2 * Common routines for IPSEC transformations.
3 * Copyright (C) 1996, 1997 John Ioannidis.
4 * Copyright (C) 1998, 1999, 2000, 2001 Richard Guy Briggs.
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 * RCSID $Id: ipsec_xform.c,v 1.59 2002/03/29 15:01:36 rgb Exp $
19 #include <linux/config.h>
20 #include <linux/version.h>
21 #include <linux/kernel.h> /* printk() */
23 #include "ipsec_param.h"
26 # include <linux/slab.h> /* kmalloc() */
27 #else /* MALLOC_SLAB */
28 # include <linux/malloc.h> /* kmalloc() */
29 #endif /* MALLOC_SLAB */
30 #include <linux/errno.h> /* error codes */
31 #include <linux/types.h> /* size_t */
32 #include <linux/interrupt.h> /* mark_bh */
34 #include <linux/netdevice.h> /* struct device, and other headers */
35 #include <linux/etherdevice.h> /* eth_type_trans */
36 #include <linux/ip.h> /* struct iphdr */
37 #include <linux/skbuff.h>
38 #include <linux/random.h> /* get_random_bytes() */
42 # include <linux/spinlock.h> /* *lock* */
43 # else /* SPINLOCK_23 */
44 # include <asm/spinlock.h> /* *lock* */
45 # endif /* SPINLOCK_23 */
48 # include <asm/uaccess.h>
49 # include <linux/in6.h>
51 #include <asm/checksum.h>
55 #include "ipsec_encap.h"
56 #include "ipsec_radij.h"
57 #include "ipsec_netlink.h"
58 #include "ipsec_xform.h"
59 #include "ipsec_ipe4.h"
61 #include "ipsec_esp.h"
66 #ifdef CONFIG_IPSEC_DEBUG
68 #endif /* CONFIG_IPSEC_DEBUG */
/*
 * SENDERR(err): store the negated errno value in the enclosing function's
 * `error` variable and jump to its `errlab` cleanup label.  Both `error` and
 * `errlab` must be declared by the function that uses the macro; pass a
 * positive errno constant, since the macro negates it.  The do/while(0)
 * wrapper keeps the expansion a single statement (safe in unbraced if/else).
 */
#define SENDERR(_x)		\
	do {			\
		error = -(_x);	\
		goto errlab;	\
	} while (0)
/*
 * By its name, the DES key-schedule setup routine; presumably supplied by the
 * DES library rather than by a header included here.  Both arguments are
 * caddr_t (the legacy untyped char-pointer typedef), so the compiler cannot
 * check that key and schedule are passed in the right order.
 * NOTE(review): the log below (rev 1.42, "Removed _all_ remaining traces of
 * DES") suggests this declaration may be stale — confirm it still has callers
 * before keeping it.
 */
extern int des_set_key(caddr_t, caddr_t);
/*
 * Registry of transform ids, their type flags and a printable name with no
 * spaces (log rev 1.7).  The AH entries carry XFT_AUTH, the ESP entries
 * XFT_CONF, and plain IPv4 encapsulation carries no flag.  xformswNXFORMSW
 * (below) points one past the last entry for iteration.
 * NOTE(review): presence in this table does not mean the algorithm is
 * compiled in — the log (rev 1.32) mentions a separate error code for
 * algorithms not compiled in; confirm against the CONFIG_IPSEC_* gating
 * before relying on a name here.  Single DES and the 96-bit truncated
 * HMAC-MD5 variants are legacy choices and weak by current standards.
 */
struct xformsw xformsw[] = {
{ XF_IP4, 0, "IPv4_Encapsulation"},
{ XF_AHHMACMD5, XFT_AUTH, "HMAC_MD5_Authentication"},
{ XF_AHHMACSHA1, XFT_AUTH, "HMAC_SHA-1_Authentication"},
{ XF_ESPDES, XFT_CONF, "DES_Encryption"},
{ XF_ESPDESMD596, XFT_CONF, "DES-MD5-96_Encryption"},
{ XF_ESPDESSHA196, XFT_CONF, "DES-SHA1-96_Encryption"},
{ XF_ESP3DES, XFT_CONF, "3DES_Encryption"},
{ XF_ESP3DESMD596, XFT_CONF, "3DES-MD5-96_Encryption"},
{ XF_ESP3DESSHA196, XFT_CONF, "3DES-SHA1-96_Encryption"},
{ XF_ESPNULLMD596, XFT_CONF, "NULL-MD5-96_ESP_*Plaintext*"},
{ XF_ESPNULLSHA196, XFT_CONF, "NULL-SHA1-96_ESP_*Plaintext*"},
/*
 * Hash table of SAs (tdbs), TDB_HASHMOD buckets; entries are presumably
 * chained per bucket (cf. deltdbchain() in the log) — confirm in ipsec_xform.h.
 */
struct tdb *tdbh[TDB_HASHMOD];
/*
 * Lock protecting tdbh.  NOTE(review): the log (rev 1.24, 1.47) says the
 * table is guarded by this lock and that it is taken with spin_lock_bh;
 * confirm every reader and writer of tdbh holds it, since an unlocked
 * traversal while an SA is being deleted is a use-after-free.
 */
spinlock_t tdb_lock = SPIN_LOCK_UNLOCKED;
/*
 * One-past-the-end pointer for xformsw: valid only for comparison when
 * iterating the table, never to be dereferenced.
 */
struct xformsw *xformswNXFORMSW = &xformsw[sizeof(xformsw)/sizeof(xformsw[0])];
101 for(i = 1; i < TDB_HASHMOD; i++) {
108 * $Log: ipsec_xform.c,v $
109 * Revision 1.59 2002/03/29 15:01:36 rgb
110 * Delete decommissioned code.
112 * Revision 1.58 2002/01/29 17:17:57 mcr
113 * moved include of ipsec_param.h to after include of linux/kernel.h
114 * otherwise, it seems that some option that is set in ipsec_param.h
115 * screws up something subtle in the include path to kernel.h, and
116 * it complains on the snprintf() prototype.
118 * Revision 1.57 2002/01/29 04:00:53 mcr
119 * more excise of kversions.h header.
121 * Revision 1.56 2001/11/27 05:17:22 mcr
122 * turn off the worst of the per-packet debugging.
124 * Revision 1.55 2001/11/26 09:23:50 rgb
125 * Merge MCR's ipsec_sa, eroute, proc and struct lifetime changes.
127 * Revision 1.54 2001/10/18 04:45:21 rgb
128 * 2.4.9 kernel deprecates linux/malloc.h in favour of linux/slab.h,
129 * lib/freeswan.h version macros moved to lib/kversions.h.
130 * Other compiler directive cleanups.
132 * Revision 1.53 2001/09/08 21:13:34 rgb
133 * Added pfkey ident extension support for ISAKMPd. (NetCelo)
135 * Revision 1.52 2001/06/14 19:35:11 rgb
136 * Update copyright date.
138 * Revision 1.51 2001/05/30 08:14:03 rgb
139 * Removed vestiges of esp-null transforms.
141 * Revision 1.50 2001/05/03 19:43:18 rgb
142 * Initialise error return variable.
143 * Update SENDERR macro.
144 * Fix sign of error return code for ipsec_tdbcleanup().
145 * Use more appropriate return code for ipsec_tdbwipe().
147 * Revision 1.49 2001/04/19 18:56:17 rgb
148 * Fixed tdb table locking comments.
150 * Revision 1.48 2001/02/27 22:24:55 rgb
151 * Re-formatting debug output (line-splitting, joining, 1arg/line).
152 * Check for satoa() return codes.
154 * Revision 1.47 2000/11/06 04:32:08 rgb
155 * Ditched spin_lock_irqsave in favour of spin_lock_bh.
157 * Revision 1.46 2000/09/20 16:21:57 rgb
158 * Cleaned up ident string alloc/free.
160 * Revision 1.45 2000/09/08 19:16:51 rgb
161 * Change references from DEBUG_IPSEC to CONFIG_IPSEC_DEBUG.
162 * Removed all references to CONFIG_IPSEC_PFKEYv2.
164 * Revision 1.44 2000/08/30 05:29:04 rgb
165 * Compiler-define out no longer used tdb_init() in ipsec_xform.c.
167 * Revision 1.43 2000/08/18 21:30:41 rgb
168 * Purged all tdb_spi, tdb_proto and tdb_dst macros. They are unclear.
170 * Revision 1.42 2000/08/01 14:51:51 rgb
171 * Removed _all_ remaining traces of DES.
173 * Revision 1.41 2000/07/28 14:58:31 rgb
174 * Changed kfree_s to kfree, eliminating extra arg to fix 2.4.0-test5.
176 * Revision 1.40 2000/06/28 05:50:11 rgb
177 * Actually set iv_bits.
179 * Revision 1.39 2000/05/10 23:11:09 rgb
180 * Added netlink debugging output.
181 * Added a cast to quiet down the ntohl bug.
183 * Revision 1.38 2000/05/10 19:18:42 rgb
184 * Cast output of ntohl so that the broken prototype doesn't make our
187 * Revision 1.37 2000/03/16 14:04:59 rgb
188 * Hardwired CONFIG_IPSEC_PFKEYv2 on.
190 * Revision 1.36 2000/01/26 10:11:28 rgb
191 * Fixed spacing in error text causing run-in words.
193 * Revision 1.35 2000/01/21 06:17:16 rgb
194 * Tidied up compiler directive indentation for readability.
195 * Added ictx,octx vars for simplification.(kravietz)
196 * Added macros for HMAC padding magic numbers.(kravietz)
197 * Fixed missing key length reporting bug.
198 * Fixed bug in tdbwipe to return immediately on NULL tdbp passed in.
200 * Revision 1.34 1999/12/08 00:04:19 rgb
201 * Fixed SA direction overwriting bug for netlink users.
203 * Revision 1.33 1999/12/01 22:16:44 rgb
204 * Minor formatting changes in ESP MD5 initialisation.
206 * Revision 1.32 1999/11/25 09:06:36 rgb
207 * Fixed error return messages, should be returning negative numbers.
208 * Implemented SENDERR macro for propagating error codes.
209 * Added debug message and separate error code for algorithms not compiled
212 * Revision 1.31 1999/11/23 23:06:26 rgb
213 * Sort out pfkey and freeswan headers, putting them in a library path.
215 * Revision 1.30 1999/11/18 04:09:20 rgb
216 * Replaced all kernel version macros to shorter, readable form.
218 * Revision 1.29 1999/11/17 15:53:40 rgb
219 * Changed all occurrences of #include "../../../lib/freeswan.h"
220 * to #include <freeswan.h> which works due to -Ilibfreeswan in the
221 * klips/net/ipsec/Makefile.
223 * Revision 1.28 1999/10/18 20:04:01 rgb
224 * Clean-out unused cruft.
226 * Revision 1.27 1999/10/03 19:01:03 rgb
227 * Spinlock support for 2.3.xx and 2.0.xx kernels.
229 * Revision 1.26 1999/10/01 16:22:24 rgb
230 * Switch from assignment init. to functional init. of spinlocks.
232 * Revision 1.25 1999/10/01 15:44:54 rgb
233 * Move spinlock header include to 2.1> scope.
235 * Revision 1.24 1999/10/01 00:03:46 rgb
236 * Added tdb structure locking.
237 * Minor formatting changes.
238 * Add function to initialize tdb hash table.
240 * Revision 1.23 1999/05/25 22:42:12 rgb
241 * Add deltdbchain() debugging.
243 * Revision 1.22 1999/05/25 21:24:31 rgb
244 * Add debugging statements to deltdbchain().
246 * Revision 1.21 1999/05/25 03:51:48 rgb
247 * Refix error return code.
249 * Revision 1.20 1999/05/25 03:34:07 rgb
250 * Fix error return for flush.
252 * Revision 1.19 1999/05/09 03:25:37 rgb
253 * Fix bug introduced by 2.2 quick-and-dirty patch.
255 * Revision 1.18 1999/05/05 22:02:32 rgb
256 * Add a quick and dirty port to 2.2 kernels by Marc Boucher <marc@mbsi.ca>.
258 * Revision 1.17 1999/04/29 15:20:16 rgb
259 * Change gettdb parameter to a pointer to reduce stack loading and
260 * facilitate parameter sanity checking.
261 * Add sanity checking for null pointer arguments.
262 * Add debugging instrumentation.
263 * Add function deltdbchain() which will take care of unlinking,
264 * zeroing and deleting a chain of tdbs.
265 * Add a parameter to tdbcleanup to be able to delete a class of SAs.
266 * tdbwipe now actually zeroes the tdb as well as any of its pointed
269 * Revision 1.16 1999/04/16 15:36:29 rgb
270 * Fix cut-and-paste error causing a memory leak in IPIP TDB freeing.
272 * Revision 1.15 1999/04/11 00:29:01 henry
275 * Revision 1.14 1999/04/06 04:54:28 rgb
276 * Fix/Add RCSID Id: and Log: bits to make PHMDs happy. This includes
279 * Revision 1.13 1999/02/19 18:23:01 rgb
280 * Nix debug off compile warning.
282 * Revision 1.12 1999/02/17 16:52:16 rgb
283 * Consolidate satoa()s for space and speed efficiency.
284 * Convert DEBUG_IPSEC to KLIPS_PRINT
285 * Clean out unused cruft.
286 * Ditch NET_IPIP dependency.
287 * Loop for 3des key setting.
289 * Revision 1.11 1999/01/26 02:09:05 rgb
290 * Remove ah/esp/IPIP switching on include files.
291 * Removed CONFIG_IPSEC_ALGO_SWITCH macro.
293 * Clean up debug code when switched off.
294 * Remove references to INET_GET_PROTOCOL.
295 * Added code exclusion macros to reduce code from unused algorithms.
297 * Revision 1.10 1999/01/22 06:28:55 rgb
299 * Put random IV generation in kernel.
300 * Added algorithm switch code.
301 * Enhanced debugging.
304 * Revision 1.9 1998/11/30 13:22:55 rgb
305 * Rationalised all the klips kernel file headers. They are much shorter
306 * now and won't conflict under RH5.2.
308 * Revision 1.8 1998/11/25 04:59:06 rgb
309 * Add conditionals for no IPIP tunnel code.
310 * Delete commented out code.
312 * Revision 1.7 1998/10/31 06:50:41 rgb
313 * Convert xform ASCII names to no spaces.
314 * Fixed up comments in #endif directives.
316 * Revision 1.6 1998/10/19 14:44:28 rgb
317 * Added inclusion of freeswan.h.
318 * sa_id structure implemented and used: now includes protocol.
320 * Revision 1.5 1998/10/09 04:32:19 rgb
321 * Added 'klips_debug' prefix to all klips printk debug statements.
323 * Revision 1.4 1998/08/12 00:11:31 rgb
324 * Added new xform functions to the xform table.
325 * Fixed minor debug output spelling error.
327 * Revision 1.3 1998/07/09 17:45:31 rgb
328 * Clarify algorithm not available message.
330 * Revision 1.2 1998/06/23 03:00:51 rgb
331 * Check for presence of IPIP protocol if it is setup one way (we don't
332 * know what has been set up the other way and can only assume it will be
333 * symmetrical with the exception of keys).
335 * Revision 1.1 1998/06/18 21:27:51 henry
336 * move sources from klips/src to klips/net/ipsec, to keep stupid
337 * kernel-build scripts happier in the presence of symlinks
339 * Revision 1.3 1998/06/11 05:54:59 rgb
340 * Added transform version string pointer to xformsw initialisations.
342 * Revision 1.2 1998/04/21 21:28:57 rgb
343 * Rearrange debug switches to change on the fly debug output from user
344 * space. Only kernel changes checked in at this time. radij.c was also
345 * changed to temporarily remove buggy debugging code in rj_delete causing
346 * an OOPS and hence, netlink device open errors.
348 * Revision 1.1 1998/04/09 03:06:13 henry
349 * sources moved up from linux/net/ipsec
351 * Revision 1.1.1.1 1998/04/08 05:35:02 henry
352 * RGB's ipsec-0.8pre2.tar.gz ipsec-0.8
354 * Revision 0.5 1997/06/03 04:24:48 ji
355 * Added ESP-3DES-MD5-96
357 * Revision 0.4 1997/01/15 01:28:15 ji
358 * Added new transforms.
360 * Revision 0.3 1996/11/20 14:39:04 ji
362 * Rationalized debugging code.
364 * Revision 0.2 1996/11/02 00:18:33 ji
365 * First limited release.