diff options
| -rw-r--r-- | include/net/xfrm.h | 20 | ||||
| -rw-r--r-- | net/ipv4/ah4.c | 4 | ||||
| -rw-r--r-- | net/ipv4/esp4.c | 4 | ||||
| -rw-r--r-- | net/ipv6/ah6.c | 4 | ||||
| -rw-r--r-- | net/ipv6/esp6.c | 4 | ||||
| -rw-r--r-- | net/xfrm/xfrm_output.c | 5 |
6 files changed, 32 insertions, 9 deletions
diff --git a/include/net/xfrm.h b/include/net/xfrm.h index bb9193434eb3..a267725f9753 100644 --- a/include/net/xfrm.h +++ b/include/net/xfrm.h | |||
| @@ -2,7 +2,6 @@ | |||
| 2 | #define _NET_XFRM_H | 2 | #define _NET_XFRM_H |
| 3 | 3 | ||
| 4 | #include <linux/compiler.h> | 4 | #include <linux/compiler.h> |
| 5 | #include <linux/in.h> | ||
| 6 | #include <linux/xfrm.h> | 5 | #include <linux/xfrm.h> |
| 7 | #include <linux/spinlock.h> | 6 | #include <linux/spinlock.h> |
| 8 | #include <linux/list.h> | 7 | #include <linux/list.h> |
| @@ -16,6 +15,7 @@ | |||
| 16 | 15 | ||
| 17 | #include <net/sock.h> | 16 | #include <net/sock.h> |
| 18 | #include <net/dst.h> | 17 | #include <net/dst.h> |
| 18 | #include <net/ip.h> | ||
| 19 | #include <net/route.h> | 19 | #include <net/route.h> |
| 20 | #include <net/ipv6.h> | 20 | #include <net/ipv6.h> |
| 21 | #include <net/ip6_fib.h> | 21 | #include <net/ip6_fib.h> |
| @@ -279,6 +279,7 @@ struct xfrm_type | |||
| 279 | __u8 proto; | 279 | __u8 proto; |
| 280 | __u8 flags; | 280 | __u8 flags; |
| 281 | #define XFRM_TYPE_NON_FRAGMENT 1 | 281 | #define XFRM_TYPE_NON_FRAGMENT 1 |
| 282 | #define XFRM_TYPE_REPLAY_PROT 2 | ||
| 282 | 283 | ||
| 283 | int (*init_state)(struct xfrm_state *x); | 284 | int (*init_state)(struct xfrm_state *x); |
| 284 | void (*destructor)(struct xfrm_state *); | 285 | void (*destructor)(struct xfrm_state *); |
| @@ -419,6 +420,23 @@ extern int xfrm_unregister_km(struct xfrm_mgr *km); | |||
| 419 | 420 | ||
| 420 | extern unsigned int xfrm_policy_count[XFRM_POLICY_MAX*2]; | 421 | extern unsigned int xfrm_policy_count[XFRM_POLICY_MAX*2]; |
| 421 | 422 | ||
| 423 | /* | ||
| 424 | * This structure is used for the duration where packets are being | ||
| 425 | * transformed by IPsec. As soon as the packet leaves IPsec the | ||
| 426 | * area beyond the generic IP part may be overwritten. | ||
| 427 | */ | ||
| 428 | struct xfrm_skb_cb { | ||
| 429 | union { | ||
| 430 | struct inet_skb_parm h4; | ||
| 431 | struct inet6_skb_parm h6; | ||
| 432 | } header; | ||
| 433 | |||
| 434 | /* Sequence number for replay protection. */ | ||
| 435 | u64 seq; | ||
| 436 | }; | ||
| 437 | |||
| 438 | #define XFRM_SKB_CB(__skb) ((struct xfrm_skb_cb *)&((__skb)->cb[0])) | ||
| 439 | |||
| 422 | /* Audit Information */ | 440 | /* Audit Information */ |
| 423 | struct xfrm_audit | 441 | struct xfrm_audit |
| 424 | { | 442 | { |
diff --git a/net/ipv4/ah4.c b/net/ipv4/ah4.c index dc1d8e871b24..58af298e1941 100644 --- a/net/ipv4/ah4.c +++ b/net/ipv4/ah4.c | |||
| @@ -96,8 +96,7 @@ static int ah_output(struct xfrm_state *x, struct sk_buff *skb) | |||
| 96 | 96 | ||
| 97 | ah->reserved = 0; | 97 | ah->reserved = 0; |
| 98 | ah->spi = x->id.spi; | 98 | ah->spi = x->id.spi; |
| 99 | ah->seq_no = htonl(++x->replay.oseq); | 99 | ah->seq_no = htonl(XFRM_SKB_CB(skb)->seq); |
| 100 | xfrm_aevent_doreplay(x); | ||
| 101 | err = ah_mac_digest(ahp, skb, ah->auth_data); | 100 | err = ah_mac_digest(ahp, skb, ah->auth_data); |
| 102 | if (err) | 101 | if (err) |
| 103 | goto error; | 102 | goto error; |
| @@ -297,6 +296,7 @@ static struct xfrm_type ah_type = | |||
| 297 | .description = "AH4", | 296 | .description = "AH4", |
| 298 | .owner = THIS_MODULE, | 297 | .owner = THIS_MODULE, |
| 299 | .proto = IPPROTO_AH, | 298 | .proto = IPPROTO_AH, |
| 299 | .flags = XFRM_TYPE_REPLAY_PROT, | ||
| 300 | .init_state = ah_init_state, | 300 | .init_state = ah_init_state, |
| 301 | .destructor = ah_destroy, | 301 | .destructor = ah_destroy, |
| 302 | .input = ah_input, | 302 | .input = ah_input, |
diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c index d233e2e62500..0f62af9a7f15 100644 --- a/net/ipv4/esp4.c +++ b/net/ipv4/esp4.c | |||
| @@ -95,8 +95,7 @@ static int esp_output(struct xfrm_state *x, struct sk_buff *skb) | |||
| 95 | top_iph->protocol = IPPROTO_ESP; | 95 | top_iph->protocol = IPPROTO_ESP; |
| 96 | 96 | ||
| 97 | esph->spi = x->id.spi; | 97 | esph->spi = x->id.spi; |
| 98 | esph->seq_no = htonl(++x->replay.oseq); | 98 | esph->seq_no = htonl(XFRM_SKB_CB(skb)->seq); |
| 99 | xfrm_aevent_doreplay(x); | ||
| 100 | 99 | ||
| 101 | if (esp->conf.ivlen) { | 100 | if (esp->conf.ivlen) { |
| 102 | if (unlikely(!esp->conf.ivinitted)) { | 101 | if (unlikely(!esp->conf.ivinitted)) { |
| @@ -437,6 +436,7 @@ static struct xfrm_type esp_type = | |||
| 437 | .description = "ESP4", | 436 | .description = "ESP4", |
| 438 | .owner = THIS_MODULE, | 437 | .owner = THIS_MODULE, |
| 439 | .proto = IPPROTO_ESP, | 438 | .proto = IPPROTO_ESP, |
| 439 | .flags = XFRM_TYPE_REPLAY_PROT, | ||
| 440 | .init_state = esp_init_state, | 440 | .init_state = esp_init_state, |
| 441 | .destructor = esp_destroy, | 441 | .destructor = esp_destroy, |
| 442 | .get_mtu = esp4_get_mtu, | 442 | .get_mtu = esp4_get_mtu, |
diff --git a/net/ipv6/ah6.c b/net/ipv6/ah6.c index 69a2030407b8..ae68a900f605 100644 --- a/net/ipv6/ah6.c +++ b/net/ipv6/ah6.c | |||
| @@ -283,8 +283,7 @@ static int ah6_output(struct xfrm_state *x, struct sk_buff *skb) | |||
| 283 | 283 | ||
| 284 | ah->reserved = 0; | 284 | ah->reserved = 0; |
| 285 | ah->spi = x->id.spi; | 285 | ah->spi = x->id.spi; |
| 286 | ah->seq_no = htonl(++x->replay.oseq); | 286 | ah->seq_no = htonl(XFRM_SKB_CB(skb)->seq); |
| 287 | xfrm_aevent_doreplay(x); | ||
| 288 | err = ah_mac_digest(ahp, skb, ah->auth_data); | 287 | err = ah_mac_digest(ahp, skb, ah->auth_data); |
| 289 | if (err) | 288 | if (err) |
| 290 | goto error_free_iph; | 289 | goto error_free_iph; |
| @@ -506,6 +505,7 @@ static struct xfrm_type ah6_type = | |||
| 506 | .description = "AH6", | 505 | .description = "AH6", |
| 507 | .owner = THIS_MODULE, | 506 | .owner = THIS_MODULE, |
| 508 | .proto = IPPROTO_AH, | 507 | .proto = IPPROTO_AH, |
| 508 | .flags = XFRM_TYPE_REPLAY_PROT, | ||
| 509 | .init_state = ah6_init_state, | 509 | .init_state = ah6_init_state, |
| 510 | .destructor = ah6_destroy, | 510 | .destructor = ah6_destroy, |
| 511 | .input = ah6_input, | 511 | .input = ah6_input, |
diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c index 77281068d0f9..0c5fb81451b7 100644 --- a/net/ipv6/esp6.c +++ b/net/ipv6/esp6.c | |||
| @@ -95,8 +95,7 @@ static int esp6_output(struct xfrm_state *x, struct sk_buff *skb) | |||
| 95 | *skb_network_header(skb) = IPPROTO_ESP; | 95 | *skb_network_header(skb) = IPPROTO_ESP; |
| 96 | 96 | ||
| 97 | esph->spi = x->id.spi; | 97 | esph->spi = x->id.spi; |
| 98 | esph->seq_no = htonl(++x->replay.oseq); | 98 | esph->seq_no = htonl(XFRM_SKB_CB(skb)->seq); |
| 99 | xfrm_aevent_doreplay(x); | ||
| 100 | 99 | ||
| 101 | if (esp->conf.ivlen) { | 100 | if (esp->conf.ivlen) { |
| 102 | if (unlikely(!esp->conf.ivinitted)) { | 101 | if (unlikely(!esp->conf.ivinitted)) { |
| @@ -373,6 +372,7 @@ static struct xfrm_type esp6_type = | |||
| 373 | .description = "ESP6", | 372 | .description = "ESP6", |
| 374 | .owner = THIS_MODULE, | 373 | .owner = THIS_MODULE, |
| 375 | .proto = IPPROTO_ESP, | 374 | .proto = IPPROTO_ESP, |
| 375 | .flags = XFRM_TYPE_REPLAY_PROT, | ||
| 376 | .init_state = esp6_init_state, | 376 | .init_state = esp6_init_state, |
| 377 | .destructor = esp6_destroy, | 377 | .destructor = esp6_destroy, |
| 378 | .get_mtu = esp6_get_mtu, | 378 | .get_mtu = esp6_get_mtu, |
diff --git a/net/xfrm/xfrm_output.c b/net/xfrm/xfrm_output.c index 5b1c978a323c..20e789d8c63e 100644 --- a/net/xfrm/xfrm_output.c +++ b/net/xfrm/xfrm_output.c | |||
| @@ -58,6 +58,11 @@ int xfrm_output(struct sk_buff *skb) | |||
| 58 | if (err) | 58 | if (err) |
| 59 | goto error; | 59 | goto error; |
| 60 | 60 | ||
| 61 | if (x->type->flags & XFRM_TYPE_REPLAY_PROT) { | ||
| 62 | XFRM_SKB_CB(skb)->seq = ++x->replay.oseq; | ||
| 63 | xfrm_aevent_doreplay(x); | ||
| 64 | } | ||
| 65 | |||
| 61 | err = x->mode->output(x, skb); | 66 | err = x->mode->output(x, skb); |
| 62 | if (err) | 67 | if (err) |
| 63 | goto error; | 68 | goto error; |