enum ipsec_xmit_value
ipsec_xmit_ipcomp_setup(struct ipsec_xmit_state *ixs)
{
unsigned int flags = 0;
unsigned int tot_len, old_tot_len;
#ifdef CONFIG_KLIPS_IPV6
if (osw_ip_hdr_version(ixs) == 6)
old_tot_len = ntohs(osw_ip6_hdr(ixs)->payload_len) + sizeof(struct ipv6hdr);
else
#endif
old_tot_len = ntohs(osw_ip4_hdr(ixs)->tot_len);
ixs->ipsp->ips_comp_ratio_dbytes += old_tot_len;
ixs->skb = skb_compress(ixs->skb, ixs->ipsp, &flags);
ixs->iph = (void *)ip_hdr(ixs->skb);
#ifdef CONFIG_KLIPS_IPV6
if (osw_ip_hdr_version(ixs) == 6) {
IPSEC_FRAG_OFF_DECL(frag_off)
int nexthdroff;
unsigned char nexthdr = osw_ip6_hdr(ixs)->nexthdr;
nexthdroff = ipsec_ipv6_skip_exthdr(ixs->skb,
((void *)(osw_ip6_hdr(ixs)+1)) - (void*)ixs->skb->data,
&nexthdr, &frag_off);
ixs->iphlen = nexthdroff - (ixs->iph - (void*)ixs->skb->data);
tot_len = ntohs(osw_ip6_hdr(ixs)->payload_len) + sizeof(struct ipv6hdr);
} else
/*
* Verify that the skb can go out on this ipsp.
* Return 0 if OK, error code otherwise.
*/
static int
ipsec_mast_check_outbound_policy(struct ipsec_xmit_state *ixs)
{
int failed_outbound_check = 0;
struct ipsec_sa *ipsp = ixs->ipsp;
if (!ixs || !ixs->ipsp || !ixs->iph)
return -EFAULT;
/* Note: "xor" (^) logically replaces "not equal"
* (!=) and "bitwise or" (|) logically replaces
* "boolean or" (||). This is done to speed up
* execution by doing only bitwise operations and
* no branch operations */
if (osw_ip_hdr_version(ixs) == 4) {
struct iphdr *ipp = osw_ip4_hdr(ixs);
if (ip_address_family(&ipsp->ips_said.dst) != AF_INET) {
failed_outbound_check = 1;
} else if (((ipp->saddr & ipsp->ips_mask_s.u.v4.sin_addr.s_addr)
^ ipsp->ips_flow_s.u.v4.sin_addr.s_addr)
| ((ipp->daddr & ipsp->ips_mask_d.u.v4.sin_addr.s_addr)
^ ipsp->ips_flow_d.u.v4.sin_addr.s_addr)) {
failed_outbound_check = 1;
}
} else if (osw_ip_hdr_version(ixs) == 6) {
struct ipv6hdr *ipp6 = osw_ip6_hdr(ixs);
if (ip_address_family(&ipsp->ips_said.dst) != AF_INET6) {
failed_outbound_check = 1;
} else if (((ipp6->saddr.s6_addr32[0] & ipsp->ips_mask_s.u.v6.sin6_addr.s6_addr32[0])
^ ipsp->ips_flow_s.u.v6.sin6_addr.s6_addr32[0])
| ((ipp6->daddr.s6_addr32[0] & ipsp->ips_mask_d.u.v6.sin6_addr.s6_addr32[0])
^ ipsp->ips_flow_d.u.v6.sin6_addr.s6_addr32[0])) {
failed_outbound_check = 1;
} else if (((ipp6->saddr.s6_addr32[1] & ipsp->ips_mask_s.u.v6.sin6_addr.s6_addr32[1])
^ ipsp->ips_flow_s.u.v6.sin6_addr.s6_addr32[1])
| ((ipp6->daddr.s6_addr32[1] & ipsp->ips_mask_d.u.v6.sin6_addr.s6_addr32[1])
^ ipsp->ips_flow_d.u.v6.sin6_addr.s6_addr32[1])) {
failed_outbound_check = 1;
} else if (((ipp6->saddr.s6_addr32[2] & ipsp->ips_mask_s.u.v6.sin6_addr.s6_addr32[2])
^ ipsp->ips_flow_s.u.v6.sin6_addr.s6_addr32[2])
| ((ipp6->daddr.s6_addr32[2] & ipsp->ips_mask_d.u.v6.sin6_addr.s6_addr32[2])
^ ipsp->ips_flow_d.u.v6.sin6_addr.s6_addr32[2])) {
failed_outbound_check = 1;
} else if (((ipp6->saddr.s6_addr32[3] & ipsp->ips_mask_s.u.v6.sin6_addr.s6_addr32[3])
^ ipsp->ips_flow_s.u.v6.sin6_addr.s6_addr32[3])
| ((ipp6->daddr.s6_addr32[3] & ipsp->ips_mask_d.u.v6.sin6_addr.s6_addr32[3])
^ ipsp->ips_flow_d.u.v6.sin6_addr.s6_addr32[3])) {
failed_outbound_check = 1;
}
}
if (failed_outbound_check) {
char saddr_txt[ADDRTOA_BUF], daddr_txt[ADDRTOA_BUF];
char sflow_txt[SUBNETTOA_BUF], dflow_txt[SUBNETTOA_BUF];
if (ipsp->ips_flow_s.u.v4.sin_family == AF_INET6) {
subnet6toa(&ipsp->ips_flow_s.u.v6.sin6_addr,
&ipsp->ips_mask_s.u.v6.sin6_addr,
0, sflow_txt, sizeof(sflow_txt));
subnet6toa(&ipsp->ips_flow_d.u.v6.sin6_addr,
&ipsp->ips_mask_d.u.v6.sin6_addr,
0, dflow_txt, sizeof(dflow_txt));
inet_addrtot(AF_INET6, &osw_ip6_hdr(ixs)->saddr, 0, saddr_txt,
sizeof(saddr_txt));
inet_addrtot(AF_INET6, &osw_ip6_hdr(ixs)->daddr, 0, daddr_txt,
sizeof(daddr_txt));
} else {
subnettoa(ipsp->ips_flow_s.u.v4.sin_addr,
ipsp->ips_mask_s.u.v4.sin_addr,
0, sflow_txt, sizeof(sflow_txt));
subnettoa(ipsp->ips_flow_d.u.v4.sin_addr,
ipsp->ips_mask_d.u.v4.sin_addr,
0, dflow_txt, sizeof(dflow_txt));
inet_addrtot(AF_INET, &osw_ip4_hdr(ixs)->saddr, 0, saddr_txt,
sizeof(saddr_txt));
inet_addrtot(AF_INET, &osw_ip4_hdr(ixs)->daddr, 0, daddr_txt,
sizeof(daddr_txt));
}
if (!ixs->sa_len) ixs->sa_len = KLIPS_SATOT(debug_mast,
&ixs->outgoing_said, 0,
ixs->sa_txt, sizeof(ixs->sa_txt));
KLIPS_PRINT(debug_mast,
"klips_debug:ipsec_mast_check_outbound_policy: "
"SA:%s, inner tunnel policy [%s -> %s] does not agree with pkt contents [%s -> %s].\n",
ixs->sa_len ? ixs->sa_txt : " (error)",
sflow_txt, dflow_txt, saddr_txt, daddr_txt);
if(ixs->stats)
ixs->stats->rx_dropped++;
return -EACCES;
}
#if 0
{
char sflow_txt[SUBNETTOA_BUF], dflow_txt[SUBNETTOA_BUF];
char saddr_txt[ADDRTOA_BUF], daddr_txt[ADDRTOA_BUF];
struct in_addr ipaddr;
subnettoa(ixs->ipsp->ips_flow_s.u.v4.sin_addr,
ixs->ipsp->ips_mask_s.u.v4.sin_addr,
0, sflow_txt, sizeof(sflow_txt));
subnettoa(ixs->ipsp->ips_flow_d.u.v4.sin_addr,
ixs->ipsp->ips_mask_d.u.v4.sin_addr,
0, dflow_txt, sizeof(dflow_txt));
ipaddr.s_addr = ixs->iph->saddr;
addrtoa(ipaddr, 0, saddr_txt, sizeof(saddr_txt));
ipaddr.s_addr = ixs->iph->daddr;
addrtoa(ipaddr, 0, daddr_txt, sizeof(daddr_txt));
if (!ixs->sa_len) ixs->sa_len = KLIPS_SATOT(debug_mast,
&ixs->outgoing_said, 0,
ixs->sa_txt, sizeof(ixs->sa_txt));
KLIPS_PRINT(debug_mast,
"klips_debug:ipsec_mast_check_outbound_policy: "
"SA:%s, inner tunnel policy [%s -> %s] agrees with pkt contents [%s -> %s].\n",
ixs->sa_len ? ixs->sa_txt : " (error)",
sflow_txt, dflow_txt, saddr_txt, daddr_txt);
}
#endif
return 0;
}
enum ipsec_rcv_value
ipsec_rcv_ipcomp_decomp(struct ipsec_rcv_state *irs)
{
unsigned int flags = 0;
struct ipsec_sa *ipsp = irs->ipsp;
struct sk_buff *skb;
skb=irs->skb;
ipsec_xmit_dmp("ipcomp", skb_transport_header(skb), skb->len);
if(ipsp == NULL) {
return IPSEC_RCV_SAIDNOTFOUND;
}
if(sysctl_ipsec_inbound_policy_check &&
((((ntohl(ipsp->ips_said.spi) & 0x0000ffff) != (ntohl(irs->said.spi) & 0x0000ffff)) &&
(ipsp->ips_encalg != ntohl(irs->said.spi)) /* this is a workaround for peer non-compliance with rfc2393 */
))) {
char sa2[SATOT_BUF];
size_t sa_len2 = 0;
sa_len2 = KLIPS_SATOT(debug_rcv, &ipsp->ips_said, 0, sa2, sizeof(sa2));
KLIPS_PRINT(debug_rcv,
"klips_debug:ipsec_rcv_ipcomp_decomp: "
"Incoming packet with SA(IPCA):%s does not match policy SA(IPCA):%s cpi=%04x cpi->spi=%08x spi=%08x, spi->cpi=%04x for SA grouping, dropped.\n",
irs->sa_len ? irs->sa : " (error)",
sa_len2 ? sa2 : " (error)",
ntohs(irs->protostuff.ipcompstuff.compp->ipcomp_cpi),
(__u32)ntohl(irs->said.spi),
(__u32)ntohl((ipsp->ips_said.spi)),
(__u16)(ntohl(ipsp->ips_said.spi) & 0x0000ffff));
if(irs->stats) {
irs->stats->rx_dropped++;
}
return IPSEC_RCV_SAIDNOTFOUND;
}
if (osw_ip_hdr_version(irs) == 6)
ipsp->ips_comp_ratio_cbytes += ntohs(osw_ip6_hdr(irs)->payload_len)
+ sizeof(struct ipv6hdr);
else
ipsp->ips_comp_ratio_cbytes += ntohs(osw_ip4_hdr(irs)->tot_len);
irs->next_header = irs->protostuff.ipcompstuff.compp->ipcomp_nh;
#ifdef CONFIG_KLIPS_OCF
if (irs->ipsp->ocf_in_use)
return(ipsec_ocf_rcv(irs));
#endif
skb = skb_decompress(skb, ipsp, &flags);
if (!skb || flags) {
KLIPS_PRINT(debug_rcv,
"klips_debug:ipsec_rcv_ipcomp_decomp: "
"skb_decompress() returned error flags=%x, dropped.\n",
flags);
if (irs->stats) {
if (flags)
irs->stats->rx_errors++;
else
irs->stats->rx_dropped++;
}
return IPSEC_RCV_IPCOMPFAILED;
}
/* make sure we update the pointer */
irs->skb = skb;
irs->iph = (void *) ip_hdr(skb);
if (osw_ip_hdr_version(irs) == 6)
ipsp->ips_comp_ratio_dbytes += ntohs(osw_ip6_hdr(irs)->payload_len)
+ sizeof(struct ipv6hdr);
else
ipsp->ips_comp_ratio_dbytes += ntohs(osw_ip4_hdr(irs)->tot_len);
KLIPS_PRINT(debug_rcv,
"klips_debug:ipsec_rcv_ipcomp_decomp: "
"packet decompressed SA(IPCA):%s cpi->spi=%08x spi=%08x, spi->cpi=%04x, nh=%d.\n",
irs->sa_len ? irs->sa : " (error)",
(__u32)ntohl(irs->said.spi),
ipsp != NULL ? (__u32)ntohl((ipsp->ips_said.spi)) : 0,
ipsp != NULL ? (__u16)(ntohl(ipsp->ips_said.spi) & 0x0000ffff) : 0,
irs->next_header);
KLIPS_IP_PRINT(debug_rcv & DB_RX_PKTRX, irs->iph);
return IPSEC_RCV_OK;
}
