From fa9921e46fd52b78070dc67ce0d27ec301a90410 Mon Sep 17 00:00:00 2001 From: Nicolas Dichtel Date: Wed, 2 Feb 2011 06:29:02 +0000 Subject: ipsec: allow to align IPv4 AH on 32 bits The Linux IPv4 AH stack aligns the AH header on a 64 bit boundary (like in IPv6). This is not RFC compliant (see RFC4302, Section 3.3.3.2.1), it should be aligned on 32 bits. For most of the authentication algorithms, the ICV size is 96 bits. The AH header alignment on 32 or 64 bits gives the same results. However for SHA-256-128 for instance, the wrong 64 bit alignment results in adding useless padding in IPv4 AH, which is forbidden by the RFC. To avoid breaking backward compatibility, we use a new flag (XFRM_STATE_ALIGN4) do change original behavior. Initial patch from Dang Hongwu and Christophe Gouault . Signed-off-by: Nicolas Dichtel Signed-off-by: David S. Miller --- include/net/xfrm.h | 1 + 1 file changed, 1 insertion(+) (limited to 'include/net/xfrm.h') diff --git a/include/net/xfrm.h b/include/net/xfrm.h index b9f385d..1f6e8a0 100644 --- a/include/net/xfrm.h +++ b/include/net/xfrm.h @@ -36,6 +36,7 @@ #define XFRM_PROTO_ROUTING IPPROTO_ROUTING #define XFRM_PROTO_DSTOPTS IPPROTO_DSTOPTS +#define XFRM_ALIGN4(len) (((len) + 3) & ~3) #define XFRM_ALIGN8(len) (((len) + 7) & ~7) #define MODULE_ALIAS_XFRM_MODE(family, encap) \ MODULE_ALIAS("xfrm-mode-" __stringify(family) "-" __stringify(encap)) -- cgit v1.1 From e8a4e37716dbc964e1cd18bca1a62fbd11805c1d Mon Sep 17 00:00:00 2001 From: "David S. Miller" Date: Tue, 22 Feb 2011 17:42:56 -0800 Subject: xfrm: Mark flowi arg const in key extraction helpers. Signed-off-by: David S. Miller --- include/net/xfrm.h | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) (limited to 'include/net/xfrm.h') diff --git a/include/net/xfrm.h b/include/net/xfrm.h index 1f6e8a0..2de3dae 100644 --- a/include/net/xfrm.h +++ b/include/net/xfrm.h 
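Review bot: XFRM_ALIGN4 is added beside XFRM_ALIGN8 with no comment, so a reader of the header cannot tell why two rounding macros coexist or which one IPv4 AH is meant to use. The rationale lives only in the commit message; a one-line comment above the new define, `/* RFC 4302 3.3.3.2.1: IPv4 AH is 32-bit aligned (selected by XFRM_STATE_ALIGN4) */`, would carry it into the code. XFRM_STATE_ALIGN4 itself is not part of this file's hunk, so its definition cannot be checked here.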
@@ -790,7 +790,7 @@ static __inline__ int addr_match(void *token1, void *token2, int prefixlen) } static __inline__ -__be16 xfrm_flowi_sport(struct flowi *fl) +__be16 xfrm_flowi_sport(const struct flowi *fl) { __be16 port; switch(fl->proto) { @@ -817,7 +817,7 @@ __be16 xfrm_flowi_sport(struct flowi *fl) } static __inline__ -__be16 xfrm_flowi_dport(struct flowi *fl) +__be16 xfrm_flowi_dport(const struct flowi *fl) { __be16 port; switch(fl->proto) { @@ -1127,7 +1127,7 @@ static inline int xfrm6_policy_check_reverse(struct sock *sk, int dir, #endif static __inline__ -xfrm_address_t *xfrm_flowi_daddr(struct flowi *fl, unsigned short family) +xfrm_address_t *xfrm_flowi_daddr(const struct flowi *fl, unsigned short family) { switch (family){ case AF_INET: @@ -1139,7 +1139,7 @@ xfrm_address_t *xfrm_flowi_daddr(struct flowi *fl, unsigned short family) } static __inline__ -xfrm_address_t *xfrm_flowi_saddr(struct flowi *fl, unsigned short family) +xfrm_address_t *xfrm_flowi_saddr(const struct flowi *fl, unsigned short family) { switch (family){ case AF_INET: @@ -1151,7 +1151,7 @@ xfrm_address_t *xfrm_flowi_saddr(struct flowi *fl, unsigned short family) } static __inline__ -void xfrm_flowi_addr_get(struct flowi *fl, +void xfrm_flowi_addr_get(const struct flowi *fl, xfrm_address_t *saddr, xfrm_address_t *daddr, unsigned short family) { @@ -1204,7 +1204,7 @@ xfrm_state_addr_check(struct xfrm_state *x, } static __inline__ int -xfrm_state_addr_flow_check(struct xfrm_state *x, struct flowi *fl, +xfrm_state_addr_flow_check(struct xfrm_state *x, const struct flowi *fl, unsigned short family) { switch (family) { -- cgit v1.1 From 05d8402576c9c1b85bfc9e4f9d6a21c27ccbd5b1 Mon Sep 17 00:00:00 2001 From: "David S. Miller" Date: Tue, 22 Feb 2011 17:47:10 -0800 Subject: xfrm: Mark flowi arg to ->get_tos() const. Signed-off-by: David S. Miller --- include/net/xfrm.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'include/net/xfrm.h') 
diff --git a/include/net/xfrm.h b/include/net/xfrm.h index 2de3dae..2c0927b 100644 --- a/include/net/xfrm.h +++ b/include/net/xfrm.h @@ -273,7 +273,7 @@ struct xfrm_policy_afinfo { void (*decode_session)(struct sk_buff *skb, struct flowi *fl, int reverse); - int (*get_tos)(struct flowi *fl); + int (*get_tos)(const struct flowi *fl); int (*init_path)(struct xfrm_dst *path, struct dst_entry *dst, int nfheader_len); -- cgit v1.1 From 0c7b3eefb4ab8df245e94feb0d83c1c3450a3d87 Mon Sep 17 00:00:00 2001 From: "David S. Miller" Date: Tue, 22 Feb 2011 17:48:57 -0800 Subject: xfrm: Mark flowi arg to ->fill_dst() const. Signed-off-by: David S. Miller --- include/net/xfrm.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'include/net/xfrm.h') diff --git a/include/net/xfrm.h b/include/net/xfrm.h index 2c0927b..c77407f 100644 --- a/include/net/xfrm.h +++ b/include/net/xfrm.h @@ -279,7 +279,7 @@ struct xfrm_policy_afinfo { int nfheader_len); int (*fill_dst)(struct xfrm_dst *xdst, struct net_device *dev, - struct flowi *fl); + const struct flowi *fl); }; extern int xfrm_policy_register_afinfo(struct xfrm_policy_afinfo *afinfo); -- cgit v1.1 From 73e5ebb20f2809e2eb0b904448481e010c2599d7 Mon Sep 17 00:00:00 2001 From: "David S. Miller" Date: Tue, 22 Feb 2011 17:51:44 -0800 Subject: xfrm: Mark flowi arg to ->init_tempsel() const. Signed-off-by: David S. Miller --- include/net/xfrm.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'include/net/xfrm.h') diff --git a/include/net/xfrm.h b/include/net/xfrm.h index c77407f..614c296 100644 --- a/include/net/xfrm.h +++ b/include/net/xfrm.h 
@@ -300,7 +300,8 @@ struct xfrm_state_afinfo { const struct xfrm_type *type_map[IPPROTO_MAX]; struct xfrm_mode *mode_map[XFRM_MODE_MAX]; int (*init_flags)(struct xfrm_state *x); - void (*init_tempsel)(struct xfrm_selector *sel, struct flowi *fl); + void (*init_tempsel)(struct xfrm_selector *sel, + const struct flowi *fl); void (*init_temprop)(struct xfrm_state *x, struct xfrm_tmpl *tmpl, xfrm_address_t *daddr, xfrm_address_t *saddr); int (*tmpl_sort)(struct xfrm_tmpl **dst, struct xfrm_tmpl **src, int n); -- cgit v1.1 From 8f029de281b26ec9fd5cd77294db1d35d9876f1a Mon Sep 17 00:00:00 2001 From: "David S. Miller" Date: Tue, 22 Feb 2011 17:59:59 -0800 Subject: xfrm: Mark flowi arg to xfrm_type->reject() const. Signed-off-by: David S. Miller --- include/net/xfrm.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'include/net/xfrm.h') diff --git a/include/net/xfrm.h b/include/net/xfrm.h index 614c296..cbe0003 100644 --- a/include/net/xfrm.h +++ b/include/net/xfrm.h @@ -334,7 +334,8 @@ struct xfrm_type { void (*destructor)(struct xfrm_state *); int (*input)(struct xfrm_state *, struct sk_buff *skb); int (*output)(struct xfrm_state *, struct sk_buff *pskb); - int (*reject)(struct xfrm_state *, struct sk_buff *, struct flowi *); + int (*reject)(struct xfrm_state *, struct sk_buff *, + const struct flowi *); int (*hdr_offset)(struct xfrm_state *, struct sk_buff *, u8 **); /* Estimate maximal size of result of transformation of a dgram */ u32 (*get_mtu)(struct xfrm_state *, int size); -- cgit v1.1 From 1744a8fe09e5db7315a57da52fa7c1afa779cfa0 Mon Sep 17 00:00:00 2001 From: "David S. Miller" Date: Tue, 22 Feb 2011 18:02:12 -0800 Subject: xfrm: Mark token args to addr_match() const. Also, make it return a real bool. Signed-off-by: David S. Miller --- include/net/xfrm.h | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) (limited to 'include/net/xfrm.h') diff --git a/include/net/xfrm.h b/include/net/xfrm.h index cbe0003..2328532 100644 
--- a/include/net/xfrm.h +++ b/include/net/xfrm.h @@ -765,10 +765,11 @@ static inline void xfrm_state_hold(struct xfrm_state *x) atomic_inc(&x->refcnt); } -static __inline__ int addr_match(void *token1, void *token2, int prefixlen) +static inline bool addr_match(const void *token1, const void *token2, + int prefixlen) { - __be32 *a1 = token1; - __be32 *a2 = token2; + const __be32 *a1 = token1; + const __be32 *a2 = token2; int pdw; int pbi; @@ -777,7 +778,7 @@ static __inline__ int addr_match(void *token1, void *token2, int prefixlen) if (pdw) if (memcmp(a1, a2, pdw << 2)) - return 0; + return false; if (pbi) { __be32 mask; @@ -785,10 +786,10 @@ static __inline__ int addr_match(void *token1, void *token2, int prefixlen) mask = htonl((0xffffffff) << (32 - pbi)); if ((a1[pdw] ^ a2[pdw]) & mask) - return 0; + return false; } - return 1; + return true; } static __inline__ -- cgit v1.1 From e1ad2ab2cf0cabcd81861e2c61870fc27bb27ded Mon Sep 17 00:00:00 2001 From: "David S. Miller" Date: Tue, 22 Feb 2011 18:07:39 -0800 Subject: xfrm: Mark flowi arg to xfrm_selector_match() const. Signed-off-by: David S. Miller --- include/net/xfrm.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'include/net/xfrm.h') diff --git a/include/net/xfrm.h b/include/net/xfrm.h index 2328532..b965ad7 100644 --- a/include/net/xfrm.h +++ b/include/net/xfrm.h @@ -843,7 +843,8 @@ __be16 xfrm_flowi_dport(const struct flowi *fl) return port; } -extern int xfrm_selector_match(struct xfrm_selector *sel, struct flowi *fl, +extern int xfrm_selector_match(struct xfrm_selector *sel, + const struct flowi *fl, unsigned short family); #ifdef CONFIG_SECURITY_NETWORK_XFRM -- cgit v1.1 From b520e9f616f4f29c8d2557ba704b74ce6d79ff07 Mon Sep 17 00:00:00 2001 From: "David S. Miller" Date: Tue, 22 Feb 2011 18:24:19 -0800 Subject: xfrm: Mark flowi arg to xfrm_state_find() const. 
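Review bot: addr_match gets a bool return type and const tokens but still has no comment describing its contract, and this is the moment to add one; a kernel-doc block stating that both tokens are arrays of big-endian 32-bit words and that only the leading prefixlen bits are compared would make the new signature self-documenting. `prefixlen` remains a plain `int`; the pdw/pbi derivation lies in the gap between the first and second hunk, so it cannot be confirmed here that a negative or over-long prefix is rejected before `memcmp(a1, a2, pdw << 2)` and the `32 - pbi` shift — worth verifying on the caller side.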
Signed-off-by: David S. Miller --- include/net/xfrm.h | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'include/net/xfrm.h') diff --git a/include/net/xfrm.h b/include/net/xfrm.h index b965ad7..bb824a5 100644 --- a/include/net/xfrm.h +++ b/include/net/xfrm.h @@ -1328,8 +1328,10 @@ extern int xfrm_state_walk(struct net *net, struct xfrm_state_walk *walk, int (*func)(struct xfrm_state *, int, void*), void *); extern void xfrm_state_walk_done(struct xfrm_state_walk *walk); extern struct xfrm_state *xfrm_state_alloc(struct net *net); -extern struct xfrm_state *xfrm_state_find(xfrm_address_t *daddr, xfrm_address_t *saddr, - struct flowi *fl, struct xfrm_tmpl *tmpl, +extern struct xfrm_state *xfrm_state_find(xfrm_address_t *daddr, + xfrm_address_t *saddr, + const struct flowi *fl, + struct xfrm_tmpl *tmpl, struct xfrm_policy *pol, int *err, unsigned short family); extern struct xfrm_state *xfrm_stateonly_find(struct net *net, u32 mark, -- cgit v1.1 From 214e005bc32c7045b8554f9f0fb07b3fcce2cd42 Mon Sep 17 00:00:00 2001 From: "David S. Miller" Date: Thu, 24 Feb 2011 00:02:38 -0500 Subject: xfrm: Pass km_event pointers around as const when possible. Signed-off-by: David S. Miller --- include/net/xfrm.h | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'include/net/xfrm.h') diff --git a/include/net/xfrm.h b/include/net/xfrm.h index bb824a5..6ef5c37 100644 --- a/include/net/xfrm.h +++ b/include/net/xfrm.h 
@@ -284,8 +284,8 @@ struct xfrm_policy_afinfo { extern int xfrm_policy_register_afinfo(struct xfrm_policy_afinfo *afinfo); extern int xfrm_policy_unregister_afinfo(struct xfrm_policy_afinfo *afinfo); -extern void km_policy_notify(struct xfrm_policy *xp, int dir, struct km_event *c); -extern void km_state_notify(struct xfrm_state *x, struct km_event *c); +extern void km_policy_notify(struct xfrm_policy *xp, int dir, const struct km_event *c); +extern void km_state_notify(struct xfrm_state *x, const struct km_event *c); struct xfrm_tmpl; extern int km_query(struct xfrm_state *x, struct xfrm_tmpl *t, struct xfrm_policy *pol); @@ -548,11 +548,11 @@ struct xfrm_migrate { struct xfrm_mgr { struct list_head list; char *id; - int (*notify)(struct xfrm_state *x, struct km_event *c); + int (*notify)(struct xfrm_state *x, const struct km_event *c); int (*acquire)(struct xfrm_state *x, struct xfrm_tmpl *, struct xfrm_policy *xp, int dir); struct xfrm_policy *(*compile_policy)(struct sock *sk, int opt, u8 *data, int len, int *dir); int (*new_mapping)(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport); - int (*notify_policy)(struct xfrm_policy *x, int dir, struct km_event *c); + int (*notify_policy)(struct xfrm_policy *x, int dir, const struct km_event *c); int (*report)(struct net *net, u8 proto, struct xfrm_selector *sel, xfrm_address_t *addr); int (*migrate)(struct xfrm_selector *sel, u8 dir, u8 type, struct xfrm_migrate *m, int num_bundles, struct xfrm_kmaddress *k); }; -- cgit v1.1 From 19bd62441c36279ab33e311faebd357ef04ba344 Mon Sep 17 00:00:00 2001 From: "David S. Miller" Date: Thu, 24 Feb 2011 00:07:20 -0500 Subject: xfrm: Const'ify tmpl and address arguments to ->init_temprop() Signed-off-by: David S. Miller --- include/net/xfrm.h | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'include/net/xfrm.h') diff --git a/include/net/xfrm.h b/include/net/xfrm.h index 6ef5c37..46f4470 100644 --- a/include/net/xfrm.h +++ b/include/net/xfrm.h 
@@ -302,8 +302,10 @@ struct xfrm_state_afinfo { int (*init_flags)(struct xfrm_state *x); void (*init_tempsel)(struct xfrm_selector *sel, const struct flowi *fl); - void (*init_temprop)(struct xfrm_state *x, struct xfrm_tmpl *tmpl, - xfrm_address_t *daddr, xfrm_address_t *saddr); + void (*init_temprop)(struct xfrm_state *x, + const struct xfrm_tmpl *tmpl, + const xfrm_address_t *daddr, + const xfrm_address_t *saddr); int (*tmpl_sort)(struct xfrm_tmpl **dst, struct xfrm_tmpl **src, int n); int (*state_sort)(struct xfrm_state **dst, struct xfrm_state **src, int n); int (*output)(struct sk_buff *skb); -- cgit v1.1 From 200ce96e5601391a6d97c87067edf21fa94fb74e Mon Sep 17 00:00:00 2001 From: "David S. Miller" Date: Thu, 24 Feb 2011 00:12:25 -0500 Subject: xfrm: Const'ify selector argument to xfrm_selector_match() Signed-off-by: David S. Miller --- include/net/xfrm.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'include/net/xfrm.h') diff --git a/include/net/xfrm.h b/include/net/xfrm.h index 46f4470..567f08b 100644 --- a/include/net/xfrm.h +++ b/include/net/xfrm.h @@ -845,7 +845,7 @@ __be16 xfrm_flowi_dport(const struct flowi *fl) return port; } -extern int xfrm_selector_match(struct xfrm_selector *sel, +extern int xfrm_selector_match(const struct xfrm_selector *sel, const struct flowi *fl, unsigned short family); -- cgit v1.1 From 5e6b930f21b0a442f9d5db97c8314b4d91be1c27 Mon Sep 17 00:00:00 2001 From: "David S. Miller" Date: Thu, 24 Feb 2011 00:14:45 -0500 Subject: xfrm: Const'ify address arguments to ->dst_lookup() Signed-off-by: David S. Miller --- include/net/xfrm.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'include/net/xfrm.h') diff --git a/include/net/xfrm.h b/include/net/xfrm.h index 567f08b..18f115a 100644 --- a/include/net/xfrm.h +++ b/include/net/xfrm.h 
@@ -267,8 +267,8 @@ struct xfrm_policy_afinfo { struct dst_ops *dst_ops; void (*garbage_collect)(struct net *net); struct dst_entry *(*dst_lookup)(struct net *net, int tos, - xfrm_address_t *saddr, - xfrm_address_t *daddr); + const xfrm_address_t *saddr, + const xfrm_address_t *daddr); int (*get_saddr)(struct net *net, xfrm_address_t *saddr, xfrm_address_t *daddr); void (*decode_session)(struct sk_buff *skb, struct flowi *fl, -- cgit v1.1 From ff6acd16825d59de3964b036183a5d214213b9a6 Mon Sep 17 00:00:00 2001 From: "David S. Miller" Date: Thu, 24 Feb 2011 00:19:13 -0500 Subject: xfrm: Const'ify address arguments to xfrm_addr_cmp() Signed-off-by: David S. Miller --- include/net/xfrm.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'include/net/xfrm.h') diff --git a/include/net/xfrm.h b/include/net/xfrm.h index 18f115a..1c82b94 100644 --- a/include/net/xfrm.h +++ b/include/net/xfrm.h @@ -1520,7 +1520,8 @@ struct scatterlist; typedef int (icv_update_fn_t)(struct hash_desc *, struct scatterlist *, unsigned int); -static inline int xfrm_addr_cmp(xfrm_address_t *a, xfrm_address_t *b, +static inline int xfrm_addr_cmp(const xfrm_address_t *a, + const xfrm_address_t *b, int family) { switch (family) { -- cgit v1.1 From 6cc329610f2a1698576a2a8a94dbad8f82a66363 Mon Sep 17 00:00:00 2001 From: "David S. Miller" Date: Thu, 24 Feb 2011 00:19:59 -0500 Subject: xfrm: Const'ify address argument to xfrm_addr_any() Signed-off-by: David S. Miller --- include/net/xfrm.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'include/net/xfrm.h') diff --git a/include/net/xfrm.h b/include/net/xfrm.h index 1c82b94..b60f956 100644 --- a/include/net/xfrm.h +++ b/include/net/xfrm.h @@ -954,7 +954,7 @@ secpath_reset(struct sk_buff *skb) } static inline int -xfrm_addr_any(xfrm_address_t *addr, unsigned short family) +xfrm_addr_any(const xfrm_address_t *addr, unsigned short family) { switch (family) { case AF_INET: -- cgit v1.1 
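Review bot: dst_lookup's address arguments become const, but the next context line, `int (*get_saddr)(struct net *net, xfrm_address_t *saddr, xfrm_address_t *daddr);`, keeps a non-const daddr. If daddr is input-only there as the name suggests (the implementations are not on this page), it could receive the same qualifier in this pass so the two neighbouring callbacks read consistently.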
From 183cad12785ffc036571c4b789dc084ec61a1bad Mon Sep 17 00:00:00 2001 From: "David S. Miller" Date: Thu, 24 Feb 2011 00:28:01 -0500 Subject: xfrm: Const'ify pointer args to km_migrate() and implementations. Signed-off-by: David S. Miller --- include/net/xfrm.h | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) (limited to 'include/net/xfrm.h') diff --git a/include/net/xfrm.h b/include/net/xfrm.h index b60f956..17b296b 100644 --- a/include/net/xfrm.h +++ b/include/net/xfrm.h @@ -556,7 +556,11 @@ struct xfrm_mgr { int (*new_mapping)(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport); int (*notify_policy)(struct xfrm_policy *x, int dir, const struct km_event *c); int (*report)(struct net *net, u8 proto, struct xfrm_selector *sel, xfrm_address_t *addr); - int (*migrate)(struct xfrm_selector *sel, u8 dir, u8 type, struct xfrm_migrate *m, int num_bundles, struct xfrm_kmaddress *k); + int (*migrate)(const struct xfrm_selector *sel, + u8 dir, u8 type, + const struct xfrm_migrate *m, + int num_bundles, + const struct xfrm_kmaddress *k); }; extern int xfrm_register_km(struct xfrm_mgr *km); @@ -1483,9 +1487,9 @@ struct xfrm_state *xfrm_find_acq(struct net *net, struct xfrm_mark *mark, extern int xfrm_sk_policy_insert(struct sock *sk, int dir, struct xfrm_policy *pol); #ifdef CONFIG_XFRM_MIGRATE -extern int km_migrate(struct xfrm_selector *sel, u8 dir, u8 type, - struct xfrm_migrate *m, int num_bundles, - struct xfrm_kmaddress *k); +extern int km_migrate(const struct xfrm_selector *sel, u8 dir, u8 type, + const struct xfrm_migrate *m, int num_bundles, + const struct xfrm_kmaddress *k); extern struct xfrm_state * xfrm_migrate_state_find(struct xfrm_migrate *m); extern struct xfrm_state * xfrm_state_migrate(struct xfrm_state *x, struct xfrm_migrate *m); -- cgit v1.1 From b4b7c0b389131c34b6c3a6bf3f3c4d17fe59155f Mon Sep 17 00:00:00 2001 
From: "David S. Miller" Date: Thu, 24 Feb 2011 00:35:06 -0500 Subject: xfrm: Const'ify selector args in xfrm_migrate paths. Signed-off-by: David S. Miller --- include/net/xfrm.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'include/net/xfrm.h') diff --git a/include/net/xfrm.h b/include/net/xfrm.h index 17b296b..1806c91 100644 --- a/include/net/xfrm.h +++ b/include/net/xfrm.h @@ -1493,7 +1493,7 @@ extern int km_migrate(const struct xfrm_selector *sel, u8 dir, u8 type, extern struct xfrm_state * xfrm_migrate_state_find(struct xfrm_migrate *m); extern struct xfrm_state * xfrm_state_migrate(struct xfrm_state *x, struct xfrm_migrate *m); -extern int xfrm_migrate(struct xfrm_selector *sel, u8 dir, u8 type, +extern int xfrm_migrate(const struct xfrm_selector *sel, u8 dir, u8 type, struct xfrm_migrate *m, int num_bundles, struct xfrm_kmaddress *k); #endif -- cgit v1.1 From 63eb23f5d80d7158fa575aaca240cb8497e2c06f Mon Sep 17 00:00:00 2001 From: "David S. Miller" Date: Thu, 24 Feb 2011 01:25:19 -0500 Subject: xfrm: Const'ify policy arg to xp_net. Signed-off-by: David S. Miller --- include/net/xfrm.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'include/net/xfrm.h') diff --git a/include/net/xfrm.h b/include/net/xfrm.h index 1806c91..5402a1e 100644 --- a/include/net/xfrm.h +++ b/include/net/xfrm.h @@ -506,7 +506,7 @@ struct xfrm_policy { struct xfrm_tmpl xfrm_vec[XFRM_MAX_DEPTH]; }; -static inline struct net *xp_net(struct xfrm_policy *xp) +static inline struct net *xp_net(const struct xfrm_policy *xp) { return read_pnet(&xp->xp_net); } -- cgit v1.1 From 21eddb5c1e972727fadec57d8c340dcf814d7902 Mon Sep 17 00:00:00 2001 From: "David S. Miller" Date: Thu, 24 Feb 2011 01:35:16 -0500 Subject: xfrm: Const'ify xfrm_tmpl and xfrm_state args to xfrm_state_addr_cmp. Signed-off-by: David S. Miller --- include/net/xfrm.h | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'include/net/xfrm.h') 
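Review bot: xfrm_migrate's selector becomes const while its `struct xfrm_migrate *m` and `struct xfrm_kmaddress *k` stay writable, although km_migrate, const'ified in the preceding commit (183cad12), now takes `const struct xfrm_migrate *m` and `const struct xfrm_kmaddress *k`. If xfrm_migrate only forwards m and k (its body is not on this page), the declaration could match km_migrate; if it does modify them, a short comment saying so would explain the asymmetry. xfrm_migrate_state_find on the context line above has the same open question.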
diff --git a/include/net/xfrm.h b/include/net/xfrm.h index 5402a1e..f6d2f63 100644 --- a/include/net/xfrm.h +++ b/include/net/xfrm.h @@ -970,21 +970,21 @@ xfrm_addr_any(const xfrm_address_t *addr, unsigned short family) } static inline int -__xfrm4_state_addr_cmp(struct xfrm_tmpl *tmpl, struct xfrm_state *x) +__xfrm4_state_addr_cmp(const struct xfrm_tmpl *tmpl, const struct xfrm_state *x) { return (tmpl->saddr.a4 && tmpl->saddr.a4 != x->props.saddr.a4); } static inline int -__xfrm6_state_addr_cmp(struct xfrm_tmpl *tmpl, struct xfrm_state *x) +__xfrm6_state_addr_cmp(const struct xfrm_tmpl *tmpl, const struct xfrm_state *x) { return (!ipv6_addr_any((struct in6_addr*)&tmpl->saddr) && ipv6_addr_cmp((struct in6_addr *)&tmpl->saddr, (struct in6_addr*)&x->props.saddr)); } static inline int -xfrm_state_addr_cmp(struct xfrm_tmpl *tmpl, struct xfrm_state *x, unsigned short family) +xfrm_state_addr_cmp(const struct xfrm_tmpl *tmpl, const struct xfrm_state *x, unsigned short family) { switch (family) { case AF_INET: -- cgit v1.1 From f8848067caff97ce03ee9beef8b6dd5c70f7e736 Mon Sep 17 00:00:00 2001 From: "David S. Miller" Date: Thu, 24 Feb 2011 01:42:28 -0500 Subject: xfrm: Const'ify ptr args to xfrm_state_*_check and xfrm_state_kern. Signed-off-by: David S. Miller --- include/net/xfrm.h | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) (limited to 'include/net/xfrm.h') diff --git a/include/net/xfrm.h b/include/net/xfrm.h index f6d2f63..3205e5e 100644 --- a/include/net/xfrm.h +++ b/include/net/xfrm.h @@ -1178,8 +1178,8 @@ void xfrm_flowi_addr_get(const struct flowi *fl, } static __inline__ int -__xfrm4_state_addr_check(struct xfrm_state *x, - xfrm_address_t *daddr, xfrm_address_t *saddr) +__xfrm4_state_addr_check(const struct xfrm_state *x, + const xfrm_address_t *daddr, const xfrm_address_t *saddr) { if (daddr->a4 == x->id.daddr.a4 && (saddr->a4 == x->props.saddr.a4 || !saddr->a4 || !x->props.saddr.a4)) 
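Review bot: __xfrm6_state_addr_cmp now takes const tmpl and x, yet the unchanged body casts `(struct in6_addr*)&tmpl->saddr` and `(struct in6_addr*)&x->props.saddr`, discarding the qualifier the signature just gained and hiding any accidental write from -Wcast-qual. Provided ipv6_addr_any and ipv6_addr_cmp accept const pointers (their prototypes are not on this page), the casts can become `(const struct in6_addr *)&tmpl->saddr` and `(const struct in6_addr *)&x->props.saddr`. The same pattern remains in __xfrm6_state_addr_check in the following commit (f8848067), which updated the `(const xfrm_address_t *)` casts in xfrm_state_addr_flow_check but left the in6_addr casts alone.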
@@ -1188,8 +1188,8 @@ __xfrm4_state_addr_check(struct xfrm_state *x, } static __inline__ int -__xfrm6_state_addr_check(struct xfrm_state *x, - xfrm_address_t *daddr, xfrm_address_t *saddr) +__xfrm6_state_addr_check(const struct xfrm_state *x, + const xfrm_address_t *daddr, const xfrm_address_t *saddr) { if (!ipv6_addr_cmp((struct in6_addr *)daddr, (struct in6_addr *)&x->id.daddr) && (!ipv6_addr_cmp((struct in6_addr *)saddr, (struct in6_addr *)&x->props.saddr)|| @@ -1200,8 +1200,8 @@ __xfrm6_state_addr_check(struct xfrm_state *x, } static __inline__ int -xfrm_state_addr_check(struct xfrm_state *x, - xfrm_address_t *daddr, xfrm_address_t *saddr, +xfrm_state_addr_check(const struct xfrm_state *x, + const xfrm_address_t *daddr, const xfrm_address_t *saddr, unsigned short family) { switch (family) { @@ -1214,23 +1214,23 @@ xfrm_state_addr_check(struct xfrm_state *x, } static __inline__ int -xfrm_state_addr_flow_check(struct xfrm_state *x, const struct flowi *fl, +xfrm_state_addr_flow_check(const struct xfrm_state *x, const struct flowi *fl, unsigned short family) { switch (family) { case AF_INET: return __xfrm4_state_addr_check(x, - (xfrm_address_t *)&fl->fl4_dst, - (xfrm_address_t *)&fl->fl4_src); + (const xfrm_address_t *)&fl->fl4_dst, + (const xfrm_address_t *)&fl->fl4_src); case AF_INET6: return __xfrm6_state_addr_check(x, - (xfrm_address_t *)&fl->fl6_dst, - (xfrm_address_t *)&fl->fl6_src); + (const xfrm_address_t *)&fl->fl6_dst, + (const xfrm_address_t *)&fl->fl6_src); } return 0; } -static inline int xfrm_state_kern(struct xfrm_state *x) +static inline int xfrm_state_kern(const struct xfrm_state *x) { return atomic_read(&x->tunnel_users); } -- cgit v1.1 From 33765d06033cc4ba4d9ae6d3d606ef3f28773c1b Mon Sep 17 00:00:00 2001 From: "David S. Miller" Date: Thu, 24 Feb 2011 01:55:45 -0500 Subject: xfrm: Const'ify xfrm_address_t args to xfrm_state_find. This required a const'ification in xfrm_init_tempstate() too. 
Signed-off-by: David S. Miller --- include/net/xfrm.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'include/net/xfrm.h') diff --git a/include/net/xfrm.h b/include/net/xfrm.h index 3205e5e..44dccfc 100644 --- a/include/net/xfrm.h +++ b/include/net/xfrm.h @@ -1334,8 +1334,8 @@ extern int xfrm_state_walk(struct net *net, struct xfrm_state_walk *walk, int (*func)(struct xfrm_state *, int, void*), void *); extern void xfrm_state_walk_done(struct xfrm_state_walk *walk); extern struct xfrm_state *xfrm_state_alloc(struct net *net); -extern struct xfrm_state *xfrm_state_find(xfrm_address_t *daddr, - xfrm_address_t *saddr, +extern struct xfrm_state *xfrm_state_find(const xfrm_address_t *daddr, + const xfrm_address_t *saddr, const struct flowi *fl, struct xfrm_tmpl *tmpl, struct xfrm_policy *pol, int *err, -- cgit v1.1 From 6f2f19ed955e62a6789495da512d510f26ad4885 Mon Sep 17 00:00:00 2001 From: "David S. Miller" Date: Sun, 27 Feb 2011 23:04:45 -0800 Subject: xfrm: Pass name as const to xfrm_*_get_byname(). Signed-off-by: David S. Miller --- include/net/xfrm.h | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'include/net/xfrm.h') diff --git a/include/net/xfrm.h b/include/net/xfrm.h index 44dccfc..86ecfc1 100644 --- a/include/net/xfrm.h +++ b/include/net/xfrm.h 
@@ -1513,10 +1513,10 @@ extern struct xfrm_algo_desc *xfrm_ealg_get_byidx(unsigned int idx); extern struct xfrm_algo_desc *xfrm_aalg_get_byid(int alg_id); extern struct xfrm_algo_desc *xfrm_ealg_get_byid(int alg_id); extern struct xfrm_algo_desc *xfrm_calg_get_byid(int alg_id); -extern struct xfrm_algo_desc *xfrm_aalg_get_byname(char *name, int probe); -extern struct xfrm_algo_desc *xfrm_ealg_get_byname(char *name, int probe); -extern struct xfrm_algo_desc *xfrm_calg_get_byname(char *name, int probe); -extern struct xfrm_algo_desc *xfrm_aead_get_byname(char *name, int icv_len, +extern struct xfrm_algo_desc *xfrm_aalg_get_byname(const char *name, int probe); +extern struct xfrm_algo_desc *xfrm_ealg_get_byname(const char *name, int probe); +extern struct xfrm_algo_desc *xfrm_calg_get_byname(const char *name, int probe); +extern struct xfrm_algo_desc *xfrm_aead_get_byname(const char *name, int icv_len, int probe); struct hash_desc; -- cgit v1.1 From 851586218f5d463bbd62af40dfa264c5e3539572 Mon Sep 17 00:00:00 2001 From: "David S. Miller" Date: Sun, 27 Feb 2011 23:07:02 -0800 Subject: xfrm: Pass const arg to xfrm_alg_len and xfrm_alg_auth_len. Signed-off-by: David S. Miller --- include/net/xfrm.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'include/net/xfrm.h') diff --git a/include/net/xfrm.h b/include/net/xfrm.h index 86ecfc1..15e310f 100644 --- a/include/net/xfrm.h +++ b/include/net/xfrm.h @@ -1558,12 +1558,12 @@ static inline int xfrm_aevent_is_on(struct net *net) } #endif -static inline int xfrm_alg_len(struct xfrm_algo *alg) +static inline int xfrm_alg_len(const struct xfrm_algo *alg) { return sizeof(*alg) + ((alg->alg_key_len + 7) / 8); } -static inline int xfrm_alg_auth_len(struct xfrm_algo_auth *alg) +static inline int xfrm_alg_auth_len(const struct xfrm_algo_auth *alg) { return sizeof(*alg) + ((alg->alg_key_len + 7) / 8); } -- cgit v1.1 From a70486f0e669730bad6713063e3f59e2e870044f Mon Sep 17 00:00:00 2001 
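Review bot: xfrm_alg_len and xfrm_alg_auth_len compute `sizeof(*alg) + ((alg->alg_key_len + 7) / 8)` and return `int`; the addition is unchecked and the size_t sum is narrowed on return, so an unvalidated key length near the top of its range wraps before the division. Presumably alg_key_len is bounded where the algorithm description enters the kernel (that check is not on this page); a comment such as `/* caller must have validated alg_key_len; no overflow guard here */` would record that precondition next to the arithmetic. Returning size_t would be the cleaner fix but touches callers outside the hunk.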
From: "David S. Miller" Date: Sun, 27 Feb 2011 23:17:24 -0800 Subject: xfrm: Pass const xfrm_address_t objects to xfrm_state_lookup* and xfrm_find_acq. Signed-off-by: David S. Miller --- include/net/xfrm.h | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'include/net/xfrm.h') diff --git a/include/net/xfrm.h b/include/net/xfrm.h index 15e310f..437c289 100644 --- a/include/net/xfrm.h +++ b/include/net/xfrm.h @@ -1350,11 +1350,11 @@ extern void xfrm_state_insert(struct xfrm_state *x); extern int xfrm_state_add(struct xfrm_state *x); extern int xfrm_state_update(struct xfrm_state *x); extern struct xfrm_state *xfrm_state_lookup(struct net *net, u32 mark, - xfrm_address_t *daddr, __be32 spi, + const xfrm_address_t *daddr, __be32 spi, u8 proto, unsigned short family); extern struct xfrm_state *xfrm_state_lookup_byaddr(struct net *net, u32 mark, - xfrm_address_t *daddr, - xfrm_address_t *saddr, + const xfrm_address_t *daddr, + const xfrm_address_t *saddr, u8 proto, unsigned short family); #ifdef CONFIG_XFRM_SUB_POLICY @@ -1481,8 +1481,8 @@ u32 xfrm_get_acqseq(void); extern int xfrm_alloc_spi(struct xfrm_state *x, u32 minspi, u32 maxspi); struct xfrm_state *xfrm_find_acq(struct net *net, struct xfrm_mark *mark, u8 mode, u32 reqid, u8 proto, - xfrm_address_t *daddr, - xfrm_address_t *saddr, int create, + const xfrm_address_t *daddr, + const xfrm_address_t *saddr, int create, unsigned short family); extern int xfrm_sk_policy_insert(struct sock *sk, int dir, struct xfrm_policy *pol); -- cgit v1.1 From e3dfa389fd2c79526b4bbf295726b66d21001664 Mon Sep 17 00:00:00 2001 From: "David S. Miller" Date: Sun, 27 Feb 2011 23:20:19 -0800 Subject: xfrm: Pass const xfrm_mark to xfrm_mark_put(). Signed-off-by: David S. Miller --- include/net/xfrm.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'include/net/xfrm.h') diff --git a/include/net/xfrm.h b/include/net/xfrm.h index 437c289..efded23 100644 --- a/include/net/xfrm.h 
+++ b/include/net/xfrm.h @@ -1611,7 +1611,7 @@ static inline int xfrm_mark_get(struct nlattr **attrs, struct xfrm_mark *m) return m->v & m->m; } -static inline int xfrm_mark_put(struct sk_buff *skb, struct xfrm_mark *m) +static inline int xfrm_mark_put(struct sk_buff *skb, const struct xfrm_mark *m) { if (m->m | m->v) NLA_PUT(skb, XFRMA_MARK, sizeof(struct xfrm_mark), m); -- cgit v1.1 From 2774c131b1d19920b4587db1cfbd6f0750ad1f15 Mon Sep 17 00:00:00 2001 From: "David S. Miller" Date: Tue, 1 Mar 2011 14:59:04 -0800 Subject: xfrm: Handle blackhole route creation via afinfo. That way we don't have to potentially do this in every xfrm_lookup() caller. Signed-off-by: David S. Miller --- include/net/xfrm.h | 1 + 1 file changed, 1 insertion(+) (limited to 'include/net/xfrm.h') diff --git a/include/net/xfrm.h b/include/net/xfrm.h index efded23..d5dcf39 100644 --- a/include/net/xfrm.h +++ b/include/net/xfrm.h @@ -280,6 +280,7 @@ struct xfrm_policy_afinfo { int (*fill_dst)(struct xfrm_dst *xdst, struct net_device *dev, const struct flowi *fl); + struct dst_entry *(*blackhole_route)(struct net *net, struct dst_entry *orig); }; extern int xfrm_policy_register_afinfo(struct xfrm_policy_afinfo *afinfo); -- cgit v1.1 From 1d28f42c1bd4bb2363d88df74d0128b4da135b4a Mon Sep 17 00:00:00 2001 From: "David S. Miller" Date: Sat, 12 Mar 2011 00:29:39 -0500 Subject: net: Put flowi_* prefix on AF independent members of struct flowi I intend to turn struct flowi into a union of AF specific flowi structs. There will be a common structure that each variant includes first, much like struct sock_common. This is the first step to move in that direction. Signed-off-by: David S. Miller --- include/net/xfrm.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'include/net/xfrm.h') diff --git a/include/net/xfrm.h b/include/net/xfrm.h index d5dcf39..d5a12d1 100644 --- a/include/net/xfrm.h +++ b/include/net/xfrm.h 
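Review bot: the new blackhole_route callback joins xfrm_policy_afinfo without a comment, so every reader of this header has to guess what it returns and what happens to `orig`. The commit message explains that it centralises blackhole creation so xfrm_lookup() callers need not do it themselves; a comment above the member stating that, plus whether `orig` is consumed or merely referenced (not determinable from this hunk), would save the next implementer a trip to the callers.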
@@ -803,7 +803,7 @@ static __inline__ __be16 xfrm_flowi_sport(const struct flowi *fl) { __be16 port; - switch(fl->proto) { + switch(fl->flowi_proto) { case IPPROTO_TCP: case IPPROTO_UDP: case IPPROTO_UDPLITE: @@ -830,7 +830,7 @@ static __inline__ __be16 xfrm_flowi_dport(const struct flowi *fl) { __be16 port; - switch(fl->proto) { + switch(fl->flowi_proto) { case IPPROTO_TCP: case IPPROTO_UDP: case IPPROTO_UDPLITE: -- cgit v1.1 From 6281dcc94a96bd73017b2baa8fa83925405109ef Mon Sep 17 00:00:00 2001 From: "David S. Miller" Date: Sat, 12 Mar 2011 00:43:55 -0500 Subject: net: Make flowi ports AF dependent. Create two sets of port member accessors, one set prefixed by fl4_* and the other prefixed by fl6_* This will let us to create AF optimal flow instances. It will work because every context in which we access the ports, we have to be fully aware of which AF the flowi is anyways. Signed-off-by: David S. Miller --- include/net/xfrm.h | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) (limited to 'include/net/xfrm.h') diff --git a/include/net/xfrm.h b/include/net/xfrm.h index d5a12d1..aa860ad 100644 --- a/include/net/xfrm.h +++ b/include/net/xfrm.h @@ -800,7 +800,7 @@ static inline bool addr_match(const void *token1, const void *token2, } static __inline__ -__be16 xfrm_flowi_sport(const struct flowi *fl) +__be16 xfrm_flowi_sport(const struct flowi *fl, const union flowi_uli *uli) { __be16 port; switch(fl->flowi_proto) { @@ -808,17 +808,17 @@ __be16 xfrm_flowi_sport(const struct flowi *fl) case IPPROTO_UDP: case IPPROTO_UDPLITE: case IPPROTO_SCTP: - port = fl->fl_ip_sport; + port = uli->ports.sport; break; case IPPROTO_ICMP: case IPPROTO_ICMPV6: - port = htons(fl->fl_icmp_type); + port = htons(uli->icmpt.type); break; case IPPROTO_MH: - port = htons(fl->fl_mh_type); + port = htons(uli->mht.type); break; case IPPROTO_GRE: - port = htons(ntohl(fl->fl_gre_key) >> 16); + port = htons(ntohl(uli->gre_key) >> 16); break; default: port = 0; /*XXX*/ 
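Review bot: the default arm of xfrm_flowi_sport still reads `port = 0; /*XXX*/` after the switch to `uli`, and the marker does not say what is unresolved. A comment such as `/* protocol has no port-like selector field; report 0 */` would replace the placeholder; the dport variant in the next hunk carries the same marker. The function's closing lines are outside this hunk.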
@@ -827,7 +827,7 @@ __be16 xfrm_flowi_sport(const struct flowi *fl)
 }
 
 static __inline__
-__be16 xfrm_flowi_dport(const struct flowi *fl)
+__be16 xfrm_flowi_dport(const struct flowi *fl, const union flowi_uli *uli)
 {
 	__be16 port;
 	switch(fl->flowi_proto) {
@@ -835,14 +835,14 @@ __be16 xfrm_flowi_dport(const struct flowi *fl)
 	case IPPROTO_UDP:
 	case IPPROTO_UDPLITE:
 	case IPPROTO_SCTP:
-		port = fl->fl_ip_dport;
+		port = uli->ports.dport;
 		break;
 	case IPPROTO_ICMP:
 	case IPPROTO_ICMPV6:
-		port = htons(fl->fl_icmp_code);
+		port = htons(uli->icmpt.code);
 		break;
 	case IPPROTO_GRE:
-		port = htons(ntohl(fl->fl_gre_key) & 0xffff);
+		port = htons(ntohl(uli->gre_key) & 0xffff);
 		break;
 	default:
 		port = 0;	/*XXX*/
-- cgit v1.1
From 7e1dc7b6f709dfc1a9ab4b320dbe723f45992693 Mon Sep 17 00:00:00 2001
From: "David S. Miller"
Date: Sat, 12 Mar 2011 02:42:11 -0500
Subject: net: Use flowi4 and flowi6 in xfrm layer.

Signed-off-by: David S. Miller
---
 include/net/xfrm.h | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)

(limited to 'include/net/xfrm.h')

diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index aa860ad..8f8bd82 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -1142,9 +1142,9 @@ xfrm_address_t *xfrm_flowi_daddr(const struct flowi *fl, unsigned short family)
 {
 	switch (family){
 	case AF_INET:
-		return (xfrm_address_t *)&fl->fl4_dst;
+		return (xfrm_address_t *)&fl->u.ip4.daddr;
 	case AF_INET6:
-		return (xfrm_address_t *)&fl->fl6_dst;
+		return (xfrm_address_t *)&fl->u.ip6.daddr;
 	}
 	return NULL;
 }
@@ -1154,9 +1154,9 @@ xfrm_address_t *xfrm_flowi_saddr(const struct flowi *fl, unsigned short family)
 {
 	switch (family){
 	case AF_INET:
-		return (xfrm_address_t *)&fl->fl4_src;
+		return (xfrm_address_t *)&fl->u.ip4.saddr;
 	case AF_INET6:
-		return (xfrm_address_t *)&fl->fl6_src;
+		return (xfrm_address_t *)&fl->u.ip6.saddr;
 	}
 	return NULL;
 }
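Review bot: `xfrm_flowi_daddr` and `xfrm_flowi_saddr` take `const struct flowi *fl`, yet the rewritten return lines cast `&fl->u.ip4.daddr`, `&fl->u.ip6.daddr` and their saddr counterparts to a non-const `xfrm_address_t *`, so every caller receives a writable pointer into an object the signature promises not to modify; a write through it on a genuinely const flowi is undefined behaviour, and the cast hides that from the compiler. The return type should become `const xfrm_address_t *` with the casts written as `(const xfrm_address_t *)&fl->u.ip4.daddr`, which is precisely the form the `xfrm_state_addr_flow_check` hunk at -1221 on the next line already uses for the same fields. Any caller that really needs a mutable address would then have to make its own cast visible instead of inheriting this one.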
@@ -1168,12 +1168,12 @@ void xfrm_flowi_addr_get(const struct flowi *fl,
 {
 	switch(family) {
 	case AF_INET:
-		memcpy(&saddr->a4, &fl->fl4_src, sizeof(saddr->a4));
-		memcpy(&daddr->a4, &fl->fl4_dst, sizeof(daddr->a4));
+		memcpy(&saddr->a4, &fl->u.ip4.saddr, sizeof(saddr->a4));
+		memcpy(&daddr->a4, &fl->u.ip4.daddr, sizeof(daddr->a4));
 		break;
 	case AF_INET6:
-		ipv6_addr_copy((struct in6_addr *)&saddr->a6, &fl->fl6_src);
-		ipv6_addr_copy((struct in6_addr *)&daddr->a6, &fl->fl6_dst);
+		ipv6_addr_copy((struct in6_addr *)&saddr->a6, &fl->u.ip6.saddr);
+		ipv6_addr_copy((struct in6_addr *)&daddr->a6, &fl->u.ip6.daddr);
 		break;
 	}
 }
@@ -1221,12 +1221,12 @@ xfrm_state_addr_flow_check(const struct xfrm_state *x, const struct flowi *fl,
 	switch (family) {
 	case AF_INET:
 		return __xfrm4_state_addr_check(x,
-						(const xfrm_address_t *)&fl->fl4_dst,
-						(const xfrm_address_t *)&fl->fl4_src);
+						(const xfrm_address_t *)&fl->u.ip4.daddr,
+						(const xfrm_address_t *)&fl->u.ip4.saddr);
 	case AF_INET6:
 		return __xfrm6_state_addr_check(x,
-						(const xfrm_address_t *)&fl->fl6_dst,
-						(const xfrm_address_t *)&fl->fl6_src);
+						(const xfrm_address_t *)&fl->u.ip6.daddr,
+						(const xfrm_address_t *)&fl->u.ip6.saddr);
 	}
 	return 0;
 }
-- cgit v1.1
From 9736acf395d3608583a7be70f62800b494fa103c Mon Sep 17 00:00:00 2001
From: Steffen Klassert
Date: Tue, 8 Mar 2011 00:05:43 +0000
Subject: xfrm: Add basic infrastructure to support IPsec extended sequence numbers

This patch adds the struct xfrm_replay_state_esn which will be used to support IPsec extended sequence numbers and anti replay windows bigger than 32 packets. Also we add a function that returns the actual size of the xfrm_replay_state_esn, a xfrm netlink atribute and a xfrm state flag for the use of extended sequence numbers.

Signed-off-by: Steffen Klassert
Acked-by: Herbert Xu
Signed-off-by: David S. Miller
---
 include/net/xfrm.h | 7 +++++++
 1 file changed, 7 insertions(+)

(limited to 'include/net/xfrm.h')
diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index 8f8bd82..7640822 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -186,9 +186,11 @@ struct xfrm_state {
 
 	/* State for replay detection */
 	struct xfrm_replay_state replay;
+	struct xfrm_replay_state_esn *replay_esn;
 
 	/* Replay detection state at the time we sent the last notification */
 	struct xfrm_replay_state preplay;
+	struct xfrm_replay_state_esn *preplay_esn;
 
 	/* internal flag that only holds state for delayed aevent at the
 	 * moment
@@ -1569,6 +1571,11 @@ static inline int xfrm_alg_auth_len(const struct xfrm_algo_auth *alg)
 	return sizeof(*alg) + ((alg->alg_key_len + 7) / 8);
 }
 
+static inline int xfrm_replay_state_esn_len(struct xfrm_replay_state_esn *replay_esn)
+{
+	return sizeof(*replay_esn) + replay_esn->bmp_len * sizeof(__u32);
+}
+
 #ifdef CONFIG_XFRM_MIGRATE
 static inline struct xfrm_algo *xfrm_algo_clone(struct xfrm_algo *orig)
 {
-- cgit v1.1
From 1ce3644ade9c865c755bf0f6a4e109b7bb6eb60f Mon Sep 17 00:00:00 2001
From: Steffen Klassert
Date: Tue, 8 Mar 2011 00:06:31 +0000
Subject: xfrm: Use separate low and high order bits of the sequence numbers in xfrm_skb_cb

To support IPsec extended sequence numbers, we split the output sequence numbers of xfrm_skb_cb in low and high order 32 bits and we add the high order 32 bits to the input sequence numbers. All users are updated accordingly.

Signed-off-by: Steffen Klassert
Acked-by: Herbert Xu
Signed-off-by: David S. Miller
---
 include/net/xfrm.h | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

(limited to 'include/net/xfrm.h')

diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index 7640822..cb6d9b3 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -582,8 +582,14 @@ struct xfrm_skb_cb {
 
 	/* Sequence number for replay protection. */
 	union {
-		u64 output;
-		__be32 input;
+		struct {
+			__u32 low;
+			__u32 hi;
+		} output;
+		struct {
+			__be32 low;
+			__be32 hi;
+		} input;
 	} seq;
 };
 
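Review bot: `xfrm_replay_state_esn_len` evaluates `sizeof(*replay_esn) + replay_esn->bmp_len * sizeof(__u32)` as a `size_t` and then narrows it to `int` on return, so a large `bmp_len` wraps to a negative or unexpectedly small length; since the commit message says this state also gets a netlink attribute, `bmp_len` presumably originates in userspace, and every caller that sizes an allocation or a copy with this helper must bound `bmp_len` against a maximum before trusting the result. The helper itself would be safer with an unsigned return type and, as it only reads its argument, with `const struct xfrm_replay_state_esn *replay_esn`. A comment above it stating that `bmp_len` must already have been validated by the caller would record where the trust boundary sits, since this header has no way to check it.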
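Review bot: The two new halves of `seq` in `struct xfrm_skb_cb` are typed differently — `output.low`/`output.hi` are `__u32` while `input.low`/`input.hi` are `__be32` — and the hunk adds no comment saying what `hi` holds or why the byte orders differ, which sparse will enforce but a reader cannot recover from the types alone. Per the commit message, `hi` is the high-order 32 bits of the extended sequence number; a comment on the union such as `/* output is kept in host order, input in network order; hi carries the ESN high-order 32 bits */` would put that next to the declarations. The rest of `struct xfrm_skb_cb` lies outside the hunk.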
From 9fdc4883d92d20842c5acea77a4a21bb1574b495 Mon Sep 17 00:00:00 2001
From: Steffen Klassert
Date: Tue, 8 Mar 2011 00:08:32 +0000
Subject: xfrm: Move IPsec replay detection functions to a separate file

To support multiple versions of replay detection, we move the replay detection functions to a separate file and make them accessible via function pointers contained in the struct xfrm_replay.

Signed-off-by: Steffen Klassert
Acked-by: Herbert Xu
Signed-off-by: David S. Miller
---
 include/net/xfrm.h | 24 ++++++++++++++++++++----
 1 file changed, 20 insertions(+), 4 deletions(-)

(limited to 'include/net/xfrm.h')

diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index cb6d9b3..41def09 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -192,6 +192,9 @@ struct xfrm_state {
 	struct xfrm_replay_state preplay;
 	struct xfrm_replay_state_esn *preplay_esn;
 
+	/* The functions for replay detection. */
+	struct xfrm_replay *repl;
+
 	/* internal flag that only holds state for delayed aevent at the
 	 * moment
 	*/
@@ -261,6 +264,15 @@ struct km_event {
 	struct net *net;
 };
 
+struct xfrm_replay {
+	void	(*advance)(struct xfrm_state *x, __be32 net_seq);
+	int	(*check)(struct xfrm_state *x,
+			 struct sk_buff *skb,
+			 __be32 net_seq);
+	void	(*notify)(struct xfrm_state *x, int event);
+	int	(*overflow)(struct xfrm_state *x, struct sk_buff *skb);
+};
+
 struct net_device;
 struct xfrm_type;
 struct xfrm_dst;
@@ -693,6 +705,8 @@ extern void xfrm_audit_state_delete(struct xfrm_state *x, int result,
 				    u32 auid, u32 ses, u32 secid);
 extern void xfrm_audit_state_replay_overflow(struct xfrm_state *x,
 					     struct sk_buff *skb);
+extern void xfrm_audit_state_replay(struct xfrm_state *x,
+				    struct sk_buff *skb, __be32 net_seq);
 extern void xfrm_audit_state_notfound_simple(struct sk_buff *skb, u16 family);
 extern void xfrm_audit_state_notfound(struct sk_buff *skb, u16 family,
 				      __be32 net_spi, __be32 net_seq);
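Review bot: `struct xfrm_replay` introduces four function pointers without any statement of their return conventions: the hunk does not say what `check` returns for an accepted versus a rejected sequence number, or what a non-zero result from `overflow` means to the transmit path, so each future implementation and each caller has to read the other to agree on the contract. A one-line comment per member, in the same style as the `/* The functions for replay detection. */` comment the -192 hunk adds above `repl`, would fix that — for `check`, something like `/* 0 if net_seq may be accepted, otherwise a negative error and the packet is dropped */`, to be confirmed against the implementations this commit moves out of the header. Whether `x->repl` points at static ops tables or is owned by the state and freed with it is likewise unstated and belongs in the same comment block.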
@@ -725,6 +739,11 @@ static inline void xfrm_audit_state_replay_overflow(struct xfrm_state *x,
 {
 }
 
+static inline void xfrm_audit_state_replay(struct xfrm_state *x,
+					   struct sk_buff *skb, __be32 net_seq)
+{
+}
+
 static inline void xfrm_audit_state_notfound_simple(struct sk_buff *skb,
 				      u16 family)
 {
@@ -1408,10 +1427,7 @@ extern int xfrm_state_delete(struct xfrm_state *x);
 extern int xfrm_state_flush(struct net *net, u8 proto, struct xfrm_audit *audit_info);
 extern void xfrm_sad_getinfo(struct net *net, struct xfrmk_sadinfo *si);
 extern void xfrm_spd_getinfo(struct net *net, struct xfrmk_spdinfo *si);
-extern int xfrm_replay_check(struct xfrm_state *x,
-			     struct sk_buff *skb, __be32 seq);
-extern void xfrm_replay_advance(struct xfrm_state *x, __be32 seq);
-extern void xfrm_replay_notify(struct xfrm_state *x, int event);
+extern int xfrm_init_replay(struct xfrm_state *x);
 extern int xfrm_state_mtu(struct xfrm_state *x, int mtu);
 extern int xfrm_init_state(struct xfrm_state *x);
 extern int xfrm_prepare_input(struct xfrm_state *x, struct sk_buff *skb);
-- cgit v1.1
From 2cd084678fc1eb75aec4f7ae3d339d232c00ec61 Mon Sep 17 00:00:00 2001
From: Steffen Klassert
Date: Tue, 8 Mar 2011 00:09:51 +0000
Subject: xfrm: Add support for IPsec extended sequence numbers

This patch adds support for IPsec extended sequence numbers (esn) as defined in RFC 4303. The bits to manage the anti-replay window are based on a patch from Alex Badea.

Signed-off-by: Steffen Klassert
Acked-by: Herbert Xu
Signed-off-by: David S. Miller
---
 include/net/xfrm.h | 1 +
 1 file changed, 1 insertion(+)

(limited to 'include/net/xfrm.h')

diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index 41def09..42a8c32 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -1427,6 +1427,7 @@ extern int xfrm_state_delete(struct xfrm_state *x);
 extern int xfrm_state_flush(struct net *net, u8 proto, struct xfrm_audit *audit_info);
 extern void xfrm_sad_getinfo(struct net *net, struct xfrmk_sadinfo *si);
 extern void xfrm_spd_getinfo(struct net *net, struct xfrmk_spdinfo *si);
+extern u32 xfrm_replay_seqhi(struct xfrm_state *x, __be32 net_seq);
 extern int xfrm_init_replay(struct xfrm_state *x);
 extern int xfrm_state_mtu(struct xfrm_state *x, int mtu);
 extern int xfrm_init_state(struct xfrm_state *x);
-- cgit v1.1