diff options
| author | Steffen Klassert <steffen.klassert@secunet.com> | 2011-03-07 19:08:32 -0500 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2011-03-13 23:22:30 -0400 |
| commit | 9fdc4883d92d20842c5acea77a4a21bb1574b495 (patch) | |
| tree | 87019e64093d90a4f2b42149231d0ad3a864c5f9 /net/xfrm | |
| parent | d212a4c29096484e5e83b5006e695add126260af (diff) | |
xfrm: Move IPsec replay detection functions to a separate file
To support multiple versions of replay detection, we move the replay
detection functions to a separate file and make them accessible
via function pointers contained in the struct xfrm_replay.
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/xfrm')
| -rw-r--r-- | net/xfrm/Makefile | 2 | ||||
| -rw-r--r-- | net/xfrm/xfrm_input.c | 5 | ||||
| -rw-r--r-- | net/xfrm/xfrm_output.c | 15 | ||||
| -rw-r--r-- | net/xfrm/xfrm_replay.c | 141 | ||||
| -rw-r--r-- | net/xfrm/xfrm_state.c | 111 | ||||
| -rw-r--r-- | net/xfrm/xfrm_user.c | 4 |
6 files changed, 154 insertions, 124 deletions
diff --git a/net/xfrm/Makefile b/net/xfrm/Makefile index c631047e1b27..aa429eefe919 100644 --- a/net/xfrm/Makefile +++ b/net/xfrm/Makefile | |||
| @@ -4,7 +4,7 @@ | |||
| 4 | 4 | ||
| 5 | obj-$(CONFIG_XFRM) := xfrm_policy.o xfrm_state.o xfrm_hash.o \ | 5 | obj-$(CONFIG_XFRM) := xfrm_policy.o xfrm_state.o xfrm_hash.o \ |
| 6 | xfrm_input.o xfrm_output.o xfrm_algo.o \ | 6 | xfrm_input.o xfrm_output.o xfrm_algo.o \ |
| 7 | xfrm_sysctl.o | 7 | xfrm_sysctl.o xfrm_replay.o |
| 8 | obj-$(CONFIG_XFRM_STATISTICS) += xfrm_proc.o | 8 | obj-$(CONFIG_XFRM_STATISTICS) += xfrm_proc.o |
| 9 | obj-$(CONFIG_XFRM_USER) += xfrm_user.o | 9 | obj-$(CONFIG_XFRM_USER) += xfrm_user.o |
| 10 | obj-$(CONFIG_XFRM_IPCOMP) += xfrm_ipcomp.o | 10 | obj-$(CONFIG_XFRM_IPCOMP) += xfrm_ipcomp.o |
diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c index b173b7fdc433..55d5f5c3d119 100644 --- a/net/xfrm/xfrm_input.c +++ b/net/xfrm/xfrm_input.c | |||
| @@ -172,7 +172,7 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type) | |||
| 172 | goto drop_unlock; | 172 | goto drop_unlock; |
| 173 | } | 173 | } |
| 174 | 174 | ||
| 175 | if (x->props.replay_window && xfrm_replay_check(x, skb, seq)) { | 175 | if (x->props.replay_window && x->repl->check(x, skb, seq)) { |
| 176 | XFRM_INC_STATS(net, LINUX_MIB_XFRMINSTATESEQERROR); | 176 | XFRM_INC_STATS(net, LINUX_MIB_XFRMINSTATESEQERROR); |
| 177 | goto drop_unlock; | 177 | goto drop_unlock; |
| 178 | } | 178 | } |
| @@ -206,8 +206,7 @@ resume: | |||
| 206 | /* only the first xfrm gets the encap type */ | 206 | /* only the first xfrm gets the encap type */ |
| 207 | encap_type = 0; | 207 | encap_type = 0; |
| 208 | 208 | ||
| 209 | if (x->props.replay_window) | 209 | x->repl->advance(x, seq); |
| 210 | xfrm_replay_advance(x, seq); | ||
| 211 | 210 | ||
| 212 | x->curlft.bytes += skb->len; | 211 | x->curlft.bytes += skb->len; |
| 213 | x->curlft.packets++; | 212 | x->curlft.packets++; |
diff --git a/net/xfrm/xfrm_output.c b/net/xfrm/xfrm_output.c index 4b63776a0264..1aba03f449cc 100644 --- a/net/xfrm/xfrm_output.c +++ b/net/xfrm/xfrm_output.c | |||
| @@ -67,17 +67,10 @@ static int xfrm_output_one(struct sk_buff *skb, int err) | |||
| 67 | goto error; | 67 | goto error; |
| 68 | } | 68 | } |
| 69 | 69 | ||
| 70 | if (x->type->flags & XFRM_TYPE_REPLAY_PROT) { | 70 | err = x->repl->overflow(x, skb); |
| 71 | XFRM_SKB_CB(skb)->seq.output.low = ++x->replay.oseq; | 71 | if (err) { |
| 72 | if (unlikely(x->replay.oseq == 0)) { | 72 | XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTSTATESEQERROR); |
| 73 | XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTSTATESEQERROR); | 73 | goto error; |
| 74 | x->replay.oseq--; | ||
| 75 | xfrm_audit_state_replay_overflow(x, skb); | ||
| 76 | err = -EOVERFLOW; | ||
| 77 | goto error; | ||
| 78 | } | ||
| 79 | if (xfrm_aevent_is_on(net)) | ||
| 80 | xfrm_replay_notify(x, XFRM_REPLAY_UPDATE); | ||
| 81 | } | 74 | } |
| 82 | 75 | ||
| 83 | x->curlft.bytes += skb->len; | 76 | x->curlft.bytes += skb->len; |
diff --git a/net/xfrm/xfrm_replay.c b/net/xfrm/xfrm_replay.c new file mode 100644 index 000000000000..42d68f324874 --- /dev/null +++ b/net/xfrm/xfrm_replay.c | |||
| @@ -0,0 +1,141 @@ | |||
| 1 | /* | ||
| 2 | * xfrm_replay.c - xfrm replay detection, derived from xfrm_state.c. | ||
| 3 | */ | ||
| 4 | |||
| 5 | #include <net/xfrm.h> | ||
| 6 | |||
| 7 | static void xfrm_replay_notify(struct xfrm_state *x, int event) | ||
| 8 | { | ||
| 9 | struct km_event c; | ||
| 10 | /* we send notify messages in case | ||
| 11 | * 1. we updated on of the sequence numbers, and the seqno difference | ||
| 12 | * is at least x->replay_maxdiff, in this case we also update the | ||
| 13 | * timeout of our timer function | ||
| 14 | * 2. if x->replay_maxage has elapsed since last update, | ||
| 15 | * and there were changes | ||
| 16 | * | ||
| 17 | * The state structure must be locked! | ||
| 18 | */ | ||
| 19 | |||
| 20 | switch (event) { | ||
| 21 | case XFRM_REPLAY_UPDATE: | ||
| 22 | if (x->replay_maxdiff && | ||
| 23 | (x->replay.seq - x->preplay.seq < x->replay_maxdiff) && | ||
| 24 | (x->replay.oseq - x->preplay.oseq < x->replay_maxdiff)) { | ||
| 25 | if (x->xflags & XFRM_TIME_DEFER) | ||
| 26 | event = XFRM_REPLAY_TIMEOUT; | ||
| 27 | else | ||
| 28 | return; | ||
| 29 | } | ||
| 30 | |||
| 31 | break; | ||
| 32 | |||
| 33 | case XFRM_REPLAY_TIMEOUT: | ||
| 34 | if (memcmp(&x->replay, &x->preplay, | ||
| 35 | sizeof(struct xfrm_replay_state)) == 0) { | ||
| 36 | x->xflags |= XFRM_TIME_DEFER; | ||
| 37 | return; | ||
| 38 | } | ||
| 39 | |||
| 40 | break; | ||
| 41 | } | ||
| 42 | |||
| 43 | memcpy(&x->preplay, &x->replay, sizeof(struct xfrm_replay_state)); | ||
| 44 | c.event = XFRM_MSG_NEWAE; | ||
| 45 | c.data.aevent = event; | ||
| 46 | km_state_notify(x, &c); | ||
| 47 | |||
| 48 | if (x->replay_maxage && | ||
| 49 | !mod_timer(&x->rtimer, jiffies + x->replay_maxage)) | ||
| 50 | x->xflags &= ~XFRM_TIME_DEFER; | ||
| 51 | } | ||
| 52 | |||
| 53 | static int xfrm_replay_overflow(struct xfrm_state *x, struct sk_buff *skb) | ||
| 54 | { | ||
| 55 | int err = 0; | ||
| 56 | struct net *net = xs_net(x); | ||
| 57 | |||
| 58 | if (x->type->flags & XFRM_TYPE_REPLAY_PROT) { | ||
| 59 | XFRM_SKB_CB(skb)->seq.output.low = ++x->replay.oseq; | ||
| 60 | if (unlikely(x->replay.oseq == 0)) { | ||
| 61 | x->replay.oseq--; | ||
| 62 | xfrm_audit_state_replay_overflow(x, skb); | ||
| 63 | err = -EOVERFLOW; | ||
| 64 | |||
| 65 | return err; | ||
| 66 | } | ||
| 67 | if (xfrm_aevent_is_on(net)) | ||
| 68 | x->repl->notify(x, XFRM_REPLAY_UPDATE); | ||
| 69 | } | ||
| 70 | |||
| 71 | return err; | ||
| 72 | } | ||
| 73 | |||
| 74 | static int xfrm_replay_check(struct xfrm_state *x, | ||
| 75 | struct sk_buff *skb, __be32 net_seq) | ||
| 76 | { | ||
| 77 | u32 diff; | ||
| 78 | u32 seq = ntohl(net_seq); | ||
| 79 | |||
| 80 | if (unlikely(seq == 0)) | ||
| 81 | goto err; | ||
| 82 | |||
| 83 | if (likely(seq > x->replay.seq)) | ||
| 84 | return 0; | ||
| 85 | |||
| 86 | diff = x->replay.seq - seq; | ||
| 87 | if (diff >= min_t(unsigned int, x->props.replay_window, | ||
| 88 | sizeof(x->replay.bitmap) * 8)) { | ||
| 89 | x->stats.replay_window++; | ||
| 90 | goto err; | ||
| 91 | } | ||
| 92 | |||
| 93 | if (x->replay.bitmap & (1U << diff)) { | ||
| 94 | x->stats.replay++; | ||
| 95 | goto err; | ||
| 96 | } | ||
| 97 | return 0; | ||
| 98 | |||
| 99 | err: | ||
| 100 | xfrm_audit_state_replay(x, skb, net_seq); | ||
| 101 | return -EINVAL; | ||
| 102 | } | ||
| 103 | |||
| 104 | static void xfrm_replay_advance(struct xfrm_state *x, __be32 net_seq) | ||
| 105 | { | ||
| 106 | u32 diff; | ||
| 107 | u32 seq = ntohl(net_seq); | ||
| 108 | |||
| 109 | if (!x->props.replay_window) | ||
| 110 | return; | ||
| 111 | |||
| 112 | if (seq > x->replay.seq) { | ||
| 113 | diff = seq - x->replay.seq; | ||
| 114 | if (diff < x->props.replay_window) | ||
| 115 | x->replay.bitmap = ((x->replay.bitmap) << diff) | 1; | ||
| 116 | else | ||
| 117 | x->replay.bitmap = 1; | ||
| 118 | x->replay.seq = seq; | ||
| 119 | } else { | ||
| 120 | diff = x->replay.seq - seq; | ||
| 121 | x->replay.bitmap |= (1U << diff); | ||
| 122 | } | ||
| 123 | |||
| 124 | if (xfrm_aevent_is_on(xs_net(x))) | ||
| 125 | xfrm_replay_notify(x, XFRM_REPLAY_UPDATE); | ||
| 126 | } | ||
| 127 | |||
| 128 | static struct xfrm_replay xfrm_replay_legacy = { | ||
| 129 | .advance = xfrm_replay_advance, | ||
| 130 | .check = xfrm_replay_check, | ||
| 131 | .notify = xfrm_replay_notify, | ||
| 132 | .overflow = xfrm_replay_overflow, | ||
| 133 | }; | ||
| 134 | |||
| 135 | int xfrm_init_replay(struct xfrm_state *x) | ||
| 136 | { | ||
| 137 | x->repl = &xfrm_replay_legacy; | ||
| 138 | |||
| 139 | return 0; | ||
| 140 | } | ||
| 141 | EXPORT_SYMBOL(xfrm_init_replay); | ||
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c index cd6be49f2ae8..23779d19fe02 100644 --- a/net/xfrm/xfrm_state.c +++ b/net/xfrm/xfrm_state.c | |||
| @@ -42,13 +42,6 @@ static unsigned int xfrm_state_hashmax __read_mostly = 1 * 1024 * 1024; | |||
| 42 | static struct xfrm_state_afinfo *xfrm_state_get_afinfo(unsigned int family); | 42 | static struct xfrm_state_afinfo *xfrm_state_get_afinfo(unsigned int family); |
| 43 | static void xfrm_state_put_afinfo(struct xfrm_state_afinfo *afinfo); | 43 | static void xfrm_state_put_afinfo(struct xfrm_state_afinfo *afinfo); |
| 44 | 44 | ||
| 45 | #ifdef CONFIG_AUDITSYSCALL | ||
| 46 | static void xfrm_audit_state_replay(struct xfrm_state *x, | ||
| 47 | struct sk_buff *skb, __be32 net_seq); | ||
| 48 | #else | ||
| 49 | #define xfrm_audit_state_replay(x, s, sq) do { ; } while (0) | ||
| 50 | #endif /* CONFIG_AUDITSYSCALL */ | ||
| 51 | |||
| 52 | static inline unsigned int xfrm_dst_hash(struct net *net, | 45 | static inline unsigned int xfrm_dst_hash(struct net *net, |
| 53 | const xfrm_address_t *daddr, | 46 | const xfrm_address_t *daddr, |
| 54 | const xfrm_address_t *saddr, | 47 | const xfrm_address_t *saddr, |
| @@ -1619,54 +1612,6 @@ void xfrm_state_walk_done(struct xfrm_state_walk *walk) | |||
| 1619 | } | 1612 | } |
| 1620 | EXPORT_SYMBOL(xfrm_state_walk_done); | 1613 | EXPORT_SYMBOL(xfrm_state_walk_done); |
| 1621 | 1614 | ||
| 1622 | |||
| 1623 | void xfrm_replay_notify(struct xfrm_state *x, int event) | ||
| 1624 | { | ||
| 1625 | struct km_event c; | ||
| 1626 | /* we send notify messages in case | ||
| 1627 | * 1. we updated on of the sequence numbers, and the seqno difference | ||
| 1628 | * is at least x->replay_maxdiff, in this case we also update the | ||
| 1629 | * timeout of our timer function | ||
| 1630 | * 2. if x->replay_maxage has elapsed since last update, | ||
| 1631 | * and there were changes | ||
| 1632 | * | ||
| 1633 | * The state structure must be locked! | ||
| 1634 | */ | ||
| 1635 | |||
| 1636 | switch (event) { | ||
| 1637 | case XFRM_REPLAY_UPDATE: | ||
| 1638 | if (x->replay_maxdiff && | ||
| 1639 | (x->replay.seq - x->preplay.seq < x->replay_maxdiff) && | ||
| 1640 | (x->replay.oseq - x->preplay.oseq < x->replay_maxdiff)) { | ||
| 1641 | if (x->xflags & XFRM_TIME_DEFER) | ||
| 1642 | event = XFRM_REPLAY_TIMEOUT; | ||
| 1643 | else | ||
| 1644 | return; | ||
| 1645 | } | ||
| 1646 | |||
| 1647 | break; | ||
| 1648 | |||
| 1649 | case XFRM_REPLAY_TIMEOUT: | ||
| 1650 | if ((x->replay.seq == x->preplay.seq) && | ||
| 1651 | (x->replay.bitmap == x->preplay.bitmap) && | ||
| 1652 | (x->replay.oseq == x->preplay.oseq)) { | ||
| 1653 | x->xflags |= XFRM_TIME_DEFER; | ||
| 1654 | return; | ||
| 1655 | } | ||
| 1656 | |||
| 1657 | break; | ||
| 1658 | } | ||
| 1659 | |||
| 1660 | memcpy(&x->preplay, &x->replay, sizeof(struct xfrm_replay_state)); | ||
| 1661 | c.event = XFRM_MSG_NEWAE; | ||
| 1662 | c.data.aevent = event; | ||
| 1663 | km_state_notify(x, &c); | ||
| 1664 | |||
| 1665 | if (x->replay_maxage && | ||
| 1666 | !mod_timer(&x->rtimer, jiffies + x->replay_maxage)) | ||
| 1667 | x->xflags &= ~XFRM_TIME_DEFER; | ||
| 1668 | } | ||
| 1669 | |||
| 1670 | static void xfrm_replay_timer_handler(unsigned long data) | 1615 | static void xfrm_replay_timer_handler(unsigned long data) |
| 1671 | { | 1616 | { |
| 1672 | struct xfrm_state *x = (struct xfrm_state*)data; | 1617 | struct xfrm_state *x = (struct xfrm_state*)data; |
| @@ -1675,7 +1620,7 @@ static void xfrm_replay_timer_handler(unsigned long data) | |||
| 1675 | 1620 | ||
| 1676 | if (x->km.state == XFRM_STATE_VALID) { | 1621 | if (x->km.state == XFRM_STATE_VALID) { |
| 1677 | if (xfrm_aevent_is_on(xs_net(x))) | 1622 | if (xfrm_aevent_is_on(xs_net(x))) |
| 1678 | xfrm_replay_notify(x, XFRM_REPLAY_TIMEOUT); | 1623 | x->repl->notify(x, XFRM_REPLAY_TIMEOUT); |
| 1679 | else | 1624 | else |
| 1680 | x->xflags |= XFRM_TIME_DEFER; | 1625 | x->xflags |= XFRM_TIME_DEFER; |
| 1681 | } | 1626 | } |
| @@ -1683,57 +1628,6 @@ static void xfrm_replay_timer_handler(unsigned long data) | |||
| 1683 | spin_unlock(&x->lock); | 1628 | spin_unlock(&x->lock); |
| 1684 | } | 1629 | } |
| 1685 | 1630 | ||
| 1686 | int xfrm_replay_check(struct xfrm_state *x, | ||
| 1687 | struct sk_buff *skb, __be32 net_seq) | ||
| 1688 | { | ||
| 1689 | u32 diff; | ||
| 1690 | u32 seq = ntohl(net_seq); | ||
| 1691 | |||
| 1692 | if (unlikely(seq == 0)) | ||
| 1693 | goto err; | ||
| 1694 | |||
| 1695 | if (likely(seq > x->replay.seq)) | ||
| 1696 | return 0; | ||
| 1697 | |||
| 1698 | diff = x->replay.seq - seq; | ||
| 1699 | if (diff >= min_t(unsigned int, x->props.replay_window, | ||
| 1700 | sizeof(x->replay.bitmap) * 8)) { | ||
| 1701 | x->stats.replay_window++; | ||
| 1702 | goto err; | ||
| 1703 | } | ||
| 1704 | |||
| 1705 | if (x->replay.bitmap & (1U << diff)) { | ||
| 1706 | x->stats.replay++; | ||
| 1707 | goto err; | ||
| 1708 | } | ||
| 1709 | return 0; | ||
| 1710 | |||
| 1711 | err: | ||
| 1712 | xfrm_audit_state_replay(x, skb, net_seq); | ||
| 1713 | return -EINVAL; | ||
| 1714 | } | ||
| 1715 | |||
| 1716 | void xfrm_replay_advance(struct xfrm_state *x, __be32 net_seq) | ||
| 1717 | { | ||
| 1718 | u32 diff; | ||
| 1719 | u32 seq = ntohl(net_seq); | ||
| 1720 | |||
| 1721 | if (seq > x->replay.seq) { | ||
| 1722 | diff = seq - x->replay.seq; | ||
| 1723 | if (diff < x->props.replay_window) | ||
| 1724 | x->replay.bitmap = ((x->replay.bitmap) << diff) | 1; | ||
| 1725 | else | ||
| 1726 | x->replay.bitmap = 1; | ||
| 1727 | x->replay.seq = seq; | ||
| 1728 | } else { | ||
| 1729 | diff = x->replay.seq - seq; | ||
| 1730 | x->replay.bitmap |= (1U << diff); | ||
| 1731 | } | ||
| 1732 | |||
| 1733 | if (xfrm_aevent_is_on(xs_net(x))) | ||
| 1734 | xfrm_replay_notify(x, XFRM_REPLAY_UPDATE); | ||
| 1735 | } | ||
| 1736 | |||
| 1737 | static LIST_HEAD(xfrm_km_list); | 1631 | static LIST_HEAD(xfrm_km_list); |
| 1738 | static DEFINE_RWLOCK(xfrm_km_lock); | 1632 | static DEFINE_RWLOCK(xfrm_km_lock); |
| 1739 | 1633 | ||
| @@ -2246,7 +2140,7 @@ void xfrm_audit_state_replay_overflow(struct xfrm_state *x, | |||
| 2246 | } | 2140 | } |
| 2247 | EXPORT_SYMBOL_GPL(xfrm_audit_state_replay_overflow); | 2141 | EXPORT_SYMBOL_GPL(xfrm_audit_state_replay_overflow); |
| 2248 | 2142 | ||
| 2249 | static void xfrm_audit_state_replay(struct xfrm_state *x, | 2143 | void xfrm_audit_state_replay(struct xfrm_state *x, |
| 2250 | struct sk_buff *skb, __be32 net_seq) | 2144 | struct sk_buff *skb, __be32 net_seq) |
| 2251 | { | 2145 | { |
| 2252 | struct audit_buffer *audit_buf; | 2146 | struct audit_buffer *audit_buf; |
| @@ -2261,6 +2155,7 @@ static void xfrm_audit_state_replay(struct xfrm_state *x, | |||
| 2261 | spi, spi, ntohl(net_seq)); | 2155 | spi, spi, ntohl(net_seq)); |
| 2262 | audit_log_end(audit_buf); | 2156 | audit_log_end(audit_buf); |
| 2263 | } | 2157 | } |
| 2158 | EXPORT_SYMBOL_GPL(xfrm_audit_state_replay); | ||
| 2264 | 2159 | ||
| 2265 | void xfrm_audit_state_notfound_simple(struct sk_buff *skb, u16 family) | 2160 | void xfrm_audit_state_notfound_simple(struct sk_buff *skb, u16 family) |
| 2266 | { | 2161 | { |
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c index 468ab60d3dc0..f7b3c857c989 100644 --- a/net/xfrm/xfrm_user.c +++ b/net/xfrm/xfrm_user.c | |||
| @@ -475,8 +475,10 @@ static struct xfrm_state *xfrm_state_construct(struct net *net, | |||
| 475 | x->preplay.seq = x->replay.seq+x->replay_maxdiff; | 475 | x->preplay.seq = x->replay.seq+x->replay_maxdiff; |
| 476 | x->preplay.oseq = x->replay.oseq +x->replay_maxdiff; | 476 | x->preplay.oseq = x->replay.oseq +x->replay_maxdiff; |
| 477 | 477 | ||
| 478 | /* override default values from above */ | 478 | if ((err = xfrm_init_replay(x))) |
| 479 | goto error; | ||
| 479 | 480 | ||
| 481 | /* override default values from above */ | ||
| 480 | xfrm_update_ae_params(x, attrs); | 482 | xfrm_update_ae_params(x, attrs); |
| 481 | 483 | ||
| 482 | return x; | 484 | return x; |