->protocol = IPPROTO_AH;
top_iph->check = 0;
if (top_iph->ihl != 5) {
err = ip_clear_mutable_options(top_iph, &top_iph->daddr);
if (err)
goto error;
}
ah = (struct ip_auth_hdr*)((char*)top_iph+iph->ihl*4);
ah->nexthdr = iph->protocol;
}
ahp = x->data;
ah->hdrlen = (((ahp->digest_len + 12 + 7)&~7)>>2)-2;
ah->reserved = 0;
ah->spi = x->id.spi;
ah->seq_no = htonl(++x->replay.oseq);
ahp->digest(x, skb, ah->auth_data);
top_iph->tos = iph->tos;
top_iph->ttl = iph->ttl;
if (x->props.mode) {
top_iph->frag_off = iph->frag_off&~htons(IP_MF|IP_OFFSET);
memset(&(IPCB(skb)->opt), 0, sizeof(struct ip_options));
} else {
top_iph->frag_off = iph->frag_off;
top_iph->daddr = iph->daddr;
if (iph->ihl != 5)
memcpy(top_iph+1, iph+1, iph->ihl*5 - 20);
}
ip_send_check(top_iph);
skb->nh.raw = skb->data;
x->stats.bytes += skb->len;
spin_unlock_bh(&x->lock);
if ((skb->dst = dst_pop(dst)) == NULL)
goto error;
return NET_XMIT_BYPASS;
error:
spin_unlock_bh(&x->lock);
kfree_skb(skb);
return err;
}
int ah_input(struct xfrm_state *x, struct sk_buff *skb)
{
struct iphdr *iph;
struct ip_auth_hdr *ah;
struct ah_data *ahp;
char work_buf[60];
if (!pskb_may_pull(skb, sizeof(struct ip_auth_hdr)))
goto out;
ah = (struct ip_auth_hdr*)skb->data;
ahp = x->data;
if (((ah->hdrlen+2)<<2) != ((ahp->digest_len + 12 + 7)&~7))
goto out;
if (!pskb_may_pull(skb, (ah->hdrlen+2)<<2))
goto out;
/* We are going to _remove_ AH header to keep sockets happy,
* so... Later this can change. */
if (skb_cloned(skb) &&
pskb_expand_head(skb, 0, 0, GFP_ATOMIC))
goto out;
ah = (struct ip_auth_hdr*)skb->data;
iph = skb->nh.iph;
memcpy(work_buf, iph, iph->ihl*4);
iph->ttl = 0;
iph->tos = 0;
iph->frag_off = 0;
iph->check = 0;
if (iph->ihl != 5) {
u32 dummy;
if (ip_clear_mutable_options(iph, &dummy))
goto out;
}
{
u8 auth_data[ahp->digest_len];
memcpy(auth_data, ah->auth_data, ahp->digest_len);
skb_push(skb, skb->data - skb->nh.raw);
ahp->digest(x, skb, ah->auth_data);
if (memcmp(ah->auth_data, auth_data, ahp->digest_len)) {
x->stats.integrity_failed++;
goto out;
}
}
((struct iphdr*)work_buf)->protocol = ah->nexthdr;
skb->nh.raw = skb_pull(skb, (ah->hdrlen+2)<<2);
memcpy(skb->nh.raw, work_buf, iph->ihl*4);
skb->nh.iph->tot_len = htons(skb->len);
skb_pull(skb, skb->nh.iph->ihl*4);
skb->h.raw = skb->data;
return 0;
out:
return -EINVAL;
}
void ah4_err(struct sk_buff *skb, u32 info)
{
struct iphdr *iph = (struct iphdr*)skb->data;
struct ip_auth_hdr *ah = (struct ip_auth_hdr*)(skb->data+(iph->ihl<<2));
struct xfrm_state *x;
if (skb->h.icmph->type != ICMP_DEST_UNREACH ||
skb->h.icmph->code != ICMP_FRAG_NEEDED)
return;
x = xfrm_state_lookup(iph->daddr, ah->spi, IPPROTO_AH);
if (!x)
return;
printk(KERN_DEBUG "pmtu discvovery on SA AH/%08x/%08x\n",
ntohl(ah->spi), ntohl(iph->daddr));
xfrm_state_put(x);
}
static struct inet_protocol ah4_protocol = {
.handler = xfrm4_rcv,
.err_handler = ah4_err,
};
int __init ah4_init(void)
{
if (inet_add_protocol(&ah4_protocol, IPPROTO_AH) < 0) {
printk(KERN_INFO "ip ah init: can't add protocol\n");
return -EAGAIN;
}
return 0;
}
static void __exit ah4_fini(void)
{
if (inet_del_protocol(&ah4_protocol, IPPROTO_AH) < 0)
printk(KERN_INFO "ip ah close: can't remove protocol\n");
}
void ah_destroy(struct xfrm_state *x)
{
}
struct ah_data debugging_ah_state =
{
.key = "PIZDETSPIZDETSPIZDETSPIZDETSPIZDETS",
.key_len = 32,
.digest_len = 16,
.digest = ah_hmac_digest
};
int ah_init_state(struct xfrm_state *x, void *args)
{
debugging_ah_state.tfm = crypto_alloc_tfm(CRYPTO_ALG_MD5);
x->data = &debugging_ah_state;
x->props.header_len = 16+16;
return 0;
}
struct xfrm_type ah_type =
{
.description = "AH4-HMAC",
.refcnt = ATOMIC_INIT(1),
.proto = IPPROTO_AH,
.algo = 0,
.init_state = ah_init_state,
.destructor = ah_destroy,
.input = ah_input,
.output = ah_output
};
...@@ -40,9 +40,7 @@ ...@@ -40,9 +40,7 @@
#include <net/checksum.h> #include <net/checksum.h>
#include <linux/route.h> #include <linux/route.h>
#include <net/route.h> #include <net/route.h>
#if 0
#include <net/xfrm.h> #include <net/xfrm.h>
#endif
static inline int ip_forward_finish(struct sk_buff *skb) static inline int ip_forward_finish(struct sk_buff *skb)
{ {
...@@ -62,10 +60,9 @@ int ip_forward(struct sk_buff *skb) ...@@ -62,10 +60,9 @@ int ip_forward(struct sk_buff *skb)
struct rtable *rt; /* Route we use */ struct rtable *rt; /* Route we use */
struct ip_options * opt = &(IPCB(skb)->opt); struct ip_options * opt = &(IPCB(skb)->opt);
#if 0
if (!xfrm_policy_check(XFRM_POLICY_FWD, skb)) if (!xfrm_policy_check(XFRM_POLICY_FWD, skb))
goto drop; goto drop;
#endif
if (IPCB(skb)->opt.router_alert && ip_call_ra_chain(skb)) if (IPCB(skb)->opt.router_alert && ip_call_ra_chain(skb))
return NET_RX_SUCCESS; return NET_RX_SUCCESS;
...@@ -85,10 +82,8 @@ int ip_forward(struct sk_buff *skb) ...@@ -85,10 +82,8 @@ int ip_forward(struct sk_buff *skb)
if (iph->ttl <= 1) if (iph->ttl <= 1)
goto too_many_hops; goto too_many_hops;
#if 0
if (!xfrm_route_forward(skb)) if (!xfrm_route_forward(skb))
goto drop; goto drop;
#endif
iph = skb->nh.iph; iph = skb->nh.iph;
rt = (struct rtable*)skb->dst; rt = (struct rtable*)skb->dst;
......
...@@ -141,6 +141,7 @@ ...@@ -141,6 +141,7 @@
#include <net/raw.h> #include <net/raw.h>
#include <net/checksum.h> #include <net/checksum.h>
#include <linux/netfilter_ipv4.h> #include <linux/netfilter_ipv4.h>
#include <net/xfrm.h>
#include <linux/mroute.h> #include <linux/mroute.h>
#include <linux/netlink.h> #include <linux/netlink.h>
...@@ -222,6 +223,15 @@ static inline int ip_local_deliver_finish(struct sk_buff *skb) ...@@ -222,6 +223,15 @@ static inline int ip_local_deliver_finish(struct sk_buff *skb)
struct inet_protocol *ipprot; struct inet_protocol *ipprot;
resubmit: resubmit:
/* Fuck... This IS ugly. */
if (protocol != IPPROTO_AH &&
protocol != IPPROTO_ESP &&
!xfrm_policy_check(XFRM_POLICY_IN, skb)) {
kfree_skb(skb);
return 0;
}
hash = protocol & (MAX_INET_PROTOS - 1); hash = protocol & (MAX_INET_PROTOS - 1);
raw_sk = raw_v4_htable[hash]; raw_sk = raw_v4_htable[hash];
......
...@@ -2031,11 +2031,7 @@ int ip_route_output_key(struct rtable **rp, struct flowi *flp) ...@@ -2031,11 +2031,7 @@ int ip_route_output_key(struct rtable **rp, struct flowi *flp)
if ((err = __ip_route_output_key(rp, flp)) != 0) if ((err = __ip_route_output_key(rp, flp)) != 0)
return err; return err;
#if 0
return flp->proto ? xfrm_lookup((struct dst_entry**)rp, flp, NULL, 0) : 0; return flp->proto ? xfrm_lookup((struct dst_entry**)rp, flp, NULL, 0) : 0;
#else
return 0;
#endif
} }
static int rt_fill_info(struct sk_buff *skb, u32 pid, u32 seq, int event, static int rt_fill_info(struct sk_buff *skb, u32 pid, u32 seq, int event,
...@@ -2545,4 +2541,5 @@ void __init ip_rt_init(void) ...@@ -2545,4 +2541,5 @@ void __init ip_rt_init(void)
#ifdef CONFIG_NET_CLS_ROUTE #ifdef CONFIG_NET_CLS_ROUTE
create_proc_read_entry("net/rt_acct", 0, 0, ip_rt_acct_read, NULL); create_proc_read_entry("net/rt_acct", 0, 0, ip_rt_acct_read, NULL);
#endif #endif
xfrm_init();
} }
#include <net/ip.h>
#include <net/xfrm.h>
static kmem_cache_t *secpath_cachep;
void __secpath_destroy(struct sec_path *sp)
{
int i;
for (i = 0; i < sp->len; i++)
xfrm_state_put(sp->xvec[i]);
kmem_cache_free(secpath_cachep, sp);
}
/* Fetch spi and seq frpm ipsec header */
static int xfrm_parse_spi(struct sk_buff *skb, u32 *spi, u32 *seq)
{
int offset, offset_seq;
switch (skb->nh.iph->protocol) {
case IPPROTO_AH:
offset = offsetof(struct ip_auth_hdr, spi);
offset_seq = offsetof(struct ip_auth_hdr, seq_no);
break;
case IPPROTO_ESP:
offset = offsetof(struct ip_esp_hdr, spi);
offset_seq = offsetof(struct ip_esp_hdr, seq_no);
break;
case IPPROTO_COMP:
if (!pskb_may_pull(skb, 4))
return -EINVAL;
*spi = *(u16*)(skb->h.raw + 2);
*seq = 0;
return 0;
default:
return 1;
}
if (!pskb_may_pull(skb, 16))
return -EINVAL;
*spi = *(u32*)(skb->h.raw + offset);
*seq = *(u32*)(skb->h.raw + offset_seq);
return 0;
}
int xfrm4_rcv(struct sk_buff *skb)
{
int err;
u32 spi, seq;
struct xfrm_state *xfrm_vec[XFRM_MAX_DEPTH];
struct xfrm_state *x;
int xfrm_nr = 0;
int decaps = 0;
if ((err = xfrm_parse_spi(skb, &spi, &seq)) != 0)
goto drop;
do {
struct iphdr *iph = skb->nh.iph;
if (xfrm_nr == XFRM_MAX_DEPTH)
goto drop;
x = xfrm_state_lookup(iph->daddr, spi, iph->protocol);
if (x == NULL)
goto drop;
spin_lock(&x->lock);
if (unlikely(x->km.state != XFRM_STATE_VALID))
goto drop_unlock;
if (x->props.replay_window && xfrm_replay_check(x, seq))
goto drop_unlock;
if (x->type->input(x, skb))
goto drop_unlock;
if (x->props.replay_window)
xfrm_replay_advance(x, seq);
spin_unlock(&x->lock);
xfrm_vec[xfrm_nr++] = x;
iph = skb->nh.iph;
if (x->props.mode) {
if (iph->protocol != IPPROTO_IP)
goto drop;
skb->nh.raw = skb->data;
iph = skb->nh.iph;
memset(&(IPCB(skb)->opt), 0, sizeof(struct ip_options));
decaps = 1;
break;
}
if ((err = xfrm_parse_spi(skb, &spi, &seq)) < 0)
goto drop;
} while (!err);
/* Allocate new secpath or COW existing one. */
if (!skb->sp || atomic_read(&skb->sp->refcnt) != 1) {
struct sec_path *sp;
sp = kmem_cache_alloc(secpath_cachep, SLAB_ATOMIC);
if (!sp)
goto drop;
if (skb->sp) {
memcpy(sp, skb->sp, sizeof(struct sec_path));
secpath_put(skb->sp);
} else
sp->len = 0;
atomic_set(&sp->refcnt, 1);
skb->sp = sp;
}
if (xfrm_nr + skb->sp->len > XFRM_MAX_DEPTH)
goto drop;
memcpy(skb->sp->xvec+skb->sp->len, xfrm_vec, xfrm_nr*sizeof(void*));
skb->sp->len += xfrm_nr;
if (decaps) {
dst_release(skb->dst);
skb->dst = NULL;
netif_rx(skb);
return 0;
} else {
return -skb->nh.iph->protocol;
}
drop_unlock:
spin_unlock(&x->lock);
xfrm_state_put(x);
drop:
while (--xfrm_nr >= 0)
xfrm_state_put(xfrm_vec[xfrm_nr]);
kfree_skb(skb);
return 0;
}
void __init xfrm_input_init(void)
{
secpath_cachep = kmem_cache_create("secpath_cache",
sizeof(struct sec_path),
0, SLAB_HWCACHE_ALIGN,
NULL, NULL);
if (!secpath_cachep)
panic("IP: failed to allocate secpath_cache\n");
}
This diff is collapsed.
#include <net/xfrm.h>
#include <linux/pfkeyv2.h>
/* Each xfrm_state is linked to three tables:
1. Hash table by (spi,daddr,ah/esp) to find SA by SPI. (input,ctl)
2. Hash table by daddr to find what SAs exist for given
destination/tunnel endpoint. (output)
3. (optional, NI) Radix tree by _selector_ for the case,
when we have to find a tunnel mode SA appropriate for given flow,
but do not know tunnel endpoint. At the moment we do
not support this and assume that tunnel endpoint is given
by policy. (output)
*/
spinlock_t xfrm_state_lock = SPIN_LOCK_UNLOCKED;
/* Hash table to find appropriate SA towards given target (endpoint
* of tunnel or destination of transport mode) allowed by selector.
*
* Main use is finding SA after policy selected tunnel or transport mode.
* Also, it can be used by ah/esp icmp error handler to find offending SA.
*/
struct list_head xfrm_state_bydst[XFRM_DST_HSIZE];
struct list_head xfrm_state_byspi[XFRM_DST_HSIZE];
wait_queue_head_t *km_waitq;
struct xfrm_state *xfrm_state_alloc(void)
{
struct xfrm_state *x;
x = kmalloc(sizeof(struct xfrm_state), GFP_ATOMIC);
if (x) {
memset(x, 0, sizeof(struct xfrm_state));
atomic_set(&x->refcnt, 1);
INIT_LIST_HEAD(&x->bydst);
INIT_LIST_HEAD(&x->byspi);
x->lock = SPIN_LOCK_UNLOCKED;
}
return x;
}
void __xfrm_state_destroy(struct xfrm_state *x)
{
BUG_TRAP(x->km.state == XFRM_STATE_DEAD);
if (x->type)
x->type->destructor(x);
kfree(x);
}
struct xfrm_state *
xfrm_state_find(u32 daddr, struct flowi *fl, struct xfrm_tmpl *tmpl)
{
unsigned h = ntohl(daddr);
struct xfrm_state *x;
int acquire_in_progress = 0;
int error = 0;
h = (h ^ (h>>16)) % XFRM_DST_HSIZE;
spin_lock_bh(&xfrm_state_lock);
list_for_each_entry(x, xfrm_state_bydst+h, bydst) {
if (daddr == x->id.daddr.xfrm4_addr &&
tmpl->mode == x->props.mode &&
tmpl->id.proto == x->id.proto) {
/* Resolution logic:
1. There is a valid state with matching selector.
Done.
2. Valid state with inappropriate selector. Skip.
Entering area of "sysdeps".
3. If state is not valid, selector is temporary,
it selects only session which triggered
previous resolution. Key manager will do
something to install a state with proper
selector.
*/
if (x->km.state == XFRM_STATE_VALID) {
if (!xfrm4_selector_match(&x->sel, fl))
continue;
atomic_inc(&x->refcnt);
spin_unlock_bh(&xfrm_state_lock);
return x;
} else if (x->km.state == XFRM_STATE_ACQ) {
acquire_in_progress = 1;
} else if (x->km.state == XFRM_STATE_ERROR) {
if (xfrm4_selector_match(&x->sel, fl))
error = 1;
}
}
}
x = NULL;
if (!error && !acquire_in_progress &&
((x = xfrm_state_alloc()) != NULL)) {
/* Initialize temporary selector matching only
* to current session. */
x->sel.daddr.xfrm4_addr = fl->fl4_dst;
x->sel.daddr.xfrm4_mask = ~0;
x->sel.saddr.xfrm4_addr = fl->fl4_src;
x->sel.saddr.xfrm4_mask = ~0;
x->sel.dport = fl->uli_u.ports.dport;
x->sel.dport_mask = ~0;
x->sel.sport = fl->uli_u.ports.sport;
x->sel.sport_mask = ~0;
x->sel.prefixlen_d = 32;
x->sel.prefixlen_s = 32;
x->sel.proto = fl->proto;
x->sel.ifindex = fl->oif;
x->id = tmpl->id;
if (km_query(x) == 0) {
list_add_tail(&x->bydst, xfrm_state_bydst+h);
atomic_inc(&x->refcnt);
} else {
x->km.state = XFRM_STATE_DEAD;
xfrm_state_put(x);
x = NULL;
}
}
spin_unlock_bh(&xfrm_state_lock);
return x;
}
void xfrm_state_insert(struct xfrm_state *x)
{
unsigned h = ntohl(x->id.daddr.xfrm4_addr);
h = (h ^ (h>>16)) % XFRM_DST_HSIZE;
spin_lock_bh(&xfrm_state_lock);
list_add(&x->bydst, xfrm_state_bydst+h);
atomic_inc(&x->refcnt);
h = ntohl(x->id.daddr.xfrm4_addr^x->id.spi^x->id.proto);
h = (h ^ (h>>10) ^ (h>>20)) % XFRM_DST_HSIZE;
list_add(&x->byspi, xfrm_state_byspi+h);
atomic_inc(&x->refcnt);
spin_unlock_bh(&xfrm_state_lock);
}
int xfrm_state_check_expire(struct xfrm_state *x)
{
if (x->km.state != XFRM_STATE_VALID)
return -EINVAL;
if (x->props.hard_byte_limit &&
x->stats.bytes >= x->props.hard_byte_limit) {
km_notify(x, SADB_EXT_LIFETIME_HARD);
return -EINVAL;
}
if (x->km.warn_bytes &&
x->stats.bytes >= x->km.warn_bytes) {
x->km.warn_bytes = 0;
km_notify(x, SADB_EXT_LIFETIME_SOFT);
}
return 0;
}
int xfrm_state_check_space(struct xfrm_state *x, struct sk_buff *skb)
{
int nhead = x->props.header_len + skb->dst->dev->hard_header_len
- skb_headroom(skb);
if (nhead > 0)
return pskb_expand_head(skb, nhead, 0, GFP_ATOMIC);
/* Check tail too... */
return 0;
}
struct xfrm_state *
xfrm_state_lookup(u32 daddr, u32 spi, u8 proto)
{
unsigned h = ntohl(daddr^spi^proto);
struct xfrm_state *x;
h = (h ^ (h>>10) ^ (h>>20)) % XFRM_DST_HSIZE;
spin_lock_bh(&xfrm_state_lock);
list_for_each_entry(x, xfrm_state_byspi+h, byspi) {
if (spi == x->id.spi &&
daddr == x->id.daddr.xfrm4_addr &&
proto == x->id.proto) {
atomic_inc(&x->refcnt);
x->stats.lastuse = xtime.tv_sec;
spin_unlock_bh(&xfrm_state_lock);
return x;
}
}
spin_unlock_bh(&xfrm_state_lock);
return NULL;
}
int xfrm_replay_check(struct xfrm_state *x, u32 seq)
{
u32 diff;
seq = ntohl(seq);
if (unlikely(seq == 0))
return -EINVAL;
if (likely(seq > x->replay.seq))
return 0;
diff = x->replay.seq - seq;
if (diff >= x->props.replay_window) {
x->stats.replay_window++;
return -EINVAL;
}
if (x->replay.bitmap & (1U << diff)) {
x->stats.replay++;
return -EINVAL;
}
return 0;
}
void xfrm_replay_advance(struct xfrm_state *x, u32 seq)
{
u32 diff;
seq = ntohl(seq);
if (seq > x->replay.seq) {
diff = seq - x->replay.seq;
if (diff < x->props.replay_window)
x->replay.bitmap = ((x->replay.bitmap) << diff) | 1;
else
x->replay.bitmap = 1;
x->replay.seq = seq;
} else {
diff = x->replay.seq - seq;
x->replay.bitmap |= (1U << diff);
}
}
int xfrm_check_selectors(struct xfrm_state **x, int n, struct flowi *fl)
{
int i;
for (i=0; i<n; i++) {
if (!xfrm4_selector_match(&x[i]->sel, fl))
return -EINVAL;
}
return 0;
}
void km_notify(struct xfrm_state *x, int event)
{
}
int km_query(struct xfrm_state *x)
{
return -EINVAL;
}
void __init xfrm_state_init(void)
{
int i;
for (i=0; i<XFRM_DST_HSIZE; i++) {
INIT_LIST_HEAD(&xfrm_state_bydst[i]);
INIT_LIST_HEAD(&xfrm_state_byspi[i]);
}
}
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment