authorPaul Moore <paul.moore@hp.com>2007-12-21 17:58:11 -0500
committerDavid S. Miller <davem@davemloft.net>2008-01-28 18:00:01 -0500
commitafeb14b49098ba7a51c96e083a4105a0301f94c4 (patch)
tree2675451596adbea8aa261704c356d074136abbbd /net/ipv6
parentdfd4f0ae2e111e2b93c295938c0e64ebbb69ae6e (diff)
[XFRM]: RFC4303 compliant auditing
This patch adds a number of new IPsec audit events to meet the auditing requirements of RFC4303. This includes audit hooks for the following events: * Could not find a valid SA [sections 2.1, 3.4.2] . xfrm_audit_state_notfound() . xfrm_audit_state_notfound_simple() * Sequence number overflow [section 3.3.3] . xfrm_audit_state_replay_overflow() * Replayed packet [section 3.4.3] . xfrm_audit_state_replay() * Integrity check failure [sections 3.4.4.1, 3.4.4.2] . xfrm_audit_state_icvfail() While RFC4304 deals only with ESP most of the changes in this patch apply to IPsec in general, i.e. both AH and ESP. The one case, integrity check failure, where ESP specific code had to be modified the same was done to the AH code for the sake of consistency. Signed-off-by: Paul Moore <paul.moore@hp.com> Acked-by: James Morris <jmorris@namei.org> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ipv6')
-rw-r--r--net/ipv6/ah6.c2
-rw-r--r--net/ipv6/esp6.c1
-rw-r--r--net/ipv6/xfrm6_input.c1
3 files changed, 3 insertions, 1 deletions
diff --git a/net/ipv6/ah6.c b/net/ipv6/ah6.c
index 1b51d1eedbde..2d32772c87c3 100644
--- a/net/ipv6/ah6.c
+++ b/net/ipv6/ah6.c
@@ -381,7 +381,7 @@ static int ah6_input(struct xfrm_state *x, struct sk_buff *skb)
381 if (err) 381 if (err)
382 goto unlock; 382 goto unlock;
383 if (memcmp(ahp->work_icv, auth_data, ahp->icv_trunc_len)) { 383 if (memcmp(ahp->work_icv, auth_data, ahp->icv_trunc_len)) {
384 LIMIT_NETDEBUG(KERN_WARNING "ipsec ah authentication error\n"); 384 xfrm_audit_state_icvfail(x, skb, IPPROTO_AH);
385 err = -EBADMSG; 385 err = -EBADMSG;
386 } 386 }
387 } 387 }
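Review bot: The `LIMIT_NETDEBUG` message that the 384 line replaces was rate-limited, whereas the new `xfrm_audit_state_icvfail(x, skb, IPPROTO_AH)` appears to emit one audit record per packet that fails the ICV check, so a stream of forged or corrupted AH packets can flood the audit log; some rate limiting around the call, or inside the helper, would be worth considering. The same concern applies to the `xfrm_audit_state_icvfail(x, skb, IPPROTO_ESP)` line added in net/ipv6/esp6.c and to the `xfrm_audit_state_notfound_simple(skb, AF_INET6)` line added in net/ipv6/xfrm6_input.c, both on paths driven by unauthenticated input. Since the call sits in the region left via `goto unlock`, the helper presumably must not sleep; worth confirming it logs with an atomic allocation. ah6_input starts and ends outside this hunk.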
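diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c
index 5bd5292ad9fa..e10f10bfe2c9 100644
--- a/net/ipv6/esp6.c
+++ b/net/ipv6/esp6.c
@@ -186,6 +186,7 @@ static int esp6_input(struct xfrm_state *x, struct sk_buff *skb)
 BUG();
 
 if (unlikely(memcmp(esp->auth.work_icv, sum, alen))) {
+xfrm_audit_state_icvfail(x, skb, IPPROTO_ESP);
 ret = -EBADMSG;
 goto unlock;
 }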
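diff --git a/net/ipv6/xfrm6_input.c b/net/ipv6/xfrm6_input.c
index 6644fc6d5427..063ce6ed1bd0 100644
--- a/net/ipv6/xfrm6_input.c
+++ b/net/ipv6/xfrm6_input.c
@@ -152,6 +152,7 @@ int xfrm6_input_addr(struct sk_buff *skb, xfrm_address_t *daddr,
 
 if (!x) {
 XFRM_INC_STATS(LINUX_MIB_XFRMINNOSTATES);
+xfrm_audit_state_notfound_simple(skb, AF_INET6);
 goto drop;
 }
 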