3 * Copyright (C) 1996, 1997 John Ioannidis.
4 * Copyright (C) 1998, 1999, 2000, 2001 Richard Guy Briggs.
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
17 char ipsec_rcv_c_version[] = "RCSID $Id: ipsec_rcv.c,v 1.2.2.1 2004/08/31 05:59:47 philipc Exp $";
19 #include <linux/config.h>
20 #include <linux/version.h>
22 #define __NO_VERSION__
23 #include <linux/module.h>
24 #include <linux/kernel.h> /* printk() */
26 #define IPSEC_KLIPS1_COMPAT 1
27 #include "ipsec_param.h"
30 # include <linux/slab.h> /* kmalloc() */
31 #else /* MALLOC_SLAB */
32 # include <linux/malloc.h> /* kmalloc() */
33 #endif /* MALLOC_SLAB */
34 #include <linux/errno.h> /* error codes */
35 #include <linux/types.h> /* size_t */
36 #include <linux/interrupt.h> /* mark_bh */
38 #include <linux/netdevice.h> /* struct device, and other headers */
39 #include <linux/etherdevice.h> /* eth_type_trans */
40 #include <linux/ip.h> /* struct iphdr */
41 #include <linux/skbuff.h>
45 # include <linux/spinlock.h> /* *lock* */
46 # else /* SPINLOCK_23 */
47 # include <asm/spinlock.h> /* *lock* */
48 # endif /* SPINLOCK_23 */
51 # include <asm/uaccess.h>
52 # include <linux/in6.h>
53 # define proto_priv cb
55 #include <asm/checksum.h>
58 #include <linux/ledman.h>
62 #include "ipsec_encap.h"
65 #include "ipsec_radij.h"
66 #include "ipsec_netlink.h"
67 #include "ipsec_xform.h"
68 #include "ipsec_tunnel.h"
69 #include "ipsec_rcv.h"
70 #if defined(CONFIG_IPSEC_ESP) || defined(CONFIG_IPSEC_AH)
71 # include "ipsec_ah.h"
72 #endif /* defined(CONFIG_IPSEC_ESP) || defined(CONFIG_IPSEC_AH) */
73 #ifdef CONFIG_IPSEC_ESP
74 # include "ipsec_esp.h"
75 #endif /* !CONFIG_IPSEC_ESP */
76 #ifdef CONFIG_IPSEC_IPCOMP
78 #endif /* CONFIG_IPSEC_COMP */
83 #include "ipsec_proto.h"
85 /* IXP425 cryptoAcc Glue Code */
86 #include "IxCryptoAcc.h"
87 #include "IxOsBuffMgt.h"
88 #include "ipsec_glue_mbuf.h"
89 #include "ipsec_glue.h"
90 #include "ipsec_glue_desc.h"
93 #define PROTO 9 /* Protocol field offset in IP Header */
94 #define MAX_RCV_TASK_IN_SOFTIRQ 384
97 spinlock_t rcv_lock = SPIN_LOCK_UNLOCKED;
99 spinlock_t rcv_lock = 0;
100 #endif /* SPINLOCK */
102 static void ipsec_rcv_next_transform (void *data);
/* Deferred-work ring between the cryptoAcc completion callback
 * (ipsec_rcv_cb) and ipsec_rcv_next_transform(), which finishes
 * decapsulation from the tq_immediate bottom half.  Each slot carries
 * one mbuf (and through it the skb and its IpsecRcvDesc).  rcvProducer
 * is the slot the callback fills next, rcvConsumer the slot the bottom
 * half drains next; both are updated under rcv_lock.
 * NOTE(review): the callback reduces rcvProducer modulo
 * MAX_RCV_TASK_IN_SOFTIRQ while its full-ring test is
 * (rcvProducer - rcvConsumer) != MAX_RCV_TASK_IN_SOFTIRQ; confirm the
 * consumer index is wrapped consistently where it is advanced. */
103 static struct tq_struct rcv_task[MAX_RCV_TASK_IN_SOFTIRQ];
104 static __u32 rcvProducer = 0;
105 static __u32 rcvConsumer = 0;
107 #ifdef CONFIG_IPSEC_NAT_TRAVERSAL
108 #include <linux/udp.h>
111 #ifdef CONFIG_IPSEC_DEBUG
115 #endif /* CONFIG_IPSEC_DEBUG */
/* sysctl knob, on by default: when non-zero ipsec_rcv_next_transform()
 * enforces inbound policy -- the packet's source address must match the
 * SA's expected source (tdb_addr_s) and the SA grouping
 * (tdb_inext / tdb_onext) must agree -- and drops packets that do not
 * comply, counting them in rx_dropped. */
117 int sysctl_ipsec_inbound_policy_check = 1;
121 * Check-replay-window routine, adapted from the original
122 * by J. Hughes, from draft-ietf-ipsec-esp-des-md5-03.txt
124 * This is a routine that implements a 64 packet window. This is intend-
125 * ed on being an implementation sample.
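/*
 * Decide whether sequence number `seq` is acceptable under the anti-replay
 * window of SA `tdbp`, WITHOUT recording it.  ipsec_updatereplaywindow()
 * is the variant that also marks the packet as seen; this one is used for
 * the early check before the transform runs.
 *
 * Returns 1 if the packet may be accepted, 0 if it must be dropped:
 * seq == 0 (counter never started or wrapped), older than the window,
 * or already seen.  A zero tdb_replaywin disables the check entirely.
 *
 * The usable window is bounded by the bit width of tdb_replaywin_bitmap.
 * Without that bound a configured tdb_replaywin wider than the bitmap
 * makes the shift below undefined behaviour and silently weakens replay
 * detection; packets beyond the bitmap's reach are instead treated as
 * too old.  NOTE(review): the declaration of tdb_replaywin_bitmap is not
 * in this file; the comment above describes a 64 packet window, so
 * confirm the bitmap is at least 64 bits wide if windows larger than 32
 * are configured, otherwise the cap below shrinks the effective window.
 */
int
ipsec_checkreplaywindow(struct ipsec_sa*tdbp, __u32 seq)
{
	__u32 diff;
	__typeof__(tdbp->tdb_replaywin_bitmap) bit;
	const __u32 bitmap_bits = 8 * sizeof(tdbp->tdb_replaywin_bitmap);
	__u32 win = tdbp->tdb_replaywin;

	if (win == 0)			/* replay protection shut off */
		return 1;
	if (seq == 0)
		return 0;		/* first == 0 or wrapped */
	if (win > bitmap_bits)
		win = bitmap_bits;	/* can only track as many packets as bitmap bits */

	/* new larger sequence number */
	if (seq > tdbp->tdb_replaywin_lastseq) {
		return 1;		/* larger is good */
	}

	diff = tdbp->tdb_replaywin_lastseq - seq;

	/* too old or wrapped */ /* if wrapped, kill off SA? */
	if (diff >= win) {
		return 0;
	}

	/* this packet already seen?  Shift in the bitmap's own width,
	 * not int's, so diff up to bitmap_bits - 1 is well defined. */
	bit = 1;
	bit <<= diff;
	if (tdbp->tdb_replaywin_bitmap & bit)
		return 0;

	return 1;			/* out of order but good */
}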
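/*
 * Accept-and-record variant of the anti-replay check for SA `tdbp`:
 * decides whether sequence number `seq` is acceptable and, if so, records
 * it in the window (tdb_replaywin_bitmap / tdb_replaywin_lastseq) so a
 * replayed copy is rejected later.  Also keeps tdb_replaywin_maxdiff, the
 * largest gap observed between consecutive accepted sequence numbers.
 *
 * Returns 1 if the packet is accepted (and now marked as seen), 0 if it
 * must be dropped: seq == 0 (counter never started or wrapped), older
 * than the window, or already seen.  The caller accounts the drop
 * (tdb_replaywin_errs).  A zero tdb_replaywin disables the check.
 *
 * The usable window is bounded by the bit width of tdb_replaywin_bitmap.
 * Without that bound a tdb_replaywin wider than the bitmap makes the
 * shifts below undefined behaviour and silently breaks replay detection;
 * packets beyond the bitmap's reach are instead treated as too old.
 * NOTE(review): the declaration of tdb_replaywin_bitmap is not in this
 * file; the comment above describes a 64 packet window, so confirm the
 * bitmap is at least 64 bits wide if windows larger than 32 are
 * configured, otherwise the cap below shrinks the effective window.
 */
int
ipsec_updatereplaywindow(struct ipsec_sa*tdbp, __u32 seq)
{
	__u32 diff;
	__typeof__(tdbp->tdb_replaywin_bitmap) bit;
	const __u32 bitmap_bits = 8 * sizeof(tdbp->tdb_replaywin_bitmap);
	__u32 win = tdbp->tdb_replaywin;

	if (win == 0)			/* replay protection shut off */
		return 1;
	if (seq == 0)
		return 0;		/* first == 0 or wrapped */
	if (win > bitmap_bits)
		win = bitmap_bits;	/* can only track as many packets as bitmap bits */

	/* new larger sequence number */
	if (seq > tdbp->tdb_replaywin_lastseq) {
		diff = seq - tdbp->tdb_replaywin_lastseq;

		if (diff < win) {
			/* In win: slide the window and set bit for this pkt */
			tdbp->tdb_replaywin_bitmap =
				(tdbp->tdb_replaywin_bitmap << diff) | 1;
		} else {
			/* This packet has way larger seq num: everything
			 * previously seen falls out of the window */
			tdbp->tdb_replaywin_bitmap = 1;
		}

		/* seq - lastseq - 1 packets were skipped in between */
		if (seq - tdbp->tdb_replaywin_lastseq - 1 > tdbp->tdb_replaywin_maxdiff) {
			tdbp->tdb_replaywin_maxdiff = seq - tdbp->tdb_replaywin_lastseq - 1;
		}
		tdbp->tdb_replaywin_lastseq = seq;
		return 1;		/* larger is good */
	}

	diff = tdbp->tdb_replaywin_lastseq - seq;

	/* too old or wrapped */ /* if wrapped, kill off SA? */
	if (diff >= win) {
		return 0;
	}

	/* this packet already seen?  Shift in the bitmap's own width,
	 * not int's, so diff up to bitmap_bits - 1 is well defined. */
	bit = 1;
	bit <<= diff;
	if (tdbp->tdb_replaywin_bitmap & bit)
		return 0;

	tdbp->tdb_replaywin_bitmap |= bit;	/* mark as seen */
	return 1;			/* out of order but good */
}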
201 /* IXP425 cryptoAcc Glue Code : ipsec_rcv_cb */
/*
 * ipsec_rcv_cb: completion callback for an inbound IXP425 cryptoAcc
 * transform (IxCryptoAcc glue).  Only the last parameter of the
 * signature is shown at this point of the file; `pSrcMbuf` is the mbuf
 * wrapping the skb under transform and `status` the accelerator's verdict.
 *
 * The IpsecRcvDesc for the packet travels in the mbuf chain pointer
 * (IX_MBUF_NEXT_PKT_IN_CHAIN_PTR).  On success the mbuf is queued on the
 * rcv_task ring so ipsec_rcv_next_transform() finishes decapsulation from
 * the tq_immediate bottom half.  On any failure, or when the ring is
 * full, the skb is detached, the descriptor is unlinked from its SA under
 * tdb_lock and released, and the packet is dropped (rx_dropped).
 *
 * NOTE(review): pRcvDesc is dereferenced on every drop path without the
 * NULL test that ipsec_rcv_next_transform() applies to the same pointer
 * ("NULL Rcv Descriptor passed in"), and pRcvDesc->tdbp likewise lacks
 * that function's "Corrupted descriptor" guard -- confirm a descriptor
 * and SA are always attached before an mbuf is handed to the accelerator,
 * or add the same guards here.
 */
206 IxCryptoAccStatus status)
209 IpsecRcvDesc *pRcvDesc = NULL;
/* A NULL source mbuf carries nothing to release or requeue. */
211 if (pSrcMbuf == NULL)
213 KLIPS_PRINT(debug_rcv,
214 "klips_debug:ipsec_rcv: "
221 case IX_CRYPTO_ACC_STATUS_SUCCESS:
222 KLIPS_PRINT(debug_rcv,
223 "klips_debug:ipsec_rcv: "
224 "transform successful.\n");
/* rcv_lock guards the ring indices.  It stays held across the drop path
 * below, which also takes tdb_lock: lock order is rcv_lock then tdb_lock. */
226 spin_lock(&rcv_lock);
/* Ring-full test.  NOTE(review): rcvProducer is reduced modulo the ring
 * size on the next line, so this difference is only meaningful if the
 * consumer index is wrapped the same way where ipsec_rcv_next_transform()
 * advances it -- confirm, since a wrong answer re-uses a tq_struct that
 * may still be linked on tq_immediate. */
228 if ((rcvProducer - rcvConsumer) != MAX_RCV_TASK_IN_SOFTIRQ)
230 rcvProducer = rcvProducer % MAX_RCV_TASK_IN_SOFTIRQ;
231 INIT_LIST_HEAD(&rcv_task[rcvProducer].list);
232 rcv_task[rcvProducer].sync = 0;
233 rcv_task[rcvProducer].routine = ipsec_rcv_next_transform;
/* The mbuf (and through it the skb and descriptor) is the task payload;
 * ownership passes to the bottom half from here. */
234 rcv_task[rcvProducer].data = (void *) pSrcMbuf;
235 queue_task(&rcv_task[rcvProducer], &tq_immediate);
237 mark_bh(IMMEDIATE_BH);
/* Ring full: the packet cannot be deferred, so it is dropped here. */
241 KLIPS_PRINT(debug_rcv,
242 "klips_debug:ipsec_rcv: "
243 "soft IRQ task queue full.\n");
245 /* Detach skb from mbuf */
246 skb = mbuf_swap_skb(pSrcMbuf, NULL);
247 /* get rcv desc from mbuf */
248 pRcvDesc = (IpsecRcvDesc *) IX_MBUF_NEXT_PKT_IN_CHAIN_PTR (pSrcMbuf);
249 ipsec_glue_mbuf_header_rel (pSrcMbuf);
253 if(pRcvDesc->stats) {
254 (pRcvDesc->stats)->rx_dropped++;
/* The descriptor is linked on its SA's list; unlink under tdb_lock
 * before releasing it. */
259 spin_lock(&tdb_lock);
260 delRcvDesc_from_salist(pRcvDesc->tdbp, pRcvDesc);
261 spin_unlock(&tdb_lock);
265 ipsec_glue_rcv_desc_release (pRcvDesc);
/* The skb was detached above, so it is freed separately from the mbuf. */
272 kfree_skb(skb, FREE_WRITE);
279 spin_unlock(&rcv_lock);
/* Authentication (ICV) failure: charge it to the SA's tdb_auth_errs
 * and drop.  Same detach / unlink / release sequence as above, but
 * without rcv_lock since nothing is queued. */
282 case IX_CRYPTO_ACC_STATUS_AUTH_FAIL:
283 /* Detach skb from mbuf */
284 skb = mbuf_swap_skb(pSrcMbuf, NULL);
285 /* get rcv desc from mbuf */
286 pRcvDesc = (IpsecRcvDesc *) IX_MBUF_NEXT_PKT_IN_CHAIN_PTR (pSrcMbuf);
287 ipsec_glue_mbuf_header_rel (pSrcMbuf);
289 KLIPS_PRINT(debug_rcv & DB_RX_INAU,
290 "klips_debug:ipsec_rcv: "
291 "auth failed on incoming packet, dropped\n");
295 if(pRcvDesc->stats) {
296 (pRcvDesc->stats)->rx_dropped++;
301 spin_lock(&tdb_lock);
302 (pRcvDesc->tdbp)->tdb_auth_errs += 1;
303 delRcvDesc_from_salist(pRcvDesc->tdbp, pRcvDesc);
304 spin_unlock(&tdb_lock);
307 ipsec_glue_rcv_desc_release (pRcvDesc);
314 kfree_skb(skb, FREE_WRITE);
/* Remaining status values (presumably the default arm; its label is not
 * shown here): the decapsulation itself failed, drop via the same path.
 * No per-SA error counter is bumped on this arm. */
321 KLIPS_PRINT(debug_rcv,
322 "klips_debug:ipsec_rcv: "
323 "decapsulation on incoming packet failed, dropped\n");
325 /* Detach skb from mbuf */
326 skb = mbuf_swap_skb(pSrcMbuf, NULL);
327 /* get rcv desc from mbuf */
328 pRcvDesc = (IpsecRcvDesc *) IX_MBUF_NEXT_PKT_IN_CHAIN_PTR (pSrcMbuf);
329 ipsec_glue_mbuf_header_rel (pSrcMbuf);
333 if(pRcvDesc->stats) {
334 (pRcvDesc->stats)->rx_dropped++;
339 spin_lock(&tdb_lock);
340 delRcvDesc_from_salist(pRcvDesc->tdbp, pRcvDesc);
341 spin_unlock(&tdb_lock);
344 ipsec_glue_rcv_desc_release (pRcvDesc);
351 kfree_skb(skb, FREE_WRITE);
357 } /* end of switch (status) */
358 } /* end of ipsec_rcv_cb () */
361 static void ipsec_rcv_next_transform (void *data)
363 struct sk_buff *skb = NULL;
364 IpsecRcvDesc *pRcvDesc = NULL;
365 IX_MBUF *pRetSrcMbuf = NULL;
370 #ifdef CONFIG_IPSEC_ESP
371 struct esp *espp = NULL;
375 char iv[ESP_IV_MAXSZ];
377 #endif /* !CONFIG_IPSEC_ESP */
378 #ifdef CONFIG_IPSEC_AH
379 struct ah *ahp = NULL;
381 #endif /* CONFIG_IPSEC_AH */
383 #ifdef CONFIG_IPSEC_IPCOMP
384 struct ipcomphdr*compp = NULL;
385 #endif /* CONFIG_IPSEC_IPCOMP */
389 struct ipsec_sa *tdbp = NULL;
394 char ipaddr_txt[ADDRTOA_BUF];
396 struct in_addr ipaddr;
397 __u8 next_header = 0;
400 int len; /* packet length */
401 int replay = 0; /* replay value in AH or ESP packet */
403 struct ipsec_sa* tdbprev = NULL; /* previous SA from outside of packet */
404 struct ipsec_sa* tdbnext = NULL; /* next SA towards inside of packet */
405 #ifdef INBOUND_POLICY_CHECK_eroute
406 struct sockaddr_encap matcher; /* eroute search key */
408 struct ipsec_sa* policy_tdb = NULL;
409 struct sa_id policy_said;
410 struct sockaddr_encap policy_eaddr;
411 struct sockaddr_encap policy_emask;
412 #endif /* INBOUND_POLICY_CHECK_eroute */
414 #ifdef CONFIG_IPSEC_NAT_TRAVERSAL
415 __u16 natt_len = 0, natt_sport = 0, natt_dport = 0;
418 __u32 auth_start_offset = 0;
419 __u32 auth_data_len = 0;
420 __u32 crypt_start_offset = 0;
421 __u32 crypt_data_len = 0;
422 __u32 icv_offset = 0;
425 pRetSrcMbuf = (IX_MBUF *) data;
427 spin_lock(&rcv_lock);
429 spin_unlock(&rcv_lock);
431 if (pRetSrcMbuf == NULL)
433 KLIPS_PRINT(debug_rcv,
434 "klips_debug:ipsec_rcv: "
435 "NULL mbuf passed in.\n");
439 /* Detach skb from mbuf */
440 skb = mbuf_swap_skb(pRetSrcMbuf, NULL);
442 /* get rcv desc from mbuf */
443 pRcvDesc = (IpsecRcvDesc *) IX_MBUF_NEXT_PKT_IN_CHAIN_PTR (pRetSrcMbuf);
445 /* release src mbuf */
446 ipsec_glue_mbuf_header_rel (pRetSrcMbuf);
448 if (pRcvDesc == NULL) {
449 KLIPS_PRINT(debug_rcv,
450 "klips_debug:ipsec_rcv: "
451 "NULL Rcv Descriptor passed in.\n");
456 KLIPS_PRINT(debug_rcv,
457 "klips_debug:ipsec_rcv: "
458 "NULL skb passed in.\n");
462 if (skb->data == NULL) {
463 KLIPS_PRINT(debug_rcv,
464 "klips_debug:ipsec_rcv: "
465 "NULL skb->data passed in, packet is bogus, dropping.\n");
469 #ifdef CONFIG_IPSEC_NAT_TRAVERSAL
470 if (skb->sk && skb->nh.iph && skb->nh.iph->protocol==IPPROTO_UDP) {
472 * Packet comes from udp_queue_rcv_skb so it is already defrag,
473 * checksum verified, ... (ie safe to use)
475 * If the packet is not for us, return -1 and udp_queue_rcv_skb
476 * will continue to handle it (do not kfree skb !!).
478 struct udp_opt *tp = &(skb->sk->tp_pinfo.af_udp);
479 struct iphdr *ip = (struct iphdr *)skb->nh.iph;
480 struct udphdr *udp = (struct udphdr *)((__u32 *)ip+ip->ihl);
481 __u8 *udpdata = (__u8 *)udp + sizeof(struct udphdr);
482 __u32 *udpdata32 = (__u32 *)udpdata;
484 natt_sport = ntohs(udp->source);
485 natt_dport = ntohs(udp->dest);
487 KLIPS_PRINT(debug_rcv,
488 "klips_debug:ipsec_rcv: "
489 "suspected ESPinUDP packet (NAT-Traversal) [%d].\n",
491 KLIPS_IP_PRINT(debug_rcv, ip);
493 if (udpdata < skb->tail) {
494 unsigned int len = skb->tail - udpdata;
495 if ((len==1) && (udpdata[0]==0xff)) {
496 KLIPS_PRINT(debug_rcv,
497 "klips_debug:ipsec_rcv: "
498 /* not IPv6 compliant message */
499 "NAT-keepalive from %d.%d.%d.%d.\n", NIPQUAD(ip->saddr));
502 else if ( (tp->esp_in_udp == ESPINUDP_WITH_NON_IKE) &&
503 (len > (2*sizeof(__u32) + sizeof(struct esp))) &&
504 (udpdata32[0]==0) && (udpdata32[1]==0) ) {
505 /* ESP Packet with Non-IKE header */
506 KLIPS_PRINT(debug_rcv,
507 "klips_debug:ipsec_rcv: "
508 "ESPinUDP pkt with Non-IKE - spi=0x%x\n",
510 natt_type = ESPINUDP_WITH_NON_IKE;
511 natt_len = sizeof(struct udphdr)+(2*sizeof(__u32));
513 else if ( (tp->esp_in_udp == ESPINUDP_WITH_NON_ESP) &&
514 (len > sizeof(struct esp)) &&
515 (udpdata32[0]!=0) ) {
516 /* ESP Packet without Non-ESP header */
517 natt_type = ESPINUDP_WITH_NON_ESP;
518 natt_len = sizeof(struct udphdr);
519 KLIPS_PRINT(debug_rcv,
520 "klips_debug:ipsec_rcv: "
521 "ESPinUDP pkt without Non-ESP - spi=0x%x\n",
525 KLIPS_PRINT(debug_rcv,
526 "klips_debug:ipsec_rcv: "
527 "IKE packet - not handled here\n");
540 /* Restore tdbp from desc */
541 tdbp = pRcvDesc->tdbp;
545 KLIPS_PRINT(debug_rcv,
546 "klips_debug:ipsec_rcv: "
547 "Corrupted descriptor, dropping.\n");
551 /* get ip header from skb */
552 ipp = (struct iphdr *)skb->data;
553 iphlen = ipp->ihl << 2;
555 ipaddr.s_addr = ipp->saddr;
556 addrtoa(ipaddr, 0, ipaddr_txt, sizeof(ipaddr_txt));
558 switch(ipp->protocol) {
559 #ifdef CONFIG_IPSEC_ESP
561 espp = (struct esp *)(skb->data + iphlen);
562 replay = ntohl(espp->esp_rpl);
563 if (!ipsec_updatereplaywindow(tdbp, replay)) {
564 spin_lock(&tdb_lock);
565 tdbp->tdb_replaywin_errs += 1;
566 delRcvDesc_from_salist(tdbp, pRcvDesc);
567 spin_unlock(&tdb_lock);
568 KLIPS_PRINT(debug_rcv & DB_RX_REPLAY,
569 "klips_debug:ipsec_rcv: "
570 "duplicate frame from %s, packet dropped\n",
572 if(pRcvDesc->stats) {
573 (pRcvDesc->stats)->rx_dropped++;
577 replay = 0; /* reset */
579 next_header = skb->data[pRcvDesc->icv_offset - 1];
580 padlen = skb->data[pRcvDesc->icv_offset - 2];
581 esphlen = sizeof(struct esp);
582 pad = padlen + 2 + (len - pRcvDesc->icv_offset);
586 KLIPS_PRINT(debug_rcv & DB_RX_IPAD,
587 "klips_debug:ipsec_rcv: "
588 "padlen=%d, contents: 0x<offset>: 0x<value> 0x<value> ...\n",
591 for (i = 1; i <= padlen; i++) {
593 KLIPS_PRINT(debug_rcv & DB_RX_IPAD,
594 "klips_debug: %02x:",
597 KLIPS_PRINTMORE(debug_rcv & DB_RX_IPAD,
599 skb->data[pRcvDesc->icv_offset - 2 - padlen + i -1]);
601 if(i != skb->data[pRcvDesc->icv_offset - 2 - padlen + i -1]) {
605 KLIPS_PRINTMORE(debug_rcv & DB_RX_IPAD,
610 KLIPS_PRINTMORE(debug_rcv & DB_RX_IPAD,
614 KLIPS_PRINT(debug_rcv & DB_RX_IPAD,
615 "klips_debug:ipsec_rcv: "
616 "warning, decrypted packet from %s has bad padding\n",
618 KLIPS_PRINT(debug_rcv & DB_RX_IPAD,
619 "klips_debug:ipsec_rcv: "
620 "...may be bad decryption -- not dropped\n");
621 spin_lock(&tdb_lock);
622 (pRcvDesc->tdbp)->tdb_encpad_errs += 1;
623 delRcvDesc_from_salist(pRcvDesc->tdbp, pRcvDesc);
624 spin_unlock(&tdb_lock);
627 KLIPS_PRINT(debug_rcv & DB_RX_IPAD,
628 "klips_debug:ipsec_rcv: "
629 "packet decrypted: next_header = %d, padding = %d\n",
631 pad - 2 - (len - pRcvDesc->icv_offset));
634 /* Discard ESP header */
635 ipp->tot_len = htons(ntohs(ipp->tot_len) - (esphlen + pRcvDesc->ivlen + pad));
636 memmove((void *)(skb->data + esphlen + pRcvDesc->ivlen),
637 (void *)(skb->data), iphlen);
638 if(skb->len < (esphlen + pRcvDesc->ivlen)) {
640 "klips_error:ipsec_rcv: "
641 "tried to skb_pull esphlen=%d, ivlen=%d, %d available. This should never happen, please report.\n",
642 esphlen, pRcvDesc->ivlen, (int)(skb->len));
643 spin_lock (&tdb_lock);
644 delRcvDesc_from_salist(tdbp, pRcvDesc);
645 spin_unlock (&tdb_lock);
648 skb_pull(skb, esphlen + pRcvDesc->ivlen);
650 KLIPS_PRINT(debug_rcv & DB_RX_PKTRX,
651 "klips_debug:ipsec_rcv: "
653 len - esphlen - pad - pRcvDesc->ivlen);
654 if(pad + esphlen + pRcvDesc->ivlen <= len) {
655 skb_trim(skb, len - esphlen - pad - pRcvDesc->ivlen);
657 KLIPS_PRINT(debug_rcv & DB_RX_PKTRX,
658 "klips_debug:ipsec_rcv: "
659 "bogus packet, size is zero or negative, dropping.\n");
660 spin_lock (&tdb_lock);
661 delRcvDesc_from_salist(tdbp, pRcvDesc);
662 spin_unlock (&tdb_lock);
667 #endif /* !CONFIG_IPSEC_ESP */
668 #ifdef CONFIG_IPSEC_AH
670 /* Restore original IP header */
671 ipp->frag_off = pRcvDesc->ip_frag_off;
672 ipp->ttl = pRcvDesc->ip_ttl;
674 ahp = (struct ah *) (skb->data + iphlen);
675 /* get AH header len */
676 ahhlen = (ahp->ah_hl << 2) +
677 ((caddr_t)&(ahp->ah_rpl) - (caddr_t)ahp);
678 replay = ntohl(ahp->ah_rpl);
679 if (!ipsec_updatereplaywindow(tdbp, replay)) {
680 spin_lock (&tdb_lock);
681 tdbp->tdb_replaywin_errs += 1;
682 delRcvDesc_from_salist(tdbp, pRcvDesc);
683 spin_unlock(&tdb_lock);
684 KLIPS_PRINT(debug_rcv & DB_RX_REPLAY,
685 "klips_debug:ipsec_rcv: "
686 "duplicate frame from %s, packet dropped\n",
688 if (pRcvDesc->stats) {
689 (pRcvDesc->stats)->rx_dropped++;
693 replay = 0; /* reset */
695 next_header = ahp->ah_nh;
697 /* DIscard AH header */
698 ipp->tot_len = htons(ntohs(ipp->tot_len) - ahhlen);
699 memmove((void *)(skb->data + ahhlen),
700 (void *)(skb->data), iphlen);
701 if(skb->len < ahhlen) {
703 "klips_error:ipsec_rcv: "
704 "tried to skb_pull ahhlen=%d, %d available. This should never happen, please report.\n",
707 spin_lock (&tdb_lock);
708 delRcvDesc_from_salist(tdbp, pRcvDesc);
709 spin_unlock (&tdb_lock);
712 skb_pull(skb, ahhlen);
714 #endif /* CONFIG_IPSEC_AH */
717 /* set next header */
718 skb->data[PROTO] = next_header; /* Update next header protocol into IP header */
728 /* skb->h.ipiph=(struct iphdr *)skb->data; */
729 skb->nh.raw = skb->data;
730 skb->h.raw = skb->nh.raw + (skb->nh.iph->ihl << 2);
732 memset(&(IPCB(skb)->opt), 0, sizeof(struct ip_options));
734 skb->h.iph=(struct iphdr *)skb->data;
735 skb->ip_hdr=(struct iphdr *)skb->data;
736 memset(skb->proto_priv, 0, sizeof(struct options));
739 ipp = (struct iphdr *)dat;
741 ipp->check = ip_fast_csum((unsigned char *)dat, iphlen >> 2);
743 KLIPS_IP_PRINT(debug_rcv & DB_RX_PKTRX, ipp);
745 skb->protocol = htons(ETH_P_IP);
749 tdbnext = tdbp->tdb_inext;
751 if(sysctl_ipsec_inbound_policy_check) {
753 if(tdbnext->tdb_onext != tdbp) {
754 if(pRcvDesc->stats) {
755 (pRcvDesc->stats)->rx_dropped++;
757 spin_lock (&tdb_lock);
758 delRcvDesc_from_salist(tdbp, pRcvDesc);
759 spin_unlock (&tdb_lock);
763 if( ipp->protocol != IPPROTO_AH
764 && ipp->protocol != IPPROTO_ESP
765 #ifdef CONFIG_IPSEC_IPCOMP
766 && ipp->protocol != IPPROTO_COMP
767 && (tdbnext->tdb_said.proto != IPPROTO_COMP
768 || (tdbnext->tdb_said.proto == IPPROTO_COMP
769 && tdbnext->tdb_inext))
770 #endif /* CONFIG_IPSEC_IPCOMP */
771 && ipp->protocol != IPPROTO_IPIP
773 if(pRcvDesc->stats) {
774 (pRcvDesc->stats)->rx_dropped++;
776 spin_lock (&tdb_lock);
777 delRcvDesc_from_salist(tdbp, pRcvDesc);
778 spin_unlock (&tdb_lock);
785 spin_lock(&tdb_lock);
787 #ifdef CONFIG_IPSEC_IPCOMP
788 /* update ipcomp ratio counters, even if no ipcomp packet is present */
790 && tdbnext->tdb_said.proto == IPPROTO_COMP
791 && ipp->protocol != IPPROTO_COMP) {
792 tdbnext->tdb_comp_ratio_cbytes += ntohs(ipp->tot_len);
793 tdbnext->tdb_comp_ratio_dbytes += ntohs(ipp->tot_len);
795 #endif /* CONFIG_IPSEC_IPCOMP */
797 tdbp->ips_life.ipl_bytes.ipl_count += len;
798 tdbp->ips_life.ipl_bytes.ipl_last = len;
800 if(!tdbp->ips_life.ipl_usetime.ipl_count) {
801 tdbp->ips_life.ipl_usetime.ipl_count = jiffies / HZ;
803 tdbp->ips_life.ipl_usetime.ipl_last = jiffies / HZ;
804 tdbp->ips_life.ipl_packets.ipl_count += 1;
806 delRcvDesc_from_salist(tdbp, pRcvDesc);
807 spin_unlock(&tdb_lock);
809 /* begin decapsulating loop here */
810 while((ipp->protocol == IPPROTO_ESP )
811 || (ipp->protocol == IPPROTO_AH )
812 #ifdef CONFIG_IPSEC_IPCOMP
813 || (ipp->protocol == IPPROTO_COMP)
814 #endif /* CONFIG_IPSEC_IPCOMP */
817 #ifdef CONFIG_IPSEC_ESP
822 #endif /* !CONFIG_IPSEC_ESP */
823 #ifdef CONFIG_IPSEC_AH
826 #endif /* CONFIG_IPSEC_AH */
827 #ifdef CONFIG_IPSEC_IPCOMP
829 #endif /* CONFIG_IPSEC_IPCOMP */
833 ipp = (struct iphdr *)skb->data;
834 proto = ipp->protocol;
835 ipaddr.s_addr = ipp->saddr;
836 addrtoa(ipaddr, 0, ipaddr_txt, sizeof(ipaddr_txt));
837 iphlen = ipp->ihl << 2;
838 ipp->check = 0; /* we know the sum is good */
840 #ifdef CONFIG_IPSEC_ESP
841 #endif /* !CONFIG_IPSEC_ESP */
844 * Find tunnel control block and (indirectly) call the
845 * appropriate tranform routine. The resulting sk_buf
846 * is a valid IP packet ready to go through input processing.
849 said.dst.s_addr = ipp->daddr;
851 #ifdef CONFIG_IPSEC_ESP
853 /* XXX this will need to be 8 for IPv6 */
854 if ((len - iphlen) % 4) {
855 printk("klips_error:ipsec_rcv: "
856 "got packet with content length = %d from %s -- should be on 4 octet boundary, packet dropped\n",
859 if(pRcvDesc->stats) {
860 (pRcvDesc->stats)->rx_errors++;
865 if(skb->len < (pRcvDesc->hard_header_len + sizeof(struct iphdr) + sizeof(struct esp))) {
866 KLIPS_PRINT(debug_rcv & DB_RX_INAU,
867 "klips_debug:ipsec_rcv: "
868 "runt esp packet of skb->len=%d received from %s, dropped.\n",
871 if(pRcvDesc->stats) {
872 (pRcvDesc->stats)->rx_errors++;
877 espp = (struct esp *)(skb->data + iphlen);
878 /* Get IV location pointer in payload - after ESP header */
879 ivp = (char *) espp + sizeof (struct esp);
880 said.spi = espp->esp_spi;
881 replay = ntohl(espp->esp_rpl);
883 #endif /* !CONFIG_IPSEC_ESP */
884 #ifdef CONFIG_IPSEC_AH
887 < (pRcvDesc->hard_header_len + sizeof(struct iphdr) + sizeof(struct ah)))
889 < (pRcvDesc->hard_header_len + sizeof(struct iphdr)
890 + ((ahp = (struct ah *) (skb->data + iphlen))->ah_hl << 2)))) {
891 KLIPS_PRINT(debug_rcv & DB_RX_INAU,
892 "klips_debug:ipsec_rcv: "
893 "runt ah packet of skb->len=%d received from %s, dropped.\n",
896 if(pRcvDesc->stats) {
897 (pRcvDesc->stats)->rx_errors++;
901 said.spi = ahp->ah_spi;
902 replay = ntohl(ahp->ah_rpl);
903 ahhlen = (ahp->ah_hl << 2) +
904 ((caddr_t)&(ahp->ah_rpl) - (caddr_t)ahp);
905 next_header = ahp->ah_nh;
906 if (ahhlen != sizeof(struct ah)) {
907 KLIPS_PRINT(debug_rcv & DB_RX_INAU,
908 "klips_debug:ipsec_rcv: "
909 "bad authenticator length %d, expected %d from %s.\n",
910 ahhlen - ((caddr_t)(ahp->ah_data) - (caddr_t)ahp),
913 if(pRcvDesc->stats) {
914 (pRcvDesc->stats)->rx_errors++;
919 #endif /* CONFIG_IPSEC_AH */
920 #ifdef CONFIG_IPSEC_IPCOMP
922 if(skb->len < (pRcvDesc->hard_header_len + sizeof(struct iphdr) + sizeof(struct ipcomphdr))) {
923 KLIPS_PRINT(debug_rcv & DB_RX_INAU,
924 "klips_debug:ipsec_rcv: "
925 "runt comp packet of skb->len=%d received from %s, dropped.\n",
928 if(pRcvDesc->stats) {
929 (pRcvDesc->stats)->rx_errors++;
934 compp = (struct ipcomphdr *)(skb->data + iphlen);
935 said.spi = htonl((__u32)ntohs(compp->ipcomp_cpi));
937 #endif /* CONFIG_IPSEC_IPCOMP */
939 if(pRcvDesc->stats) {
940 (pRcvDesc->stats)->rx_errors++;
946 sa_len = satoa(said, 0, sa, SATOA_BUF);
948 strcpy(sa, "(error)");
952 #ifdef CONFIG_IPSEC_IPCOMP
953 if (proto == IPPROTO_COMP) {
954 unsigned int flags = 0;
957 KLIPS_PRINT(debug_rcv,
958 "klips_debug:ipsec_rcv: "
959 "Incoming packet with outer IPCOMP header SA:%s: not yet supported by KLIPS, dropped\n",
960 sa_len ? sa : " (error)");
961 if(pRcvDesc->stats) {
962 (pRcvDesc->stats)->rx_dropped++;
969 spin_lock(&tdb_lock);
972 /* store current tdbp into rcv descriptor */
973 pRcvDesc->tdbp = tdbp;
975 if(sysctl_ipsec_inbound_policy_check
977 || (((ntohl(tdbp->tdb_said.spi) & 0x0000ffff)
979 /* next line is a workaround for peer
980 non-compliance with rfc2393 */
981 && (tdbp->tdb_encalg != ntohl(said.spi))
986 spin_unlock(&tdb_lock);
989 sa_len2 = satoa(tdbp->tdb_said, 0, sa2, SATOA_BUF);
992 KLIPS_PRINT(debug_rcv,
993 "klips_debug:ipsec_rcv: "
994 "Incoming packet with SA(IPCA):%s does not match policy SA(IPCA):%s cpi=%04x cpi->spi=%08x spi=%08x, spi->cpi=%04x for SA grouping, dropped.\n",
995 sa_len ? sa : " (error)",
996 tdbp ? (sa_len2 ? sa2 : " (error)") : "NULL",
997 ntohs(compp->ipcomp_cpi),
998 (__u32)ntohl(said.spi),
999 tdbp ? (__u32)ntohl((tdbp->tdb_said.spi)) : 0,
1000 tdbp ? (__u16)(ntohl(tdbp->tdb_said.spi) & 0x0000ffff) : 0);
1001 if(pRcvDesc->stats) {
1002 (pRcvDesc->stats)->rx_dropped++;
1007 next_header = compp->ipcomp_nh;
1010 addRcvDesc_to_salist(tdbp, pRcvDesc);
1011 tdbp->tdb_comp_ratio_cbytes += ntohs(ipp->tot_len);
1012 tdbnext = tdbp->tdb_inext;
1015 skb = skb_decompress(skb, tdbp, &flags);
1016 if (!skb || flags) {
1017 delRcvDesc_from_salist(tdbp, pRcvDesc);
1018 spin_unlock(&tdb_lock);
1019 KLIPS_PRINT(debug_rcv,
1020 "klips_debug:ipsec_rcv: "
1021 "skb_decompress() returned error flags=%x, dropped.\n",
1023 if (pRcvDesc->stats) {
1025 (pRcvDesc->stats)->rx_errors++;
1027 (pRcvDesc->stats)->rx_dropped++;
1038 tdbp->tdb_comp_ratio_dbytes += ntohs(ipp->tot_len);
1039 delRcvDesc_from_salist(tdbp, pRcvDesc);
1042 KLIPS_PRINT(debug_rcv,
1043 "klips_debug:ipsec_rcv: "
1044 "packet decompressed SA(IPCA):%s cpi->spi=%08x spi=%08x, spi->cpi=%04x, nh=%d.\n",
1045 sa_len ? sa : " (error)",
1046 (__u32)ntohl(said.spi),
1047 tdbp ? (__u32)ntohl((tdbp->tdb_said.spi)) : 0,
1048 tdbp ? (__u16)(ntohl(tdbp->tdb_said.spi) & 0x0000ffff) : 0,
1050 KLIPS_IP_PRINT(debug_rcv & DB_RX_PKTRX, ipp);
1052 spin_unlock(&tdb_lock);
1055 /* Skip rest of stuff and decapsulate next inner
1058 #endif /* CONFIG_IPSEC_IPCOMP */
1060 tdbp = ipsec_sa_getbyid(&said);
1061 pRcvDesc->tdbp = tdbp;
1064 KLIPS_PRINT(debug_rcv,
1065 "klips_debug:ipsec_rcv: "
1066 "no Tunnel Descriptor Block for SA:%s: incoming packet with no SA dropped\n",
1067 sa_len ? sa : " (error)");
1068 if(pRcvDesc->stats) {
1069 (pRcvDesc->stats)->rx_dropped++;
1074 spin_lock(&tdb_lock);
1075 addRcvDesc_to_salist(tdbp, pRcvDesc);
1077 #ifdef CONFIG_IPSEC_NAT_TRAVERSAL
1079 ( (ipp->saddr != (((struct sockaddr_in*)(tdbp->tdb_addr_s))->sin_addr.s_addr)) ||
1080 (natt_sport != tdbp->ips_natt_sport)
1082 struct sockaddr sipaddr;
1083 /** Advertise NAT-T addr change to pluto **/
1084 sipaddr.sa_family = AF_INET;
1085 ((struct sockaddr_in*)&sipaddr)->sin_addr.s_addr = ipp->saddr;
1086 ((struct sockaddr_in*)&sipaddr)->sin_port = htons(natt_sport);
1087 pfkey_nat_t_new_mapping(tdbp, &sipaddr, natt_sport);
1089 * Then allow or block packet depending on
1090 * sysctl_ipsec_inbound_policy_check.
1092 * In all cases, pluto will update SA if new mapping is
1095 if (sysctl_ipsec_inbound_policy_check) {
1096 spin_unlock(&tdb_lock);
1097 ipaddr.s_addr = ipp->saddr;
1098 addrtoa(ipaddr, 0, ipaddr_txt, sizeof(ipaddr_txt));
1099 KLIPS_PRINT(debug_rcv,
1100 "klips_debug:ipsec_rcv: "
1101 "SA:%s, src=%s:%u of pkt does not agree with expected "
1102 "SA source address policy (pluto has been informed).\n",
1103 sa_len ? sa : " (error)",
1104 ipaddr_txt, natt_sport);
1105 if(pRcvDesc->stats) {
1106 pRcvDesc->stats->rx_dropped++;
1113 if(sysctl_ipsec_inbound_policy_check) {
1114 if(ipp->saddr != ((struct sockaddr_in*)(tdbp->tdb_addr_s))->sin_addr.s_addr) {
1115 delRcvDesc_from_salist(tdbp, pRcvDesc);
1116 spin_unlock(&tdb_lock);
1117 ipaddr.s_addr = ipp->saddr;
1118 addrtoa(ipaddr, 0, ipaddr_txt, sizeof(ipaddr_txt));
1120 KLIPS_PRINT(debug_rcv,
1121 "klips_debug:ipsec_rcv: "
1122 "SA:%s, src=%s of pkt does not agree with expected SA source address policy.\n",
1123 sa_len ? sa : " (error)",
1125 if(pRcvDesc->stats) {
1126 (pRcvDesc->stats)->rx_dropped++;
1131 ipaddr.s_addr = ipp->saddr;
1132 addrtoa(ipaddr, 0, ipaddr_txt, sizeof(ipaddr_txt));
1133 KLIPS_PRINT(debug_rcv,
1134 "klips_debug:ipsec_rcv: "
1135 "SA:%s, src=%s of pkt agrees with expected SA source address policy.\n",
1136 sa_len ? sa : " (error)",
1139 if(tdbnext != tdbp) {
1140 delRcvDesc_from_salist(tdbp, pRcvDesc);
1141 spin_unlock(&tdb_lock);
1142 KLIPS_PRINT(debug_rcv,
1143 "klips_debug:ipsec_rcv: "
1144 "unexpected SA:%s: does not agree with tdb->inext policy, dropped\n",
1145 sa_len ? sa : " (error)");
1146 if(pRcvDesc->stats) {
1147 (pRcvDesc->stats)->rx_dropped++;
1151 KLIPS_PRINT(debug_rcv,
1152 "klips_debug:ipsec_rcv: "
1153 "SA:%s grouping from previous SA is OK.\n",
1154 sa_len ? sa : " (error)");
1156 KLIPS_PRINT(debug_rcv,
1157 "klips_debug:ipsec_rcv: "
1158 "SA:%s First SA in group.\n",
1159 sa_len ? sa : " (error)");
1162 if(tdbp->tdb_onext) {
1163 if(tdbprev != tdbp->tdb_onext) {
1164 delRcvDesc_from_salist(tdbp, pRcvDesc);
1165 spin_unlock(&tdb_lock);
1166 KLIPS_PRINT(debug_rcv,
1167 "klips_debug:ipsec_rcv: "
1168 "unexpected SA:%s: does not agree with tdb->onext policy, dropped.\n",
1169 sa_len ? sa : " (error)");
1170 if(pRcvDesc->stats) {
1171 (pRcvDesc->stats)->rx_dropped++;
1175 KLIPS_PRINT(debug_rcv,
1176 "klips_debug:ipsec_rcv: "
1177 "SA:%s grouping to previous SA is OK.\n",
1178 sa_len ? sa : " (error)");
1181 KLIPS_PRINT(debug_rcv,
1182 "klips_debug:ipsec_rcv: "
1183 "SA:%s No previous backlink in group.\n",
1184 sa_len ? sa : " (error)");
1186 #ifdef CONFIG_IPSEC_NAT_TRAVERSAL
1187 KLIPS_PRINT(debug_rcv,
1188 "klips_debug:ipsec_rcv: "
1189 "natt_type=%u tdbp->ips_natt_type=%u : %s\n",
1190 natt_type, tdbp->ips_natt_type,
1191 (natt_type==tdbp->ips_natt_type)?"ok":"bad");
1192 if (natt_type != tdbp->ips_natt_type) {
1193 spin_unlock(&tdb_lock);
1194 KLIPS_PRINT(debug_rcv,
1195 "klips_debug:ipsec_rcv: "
1196 "SA:%s does not agree with expected NAT-T policy.\n",
1197 sa_len ? sa : " (error)");
1198 if(pRcvDesc->stats) {
1199 pRcvDesc->stats->rx_dropped++;
1206 /* If it is in larval state, drop the packet, we cannot process yet. */
1207 if(tdbp->ips_state == SADB_SASTATE_LARVAL) {
1208 delRcvDesc_from_salist(tdbp, pRcvDesc);
1209 spin_unlock(&tdb_lock);
1210 KLIPS_PRINT(debug_rcv,
1211 "klips_debug:ipsec_rcv: "
1212 "TDB in larval state, cannot be used yet, dropping packet.\n");
1213 if(pRcvDesc->stats) {
1214 (pRcvDesc->stats)->rx_dropped++;
1219 if(tdbp->ips_state == SADB_SASTATE_DEAD) {
1220 delRcvDesc_from_salist(tdbp, pRcvDesc);
1221 KLIPS_PRINT(debug_rcv,
1222 "klips_debug:ipsec_rcv: "
1223 "TDB in dead state, cannot be used any more, dropping packet.\n");
1224 if(pRcvDesc->stats) {
1225 (pRcvDesc->stats)->rx_dropped++;
1227 if(tdbp->ips_teardown_initiated == 1)
1228 ipsec_sa_delchain(tdbp);
1229 spin_unlock(&tdb_lock);
1233 if(ipsec_lifetime_check(&tdbp->ips_life.ipl_bytes, "bytes", sa,
1234 ipsec_life_countbased, ipsec_incoming, tdbp) == ipsec_life_harddied ||
1235 ipsec_lifetime_check(&tdbp->ips_life.ipl_addtime, "addtime",sa,
1236 ipsec_life_timebased, ipsec_incoming, tdbp) == ipsec_life_harddied ||
1237 ipsec_lifetime_check(&tdbp->ips_life.ipl_addtime, "usetime",sa,
1238 ipsec_life_timebased, ipsec_incoming, tdbp) == ipsec_life_harddied ||
1239 ipsec_lifetime_check(&tdbp->ips_life.ipl_packets, "packets",sa,
1240 ipsec_life_countbased, ipsec_incoming, tdbp) == ipsec_life_harddied){
1241 delRcvDesc_from_salist(tdbp, pRcvDesc);
1242 ipsec_sa_delchain(tdbp);
1243 spin_unlock(&tdb_lock);
1244 if(pRcvDesc->stats) {
1245 (pRcvDesc->stats)->rx_dropped++;
1250 if (!ipsec_checkreplaywindow(tdbp, replay)) {
1251 tdbp->tdb_replaywin_errs += 1;
1252 delRcvDesc_from_salist(tdbp, pRcvDesc);
1253 spin_unlock(&tdb_lock);
1254 KLIPS_PRINT(debug_rcv & DB_RX_REPLAY,
1255 "klips_debug:ipsec_rcv: "
1256 "duplicate frame from %s, packet dropped\n",
1258 if(pRcvDesc->stats) {
1259 (pRcvDesc->stats)->rx_dropped++;
1264 KLIPS_PRINT(debug_rcv,
1265 "klips_debug:ipsec_rcv: "
1266 "encalg = %d, authalg = %d.\n",
1270 /* If the sequence number == 0, expire SA, it had rolled */
1271 if(tdbp->tdb_replaywin && !replay /* !tdbp->tdb_replaywin_lastseq */) {
1272 delRcvDesc_from_salist(tdbp, pRcvDesc);
1273 ipsec_sa_delchain(tdbp);
1274 spin_unlock(&tdb_lock);
1275 KLIPS_PRINT(debug_rcv,
1276 "klips_debug:ipsec_rcv: "
1277 "replay window counter rolled, expiring SA.\n");
1278 if(pRcvDesc->stats) {
1279 (pRcvDesc->stats)->rx_dropped++;
1284 spin_unlock(&tdb_lock);
1287 switch(tdbp->tdb_authalg) {
1288 #ifdef CONFIG_IPSEC_AUTH_HMAC_MD5
1290 authlen = AHHMAC_HASHLEN;
1292 #endif /* CONFIG_IPSEC_AUTH_HMAC_MD5 */
1293 #ifdef CONFIG_IPSEC_AUTH_HMAC_SHA1
1295 authlen = AHHMAC_HASHLEN;
1297 #endif /* CONFIG_IPSEC_AUTH_HMAC_SHA1 */
1302 spin_lock(&tdb_lock);
1303 delRcvDesc_from_salist(tdbp, pRcvDesc);
1304 tdbp->tdb_alg_errs += 1;
1305 spin_unlock(&tdb_lock);
1306 if(pRcvDesc->stats) {
1307 (pRcvDesc->stats)->rx_errors++;
1312 #ifdef CONFIG_IPSEC_ESP
1313 KLIPS_PRINT(proto == IPPROTO_ESP && debug_rcv,
1314 "klips_debug:ipsec_rcv: "
1315 "packet from %s received with seq=%d (iv)=0x%08x%08x%8x%8x iplen=%d esplen=%d sa=%s\n",
1317 (__u32)ntohl(espp->esp_rpl),
1318 (__u32)ntohl(*((__u32 *)(ivp) )),
1319 (__u32)ntohl(*((__u32 *)(ivp) + 1)),
1320 (__u32)ntohl(*((__u32 *)(ivp) + 2)),
1321 (__u32)ntohl(*((__u32 *)(ivp) + 3)),
1324 sa_len ? sa : " (error)");
1325 #endif /* !CONFIG_IPSEC_ESP */
1328 #ifdef CONFIG_IPSEC_ESP
1332 -------------------------------------------------
1333 IPv4 |orig IP hdr | ESP | | | ESP | ESP|
1334 |(any options)| Hdr | TCP | Data | Trailer |Auth|
1335 -------------------------------------------------
1336 |<----- encrypted ---->|
1337 |<------ authenticated ----->|
1340 esphlen = sizeof(struct esp);
1341 ivlen = tdbp->ips_iv_size;
1342 /* Keep IV length in descriptor for callback use */
1343 pRcvDesc->ivlen = ivlen;
1344 auth_start_offset = iphlen;
1345 auth_data_len = len - iphlen - authlen;
1346 icv_offset = len - authlen;
1347 crypt_start_offset = iphlen + esphlen + ivlen; /* IV is not included as payload for encryption */
1348 crypt_data_len = len - iphlen - authlen - esphlen - ivlen;
1350 if ((crypt_data_len) % 8) {
1351 spin_lock(&tdb_lock);
1352 delRcvDesc_from_salist(tdbp, pRcvDesc);
1353 tdbp->tdb_encsize_errs += 1;
1354 spin_unlock(&tdb_lock);
1355 if(pRcvDesc->stats) {
1356 (pRcvDesc->stats)->rx_errors++;
1361 switch(tdbp->tdb_encalg) {
1362 # ifdef CONFIG_IPSEC_ENC_DES
1364 memcpy (iv, ivp, ivlen);
1366 # endif /* CONFIG_IPSEC_ENC_DES */
1367 #ifdef CONFIG_IPSEC_ENC_3DES
1369 memcpy (iv, ivp, ivlen);
1371 #endif /* CONFIG_IPSEC_ENC_3DES */
1372 #ifdef CONFIG_IPSEC_ALG
1374 memcpy (iv, ivp, ivlen);
1376 #endif /* CONFIG_IPSEC_ALG */
1378 spin_lock(&tdb_lock);
1379 delRcvDesc_from_salist(tdbp, pRcvDesc);
1380 tdbp->tdb_alg_errs += 1;
1381 spin_unlock(&tdb_lock);
1382 if(pRcvDesc->stats) {
1383 (pRcvDesc->stats)->rx_errors++;
1388 #endif /* !CONFIG_IPSEC_ESP */
1389 #ifdef CONFIG_IPSEC_AH
1393 ---------------------------------
1394 IPv4 |orig IP hdr | | | |
1395 |(any options)| AH | TCP | Data |
1396 ---------------------------------
1397 |<------- authenticated ------->|
1398 except for mutable fields
1401 auth_start_offset = 0; /* start at the beginning */
1402 auth_data_len = len;
1403 icv_offset = iphlen + AUTH_DATA_IN_AH_OFFSET;
1405 /* IXP425 glue code : mutable field, need to keep a copy of original IP header and
1406 restore the original IP header after callback received.
1407 Modify the mutable fields in header*/
1408 pRcvDesc->ip_frag_off = ipp->frag_off;
1409 pRcvDesc->ip_ttl = ipp->ttl;
1414 #endif /* CONFIG_IPSEC_AH */
1417 if(auth_data_len <= 0) {
1418 spin_lock (&tdb_lock);
1419 delRcvDesc_from_salist(tdbp, pRcvDesc);
1420 spin_unlock (&tdb_lock);
1421 KLIPS_PRINT(debug_rcv,
1422 "klips_debug:ipsec_rcv: "
1423 "runt AH packet with no data, dropping.\n");
1424 if(pRcvDesc->stats) {
1425 (pRcvDesc->stats)->rx_dropped++;
1430 /* IXP425 glue code */
1431 #if defined(CONFIG_IPSEC_AH) || defined(CONFIG_IPSEC_ESP)
1432 if ((proto == IPPROTO_AH) || (proto == IPPROTO_ESP))
1434 /* store ICV_offset */
1435 pRcvDesc->icv_offset = icv_offset;
1438 if(IPSEC_GLUE_STATUS_SUCCESS != ipsec_glue_mbuf_header_get(&src_mbuf))
1440 KLIPS_PRINT(debug_rcv,
1441 "klips_debug:ipsec_rcv: "
1442 "running out of mbufs, dropped\n");
1443 spin_lock (&tdb_lock);
1444 delRcvDesc_from_salist(tdbp, pRcvDesc);
1445 spin_unlock (&tdb_lock);
1446 if(pRcvDesc->stats) {
1447 (pRcvDesc->stats)->rx_dropped++;
1452 /* attach mbuf to sk_buff */
1453 mbuf_swap_skb(src_mbuf, skb);
1455 /* store rcv desc in mbuf */
1456 (IpsecRcvDesc *) IX_MBUF_NEXT_PKT_IN_CHAIN_PTR (src_mbuf) = pRcvDesc;
1458 /* call crypto perform */
1459 if (IX_CRYPTO_ACC_STATUS_SUCCESS != ixCryptoAccAuthCryptPerform (
1460 tdbp->ips_crypto_context_id,
1470 spin_lock(&tdb_lock);
1471 delRcvDesc_from_salist(tdbp, pRcvDesc);
1472 spin_unlock(&tdb_lock);
1473 KLIPS_PRINT(debug_rcv,
1474 "klips_debug:ipsec_rcv: "
1475 "warning, decrapsulation packet from %s cannot be started\n",
1478 ipsec_glue_mbuf_header_rel(src_mbuf);
1480 if(pRcvDesc->stats) {
1481 (pRcvDesc->stats)->rx_dropped++;
1486 } /* end of if ((proto == IPPROTO_AH) || (proto == IPPROTO_ESP))*/
1487 #endif /* defined(CONFIG_IPSEC_AH) || defined(CONFIG_IPSEC_ESP)*/
1489 /* set next header */
1490 skb->data[PROTO] = next_header;
1500 /* skb->h.ipiph=(struct iphdr *)skb->data; */
1501 skb->nh.raw = skb->data;
1502 skb->h.raw = skb->nh.raw + (skb->nh.iph->ihl << 2);
1504 memset(&(IPCB(skb)->opt), 0, sizeof(struct ip_options));
1506 skb->h.iph=(struct iphdr *)skb->data;
1507 skb->ip_hdr=(struct iphdr *)skb->data;
1508 memset(skb->proto_priv, 0, sizeof(struct options));
1511 ipp = (struct iphdr *)dat;
1513 ipp->check = ip_fast_csum((unsigned char *)dat, iphlen >> 2);
1515 KLIPS_PRINT(debug_rcv & DB_RX_PKTRX,
1516 "klips_debug:ipsec_rcv: "
1517 "after <%s%s%s>, SA:%s:\n",
1518 IPS_XFORM_NAME(tdbp),
1519 sa_len ? sa : " (error)");
1520 KLIPS_IP_PRINT(debug_rcv & DB_RX_PKTRX, ipp);
1522 skb->protocol = htons(ETH_P_IP);
1526 tdbnext = tdbp->tdb_inext;
1528 spin_lock (&tdb_lock);
1530 if(sysctl_ipsec_inbound_policy_check) {
1532 if(tdbnext->tdb_onext != tdbp) {
1533 delRcvDesc_from_salist(tdbp, pRcvDesc);
1534 spin_unlock(&tdb_lock);
1535 KLIPS_PRINT(debug_rcv,
1536 "klips_debug:ipsec_rcv: "
1537 "SA:%s, backpolicy does not agree with fwdpolicy.\n",
1538 sa_len ? sa : " (error)");
1539 if(pRcvDesc->stats) {
1540 (pRcvDesc->stats)->rx_dropped++;
1544 KLIPS_PRINT(debug_rcv,
1545 "klips_debug:ipsec_rcv: "
1546 "SA:%s, backpolicy agrees with fwdpolicy.\n",
1547 sa_len ? sa : " (error)");
1549 #ifdef CONFIG_IPSEC_IPCOMP
1550 ipp->protocol != IPPROTO_COMP
1551 && (tdbnext->tdb_said.proto != IPPROTO_COMP
1552 || (tdbnext->tdb_said.proto == IPPROTO_COMP
1553 && tdbnext->tdb_inext))
1554 #endif /* CONFIG_IPSEC_IPCOMP */
1555 && ipp->protocol != IPPROTO_IPIP
1557 delRcvDesc_from_salist(tdbp, pRcvDesc);
1558 spin_unlock(&tdb_lock);
1559 KLIPS_PRINT(debug_rcv,
1560 "klips_debug:ipsec_rcv: "
1561 "packet with incomplete policy dropped, last successful SA:%s.\n",
1562 sa_len ? sa : " (error)");
1563 if(pRcvDesc->stats) {
1564 (pRcvDesc->stats)->rx_dropped++;
1568 KLIPS_PRINT(debug_rcv,
1569 "klips_debug:ipsec_rcv: "
1570 "SA:%s, Another IPSEC header to process.\n",
1571 sa_len ? sa : " (error)");
1573 KLIPS_PRINT(debug_rcv,
1574 "klips_debug:ipsec_rcv: "
1575 "No tdb_inext from this SA:%s.\n",
1576 sa_len ? sa : " (error)");
1577 } /* end of if(tdbnext)*/
1578 } /* end of if(sysctl_ipsec_inbound_policy_check) */
1580 #ifdef CONFIG_IPSEC_IPCOMP
1581 /* update ipcomp ratio counters, even if no ipcomp packet is present */
1583 && tdbnext->tdb_said.proto == IPPROTO_COMP
1584 && ipp->protocol != IPPROTO_COMP) {
1585 tdbnext->tdb_comp_ratio_cbytes += ntohs(ipp->tot_len);
1586 tdbnext->tdb_comp_ratio_dbytes += ntohs(ipp->tot_len);
1588 #endif /* CONFIG_IPSEC_IPCOMP */
1590 tdbp->ips_life.ipl_bytes.ipl_count += len;
1591 tdbp->ips_life.ipl_bytes.ipl_last = len;
1593 if(!tdbp->ips_life.ipl_usetime.ipl_count) {
1594 tdbp->ips_life.ipl_usetime.ipl_count = jiffies / HZ;
1596 tdbp->ips_life.ipl_usetime.ipl_last = jiffies / HZ;
1597 tdbp->ips_life.ipl_packets.ipl_count += 1;
1598 delRcvDesc_from_salist(tdbp, pRcvDesc);
1599 spin_unlock(&tdb_lock);
1600 } /* end decapsulation loop here */
1602 spin_lock(&tdb_lock);
1603 addRcvDesc_to_salist(tdbp, pRcvDesc);
1605 #ifdef CONFIG_IPSEC_IPCOMP
1606 if(tdbnext && tdbnext->tdb_said.proto == IPPROTO_COMP) {
1608 delRcvDesc_from_salist(tdbp, pRcvDesc);
1610 pRcvDesc->tdbp = tdbp;
1611 addRcvDesc_to_salist(tdbp, pRcvDesc);
1612 tdbnext = tdbp->tdb_inext;
1614 #endif /* CONFIG_IPSEC_IPCOMP */
1616 #ifdef CONFIG_IPSEC_NAT_TRAVERSAL
1617 if ((natt_type) && (ipp->protocol != IPPROTO_IPIP)) {
1619 * NAT-Traversal and Transport Mode:
1620 * we need to correct TCP/UDP checksum
1622 * If we've got NAT-OA, we can fix checksum without recalculation.
1624 __u32 natt_oa = tdbp->ips_natt_oa ?
1625 ((struct sockaddr_in*)(tdbp->ips_natt_oa))->sin_addr.s_addr : 0;
1626 __u16 pkt_len = skb->tail - (unsigned char *)ipp;
1627 __u16 data_len = pkt_len - (ipp->ihl << 2);
1629 switch (ipp->protocol) {
1631 if (data_len >= sizeof(struct tcphdr)) {
1632 struct tcphdr *tcp = (struct tcphdr *)((__u32 *)ipp+ipp->ihl);
1634 __u32 buff[2] = { ~natt_oa, ipp->saddr };
1635 KLIPS_PRINT(debug_rcv,
1636 "klips_debug:ipsec_rcv: "
1637 "NAT-T & TRANSPORT: "
1638 "fix TCP checksum using NAT-OA\n");
1639 tcp->check = csum_fold(
1640 csum_partial((unsigned char *)buff, sizeof(buff),
1641 tcp->check^0xffff));
1644 KLIPS_PRINT(debug_rcv,
1645 "klips_debug:ipsec_rcv: "
1646 "NAT-T & TRANSPORT: recalc TCP checksum\n");
1647 if (pkt_len > (ntohs(ipp->tot_len)))
1648 data_len -= (pkt_len - ntohs(ipp->tot_len));
1650 tcp->check = csum_tcpudp_magic(ipp->saddr, ipp->daddr,
1651 data_len, IPPROTO_TCP,
1652 csum_partial((unsigned char *)tcp, data_len, 0));
1656 KLIPS_PRINT(debug_rcv,
1657 "klips_debug:ipsec_rcv: "
1658 "NAT-T & TRANSPORT: can't fix TCP checksum\n");
1662 if (data_len >= sizeof(struct udphdr)) {
1663 struct udphdr *udp = (struct udphdr *)((__u32 *)ipp+ipp->ihl);
1664 if (udp->check == 0) {
1665 KLIPS_PRINT(debug_rcv,
1666 "klips_debug:ipsec_rcv: "
1667 "NAT-T & TRANSPORT: UDP checksum already 0\n");
1670 __u32 buff[2] = { ~natt_oa, ipp->saddr };
1671 KLIPS_PRINT(debug_rcv,
1672 "klips_debug:ipsec_rcv: "
1673 "NAT-T & TRANSPORT: "
1674 "fix UDP checksum using NAT-OA\n");
1675 udp->check = csum_fold(
1676 csum_partial((unsigned char *)buff, sizeof(buff),
1677 udp->check^0xffff));
1680 KLIPS_PRINT(debug_rcv,
1681 "klips_debug:ipsec_rcv: "
1682 "NAT-T & TRANSPORT: zero UDP checksum\n");
1687 KLIPS_PRINT(debug_rcv,
1688 "klips_debug:ipsec_rcv: "
1689 "NAT-T & TRANSPORT: can't fix UDP checksum\n");
1693 KLIPS_PRINT(debug_rcv,
1694 "klips_debug:ipsec_rcv: "
1695 "NAT-T & TRANSPORT: non TCP/UDP packet -- do nothing\n");
1702 * XXX this needs to be locked from when it was first looked
1703 * up in the decapsulation loop. Perhaps it is better to put
1704 * the IPIP decap inside the loop.
1707 delRcvDesc_from_salist(tdbp, pRcvDesc);
1709 addRcvDesc_to_salist(tdbp, pRcvDesc);
1710 pRcvDesc->tdbp = tdbp;
1713 #ifdef CONFIG_IPSEC_DEBUG
1714 sa_len = satoa(tdbp->tdb_said, 0, sa, SATOA_BUF);
1715 #endif /* CONFIG_IPSEC_DEBUG */
1716 if(ipp->protocol != IPPROTO_IPIP) {
1717 delRcvDesc_from_salist(tdbp, pRcvDesc);
1718 spin_unlock(&tdb_lock);
1719 KLIPS_PRINT(debug_rcv,
1720 "klips_debug:ipsec_rcv: "
1721 "SA:%s, Hey! How did this get through? Dropped.\n",
1722 sa_len ? sa : " (error)");
1723 if(pRcvDesc->stats) {
1724 (pRcvDesc->stats)->rx_dropped++;
1728 if(sysctl_ipsec_inbound_policy_check) {
1729 tdbnext = tdbp->tdb_inext;
1731 char sa2[SATOA_BUF];
1733 sa_len2 = satoa(tdbnext->tdb_said, 0, sa2, SATOA_BUF);
1734 delRcvDesc_from_salist(tdbp, pRcvDesc);
1735 spin_unlock(&tdb_lock);
1736 KLIPS_PRINT(debug_rcv,
1737 "klips_debug:ipsec_rcv: "
1738 "unexpected SA:%s after IPIP SA:%s\n",
1739 sa_len2 ? sa2 : " (error)",
1740 sa_len ? sa : " (error)");
1741 if(pRcvDesc->stats) {
1742 (pRcvDesc->stats)->rx_dropped++;
1746 if(ipp->saddr != ((struct sockaddr_in*)(tdbp->tdb_addr_s))->sin_addr.s_addr) {
1747 delRcvDesc_from_salist(tdbp, pRcvDesc);
1748 spin_unlock(&tdb_lock);
1749 ipaddr.s_addr = ipp->saddr;
1750 addrtoa(ipaddr, 0, ipaddr_txt, sizeof(ipaddr_txt));
1751 KLIPS_PRINT(debug_rcv,
1752 "klips_debug:ipsec_rcv: "
1753 "SA:%s, src=%s of pkt does not agree with expected SA source address policy.\n",
1754 sa_len ? sa : " (error)",
1756 if(pRcvDesc->stats) {
1757 (pRcvDesc->stats)->rx_dropped++;
1761 } /* end of if(sysctl_ipsec_inbound_policy_check) */
1764 * XXX this needs to be locked from when it was first looked
1765 * up in the decapsulation loop. Perhaps it is better to put
1766 * the IPIP decap inside the loop.
1768 tdbp->ips_life.ipl_bytes.ipl_count += len;
1769 tdbp->ips_life.ipl_bytes.ipl_last = len;
1771 if(!tdbp->ips_life.ipl_usetime.ipl_count) {
1772 tdbp->ips_life.ipl_usetime.ipl_count = jiffies / HZ;
1774 tdbp->ips_life.ipl_usetime.ipl_last = jiffies / HZ;
1775 tdbp->ips_life.ipl_packets.ipl_count += 1;
1777 if(skb->len < iphlen) {
1778 printk(KERN_WARNING "klips_debug:ipsec_rcv: "
1779 "tried to skb_pull iphlen=%d, %d available. This should never happen, please report.\n",
1783 delRcvDesc_from_salist(tdbp, pRcvDesc);
1784 spin_unlock (&tdb_lock);
1787 skb_pull(skb, iphlen);
1790 ipp = (struct iphdr *)skb->nh.raw = skb->data;
1791 skb->h.raw = skb->nh.raw + (skb->nh.iph->ihl << 2);
1793 memset(&(IPCB(skb)->opt), 0, sizeof(struct ip_options));
1795 ipp = skb->ip_hdr = skb->h.iph = (struct iphdr *)skb->data;
1797 memset(skb->proto_priv, 0, sizeof(struct options));
1800 skb->protocol = htons(ETH_P_IP);
1802 KLIPS_PRINT(debug_rcv & DB_RX_PKTRX,
1803 "klips_debug:ipsec_rcv: "
1804 "IPIP tunnel stripped.\n");
1805 KLIPS_IP_PRINT(debug_rcv & DB_RX_PKTRX, ipp);
1807 if(sysctl_ipsec_inbound_policy_check
1809 Note: "xor" (^) logically replaces "not equal"
1810 (!=) and "bitwise or" (|) logically replaces
1811 "boolean or" (||). This is done to speed up
1812 execution by doing only bitwise operations and
1813 no branch operations
1815 && (((ipp->saddr & tdbp->tdb_mask_s.u.v4.sin_addr.s_addr)
1816 ^ tdbp->tdb_flow_s.u.v4.sin_addr.s_addr)
1817 | ((ipp->daddr & tdbp->tdb_mask_d.u.v4.sin_addr.s_addr)
1818 ^ tdbp->tdb_flow_d.u.v4.sin_addr.s_addr)) )
1820 struct in_addr daddr, saddr;
1821 char saddr_txt[ADDRTOA_BUF], daddr_txt[ADDRTOA_BUF];
1822 char sflow_txt[SUBNETTOA_BUF], dflow_txt[SUBNETTOA_BUF];
1824 subnettoa(tdbp->tdb_flow_s.u.v4.sin_addr,
1825 tdbp->tdb_mask_s.u.v4.sin_addr,
1826 0, sflow_txt, sizeof(sflow_txt));
1827 subnettoa(tdbp->tdb_flow_d.u.v4.sin_addr,
1828 tdbp->tdb_mask_d.u.v4.sin_addr,
1829 0, dflow_txt, sizeof(dflow_txt));
1830 saddr.s_addr = ipp->saddr;
1831 daddr.s_addr = ipp->daddr;
1832 addrtoa(saddr, 0, saddr_txt, sizeof(saddr_txt));
1833 addrtoa(daddr, 0, daddr_txt, sizeof(daddr_txt));
1834 KLIPS_PRINT(debug_rcv,
1835 "klips_debug:ipsec_rcv: "
1836 "SA:%s, inner tunnel policy [%s -> %s] does not agree with pkt contents [%s -> %s].\n",
1837 sa_len ? sa : " (error)",
1842 if(pRcvDesc->stats) {
1843 (pRcvDesc->stats)->rx_dropped++;
1845 delRcvDesc_from_salist(tdbp, pRcvDesc);
1846 spin_unlock (&tdb_lock);
1849 } /* end of if(tdbnext) */
1851 delRcvDesc_from_salist(tdbp, pRcvDesc);
1852 spin_unlock(&tdb_lock);
1855 #ifdef INBOUND_POLICY_CHECK_eroute
1857 Do *not* enable this without thoroughly checking spinlock issues
1858 first. In particular, nesting an eroute spinlock within a tdb
1859 spinlock could result in a deadlock. (Well, only on a SMP machine
1864 * First things first -- look us up in the erouting tables.
1866 matcher.sen_len = sizeof (struct sockaddr_encap);
1867 matcher.sen_family = AF_ENCAP;
1868 matcher.sen_type = SENT_IP4;
1869 if(ipp->protocol == IPPROTO_IPIP) {
1872 ipp2 = (struct iphdr*) (((char*)ipp) + (ipp->ihl << 2));
1873 matcher.sen_ip_src.s_addr = ipp2->saddr;
1874 matcher.sen_ip_dst.s_addr = ipp2->daddr;
1876 matcher.sen_ip_src.s_addr = ipp->saddr;
1877 matcher.sen_ip_dst.s_addr = ipp->daddr;
1881 * The spinlock is to prevent any other process from accessing or
1882 * deleting the eroute while we are using and updating it.
1884 spin_lock(&eroute_lock);
1886 er = ipsec_findroute(&matcher);
1888 policy_said = er->er_said;
1889 policy_eaddr = er->er_eaddr;
1890 policy_emask = er->er_emask;
1892 er->er_lasttime = jiffies/HZ;
1895 spin_unlock(&eroute_lock);
1899 * The spinlock is to prevent any other process from
1900 * accessing or deleting the tdb while we are using and
1903 spin_lock(&tdb_lock);
1905 policy_tdb = gettdb(&policy_said);
1906 if (policy_tdb == NULL) {
1907 spin_unlock(&tdb_lock);
1908 KLIPS_PRINT(debug_rcv,
1909 "klips_debug:ipsec_rcv: "
1910 "no Tunnel Descriptor Block for SA%s: incoming packet with no policy SA, dropped.\n",
1911 sa_len ? sa : " (error)");
1915 sa_len = satoa(policy_said, 0, sa, SATOA_BUF);
1917 KLIPS_PRINT(debug_rcv,
1918 "klips_debug:ipsec_rcv: "
1919 "found policy Tunnel Descriptor Block -- SA:%s\n",
1920 sa_len ? sa : " (error)");
1922 if(policy_tdb->tdb_inext) {
1923 policy_tdb = policy_tdb->tdb_inext;
1929 if(policy_tdb != tdbp) {
1930 spin_unlock(&tdb_lock);
1931 KLIPS_PRINT(debug_rcv,
1932 "klips_debug:ipsec_rcv: "
1933 "Tunnel Descriptor Block for SA%s: incoming packet with different policy SA, dropped.\n",
1934 sa_len ? sa : " (error)");
1938 spin_unlock(&tdb_lock);
1939 } /* end of if(er) */
1940 #endif /* INBOUND_POLICY_CHECK_eroute */
1943 if(pRcvDesc->stats) {
1944 (pRcvDesc->stats)->rx_bytes += skb->len;
1947 dst_release(skb->dst);
1950 skb->pkt_type = PACKET_HOST;
1951 if(pRcvDesc->hard_header_len &&
1952 (skb->mac.raw != (skb->data - pRcvDesc->hard_header_len)) &&
1953 (pRcvDesc->hard_header_len <= skb_headroom(skb))) {
1954 /* copy back original MAC header */
1955 memmove(skb->data - pRcvDesc->hard_header_len, skb->mac.raw, pRcvDesc->hard_header_len);
1956 skb->mac.raw = skb->data - pRcvDesc->hard_header_len;
1960 #ifdef CONFIG_IPSEC_IPCOMP
1961 if(ipp->protocol == IPPROTO_COMP) {
1962 unsigned int flags = 0;
1964 if(sysctl_ipsec_inbound_policy_check) {
1965 KLIPS_PRINT(debug_rcv & DB_RX_PKTRX,
1966 "klips_debug:ipsec_rcv: "
1967 "inbound policy checking enabled, IPCOMP follows IPIP, dropped.\n");
1968 if (pRcvDesc->stats) {
1969 (pRcvDesc->stats)->rx_errors++;
1974 XXX need a TDB for updating ratio counters but it is not
1975 following policy anyways so it is not a priority
1977 skb = skb_decompress(skb, NULL, &flags);
1978 if (!skb || flags) {
1979 KLIPS_PRINT(debug_rcv & DB_RX_PKTRX,
1980 "klips_debug:ipsec_rcv: "
1981 "skb_decompress() returned error flags: %d, dropped.\n",
1983 if (pRcvDesc->stats) {
1984 (pRcvDesc->stats)->rx_errors++;
1989 #endif /* CONFIG_IPSEC_IPCOMP */
1991 #ifdef SKB_RESET_NFCT
1992 nf_conntrack_put(skb->nfct);
1994 #ifdef CONFIG_NETFILTER_DEBUG
1996 #endif /* CONFIG_NETFILTER_DEBUG */
1997 #if defined(CONFIG_BRIDGE) || defined(CONFIG_BRIDGE_MODULE)
1998 nf_bridge_put(skb->nf_bridge);
1999 skb->nf_bridge = NULL;
2001 #endif /* SKB_RESET_NFCT */
2003 KLIPS_PRINT(debug_rcv & DB_RX_PKTRX,
2004 "klips_debug:ipsec_rcv: "
2005 "netif_rx() called.\n");
2010 ipsec_glue_rcv_desc_release (pRcvDesc);
2018 ipsec_glue_rcv_desc_release (pRcvDesc);
2024 kfree_skb(skb, FREE_WRITE);
2034 #ifdef PROTO_HANDLER_SINGLE_PARM
2035 ipsec_rcv(struct sk_buff *skb)
2036 #else /* PROTO_HANDLER_SINGLE_PARM */
2038 ipsec_rcv(struct sk_buff *skb, unsigned short xlen)
2040 ipsec_rcv(struct sk_buff *skb, struct device *dev, struct options *opt,
2041 __u32 daddr_unused, unsigned short xlen, __u32 saddr,
2042 int redo, struct inet_protocol *protocol)
2044 #endif /* PROTO_HANDLER_SINGLE_PARM */
2047 #ifdef CONFIG_IPSEC_DEBUG
2048 struct device *dev = skb->dev;
2049 #endif /* CONFIG_IPSEC_DEBUG */
2051 unsigned char protoc;
2054 #ifdef CONFIG_IPSEC_ESP
2055 struct esp *espp = NULL;
2059 char iv[ESP_IV_MAXSZ];
2060 #endif /* !CONFIG_IPSEC_ESP */
2061 #ifdef CONFIG_IPSEC_AH
2062 struct ah *ahp = NULL;
2064 #endif /* CONFIG_IPSEC_AH */
2066 #ifdef CONFIG_IPSEC_IPCOMP
2067 struct ipcomphdr*compp = NULL;
2068 #endif /* CONFIG_IPSEC_IPCOMP */
2072 struct ipsec_sa *tdbp = NULL;
2075 struct device *ipsecdev = NULL, *prvdev;
2076 struct ipsecpriv *prv;
2080 char ipaddr_txt[ADDRTOA_BUF];
2082 struct in_addr ipaddr;
2083 __u8 next_header = 0;
2086 int len; /* packet length */
2087 int replay = 0; /* replay value in AH or ESP packet */
2089 struct ipsec_sa* tdbprev = NULL; /* previous SA from outside of packet */
2090 struct ipsec_sa* tdbnext = NULL; /* next SA towards inside of packet */
2091 #ifdef INBOUND_POLICY_CHECK_eroute
2092 struct sockaddr_encap matcher; /* eroute search key */
2094 struct ipsec_sa* policy_tdb = NULL;
2095 struct sa_id policy_said;
2096 struct sockaddr_encap policy_eaddr;
2097 struct sockaddr_encap policy_emask;
2098 #endif /* INBOUND_POLICY_CHECK_eroute */
2100 #ifdef CONFIG_IPSEC_NAT_TRAVERSAL
2101 __u16 natt_len = 0, natt_sport = 0, natt_dport = 0;
2105 __u32 auth_start_offset = 0;
2106 __u32 auth_data_len = 0;
2107 __u32 crypt_start_offset = 0;
2108 __u32 crypt_data_len = 0;
2109 __u32 icv_offset = 0;
2111 IpsecRcvDesc *pRcvDesc = NULL;
2113 /* Don't unlink in the middle of a turnaround */
2117 KLIPS_PRINT(debug_rcv,
2118 "klips_debug:ipsec_rcv: "
2119 "NULL skb passed in.\n");
2123 if (skb->data == NULL) {
2124 KLIPS_PRINT(debug_rcv,
2125 "klips_debug:ipsec_rcv: "
2126 "NULL skb->data passed in, packet is bogus, dropping.\n");
2131 if (ipsec_glue_rcv_desc_get(&pRcvDesc) != IPSEC_GLUE_STATUS_SUCCESS){
2132 KLIPS_PRINT(debug_rcv,
2133 "klips_debug:ipsec_rcv: "
2134 "run out of rcv descriptors, dropping.\n");
2138 #ifdef CONFIG_IPSEC_NAT_TRAVERSAL
2139 if (skb->sk && skb->nh.iph && skb->nh.iph->protocol==IPPROTO_UDP) {
2141 * Packet comes from udp_queue_rcv_skb so it is already defrag,
2142 * checksum verified, ... (ie safe to use)
2144 * If the packet is not for us, return -1 and udp_queue_rcv_skb
2145 * will continue to handle it (do not kfree skb !!).
2147 struct udp_opt *tp = &(skb->sk->tp_pinfo.af_udp);
2148 struct iphdr *ip = (struct iphdr *)skb->nh.iph;
2149 struct udphdr *udp = (struct udphdr *)((__u32 *)ip+ip->ihl);
2150 __u8 *udpdata = (__u8 *)udp + sizeof(struct udphdr);
2151 __u32 *udpdata32 = (__u32 *)udpdata;
2153 natt_sport = ntohs(udp->source);
2154 natt_dport = ntohs(udp->dest);
2156 KLIPS_PRINT(debug_rcv,
2157 "klips_debug:ipsec_rcv: "
2158 "suspected ESPinUDP packet (NAT-Traversal) [%d].\n",
2160 KLIPS_IP_PRINT(debug_rcv, ip);
2162 if (udpdata < skb->tail) {
2163 unsigned int len = skb->tail - udpdata;
2164 if ((len==1) && (udpdata[0]==0xff)) {
2165 KLIPS_PRINT(debug_rcv,
2166 "klips_debug:ipsec_rcv: "
2167 /* not IPv6 compliant message */
2168 "NAT-keepalive from %d.%d.%d.%d.\n", NIPQUAD(ip->saddr));
2171 else if ( (tp->esp_in_udp == ESPINUDP_WITH_NON_IKE) &&
2172 (len > (2*sizeof(__u32) + sizeof(struct esp))) &&
2173 (udpdata32[0]==0) && (udpdata32[1]==0) ) {
2174 /* ESP Packet with Non-IKE header */
2175 KLIPS_PRINT(debug_rcv,
2176 "klips_debug:ipsec_rcv: "
2177 "ESPinUDP pkt with Non-IKE - spi=0x%x\n",
2179 natt_type = ESPINUDP_WITH_NON_IKE;
2180 natt_len = sizeof(struct udphdr)+(2*sizeof(__u32));
2182 else if ( (tp->esp_in_udp == ESPINUDP_WITH_NON_ESP) &&
2183 (len > sizeof(struct esp)) &&
2184 (udpdata32[0]!=0) ) {
2185 /* ESP Packet without Non-ESP header */
2186 natt_type = ESPINUDP_WITH_NON_ESP;
2187 natt_len = sizeof(struct udphdr);
2188 KLIPS_PRINT(debug_rcv,
2189 "klips_debug:ipsec_rcv: "
2190 "ESPinUDP pkt without Non-ESP - spi=0x%x\n",
2194 KLIPS_PRINT(debug_rcv,
2195 "klips_debug:ipsec_rcv: "
2196 "IKE packet - not handled here\n");
2199 ipsec_glue_rcv_desc_release (pRcvDesc);
2207 ipsec_glue_rcv_desc_release (pRcvDesc);
2214 #ifdef IPH_is_SKB_PULLED
2215 /* In Linux 2.4.4, the IP header has been skb_pull()ed before the
2216 packet is passed to us. So we'll skb_push() to get back to it. */
2217 if (skb->data == skb->h.raw) {
2218 skb_push(skb, skb->h.raw - skb->nh.raw);
2220 #endif /* IPH_is_SKB_PULLED */
2222 ipp = (struct iphdr *)skb->data;
2223 iphlen = ipp->ihl << 2;
2225 /* dev->hard_header_len is unreliable and should not be used */
2226 pRcvDesc->hard_header_len = skb->mac.raw ? (skb->data - skb->mac.raw) : 0;
2227 if((pRcvDesc->hard_header_len < 0) || (pRcvDesc->hard_header_len > skb_headroom(skb)))
2228 pRcvDesc->hard_header_len = 0;
2231 /* if skb was cloned (most likely due to a packet sniffer such as
2232 tcpdump being momentarily attached to the interface), make
2233 a copy of our own to modify */
2234 if(skb_cloned(skb)) {
2235 /* include any mac header while copying.. */
2236 if(skb_headroom(skb) < pRcvDesc->hard_header_len) {
2237 printk(KERN_WARNING "klips_error:ipsec_rcv: "
2238 "tried to skb_push hhlen=%d, %d available. This should never happen, please report.\n",
2239 pRcvDesc->hard_header_len,
2243 skb_push(skb, pRcvDesc->hard_header_len);
2246 (skb_cow(skb, skb_headroom(skb)) != 0)
2247 #else /* SKB_COW_NEW */
2248 ((skb = skb_cow(skb, skb_headroom(skb))) == NULL)
2249 #endif /* SKB_COW_NEW */
2253 if(skb->len < pRcvDesc->hard_header_len) {
2254 printk(KERN_WARNING "klips_error:ipsec_rcv: "
2255 "tried to skb_pull hhlen=%d, %d available. This should never happen, please report.\n",
2256 pRcvDesc->hard_header_len,
2260 skb_pull(skb, pRcvDesc->hard_header_len);
2265 #if IP_FRAGMENT_LINEARIZE
2266 /* In Linux 2.4.4, we may have to reassemble fragments. They are
2267 not assembled automatically to save TCP from having to copy
2270 if (skb_is_nonlinear(skb)) {
2271 if (skb_linearize(skb, GFP_ATOMIC) != 0) {
2275 ipp = (struct iphdr *)skb->nh.iph;
2276 iphlen = ipp->ihl << 2;
2279 #ifdef CONFIG_IPSEC_NAT_TRAVERSAL
2282 * Now, we are sure packet is ESPinUDP. Remove natt_len bytes from
2283 * packet and modify protocol to ESP.
2285 if (((unsigned char *)skb->data > (unsigned char *)skb->nh.iph) &&
2286 ((unsigned char *)skb->nh.iph > (unsigned char *)skb->head)) {
2287 unsigned int _len = (unsigned char *)skb->data -
2288 (unsigned char *)skb->nh.iph;
2289 KLIPS_PRINT(debug_rcv,
2290 "klips_debug:ipsec_rcv: adjusting skb: skb_push(%u)\n",
2292 skb_push(skb, _len);
2294 KLIPS_PRINT(debug_rcv,
2295 "klips_debug:ipsec_rcv: "
2296 "removing %d bytes from ESPinUDP packet\n", natt_len);
2297 ipp = (struct iphdr *)skb->data;
2298 iphlen = ipp->ihl << 2;
2299 ipp->tot_len = htons(ntohs(ipp->tot_len) - natt_len);
2300 if (skb->len < iphlen + natt_len) {
2302 "klips_error:ipsec_rcv: "
2303 "ESPinUDP packet is too small (%d < %d+%d). "
2304 "This should never happen, please report.\n",
2305 (int)(skb->len), iphlen, natt_len);
2308 memmove(skb->data + natt_len, skb->data, iphlen);
2309 skb_pull(skb, natt_len);
2312 ipp = skb->nh.iph = (struct iphdr *)skb->data;
2314 /* modify protocol */
2315 ipp->protocol = IPPROTO_ESP;
2319 KLIPS_IP_PRINT(debug_rcv, skb->nh.iph);
2323 KLIPS_PRINT(debug_rcv,
2324 "klips_debug:ipsec_rcv: "
2326 KLIPS_PRINTMORE(debug_rcv && skb->dev, "skb->dev=%s ",
2327 skb->dev->name ? skb->dev->name : "NULL");
2328 KLIPS_PRINTMORE(debug_rcv && dev, "dev=%s ",
2329 dev->name ? dev->name : "NULL");
2330 KLIPS_PRINTMORE(debug_rcv, "\n");
2332 KLIPS_PRINT(debug_rcv && !(skb->dev && dev && (skb->dev == dev)),
2333 "klips_debug:ipsec_rcv: "
2334 "Informational -- **if this happens, find out why** skb->dev:%s is not equal to dev:%s\n",
2335 skb->dev ? (skb->dev->name ? skb->dev->name : "NULL") : "NULL",
2336 dev ? (dev->name ? dev->name : "NULL") : "NULL");
2338 protoc = ipp->protocol;
2340 if((!protocol) || (protocol->protocol != protoc)) {
2341 KLIPS_PRINT(debug_rcv & DB_RX_TDB,
2342 "klips_debug:ipsec_rcv: "
2343 "protocol arg is NULL or unequal to the packet contents, this is odd, using value in packet.\n");
2345 #endif /* !NET_21 */
2347 if( (protoc != IPPROTO_AH) &&
2348 #ifdef CONFIG_IPSEC_IPCOMP_disabled_until_we_register_IPCOMP_HANDLER
2349 (protoc != IPPROTO_COMP) &&
2350 #endif /* CONFIG_IPSEC_IPCOMP */
2351 (protoc != IPPROTO_ESP) ) {
2352 KLIPS_PRINT(debug_rcv & DB_RX_TDB,
2353 "klips_debug:ipsec_rcv: Why the hell is someone "
2354 "passing me a non-ipsec protocol = %d packet? -- dropped.\n",
2360 for(i = 0; i < IPSEC_NUM_IF; i++) {
2361 sprintf(name, "ipsec%d", i);
2362 if(!strcmp(name, skb->dev->name)) {
2363 prv = (struct ipsecpriv *)(skb->dev->priv);
2365 pRcvDesc->stats = (struct net_device_stats *) &(prv->mystats);
2367 ipsecdev = skb->dev;
2368 KLIPS_PRINT(debug_rcv,
2369 "klips_debug:ipsec_rcv: "
2370 "Info -- pkt already proc'ed a group of ipsec headers, processing next group of ipsec headers.\n");
2373 if((ipsecdev = ipsec_dev_get(name)) == NULL) {
2374 KLIPS_PRINT(debug_rcv,
2375 "klips_error:ipsec_rcv: "
2376 "device %s does not exist\n",
2379 prv = ipsecdev ? (struct ipsecpriv *)(ipsecdev->priv) : NULL;
2380 prvdev = prv ? (struct device *)(prv->dev) : NULL;
2383 KLIPS_PRINT(debug_rcv && prvdev,
2384 "klips_debug:ipsec_rcv: "
2385 "physical device for device %s is %s\n",
2389 if(prvdev && skb->dev &&
2390 !strcmp(prvdev->name, skb->dev->name)) {
2391 pRcvDesc->stats = prv ? ((struct net_device_stats *) &(prv->mystats)) : NULL;
2392 skb->dev = ipsecdev;
2393 #if (defined(CONFIG_BRIDGE) || defined(CONFIG_BRIDGE_MODULE)) && defined(CONFIG_NETFILTER)
2395 skb->nf_bridge->physindev = ipsecdev;
2397 KLIPS_PRINT(debug_rcv && prvdev,
2398 "klips_debug:ipsec_rcv: "
2399 "assigning packet ownership to virtual device %s from physical device %s.\n",
2400 name, prvdev->name);
2401 if(pRcvDesc->stats) {
2402 pRcvDesc->stats->rx_packets++;
2408 KLIPS_PRINT(debug_rcv,
2409 "klips_debug:ipsec_rcv: "
2410 "device supplied with skb is NULL\n");
2413 if(!pRcvDesc->stats) {
2416 KLIPS_PRINT((debug_rcv && !pRcvDesc->stats),
2417 "klips_error:ipsec_rcv: "
2418 "packet received from physical I/F (%s) not connected to ipsec I/F. Cannot record stats. May not have SA for decoding. Is IPSEC traffic expected on this I/F? Check routing.\n",
2419 skb->dev ? (skb->dev->name ? skb->dev->name : "NULL") : "NULL");
2421 KLIPS_IP_PRINT(debug_rcv, ipp);
2423 #ifdef CONFIG_LEDMAN
2424 ledman_cmd(LEDMAN_CMD_SET, LEDMAN_VPN_RX);
2427 /* begin decapsulating loop here */
2430 #ifdef CONFIG_IPSEC_ESP
2435 #endif /* !CONFIG_IPSEC_ESP */
2436 #ifdef CONFIG_IPSEC_AH
2439 #endif /* CONFIG_IPSEC_AH */
2440 #ifdef CONFIG_IPSEC_IPCOMP
2442 #endif /* CONFIG_IPSEC_IPCOMP */
2446 ipp = (struct iphdr *)skb->data;
2447 proto = ipp->protocol;
2448 ipaddr.s_addr = ipp->saddr;
2449 addrtoa(ipaddr, 0, ipaddr_txt, sizeof(ipaddr_txt));
2451 iphlen = ipp->ihl << 2;
2452 ipp->check = 0; /* we know the sum is good */
2454 #ifdef CONFIG_IPSEC_ESP
2455 #endif /* !CONFIG_IPSEC_ESP */
2458 * Find tunnel control block and (indirectly) call the
2459 * appropriate tranform routine. The resulting sk_buf
2460 * is a valid IP packet ready to go through input processing.
2463 said.dst.s_addr = ipp->daddr;
2465 #ifdef CONFIG_IPSEC_ESP
2467 /* XXX this will need to be 8 for IPv6 */
2468 if ((len - iphlen) % 4) {
2469 printk("klips_error:ipsec_rcv: "
2470 "got packet with content length = %d from %s -- should be on 4 octet boundary, packet dropped\n",
2473 if(pRcvDesc->stats) {
2474 (pRcvDesc->stats)->rx_errors++;
2479 if(skb->len < (pRcvDesc->hard_header_len + sizeof(struct iphdr) + sizeof(struct esp))) {
2480 KLIPS_PRINT(debug_rcv & DB_RX_INAU,
2481 "klips_debug:ipsec_rcv: "
2482 "runt esp packet of skb->len=%d received from %s, dropped.\n",
2485 if(pRcvDesc->stats) {
2486 (pRcvDesc->stats)->rx_errors++;
2491 espp = (struct esp *)(skb->data + iphlen);
2492 /* Get IV location pointer in payload - after ESP header */
2493 ivp = (char *) espp + sizeof (struct esp);
2494 said.spi = espp->esp_spi;
2495 replay = ntohl(espp->esp_rpl);
2498 #endif /* !CONFIG_IPSEC_ESP */
2499 #ifdef CONFIG_IPSEC_AH
2502 < (pRcvDesc->hard_header_len + sizeof(struct iphdr) + sizeof(struct ah)))
2504 < (pRcvDesc->hard_header_len + sizeof(struct iphdr)
2505 + ((ahp = (struct ah *) (skb->data + iphlen))->ah_hl << 2)))) {
2506 KLIPS_PRINT(debug_rcv & DB_RX_INAU,
2507 "klips_debug:ipsec_rcv: "
2508 "runt ah packet of skb->len=%d received from %s, dropped.\n",
2511 if(pRcvDesc->stats) {
2512 (pRcvDesc->stats)->rx_errors++;
2516 said.spi = ahp->ah_spi;
2517 replay = ntohl(ahp->ah_rpl);
2518 ahhlen = (ahp->ah_hl << 2) +
2519 ((caddr_t)&(ahp->ah_rpl) - (caddr_t)ahp);
2520 next_header = ahp->ah_nh;
2521 if (ahhlen != sizeof(struct ah)) {
2522 KLIPS_PRINT(debug_rcv & DB_RX_INAU,
2523 "klips_debug:ipsec_rcv: "
2524 "bad authenticator length %d, expected %d from %s.\n",
2525 ahhlen - ((caddr_t)(ahp->ah_data) - (caddr_t)ahp),
2528 if(pRcvDesc->stats) {
2529 (pRcvDesc->stats)->rx_errors++;
2534 #endif /* CONFIG_IPSEC_AH */
2535 #ifdef CONFIG_IPSEC_IPCOMP
2537 if(skb->len < (pRcvDesc->hard_header_len + sizeof(struct iphdr) + sizeof(struct ipcomphdr))) {
2538 KLIPS_PRINT(debug_rcv & DB_RX_INAU,
2539 "klips_debug:ipsec_rcv: "
2540 "runt comp packet of skb->len=%d received from %s, dropped.\n",
2543 if(pRcvDesc->stats) {
2544 (pRcvDesc->stats)->rx_errors++;
2549 compp = (struct ipcomphdr *)(skb->data + iphlen);
2550 said.spi = htonl((__u32)ntohs(compp->ipcomp_cpi));
2552 #endif /* CONFIG_IPSEC_IPCOMP */
2554 if(pRcvDesc->stats) {
2555 (pRcvDesc->stats)->rx_errors++;
2561 sa_len = satoa(said, 0, sa, SATOA_BUF);
2563 strcpy(sa, "(error)");
2567 #ifdef CONFIG_IPSEC_IPCOMP
2568 if (proto == IPPROTO_COMP) {
2569 unsigned int flags = 0;
2571 KLIPS_PRINT(debug_rcv,
2572 "klips_debug:ipsec_rcv: "
2573 "Incoming packet with outer IPCOMP header SA:%s: not yet supported by KLIPS, dropped\n",
2574 sa_len ? sa : " (error)");
2575 if(pRcvDesc->stats) {
2576 (pRcvDesc->stats)->rx_dropped++;
2584 spin_lock(&tdb_lock);
2587 /* store current tdbp into rcv descriptor */
2588 pRcvDesc->tdbp = tdbp;
2590 if(sysctl_ipsec_inbound_policy_check
2592 || (((ntohl(tdbp->tdb_said.spi) & 0x0000ffff)
2594 /* next line is a workaround for peer
2595 non-compliance with rfc2393 */
2596 && (tdbp->tdb_encalg != ntohl(said.spi))
2599 char sa2[SATOA_BUF];
2601 spin_unlock(&tdb_lock);
2604 sa_len2 = satoa(tdbp->tdb_said, 0, sa2, SATOA_BUF);
2607 KLIPS_PRINT(debug_rcv,
2608 "klips_debug:ipsec_rcv: "
2609 "Incoming packet with SA(IPCA):%s does not match policy SA(IPCA):%s cpi=%04x cpi->spi=%08x spi=%08x, spi->cpi=%04x for SA grouping, dropped.\n",
2610 sa_len ? sa : " (error)",
2611 tdbp ? (sa_len2 ? sa2 : " (error)") : "NULL",
2612 ntohs(compp->ipcomp_cpi),
2613 (__u32)ntohl(said.spi),
2614 tdbp ? (__u32)ntohl((tdbp->tdb_said.spi)) : 0,
2615 tdbp ? (__u16)(ntohl(tdbp->tdb_said.spi) & 0x0000ffff) : 0);
2616 if(pRcvDesc->stats) {
2617 (pRcvDesc->stats)->rx_dropped++;
2622 next_header = compp->ipcomp_nh;
2625 addRcvDesc_to_salist(tdbp, pRcvDesc);
2626 tdbp->tdb_comp_ratio_cbytes += ntohs(ipp->tot_len);
2627 tdbnext = tdbp->tdb_inext;
2630 skb = skb_decompress(skb, tdbp, &flags);
2631 if (!skb || flags) {
2632 delRcvDesc_from_salist(tdbp, pRcvDesc);
2633 spin_unlock(&tdb_lock);
2634 KLIPS_PRINT(debug_rcv,
2635 "klips_debug:ipsec_rcv: "
2636 "skb_decompress() returned error flags=%x, dropped.\n",
2638 if (pRcvDesc->stats) {
2640 (pRcvDesc->stats)->rx_errors++;
2642 (pRcvDesc->stats)->rx_dropped++;
2653 tdbp->tdb_comp_ratio_dbytes += ntohs(ipp->tot_len);
2654 delRcvDesc_from_salist(tdbp, pRcvDesc);
2657 KLIPS_PRINT(debug_rcv,
2658 "klips_debug:ipsec_rcv: "
2659 "packet decompressed SA(IPCA):%s cpi->spi=%08x spi=%08x, spi->cpi=%04x, nh=%d.\n",
2660 sa_len ? sa : " (error)",
2661 (__u32)ntohl(said.spi),
2662 tdbp ? (__u32)ntohl((tdbp->tdb_said.spi)) : 0,
2663 tdbp ? (__u16)(ntohl(tdbp->tdb_said.spi) & 0x0000ffff) : 0,
2665 KLIPS_IP_PRINT(debug_rcv & DB_RX_PKTRX, ipp);
2667 spin_unlock(&tdb_lock);
2670 /* Skip rest of stuff and decapsulate next inner
2673 #endif /* CONFIG_IPSEC_IPCOMP */
2675 tdbp = ipsec_sa_getbyid(&said);
2676 pRcvDesc->tdbp = tdbp;
2679 KLIPS_PRINT(debug_rcv,
2680 "klips_debug:ipsec_rcv: "
2681 "no Tunnel Descriptor Block for SA:%s: incoming packet with no SA dropped\n",
2682 sa_len ? sa : " (error)");
2683 if(pRcvDesc->stats) {
2684 (pRcvDesc->stats)->rx_dropped++;
2689 #ifdef CONFIG_IPSEC_NAT_TRAVERSAL
2691 ( (ipp->saddr != (((struct sockaddr_in*)(tdbp->tdb_addr_s))->sin_addr.s_addr)) ||
2692 (natt_sport != tdbp->ips_natt_sport)
2694 struct sockaddr sipaddr;
2695 /** Advertise NAT-T addr change to pluto **/
2696 sipaddr.sa_family = AF_INET;
2697 ((struct sockaddr_in*)&sipaddr)->sin_addr.s_addr = ipp->saddr;
2698 ((struct sockaddr_in*)&sipaddr)->sin_port = htons(natt_sport);
2699 pfkey_nat_t_new_mapping(tdbp, &sipaddr, natt_sport);
2701 * Then allow or block packet depending on
2702 * sysctl_ipsec_inbound_policy_check.
2704 * In all cases, pluto will update SA if new mapping is
2707 if (sysctl_ipsec_inbound_policy_check) {
2708 spin_unlock(&tdb_lock);
2709 ipaddr.s_addr = ipp->saddr;
2710 addrtoa(ipaddr, 0, ipaddr_txt, sizeof(ipaddr_txt));
2711 KLIPS_PRINT(debug_rcv,
2712 "klips_debug:ipsec_rcv: "
2713 "SA:%s, src=%s:%u of pkt does not agree with expected "
2714 "SA source address policy (pluto has been informed).\n",
2715 sa_len ? sa : " (error)",
2716 ipaddr_txt, natt_sport);
2717 if(pRcvDesc->stats) {
2718 pRcvDesc->stats->rx_dropped++;
2726 #ifdef CONFIG_IPSEC_NAT_TRAVERSAL
2727 KLIPS_PRINT(debug_rcv,
2728 "klips_debug:ipsec_rcv: "
2729 "natt_type=%u tdbp->ips_natt_type=%u : %s\n",
2730 natt_type, tdbp->ips_natt_type,
2731 (natt_type==tdbp->ips_natt_type)?"ok":"bad");
2732 if (natt_type != tdbp->ips_natt_type) {
2733 spin_unlock(&tdb_lock);
2734 KLIPS_PRINT(debug_rcv,
2735 "klips_debug:ipsec_rcv: "
2736 "SA:%s does not agree with expected NAT-T policy.\n",
2737 sa_len ? sa : " (error)");
2738 if(pRcvDesc->stats) {
2739 pRcvDesc->stats->rx_dropped++;
2745 spin_lock(&tdb_lock);
2746 addRcvDesc_to_salist(tdbp, pRcvDesc);
2747 if(sysctl_ipsec_inbound_policy_check) {
2748 if(ipp->saddr != ((struct sockaddr_in*)(tdbp->tdb_addr_s))->sin_addr.s_addr) {
2749 delRcvDesc_from_salist(tdbp, pRcvDesc);
2750 spin_unlock(&tdb_lock);
2751 ipaddr.s_addr = ipp->saddr;
2752 addrtoa(ipaddr, 0, ipaddr_txt, sizeof(ipaddr_txt));
2754 KLIPS_PRINT(debug_rcv,
2755 "klips_debug:ipsec_rcv: "
2756 "SA:%s, src=%s of pkt does not agree with expected SA source address policy.\n",
2757 sa_len ? sa : " (error)",
2759 if(pRcvDesc->stats) {
2760 (pRcvDesc->stats)->rx_dropped++;
2765 ipaddr.s_addr = ipp->saddr;
2766 addrtoa(ipaddr, 0, ipaddr_txt, sizeof(ipaddr_txt));
2767 KLIPS_PRINT(debug_rcv,
2768 "klips_debug:ipsec_rcv: "
2769 "SA:%s, src=%s of pkt agrees with expected SA source address policy.\n",
2770 sa_len ? sa : " (error)",
2773 if(tdbnext != tdbp) {
2774 delRcvDesc_from_salist(tdbp, pRcvDesc);
2775 spin_unlock(&tdb_lock);
2776 KLIPS_PRINT(debug_rcv,
2777 "klips_debug:ipsec_rcv: "
2778 "unexpected SA:%s: does not agree with tdb->inext policy, dropped\n",
2779 sa_len ? sa : " (error)");
2780 if(pRcvDesc->stats) {
2781 (pRcvDesc->stats)->rx_dropped++;
2785 KLIPS_PRINT(debug_rcv,
2786 "klips_debug:ipsec_rcv: "
2787 "SA:%s grouping from previous SA is OK.\n",
2788 sa_len ? sa : " (error)");
2790 KLIPS_PRINT(debug_rcv,
2791 "klips_debug:ipsec_rcv: "
2792 "SA:%s First SA in group.\n",
2793 sa_len ? sa : " (error)");
2796 if(tdbp->tdb_onext) {
2797 if(tdbprev != tdbp->tdb_onext) {
2798 delRcvDesc_from_salist(tdbp, pRcvDesc);
2799 spin_unlock(&tdb_lock);
2800 KLIPS_PRINT(debug_rcv,
2801 "klips_debug:ipsec_rcv: "
2802 "unexpected SA:%s: does not agree with tdb->onext policy, dropped.\n",
2803 sa_len ? sa : " (error)");
2804 if(pRcvDesc->stats) {
2805 (pRcvDesc->stats)->rx_dropped++;
2809 KLIPS_PRINT(debug_rcv,
2810 "klips_debug:ipsec_rcv: "
2811 "SA:%s grouping to previous SA is OK.\n",
2812 sa_len ? sa : " (error)");
2815 KLIPS_PRINT(debug_rcv,
2816 "klips_debug:ipsec_rcv: "
2817 "SA:%s No previous backlink in group.\n",
2818 sa_len ? sa : " (error)");
2820 #ifdef CONFIG_IPSEC_NAT_TRAVERSAL
2821 KLIPS_PRINT(debug_rcv,
2822 "klips_debug:ipsec_rcv: "
2823 "natt_type=%u tdbp->ips_natt_type=%u : %s\n",
2824 natt_type, tdbp->ips_natt_type,
2825 (natt_type==tdbp->ips_natt_type)?"ok":"bad");
2826 if (natt_type != tdbp->ips_natt_type) {
2827 spin_unlock(&tdb_lock);
2828 KLIPS_PRINT(debug_rcv,
2829 "klips_debug:ipsec_rcv: "
2830 "SA:%s does not agree with expected NAT-T policy.\n",
2831 sa_len ? sa : " (error)");
2832 if((pRcvDesc->stats)) {
2833 (pRcvDesc->stats)->rx_dropped++;
2840 /* If it is in larval state, drop the packet, we cannot process yet. */
2841 if(tdbp->tdb_state == SADB_SASTATE_LARVAL) {
2842 spin_unlock(&tdb_lock);
2843 KLIPS_PRINT(debug_rcv,
2844 "klips_debug:ipsec_rcv: "
2845 "TDB in larval state, cannot be used yet, dropping packet.\n");
2846 if(pRcvDesc->stats) {
2847 pRcvDesc->stats->rx_dropped++;
2852 if(tdbp->tdb_state == SADB_SASTATE_DEAD) {
2853 spin_unlock(&tdb_lock);
2854 KLIPS_PRINT(debug_rcv,
2855 "klips_debug:ipsec_rcv: "
2856 "TDB in dead state, cannot be used any more, dropping packet.\n");
2857 if(pRcvDesc->stats) {
2858 pRcvDesc->stats->rx_dropped++;
2863 if(ipsec_lifetime_check(&tdbp->ips_life.ipl_bytes, "bytes", sa,
2864 ipsec_life_countbased, ipsec_incoming, tdbp) == ipsec_life_harddied ||
2865 ipsec_lifetime_check(&tdbp->ips_life.ipl_addtime, "addtime",sa,
2866 ipsec_life_timebased, ipsec_incoming, tdbp) == ipsec_life_harddied ||
2867 ipsec_lifetime_check(&tdbp->ips_life.ipl_addtime, "usetime",sa,
2868 ipsec_life_timebased, ipsec_incoming, tdbp) == ipsec_life_harddied ||
2869 ipsec_lifetime_check(&tdbp->ips_life.ipl_packets, "packets",sa,
2870 ipsec_life_countbased, ipsec_incoming, tdbp) == ipsec_life_harddied) {
2871 ipsec_sa_delchain(tdbp);
2872 spin_unlock(&tdb_lock);
2873 if(pRcvDesc->stats) {
2874 pRcvDesc->stats->rx_dropped++;
2879 if (!ipsec_checkreplaywindow(tdbp, replay)) {
2880 tdbp->tdb_replaywin_errs += 1;
2881 delRcvDesc_from_salist(tdbp, pRcvDesc);
2882 spin_unlock(&tdb_lock);
2883 KLIPS_PRINT(debug_rcv & DB_RX_REPLAY,
2884 "klips_debug:ipsec_rcv: "
2885 "duplicate frame from %s, packet dropped\n",
2887 if(pRcvDesc->stats) {
2888 (pRcvDesc->stats)->rx_dropped++;
2893 KLIPS_PRINT(debug_rcv,
2894 "klips_debug:ipsec_rcv: "
2895 "encalg = %d, authalg = %d.\n",
2899 /* If the sequence number == 0, expire SA, it had rolled */
2900 if(tdbp->tdb_replaywin && !replay /* !tdbp->tdb_replaywin_lastseq */) {
2901 delRcvDesc_from_salist(tdbp, pRcvDesc);
2902 ipsec_sa_delchain(tdbp);
2903 spin_unlock(&tdb_lock);
2904 KLIPS_PRINT(debug_rcv,
2905 "klips_debug:ipsec_rcv: "
2906 "replay window counter rolled, expiring SA.\n");
2907 if(pRcvDesc->stats) {
2908 (pRcvDesc->stats)->rx_dropped++;
2913 spin_unlock(&tdb_lock);
2915 switch(tdbp->tdb_authalg) {
2916 #ifdef CONFIG_IPSEC_AUTH_HMAC_MD5
2918 authlen = AHHMAC_HASHLEN;
2920 #endif /* CONFIG_IPSEC_AUTH_HMAC_MD5 */
2921 #ifdef CONFIG_IPSEC_AUTH_HMAC_SHA1
2923 authlen = AHHMAC_HASHLEN;
2925 #endif /* CONFIG_IPSEC_AUTH_HMAC_SHA1 */
2930 spin_lock(&tdb_lock);
2931 delRcvDesc_from_salist(tdbp, pRcvDesc);
2932 tdbp->tdb_alg_errs += 1;
2933 spin_unlock(&tdb_lock);
2934 if(pRcvDesc->stats) {
2935 pRcvDesc->stats->rx_errors++;
2940 #ifdef CONFIG_IPSEC_ESP
2941 KLIPS_PRINT(proto == IPPROTO_ESP && debug_rcv,
2942 "klips_debug:ipsec_rcv: "
2943 "packet from %s received with seq=%d (iv)=0x%08x%08x%8x%8x iplen=%d esplen=%d sa=%s\n",
2945 (__u32)ntohl(espp->esp_rpl),
2946 (__u32)ntohl(*((__u32 *)(ivp) )),
2947 (__u32)ntohl(*((__u32 *)(ivp) + 1)),
2948 (__u32)ntohl(*((__u32 *)(ivp) + 2)),
2949 (__u32)ntohl(*((__u32 *)(ivp) + 3)),
2952 sa_len ? sa : " (error)");
2953 #endif /* !CONFIG_IPSEC_ESP */
2956 #ifdef CONFIG_IPSEC_ESP
2960 -------------------------------------------------
2961 IPv4 |orig IP hdr | ESP | | | ESP | ESP|
2962 |(any options)| Hdr | TCP | Data | Trailer |Auth|
2963 -------------------------------------------------
2964 |<----- encrypted ---->|
2965 |<------ authenticated ----->|
2968 esphlen = sizeof(struct esp);
2969 ivlen = tdbp->ips_iv_size;
2970 /* Keep IV length in descriptor for callback use */
2971 pRcvDesc->ivlen = ivlen;
2972 auth_start_offset = iphlen;
2973 auth_data_len = len - iphlen - authlen;
2974 icv_offset = len - authlen;
2975 crypt_start_offset = iphlen + esphlen + ivlen; /* IV is not included as payload for encryption */
2976 crypt_data_len = len - iphlen - authlen - esphlen - ivlen;
2978 if ((crypt_data_len) % 8) {
2979 spin_lock(&tdb_lock);
2980 delRcvDesc_from_salist(tdbp, pRcvDesc);
2981 tdbp->tdb_encsize_errs += 1;
2982 spin_unlock(&tdb_lock);
2983 if(pRcvDesc->stats) {
2984 (pRcvDesc->stats)->rx_errors++;
2989 switch(tdbp->tdb_encalg) {
2990 # ifdef CONFIG_IPSEC_ENC_DES
2992 memcpy (iv, ivp, ivlen);
2994 # endif /* CONFIG_IPSEC_ENC_DES */
2995 #ifdef CONFIG_IPSEC_ENC_3DES
2997 memcpy (iv, ivp, ivlen);
2999 #endif /* CONFIG_IPSEC_ENC_3DES */
3000 #ifdef CONFIG_IPSEC_ALG
3002 memcpy (iv, ivp, ivlen);
3004 #endif /* CONFIG_IPSEC_ALG */
3006 spin_lock(&tdb_lock);
3007 delRcvDesc_from_salist(tdbp, pRcvDesc);
3008 tdbp->tdb_alg_errs += 1;
3009 spin_unlock(&tdb_lock);
3010 if(pRcvDesc->stats) {
3011 (pRcvDesc->stats)->rx_errors++;
3016 #endif /* !CONFIG_IPSEC_ESP */
3017 #ifdef CONFIG_IPSEC_AH
3021 ---------------------------------
3022 IPv4 |orig IP hdr | | | |
3023 |(any options)| AH | TCP | Data |
3024 ---------------------------------
3025 |<------- authenticated ------->|
3026 except for mutable fields
3029 auth_start_offset = 0; /* start at the beginning */
3030 auth_data_len = len;
3031 icv_offset = iphlen + AUTH_DATA_IN_AH_OFFSET;
3033 /* IXP425 glue code : mutable field, need to keep a copy of original IP header and
3034 restore the original IP header after callback received.
3035 Modify the mutable fields in header*/
3036 pRcvDesc->ip_frag_off = ipp->frag_off;
3037 pRcvDesc->ip_ttl = ipp->ttl;
3042 #endif /* CONFIG_IPSEC_AH */
3045 if(auth_data_len <= 0) {
3046 spin_lock (&tdb_lock);
3047 delRcvDesc_from_salist(tdbp, pRcvDesc);
3048 spin_unlock (&tdb_lock);
3049 KLIPS_PRINT(debug_rcv,
3050 "klips_debug:ipsec_rcv: "
3051 "runt AH packet with no data, dropping.\n");
3052 if(pRcvDesc->stats) {
3053 (pRcvDesc->stats)->rx_dropped++;
3058 /* IXP425 glue code */
3059 #if defined(CONFIG_IPSEC_AH) || defined(CONFIG_IPSEC_ESP)
3061 if ((proto == IPPROTO_AH) || (proto == IPPROTO_ESP))
3063 /* store ICV_offset */
3064 pRcvDesc->icv_offset = icv_offset;
3067 if(IPSEC_GLUE_STATUS_SUCCESS != ipsec_glue_mbuf_header_get(&src_mbuf))
3069 KLIPS_PRINT(debug_rcv,
3070 "klips_debug:ipsec_rcv: "
3071 "running out of mbufs, dropped\n");
3072 spin_lock (&tdb_lock);
3073 delRcvDesc_from_salist(tdbp, pRcvDesc);
3074 spin_unlock (&tdb_lock);
3075 if(pRcvDesc->stats) {
3076 (pRcvDesc->stats)->rx_dropped++;
3081 /* attach mbuf to sk_buff */
3082 mbuf_swap_skb(src_mbuf, skb);
3084 /* store rcv desc in mbuf */
3085 (IpsecRcvDesc *) IX_MBUF_NEXT_PKT_IN_CHAIN_PTR (src_mbuf) = pRcvDesc;
3087 /* call crypto perform */
3088 if (IX_CRYPTO_ACC_STATUS_SUCCESS != ixCryptoAccAuthCryptPerform (
3089 tdbp->ips_crypto_context_id,
3099 spin_lock(&tdb_lock);
3100 delRcvDesc_from_salist(tdbp, pRcvDesc);
3101 spin_unlock(&tdb_lock);
3102 KLIPS_PRINT(debug_rcv,
3103 "klips_debug:ipsec_rcv: "
3104 "warning, decrapsulation packet from %s cannot be started\n",
3107 ipsec_glue_mbuf_header_rel(src_mbuf);
3109 if(pRcvDesc->stats) {
3110 (pRcvDesc->stats)->rx_dropped++;
3115 } /* end of if ((proto == IPPROTO_AH) || (proto == IPPROTO_ESP))*/
3116 #endif /* defined(CONFIG_IPSEC_AH) || defined(CONFIG_IPSEC_ESP)*/
3118 /* set next header */
3119 skb->data[PROTO] = next_header;
3129 /* skb->h.ipiph=(struct iphdr *)skb->data; */
3130 skb->nh.raw = skb->data;
3131 skb->h.raw = skb->nh.raw + (skb->nh.iph->ihl << 2);
3133 memset(&(IPCB(skb)->opt), 0, sizeof(struct ip_options));
3135 skb->h.iph=(struct iphdr *)skb->data;
3136 skb->ip_hdr=(struct iphdr *)skb->data;
3137 memset(skb->proto_priv, 0, sizeof(struct options));
3140 ipp = (struct iphdr *)dat;
3142 ipp->check = ip_fast_csum((unsigned char *)dat, iphlen >> 2);
3144 KLIPS_PRINT(debug_rcv & DB_RX_PKTRX,
3145 "klips_debug:ipsec_rcv: "
3146 "after <%s%s%s>, SA:%s:\n",
3147 IPS_XFORM_NAME(tdbp),
3148 sa_len ? sa : " (error)");
3149 KLIPS_IP_PRINT(debug_rcv & DB_RX_PKTRX, ipp);
3151 skb->protocol = htons(ETH_P_IP);
3155 tdbnext = tdbp->tdb_inext;
3157 spin_lock(&tdb_lock);
3159 if(sysctl_ipsec_inbound_policy_check) {
3161 if(tdbnext->tdb_onext != tdbp) {
3162 delRcvDesc_from_salist(tdbp, pRcvDesc);
3163 spin_unlock(&tdb_lock);
3164 KLIPS_PRINT(debug_rcv,
3165 "klips_debug:ipsec_rcv: "
3166 "SA:%s, backpolicy does not agree with fwdpolicy.\n",
3167 sa_len ? sa : " (error)");
3168 if(pRcvDesc->stats) {
3169 (pRcvDesc->stats)->rx_dropped++;
3173 KLIPS_PRINT(debug_rcv,
3174 "klips_debug:ipsec_rcv: "
3175 "SA:%s, backpolicy agrees with fwdpolicy.\n",
3176 sa_len ? sa : " (error)");
3178 #ifdef CONFIG_IPSEC_IPCOMP
3179 ipp->protocol != IPPROTO_COMP
3180 && (tdbnext->tdb_said.proto != IPPROTO_COMP
3181 || (tdbnext->tdb_said.proto == IPPROTO_COMP
3182 && tdbnext->tdb_inext))
3183 #endif /* CONFIG_IPSEC_IPCOMP */
3184 && ipp->protocol != IPPROTO_IPIP
3186 delRcvDesc_from_salist(tdbp, pRcvDesc);
3187 spin_unlock(&tdb_lock);
3188 KLIPS_PRINT(debug_rcv,
3189 "klips_debug:ipsec_rcv: "
3190 "packet with incomplete policy dropped, last successful SA:%s.\n",
3191 sa_len ? sa : " (error)");
3192 if(pRcvDesc->stats) {
3193 (pRcvDesc->stats)->rx_dropped++;
3197 KLIPS_PRINT(debug_rcv,
3198 "klips_debug:ipsec_rcv: "
3199 "SA:%s, Another IPSEC header to process.\n",
3200 sa_len ? sa : " (error)");
3202 KLIPS_PRINT(debug_rcv,
3203 "klips_debug:ipsec_rcv: "
3204 "No tdb_inext from this SA:%s.\n",
3205 sa_len ? sa : " (error)");
3206 } /* end of if(tdbnext)*/
3207 } /* end of if(sysctl_ipsec_inbound_policy_check) */
3209 #ifdef CONFIG_IPSEC_IPCOMP
3210 /* update ipcomp ratio counters, even if no ipcomp packet is present */
3212 && tdbnext->tdb_said.proto == IPPROTO_COMP
3213 && ipp->protocol != IPPROTO_COMP) {
3214 tdbnext->tdb_comp_ratio_cbytes += ntohs(ipp->tot_len);
3215 tdbnext->tdb_comp_ratio_dbytes += ntohs(ipp->tot_len);
3217 #endif /* CONFIG_IPSEC_IPCOMP */
3219 tdbp->ips_life.ipl_bytes.ipl_count += len;
3220 tdbp->ips_life.ipl_bytes.ipl_last = len;
3222 if(!tdbp->ips_life.ipl_usetime.ipl_count) {
3223 tdbp->ips_life.ipl_usetime.ipl_count = jiffies / HZ;
3225 tdbp->ips_life.ipl_usetime.ipl_last = jiffies / HZ;
3226 tdbp->ips_life.ipl_packets.ipl_count += 1;
3227 delRcvDesc_from_salist(tdbp, pRcvDesc);
3228 spin_unlock(&tdb_lock);
3230 } while( (ipp->protocol == IPPROTO_ESP )
3231 || (ipp->protocol == IPPROTO_AH )
3232 #ifdef CONFIG_IPSEC_IPCOMP
3233 || (ipp->protocol == IPPROTO_COMP)
3234 #endif /* CONFIG_IPSEC_IPCOMP */
3236 /* end decapsulation loop here */
3238 spin_lock(&tdb_lock);
3239 addRcvDesc_to_salist(tdbp, pRcvDesc);
3241 #ifdef CONFIG_IPSEC_IPCOMP
3242 if(tdbnext && tdbnext->tdb_said.proto == IPPROTO_COMP) {
3245 delRcvDesc_from_salist(tdbp, pRcvDesc);
3247 pRcvDesc->tdbp = tdbp;
3248 addRcvDesc_to_salist(tdbp, pRcvDesc);
3249 tdbnext = tdbp->tdb_inext;
3251 #endif /* CONFIG_IPSEC_IPCOMP */
3253 #ifdef CONFIG_IPSEC_NAT_TRAVERSAL
3254 if ((natt_type) && (ipp->protocol != IPPROTO_IPIP)) {
3256 * NAT-Traversal and Transport Mode:
3257 * we need to correct TCP/UDP checksum
3259 * If we've got NAT-OA, we can fix checksum without recalculation.
3261 __u32 natt_oa = tdbp->ips_natt_oa ?
3262 ((struct sockaddr_in*)(tdbp->ips_natt_oa))->sin_addr.s_addr : 0;
3263 __u16 pkt_len = skb->tail - (unsigned char *)ipp;
3264 __u16 data_len = pkt_len - (ipp->ihl << 2);
3266 switch (ipp->protocol) {
3268 if (data_len >= sizeof(struct tcphdr)) {
3269 struct tcphdr *tcp = (struct tcphdr *)((__u32 *)ipp+ipp->ihl);
3271 __u32 buff[2] = { ~natt_oa, ipp->saddr };
3272 KLIPS_PRINT(debug_rcv,
3273 "klips_debug:ipsec_rcv: "
3274 "NAT-T & TRANSPORT: "
3275 "fix TCP checksum using NAT-OA\n");
3276 tcp->check = csum_fold(
3277 csum_partial((unsigned char *)buff, sizeof(buff),
3278 tcp->check^0xffff));
3281 KLIPS_PRINT(debug_rcv,
3282 "klips_debug:ipsec_rcv: "
3283 "NAT-T & TRANSPORT: recalc TCP checksum\n");
3284 if (pkt_len > (ntohs(ipp->tot_len)))
3285 data_len -= (pkt_len - ntohs(ipp->tot_len));
3287 tcp->check = csum_tcpudp_magic(ipp->saddr, ipp->daddr,
3288 data_len, IPPROTO_TCP,
3289 csum_partial((unsigned char *)tcp, data_len, 0));
3293 KLIPS_PRINT(debug_rcv,
3294 "klips_debug:ipsec_rcv: "
3295 "NAT-T & TRANSPORT: can't fix TCP checksum\n");
3299 if (data_len >= sizeof(struct udphdr)) {
3300 struct udphdr *udp = (struct udphdr *)((__u32 *)ipp+ipp->ihl);
3301 if (udp->check == 0) {
3302 KLIPS_PRINT(debug_rcv,
3303 "klips_debug:ipsec_rcv: "
3304 "NAT-T & TRANSPORT: UDP checksum already 0\n");
3307 __u32 buff[2] = { ~natt_oa, ipp->saddr };
3308 KLIPS_PRINT(debug_rcv,
3309 "klips_debug:ipsec_rcv: "
3310 "NAT-T & TRANSPORT: "
3311 "fix UDP checksum using NAT-OA\n");
3312 udp->check = csum_fold(
3313 csum_partial((unsigned char *)buff, sizeof(buff),
3314 udp->check^0xffff));
3317 KLIPS_PRINT(debug_rcv,
3318 "klips_debug:ipsec_rcv: "
3319 "NAT-T & TRANSPORT: zero UDP checksum\n");
3324 KLIPS_PRINT(debug_rcv,
3325 "klips_debug:ipsec_rcv: "
3326 "NAT-T & TRANSPORT: can't fix UDP checksum\n");
3330 KLIPS_PRINT(debug_rcv,
3331 "klips_debug:ipsec_rcv: "
3332 "NAT-T & TRANSPORT: non TCP/UDP packet -- do nothing\n");
3339 * XXX this needs to be locked from when it was first looked
3340 * up in the decapsulation loop. Perhaps it is better to put
3341 * the IPIP decap inside the loop.
3344 delRcvDesc_from_salist(tdbp, pRcvDesc);
3346 addRcvDesc_to_salist(tdbp, pRcvDesc);
3347 pRcvDesc->tdbp = tdbp;
3350 #ifdef CONFIG_IPSEC_DEBUG
3351 sa_len = satoa(tdbp->tdb_said, 0, sa, SATOA_BUF);
3352 #endif /* CONFIG_IPSEC_DEBUG */
3353 if(ipp->protocol != IPPROTO_IPIP) {
3354 delRcvDesc_from_salist(tdbp, pRcvDesc);
3355 spin_unlock(&tdb_lock);
3356 KLIPS_PRINT(debug_rcv,
3357 "klips_debug:ipsec_rcv: "
3358 "SA:%s, Hey! How did this get through? Dropped.\n",
3359 sa_len ? sa : " (error)");
3360 if(pRcvDesc->stats) {
3361 (pRcvDesc->stats)->rx_dropped++;
3365 if(sysctl_ipsec_inbound_policy_check) {
3366 tdbnext = tdbp->tdb_inext;
3368 char sa2[SATOA_BUF];
3370 sa_len2 = satoa(tdbnext->tdb_said, 0, sa2, SATOA_BUF);
3371 delRcvDesc_from_salist(tdbp, pRcvDesc);
3372 spin_unlock(&tdb_lock);
3373 KLIPS_PRINT(debug_rcv,
3374 "klips_debug:ipsec_rcv: "
3375 "unexpected SA:%s after IPIP SA:%s\n",
3376 sa_len2 ? sa2 : " (error)",
3377 sa_len ? sa : " (error)");
3378 if(pRcvDesc->stats) {
3379 (pRcvDesc->stats)->rx_dropped++;
3383 if(ipp->saddr != ((struct sockaddr_in*)(tdbp->tdb_addr_s))->sin_addr.s_addr) {
3384 delRcvDesc_from_salist(tdbp, pRcvDesc);
3385 spin_unlock(&tdb_lock);
3386 ipaddr.s_addr = ipp->saddr;
3387 addrtoa(ipaddr, 0, ipaddr_txt, sizeof(ipaddr_txt));
3388 KLIPS_PRINT(debug_rcv,
3389 "klips_debug:ipsec_rcv: "
3390 "SA:%s, src=%s of pkt does not agree with expected SA source address policy.\n",
3391 sa_len ? sa : " (error)",
3393 if(pRcvDesc->stats) {
3394 (pRcvDesc->stats)->rx_dropped++;
3398 } /* end of if(sysctl_ipsec_inbound_policy_check) */
3401 * XXX this needs to be locked from when it was first looked
3402 * up in the decapsulation loop. Perhaps it is better to put
3403 * the IPIP decap inside the loop.
3405 tdbp->ips_life.ipl_bytes.ipl_count += len;
3406 tdbp->ips_life.ipl_bytes.ipl_last = len;
3408 if(!tdbp->ips_life.ipl_usetime.ipl_count) {
3409 tdbp->ips_life.ipl_usetime.ipl_count = jiffies / HZ;
3411 tdbp->ips_life.ipl_usetime.ipl_last = jiffies / HZ;
3412 tdbp->ips_life.ipl_packets.ipl_count += 1;
3414 if(skb->len < iphlen) {
3415 printk(KERN_WARNING "klips_debug:ipsec_rcv: "
3416 "tried to skb_pull iphlen=%d, %d available. This should never happen, please report.\n",
3420 delRcvDesc_from_salist(tdbp, pRcvDesc);
3421 spin_unlock (&tdb_lock);
3424 skb_pull(skb, iphlen);
3427 ipp = (struct iphdr *)skb->nh.raw = skb->data;
3428 skb->h.raw = skb->nh.raw + (skb->nh.iph->ihl << 2);
3430 memset(&(IPCB(skb)->opt), 0, sizeof(struct ip_options));
3432 ipp = skb->ip_hdr = skb->h.iph = (struct iphdr *)skb->data;
3434 memset(skb->proto_priv, 0, sizeof(struct options));
3437 skb->protocol = htons(ETH_P_IP);
3439 KLIPS_PRINT(debug_rcv & DB_RX_PKTRX,
3440 "klips_debug:ipsec_rcv: "
3441 "IPIP tunnel stripped.\n");
3442 KLIPS_IP_PRINT(debug_rcv & DB_RX_PKTRX, ipp);
3444 if(sysctl_ipsec_inbound_policy_check
3446 Note: "xor" (^) logically replaces "not equal"
3447 (!=) and "bitwise or" (|) logically replaces
3448 "boolean or" (||). This is done to speed up
3449 execution by doing only bitwise operations and
3450 no branch operations
3452 && (((ipp->saddr & tdbp->tdb_mask_s.u.v4.sin_addr.s_addr)
3453 ^ tdbp->tdb_flow_s.u.v4.sin_addr.s_addr)
3454 | ((ipp->daddr & tdbp->tdb_mask_d.u.v4.sin_addr.s_addr)
3455 ^ tdbp->tdb_flow_d.u.v4.sin_addr.s_addr)) )
3457 struct in_addr daddr, saddr;
3458 #ifdef CONFIG_IPSEC_DEBUG
3459 char saddr_txt[ADDRTOA_BUF], daddr_txt[ADDRTOA_BUF];
3460 char sflow_txt[SUBNETTOA_BUF], dflow_txt[SUBNETTOA_BUF];
3462 subnettoa(tdbp->tdb_flow_s.u.v4.sin_addr,
3463 tdbp->tdb_mask_s.u.v4.sin_addr,
3464 0, sflow_txt, sizeof(sflow_txt));
3465 subnettoa(tdbp->tdb_flow_d.u.v4.sin_addr,
3466 tdbp->tdb_mask_d.u.v4.sin_addr,
3467 0, dflow_txt, sizeof(dflow_txt));
3468 #endif /* CONFIG_IPSEC_DEBUG */
3469 saddr.s_addr = ipp->saddr;
3470 daddr.s_addr = ipp->daddr;
3471 #ifdef CONFIG_IPSEC_DEBUG
3472 addrtoa(saddr, 0, saddr_txt, sizeof(saddr_txt));
3473 addrtoa(daddr, 0, daddr_txt, sizeof(daddr_txt));
3474 KLIPS_PRINT(debug_rcv,
3475 "klips_debug:ipsec_rcv: "
3476 "SA:%s, inner tunnel policy [%s -> %s] does not agree with pkt contents [%s -> %s].\n",
3477 sa_len ? sa : " (error)",
3483 if(pRcvDesc->stats) {
3484 (pRcvDesc->stats)->rx_dropped++;
3486 delRcvDesc_from_salist(tdbp, pRcvDesc);
3487 spin_unlock (&tdb_lock);
3490 } /* end of if(tdbnext) */
3492 delRcvDesc_from_salist(tdbp, pRcvDesc);
3493 spin_unlock(&tdb_lock);
3496 #ifdef INBOUND_POLICY_CHECK_eroute
3498 Do *not* enable this without thoroughly checking spinlock issues
3499 first. In particular, nesting an eroute spinlock within a tdb
3500 spinlock could result in a deadlock. (Well, only on a SMP machine
3505 * First things first -- look us up in the erouting tables.
3507 matcher.sen_len = sizeof (struct sockaddr_encap);
3508 matcher.sen_family = AF_ENCAP;
3509 matcher.sen_type = SENT_IP4;
3510 if(ipp->protocol == IPPROTO_IPIP) {
3513 ipp2 = (struct iphdr*) (((char*)ipp) + (ipp->ihl << 2));
3514 matcher.sen_ip_src.s_addr = ipp2->saddr;
3515 matcher.sen_ip_dst.s_addr = ipp2->daddr;
3517 matcher.sen_ip_src.s_addr = ipp->saddr;
3518 matcher.sen_ip_dst.s_addr = ipp->daddr;
3522 * The spinlock is to prevent any other process from accessing or
3523 * deleting the eroute while we are using and updating it.
3525 spin_lock(&eroute_lock);
3527 er = ipsec_findroute(&matcher);
3529 policy_said = er->er_said;
3530 policy_eaddr = er->er_eaddr;
3531 policy_emask = er->er_emask;
3533 er->er_lasttime = jiffies/HZ;
3536 spin_unlock(&eroute_lock);
3540 * The spinlock is to prevent any other process from
3541 * accessing or deleting the tdb while we are using and
3544 spin_lock(&tdb_lock);
3546 policy_tdb = gettdb(&policy_said);
3547 if (policy_tdb == NULL) {
3548 spin_unlock(&tdb_lock);
3549 KLIPS_PRINT(debug_rcv,
3550 "klips_debug:ipsec_rcv: "
3551 "no Tunnel Descriptor Block for SA%s: incoming packet with no policy SA, dropped.\n",
3552 sa_len ? sa : " (error)");
3556 sa_len = satoa(policy_said, 0, sa, SATOA_BUF);
3558 KLIPS_PRINT(debug_rcv,
3559 "klips_debug:ipsec_rcv: "
3560 "found policy Tunnel Descriptor Block -- SA:%s\n",
3561 sa_len ? sa : " (error)");
3563 if(policy_tdb->tdb_inext) {
3564 policy_tdb = policy_tdb->tdb_inext;
3570 if(policy_tdb != tdbp) {
3571 spin_unlock(&tdb_lock);
3572 KLIPS_PRINT(debug_rcv,
3573 "klips_debug:ipsec_rcv: "
3574 "Tunnel Descriptor Block for SA%s: incoming packet with different policy SA, dropped.\n",
3575 sa_len ? sa : " (error)");
3579 spin_unlock(&tdb_lock);
3580 } /* end of if(er) */
3581 #endif /* INBOUND_POLICY_CHECK_eroute */
3584 if(pRcvDesc->stats) {
3585 (pRcvDesc->stats)->rx_bytes += skb->len;
3588 dst_release(skb->dst);
3591 skb->pkt_type = PACKET_HOST;
3592 if(pRcvDesc->hard_header_len &&
3593 (skb->mac.raw != (skb->data - pRcvDesc->hard_header_len)) &&
3594 (pRcvDesc->hard_header_len <= skb_headroom(skb))) {
3595 /* copy back original MAC header */
3596 memmove(skb->data - pRcvDesc->hard_header_len, skb->mac.raw, pRcvDesc->hard_header_len);
3597 skb->mac.raw = skb->data - pRcvDesc->hard_header_len;
3601 #ifdef CONFIG_IPSEC_IPCOMP
3602 if(ipp->protocol == IPPROTO_COMP) {
3603 unsigned int flags = 0;
3605 if(sysctl_ipsec_inbound_policy_check) {
3606 KLIPS_PRINT(debug_rcv & DB_RX_PKTRX,
3607 "klips_debug:ipsec_rcv: "
3608 "inbound policy checking enabled, IPCOMP follows IPIP, dropped.\n");
3609 if (pRcvDesc->stats) {
3610 (pRcvDesc->stats)->rx_errors++;
3615 XXX need a TDB for updating ratio counters but it is not
3616 following policy anyways so it is not a priority
3618 skb = skb_decompress(skb, NULL, &flags);
3619 if (!skb || flags) {
3620 KLIPS_PRINT(debug_rcv & DB_RX_PKTRX,
3621 "klips_debug:ipsec_rcv: "
3622 "skb_decompress() returned error flags: %d, dropped.\n",
3624 if (pRcvDesc->stats) {
3625 (pRcvDesc->stats)->rx_errors++;
3630 #endif /* CONFIG_IPSEC_IPCOMP */
3632 #ifdef SKB_RESET_NFCT
3633 nf_conntrack_put(skb->nfct);
3635 #ifdef CONFIG_NETFILTER_DEBUG
3637 #endif /* CONFIG_NETFILTER_DEBUG */
3638 #if defined(CONFIG_BRIDGE) || defined(CONFIG_BRIDGE_MODULE)
3639 nf_bridge_put(skb->nf_bridge);
3640 skb->nf_bridge = NULL;
3642 #endif /* SKB_RESET_NFCT */
3644 KLIPS_PRINT(debug_rcv & DB_RX_PKTRX,
3645 "klips_debug:ipsec_rcv: "
3646 "netif_rx() called.\n");
3651 ipsec_glue_rcv_desc_release (pRcvDesc);
3659 ipsec_glue_rcv_desc_release (pRcvDesc);
3665 kfree_skb(skb, FREE_WRITE);
3673 struct inet_protocol ah_protocol =
3675 ipsec_rcv, /* AH handler */
3676 NULL, /* TUNNEL error control */
3678 IPPROTO_AH, /* protocol ID */
3684 struct inet_protocol esp_protocol =
3686 ipsec_rcv, /* ESP handler */
3687 NULL, /* TUNNEL error control */
3689 IPPROTO_ESP, /* protocol ID */
3696 /* We probably don't want to install a pure IPCOMP protocol handler, but
3697 only want to handle IPCOMP if it is encapsulated inside an ESP payload
3698 (which is already handled) */
3699 #ifdef CONFIG_IPSEC_IPCOMP
3700 struct inet_protocol comp_protocol =
3702 ipsec_rcv, /* COMP handler */
3703 NULL, /* COMP error control */
3705 IPPROTO_COMP, /* protocol ID */
3710 #endif /* CONFIG_IPSEC_IPCOMP */
3714 * $Log: ipsec_rcv.c,v $
3715 * Revision 1.2.2.1 2004/08/31 05:59:47 philipc
3716 * The NAT traversal support was not releasing descriptors for IKE packets.
3717 * This happens even if NAT traversal is not being used. Result was that
3718 * 1000 IKE packets later we ran out of descriptors.
3720 * Additionally, once we did run out of descriptors, we started releasing
3721 * uninitialised pointers back to the descriptor pool. If you were lucky
3722 * this would merely result in a null pointer access; other values cause
3723 * varying unusual effects.
3727 * Revision 1.2 2004/06/11 01:15:08 davidm
3729 * Allow kernel to compile with ipsec debug disabled.
3732 * Revision 1.1 2004/05/11 00:38:42 danield
3733 * Added support for hardware acceleration on the xscale. To make use of this
3734 * ability you will need to select CONFIG_IXP4XX_CRYPTO in your kernel config
3738 * Revision 1.9.2.1 2003/06/30 05:04:07 matthewn
3739 * We need to set the physindev when we receive a packet via IPSec.
3741 * Revision 1.102 2002/01/29 17:17:56 mcr
3742 * moved include of ipsec_param.h to after include of linux/kernel.h
3743 * otherwise, it seems that some option that is set in ipsec_param.h
3744 * screws up something subtle in the include path to kernel.h, and
3745 * it complains on the snprintf() prototype.
3747 * Revision 1.101 2002/01/29 04:00:52 mcr
3748 * more excise of kversions.h header.
3750 * Revision 1.100 2002/01/29 02:13:17 mcr
3751 * introduction of ipsec_kversion.h means that include of
3752 ipsec_param.h must precede any decisions about what files to
3753 * include to deal with differences in kernel source.
3755 * Revision 1.99 2002/01/28 21:40:59 mcr
3756 * should use #if to test boolean option rather than #ifdef.
3758 * Revision 1.98 2002/01/20 20:19:36 mcr
3759 * renamed option to IP_FRAGMENT_LINEARIZE.
3761 * Revision 1.97 2002/01/12 02:55:36 mcr
3762 * fix for post-2.4.4 to linearize skb's when ESP packet
3763 * was assembled from fragments.
3765 * Revision 1.96 2001/11/26 09:23:49 rgb
3766 * Merge MCR's ipsec_sa, eroute, proc and struct lifetime changes.
3768 * Revision 1.93.2.2 2001/10/22 20:54:07 mcr
3769 * include des.h, removed phony prototypes and fixed calling
3770 * conventions to match real prototypes.
3772 * Revision 1.93.2.1 2001/09/25 02:22:22 mcr
3773 * struct tdb -> struct ipsec_sa.
3774 * lifetime checks moved to ipsec_life.c
3775 * some sa(tdb) manipulation functions renamed.
3777 * Revision 1.95 2001/11/06 19:49:07 rgb
3778 * Added variable descriptions.
3779 * Removed unauthenticated sequence==0 check to prevent DoS.
3781 * Revision 1.94 2001/10/18 04:45:20 rgb
3782 * 2.4.9 kernel deprecates linux/malloc.h in favour of linux/slab.h,
3783 * lib/freeswan.h version macros moved to lib/kversions.h.
3784 * Other compiler directive cleanups.
3786 * Revision 1.93 2001/09/07 22:17:24 rgb
3787 * Fix for removal of transport layer protocol handler arg in 2.4.4.
3788 * Fix to accommodate peer non-conformance to IPCOMP rfc2393.
3790 * Revision 1.92 2001/08/27 19:44:41 rgb
3791 * Fix error in comment.
3793 * Revision 1.91 2001/07/20 19:31:48 dhr
3794 * [DHR] fix source and destination subnets of policy in diagnostic
3796 * Revision 1.90 2001/07/06 19:51:09 rgb
3797 * Added inbound policy checking code for IPIP SAs.
3798 * Renamed unused function argument for ease and intuitive naming.
3800 * Revision 1.89 2001/06/22 19:35:23 rgb
3801 * Disable ipcomp processing if we are handed an ipcomp packet with no esp
3803 * Print protocol if we are handed a non-ipsec packet.
3805 * Revision 1.88 2001/06/20 06:30:47 rgb
3806 * Fixed transport mode IPCOMP policy check bug.
3808 * Revision 1.87 2001/06/13 20:58:40 rgb
3809 * Added parentheses around assignment used as truth value to silence
3812 * Revision 1.86 2001/06/07 22:25:23 rgb
3813 * Added a source address policy check for tunnel mode. It still does
3814 * not check client addresses and masks.
3815 * Only decapsulate IPIP if it is expected.
3817 * Revision 1.85 2001/05/30 08:14:02 rgb
3818 * Removed vestiges of esp-null transforms.
3820 * Revision 1.84 2001/05/27 06:12:11 rgb
3821 * Added structures for pid, packet count and last access time to eroute.
3822 * Added packet count to beginning of /proc/net/ipsec_eroute.
3824 * Revision 1.83 2001/05/04 16:45:47 rgb
3825 * Remove unneeded code. ipp is not used after this point.
3827 * Revision 1.82 2001/05/04 16:36:00 rgb
3828 * Fix skb_cow() call for 2.4.4. (SS)
3830 * Revision 1.81 2001/05/02 14:46:53 rgb
3831 * Fix typo for compiler directive to pull IPH back.
3833 * Revision 1.80 2001/04/30 19:46:34 rgb
3834 * Update for 2.4.4. We now receive the skb with skb->data pointing to
3837 * Revision 1.79 2001/04/23 15:01:15 rgb
3838 * Added spin_lock() check to prevent double-locking for multiple
3839 * transforms and hence kernel lock-ups with SMP kernels.
3840 * Minor spin_unlock() adjustments to unlock before non-dependent prints
3841 * and IPSEC device stats updates.
3843 * Revision 1.78 2001/04/21 23:04:24 rgb
3844 * Check if soft expire has already been sent before sending another to
3845 * prevent ACQUIRE flooding.
3847 * Revision 1.77 2001/03/16 07:35:20 rgb
3848 * Ditch extra #if 1 around now permanent policy checking code.
3850 * Revision 1.76 2001/02/27 22:24:54 rgb
3851 * Re-formatting debug output (line-splitting, joining, 1arg/line).
3852 * Check for satoa() return codes.
3854 * Revision 1.75 2001/02/19 22:28:30 rgb
3855 * Minor change to virtual device discovery code to assert which I/F has
3858 * Revision 1.74 2000/11/25 03:50:36 rgb
3859 * Oops fix by minor re-arrangement of code to avoid accessing a freed tdb.
3861 * Revision 1.73 2000/11/09 20:52:15 rgb
3862 * More spinlock shuffling, locking earlier and unlocking later in rcv to
3863 * include ipcomp and prevent races, renaming some tdb variables that got
3864 * forgotten, moving some unlocks to include tdbs and adding a missing
3865 * unlock. Thanks to Svenning for some of these.
3867 * Revision 1.72 2000/11/09 20:11:22 rgb
3868 * Minor shuffles to fix non-standard kernel config option selection.
3870 * Revision 1.71 2000/11/06 04:36:18 rgb
3871 * Ditched spin_lock_irqsave in favour of spin_lock.
3872 * Minor initial protocol check rewrite.
3873 * Clean up debug printing.
3874 * Clean up tdb handling on ipcomp.
3875 * Fixed transport mode null pointer de-reference without ipcomp.
3876 * Add Svenning's adaptive content compression.
3877 * Disabled registration of ipcomp handler.
3879 * Revision 1.70 2000/10/30 23:41:43 henry
3880 * Hans-Joerg Hoexer's null-pointer fix
3882 * Revision 1.69 2000/10/10 18:54:16 rgb
3883 * Added a fix for incoming policy check with ipcomp enabled but
3886 * Revision 1.68 2000/09/22 17:53:12 rgb
3887 * Fixed ipcomp tdb pointers update for policy checking.
3889 * Revision 1.67 2000/09/21 03:40:58 rgb
3890 * Added more debugging to try and track down the cpi outward copy problem.
3892 * Revision 1.66 2000/09/20 04:00:10 rgb
3893 * Changed static functions to DEBUG_NO_STATIC to reveal function names for
3896 * Revision 1.65 2000/09/19 07:07:16 rgb
3897 * Added debugging to inbound policy check for ipcomp.
3898 * Added missing spin_unlocks (thanks Svenning!).
3899 * Fixed misplaced tdbnext pointers causing mismatched ipip policy check.
3900 * Protect ipcomp policy check following ipip decap with sysctl switch.
3902 * Revision 1.64 2000/09/18 21:27:29 rgb
3905 * Revision 1.63 2000/09/18 02:35:50 rgb
3906 * Added policy checking to ipcomp and re-enabled policy checking by
3908 * Optimised satoa calls.
3910 * Revision 1.62 2000/09/17 21:02:32 rgb
3911 * Clean up debugging, removing slow timestamp debug code.
3913 * Revision 1.61 2000/09/16 01:07:55 rgb
3914 * Fixed erroneous ref from struct ipcomp to struct ipcomphdr.
3916 * Revision 1.60 2000/09/15 11:37:01 rgb
3917 * Merge in heavily modified Svenning Soerensen's <svenning@post5.tele.dk>
3918 * IPCOMP zlib deflate code.
3920 * Revision 1.59 2000/09/15 04:56:20 rgb
3921 * Remove redundant satoa() call, reformat comment.
3923 * Revision 1.58 2000/09/13 08:00:52 rgb
3924 * Flick on inbound policy checking.
3926 * Revision 1.57 2000/09/12 03:22:19 rgb
3927 * Converted inbound_policy_check to sysctl.
3928 * Re-enabled policy backcheck.
3929 * Moved policy checks to top and within tdb lock.
3931 * Revision 1.56 2000/09/08 19:12:56 rgb
3932 * Change references from DEBUG_IPSEC to CONFIG_IPSEC_DEBUG.
3934 * Revision 1.55 2000/08/28 18:15:46 rgb
3935 * Added MB's nf-debug reset patch.
3937 * Revision 1.54 2000/08/27 01:41:26 rgb
3938 * More minor tweaks to the bad padding debug code.
3940 * Revision 1.53 2000/08/24 16:54:16 rgb
3941 * Added KLIPS_PRINTMORE macro to continue lines without KERN_INFO level
3943 * Tidied up device reporting at the start of ipsec_rcv.
3944 * Tidied up bad padding debugging and processing.
3946 * Revision 1.52 2000/08/20 21:36:03 rgb
3947 * Activated pfkey_expire() calls.
3948 * Added a hard/soft expiry parameter to pfkey_expire().
3949 * Added sanity checking to avoid propagating zero or smaller-length skbs
3950 * from a bogus decryption.
3951 * Re-arranged the order of soft and hard expiry to conform to RFC2367.
3952 * Clean up references to CONFIG_IPSEC_PFKEYv2.
3954 * Revision 1.51 2000/08/18 21:23:30 rgb
3955 * Improve bad padding warning so that the printk buffer doesn't get
3958 * Revision 1.50 2000/08/01 14:51:51 rgb
3959 * Removed _all_ remaining traces of DES.
3961 * Revision 1.49 2000/07/28 13:50:53 rgb
3962 * Changed enet_statistics to net_device_stats and added back compatibility
3965 * Revision 1.48 2000/05/10 19:14:40 rgb
3966 * Only check usetime against soft and hard limits if the tdb has been
3968 * Cast output of ntohl so that the broken prototype doesn't make our
3971 * Revision 1.47 2000/05/09 17:45:43 rgb
3972 * Fix replay bitmap corruption bug upon receipt of bogus packet
3973 * with correct SPI. This was a DoS.
3975 * Revision 1.46 2000/03/27 02:31:58 rgb
3976 * Fixed authentication failure printout bug.
3978 * Revision 1.45 2000/03/22 16:15:37 rgb
3979 * Fixed renaming of dev_get (MB).
3981 * Revision 1.44 2000/03/16 08:17:24 rgb
3982 * Hardcode PF_KEYv2 support.
3983 * Fixed minor bug checking AH header length.
3985 * Revision 1.43 2000/03/14 12:26:59 rgb
3986 * Added skb->nfct support for clearing netfilter conntrack bits (MB).
3988 * Revision 1.42 2000/01/26 10:04:04 rgb
3989 * Fixed inbound policy checking on transport mode bug.
3990 * Fixed noisy 2.0 printk arguments.
3992 * Revision 1.41 2000/01/24 20:58:02 rgb
3993 * Improve debugging/reporting support for (disabled) inbound
3996 * Revision 1.40 2000/01/22 23:20:10 rgb
3997 * Fixed up inbound policy checking code.
3998 * Cleaned out unused crud.
4000 * Revision 1.39 2000/01/21 06:15:29 rgb
4001 * Added sanity checks on skb_push(), skb_pull() to prevent panics.
4002 * Fixed cut-and-paste debug_tunnel to debug_rcv.
4003 * Added inbound policy checking code, disabled.
4004 * Simplified output code by updating ipp to post-IPIP decapsulation.
4006 * Revision 1.38 1999/12/22 05:08:36 rgb
4007 * Checked for null skb, skb->dev, skb->data, skb->dev->name, dev->name,
4008 * protocol and take appropriate action for sanity.
4009 * Set ipsecdev to NULL if device could not be determined.
4010 * Fixed NULL stats access bug if device could not be determined.
4012 * Revision 1.37 1999/12/14 20:07:59 rgb
4013 * Added a default switch case to catch bogus encalg values.
4015 * Revision 1.36 1999/12/07 18:57:57 rgb
4016 * Fix PFKEY symbol compile error (SADB_*) without pfkey enabled.
4018 * Revision 1.35 1999/12/01 22:15:35 rgb
4019 * Add checks for LARVAL and DEAD SAs.
4020 * Change state of SA from MATURE to DYING when a soft lifetime is
4021 * reached and print debug warning.
4023 * Revision 1.34 1999/11/23 23:04:03 rgb
4024 * Use provided macro ADDRTOA_BUF instead of hardcoded value.
4025 * Sort out pfkey and freeswan headers, putting them in a library path.
4027 * Revision 1.33 1999/11/19 01:10:06 rgb
4028 * Enable protocol handler structures for static linking.
4030 * Revision 1.32 1999/11/18 04:09:19 rgb
4031 * Replaced all kernel version macros to shorter, readable form.
4033 * Revision 1.31 1999/11/17 15:53:39 rgb
4034 * Changed all occurrences of #include "../../../lib/freeswan.h"
4035 * to #include <freeswan.h> which works due to -Ilibfreeswan in the
4036 * klips/net/ipsec/Makefile.
4038 * Revision 1.30 1999/10/26 15:09:07 rgb
4039 * Used debug compiler directives to shut up compiler for decl/assign
4042 * Revision 1.29 1999/10/16 18:25:37 rgb
4043 * Moved SA lifetime expiry checks before packet processing.
4044 * Expire SA on replay counter rollover.
4046 * Revision 1.28 1999/10/16 04:23:07 rgb
4047 * Add stats for replaywin_errs, replaywin_max_sequence_difference,
4048 * authentication errors, encryption size errors, encryption padding
4049 * errors, and time since last packet.
4051 * Revision 1.27 1999/10/16 00:30:47 rgb
4052 * Added SA lifetime counting.
4054 * Revision 1.26 1999/10/15 22:14:37 rgb
4057 * Revision 1.25 1999/10/08 18:37:34 rgb
4058 * Fix end-of-line spacing to sate whining PHMs.
4060 * Revision 1.24 1999/10/03 18:54:51 rgb
4061 * Spinlock support for 2.3.xx.
4062 * Don't forget to undo spinlocks on error!
4064 * Revision 1.23 1999/10/01 15:44:53 rgb
4065 * Move spinlock header include to 2.1> scope.
4067 * Revision 1.22 1999/10/01 00:01:54 rgb
4068 * Added tdb structure locking.
4070 * Revision 1.21 1999/09/18 11:42:12 rgb
4071 * Add Marc Boucher's tcpdump cloned packet fix.
4073 * Revision 1.20 1999/09/17 23:50:25 rgb
4074 * Add Marc Boucher's hard_header_len patches.
4076 * Revision 1.19 1999/09/10 05:31:36 henry
4077 * tentative fix for 2.0.38-crash bug (move chunk of new code into 2.2 #ifdef)
4079 * Revision 1.18 1999/08/28 08:28:06 rgb
4080 * Delete redundant sanity check.
4082 * Revision 1.17 1999/08/28 02:00:58 rgb
4083 * Add an extra sanity check for null skbs.
4085 * Revision 1.16 1999/08/27 05:21:38 rgb
4086 * Clean up skb->data/raw/nh/h manipulation.
4087 * Add Marc Boucher's mods to aid tcpdump.
4089 * Revision 1.15 1999/08/25 14:22:40 rgb
4090 * Require 4-octet boundary check only for ESP.
4092 * Revision 1.14 1999/08/11 08:36:44 rgb
4093 * Add compiler directives to allow configuring out AH, ESP or transforms.
4095 * Revision 1.13 1999/08/03 17:10:49 rgb
4096 * Cosmetic fixes and clarification to debug output.
4098 * Revision 1.12 1999/05/09 03:25:36 rgb
4099 * Fix bug introduced by 2.2 quick-and-dirty patch.
4101 * Revision 1.11 1999/05/08 21:23:57 rgb
4102 * Add casting to silence the 2.2.x compile.
4104 * Revision 1.10 1999/05/05 22:02:31 rgb
4105 * Add a quick and dirty port to 2.2 kernels by Marc Boucher <marc@mbsi.ca>.
4107 * Revision 1.9 1999/04/29 15:18:01 rgb
4108 * Change debugging to respond only to debug_rcv.
4109 * Change gettdb parameter to a pointer to reduce stack loading and
4110 * facilitate parameter sanity checking.
4112 * Revision 1.8 1999/04/15 15:37:24 rgb
4113 * Forward check changes from POST1_00 branch.
4115 * Revision 1.4.2.2 1999/04/13 20:32:45 rgb
4116 * Move null skb sanity check.
4117 * Silence debug a bit more when off.
4118 * Use stats more effectively.
4120 * Revision 1.4.2.1 1999/03/30 17:10:32 rgb
4121 * Update AH+ESP bugfix.
4123 * Revision 1.7 1999/04/11 00:28:59 henry
4126 * Revision 1.6 1999/04/06 04:54:27 rgb
4127 * Fix/Add RCSID Id: and Log: bits to make PHMDs happy. This includes
4128 * patch shell fixes.
4130 * Revision 1.5 1999/03/17 15:39:23 rgb
4133 * ESP_NULL esphlen and IV bug fix.
4135 * Revision 1.4 1999/02/17 16:51:02 rgb
4136 * Ditch NET_IPIP dependency.
4137 * Decapsulate recursively for an entire bundle.
4139 * Revision 1.3 1999/02/12 21:22:47 rgb
4140 * Convert debugging printks to KLIPS_PRINT macro.
4142 * Process IPIP tunnels internally.
4144 * Revision 1.2 1999/01/26 02:07:36 rgb
4145 * Clean up debug code when switched off.
4146 * Remove references to INET_GET_PROTOCOL.
4148 * Revision 1.1 1999/01/21 20:29:11 rgb
4149 * Converted from transform switching to algorithm switching.
4152 * Id: ipsec_esp.c,v 1.16 1998/12/02 03:08:11 rgb Exp $
4154 * Log: ipsec_esp.c,v $
4155 * Revision 1.16 1998/12/02 03:08:11 rgb
4156 * Fix incoming I/F bug in AH and clean up inconsistencies in the I/F
4157 * discovery routine in both AH and ESP.
4159 * Revision 1.15 1998/11/30 13:22:51 rgb
4160 * Rationalised all the klips kernel file headers. They are much shorter
4161 * now and won't conflict under RH5.2.
4163 * Revision 1.14 1998/11/10 05:55:37 rgb
4164 * Add even more detail to 'wrong I/F' debug statement.
4166 * Revision 1.13 1998/11/10 05:01:30 rgb
4167 * Clean up debug output to be quiet when disabled.
4168 * Add more detail to 'wrong I/F' debug statement.
4170 * Revision 1.12 1998/10/31 06:39:32 rgb
4171 * Fixed up comments in #endif directives.
4172 * Tidied up debug printk output.
4173 * Convert to addrtoa and satoa where possible.
4175 * Revision 1.11 1998/10/27 00:49:30 rgb
4176 * AH+ESP bundling bug has been squished.
4177 * Cosmetic brace fixing in code.
4178 * Newlines added before calls to ipsec_print_ip.
4179 * Fix debug output function ID's.
4181 * Revision 1.10 1998/10/22 06:37:22 rgb
4182 * Fixed run-on error message to fit 80 columns.
4184 * Revision 1.9 1998/10/20 02:41:04 rgb
4185 * Fixed a replay window size sanity test bug.
4187 * Revision 1.8 1998/10/19 18:55:27 rgb
4188 * Added inclusion of freeswan.h.
4189 * sa_id structure implemented and used: now includes protocol.
4190 * \n bugfix to printk debug message.
4192 * Revision 1.7 1998/10/09 04:23:03 rgb
4193 * Fixed possible DoS caused by invalid transform called from an ESP
4194 * packet. This should not be a problem when protocol is added to the SA.
4195 * Sanity check added for null xf_input routine. Sanity check added for null
4196 * socket buffer returned from xf_input routine.
4197 * Added 'klips_debug' prefix to all klips printk debug statements.
4199 * Revision 1.6 1998/07/14 15:56:04 rgb
4200 * Set sdb->dev to virtual ipsec I/F.
4202 * Revision 1.5 1998/06/30 18:07:46 rgb
4203 * Change for ah/esp_protocol struct visible only if module.
4205 * Revision 1.4 1998/06/30 00:12:46 rgb
4206 * Clean up a module compile error.
4208 * Revision 1.3 1998/06/25 19:28:06 rgb
4209 * Readjust premature unloading of module on packet receipt.
4210 * Make protocol structure available to rest of kernel.
4211 * Use macro for protocol number.
4213 * Revision 1.2 1998/06/23 02:49:34 rgb
4214 * Fix minor #include bug that prevented compiling without debugging.
4215 * Added code to check for presence of IPIP protocol if an incoming packet
4218 * Revision 1.1 1998/06/18 21:27:44 henry
4219 * move sources from klips/src to klips/net/ipsec, to keep stupid
4220 * kernel-build scripts happier in the presence of symlinks
4222 * Revision 1.9 1998/06/14 23:48:42 rgb
4223 * Fix I/F name comparison oops bug.
4225 * Revision 1.8 1998/06/11 07:20:04 rgb
4226 * Stats fixed for rx_packets.
4228 * Revision 1.7 1998/06/11 05:53:34 rgb
4229 * Added stats for rx error and good packet reporting.
4231 * Revision 1.6 1998/06/05 02:27:28 rgb
4232 * Add rx_errors stats.
4233 * Fix DoS bug: skb's not being freed on dropped packets.
4235 * Revision 1.5 1998/05/27 21:21:29 rgb
4236 * Fix DoS potential bug. skb was not being freed if the packet was bad.
4238 * Revision 1.4 1998/05/18 22:31:37 rgb
4239 * Minor change in debug output and comments.
4241 * Revision 1.3 1998/04/21 21:29:02 rgb
4242 * Rearrange debug switches to change on the fly debug output from user
4243 * space. Only kernel changes checked in at this time. radij.c was also
4244 * changed to temporarily remove buggy debugging code in rj_delete causing
4245 * an OOPS and hence, netlink device open errors.
4247 * Revision 1.2 1998/04/12 22:03:19 rgb
4248 * Updated ESP-3DES-HMAC-MD5-96,
4249 * ESP-DES-HMAC-MD5-96,
4251 * AH-HMAC-SHA1-96 since Henry started freeswan cvs repository
4252 * from old standards (RFC182[5-9] to new (as of March 1998) drafts.
4254 * Fixed eroute references in /proc/net/ipsec*.
4256 * Started to patch module unloading memory leaks in ipsec_netlink and
4257 * radij tree unloading.
4259 * Revision 1.1 1998/04/09 03:05:59 henry
4260 * sources moved up from linux/net/ipsec
4262 * Revision 1.1.1.1 1998/04/08 05:35:04 henry
4263 * RGB's ipsec-0.8pre2.tar.gz ipsec-0.8
4265 * Revision 0.4 1997/01/15 01:28:15 ji
4266 * Minor cosmetic changes.
4268 * Revision 0.3 1996/11/20 14:35:48 ji
4270 * Rationalized debugging code.
4272 * Revision 0.2 1996/11/02 00:18:33 ji
4273 * First limited release.