enum ipsec_xmit_value ipsec_xmit_ipcomp_setup(struct ipsec_xmit_state *ixs)
{
unsigned int flags = 0;
unsigned int tot_len, old_tot_len;
#ifdef CONFIG_KLIPS_IPV6
if (lsw_ip_hdr_version(ixs) == 6)
old_tot_len = ntohs(lsw_ip6_hdr(ixs)->payload_len) +
sizeof(struct ipv6hdr);
else
#endif
old_tot_len = ntohs(lsw_ip4_hdr(ixs)->tot_len);
ixs->ipsp->ips_comp_ratio_dbytes += old_tot_len;
ixs->skb = skb_compress(ixs->skb, ixs->ipsp, &flags);
ixs->iph = (void *)ip_hdr(ixs->skb);
#ifdef CONFIG_KLIPS_IPV6
if (lsw_ip_hdr_version(ixs) == 6) {
IPSEC_FRAG_OFF_DECL(frag_off)
int nexthdroff;
unsigned char nexthdr = lsw_ip6_hdr(ixs)->nexthdr;
nexthdroff = ipsec_ipv6_skip_exthdr(ixs->skb,
((void *)(lsw_ip6_hdr(ixs) + 1)) -
(void*)ixs->skb->data,
&nexthdr, &frag_off);
ixs->iphlen = nexthdroff - (ixs->iph - (void*)ixs->skb->data);
tot_len = ntohs(lsw_ip6_hdr(ixs)->payload_len) +
sizeof(struct ipv6hdr);
} else
enum ipsec_xmit_value ipsec_ocf_xmit(struct ipsec_xmit_state *ixs)
{
struct cryptop *crp;
struct cryptodesc *crde = NULL, *crda = NULL, *crdc = NULL;
struct ipsec_sa *ipsp;
int req_count, payload_size;
int err;
KLIPS_PRINT(debug_tunnel & DB_TN_XMIT, "klips_debug:ipsec_ocf_xmit\n");
ipsp = ixs->ipsp;
if (!ipsp) {
KLIPS_PRINT(debug_tunnel & DB_TN_XMIT, "klips_debug:ipsec_ocf_xmit: "
"no SA for rcv processing\n");
return IPSEC_XMIT_SAIDNOTFOUND;
}
if (!ixs->skb) {
KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
"klips_debug:ipsec_ocf_xmit: no skb\n");
return IPSEC_XMIT_SAIDNOTFOUND;
}
switch (ipsp->ips_said.proto) {
case IPPROTO_COMP:
/*
* skip packets that have less then 90 bytes of payload to
* compress
*/
#ifdef CONFIG_KLIPS_IPV6
if (lsw_ip_hdr_version(ixs) == 6) {
IPSEC_FRAG_OFF_DECL(frag_off)
int nexthdroff;
unsigned char nexthdr = lsw_ip6_hdr(ixs)->nexthdr;
nexthdroff = ipsec_ipv6_skip_exthdr(ixs->skb,
((void *)(
lsw_ip6_hdr(
ixs)
+
1)) -
(void*)ixs->skb->data,
&nexthdr,
&frag_off);
ixs->iphlen = nexthdroff -
(ixs->iph - (void*)ixs->skb->data);
payload_size = ntohs(lsw_ip6_hdr(ixs)->payload_len);
} else
#endif /* CONFIG_KLIPS_IPV6 */
{
/*
* We need to grow the skb to accommodate the expanssion of the ipcomp packet.
*
* The following comment comes from the skb_decompress() which does the
* same...
*
* We have no way of knowing the exact length of the resulting
* decompressed output before we have actually done the decompression.
* For now, we guess that the packet will not be bigger than the
* attached ipsec device's mtu or 16260, whichever is biggest.
* This may be wrong, since the sender's mtu may be bigger yet.
* XXX This must be dealt with later XXX
*/
static int ipsec_ocf_ipcomp_copy_expand(struct ipsec_rcv_state *irs)
{
struct sk_buff *nskb;
unsigned grow_to, grow_by;
ptrdiff_t ptr_delta;
if (!irs->skb)
return IPSEC_RCV_IPCOMPFAILED;
if (irs->skb->dev) {
grow_to = irs->skb->dev->mtu <
16260 ? 16260 : irs->skb->dev->mtu;
} else {
int tot_len;
if (lsw_ip_hdr_version(irs) == 6)
tot_len = ntohs(lsw_ip6_hdr(irs)->payload_len) +
sizeof(struct ipv6hdr);
else
tot_len = ntohs(lsw_ip4_hdr(irs)->tot_len);
grow_to = 65520 - tot_len;
}
grow_by = grow_to - irs->skb->len;
grow_by -= skb_headroom(irs->skb);
grow_by -= skb_tailroom(irs->skb);
/* it's big enough */
if (!grow_by)
return IPSEC_RCV_OK;
nskb = skb_copy_expand(irs->skb, skb_headroom(irs->skb),
skb_tailroom(irs->skb) + grow_by, GFP_ATOMIC);
if (!nskb)
return IPSEC_RCV_ERRMEMALLOC;
memcpy(nskb->head, irs->skb->head, skb_headroom(irs->skb));
skb_set_network_header(nskb,
ipsec_skb_offset(irs->skb,
skb_network_header(irs->skb)));
skb_set_transport_header(nskb,
ipsec_skb_offset(irs->skb,
skb_transport_header(
irs->skb)));
/* update all irs pointers */
ptr_delta = nskb->data - irs->skb->data;
irs->authenticator = (void*)((char*)irs->authenticator + ptr_delta);
irs->iph = (void*)((char*)irs->iph + ptr_delta);
/* flip in the large one */
irs->pre_ipcomp_skb = irs->skb;
irs->skb = nskb;
/* move the tail up to the end to let OCF know how big the buffer is */
if (grow_by > (irs->skb->end - irs->skb->tail))
grow_by = irs->skb->end - irs->skb->tail;
skb_put(irs->skb, grow_by);
return IPSEC_RCV_OK;
}
enum ipsec_rcv_value ipsec_rcv_ipcomp_decomp(struct ipsec_rcv_state *irs)
{
unsigned int flags = 0;
struct ipsec_sa *ipsp = irs->ipsp;
struct sk_buff *skb;
skb = irs->skb;
ipsec_xmit_dmp("ipcomp", skb_transport_header(skb), skb->len);
if (ipsp == NULL)
return IPSEC_RCV_SAIDNOTFOUND;
if (sysctl_ipsec_inbound_policy_check &&
((((ntohl(ipsp->ips_said.spi) & 0x0000ffff) !=
(ntohl(irs->said.spi) & 0x0000ffff)) &&
(ipsp->ips_encalg != ntohl(irs->said.spi)) /* this is a workaround for peer non-compliance with rfc2393 */
))) {
char sa2[SATOT_BUF];
size_t sa_len2 = 0;
sa_len2 = KLIPS_SATOT(debug_rcv, &ipsp->ips_said, 0, sa2,
sizeof(sa2));
KLIPS_PRINT(debug_rcv,
"klips_debug:ipsec_rcv_ipcomp_decomp: "
"Incoming packet with SA(IPCA):%s does not match policy SA(IPCA):%s cpi=%04x cpi->spi=%08x spi=%08x, spi->cpi=%04x for SA grouping, dropped.\n",
irs->sa_len ? irs->sa : " (error)",
sa_len2 ? sa2 : " (error)",
ntohs(irs->protostuff.ipcompstuff.compp->ipcomp_cpi),
(__u32)ntohl(irs->said.spi),
(__u32)ntohl((ipsp->ips_said.spi)),
(__u16)(ntohl(ipsp->ips_said.spi) & 0x0000ffff));
if (irs->stats)
irs->stats->rx_dropped++;
return IPSEC_RCV_SAIDNOTFOUND;
}
if (lsw_ip_hdr_version(irs) == 6)
ipsp->ips_comp_ratio_cbytes +=
ntohs(lsw_ip6_hdr(irs)->payload_len) +
sizeof(struct ipv6hdr);
else
ipsp->ips_comp_ratio_cbytes +=
ntohs(lsw_ip4_hdr(irs)->tot_len);
irs->next_header = irs->protostuff.ipcompstuff.compp->ipcomp_nh;
#ifdef CONFIG_KLIPS_OCF
if (irs->ipsp->ocf_in_use)
return ipsec_ocf_rcv(irs);
#endif
skb = skb_decompress(skb, ipsp, &flags);
if (!skb || flags) {
KLIPS_PRINT(debug_rcv,
"klips_debug:ipsec_rcv_ipcomp_decomp: "
"skb_decompress() returned error flags=%x, dropped.\n",
flags);
if (irs->stats) {
if (flags)
irs->stats->rx_errors++;
else
irs->stats->rx_dropped++;
}
return IPSEC_RCV_IPCOMPFAILED;
}
/* make sure we update the pointer */
irs->skb = skb;
irs->iph = (void *) ip_hdr(skb);
if (lsw_ip_hdr_version(irs) == 6)
ipsp->ips_comp_ratio_dbytes +=
ntohs(lsw_ip6_hdr(irs)->payload_len) +
sizeof(struct ipv6hdr);
else
ipsp->ips_comp_ratio_dbytes +=
ntohs(lsw_ip4_hdr(irs)->tot_len);
KLIPS_PRINT(debug_rcv,
"klips_debug:ipsec_rcv_ipcomp_decomp: "
"packet decompressed SA(IPCA):%s cpi->spi=%08x spi=%08x, spi->cpi=%04x, nh=%d.\n",
irs->sa_len ? irs->sa : " (error)",
(__u32)ntohl(irs->said.spi),
ipsp != NULL ? (__u32)ntohl((ipsp->ips_said.spi)) : 0,
ipsp != NULL ?
(__u16)(ntohl(ipsp->ips_said.spi) & 0x0000ffff) : 0,
irs->next_header);
KLIPS_IP_PRINT(debug_rcv & DB_RX_PKTRX, irs->iph);
return IPSEC_RCV_OK;
}
static int ipsec_ocf_xmit_cb(struct cryptop *crp)
{
struct ipsec_xmit_state *ixs =
(struct ipsec_xmit_state *)crp->crp_opaque;
struct iphdr *newiph;
struct ipcomphdr *cmph;
unsigned orig_len, comp_len;
struct cryptodesc *crdc = NULL;
KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
"klips_debug:ipsec_ocf_xmit_cb\n");
if (ixs == NULL) {
KLIPS_PRINT(debug_tunnel & DB_TN_XMIT, "klips_debug:ipsec_ocf_xmit_cb: "
"NULL ixs in callback\n");
return 0;
}
/*
* we must update the state before returning to the state machine.
* if we have an error, terminate the processing by moving to the DONE
* state
*/
ixs->state = IPSEC_XSM_DONE; /* assume bad xmit */
if (crp->crp_etype) {
ptrdiff_t ptr_delta;
if (crp->crp_etype == EAGAIN) {
/* Session has been migrated. Store the new session id and retry */
KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
"klips_debug:ipsec_ocf_xmit_cb: crypto session migrated\n");
ixs->ipsp->ocf_cryptoid = crp->crp_sid;
/* resubmit request */
if (crypto_dispatch(crp) == 0)
return 0;
/* resubmit failed */
}
KLIPS_PRINT(debug_tunnel & DB_TN_XMIT, "klips_debug:ipsec_ocf_xmit_cb: "
"error in processing 0x%x\n",
crp->crp_etype);
switch (ixs->ipsp->ips_said.proto) {
case IPPROTO_COMP:
/*
* It's ok for compression to fail... we made a clone
* of the packet, so we just revert it now...
*/
if (!ixs->pre_ipcomp_skb) {
KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
"klips_debug:ipsec_ocf_xmit_cb: "
"IPcomp on %u bytes failed, "
"but we have no clone!\n",
(unsigned int)
(lsw_ip_hdr_version(ixs) == 6 ?
(ntohs(lsw_ip6_hdr(ixs)->
payload_len) +
sizeof(struct ipv6hdr))
:
ntohs(lsw_ip4_hdr(
ixs)->tot_len)) -
ixs->iphlen);
/* this is a fail. */
break;
}
KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
"klips_debug:ipsec_ocf_xmit_cb: "
"IPcomp on %u bytes failed, "
"using backup clone.\n",
(unsigned int)
(lsw_ip_hdr_version(ixs) == 6 ?
(ntohs(lsw_ip6_hdr(ixs)->payload_len) +
sizeof(struct ipv6hdr)) :
ntohs(lsw_ip4_hdr(ixs)->tot_len)) -
ixs->iphlen);
ptr_delta = ixs->pre_ipcomp_skb->data - ixs->skb->data;
ixs->iph =
(void*)((char*)ixs->iph + ptr_delta);
/*
* can not free it here, because we are under
* IRQ, potentially, so queue it for later
*/
kfree_skb(ixs->skb);
ixs->skb = ixs->pre_ipcomp_skb;
ixs->pre_ipcomp_skb = NULL;
skb_set_network_header(ixs->skb,
ipsec_skb_offset(ixs->skb,
((
void
*)
skb_network_header(
ixs->
skb))
+
ptr_delta));
skb_set_transport_header(ixs->skb,
ipsec_skb_offset(ixs->skb,
((
void
*)
skb_transport_header(
ixs
->
skb))
+
ptr_delta));
KLIPS_IP_PRINT(debug_tunnel & DB_TN_XMIT, ixs->iph);
/* this means we don't compress */
ixs->state = IPSEC_XSM_CONT;
break;
}
goto bail;
}
switch (ixs->ipsp->ips_said.proto) {
case IPPROTO_ESP:
/* ESP, nothing to do */
break;
case IPPROTO_AH:
/* AH post processing, put back fields we had to zero */
if (lsw_ip_hdr_version(ixs) == 4) {
lsw_ip4_hdr(ixs)->ttl = ixs->ttl;
lsw_ip4_hdr(ixs)->check = ixs->check;
lsw_ip4_hdr(ixs)->frag_off = ixs->frag_off;
lsw_ip4_hdr(ixs)->tos = ixs->tos;
}
break;
case IPPROTO_COMP:
/* IPcomp fill in the header */
crdc = crp->crp_desc;
KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
"klips_debug:ipsec_ocf_xmit_cb: "
"after <%s%s%s>, SA:%s:\n",
IPS_XFORM_NAME(ixs->ipsp),
ixs->sa_len ? ixs->sa_txt : " (error)");
KLIPS_IP_PRINT(debug_tunnel & DB_TN_XMIT, ixs->iph);
orig_len = (lsw_ip_hdr_version(ixs) == 6 ?
(ntohs(lsw_ip6_hdr(ixs)->payload_len) +
sizeof(struct ipv6hdr)) :
ntohs(lsw_ip4_hdr(ixs)->tot_len)) -
ixs->iphlen;
comp_len = crp->crp_olen;
if (sysctl_ipsec_debug_ipcomp && sysctl_ipsec_debug_verbose) {
ipsec_dmp_block("compress after",
((unsigned char*)ixs->iph) + ixs->iphlen,
comp_len);
}
newiph =
(struct iphdr *)((char*)ixs->iph -
sizeof(struct ipcomphdr));
cmph = (struct ipcomphdr *)((char*)newiph + ixs->iphlen);
/* move the ip header to make room for the new ipcomp header */
memmove(((unsigned char *) ixs->skb->data) -
sizeof(struct ipcomphdr),
ixs->skb->data,
(((unsigned char *) ixs->iph) + ixs->iphlen) -
((unsigned char *) ixs->skb->data));
/* DAVIDM check for head room */
skb_push(ixs->skb, sizeof(struct ipcomphdr));
ixs->iph = newiph;
skb_set_network_header(ixs->skb,
ipsec_skb_offset(ixs->skb, newiph));
skb_set_transport_header(ixs->skb,
ipsec_skb_offset(ixs->skb,
newiph) +
ixs->iphlen);
/* now we can fill in the ipcomp header */
cmph->ipcomp_nh = ixs->next_header;
cmph->ipcomp_flags = 0;
cmph->ipcomp_cpi =
htons((__u16)(ntohl(ixs->ipsp->ips_said.spi) &
0x0000ffff));
/* update the ip header to reflect the compression */
if (lsw_ip_hdr_version(ixs) == 6) {
lsw_ip6_hdr(ixs)->nexthdr = IPPROTO_COMP;
lsw_ip6_hdr(ixs)->payload_len = htons(ixs->iphlen +
sizeof(struct
ipcomphdr) + comp_len -
sizeof(struct
ipv6hdr));
} else {
lsw_ip4_hdr(ixs)->protocol = IPPROTO_COMP;
lsw_ip4_hdr(ixs)->tot_len = htons(ixs->iphlen +
sizeof(struct
ipcomphdr) +
comp_len);
lsw_ip4_hdr(ixs)->check = 0;
lsw_ip4_hdr(ixs)->check =
ip_fast_csum((char *) ixs->iph, lsw_ip4_hdr(
ixs)->ihl);
}
/* Update skb length/tail by "unputting" the shrinkage */
safe_skb_put(ixs->skb, comp_len - orig_len);
ixs->ipsp->ips_comp_adapt_skip = 0;
ixs->ipsp->ips_comp_adapt_tries = 0;
/* release the backup copy */
if (ixs->pre_ipcomp_skb) {
kfree_skb(ixs->pre_ipcomp_skb);
ixs->pre_ipcomp_skb = NULL;
}
KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
"klips_debug:ipsec_ocf_xmit_cb: "
"after <%s%s%s>, SA:%s:\n",
IPS_XFORM_NAME(ixs->ipsp),
ixs->sa_len ? ixs->sa_txt : " (error)");
KLIPS_IP_PRINT(debug_tunnel & DB_TN_XMIT, ixs->iph);
break;
}
/* all good */
ixs->state = IPSEC_XSM_CONT;
bail:
crypto_freereq(crp);
crp = NULL;
ipsec_ocf_queue_task(ipsec_xsm, ixs);
return 0;
}
enum ipsec_rcv_value ipsec_ocf_rcv(struct ipsec_rcv_state *irs)
{
struct cryptop *crp;
struct cryptodesc *crde = NULL, *crda = NULL, *crdc = NULL;
struct ipsec_sa *ipsp;
int req_count = 0;
int rc, err;
KLIPS_PRINT(debug_rcv, "klips_debug:ipsec_ocf_rcv\n");
ipsp = irs->ipsp;
if (!ipsp) {
KLIPS_PRINT(debug_rcv, "klips_debug:ipsec_ocf_rcv: "
"no SA for rcv processing\n");
return IPSEC_RCV_SAIDNOTFOUND;
}
if (!irs->skb) {
KLIPS_PRINT(debug_rcv, "klips_debug:ipsec_ocf_rcv: no skb\n");
return IPSEC_RCV_SAIDNOTFOUND;
}
switch (ipsp->ips_said.proto) {
case IPPROTO_COMP:
rc = ipsec_ocf_ipcomp_copy_expand(irs);
if (rc != IPSEC_RCV_OK) {
KLIPS_PRINT(debug_rcv, "klips_debug:ipsec_ocf_rcv: "
"growing skb for ipcomp failed, rc=%d\n",
rc);
return rc;
}
break;
case IPPROTO_ESP:
case IPPROTO_AH:
break;
default:
KLIPS_PRINT(debug_rcv & DB_RX_XF, "klips_debug:ipsec_ocf_rcv: "
"bad protocol %d\n", ipsp->ips_said.proto);
return IPSEC_RCV_BADPROTO;
}
req_count = (ipsp->ips_authalg ? 1 : 0) +
(ipsp->ips_encalg ? 1 : 0);
crp = crypto_getreq(req_count);
if (!crp) {
KLIPS_PRINT(debug_rcv, "klips_debug:ipsec_ocf_rcv: "
"crypto_getreq returned NULL\n");
return IPSEC_RCV_REALLYBAD;
}
/* we currently don't support any chaining across protocols */
switch (ipsp->ips_said.proto) {
case IPPROTO_ESP:
/*
* we are decrypting, from the setup in ipsec_ocf_sa_init above, we
* need to flip the order of hash/cipher for recieve so that it is
* hash first then decrypt. Transmit is ok.
*/
if (crp->crp_desc && crp->crp_desc->crd_next) {
crda = crp->crp_desc;
crde = crda->crd_next;
} else {
crde = crp->crp_desc;
crda = crde->crd_next;
}
break;
case IPPROTO_COMP:
crdc = crp->crp_desc;
break;
case IPPROTO_AH:
crda = crp->crp_desc;
break;
}
if (crda) {
/* Authentication descriptor */
crda->crd_alg = ipsec_ocf_authalg(ipsp->ips_authalg);
if (!crda->crd_alg) {
KLIPS_PRINT(debug_rcv, "klips_debug:ipsec_ocf_rcv: "
"bad auth alg 0x%x\n", ipsp->ips_authalg);
crypto_freereq(crp);
return IPSEC_RCV_BADPROTO;
}
if (!crde) { /* assuming AH processing */
/* push the IP header so we can authenticate it */
skb_push(irs->skb,
((unsigned char *)irs->protostuff.ahstuff.ahp) -
((unsigned char *)irs->iph));
}
crda->crd_key = ipsp->ips_key_a;
crda->crd_klen = ipsp->ips_key_bits_a;
crda->crd_inject = irs->authenticator - irs->skb->data;
/* OCF needs cri_mlen initialized in order to properly migrate the
* session to another driver */
crda->crd_mlen = 12;
/* Copy the authenticator to check aganinst later */
memcpy(irs->hash, irs->authenticator, 12);
if (!crde) { /* assume AH processing */
/* AH processing, save fields we have to zero */
if (lsw_ip_hdr_version(irs) == 4) {
irs->ttl =
lsw_ip4_hdr(irs)->ttl;
irs->check =
lsw_ip4_hdr(irs)->check;
irs->frag_off =
lsw_ip4_hdr(irs)->frag_off;
irs->tos =
lsw_ip4_hdr(irs)->tos;
lsw_ip4_hdr(irs)->ttl = 0;
lsw_ip4_hdr(irs)->check = 0;
lsw_ip4_hdr(irs)->frag_off = 0;
lsw_ip4_hdr(irs)->tos = 0;
}
crda->crd_len = irs->skb->len;
crda->crd_skip = ((unsigned char *)irs->iph) -
irs->skb->data;
memset(irs->authenticator, 0, 12);
} else {
crda->crd_len = irs->ilen;
crda->crd_skip =
((unsigned char *) irs->protostuff.espstuff.
espp) -
irs->skb->data;
/*
* It would be nice to clear the authenticator here
* to be sure we do not see it again later when checking.
* We cannot. Some HW actually expects to check the in-data
* hash and and flag an error if it is incorrect.
*
* What we do to allow this is to pass in the current in-data
* value. Your OCF driver must ensure that it fails a request
* for hash+decrypt with an invalid hash value, or returns the
* computed in-data hash as requested.
*
* If your driver does not check the in-data hash but just
* computes it value, you must ensure that it does not return
* the original in-data hash by accident. It must invalidate the
* in-data hash itself to force an auth check error.
*
* All existing drivers that do not care about the current
* in-data hash do this by clearing the in-data hash before
* processing, either directly or via their implementation.
*/
#if 0
memset(irs->authenticator, 0, 12);
#endif
}
}
if (crde) {
crde->crd_alg = ipsec_ocf_encalg(ipsp->ips_encalg);
if (!crde->crd_alg) {
KLIPS_PRINT(debug_rcv, "klips_debug:ipsec_ocf_rcv: "
"bad enc alg 0x%x\n", ipsp->ips_encalg);
crypto_freereq(crp);
return IPSEC_RCV_BADPROTO;
}
irs->esphlen = ESP_HEADER_LEN + ipsp->ips_iv_size;
irs->ilen -= irs->esphlen;
crde->crd_skip =
(skb_transport_header(irs->skb) -
irs->skb->data) + irs->esphlen;
crde->crd_len = irs->ilen;
crde->crd_inject = crde->crd_skip - ipsp->ips_iv_size;
crde->crd_klen = ipsp->ips_key_bits_e;
crde->crd_key = ipsp->ips_key_e;
}
if (crdc) {
struct ipcomphdr *cmph;
int compalg = ipsp->ips_encalg;
/* Decompression descriptor */
crdc->crd_alg = ipsec_ocf_compalg(compalg);
if (!crdc->crd_alg) {
KLIPS_PRINT(debug_rcv, "klips_debug:ipsec_ocf_rcv: "
"bad decomp alg 0x%x\n",
ipsp->ips_encalg);
crypto_freereq(crp);
return IPSEC_RCV_BADPROTO;
}
crdc->crd_flags = 0;
/* this is where the current ipcomp header is */
cmph = (struct ipcomphdr*)((char*)irs->iph + irs->iphlen);
/* store the nested protocol */
irs->next_header = cmph->ipcomp_nh;
/* start decompressing after ip header and the ipcomp header */
crdc->crd_skip = ((unsigned char*)irs->iph) + irs->iphlen +
sizeof(struct ipcomphdr) - irs->skb->data;
/* decompress all ip data past the ipcomp header */
if (lsw_ip_hdr_version(irs) == 6) {
crdc->crd_len =
(ntohs(lsw_ip6_hdr(irs)->payload_len) +
sizeof(struct ipv6hdr)) -
irs->iphlen -
sizeof(struct ipcomphdr);
} else {
crdc->crd_len = ntohs(lsw_ip4_hdr(irs)->tot_len) -
irs->iphlen -
sizeof(struct ipcomphdr);
}
/* decompress inplace (some hardware can only do inplace) */
crdc->crd_inject = crdc->crd_skip;
}
crp->crp_ilen = irs->skb->len; /* Total input length */
crp->crp_olen = irs->skb->len; /* Total output length */
crp->crp_flags =
CRYPTO_F_SKBUF |
(ipsec_ocf_cbimm ? CRYPTO_F_BATCH : 0) |
(ipsec_ocf_batch ? CRYPTO_F_BATCH : 0) |
0;
crp->crp_buf = (caddr_t) irs->skb;
crp->crp_callback = ipsec_ocf_rcv_cb;
crp->crp_sid = ipsp->ocf_cryptoid;
crp->crp_opaque = (caddr_t) irs;
rcv_migrate:
if ((err = crypto_dispatch(crp))) {
KLIPS_PRINT(debug_rcv, "crypto_dispatch rcv failure %u\n",
err);
crypto_freereq(crp);
return IPSEC_RCV_REALLYBAD;
}
if (crp->crp_etype == EAGAIN) {
/* Session has been migrated. Store the new session id and retry */
ipsp->ocf_cryptoid = crp->crp_sid;
goto rcv_migrate;
}
return IPSEC_RCV_PENDING;
}
static int ipsec_ocf_rcv_cb(struct cryptop *crp)
{
struct ipsec_rcv_state *irs =
(struct ipsec_rcv_state *)crp->crp_opaque;
struct iphdr *newiph;
unsigned orig_len, decomp_len;
struct cryptodesc *crdc = NULL;
KLIPS_PRINT(debug_rcv, "klips_debug:ipsec_ocf_rcv_cb\n");
if (irs == NULL) {
KLIPS_PRINT(debug_rcv, "klips_debug:ipsec_ocf_rcv_cb: "
"NULL irs in callback\n");
return 0;
}
/*
* we must update the state before returning to the state machine.
* if we have an error, terminate the processing by moving to the DONE
* state
*/
irs->state = IPSEC_RSM_DONE; /* assume it went badly */
if (crp->crp_etype) {
ptrdiff_t ptr_delta;
if (crp->crp_etype == EAGAIN) {
/* Session has been migrated. Store the new session id and retry */
KLIPS_PRINT(debug_rcv,
"klips_debug:ipsec_ocf_rcv_cb: crypto session migrated\n");
irs->ipsp->ocf_cryptoid = crp->crp_sid;
/* resubmit request */
if (crypto_dispatch(crp) == 0)
return 0;
/* resubmit failed */
}
KLIPS_PRINT(debug_rcv, "klips_debug:ipsec_ocf_rcv_cb: "
"error in processing 0x%x\n", crp->crp_etype);
switch (irs->ipsp->ips_said.proto) {
case IPPROTO_COMP:
/*
* we restore the previous skb on error and pretend nothing
* happened, just no compression
*/
ptr_delta = irs->pre_ipcomp_skb->data - irs->skb->data;
irs->authenticator =
(void*)((char*)irs->authenticator + ptr_delta);
irs->iph =
(void*)((char*)irs->iph + ptr_delta);
kfree_skb(irs->skb);
irs->skb = irs->pre_ipcomp_skb;
irs->pre_ipcomp_skb = NULL;
break;
}
goto bail;
}
switch (irs->ipsp->ips_said.proto) {
case IPPROTO_ESP:
/* ESP, process it */
if (ipsec_rcv_esp_post_decrypt(irs) == IPSEC_RCV_OK) {
/* this one came up good, set next state */
irs->state = IPSEC_RSM_DECAP_CONT;
}
break;
case IPPROTO_AH:
/* AH post processing, put back fields we had to zero */
if (lsw_ip_hdr_version(irs) == 4) {
lsw_ip4_hdr(irs)->ttl = irs->ttl;
lsw_ip4_hdr(irs)->check = irs->check;
lsw_ip4_hdr(irs)->frag_off = irs->frag_off;
lsw_ip4_hdr(irs)->tos = irs->tos;
}
irs->state = IPSEC_RSM_AUTH_CHK;
/* pull up the IP header again after processing */
skb_pull(irs->skb,
((unsigned char *)irs->protostuff.ahstuff.ahp) -
((unsigned char *)irs->iph));
break;
case IPPROTO_COMP:
crdc = crp->crp_desc;
KLIPS_PRINT(debug_rcv, "comp before adjustments:\n");
KLIPS_IP_PRINT(debug_rcv & DB_TN_XMIT, irs->iph);
orig_len = irs->skb->len - sizeof(struct ipcomphdr);
decomp_len = crp->crp_olen;
newiph =
(struct iphdr*)((char*)irs->iph +
sizeof(struct ipcomphdr));
KLIPS_PRINT(debug_rcv,
"comp results: olen: %u, inject: %u (len=%d) iph->totlen=%u\n",
crp->crp_olen, crdc->crd_inject, decomp_len,
ntohs(newiph->tot_len));
/*
* move the ip header to consume room previously taken by
* the ipcomp header
*/
skb_pull(irs->skb, sizeof(struct ipcomphdr));
memmove(newiph, irs->iph, irs->iphlen);
/* adjust the ipp pointer to point to the header we decoded */
irs->iph = newiph;
skb_set_network_header(irs->skb, ipsec_skb_offset(irs->skb,
((unsigned
char *)
skb_network_header(
irs
->
skb))
+
sizeof(struct
ipcomphdr)));
skb_set_transport_header(irs->skb, ipsec_skb_offset(irs->skb,
((unsigned
char *)
skb_transport_header(
irs
->
skb))
+
sizeof(
struct
ipcomphdr)));
if (lsw_ip_hdr_version(irs) == 6) {
lsw_ip6_hdr(irs)->nexthdr = irs->next_header;
} else {
lsw_ip4_hdr(irs)->protocol = irs->next_header;
lsw_ip4_hdr(irs)->tot_len = htons(
irs->iphlen + decomp_len);
lsw_ip4_hdr(irs)->check = 0;
lsw_ip4_hdr(irs)->check = ip_fast_csum(irs->iph, lsw_ip4_hdr(
irs)->ihl);
}
KLIPS_PRINT(debug_rcv, "comp after len adjustments:\n");
KLIPS_IP_PRINT(debug_rcv & DB_TN_XMIT, irs->iph);
/* Update skb length/tail by "putting" the growth */
safe_skb_put(irs->skb, decomp_len - crp->crp_olen);
/* set the new header in the skb */
skb_set_network_header(irs->skb,
ipsec_skb_offset(irs->skb, irs->iph));
KLIPS_IP_PRINT(debug_rcv & DB_RX_PKTRX, ip_hdr(irs->skb));
/* relese the backup copy */
if (irs->pre_ipcomp_skb) {
kfree_skb(irs->pre_ipcomp_skb);
irs->pre_ipcomp_skb = NULL;
}
/* IPcomp finished, continue processing */
irs->state = IPSEC_RSM_DECAP_CONT;
break;
}
bail:
crypto_freereq(crp);
crp = NULL;
ipsec_ocf_queue_task(ipsec_rsm, irs);
return 0;
}
/*
* Verify that the skb can go out on this ipsp.
* Return 0 if OK, error code otherwise.
*/
static int ipsec_mast_check_outbound_policy(struct ipsec_xmit_state *ixs)
{
int failed_outbound_check = 0;
struct ipsec_sa *ipsp = ixs->ipsp;
if (!ixs || !ixs->ipsp || !ixs->iph)
return -EFAULT;
/* Note: "xor" (^) logically replaces "not equal"
* (!=) and "bitwise or" (|) logically replaces
* "boolean or" (||). This is done to speed up
* execution by doing only bitwise operations and
* no branch operations */
if (lsw_ip_hdr_version(ixs) == 4) {
struct iphdr *ipp = lsw_ip4_hdr(ixs);
if (ip_address_family(&ipsp->ips_said.dst) != AF_INET)
failed_outbound_check = 1;
else if (((ipp->saddr &
ipsp->ips_mask_s.u.v4.sin_addr.s_addr) ^
ipsp->ips_flow_s.u.v4.sin_addr.s_addr) |
((ipp->daddr &
ipsp->ips_mask_d.u.v4.sin_addr.s_addr) ^
ipsp->ips_flow_d.u.v4.sin_addr.s_addr))
failed_outbound_check = 1;
} else if (lsw_ip_hdr_version(ixs) == 6) {
struct ipv6hdr *ipp6 = lsw_ip6_hdr(ixs);
if (ip_address_family(&ipsp->ips_said.dst) != AF_INET6)
failed_outbound_check = 1;
else if (((ipp6->saddr.s6_addr32[0] &
ipsp->ips_mask_s.u.v6.sin6_addr.s6_addr32[0]) ^
ipsp->ips_flow_s.u.v6.sin6_addr.s6_addr32[0]) |
((ipp6->daddr.s6_addr32[0] &
ipsp->ips_mask_d.u.v6.sin6_addr.s6_addr32[0]) ^
ipsp->ips_flow_d.u.v6.sin6_addr.s6_addr32[0]))
failed_outbound_check = 1;
else if (((ipp6->saddr.s6_addr32[1] &
ipsp->ips_mask_s.u.v6.sin6_addr.s6_addr32[1]) ^
ipsp->ips_flow_s.u.v6.sin6_addr.s6_addr32[1]) |
((ipp6->daddr.s6_addr32[1] &
ipsp->ips_mask_d.u.v6.sin6_addr.s6_addr32[1]) ^
ipsp->ips_flow_d.u.v6.sin6_addr.s6_addr32[1]))
failed_outbound_check = 1;
else if (((ipp6->saddr.s6_addr32[2] &
ipsp->ips_mask_s.u.v6.sin6_addr.s6_addr32[2]) ^
ipsp->ips_flow_s.u.v6.sin6_addr.s6_addr32[2]) |
((ipp6->daddr.s6_addr32[2] &
ipsp->ips_mask_d.u.v6.sin6_addr.s6_addr32[2]) ^
ipsp->ips_flow_d.u.v6.sin6_addr.s6_addr32[2]))
failed_outbound_check = 1;
else if (((ipp6->saddr.s6_addr32[3] &
ipsp->ips_mask_s.u.v6.sin6_addr.s6_addr32[3]) ^
ipsp->ips_flow_s.u.v6.sin6_addr.s6_addr32[3]) |
((ipp6->daddr.s6_addr32[3] &
ipsp->ips_mask_d.u.v6.sin6_addr.s6_addr32[3]) ^
ipsp->ips_flow_d.u.v6.sin6_addr.s6_addr32[3]))
failed_outbound_check = 1;
}
if (failed_outbound_check) {
char saddr_txt[ADDRTOA_BUF], daddr_txt[ADDRTOA_BUF];
char sflow_txt[SUBNETTOA_BUF], dflow_txt[SUBNETTOA_BUF];
if (ipsp->ips_flow_s.u.v4.sin_family == AF_INET6) {
subnet6toa(&ipsp->ips_flow_s.u.v6.sin6_addr,
&ipsp->ips_mask_s.u.v6.sin6_addr,
0, sflow_txt, sizeof(sflow_txt));
subnet6toa(&ipsp->ips_flow_d.u.v6.sin6_addr,
&ipsp->ips_mask_d.u.v6.sin6_addr,
0, dflow_txt, sizeof(dflow_txt));
inet_addrtot(AF_INET6,
&lsw_ip6_hdr(ixs)->saddr, 0, saddr_txt,
sizeof(saddr_txt));
inet_addrtot(AF_INET6,
&lsw_ip6_hdr(ixs)->daddr, 0, daddr_txt,
sizeof(daddr_txt));
} else {
subnettoa(ipsp->ips_flow_s.u.v4.sin_addr,
ipsp->ips_mask_s.u.v4.sin_addr,
0, sflow_txt, sizeof(sflow_txt));
subnettoa(ipsp->ips_flow_d.u.v4.sin_addr,
ipsp->ips_mask_d.u.v4.sin_addr,
0, dflow_txt, sizeof(dflow_txt));
inet_addrtot(AF_INET,
&lsw_ip4_hdr(ixs)->saddr, 0, saddr_txt,
sizeof(saddr_txt));
inet_addrtot(AF_INET,
&lsw_ip4_hdr(ixs)->daddr, 0, daddr_txt,
sizeof(daddr_txt));
}
if (!ixs->sa_len) {
ixs->sa_len = KLIPS_SATOT(debug_mast,
&ixs->outgoing_said, 0,
ixs->sa_txt,
sizeof(ixs->sa_txt));
}
KLIPS_PRINT(debug_mast,
"klips_debug:ipsec_mast_check_outbound_policy: "
"SA:%s, inner tunnel policy [%s -> %s] does not agree with pkt contents [%s -> %s].\n",
ixs->sa_len ? ixs->sa_txt : " (error)",
sflow_txt, dflow_txt, saddr_txt, daddr_txt);
if (ixs->stats)
ixs->stats->rx_dropped++;
return -EACCES;
}
#if 0
{
char sflow_txt[SUBNETTOA_BUF], dflow_txt[SUBNETTOA_BUF];
char saddr_txt[ADDRTOA_BUF], daddr_txt[ADDRTOA_BUF];
struct in_addr ipaddr;
subnettoa(ixs->ipsp->ips_flow_s.u.v4.sin_addr,
ixs->ipsp->ips_mask_s.u.v4.sin_addr,
0, sflow_txt, sizeof(sflow_txt));
subnettoa(ixs->ipsp->ips_flow_d.u.v4.sin_addr,
ixs->ipsp->ips_mask_d.u.v4.sin_addr,
0, dflow_txt, sizeof(dflow_txt));
ipaddr.s_addr = ixs->iph->saddr;
addrtoa(ipaddr, 0, saddr_txt, sizeof(saddr_txt));
ipaddr.s_addr = ixs->iph->daddr;
addrtoa(ipaddr, 0, daddr_txt, sizeof(daddr_txt));
if (!ixs->sa_len)
ixs->sa_len = KLIPS_SATOT(debug_mast,
&ixs->outgoing_said, 0,
ixs->sa_txt,
sizeof(ixs->sa_txt));
KLIPS_PRINT(debug_mast,
"klips_debug:ipsec_mast_check_outbound_policy: "
"SA:%s, inner tunnel policy [%s -> %s] agrees with pkt contents [%s -> %s].\n",
ixs->sa_len ? ixs->sa_txt : " (error)",
sflow_txt, dflow_txt, saddr_txt, daddr_txt);
}
#endif
return 0;
}
