3 * Copyright (C) 1996, 1997 John Ioannidis.
4 * Copyright (C) 1998, 1999, 2000, 2001 Richard Guy Briggs.
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
17 char ipsec_rcv_c_version[] = "RCSID $Id$";
19 #include <linux/config.h>
20 #include <linux/version.h>
22 #define __NO_VERSION__
23 #include <linux/module.h>
24 #include <linux/kernel.h> /* printk() */
26 #define IPSEC_KLIPS1_COMPAT 1
27 #include "ipsec_param.h"
30 # include <linux/slab.h> /* kmalloc() */
31 #else /* MALLOC_SLAB */
32 # include <linux/malloc.h> /* kmalloc() */
33 #endif /* MALLOC_SLAB */
34 #include <linux/errno.h> /* error codes */
35 #include <linux/types.h> /* size_t */
36 #include <linux/interrupt.h> /* mark_bh */
38 #include <linux/netdevice.h> /* struct device, and other headers */
39 #include <linux/etherdevice.h> /* eth_type_trans */
40 #include <linux/ip.h> /* struct iphdr */
41 #include <linux/skbuff.h>
45 # include <linux/spinlock.h> /* *lock* */
46 # else /* SPINLOCK_23 */
47 # include <asm/spinlock.h> /* *lock* */
48 # endif /* SPINLOCK_23 */
51 # include <asm/uaccess.h>
52 # include <linux/in6.h>
53 # define proto_priv cb
55 #include <asm/checksum.h>
58 #include <linux/ledman.h>
62 #include "ipsec_encap.h"
65 #include "ipsec_radij.h"
66 #include "ipsec_netlink.h"
67 #include "ipsec_xform.h"
68 #include "ipsec_tunnel.h"
69 #include "ipsec_rcv.h"
70 #if defined(CONFIG_IPSEC_ESP) || defined(CONFIG_IPSEC_AH)
71 # include "ipsec_ah.h"
72 #endif /* defined(CONFIG_IPSEC_ESP) || defined(CONFIG_IPSEC_AH) */
73 #ifdef CONFIG_IPSEC_ESP
74 # include "ipsec_esp.h"
75 #endif /* !CONFIG_IPSEC_ESP */
76 #ifdef CONFIG_IPSEC_IPCOMP
78 #endif /* CONFIG_IPSEC_COMP */
83 #include "ipsec_proto.h"
85 #include "ipsec_alg.h"
87 #ifdef CONFIG_IPSEC_NAT_TRAVERSAL
88 #include <linux/udp.h>
91 #ifdef CONFIG_IPSEC_DEBUG
95 #endif /* CONFIG_IPSEC_DEBUG */
97 int sysctl_ipsec_inbound_policy_check = 1;
99 #if defined(CONFIG_IPSEC_ESP) || defined(CONFIG_IPSEC_AH)
100 __u32 zeroes[AH_AMAX];
101 #endif /* defined(CONFIG_IPSEC_ESP) || defined(CONFIG_IPSEC_AH) */
104 * Check-replay-window routine, adapted from the original
105 * by J. Hughes, from draft-ietf-ipsec-esp-des-md5-03.txt
107 * This is a routine that implements a 64 packet window. This is intend-
108 * ed on being an implementation sample.
112 ipsec_checkreplaywindow(struct ipsec_sa*tdbp, __u32 seq)
116 if (tdbp->tdb_replaywin == 0) /* replay shut off */
119 return 0; /* first == 0 or wrapped */
121 /* new larger sequence number */
122 if (seq > tdbp->tdb_replaywin_lastseq) {
123 return 1; /* larger is good */
125 diff = tdbp->tdb_replaywin_lastseq - seq;
127 /* too old or wrapped */ /* if wrapped, kill off SA? */
128 if (diff >= tdbp->tdb_replaywin) {
131 /* this packet already seen */
132 if (tdbp->tdb_replaywin_bitmap & (1 << diff))
134 return 1; /* out of order but good */
138 ipsec_updatereplaywindow(struct ipsec_sa*tdbp, __u32 seq)
142 if (tdbp->tdb_replaywin == 0) /* replay shut off */
145 return 0; /* first == 0 or wrapped */
147 /* new larger sequence number */
148 if (seq > tdbp->tdb_replaywin_lastseq) {
149 diff = seq - tdbp->tdb_replaywin_lastseq;
151 /* In win, set bit for this pkt */
152 if (diff < tdbp->tdb_replaywin)
153 tdbp->tdb_replaywin_bitmap =
154 (tdbp->tdb_replaywin_bitmap << diff) | 1;
156 /* This packet has way larger seq num */
157 tdbp->tdb_replaywin_bitmap = 1;
159 if(seq - tdbp->tdb_replaywin_lastseq - 1 > tdbp->tdb_replaywin_maxdiff) {
160 tdbp->tdb_replaywin_maxdiff = seq - tdbp->tdb_replaywin_lastseq - 1;
162 tdbp->tdb_replaywin_lastseq = seq;
163 return 1; /* larger is good */
165 diff = tdbp->tdb_replaywin_lastseq - seq;
167 /* too old or wrapped */ /* if wrapped, kill off SA? */
168 if (diff >= tdbp->tdb_replaywin) {
170 if(seq < 0.25*max && tdbp->tdb_replaywin_lastseq > 0.75*max) {
176 /* this packet already seen */
177 if (tdbp->tdb_replaywin_bitmap & (1 << diff))
179 tdbp->tdb_replaywin_bitmap |= (1 << diff); /* mark as seen */
180 return 1; /* out of order but good */
184 #ifdef PROTO_HANDLER_SINGLE_PARM
185 ipsec_rcv(struct sk_buff *skb)
186 #else /* PROTO_HANDLER_SINGLE_PARM */
188 ipsec_rcv(struct sk_buff *skb, unsigned short xlen)
190 ipsec_rcv(struct sk_buff *skb, struct device *dev, struct options *opt,
191 __u32 daddr_unused, unsigned short xlen, __u32 saddr,
192 int redo, struct inet_protocol *protocol)
194 #endif /* PROTO_HANDLER_SINGLE_PARM */
197 #ifdef CONFIG_IPSEC_DEBUG
198 struct device *dev = skb->dev;
199 #endif /* CONFIG_IPSEC_DEBUG */
201 unsigned char protoc;
204 #ifdef CONFIG_IPSEC_ESP
205 struct esp *espp = NULL;
207 __u32 iv[ESP_IV_MAXSZ_INT];
208 #endif /* !CONFIG_IPSEC_ESP */
209 #ifdef CONFIG_IPSEC_AH
210 struct ah *ahp = NULL;
213 #endif /* CONFIG_IPSEC_AH */
214 unsigned char *authenticator = NULL;
220 #if defined(CONFIG_IPSEC_ESP) || defined(CONFIG_IPSEC_AH)
221 #endif /* defined(CONFIG_IPSEC_ESP) || defined(CONFIG_IPSEC_AH) */
222 #ifdef CONFIG_IPSEC_IPCOMP
223 struct ipcomphdr*compp = NULL;
224 #endif /* CONFIG_IPSEC_IPCOMP */
229 struct ipsec_sa *tdbp = NULL;
231 struct net_device_stats *stats = NULL; /* This device's statistics */
232 struct device *ipsecdev = NULL, *prvdev;
233 struct ipsecpriv *prv;
237 char ipaddr_txt[ADDRTOA_BUF];
239 struct in_addr ipaddr;
240 __u8 next_header = 0;
243 #ifdef CONFIG_IPSEC_ESP
245 #endif /* CONFIG_IPSEC_ESP */
246 int ilen; /* content to be decrypted/authenticated */
247 int len; /* packet length */
248 int replay = 0; /* replay value in AH or ESP packet */
249 __u8 *idat; /* pointer to content to be decrypted/authenticated */
250 struct ipsec_sa* tdbprev = NULL; /* previous SA from outside of packet */
251 struct ipsec_sa* tdbnext = NULL; /* next SA towards inside of packet */
252 #ifdef INBOUND_POLICY_CHECK_eroute
253 struct sockaddr_encap matcher; /* eroute search key */
255 struct ipsec_sa* policy_tdb = NULL;
256 struct sa_id policy_said;
257 struct sockaddr_encap policy_eaddr;
258 struct sockaddr_encap policy_emask;
259 #endif /* INBOUND_POLICY_CHECK_eroute */
260 #ifdef CONFIG_IPSEC_ALG
261 struct ipsec_alg_enc *ixt_e=NULL;
262 struct ipsec_alg_auth *ixt_a=NULL;
263 #endif /* CONFIG_IPSEC_ALG */
265 #ifdef CONFIG_IPSEC_NAT_TRAVERSAL
266 __u16 natt_len = 0, natt_sport = 0, natt_dport = 0;
270 /* Don't unlink in the middle of a turnaround */
274 KLIPS_PRINT(debug_rcv,
275 "klips_debug:ipsec_rcv: "
276 "NULL skb passed in.\n");
280 if (skb->data == NULL) {
281 KLIPS_PRINT(debug_rcv,
282 "klips_debug:ipsec_rcv: "
283 "NULL skb->data passed in, packet is bogus, dropping.\n");
287 #ifdef CONFIG_IPSEC_NAT_TRAVERSAL
288 if (skb->sk && skb->nh.iph && skb->nh.iph->protocol==IPPROTO_UDP) {
290 * Packet comes from udp_queue_rcv_skb so it is already defrag,
291 * checksum verified, ... (ie safe to use)
293 * If the packet is not for us, return -1 and udp_queue_rcv_skb
294 * will continue to handle it (do not kfree skb !!).
296 struct udp_opt *tp = &(skb->sk->tp_pinfo.af_udp);
297 struct iphdr *ip = (struct iphdr *)skb->nh.iph;
298 struct udphdr *udp = (struct udphdr *)((__u32 *)ip+ip->ihl);
299 __u8 *udpdata = (__u8 *)udp + sizeof(struct udphdr);
300 __u32 *udpdata32 = (__u32 *)udpdata;
302 natt_sport = ntohs(udp->source);
303 natt_dport = ntohs(udp->dest);
305 KLIPS_PRINT(debug_rcv,
306 "klips_debug:ipsec_rcv: "
307 "suspected ESPinUDP packet (NAT-Traversal) [%d].\n",
309 KLIPS_IP_PRINT(debug_rcv, ip);
311 if (udpdata < skb->tail) {
312 unsigned int len = skb->tail - udpdata;
313 if ((len==1) && (udpdata[0]==0xff)) {
314 KLIPS_PRINT(debug_rcv,
315 "klips_debug:ipsec_rcv: "
316 /* not IPv6 compliant message */
317 "NAT-keepalive from %d.%d.%d.%d.\n", NIPQUAD(ip->saddr));
320 else if ( (tp->esp_in_udp == ESPINUDP_WITH_NON_IKE) &&
321 (len > (2*sizeof(__u32) + sizeof(struct esp))) &&
322 (udpdata32[0]==0) && (udpdata32[1]==0) ) {
323 /* ESP Packet with Non-IKE header */
324 KLIPS_PRINT(debug_rcv,
325 "klips_debug:ipsec_rcv: "
326 "ESPinUDP pkt with Non-IKE - spi=0x%x\n",
328 natt_type = ESPINUDP_WITH_NON_IKE;
329 natt_len = sizeof(struct udphdr)+(2*sizeof(__u32));
331 else if ( (tp->esp_in_udp == ESPINUDP_WITH_NON_ESP) &&
332 (len > sizeof(struct esp)) &&
333 (udpdata32[0]!=0) ) {
334 /* ESP Packet without Non-ESP header */
335 natt_type = ESPINUDP_WITH_NON_ESP;
336 natt_len = sizeof(struct udphdr);
337 KLIPS_PRINT(debug_rcv,
338 "klips_debug:ipsec_rcv: "
339 "ESPinUDP pkt without Non-ESP - spi=0x%x\n",
343 KLIPS_PRINT(debug_rcv,
344 "klips_debug:ipsec_rcv: "
345 "IKE packet - not handled here\n");
357 #ifdef IPH_is_SKB_PULLED
358 /* In Linux 2.4.4, the IP header has been skb_pull()ed before the
359 packet is passed to us. So we'll skb_push() to get back to it. */
360 if (skb->data == skb->h.raw) {
361 skb_push(skb, skb->h.raw - skb->nh.raw);
363 #endif /* IPH_is_SKB_PULLED */
365 ipp = (struct iphdr *)skb->data;
366 iphlen = ipp->ihl << 2;
367 /* dev->hard_header_len is unreliable and should not be used */
368 hard_header_len = skb->mac.raw ? (skb->data - skb->mac.raw) : 0;
369 if((hard_header_len < 0) || (hard_header_len > skb_headroom(skb)))
373 /* if skb was cloned (most likely due to a packet sniffer such as
374 tcpdump being momentarily attached to the interface), make
375 a copy of our own to modify */
376 if(skb_cloned(skb)) {
377 /* include any mac header while copying.. */
378 if(skb_headroom(skb) < hard_header_len) {
379 printk(KERN_WARNING "klips_error:ipsec_rcv: "
380 "tried to skb_push hhlen=%d, %d available. This should never happen, please report.\n",
385 skb_push(skb, hard_header_len);
388 (skb_cow(skb, skb_headroom(skb)) != 0)
389 #else /* SKB_COW_NEW */
390 ((skb = skb_cow(skb, skb_headroom(skb))) == NULL)
391 #endif /* SKB_COW_NEW */
395 if(skb->len < hard_header_len) {
396 printk(KERN_WARNING "klips_error:ipsec_rcv: "
397 "tried to skb_pull hhlen=%d, %d available. This should never happen, please report.\n",
402 skb_pull(skb, hard_header_len);
407 #if IP_FRAGMENT_LINEARIZE
408 /* In Linux 2.4.4, we may have to reassemble fragments. They are
409 not assembled automatically to save TCP from having to copy
412 if (skb_is_nonlinear(skb)) {
413 if (skb_linearize(skb, GFP_ATOMIC) != 0) {
417 ipp = (struct iphdr *)skb->nh.iph;
418 iphlen = ipp->ihl << 2;
421 #ifdef CONFIG_IPSEC_NAT_TRAVERSAL
424 * Now, we are sure packet is ESPinUDP. Remove natt_len bytes from
425 * packet and modify protocol to ESP.
427 if (((unsigned char *)skb->data > (unsigned char *)skb->nh.iph) &&
428 ((unsigned char *)skb->nh.iph > (unsigned char *)skb->head)) {
429 unsigned int _len = (unsigned char *)skb->data -
430 (unsigned char *)skb->nh.iph;
431 KLIPS_PRINT(debug_rcv,
432 "klips_debug:ipsec_rcv: adjusting skb: skb_push(%u)\n",
436 KLIPS_PRINT(debug_rcv,
437 "klips_debug:ipsec_rcv: "
438 "removing %d bytes from ESPinUDP packet\n", natt_len);
439 ipp = (struct iphdr *)skb->data;
440 iphlen = ipp->ihl << 2;
441 ipp->tot_len = htons(ntohs(ipp->tot_len) - natt_len);
442 if (skb->len < iphlen + natt_len) {
444 "klips_error:ipsec_rcv: "
445 "ESPinUDP packet is too small (%d < %d+%d). "
446 "This should never happen, please report.\n",
447 (int)(skb->len), iphlen, natt_len);
450 memmove(skb->data + natt_len, skb->data, iphlen);
451 skb_pull(skb, natt_len);
454 ipp = skb->nh.iph = (struct iphdr *)skb->data;
456 /* modify protocol */
457 ipp->protocol = IPPROTO_ESP;
461 KLIPS_IP_PRINT(debug_rcv, skb->nh.iph);
465 KLIPS_PRINT(debug_rcv,
466 "klips_debug:ipsec_rcv: "
468 KLIPS_PRINTMORE(debug_rcv && skb->dev, "skb->dev=%s ",
469 skb->dev->name ? skb->dev->name : "NULL");
470 KLIPS_PRINTMORE(debug_rcv && dev, "dev=%s ",
471 dev->name ? dev->name : "NULL");
472 KLIPS_PRINTMORE(debug_rcv, "\n");
474 KLIPS_PRINT(debug_rcv && !(skb->dev && dev && (skb->dev == dev)),
475 "klips_debug:ipsec_rcv: "
476 "Informational -- **if this happens, find out why** skb->dev:%s is not equal to dev:%s\n",
477 skb->dev ? (skb->dev->name ? skb->dev->name : "NULL") : "NULL",
478 dev ? (dev->name ? dev->name : "NULL") : "NULL");
480 protoc = ipp->protocol;
482 if((!protocol) || (protocol->protocol != protoc)) {
483 KLIPS_PRINT(debug_rcv & DB_RX_TDB,
484 "klips_debug:ipsec_rcv: "
485 "protocol arg is NULL or unequal to the packet contents, this is odd, using value in packet.\n");
489 if( (protoc != IPPROTO_AH) &&
490 #ifdef CONFIG_IPSEC_IPCOMP_disabled_until_we_register_IPCOMP_HANDLER
491 (protoc != IPPROTO_COMP) &&
492 #endif /* CONFIG_IPSEC_IPCOMP */
493 (protoc != IPPROTO_ESP) ) {
494 KLIPS_PRINT(debug_rcv & DB_RX_TDB,
495 "klips_debug:ipsec_rcv: Why the hell is someone "
496 "passing me a non-ipsec protocol = %d packet? -- dropped.\n",
502 for(i = 0; i < IPSEC_NUM_IF; i++) {
503 sprintf(name, "ipsec%d", i);
504 if(!strcmp(name, skb->dev->name)) {
505 prv = (struct ipsecpriv *)(skb->dev->priv);
507 stats = (struct net_device_stats *) &(prv->mystats);
510 KLIPS_PRINT(debug_rcv,
511 "klips_debug:ipsec_rcv: "
512 "Info -- pkt already proc'ed a group of ipsec headers, processing next group of ipsec headers.\n");
515 if((ipsecdev = ipsec_dev_get(name)) == NULL) {
516 KLIPS_PRINT(debug_rcv,
517 "klips_error:ipsec_rcv: "
518 "device %s does not exist\n",
521 prv = ipsecdev ? (struct ipsecpriv *)(ipsecdev->priv) : NULL;
522 prvdev = prv ? (struct device *)(prv->dev) : NULL;
525 KLIPS_PRINT(debug_rcv && prvdev,
526 "klips_debug:ipsec_rcv: "
527 "physical device for device %s is %s\n",
531 if(prvdev && skb->dev &&
532 !strcmp(prvdev->name, skb->dev->name)) {
533 stats = prv ? ((struct net_device_stats *) &(prv->mystats)) : NULL;
535 #if (defined(CONFIG_BRIDGE) || defined(CONFIG_BRIDGE_MODULE)) && defined(CONFIG_NETFILTER)
537 skb->nf_bridge->physindev = ipsecdev;
539 KLIPS_PRINT(debug_rcv && prvdev,
540 "klips_debug:ipsec_rcv: "
541 "assigning packet ownership to virtual device %s from physical device %s.\n",
550 KLIPS_PRINT(debug_rcv,
551 "klips_debug:ipsec_rcv: "
552 "device supplied with skb is NULL\n");
558 KLIPS_PRINT((debug_rcv && !stats),
559 "klips_error:ipsec_rcv: "
560 "packet received from physical I/F (%s) not connected to ipsec I/F. Cannot record stats. May not have SA for decoding. Is IPSEC traffic expected on this I/F? Check routing.\n",
561 skb->dev ? (skb->dev->name ? skb->dev->name : "NULL") : "NULL");
563 KLIPS_IP_PRINT(debug_rcv, ipp);
566 ledman_cmd(LEDMAN_CMD_SET, LEDMAN_VPN_RX);
569 /* begin decapsulating loop here */
572 #ifdef CONFIG_IPSEC_ESP
575 #endif /* !CONFIG_IPSEC_ESP */
576 #ifdef CONFIG_IPSEC_AH
579 #endif /* CONFIG_IPSEC_AH */
580 #ifdef CONFIG_IPSEC_IPCOMP
582 #endif /* CONFIG_IPSEC_IPCOMP */
586 ipp = (struct iphdr *)skb->data;
587 proto = ipp->protocol;
588 ipaddr.s_addr = ipp->saddr;
589 addrtoa(ipaddr, 0, ipaddr_txt, sizeof(ipaddr_txt));
591 iphlen = ipp->ihl << 2;
592 ipp->check = 0; /* we know the sum is good */
594 #ifdef CONFIG_IPSEC_ESP
595 /* XXX this will need to be 8 for IPv6 */
596 if ((proto == IPPROTO_ESP) && ((len - iphlen) % 4)) {
597 printk("klips_error:ipsec_rcv: "
598 "got packet with content length = %d from %s -- should be on 4 octet boundary, packet dropped\n",
606 #endif /* !CONFIG_IPSEC_ESP */
609 * Find tunnel control block and (indirectly) call the
610 * appropriate tranform routine. The resulting sk_buf
611 * is a valid IP packet ready to go through input processing.
614 said.dst.s_addr = ipp->daddr;
616 #ifdef CONFIG_IPSEC_ESP
618 espp = (struct esp *)(skb->data + iphlen);
619 said.spi = espp->esp_spi;
621 #endif /* !CONFIG_IPSEC_ESP */
622 #ifdef CONFIG_IPSEC_AH
624 ahp = (struct ah *)(skb->data + iphlen);
625 said.spi = ahp->ah_spi;
627 #endif /* CONFIG_IPSEC_AH */
628 #ifdef CONFIG_IPSEC_IPCOMP
630 compp = (struct ipcomphdr *)(skb->data + iphlen);
631 said.spi = htonl((__u32)ntohs(compp->ipcomp_cpi));
633 #endif /* CONFIG_IPSEC_IPCOMP */
641 sa_len = satoa(said, 0, sa, SATOA_BUF);
643 strcpy(sa, "(error)");
646 #ifdef CONFIG_IPSEC_AH
647 if(proto == IPPROTO_AH) {
648 ahhlen = (ahp->ah_hl << 2) +
649 ((caddr_t)&(ahp->ah_rpl) - (caddr_t)ahp);
650 next_header = ahp->ah_nh;
651 if (ahhlen != sizeof(struct ah)) {
652 KLIPS_PRINT(debug_rcv & DB_RX_INAU,
653 "klips_debug:ipsec_rcv: "
654 "bad authenticator length %d, expected %d from %s\n",
655 ahhlen - ((caddr_t)(ahp->ah_data) - (caddr_t)ahp),
665 #endif /* CONFIG_IPSEC_AH */
668 The spinlock is to prevent any other process from
669 accessing or deleting the TDB hash table or any of the
670 TDBs while we are using and updating them.
672 This is not optimal, but was relatively straightforward
673 at the time. A better way to do it has been planned for
674 more than a year, to lock the hash table and put reference
675 counts on each TDB instead. This is not likely to happen
676 in KLIPS1 unless a volunteer contributes it, but will be
677 designed into KLIPS2.
679 if(tdbprev == NULL) {
680 spin_lock(&tdb_lock);
683 #ifdef CONFIG_IPSEC_IPCOMP
684 if (proto == IPPROTO_COMP) {
685 unsigned int flags = 0;
687 spin_unlock(&tdb_lock);
688 KLIPS_PRINT(debug_rcv,
689 "klips_debug:ipsec_rcv: "
690 "Incoming packet with outer IPCOMP header SA:%s: not yet supported by KLIPS, dropped\n",
691 sa_len ? sa : " (error)");
702 if(sysctl_ipsec_inbound_policy_check
704 || (((ntohl(tdbp->tdb_said.spi) & 0x0000ffff)
706 /* next line is a workaround for peer
707 non-compliance with rfc2393 */
708 && (tdbp->tdb_encalg != ntohl(said.spi))
714 sa_len2 = satoa(tdbp->tdb_said, 0, sa2, SATOA_BUF);
716 KLIPS_PRINT(debug_rcv,
717 "klips_debug:ipsec_rcv: "
718 "Incoming packet with SA(IPCA):%s does not match policy SA(IPCA):%s cpi=%04x cpi->spi=%08x spi=%08x, spi->cpi=%04x for SA grouping, dropped.\n",
719 sa_len ? sa : " (error)",
720 tdbp ? (sa_len2 ? sa2 : " (error)") : "NULL",
721 ntohs(compp->ipcomp_cpi),
722 (__u32)ntohl(said.spi),
723 tdbp ? (__u32)ntohl((tdbp->tdb_said.spi)) : 0,
724 tdbp ? (__u16)(ntohl(tdbp->tdb_said.spi) & 0x0000ffff) : 0);
725 spin_unlock(&tdb_lock);
733 tdbp->tdb_comp_ratio_cbytes += ntohs(ipp->tot_len);
734 tdbnext = tdbp->tdb_inext;
736 next_header = compp->ipcomp_nh;
738 skb = skb_decompress(skb, tdbp, &flags);
740 spin_unlock(&tdb_lock);
741 KLIPS_PRINT(debug_rcv,
742 "klips_debug:ipsec_rcv: "
743 "skb_decompress() returned error flags=%x, dropped.\n",
760 tdbp->tdb_comp_ratio_dbytes += ntohs(ipp->tot_len);
763 KLIPS_PRINT(debug_rcv,
764 "klips_debug:ipsec_rcv: "
765 "packet decompressed SA(IPCA):%s cpi->spi=%08x spi=%08x, spi->cpi=%04x, nh=%d.\n",
766 sa_len ? sa : " (error)",
767 (__u32)ntohl(said.spi),
768 tdbp ? (__u32)ntohl((tdbp->tdb_said.spi)) : 0,
769 tdbp ? (__u16)(ntohl(tdbp->tdb_said.spi) & 0x0000ffff) : 0,
771 KLIPS_IP_PRINT(debug_rcv & DB_RX_PKTRX, ipp);
774 /* Skip rest of stuff and decapsulate next inner
777 #endif /* CONFIG_IPSEC_IPCOMP */
779 tdbp = ipsec_sa_getbyid(&said);
781 spin_unlock(&tdb_lock);
782 KLIPS_PRINT(debug_rcv,
783 "klips_debug:ipsec_rcv: "
784 "no Tunnel Descriptor Block for SA:%s: incoming packet with no SA dropped\n",
785 sa_len ? sa : " (error)");
792 #ifdef CONFIG_IPSEC_NAT_TRAVERSAL
794 ( (ipp->saddr != (((struct sockaddr_in*)(tdbp->tdb_addr_s))->sin_addr.s_addr)) ||
795 (natt_sport != tdbp->ips_natt_sport)
797 struct sockaddr sipaddr;
798 /** Advertise NAT-T addr change to pluto **/
799 sipaddr.sa_family = AF_INET;
800 ((struct sockaddr_in*)&sipaddr)->sin_addr.s_addr = ipp->saddr;
801 ((struct sockaddr_in*)&sipaddr)->sin_port = htons(natt_sport);
802 pfkey_nat_t_new_mapping(tdbp, &sipaddr, natt_sport);
804 * Then allow or block packet depending on
805 * sysctl_ipsec_inbound_policy_check.
807 * In all cases, pluto will update SA if new mapping is
810 if (sysctl_ipsec_inbound_policy_check) {
811 spin_unlock(&tdb_lock);
812 ipaddr.s_addr = ipp->saddr;
813 addrtoa(ipaddr, 0, ipaddr_txt, sizeof(ipaddr_txt));
814 KLIPS_PRINT(debug_rcv,
815 "klips_debug:ipsec_rcv: "
816 "SA:%s, src=%s:%u of pkt does not agree with expected "
817 "SA source address policy (pluto has been informed).\n",
818 sa_len ? sa : " (error)",
819 ipaddr_txt, natt_sport);
828 if(sysctl_ipsec_inbound_policy_check) {
829 if(ipp->saddr != ((struct sockaddr_in*)(tdbp->tdb_addr_s))->sin_addr.s_addr) {
830 spin_unlock(&tdb_lock);
831 ipaddr.s_addr = ipp->saddr;
832 addrtoa(ipaddr, 0, ipaddr_txt, sizeof(ipaddr_txt));
833 KLIPS_PRINT(debug_rcv,
834 "klips_debug:ipsec_rcv: "
835 "SA:%s, src=%s of pkt does not agree with expected SA source address policy.\n",
836 sa_len ? sa : " (error)",
843 ipaddr.s_addr = ipp->saddr;
844 addrtoa(ipaddr, 0, ipaddr_txt, sizeof(ipaddr_txt));
845 KLIPS_PRINT(debug_rcv,
846 "klips_debug:ipsec_rcv: "
847 "SA:%s, src=%s of pkt agrees with expected SA source address policy.\n",
848 sa_len ? sa : " (error)",
851 if(tdbnext != tdbp) {
852 spin_unlock(&tdb_lock);
853 KLIPS_PRINT(debug_rcv,
854 "klips_debug:ipsec_rcv: "
855 "unexpected SA:%s: does not agree with tdb->inext policy, dropped\n",
856 sa_len ? sa : " (error)");
862 KLIPS_PRINT(debug_rcv,
863 "klips_debug:ipsec_rcv: "
864 "SA:%s grouping from previous SA is OK.\n",
865 sa_len ? sa : " (error)");
867 KLIPS_PRINT(debug_rcv,
868 "klips_debug:ipsec_rcv: "
869 "SA:%s First SA in group.\n",
870 sa_len ? sa : " (error)");
873 if(tdbp->tdb_onext) {
874 if(tdbprev != tdbp->tdb_onext) {
875 spin_unlock(&tdb_lock);
876 KLIPS_PRINT(debug_rcv,
877 "klips_debug:ipsec_rcv: "
878 "unexpected SA:%s: does not agree with tdb->onext policy, dropped.\n",
879 sa_len ? sa : " (error)");
885 KLIPS_PRINT(debug_rcv,
886 "klips_debug:ipsec_rcv: "
887 "SA:%s grouping to previous SA is OK.\n",
888 sa_len ? sa : " (error)");
891 KLIPS_PRINT(debug_rcv,
892 "klips_debug:ipsec_rcv: "
893 "SA:%s No previous backlink in group.\n",
894 sa_len ? sa : " (error)");
896 #ifdef CONFIG_IPSEC_NAT_TRAVERSAL
897 KLIPS_PRINT(debug_rcv,
898 "klips_debug:ipsec_rcv: "
899 "natt_type=%u tdbp->ips_natt_type=%u : %s\n",
900 natt_type, tdbp->ips_natt_type,
901 (natt_type==tdbp->ips_natt_type)?"ok":"bad");
902 if (natt_type != tdbp->ips_natt_type) {
903 spin_unlock(&tdb_lock);
904 KLIPS_PRINT(debug_rcv,
905 "klips_debug:ipsec_rcv: "
906 "SA:%s does not agree with expected NAT-T policy.\n",
907 sa_len ? sa : " (error)");
916 /* If it is in larval state, drop the packet, we cannot process yet. */
917 if(tdbp->tdb_state == SADB_SASTATE_LARVAL) {
918 spin_unlock(&tdb_lock);
919 KLIPS_PRINT(debug_rcv,
920 "klips_debug:ipsec_rcv: "
921 "TDB in larval state, cannot be used yet, dropping packet.\n");
928 if(tdbp->tdb_state == SADB_SASTATE_DEAD) {
929 spin_unlock(&tdb_lock);
930 KLIPS_PRINT(debug_rcv,
931 "klips_debug:ipsec_rcv: "
932 "TDB in dead state, cannot be used any more, dropping packet.\n");
939 if(ipsec_lifetime_check(&tdbp->ips_life.ipl_bytes, "bytes", sa,
940 ipsec_life_countbased, ipsec_incoming, tdbp) == ipsec_life_harddied ||
941 ipsec_lifetime_check(&tdbp->ips_life.ipl_addtime, "addtime",sa,
942 ipsec_life_timebased, ipsec_incoming, tdbp) == ipsec_life_harddied ||
943 ipsec_lifetime_check(&tdbp->ips_life.ipl_addtime, "usetime",sa,
944 ipsec_life_timebased, ipsec_incoming, tdbp) == ipsec_life_harddied ||
945 ipsec_lifetime_check(&tdbp->ips_life.ipl_packets, "packets",sa,
946 ipsec_life_countbased, ipsec_incoming, tdbp) == ipsec_life_harddied) {
947 ipsec_sa_delchain(tdbp);
948 spin_unlock(&tdb_lock);
955 /* authenticate, if required */
957 #ifdef CONFIG_IPSEC_ALG
958 if ((ixt_a=IPSEC_ALG_SA_ESP_AUTH(tdbp))) {
959 authlen = AHHMAC_HASHLEN;
960 KLIPS_PRINT(debug_rcv,
961 "klips_debug:ipsec_rcv: "
962 "authalg=%d authlen=%d\n",
963 tdbp->tdb_authalg, authlen);
965 #endif /* CONFIG_IPSEC_ALG */
966 switch(tdbp->tdb_authalg) {
967 #ifdef CONFIG_IPSEC_AUTH_HMAC_MD5
969 authlen = AHHMAC_HASHLEN;
971 #endif /* CONFIG_IPSEC_AUTH_HMAC_MD5 */
972 #ifdef CONFIG_IPSEC_AUTH_HMAC_SHA1
974 authlen = AHHMAC_HASHLEN;
976 #endif /* CONFIG_IPSEC_AUTH_HMAC_SHA1 */
981 tdbp->tdb_alg_errs += 1;
982 spin_unlock(&tdb_lock);
988 ilen = len - iphlen - authlen;
990 #ifdef CONFIG_IPSEC_ESP
991 KLIPS_PRINT(proto == IPPROTO_ESP && debug_rcv,
992 "klips_debug:ipsec_rcv: "
993 "packet from %s received with seq=%d (iv)=0x%08x%08x iplen=%d esplen=%d sa=%s\n",
995 (__u32)ntohl(espp->esp_rpl),
996 (__u32)ntohl(*((__u32 *)(espp->esp_iv) )),
997 (__u32)ntohl(*((__u32 *)(espp->esp_iv) + 1)),
1000 sa_len ? sa : " (error)");
1001 #endif /* !CONFIG_IPSEC_ESP */
1004 #ifdef CONFIG_IPSEC_ESP
1006 replay = ntohl(espp->esp_rpl);
1007 authenticator = &(dat[len - authlen]);
1008 KLIPS_PRINT(debug_rcv,
1009 "klips_debug:ipsec_rcv: "
1010 "auth on incoming packet from %s: auth=%08x%08x%08x, dropped\n",
1012 *(__u32*)authenticator,
1013 *((__u32*)authenticator + 1),
1014 *((__u32*)authenticator + 2));
1016 #endif /* !CONFIG_IPSEC_ESP */
1017 #ifdef CONFIG_IPSEC_AH
1019 replay = ntohl(ahp->ah_rpl);
1020 authenticator = ahp->ah_data;
1022 #endif /* CONFIG_IPSEC_AH */
1025 if (!ipsec_checkreplaywindow(tdbp, replay)) {
1026 tdbp->tdb_replaywin_errs += 1;
1027 spin_unlock(&tdb_lock);
1028 KLIPS_PRINT(debug_rcv & DB_RX_REPLAY,
1029 "klips_debug:ipsec_rcv: "
1030 "duplicate frame from %s, packet dropped\n",
1033 stats->rx_dropped++;
1039 * verify authenticator
1042 KLIPS_PRINT(debug_rcv,
1043 "klips_debug:ipsec_rcv: "
1044 "encalg = %d, authalg = %d.\n",
1047 KLIPS_PRINT(debug_rcv,
1048 "klips_debug:ipsec_rcv: "
1049 "verify authenticator.\n");
1050 #ifdef CONFIG_IPSEC_ALG
1052 KLIPS_PRINT(debug_rcv,
1053 "klips_debug:ipsec_rcv: "
1054 "ipsec_alg hashing ... ");
1055 if(proto == IPPROTO_ESP) {
1056 ipsec_alg_sa_esp_hash(tdbp,
1057 (caddr_t)espp, ilen,
1058 hash, AHHMAC_HASHLEN);
1059 #ifdef CONFIG_IPSEC_AH
1060 #ifdef IPSEC_ALG_WHEN_AH_IS_READY
1068 ipsec_alg_hmac_update(tdbp->tdb_key_a,
1070 sizeof(struct iphdr));
1071 ipsec_alg_hmac_update(tdbp->tdb_key_a,
1073 ahhlen - AHHMAC_HASHLEN);
1074 ipsec_alg_hmac_update(tdbp->tdb_key_a,
1077 ipsec_alg_hmac_hash(tdbp->tdb_key_a,
1078 (caddr_t)dat + iphlen + ahhlen,
1079 len - iphlen - ahhlen,
1080 hash, AHHMAC_HASHLEN);
1082 #endif /* CONFIG_IPSEC_AH */
1085 #endif /* CONFIG_IPSEC_ALG */
1086 if(tdbp->tdb_authalg) {
1087 switch(tdbp->tdb_authalg) {
1088 #ifdef CONFIG_IPSEC_AUTH_HMAC_MD5
1090 tctx.md5 = ((struct md5_ctx*)(tdbp->tdb_key_a))->ictx;
1091 KLIPS_PRINT(debug_rcv,
1092 "klips_debug:ipsec_rcv: "
1094 if(proto == IPPROTO_ESP) {
1095 MD5Update(&tctx.md5, (caddr_t)espp, ilen);
1096 #ifdef CONFIG_IPSEC_AH
1099 ipo.tos = 0; /* mutable RFC 2402 3.3.3.1.1.1 */
1104 MD5Update(&tctx.md5, (caddr_t)&ipo,
1105 sizeof(struct iphdr));
1106 MD5Update(&tctx.md5, (caddr_t)ahp,
1107 ahhlen - AHHMAC_HASHLEN);
1108 MD5Update(&tctx.md5, (caddr_t)zeroes,
1110 MD5Update(&tctx.md5,
1111 (caddr_t)dat + iphlen + ahhlen,
1112 len - iphlen - ahhlen);
1113 #endif /* CONFIG_IPSEC_AH */
1115 MD5Final(hash, &tctx.md5);
1116 tctx.md5 = ((struct md5_ctx*)(tdbp->tdb_key_a))->octx;
1117 MD5Update(&tctx.md5, hash, AHMD596_ALEN);
1118 MD5Final(hash, &tctx.md5);
1120 #endif /* CONFIG_IPSEC_AUTH_HMAC_MD5 */
1121 #ifdef CONFIG_IPSEC_AUTH_HMAC_SHA1
1123 tctx.sha1 = ((struct sha1_ctx*)(tdbp->tdb_key_a))->ictx;
1124 KLIPS_PRINT(debug_rcv,
1125 "klips_debug:ipsec_rcv: "
1127 if(proto == IPPROTO_ESP) {
1128 SHA1Update(&tctx.sha1, (caddr_t)espp, ilen);
1129 #ifdef CONFIG_IPSEC_AH
1137 SHA1Update(&tctx.sha1, (caddr_t)&ipo,
1138 sizeof(struct iphdr));
1139 SHA1Update(&tctx.sha1, (caddr_t)ahp,
1140 ahhlen - AHHMAC_HASHLEN);
1141 SHA1Update(&tctx.sha1, (caddr_t)zeroes,
1143 SHA1Update(&tctx.sha1,
1144 (caddr_t)dat + iphlen + ahhlen,
1145 len - iphlen - ahhlen);
1146 #endif /* CONFIG_IPSEC_AH */
1148 SHA1Final(hash, &tctx.sha1);
1149 tctx.sha1 = ((struct sha1_ctx*)(tdbp->tdb_key_a))->octx;
1150 SHA1Update(&tctx.sha1, hash, AHSHA196_ALEN);
1151 SHA1Final(hash, &tctx.sha1);
1152 KLIPS_PRINT(debug_rcv,
1153 "klips_debug:ipsec_rcv: "
1154 "hash on incoming packet from %s: auth=%08x%08x%08x\n",
1160 #endif /* CONFIG_IPSEC_AUTH_HMAC_SHA1 */
1165 if(!authenticator) {
1166 tdbp->tdb_auth_errs += 1;
1167 spin_unlock(&tdb_lock);
1169 stats->rx_dropped++;
1174 if (memcmp(hash, authenticator, authlen)) {
1175 tdbp->tdb_auth_errs += 1;
1176 spin_unlock(&tdb_lock);
1177 KLIPS_PRINT(debug_rcv & DB_RX_INAU,
1178 "klips_debug:ipsec_rcv: "
1179 "auth failed on incoming packet from %s: hash=%08x%08x%08x auth=%08x%08x%08x, dropped\n",
1184 *(__u32*)authenticator,
1185 *((__u32*)authenticator + 1),
1186 *((__u32*)authenticator + 2));
1188 stats->rx_dropped++;
1192 KLIPS_PRINT(debug_rcv,
1193 "klips_debug:ipsec_rcv: "
1194 "authentication successful!\n");
1195 KLIPS_PRINT(debug_rcv,
1196 "klips_debug:ipsec_rcv: "
1197 "auth successful on incoming packet from %s: hash=%08x%08x%08x auth=%08x%08x%08x, dropped\n",
1202 *(__u32*)authenticator,
1203 *((__u32*)authenticator + 1),
1204 *((__u32*)authenticator + 2));
1207 memset((caddr_t)&tctx, 0, sizeof(tctx));
1208 memset(hash, 0, sizeof(hash));
1211 /* If the sequence number == 0, expire SA, it had rolled */
1212 if(tdbp->tdb_replaywin && !replay /* !tdbp->tdb_replaywin_lastseq */) {
1213 ipsec_sa_delchain(tdbp);
1214 spin_unlock(&tdb_lock);
1215 KLIPS_PRINT(debug_rcv,
1216 "klips_debug:ipsec_rcv: "
1217 "replay window counter rolled, expiring SA.\n");
1219 stats->rx_dropped++;
1224 if (!ipsec_updatereplaywindow(tdbp, replay)) {
1225 tdbp->tdb_replaywin_errs += 1;
1226 spin_unlock(&tdb_lock);
1227 KLIPS_PRINT(debug_rcv & DB_RX_REPLAY,
1228 "klips_debug:ipsec_rcv: "
1229 "duplicate frame from %s, packet dropped\n",
1232 stats->rx_dropped++;
1238 #ifdef CONFIG_IPSEC_ESP
1240 #ifdef CONFIG_IPSEC_ALG
1241 if ((ixt_e=IPSEC_ALG_SA_ESP_ENC(tdbp))) {
1242 esphlen = ESP_HEADER_LEN + ixt_e->ixt_blocksize;
1243 KLIPS_PRINT(debug_rcv,
1244 "klips_debug:ipsec_rcv: "
1245 "encalg=%d esphlen=%d\n",
1246 tdbp->tdb_encalg, esphlen);
1248 #endif /* CONFIG_IPSEC_ALG */
1249 switch(tdbp->tdb_encalg) {
1250 #ifdef CONFIG_IPSEC_ENC_DES
1252 #endif /* CONFIG_IPSEC_ENC_DES */
1253 #ifdef CONFIG_IPSEC_ENC_3DES
1255 iv[0] = *((__u32 *)(espp->esp_iv) );
1256 iv[1] = *((__u32 *)(espp->esp_iv) + 1);
1257 esphlen = sizeof(struct esp);
1259 #endif /* CONFIG_IPSEC_ENC_3DES */
1261 tdbp->tdb_alg_errs += 1;
1262 spin_unlock(&tdb_lock);
1271 #ifdef CONFIG_IPSEC_ALG
1274 if (ipsec_alg_esp_encrypt(tdbp,
1275 idat, ilen, espp->esp_iv,
1276 IPSEC_ALG_DECRYPT) <= 0)
1278 spin_unlock(&tdb_lock);
1279 printk("klips_error:ipsec_rcv: "
1280 "got packet with esplen = %d "
1281 "from %s -- should be on "
1282 "ENC(%d) octet boundary, "
1291 #endif /* CONFIG_IPSEC_ALG */
1292 switch(tdbp->tdb_encalg) {
1293 #ifdef CONFIG_IPSEC_ENC_DES
1296 tdbp->tdb_encsize_errs += 1;
1297 spin_unlock(&tdb_lock);
1298 printk("klips_error:ipsec_rcv: "
1299 "got packet with esplen = %d from %s "
1300 "-- should be on 8 octet boundary, packet dropped\n",
1307 des_cbc_encrypt(idat, idat, ilen,
1311 #endif /* CONFIG_IPSEC_ENC_DES */
1312 #ifdef CONFIG_IPSEC_ENC_3DES
1315 tdbp->tdb_encsize_errs += 1;
1316 spin_unlock(&tdb_lock);
1317 printk("klips_error:ipsec_rcv: "
1318 "got packet with esplen = %d from %s -- should be on 8 octet boundary, packet dropped\n",
1326 des_ede3_cbc_encrypt((des_cblock *)idat,
1329 ((struct des_eks *)(tdbp->tdb_key_e))[0].ks,
1330 ((struct des_eks *)(tdbp->tdb_key_e))[1].ks,
1331 ((struct des_eks *)(tdbp->tdb_key_e))[2].ks,
1332 (des_cblock *)iv, 0);
1334 #endif /* CONFIG_IPSEC_ENC_3DES */
1338 next_header = idat[ilen - 1];
1339 padlen = idat[ilen - 2];
1340 pad = padlen + 2 + authlen;
1344 KLIPS_PRINT(debug_rcv & DB_RX_IPAD,
1345 "klips_debug:ipsec_rcv: "
1346 "padlen=%d, contents: 0x<offset>: 0x<value> 0x<value> ...\n",
1349 for (i = 1; i <= padlen; i++) {
1351 KLIPS_PRINT(debug_rcv & DB_RX_IPAD,
1352 "klips_debug: %02x:",
1355 KLIPS_PRINTMORE(debug_rcv & DB_RX_IPAD,
1357 idat[ilen - 2 - padlen + i - 1]);
1358 if(i != idat[ilen - 2 - padlen + i - 1]) {
1362 KLIPS_PRINTMORE(debug_rcv & DB_RX_IPAD,
1367 KLIPS_PRINTMORE(debug_rcv & DB_RX_IPAD,
1371 KLIPS_PRINT(debug_rcv & DB_RX_IPAD,
1372 "klips_debug:ipsec_rcv: "
1373 "warning, decrypted packet from %s has bad padding\n",
1375 KLIPS_PRINT(debug_rcv & DB_RX_IPAD,
1376 "klips_debug:ipsec_rcv: "
1377 "...may be bad decryption -- not dropped\n");
1378 tdbp->tdb_encpad_errs += 1;
1381 KLIPS_PRINT(debug_rcv & DB_RX_IPAD,
1382 "klips_debug:ipsec_rcv: "
1383 "packet decrypted from %s: next_header = %d, padding = %d\n",
1388 #endif /* !CONFIG_IPSEC_ESP */
1389 #ifdef CONFIG_IPSEC_AH
1392 #endif /* CONFIG_IPSEC_AH */
1396 * Discard the original ESP/AH header
1399 ipp->protocol = next_header;
1402 #ifdef CONFIG_IPSEC_ESP
1404 ipp->tot_len = htons(ntohs(ipp->tot_len) - (esphlen + pad));
1405 memmove((void *)(skb->data + esphlen),
1406 (void *)(skb->data), iphlen);
1407 if(skb->len < esphlen) {
1408 spin_unlock(&tdb_lock);
1410 "klips_error:ipsec_rcv: "
1411 "tried to skb_pull esphlen=%d, %d available. This should never happen, please report.\n",
1412 esphlen, (int)(skb->len));
1415 skb_pull(skb, esphlen);
1417 KLIPS_PRINT(debug_rcv & DB_RX_PKTRX,
1418 "klips_debug:ipsec_rcv: "
1419 "trimming to %d.\n",
1420 len - esphlen - pad);
1421 if(pad + esphlen <= len) {
1422 skb_trim(skb, len - esphlen - pad);
1424 spin_unlock(&tdb_lock);
1425 KLIPS_PRINT(debug_rcv & DB_RX_PKTRX,
1426 "klips_debug:ipsec_rcv: "
1427 "bogus packet, size is zero or negative, dropping.\n");
1431 #endif /* !CONFIG_IPSEC_ESP */
1432 #ifdef CONFIG_IPSEC_AH
1434 ipp->tot_len = htons(ntohs(ipp->tot_len) - ahhlen);
1435 memmove((void *)(skb->data + ahhlen),
1436 (void *)(skb->data), iphlen);
1437 if(skb->len < ahhlen) {
1438 spin_unlock(&tdb_lock);
1440 "klips_error:ipsec_rcv: "
1441 "tried to skb_pull ahhlen=%d, %d available. This should never happen, please report.\n",
1446 skb_pull(skb, ahhlen);
1448 #endif /* CONFIG_IPSEC_AH */
1460 /* skb->h.ipiph=(struct iphdr *)skb->data; */
1461 skb->nh.raw = skb->data;
1462 skb->h.raw = skb->nh.raw + (skb->nh.iph->ihl << 2);
1464 memset(&(IPCB(skb)->opt), 0, sizeof(struct ip_options));
1466 skb->h.iph=(struct iphdr *)skb->data;
1467 skb->ip_hdr=(struct iphdr *)skb->data;
1468 memset(skb->proto_priv, 0, sizeof(struct options));
1471 ipp = (struct iphdr *)dat;
1473 ipp->check = ip_fast_csum((unsigned char *)dat, iphlen >> 2);
1475 KLIPS_PRINT(debug_rcv & DB_RX_PKTRX,
1476 "klips_debug:ipsec_rcv: "
1477 "after <%s%s%s>, SA:%s:\n",
1478 IPS_XFORM_NAME(tdbp),
1479 sa_len ? sa : " (error)");
1480 KLIPS_IP_PRINT(debug_rcv & DB_RX_PKTRX, ipp);
1482 skb->protocol = htons(ETH_P_IP);
1486 tdbnext = tdbp->tdb_inext;
1487 if(sysctl_ipsec_inbound_policy_check) {
1489 if(tdbnext->tdb_onext != tdbp) {
1490 spin_unlock(&tdb_lock);
1491 KLIPS_PRINT(debug_rcv,
1492 "klips_debug:ipsec_rcv: "
1493 "SA:%s, backpolicy does not agree with fwdpolicy.\n",
1494 sa_len ? sa : " (error)");
1496 stats->rx_dropped++;
1500 KLIPS_PRINT(debug_rcv,
1501 "klips_debug:ipsec_rcv: "
1502 "SA:%s, backpolicy agrees with fwdpolicy.\n",
1503 sa_len ? sa : " (error)");
1505 ipp->protocol != IPPROTO_AH
1506 && ipp->protocol != IPPROTO_ESP
1507 #ifdef CONFIG_IPSEC_IPCOMP
1508 && ipp->protocol != IPPROTO_COMP
1509 && (tdbnext->tdb_said.proto != IPPROTO_COMP
1510 || (tdbnext->tdb_said.proto == IPPROTO_COMP
1511 && tdbnext->tdb_inext))
1512 #endif /* CONFIG_IPSEC_IPCOMP */
1513 && ipp->protocol != IPPROTO_IPIP
1515 spin_unlock(&tdb_lock);
1516 KLIPS_PRINT(debug_rcv,
1517 "klips_debug:ipsec_rcv: "
1518 "packet with incomplete policy dropped, last successful SA:%s.\n",
1519 sa_len ? sa : " (error)");
1521 stats->rx_dropped++;
1525 KLIPS_PRINT(debug_rcv,
1526 "klips_debug:ipsec_rcv: "
1527 "SA:%s, Another IPSEC header to process.\n",
1528 sa_len ? sa : " (error)");
1530 KLIPS_PRINT(debug_rcv,
1531 "klips_debug:ipsec_rcv: "
1532 "No tdb_inext from this SA:%s.\n",
1533 sa_len ? sa : " (error)");
1537 #ifdef CONFIG_IPSEC_IPCOMP
1538 /* update ipcomp ratio counters, even if no ipcomp packet is present */
1540 && tdbnext->tdb_said.proto == IPPROTO_COMP
1541 && ipp->protocol != IPPROTO_COMP) {
1542 tdbnext->tdb_comp_ratio_cbytes += ntohs(ipp->tot_len);
1543 tdbnext->tdb_comp_ratio_dbytes += ntohs(ipp->tot_len);
1545 #endif /* CONFIG_IPSEC_IPCOMP */
1547 tdbp->ips_life.ipl_bytes.ipl_count += len;
1548 tdbp->ips_life.ipl_bytes.ipl_last = len;
1550 if(!tdbp->ips_life.ipl_usetime.ipl_count) {
1551 tdbp->ips_life.ipl_usetime.ipl_count = jiffies / HZ;
1553 tdbp->ips_life.ipl_usetime.ipl_last = jiffies / HZ;
1554 tdbp->ips_life.ipl_packets.ipl_count += 1;
1556 /* end decapsulation loop here */
1557 } while( (ipp->protocol == IPPROTO_ESP )
1558 || (ipp->protocol == IPPROTO_AH )
1559 #ifdef CONFIG_IPSEC_IPCOMP
1560 || (ipp->protocol == IPPROTO_COMP)
1561 #endif /* CONFIG_IPSEC_IPCOMP */
1564 #ifdef CONFIG_IPSEC_IPCOMP
1565 if(tdbnext && tdbnext->tdb_said.proto == IPPROTO_COMP) {
1568 tdbnext = tdbp->tdb_inext;
1570 #endif /* CONFIG_IPSEC_IPCOMP */
1572 #ifdef CONFIG_IPSEC_NAT_TRAVERSAL
1573 if ((natt_type) && (ipp->protocol != IPPROTO_IPIP)) {
1575 * NAT-Traversal and Transport Mode:
1576 * we need to correct TCP/UDP checksum
1578 * If we've got NAT-OA, we can fix checksum without recalculation.
1580 __u32 natt_oa = tdbp->ips_natt_oa ?
1581 ((struct sockaddr_in*)(tdbp->ips_natt_oa))->sin_addr.s_addr : 0;
1582 __u16 pkt_len = skb->tail - (unsigned char *)ipp;
1583 __u16 data_len = pkt_len - (ipp->ihl << 2);
1585 switch (ipp->protocol) {
1587 if (data_len >= sizeof(struct tcphdr)) {
1588 struct tcphdr *tcp = (struct tcphdr *)((__u32 *)ipp+ipp->ihl);
1590 __u32 buff[2] = { ~natt_oa, ipp->saddr };
1591 KLIPS_PRINT(debug_rcv,
1592 "klips_debug:ipsec_rcv: "
1593 "NAT-T & TRANSPORT: "
1594 "fix TCP checksum using NAT-OA\n");
1595 tcp->check = csum_fold(
1596 csum_partial((unsigned char *)buff, sizeof(buff),
1597 tcp->check^0xffff));
1600 KLIPS_PRINT(debug_rcv,
1601 "klips_debug:ipsec_rcv: "
1602 "NAT-T & TRANSPORT: recalc TCP checksum\n");
1603 if (pkt_len > (ntohs(ipp->tot_len)))
1604 data_len -= (pkt_len - ntohs(ipp->tot_len));
1606 tcp->check = csum_tcpudp_magic(ipp->saddr, ipp->daddr,
1607 data_len, IPPROTO_TCP,
1608 csum_partial((unsigned char *)tcp, data_len, 0));
1612 KLIPS_PRINT(debug_rcv,
1613 "klips_debug:ipsec_rcv: "
1614 "NAT-T & TRANSPORT: can't fix TCP checksum\n");
1618 if (data_len >= sizeof(struct udphdr)) {
1619 struct udphdr *udp = (struct udphdr *)((__u32 *)ipp+ipp->ihl);
1620 if (udp->check == 0) {
1621 KLIPS_PRINT(debug_rcv,
1622 "klips_debug:ipsec_rcv: "
1623 "NAT-T & TRANSPORT: UDP checksum already 0\n");
1626 __u32 buff[2] = { ~natt_oa, ipp->saddr };
1627 KLIPS_PRINT(debug_rcv,
1628 "klips_debug:ipsec_rcv: "
1629 "NAT-T & TRANSPORT: "
1630 "fix UDP checksum using NAT-OA\n");
1631 udp->check = csum_fold(
1632 csum_partial((unsigned char *)buff, sizeof(buff),
1633 udp->check^0xffff));
1636 KLIPS_PRINT(debug_rcv,
1637 "klips_debug:ipsec_rcv: "
1638 "NAT-T & TRANSPORT: zero UDP checksum\n");
1643 KLIPS_PRINT(debug_rcv,
1644 "klips_debug:ipsec_rcv: "
1645 "NAT-T & TRANSPORT: can't fix UDP checksum\n");
1649 KLIPS_PRINT(debug_rcv,
1650 "klips_debug:ipsec_rcv: "
1651 "NAT-T & TRANSPORT: non TCP/UDP packet -- do nothing\n");
1658 * XXX this needs to be locked from when it was first looked
1659 * up in the decapsulation loop. Perhaps it is better to put
1660 * the IPIP decap inside the loop.
1664 sa_len = satoa(tdbp->tdb_said, 0, sa, SATOA_BUF);
1665 if(ipp->protocol != IPPROTO_IPIP) {
1666 spin_unlock(&tdb_lock);
1667 KLIPS_PRINT(debug_rcv,
1668 "klips_debug:ipsec_rcv: "
1669 "SA:%s, Hey! How did this get through? Dropped.\n",
1670 sa_len ? sa : " (error)");
1672 stats->rx_dropped++;
1676 if(sysctl_ipsec_inbound_policy_check) {
1677 if((tdbnext = tdbp->tdb_inext)) {
1678 char sa2[SATOA_BUF];
1680 sa_len2 = satoa(tdbnext->tdb_said, 0, sa2, SATOA_BUF);
1681 spin_unlock(&tdb_lock);
1682 KLIPS_PRINT(debug_rcv,
1683 "klips_debug:ipsec_rcv: "
1684 "unexpected SA:%s after IPIP SA:%s\n",
1685 sa_len2 ? sa2 : " (error)",
1686 sa_len ? sa : " (error)");
1688 stats->rx_dropped++;
1692 if(ipp->saddr != ((struct sockaddr_in*)(tdbp->tdb_addr_s))->sin_addr.s_addr) {
1693 spin_unlock(&tdb_lock);
1694 ipaddr.s_addr = ipp->saddr;
1695 addrtoa(ipaddr, 0, ipaddr_txt, sizeof(ipaddr_txt));
1696 KLIPS_PRINT(debug_rcv,
1697 "klips_debug:ipsec_rcv: "
1698 "SA:%s, src=%s of pkt does not agree with expected SA source address policy.\n",
1699 sa_len ? sa : " (error)",
1702 stats->rx_dropped++;
1709 * XXX this needs to be locked from when it was first looked
1710 * up in the decapsulation loop. Perhaps it is better to put
1711 * the IPIP decap inside the loop.
1713 tdbp->ips_life.ipl_bytes.ipl_count += len;
1714 tdbp->ips_life.ipl_bytes.ipl_last = len;
1716 if(!tdbp->ips_life.ipl_usetime.ipl_count) {
1717 tdbp->ips_life.ipl_usetime.ipl_count = jiffies / HZ;
1719 tdbp->ips_life.ipl_usetime.ipl_last = jiffies / HZ;
1720 tdbp->ips_life.ipl_packets.ipl_count += 1;
1722 if(skb->len < iphlen) {
1723 spin_unlock(&tdb_lock);
1724 printk(KERN_WARNING "klips_debug:ipsec_rcv: "
1725 "tried to skb_pull iphlen=%d, %d available. This should never happen, please report.\n",
1731 skb_pull(skb, iphlen);
1734 skb->nh.raw = skb->data;
1735 ipp = (struct iphdr *)skb->nh.raw;
1736 skb->h.raw = skb->nh.raw + (skb->nh.iph->ihl << 2);
1738 memset(&(IPCB(skb)->opt), 0, sizeof(struct ip_options));
1740 ipp = skb->ip_hdr = skb->h.iph = (struct iphdr *)skb->data;
1742 memset(skb->proto_priv, 0, sizeof(struct options));
1745 skb->protocol = htons(ETH_P_IP);
1747 KLIPS_PRINT(debug_rcv & DB_RX_PKTRX,
1748 "klips_debug:ipsec_rcv: "
1749 "IPIP tunnel stripped.\n");
1750 KLIPS_IP_PRINT(debug_rcv & DB_RX_PKTRX, ipp);
1752 if(sysctl_ipsec_inbound_policy_check
1754 Note: "xor" (^) logically replaces "not equal"
1755 (!=) and "bitwise or" (|) logically replaces
1756 "boolean or" (||). This is done to speed up
1757 execution by doing only bitwise operations and
1758 no branch operations
1760 && (((ipp->saddr & tdbp->tdb_mask_s.u.v4.sin_addr.s_addr)
1761 ^ tdbp->tdb_flow_s.u.v4.sin_addr.s_addr)
1762 | ((ipp->daddr & tdbp->tdb_mask_d.u.v4.sin_addr.s_addr)
1763 ^ tdbp->tdb_flow_d.u.v4.sin_addr.s_addr)) )
1765 struct in_addr daddr, saddr;
1766 char saddr_txt[ADDRTOA_BUF], daddr_txt[ADDRTOA_BUF];
1767 char sflow_txt[SUBNETTOA_BUF], dflow_txt[SUBNETTOA_BUF];
1769 subnettoa(tdbp->tdb_flow_s.u.v4.sin_addr,
1770 tdbp->tdb_mask_s.u.v4.sin_addr,
1771 0, sflow_txt, sizeof(sflow_txt));
1772 subnettoa(tdbp->tdb_flow_d.u.v4.sin_addr,
1773 tdbp->tdb_mask_d.u.v4.sin_addr,
1774 0, dflow_txt, sizeof(dflow_txt));
1775 spin_unlock(&tdb_lock);
1776 saddr.s_addr = ipp->saddr;
1777 daddr.s_addr = ipp->daddr;
1778 addrtoa(saddr, 0, saddr_txt, sizeof(saddr_txt));
1779 addrtoa(daddr, 0, daddr_txt, sizeof(daddr_txt));
1780 KLIPS_PRINT(debug_rcv,
1781 "klips_debug:ipsec_rcv: "
1782 "SA:%s, inner tunnel policy [%s -> %s] does not agree with pkt contents [%s -> %s].\n",
1783 sa_len ? sa : " (error)",
1789 stats->rx_dropped++;
1795 #ifdef INBOUND_POLICY_CHECK_eroute
1797 Do *not* enable this without thoroughly checking spinlock issues
1798 first. In particular, nesting an eroute spinlock within a tdb
1799 spinlock could result in a deadlock. (Well, only on a SMP machine
1804 * First things first -- look us up in the erouting tables.
1806 matcher.sen_len = sizeof (struct sockaddr_encap);
1807 matcher.sen_family = AF_ENCAP;
1808 matcher.sen_type = SENT_IP4;
1809 if(ipp->protocol == IPPROTO_IPIP) {
1812 ipp2 = (struct iphdr*) (((char*)ipp) + (ipp->ihl << 2));
1813 matcher.sen_ip_src.s_addr = ipp2->saddr;
1814 matcher.sen_ip_dst.s_addr = ipp2->daddr;
1816 matcher.sen_ip_src.s_addr = ipp->saddr;
1817 matcher.sen_ip_dst.s_addr = ipp->daddr;
1821 * The spinlock is to prevent any other process from accessing or
1822 * deleting the eroute while we are using and updating it.
1824 spin_lock(&eroute_lock);
1826 er = ipsec_findroute(&matcher);
1828 policy_said = er->er_said;
1829 policy_eaddr = er->er_eaddr;
1830 policy_emask = er->er_emask;
1832 er->er_lasttime = jiffies/HZ;
1835 spin_unlock(&eroute_lock);
1839 * The spinlock is to prevent any other process from
1840 * accessing or deleting the tdb while we are using and
1843 spin_lock(&tdb_lock);
1845 policy_tdb = gettdb(&policy_said);
1846 if (policy_tdb == NULL) {
1847 spin_unlock(&tdb_lock);
1848 KLIPS_PRINT(debug_rcv,
1849 "klips_debug:ipsec_rcv: "
1850 "no Tunnel Descriptor Block for SA%s: incoming packet with no policy SA, dropped.\n",
1851 sa_len ? sa : " (error)");
1855 sa_len = satoa(policy_said, 0, sa, SATOA_BUF);
1857 KLIPS_PRINT(debug_rcv,
1858 "klips_debug:ipsec_rcv: "
1859 "found policy Tunnel Descriptor Block -- SA:%s\n",
1860 sa_len ? sa : " (error)");
1862 if(policy_tdb->tdb_inext) {
1863 policy_tdb = policy_tdb->tdb_inext;
1868 if(policy_tdb != tdbp) {
1869 spin_unlock(&tdb_lock);
1870 KLIPS_PRINT(debug_rcv,
1871 "klips_debug:ipsec_rcv: "
1872 "Tunnel Descriptor Block for SA%s: incoming packet with different policy SA, dropped.\n",
1873 sa_len ? sa : " (error)");
1877 /* spin_unlock(&tdb_lock); */
1879 #endif /* INBOUND_POLICY_CHECK_eroute */
1881 spin_unlock(&tdb_lock);
1885 stats->rx_bytes += skb->len;
1888 dst_release(skb->dst);
1891 skb->pkt_type = PACKET_HOST;
1892 if(hard_header_len &&
1893 (skb->mac.raw != (skb->data - hard_header_len)) &&
1894 (hard_header_len <= skb_headroom(skb))) {
1895 /* copy back original MAC header */
1896 memmove(skb->data - hard_header_len, skb->mac.raw, hard_header_len);
1897 skb->mac.raw = skb->data - hard_header_len;
1901 #ifdef CONFIG_IPSEC_IPCOMP
1902 if(ipp->protocol == IPPROTO_COMP) {
1903 unsigned int flags = 0;
1905 if(sysctl_ipsec_inbound_policy_check) {
1906 KLIPS_PRINT(debug_rcv & DB_RX_PKTRX,
1907 "klips_debug:ipsec_rcv: "
1908 "inbound policy checking enabled, IPCOMP follows IPIP, dropped.\n");
1915 XXX need a TDB for updating ratio counters but it is not
1916 following policy anyways so it is not a priority
1918 skb = skb_decompress(skb, NULL, &flags);
1919 if (!skb || flags) {
1920 KLIPS_PRINT(debug_rcv & DB_RX_PKTRX,
1921 "klips_debug:ipsec_rcv: "
1922 "skb_decompress() returned error flags: %d, dropped.\n",
1930 #endif /* CONFIG_IPSEC_IPCOMP */
1932 #ifdef SKB_RESET_NFCT
1933 nf_conntrack_put(skb->nfct);
1935 #ifdef CONFIG_NETFILTER_DEBUG
1937 #endif /* CONFIG_NETFILTER_DEBUG */
1938 #if defined(CONFIG_BRIDGE) || defined(CONFIG_BRIDGE_MODULE)
1939 nf_bridge_put(skb->nf_bridge);
1940 skb->nf_bridge = NULL;
1942 #endif /* SKB_RESET_NFCT */
1943 KLIPS_PRINT(debug_rcv & DB_RX_PKTRX,
1944 "klips_debug:ipsec_rcv: "
1945 "netif_rx() called.\n");
1956 kfree_skb(skb, FREE_WRITE);
1964 struct inet_protocol ah_protocol =
1966 ipsec_rcv, /* AH handler */
1967 NULL, /* TUNNEL error control */
1969 IPPROTO_AH, /* protocol ID */
1975 struct inet_protocol esp_protocol =
1977 ipsec_rcv, /* ESP handler */
1978 NULL, /* TUNNEL error control */
1980 IPPROTO_ESP, /* protocol ID */
1987 /* We probably don't want to install a pure IPCOMP protocol handler, but
1988 only want to handle IPCOMP if it is encapsulated inside an ESP payload
1989 (which is already handled) */
1990 #ifdef CONFIG_IPSEC_IPCOMP
1991 struct inet_protocol comp_protocol =
1993 ipsec_rcv, /* COMP handler */
1994 NULL, /* COMP error control */
1996 IPPROTO_COMP, /* protocol ID */
2001 #endif /* CONFIG_IPSEC_IPCOMP */
2006 * Revision 1.9.2.1 2003/06/30 05:04:07 matthewn
2007 * We need to set the physindev when we receive a packet via IPSec.
2009 * Revision 1.102 2002/01/29 17:17:56 mcr
2010 * moved include of ipsec_param.h to after include of linux/kernel.h
2011 * otherwise, it seems that some option that is set in ipsec_param.h
2012 * screws up something subtle in the include path to kernel.h, and
2013 * it complains on the snprintf() prototype.
2015 * Revision 1.101 2002/01/29 04:00:52 mcr
2016 * more excise of kversions.h header.
2018 * Revision 1.100 2002/01/29 02:13:17 mcr
2019 * introduction of ipsec_kversion.h means that include of
2020 * ipsec_param.h must preceed any decisions about what files to
2021 * include to deal with differences in kernel source.
2023 * Revision 1.99 2002/01/28 21:40:59 mcr
2024 * should use #if to test boolean option rather than #ifdef.
2026 * Revision 1.98 2002/01/20 20:19:36 mcr
2027 * renamed option to IP_FRAGMENT_LINEARIZE.
2029 * Revision 1.97 2002/01/12 02:55:36 mcr
2030 * fix for post-2.4.4 to linearize skb's when ESP packet
2031 * was assembled from fragments.
2033 * Revision 1.96 2001/11/26 09:23:49 rgb
2034 * Merge MCR's ipsec_sa, eroute, proc and struct lifetime changes.
2036 * Revision 1.93.2.2 2001/10/22 20:54:07 mcr
2037 * include des.h, removed phony prototypes and fixed calling
2038 * conventions to match real prototypes.
2040 * Revision 1.93.2.1 2001/09/25 02:22:22 mcr
2041 * struct tdb -> struct ipsec_sa.
2042 * lifetime checks moved to ipsec_life.c
2043 * some sa(tdb) manipulation functions renamed.
2045 * Revision 1.95 2001/11/06 19:49:07 rgb
2046 * Added variable descriptions.
2047 * Removed unauthenticated sequence==0 check to prevent DoS.
2049 * Revision 1.94 2001/10/18 04:45:20 rgb
2050 * 2.4.9 kernel deprecates linux/malloc.h in favour of linux/slab.h,
2051 * lib/freeswan.h version macros moved to lib/kversions.h.
2052 * Other compiler directive cleanups.
2054 * Revision 1.93 2001/09/07 22:17:24 rgb
2055 * Fix for removal of transport layer protocol handler arg in 2.4.4.
2056 * Fix to accomodate peer non-conformance to IPCOMP rfc2393.
2058 * Revision 1.92 2001/08/27 19:44:41 rgb
2059 * Fix error in comment.
2061 * Revision 1.91 2001/07/20 19:31:48 dhr
2062 * [DHR] fix source and destination subnets of policy in diagnostic
2064 * Revision 1.90 2001/07/06 19:51:09 rgb
2065 * Added inbound policy checking code for IPIP SAs.
2066 * Renamed unused function argument for ease and intuitive naming.
2068 * Revision 1.89 2001/06/22 19:35:23 rgb
2069 * Disable ipcomp processing if we are handed a ipcomp packet with no esp
2071 * Print protocol if we are handed a non-ipsec packet.
2073 * Revision 1.88 2001/06/20 06:30:47 rgb
2074 * Fixed transport mode IPCOMP policy check bug.
2076 * Revision 1.87 2001/06/13 20:58:40 rgb
2077 * Added parentheses around assignment used as truth value to silence
2080 * Revision 1.86 2001/06/07 22:25:23 rgb
2081 * Added a source address policy check for tunnel mode. It still does
2082 * not check client addresses and masks.
2083 * Only decapsulate IPIP if it is expected.
2085 * Revision 1.85 2001/05/30 08:14:02 rgb
2086 * Removed vestiges of esp-null transforms.
2088 * Revision 1.84 2001/05/27 06:12:11 rgb
2089 * Added structures for pid, packet count and last access time to eroute.
2090 * Added packet count to beginning of /proc/net/ipsec_eroute.
2092 * Revision 1.83 2001/05/04 16:45:47 rgb
2093 * Remove unneeded code. ipp is not used after this point.
2095 * Revision 1.82 2001/05/04 16:36:00 rgb
2096 * Fix skb_cow() call for 2.4.4. (SS)
2098 * Revision 1.81 2001/05/02 14:46:53 rgb
2099 * Fix typo for compiler directive to pull IPH back.
2101 * Revision 1.80 2001/04/30 19:46:34 rgb
2102 * Update for 2.4.4. We now receive the skb with skb->data pointing to
2105 * Revision 1.79 2001/04/23 15:01:15 rgb
2106 * Added spin_lock() check to prevent double-locking for multiple
2107 * transforms and hence kernel lock-ups with SMP kernels.
2108 * Minor spin_unlock() adjustments to unlock before non-dependant prints
2109 * and IPSEC device stats updates.
2111 * Revision 1.78 2001/04/21 23:04:24 rgb
2112 * Check if soft expire has already been sent before sending another to
2113 * prevent ACQUIRE flooding.
2115 * Revision 1.77 2001/03/16 07:35:20 rgb
2116 * Ditch extra #if 1 around now permanent policy checking code.
2118 * Revision 1.76 2001/02/27 22:24:54 rgb
2119 * Re-formatting debug output (line-splitting, joining, 1arg/line).
2120 * Check for satoa() return codes.
2122 * Revision 1.75 2001/02/19 22:28:30 rgb
2123 * Minor change to virtual device discovery code to assert which I/F has
2126 * Revision 1.74 2000/11/25 03:50:36 rgb
2127 * Oops fix by minor re-arrangement of code to avoid accessing a freed tdb.
2129 * Revision 1.73 2000/11/09 20:52:15 rgb
2130 * More spinlock shuffling, locking earlier and unlocking later in rcv to
2131 * include ipcomp and prevent races, renaming some tdb variables that got
2132 * forgotten, moving some unlocks to include tdbs and adding a missing
2133 * unlock. Thanks to Svenning for some of these.
2135 * Revision 1.72 2000/11/09 20:11:22 rgb
2136 * Minor shuffles to fix non-standard kernel config option selection.
2138 * Revision 1.71 2000/11/06 04:36:18 rgb
2139 * Ditched spin_lock_irqsave in favour of spin_lock.
2140 * Minor initial protocol check rewrite.
2141 * Clean up debug printing.
2142 * Clean up tdb handling on ipcomp.
2143 * Fixed transport mode null pointer de-reference without ipcomp.
2144 * Add Svenning's adaptive content compression.
2145 * Disabled registration of ipcomp handler.
2147 * Revision 1.70 2000/10/30 23:41:43 henry
2148 * Hans-Joerg Hoexer's null-pointer fix
2150 * Revision 1.69 2000/10/10 18:54:16 rgb
2151 * Added a fix for incoming policy check with ipcomp enabled but
2154 * Revision 1.68 2000/09/22 17:53:12 rgb
2155 * Fixed ipcomp tdb pointers update for policy checking.
2157 * Revision 1.67 2000/09/21 03:40:58 rgb
2158 * Added more debugging to try and track down the cpi outward copy problem.
2160 * Revision 1.66 2000/09/20 04:00:10 rgb
2161 * Changed static functions to DEBUG_NO_STATIC to reveal function names for
2164 * Revision 1.65 2000/09/19 07:07:16 rgb
2165 * Added debugging to inbound policy check for ipcomp.
2166 * Added missing spin_unlocks (thanks Svenning!).
2167 * Fixed misplaced tdbnext pointers causing mismatched ipip policy check.
2168 * Protect ipcomp policy check following ipip decap with sysctl switch.
2170 * Revision 1.64 2000/09/18 21:27:29 rgb
2173 * Revision 1.63 2000/09/18 02:35:50 rgb
2174 * Added policy checking to ipcomp and re-enabled policy checking by
2176 * Optimised satoa calls.
2178 * Revision 1.62 2000/09/17 21:02:32 rgb
2179 * Clean up debugging, removing slow timestamp debug code.
2181 * Revision 1.61 2000/09/16 01:07:55 rgb
2182 * Fixed erroneous ref from struct ipcomp to struct ipcomphdr.
2184 * Revision 1.60 2000/09/15 11:37:01 rgb
2185 * Merge in heavily modified Svenning Soerensen's <svenning@post5.tele.dk>
2186 * IPCOMP zlib deflate code.
2188 * Revision 1.59 2000/09/15 04:56:20 rgb
2189 * Remove redundant satoa() call, reformat comment.
2191 * Revision 1.58 2000/09/13 08:00:52 rgb
2192 * Flick on inbound policy checking.
2194 * Revision 1.57 2000/09/12 03:22:19 rgb
2195 * Converted inbound_policy_check to sysctl.
2196 * Re-enabled policy backcheck.
2197 * Moved policy checks to top and within tdb lock.
2199 * Revision 1.56 2000/09/08 19:12:56 rgb
2200 * Change references from DEBUG_IPSEC to CONFIG_IPSEC_DEBUG.
2202 * Revision 1.55 2000/08/28 18:15:46 rgb
2203 * Added MB's nf-debug reset patch.
2205 * Revision 1.54 2000/08/27 01:41:26 rgb
2206 * More minor tweaks to the bad padding debug code.
2208 * Revision 1.53 2000/08/24 16:54:16 rgb
2209 * Added KLIPS_PRINTMORE macro to continue lines without KERN_INFO level
2211 * Tidied up device reporting at the start of ipsec_rcv.
2212 * Tidied up bad padding debugging and processing.
2214 * Revision 1.52 2000/08/20 21:36:03 rgb
2215 * Activated pfkey_expire() calls.
2216 * Added a hard/soft expiry parameter to pfkey_expire().
2217 * Added sanity checking to avoid propagating zero or smaller-length skbs
2218 * from a bogus decryption.
2219 * Re-arranged the order of soft and hard expiry to conform to RFC2367.
2220 * Clean up references to CONFIG_IPSEC_PFKEYv2.
2222 * Revision 1.51 2000/08/18 21:23:30 rgb
2223 * Improve bad padding warning so that the printk buffer doesn't get
2226 * Revision 1.50 2000/08/01 14:51:51 rgb
2227 * Removed _all_ remaining traces of DES.
2229 * Revision 1.49 2000/07/28 13:50:53 rgb
2230 * Changed enet_statistics to net_device_stats and added back compatibility
2233 * Revision 1.48 2000/05/10 19:14:40 rgb
2234 * Only check usetime against soft and hard limits if the tdb has been
2236 * Cast output of ntohl so that the broken prototype doesn't make our
2239 * Revision 1.47 2000/05/09 17:45:43 rgb
2240 * Fix replay bitmap corruption bug upon receipt of bogus packet
2241 * with correct SPI. This was a DoS.
2243 * Revision 1.46 2000/03/27 02:31:58 rgb
2244 * Fixed authentication failure printout bug.
2246 * Revision 1.45 2000/03/22 16:15:37 rgb
2247 * Fixed renaming of dev_get (MB).
2249 * Revision 1.44 2000/03/16 08:17:24 rgb
2250 * Hardcode PF_KEYv2 support.
2251 * Fixed minor bug checking AH header length.
2253 * Revision 1.43 2000/03/14 12:26:59 rgb
2254 * Added skb->nfct support for clearing netfilter conntrack bits (MB).
2256 * Revision 1.42 2000/01/26 10:04:04 rgb
2257 * Fixed inbound policy checking on transport mode bug.
2258 * Fixed noisy 2.0 printk arguments.
2260 * Revision 1.41 2000/01/24 20:58:02 rgb
2261 * Improve debugging/reporting support for (disabled) inbound
2264 * Revision 1.40 2000/01/22 23:20:10 rgb
2265 * Fixed up inboud policy checking code.
2266 * Cleaned out unused crud.
2268 * Revision 1.39 2000/01/21 06:15:29 rgb
2269 * Added sanity checks on skb_push(), skb_pull() to prevent panics.
2270 * Fixed cut-and-paste debug_tunnel to debug_rcv.
2271 * Added inbound policy checking code, disabled.
2272 * Simplified output code by updating ipp to post-IPIP decapsulation.
2274 * Revision 1.38 1999/12/22 05:08:36 rgb
2275 * Checked for null skb, skb->dev, skb->data, skb->dev->name, dev->name,
2276 * protocol and take appropriate action for sanity.
2277 * Set ipsecdev to NULL if device could not be determined.
2278 * Fixed NULL stats access bug if device could not be determined.
2280 * Revision 1.37 1999/12/14 20:07:59 rgb
2281 * Added a default switch case to catch bogus encalg values.
2283 * Revision 1.36 1999/12/07 18:57:57 rgb
2284 * Fix PFKEY symbol compile error (SADB_*) without pfkey enabled.
2286 * Revision 1.35 1999/12/01 22:15:35 rgb
2287 * Add checks for LARVAL and DEAD SAs.
2288 * Change state of SA from MATURE to DYING when a soft lifetime is
2289 * reached and print debug warning.
2291 * Revision 1.34 1999/11/23 23:04:03 rgb
2292 * Use provided macro ADDRTOA_BUF instead of hardcoded value.
2293 * Sort out pfkey and freeswan headers, putting them in a library path.
2295 * Revision 1.33 1999/11/19 01:10:06 rgb
2296 * Enable protocol handler structures for static linking.
2298 * Revision 1.32 1999/11/18 04:09:19 rgb
2299 * Replaced all kernel version macros to shorter, readable form.
2301 * Revision 1.31 1999/11/17 15:53:39 rgb
2302 * Changed all occurrences of #include "../../../lib/freeswan.h"
2303 * to #include <freeswan.h> which works due to -Ilibfreeswan in the
2304 * klips/net/ipsec/Makefile.
2306 * Revision 1.30 1999/10/26 15:09:07 rgb
2307 * Used debug compiler directives to shut up compiler for decl/assign
2310 * Revision 1.29 1999/10/16 18:25:37 rgb
2311 * Moved SA lifetime expiry checks before packet processing.
2312 * Expire SA on replay counter rollover.
2314 * Revision 1.28 1999/10/16 04:23:07 rgb
2315 * Add stats for replaywin_errs, replaywin_max_sequence_difference,
2316 * authentication errors, encryption size errors, encryption padding
2317 * errors, and time since last packet.
2319 * Revision 1.27 1999/10/16 00:30:47 rgb
2320 * Added SA lifetime counting.
2322 * Revision 1.26 1999/10/15 22:14:37 rgb
2325 * Revision 1.25 1999/10/08 18:37:34 rgb
2326 * Fix end-of-line spacing to sate whining PHMs.
2328 * Revision 1.24 1999/10/03 18:54:51 rgb
2329 * Spinlock support for 2.3.xx.
2330 * Don't forget to undo spinlocks on error!
2332 * Revision 1.23 1999/10/01 15:44:53 rgb
2333 * Move spinlock header include to 2.1> scope.
2335 * Revision 1.22 1999/10/01 00:01:54 rgb
2336 * Added tdb structure locking.
2338 * Revision 1.21 1999/09/18 11:42:12 rgb
2339 * Add Marc Boucher's tcpdump cloned packet fix.
2341 * Revision 1.20 1999/09/17 23:50:25 rgb
2342 * Add Marc Boucher's hard_header_len patches.
2344 * Revision 1.19 1999/09/10 05:31:36 henry
2345 * tentative fix for 2.0.38-crash bug (move chunk of new code into 2.2 #ifdef)
2347 * Revision 1.18 1999/08/28 08:28:06 rgb
2348 * Delete redundant sanity check.
2350 * Revision 1.17 1999/08/28 02:00:58 rgb
2351 * Add an extra sanity check for null skbs.
2353 * Revision 1.16 1999/08/27 05:21:38 rgb
2354 * Clean up skb->data/raw/nh/h manipulation.
2355 * Add Marc Boucher's mods to aid tcpdump.
2357 * Revision 1.15 1999/08/25 14:22:40 rgb
2358 * Require 4-octet boundary check only for ESP.
2360 * Revision 1.14 1999/08/11 08:36:44 rgb
2361 * Add compiler directives to allow configuring out AH, ESP or transforms.
2363 * Revision 1.13 1999/08/03 17:10:49 rgb
2364 * Cosmetic fixes and clarification to debug output.
2366 * Revision 1.12 1999/05/09 03:25:36 rgb
2367 * Fix bug introduced by 2.2 quick-and-dirty patch.
2369 * Revision 1.11 1999/05/08 21:23:57 rgb
2370 * Add casting to silence the 2.2.x compile.
2372 * Revision 1.10 1999/05/05 22:02:31 rgb
2373 * Add a quick and dirty port to 2.2 kernels by Marc Boucher <marc@mbsi.ca>.
2375 * Revision 1.9 1999/04/29 15:18:01 rgb
2376 * hange debugging to respond only to debug_rcv.
2377 * Change gettdb parameter to a pointer to reduce stack loading and
2378 * facilitate parameter sanity checking.
2380 * Revision 1.8 1999/04/15 15:37:24 rgb
2381 * Forward check changes from POST1_00 branch.
2383 * Revision 1.4.2.2 1999/04/13 20:32:45 rgb
2384 * Move null skb sanity check.
2385 * Silence debug a bit more when off.
2386 * Use stats more effectively.
2388 * Revision 1.4.2.1 1999/03/30 17:10:32 rgb
2389 * Update AH+ESP bugfix.
2391 * Revision 1.7 1999/04/11 00:28:59 henry
2394 * Revision 1.6 1999/04/06 04:54:27 rgb
2395 * Fix/Add RCSID Id: and Log: bits to make PHMDs happy. This includes
2396 * patch shell fixes.
2398 * Revision 1.5 1999/03/17 15:39:23 rgb
2401 * ESP_NULL esphlen and IV bug fix.
2403 * Revision 1.4 1999/02/17 16:51:02 rgb
2404 * Ditch NET_IPIP dependancy.
2405 * Decapsulate recursively for an entire bundle.
2407 * Revision 1.3 1999/02/12 21:22:47 rgb
2408 * Convert debugging printks to KLIPS_PRINT macro.
2410 * Process IPIP tunnels internally.
2412 * Revision 1.2 1999/01/26 02:07:36 rgb
2413 * Clean up debug code when switched off.
2414 * Remove references to INET_GET_PROTOCOL.
2416 * Revision 1.1 1999/01/21 20:29:11 rgb
2417 * Converted from transform switching to algorithm switching.
2420 * Id: ipsec_esp.c,v 1.16 1998/12/02 03:08:11 rgb Exp $
2422 * Log: ipsec_esp.c,v $
2423 * Revision 1.16 1998/12/02 03:08:11 rgb
2424 * Fix incoming I/F bug in AH and clean up inconsistencies in the I/F
2425 * discovery routine in both AH and ESP.
2427 * Revision 1.15 1998/11/30 13:22:51 rgb
2428 * Rationalised all the klips kernel file headers. They are much shorter
2429 * now and won't conflict under RH5.2.
2431 * Revision 1.14 1998/11/10 05:55:37 rgb
2432 * Add even more detail to 'wrong I/F' debug statement.
2434 * Revision 1.13 1998/11/10 05:01:30 rgb
2435 * Clean up debug output to be quiet when disabled.
2436 * Add more detail to 'wrong I/F' debug statement.
2438 * Revision 1.12 1998/10/31 06:39:32 rgb
2439 * Fixed up comments in #endif directives.
2440 * Tidied up debug printk output.
2441 * Convert to addrtoa and satoa where possible.
2443 * Revision 1.11 1998/10/27 00:49:30 rgb
2444 * AH+ESP bundling bug has been squished.
2445 * Cosmetic brace fixing in code.
2446 * Newlines added before calls to ipsec_print_ip.
2447 * Fix debug output function ID's.
2449 * Revision 1.10 1998/10/22 06:37:22 rgb
2450 * Fixed run-on error message to fit 80 columns.
2452 * Revision 1.9 1998/10/20 02:41:04 rgb
2453 * Fixed a replay window size sanity test bug.
2455 * Revision 1.8 1998/10/19 18:55:27 rgb
2456 * Added inclusion of freeswan.h.
2457 * sa_id structure implemented and used: now includes protocol.
2458 * \n bugfix to printk debug message.
2460 * Revision 1.7 1998/10/09 04:23:03 rgb
2461 * Fixed possible DoS caused by invalid transform called from an ESP
2462 * packet. This should not be a problem when protocol is added to the SA.
2463 * Sanity check added for null xf_input routine. Sanity check added for null
2464 * socket buffer returned from xf_input routine.
2465 * Added 'klips_debug' prefix to all klips printk debug statements.
2467 * Revision 1.6 1998/07/14 15:56:04 rgb
2468 * Set sdb->dev to virtual ipsec I/F.
2470 * Revision 1.5 1998/06/30 18:07:46 rgb
2471 * Change for ah/esp_protocol stuct visible only if module.
2473 * Revision 1.4 1998/06/30 00:12:46 rgb
2474 * Clean up a module compile error.
2476 * Revision 1.3 1998/06/25 19:28:06 rgb
2477 * Readjust premature unloading of module on packet receipt.
2478 * Make protocol structure abailable to rest of kernel.
2479 * Use macro for protocol number.
2481 * Revision 1.2 1998/06/23 02:49:34 rgb
2482 * Fix minor #include bug that prevented compiling without debugging.
2483 * Added code to check for presence of IPIP protocol if an incoming packet
2486 * Revision 1.1 1998/06/18 21:27:44 henry
2487 * move sources from klips/src to klips/net/ipsec, to keep stupid
2488 * kernel-build scripts happier in the presence of symlinks
2490 * Revision 1.9 1998/06/14 23:48:42 rgb
2491 * Fix I/F name comparison oops bug.
2493 * Revision 1.8 1998/06/11 07:20:04 rgb
2494 * Stats fixed for rx_packets.
2496 * Revision 1.7 1998/06/11 05:53:34 rgb
2497 * Added stats for rx error and good packet reporting.
2499 * Revision 1.6 1998/06/05 02:27:28 rgb
2500 * Add rx_errors stats.
2501 * Fix DoS bug: skb's not being freed on dropped packets.
2503 * Revision 1.5 1998/05/27 21:21:29 rgb
2504 * Fix DoS potential bug. skb was not being freed if the packet was bad.
2506 * Revision 1.4 1998/05/18 22:31:37 rgb
2507 * Minor change in debug output and comments.
2509 * Revision 1.3 1998/04/21 21:29:02 rgb
2510 * Rearrange debug switches to change on the fly debug output from user
2511 * space. Only kernel changes checked in at this time. radij.c was also
2512 * changed to temporarily remove buggy debugging code in rj_delete causing
2513 * an OOPS and hence, netlink device open errors.
2515 * Revision 1.2 1998/04/12 22:03:19 rgb
2516 * Updated ESP-3DES-HMAC-MD5-96,
2517 * ESP-DES-HMAC-MD5-96,
2519 * AH-HMAC-SHA1-96 since Henry started freeswan cvs repository
2520 * from old standards (RFC182[5-9] to new (as of March 1998) drafts.
2522 * Fixed eroute references in /proc/net/ipsec*.
2524 * Started to patch module unloading memory leaks in ipsec_netlink and
2525 * radij tree unloading.
2527 * Revision 1.1 1998/04/09 03:05:59 henry
2528 * sources moved up from linux/net/ipsec
2530 * Revision 1.1.1.1 1998/04/08 05:35:04 henry
2531 * RGB's ipsec-0.8pre2.tar.gz ipsec-0.8
2533 * Revision 0.4 1997/01/15 01:28:15 ji
2534 * Minor cosmetic changes.
2536 * Revision 0.3 1996/11/20 14:35:48 ji
2538 * Rationalized debugging code.
2540 * Revision 0.2 1996/11/02 00:18:33 ji
2541 * First limited release.