Commit ec111ae6 authored by David S. Miller's avatar David S. Miller

Merge nuts.ninka.net:/home/davem/src/BK/network-2.5

into nuts.ninka.net:/home/davem/src/BK/net-2.5
parents c2ef76af f60dc6b1
......@@ -70,6 +70,7 @@ struct in_addr {
#define IP_MTU 14
#define IP_FREEBIND 15
#define IP_IPSEC_POLICY 16
#define IP_XFRM_POLICY 17
/* BSD compatibility */
#define IP_RECVRETOPTS IP_RETOPTS
......
......@@ -91,6 +91,22 @@ struct xfrm_stats {
__u32 integrity_failed;
};
enum
{
XFRM_POLICY_IN = 0,
XFRM_POLICY_OUT = 1,
XFRM_POLICY_FWD = 2,
XFRM_POLICY_MAX = 3
};
enum
{
XFRM_SHARE_ANY, /* No limitations */
XFRM_SHARE_SESSION, /* For this session only */
XFRM_SHARE_USER, /* For this user only */
XFRM_SHARE_UNIQUE /* Use once */
};
/* Netlink configuration messages. */
#define XFRM_MSG_BASE 0x10
......@@ -104,8 +120,9 @@ struct xfrm_stats {
#define XFRM_MSG_ALLOCSPI (RTM_BASE + 6)
#define XFRM_MSG_ACQUIRE (RTM_BASE + 7)
#define XFRM_MSG_EXPIRE (RTM_BASE + 8)
#define XFRM_MSG_MAX (XFRM_MSG_ACQUIRE+1)
#define XFRM_MSG_MAX (XFRM_MSG_EXPIRE+1)
struct xfrm_user_tmpl {
struct xfrm_id id;
......@@ -113,6 +130,7 @@ struct xfrm_user_tmpl {
__u16 reqid;
__u8 mode;
__u8 share;
__u8 optional;
__u32 aalgos;
__u32 ealgos;
__u32 calgos;
......@@ -135,9 +153,9 @@ struct xfrm_usersa_info {
struct xfrm_lifetime_cfg lft;
struct xfrm_lifetime_cur curlft;
struct xfrm_stats stats;
__u32 seq;
__u16 family;
__u16 reqid;
__u8 sa_type;
__u8 mode; /* 0=transport,1=tunnel */
__u8 replay_window;
};
......@@ -148,15 +166,26 @@ struct xfrm_usersa_id {
__u8 proto;
};
struct xfrm_userspi_info {
struct xfrm_usersa_info info;
u32 min;
u32 max;
};
struct xfrm_userpolicy_info {
struct xfrm_selector sel;
struct xfrm_id id;
struct xfrm_lifetime_cfg lft;
struct xfrm_lifetime_cur curlft;
__u32 priority;
__u32 index;
__u16 family;
__u8 dir;
__u8 action;
#define XFRM_POLICY_ALLOW 0
#define XFRM_POLICY_BLOCK 1
__u8 flags;
#define XFRM_POLICY_LOCALOK 1 /* Allow user to override global policy */
__u8 share;
};
struct xfrm_userpolicy_id {
......@@ -165,4 +194,22 @@ struct xfrm_userpolicy_id {
__u8 dir;
};
struct xfrm_user_acquire {
struct xfrm_id id;
xfrm_address_t saddr;
struct xfrm_userpolicy_info policy;
__u32 aalgos;
__u32 ealgos;
__u32 calgos;
__u32 seq;
};
struct xfrm_user_expire {
struct xfrm_usersa_info state;
__u8 hard;
};
#define XFRMGRP_ACQUIRE 1
#define XFRMGRP_EXPIRE 2
#endif /* _LINUX_XFRM_H */
......@@ -187,22 +187,6 @@ struct xfrm_tmpl
#define XFRM_MAX_DEPTH 3
enum
{
XFRM_SHARE_ANY, /* No limitations */
XFRM_SHARE_SESSION, /* For this session only */
XFRM_SHARE_USER, /* For this user only */
XFRM_SHARE_UNIQUE /* Use once */
};
enum
{
XFRM_POLICY_IN = 0,
XFRM_POLICY_OUT = 1,
XFRM_POLICY_FWD = 2,
XFRM_POLICY_MAX = 3
};
struct xfrm_policy
{
struct xfrm_policy *next;
......@@ -218,10 +202,7 @@ struct xfrm_policy
struct xfrm_lifetime_cur curlft;
struct dst_entry *bundles;
__u8 action;
#define XFRM_POLICY_ALLOW 0
#define XFRM_POLICY_BLOCK 1
__u8 flags;
#define XFRM_POLICY_LOCALOK 1 /* Allow user to override global policy */
__u8 dead;
__u8 xfrm_nr;
struct xfrm_tmpl xfrm_vec[XFRM_MAX_DEPTH];
......
......@@ -362,5 +362,13 @@ config INET_ESP
If unsure, say Y.
config XFRM_USER
tristate "IP: IPsec user configuration interface"
---help---
Support for IPsec user configuration interface used
by native Linux tools.
If unsure, say Y.
source "net/ipv4/netfilter/Kconfig"
......@@ -20,6 +20,7 @@ obj-$(CONFIG_INET_AH) += ah.o
obj-$(CONFIG_INET_ESP) += esp.o
obj-$(CONFIG_IP_PNP) += ipconfig.o
obj-$(CONFIG_NETFILTER) += netfilter/
obj-$(CONFIG_XFRM_USER) += xfrm_user.o
obj-y += xfrm_policy.o xfrm_state.o xfrm_input.o
......
......@@ -189,7 +189,7 @@ int ah_output(struct sk_buff *skb)
top_iph->saddr = x->props.saddr.xfrm4_addr;
top_iph->daddr = x->id.daddr.xfrm4_addr;
ah = (struct ip_auth_hdr*)(top_iph+1);
ah->nexthdr = IPPROTO_IP;
ah->nexthdr = IPPROTO_IPIP;
} else {
memcpy(&tmp_iph, skb->data, iph->ihl*4);
top_iph = (struct iphdr*)skb_push(skb, x->props.header_len);
......
......@@ -190,11 +190,10 @@ esp_hmac_digest(struct esp_data *esp, struct sk_buff *skb, int offset,
struct crypto_tfm *tfm = esp->auth.tfm;
char *digest = esp->auth.work_digest;
memset(auth_data, 0, esp->auth.authlen);
crypto_hmac_init(tfm, esp->auth.key, &esp->auth.key_len);
skb_digest_walk(skb, tfm, offset, len);
crypto_hmac_final(tfm, esp->auth.key, &esp->auth.key_len, digest);
memcpy(auth_data, digest, crypto_tfm_alg_digestsize(tfm));
memcpy(auth_data, digest, esp->auth.authlen);
}
/* Check that skb data bits are writable. If they are not, copy data
......@@ -370,7 +369,7 @@ int esp_output(struct sk_buff *skb)
if (x->props.mode) {
top_iph = (struct iphdr*)skb_push(skb, x->props.header_len);
esph = (struct ip_esp_hdr*)(top_iph+1);
*(u8*)(trailer->tail - 1) = IPPROTO_IP;
*(u8*)(trailer->tail - 1) = IPPROTO_IPIP;
top_iph->ihl = 5;
top_iph->version = 4;
top_iph->tos = iph->tos; /* DS disclosed */
......@@ -463,16 +462,16 @@ int esp_input(struct xfrm_state *x, struct sk_buff *skb)
/* If integrity check is required, do this. */
if (esp->auth.authlen) {
int icvsize = crypto_tfm_alg_digestsize(esp->auth.tfm);
u8 sum[icvsize];
u8 sum1[icvsize];
u8 sum[esp->auth.authlen];
u8 sum1[esp->auth.authlen];
esp->auth.digest(esp, skb, 0, skb->len-esp->auth.authlen, sum);
if (skb_copy_bits(skb, skb->len-esp->auth.authlen, sum1, icvsize))
if (skb_copy_bits(skb, skb->len-esp->auth.authlen, sum1,
esp->auth.authlen))
BUG();
if (unlikely(memcmp(sum, sum1, icvsize))) {
if (unlikely(memcmp(sum, sum1, esp->auth.authlen))) {
x->stats.integrity_failed++;
goto out;
}
......@@ -605,14 +604,20 @@ int esp_init_state(struct xfrm_state *x, void *args)
memset(esp, 0, sizeof(*esp));
if (x->aalg) {
int digestsize;
esp->auth.key = x->aalg->alg_key;
esp->auth.key_len = (x->aalg->alg_key_len+7)/8;
esp->auth.tfm = crypto_alloc_tfm(x->aalg->alg_name, 0);
if (esp->auth.tfm == NULL)
goto error;
esp->auth.digest = esp_hmac_digest;
esp->auth.authlen = crypto_tfm_alg_digestsize(esp->auth.tfm);
esp->auth.work_digest = kmalloc(esp->auth.authlen, GFP_KERNEL);
digestsize = crypto_tfm_alg_digestsize(esp->auth.tfm);
/* XXX RFC2403 and RFC 2404 truncate auth to 96 bit */
esp->auth.authlen = 12;
if (esp->auth.authlen > digestsize) /* XXX */
BUG();
esp->auth.work_digest = kmalloc(digestsize, GFP_KERNEL);
if (!esp->auth.work_digest)
goto error;
}
......
......@@ -626,6 +626,7 @@ int ip_setsockopt(struct sock *sk, int level, int optname, char *optval, int opt
break;
case IP_IPSEC_POLICY:
case IP_XFRM_POLICY:
err = xfrm_user_policy(sk, optname, optval, optlen);
break;
......
......@@ -944,7 +944,7 @@ static int udp_queue_rcv_skb(struct sock * sk, struct sk_buff *skb)
/*
* Charge it to the socket, dropping if the queue is full.
*/
if (!xfrm_policy_check(NULL, XFRM_POLICY_IN, skb)) {
if (!xfrm_policy_check(sk, XFRM_POLICY_IN, skb)) {
kfree_skb(skb);
return -1;
}
......
......@@ -91,7 +91,7 @@ int xfrm4_rcv(struct sk_buff *skb)
iph = skb->nh.iph;
if (x->props.mode) {
if (iph->protocol != IPPROTO_IP)
if (iph->protocol != IPPROTO_IPIP)
goto drop;
skb->nh.raw = skb->data;
iph = skb->nh.iph;
......
This diff is collapsed.
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment