xfrm: Move IPsec replay detection functions to a separate file

To support multiple versions of replay detection, we move the replay detection functions to a separate file and make them accessible via function pointers contained in the struct xfrm_replay. Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Acked-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Steffen Klassert <steffen.klassert@secunet.com> 2011-03-07 19:08:32 -0500
committer: David S. Miller <davem@davemloft.net> 2011-03-13 23:22:30 -0400
commit: 9fdc4883d92d20842c5acea77a4a21bb1574b495 (patch)
tree: 87019e64093d90a4f2b42149231d0ad3a864c5f9 /net/xfrm/xfrm_state.c
parent: d212a4c29096484e5e83b5006e695add126260af (diff)
1 files changed, 3 insertions, 108 deletions
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index cd6be49f2ae8..23779d19fe02 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -42,13 +42,6 @@ static unsigned int xfrm_state_hashmax __read_mostly = 1 * 1024 * 1024;
 static struct xfrm_state_afinfo *xfrm_state_get_afinfo(unsigned int family);
 static void xfrm_state_put_afinfo(struct xfrm_state_afinfo *afinfo);
-#ifdef CONFIG_AUDITSYSCALL
-static void xfrm_audit_state_replay(struct xfrm_state *x,
-                                    struct sk_buff *skb, __be32 net_seq);
-#else
-#define xfrm_audit_state_replay(x, s, sq)       do { ; } while (0)
-#endif /* CONFIG_AUDITSYSCALL */
 static inline unsigned int xfrm_dst_hash(struct net *net,
                                         const xfrm_address_t *daddr,
                                         const xfrm_address_t *saddr,
@@ -1619,54 +1612,6 @@ void xfrm_state_walk_done(struct xfrm_state_walk *walk)
 }
 EXPORT_SYMBOL(xfrm_state_walk_done);
-void xfrm_replay_notify(struct xfrm_state *x, int event)
-{
-        struct km_event c;
-        /* we send notify messages in case
-         *  1. we updated on of the sequence numbers, and the seqno difference
-         *     is at least x->replay_maxdiff, in this case we also update the
-         *     timeout of our timer function
-         *  2. if x->replay_maxage has elapsed since last update,
-         *     and there were changes
-         *
-         *  The state structure must be locked!
-         */
-        switch (event) {
-        case XFRM_REPLAY_UPDATE:
-                if (x->replay_maxdiff &&
-                    (x->replay.seq - x->preplay.seq < x->replay_maxdiff) &&
-                    (x->replay.oseq - x->preplay.oseq < x->replay_maxdiff)) {
-                        if (x->xflags & XFRM_TIME_DEFER)
-                                event = XFRM_REPLAY_TIMEOUT;
-                        else
-                                return;
-                }
-                break;
-        case XFRM_REPLAY_TIMEOUT:
-                if ((x->replay.seq == x->preplay.seq) &&
-                    (x->replay.bitmap == x->preplay.bitmap) &&
-                    (x->replay.oseq == x->preplay.oseq)) {
-                        x->xflags |= XFRM_TIME_DEFER;
-                        return;
-                }
-                break;
-        }
-        memcpy(&x->preplay, &x->replay, sizeof(struct xfrm_replay_state));
-        c.event = XFRM_MSG_NEWAE;
-        c.data.aevent = event;
-        km_state_notify(x, &c);
-        if (x->replay_maxage &&
-            !mod_timer(&x->rtimer, jiffies + x->replay_maxage))
-                x->xflags &= ~XFRM_TIME_DEFER;
-}
 static void xfrm_replay_timer_handler(unsigned long data)
 {
        struct xfrm_state *x = (struct xfrm_state*)data;
@@ -1675,7 +1620,7 @@ static void xfrm_replay_timer_handler(unsigned long data)
        if (x->km.state == XFRM_STATE_VALID) {
                if (xfrm_aevent_is_on(xs_net(x)))
-                        xfrm_replay_notify(x, XFRM_REPLAY_TIMEOUT);
+                        x->repl->notify(x, XFRM_REPLAY_TIMEOUT);
                else
                        x->xflags |= XFRM_TIME_DEFER;
        }
@@ -1683,57 +1628,6 @@ static void xfrm_replay_timer_handler(unsigned long data)
        spin_unlock(&x->lock);
 }
-int xfrm_replay_check(struct xfrm_state *x,
-                      struct sk_buff *skb, __be32 net_seq)
-{
-        u32 diff;
-        u32 seq = ntohl(net_seq);
-        if (unlikely(seq == 0))
-                goto err;
-        if (likely(seq > x->replay.seq))
-                return 0;
-        diff = x->replay.seq - seq;
-        if (diff >= min_t(unsigned int, x->props.replay_window,
-                          sizeof(x->replay.bitmap) * 8)) {
-                x->stats.replay_window++;
-                goto err;
-        }
-        if (x->replay.bitmap & (1U << diff)) {
-                x->stats.replay++;
-                goto err;
-        }
-        return 0;
-err:
-        xfrm_audit_state_replay(x, skb, net_seq);
-        return -EINVAL;
-}
-void xfrm_replay_advance(struct xfrm_state *x, __be32 net_seq)
-{
-        u32 diff;
-        u32 seq = ntohl(net_seq);
-        if (seq > x->replay.seq) {
-                diff = seq - x->replay.seq;
-                if (diff < x->props.replay_window)
-                        x->replay.bitmap = ((x->replay.bitmap) << diff) | 1;
-                else
-                        x->replay.bitmap = 1;
-                x->replay.seq = seq;
-        } else {
-                diff = x->replay.seq - seq;
-                x->replay.bitmap |= (1U << diff);
-        }
-        if (xfrm_aevent_is_on(xs_net(x)))
-                xfrm_replay_notify(x, XFRM_REPLAY_UPDATE);
-}
 static LIST_HEAD(xfrm_km_list);
 static DEFINE_RWLOCK(xfrm_km_lock);
@@ -2246,7 +2140,7 @@ void xfrm_audit_state_replay_overflow(struct xfrm_state *x,
 }
 EXPORT_SYMBOL_GPL(xfrm_audit_state_replay_overflow);
-static void xfrm_audit_state_replay(struct xfrm_state *x,
+void xfrm_audit_state_replay(struct xfrm_state *x,
                             struct sk_buff *skb, __be32 net_seq)
 {
        struct audit_buffer *audit_buf;
@@ -2261,6 +2155,7 @@ static void xfrm_audit_state_replay(struct xfrm_state *x,
                         spi, spi, ntohl(net_seq));
        audit_log_end(audit_buf);
 }
+EXPORT_SYMBOL_GPL(xfrm_audit_state_replay);
 void xfrm_audit_state_notfound_simple(struct sk_buff *skb, u16 family)
 {
author	Steffen Klassert <steffen.klassert@secunet.com>	2011-03-07 19:08:32 -0500
committer	David S. Miller <davem@davemloft.net>	2011-03-13 23:22:30 -0400
commit	9fdc4883d92d20842c5acea77a4a21bb1574b495 (patch)
tree	87019e64093d90a4f2b42149231d0ad3a864c5f9 /net/xfrm/xfrm_state.c
parent	d212a4c29096484e5e83b5006e695add126260af (diff)

diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c index cd6be49f2ae8..23779d19fe02 100644 --- a/net/xfrm/xfrm_state.c +++ b/net/xfrm/xfrm_state.c
@@ -42,13 +42,6 @@ static unsigned int xfrm_state_hashmax __read_mostly = 1 * 1024 * 1024;
42	static struct xfrm_state_afinfo *xfrm_state_get_afinfo(unsigned int family);	42	static struct xfrm_state_afinfo *xfrm_state_get_afinfo(unsigned int family);
43	static void xfrm_state_put_afinfo(struct xfrm_state_afinfo *afinfo);	43	static void xfrm_state_put_afinfo(struct xfrm_state_afinfo *afinfo);
44		44
45	#ifdef CONFIG_AUDITSYSCALL
46	static void xfrm_audit_state_replay(struct xfrm_state *x,
47	struct sk_buff *skb, __be32 net_seq);
48	#else
49	#define xfrm_audit_state_replay(x, s, sq) do { ; } while (0)
50	#endif /* CONFIG_AUDITSYSCALL */
51
52	static inline unsigned int xfrm_dst_hash(struct net *net,	45	static inline unsigned int xfrm_dst_hash(struct net *net,
53	const xfrm_address_t *daddr,	46	const xfrm_address_t *daddr,
54	const xfrm_address_t *saddr,	47	const xfrm_address_t *saddr,
@@ -1619,54 +1612,6 @@ void xfrm_state_walk_done(struct xfrm_state_walk *walk)
1619	}	1612	}
1620	EXPORT_SYMBOL(xfrm_state_walk_done);	1613	EXPORT_SYMBOL(xfrm_state_walk_done);
1621		1614
1622
1623	void xfrm_replay_notify(struct xfrm_state *x, int event)
1624	{
1625	struct km_event c;
1626	/* we send notify messages in case
1627	* 1. we updated on of the sequence numbers, and the seqno difference
1628	* is at least x->replay_maxdiff, in this case we also update the
1629	* timeout of our timer function
1630	* 2. if x->replay_maxage has elapsed since last update,
1631	* and there were changes
1632	*
1633	* The state structure must be locked!
1634	*/
1635
1636	switch (event) {
1637	case XFRM_REPLAY_UPDATE:
1638	if (x->replay_maxdiff &&
1639	(x->replay.seq - x->preplay.seq < x->replay_maxdiff) &&
1640	(x->replay.oseq - x->preplay.oseq < x->replay_maxdiff)) {
1641	if (x->xflags & XFRM_TIME_DEFER)
1642	event = XFRM_REPLAY_TIMEOUT;
1643	else
1644	return;
1645	}
1646
1647	break;
1648
1649	case XFRM_REPLAY_TIMEOUT:
1650	if ((x->replay.seq == x->preplay.seq) &&
1651	(x->replay.bitmap == x->preplay.bitmap) &&
1652	(x->replay.oseq == x->preplay.oseq)) {
1653	x->xflags \|= XFRM_TIME_DEFER;
1654	return;
1655	}
1656
1657	break;
1658	}
1659
1660	memcpy(&x->preplay, &x->replay, sizeof(struct xfrm_replay_state));
1661	c.event = XFRM_MSG_NEWAE;
1662	c.data.aevent = event;
1663	km_state_notify(x, &c);
1664
1665	if (x->replay_maxage &&
1666	!mod_timer(&x->rtimer, jiffies + x->replay_maxage))
1667	x->xflags &= ~XFRM_TIME_DEFER;
1668	}
1669
1670	static void xfrm_replay_timer_handler(unsigned long data)	1615	static void xfrm_replay_timer_handler(unsigned long data)
1671	{	1616	{
1672	struct xfrm_state x = (struct xfrm_state)data;	1617	struct xfrm_state x = (struct xfrm_state)data;
@@ -1675,7 +1620,7 @@ static void xfrm_replay_timer_handler(unsigned long data)
1675		1620
1676	if (x->km.state == XFRM_STATE_VALID) {	1621	if (x->km.state == XFRM_STATE_VALID) {
1677	if (xfrm_aevent_is_on(xs_net(x)))	1622	if (xfrm_aevent_is_on(xs_net(x)))
1678	xfrm_replay_notify(x, XFRM_REPLAY_TIMEOUT);	1623	x->repl->notify(x, XFRM_REPLAY_TIMEOUT);
1679	else	1624	else
1680	x->xflags \|= XFRM_TIME_DEFER;	1625	x->xflags \|= XFRM_TIME_DEFER;
1681	}	1626	}
@@ -1683,57 +1628,6 @@ static void xfrm_replay_timer_handler(unsigned long data)
1683	spin_unlock(&x->lock);	1628	spin_unlock(&x->lock);
1684	}	1629	}
1685		1630
1686	int xfrm_replay_check(struct xfrm_state *x,
1687	struct sk_buff *skb, __be32 net_seq)
1688	{
1689	u32 diff;
1690	u32 seq = ntohl(net_seq);
1691
1692	if (unlikely(seq == 0))
1693	goto err;
1694
1695	if (likely(seq > x->replay.seq))
1696	return 0;
1697
1698	diff = x->replay.seq - seq;
1699	if (diff >= min_t(unsigned int, x->props.replay_window,
1700	sizeof(x->replay.bitmap) * 8)) {
1701	x->stats.replay_window++;
1702	goto err;
1703	}
1704
1705	if (x->replay.bitmap & (1U << diff)) {
1706	x->stats.replay++;
1707	goto err;
1708	}
1709	return 0;
1710
1711	err:
1712	xfrm_audit_state_replay(x, skb, net_seq);
1713	return -EINVAL;
1714	}
1715
1716	void xfrm_replay_advance(struct xfrm_state *x, __be32 net_seq)
1717	{
1718	u32 diff;
1719	u32 seq = ntohl(net_seq);
1720
1721	if (seq > x->replay.seq) {
1722	diff = seq - x->replay.seq;
1723	if (diff < x->props.replay_window)
1724	x->replay.bitmap = ((x->replay.bitmap) << diff) \| 1;
1725	else
1726	x->replay.bitmap = 1;
1727	x->replay.seq = seq;
1728	} else {
1729	diff = x->replay.seq - seq;
1730	x->replay.bitmap \|= (1U << diff);
1731	}
1732
1733	if (xfrm_aevent_is_on(xs_net(x)))
1734	xfrm_replay_notify(x, XFRM_REPLAY_UPDATE);
1735	}
1736
1737	static LIST_HEAD(xfrm_km_list);	1631	static LIST_HEAD(xfrm_km_list);
1738	static DEFINE_RWLOCK(xfrm_km_lock);	1632	static DEFINE_RWLOCK(xfrm_km_lock);
1739		1633
@@ -2246,7 +2140,7 @@ void xfrm_audit_state_replay_overflow(struct xfrm_state *x,
2246	}	2140	}
2247	EXPORT_SYMBOL_GPL(xfrm_audit_state_replay_overflow);	2141	EXPORT_SYMBOL_GPL(xfrm_audit_state_replay_overflow);
2248		2142
2249	static void xfrm_audit_state_replay(struct xfrm_state *x,	2143	void xfrm_audit_state_replay(struct xfrm_state *x,
2250	struct sk_buff *skb, __be32 net_seq)	2144	struct sk_buff *skb, __be32 net_seq)
2251	{	2145	{
2252	struct audit_buffer *audit_buf;	2146	struct audit_buffer *audit_buf;
@@ -2261,6 +2155,7 @@ static void xfrm_audit_state_replay(struct xfrm_state *x,
2261	spi, spi, ntohl(net_seq));	2155	spi, spi, ntohl(net_seq));
2262	audit_log_end(audit_buf);	2156	audit_log_end(audit_buf);
2263	}	2157	}
		2158	EXPORT_SYMBOL_GPL(xfrm_audit_state_replay);
2264		2159
2265	void xfrm_audit_state_notfound_simple(struct sk_buff *skb, u16 family)	2160	void xfrm_audit_state_notfound_simple(struct sk_buff *skb, u16 family)
2266	{	2161	{