diff options
Diffstat (limited to 'include/net/xfrm.h')
| -rw-r--r-- | include/net/xfrm.h | 83 |
1 files changed, 69 insertions, 14 deletions
diff --git a/include/net/xfrm.h b/include/net/xfrm.h index ae959e950174..77be396ca633 100644 --- a/include/net/xfrm.h +++ b/include/net/xfrm.h | |||
| @@ -2,7 +2,6 @@ | |||
| 2 | #define _NET_XFRM_H | 2 | #define _NET_XFRM_H |
| 3 | 3 | ||
| 4 | #include <linux/compiler.h> | 4 | #include <linux/compiler.h> |
| 5 | #include <linux/in.h> | ||
| 6 | #include <linux/xfrm.h> | 5 | #include <linux/xfrm.h> |
| 7 | #include <linux/spinlock.h> | 6 | #include <linux/spinlock.h> |
| 8 | #include <linux/list.h> | 7 | #include <linux/list.h> |
| @@ -12,9 +11,11 @@ | |||
| 12 | #include <linux/ipsec.h> | 11 | #include <linux/ipsec.h> |
| 13 | #include <linux/in6.h> | 12 | #include <linux/in6.h> |
| 14 | #include <linux/mutex.h> | 13 | #include <linux/mutex.h> |
| 14 | #include <linux/audit.h> | ||
| 15 | 15 | ||
| 16 | #include <net/sock.h> | 16 | #include <net/sock.h> |
| 17 | #include <net/dst.h> | 17 | #include <net/dst.h> |
| 18 | #include <net/ip.h> | ||
| 18 | #include <net/route.h> | 19 | #include <net/route.h> |
| 19 | #include <net/ipv6.h> | 20 | #include <net/ipv6.h> |
| 20 | #include <net/ip6_fib.h> | 21 | #include <net/ip6_fib.h> |
| @@ -278,6 +279,7 @@ struct xfrm_type | |||
| 278 | __u8 proto; | 279 | __u8 proto; |
| 279 | __u8 flags; | 280 | __u8 flags; |
| 280 | #define XFRM_TYPE_NON_FRAGMENT 1 | 281 | #define XFRM_TYPE_NON_FRAGMENT 1 |
| 282 | #define XFRM_TYPE_REPLAY_PROT 2 | ||
| 281 | 283 | ||
| 282 | int (*init_state)(struct xfrm_state *x); | 284 | int (*init_state)(struct xfrm_state *x); |
| 283 | void (*destructor)(struct xfrm_state *); | 285 | void (*destructor)(struct xfrm_state *); |
| @@ -298,6 +300,18 @@ extern void xfrm_put_type(struct xfrm_type *type); | |||
| 298 | 300 | ||
| 299 | struct xfrm_mode { | 301 | struct xfrm_mode { |
| 300 | int (*input)(struct xfrm_state *x, struct sk_buff *skb); | 302 | int (*input)(struct xfrm_state *x, struct sk_buff *skb); |
| 303 | |||
| 304 | /* | ||
| 305 | * Add encapsulation header. | ||
| 306 | * | ||
| 307 | * On exit, the transport header will be set to the start of the | ||
| 308 | * encapsulation header to be filled in by x->type->output and | ||
| 309 | * the mac header will be set to the nextheader (protocol for | ||
| 310 | * IPv4) field of the extension header directly preceding the | ||
| 311 | * encapsulation header, or in its absence, that of the top IP | ||
| 312 | * header. The value of the network header will always point | ||
| 313 | * to the top IP header while skb->data will point to the payload. | ||
| 314 | */ | ||
| 301 | int (*output)(struct xfrm_state *x,struct sk_buff *skb); | 315 | int (*output)(struct xfrm_state *x,struct sk_buff *skb); |
| 302 | 316 | ||
| 303 | struct module *owner; | 317 | struct module *owner; |
| @@ -418,18 +432,66 @@ extern int xfrm_unregister_km(struct xfrm_mgr *km); | |||
| 418 | 432 | ||
| 419 | extern unsigned int xfrm_policy_count[XFRM_POLICY_MAX*2]; | 433 | extern unsigned int xfrm_policy_count[XFRM_POLICY_MAX*2]; |
| 420 | 434 | ||
| 435 | /* | ||
| 436 | * This structure is used for the duration where packets are being | ||
| 437 | * transformed by IPsec. As soon as the packet leaves IPsec the | ||
| 438 | * area beyond the generic IP part may be overwritten. | ||
| 439 | */ | ||
| 440 | struct xfrm_skb_cb { | ||
| 441 | union { | ||
| 442 | struct inet_skb_parm h4; | ||
| 443 | struct inet6_skb_parm h6; | ||
| 444 | } header; | ||
| 445 | |||
| 446 | /* Sequence number for replay protection. */ | ||
| 447 | u64 seq; | ||
| 448 | }; | ||
| 449 | |||
| 450 | #define XFRM_SKB_CB(__skb) ((struct xfrm_skb_cb *)&((__skb)->cb[0])) | ||
| 451 | |||
| 421 | /* Audit Information */ | 452 | /* Audit Information */ |
| 422 | struct xfrm_audit | 453 | struct xfrm_audit |
| 423 | { | 454 | { |
| 424 | uid_t loginuid; | 455 | u32 loginuid; |
| 425 | u32 secid; | 456 | u32 secid; |
| 426 | }; | 457 | }; |
| 427 | 458 | ||
| 428 | #ifdef CONFIG_AUDITSYSCALL | 459 | #ifdef CONFIG_AUDITSYSCALL |
| 429 | extern void xfrm_audit_log(uid_t auid, u32 secid, int type, int result, | 460 | static inline struct audit_buffer *xfrm_audit_start(u32 auid, u32 sid) |
| 430 | struct xfrm_policy *xp, struct xfrm_state *x); | 461 | { |
| 462 | struct audit_buffer *audit_buf = NULL; | ||
| 463 | char *secctx; | ||
| 464 | u32 secctx_len; | ||
| 465 | |||
| 466 | audit_buf = audit_log_start(current->audit_context, GFP_ATOMIC, | ||
| 467 | AUDIT_MAC_IPSEC_EVENT); | ||
| 468 | if (audit_buf == NULL) | ||
| 469 | return NULL; | ||
| 470 | |||
| 471 | audit_log_format(audit_buf, "auid=%u", auid); | ||
| 472 | |||
| 473 | if (sid != 0 && | ||
| 474 | security_secid_to_secctx(sid, &secctx, &secctx_len) == 0) { | ||
| 475 | audit_log_format(audit_buf, " subj=%s", secctx); | ||
| 476 | security_release_secctx(secctx, secctx_len); | ||
| 477 | } else | ||
| 478 | audit_log_task_context(audit_buf); | ||
| 479 | return audit_buf; | ||
| 480 | } | ||
| 481 | |||
| 482 | extern void xfrm_audit_policy_add(struct xfrm_policy *xp, int result, | ||
| 483 | u32 auid, u32 sid); | ||
| 484 | extern void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result, | ||
| 485 | u32 auid, u32 sid); | ||
| 486 | extern void xfrm_audit_state_add(struct xfrm_state *x, int result, | ||
| 487 | u32 auid, u32 sid); | ||
| 488 | extern void xfrm_audit_state_delete(struct xfrm_state *x, int result, | ||
| 489 | u32 auid, u32 sid); | ||
| 431 | #else | 490 | #else |
| 432 | #define xfrm_audit_log(a,s,t,r,p,x) do { ; } while (0) | 491 | #define xfrm_audit_policy_add(x, r, a, s) do { ; } while (0) |
| 492 | #define xfrm_audit_policy_delete(x, r, a, s) do { ; } while (0) | ||
| 493 | #define xfrm_audit_state_add(x, r, a, s) do { ; } while (0) | ||
| 494 | #define xfrm_audit_state_delete(x, r, a, s) do { ; } while (0) | ||
| 433 | #endif /* CONFIG_AUDITSYSCALL */ | 495 | #endif /* CONFIG_AUDITSYSCALL */ |
| 434 | 496 | ||
| 435 | static inline void xfrm_pol_hold(struct xfrm_policy *policy) | 497 | static inline void xfrm_pol_hold(struct xfrm_policy *policy) |
| @@ -585,7 +647,6 @@ static inline int xfrm_sec_ctx_match(struct xfrm_sec_ctx *s1, struct xfrm_sec_ct | |||
| 585 | struct xfrm_dst | 647 | struct xfrm_dst |
| 586 | { | 648 | { |
| 587 | union { | 649 | union { |
| 588 | struct xfrm_dst *next; | ||
| 589 | struct dst_entry dst; | 650 | struct dst_entry dst; |
| 590 | struct rtable rt; | 651 | struct rtable rt; |
| 591 | struct rt6_info rt6; | 652 | struct rt6_info rt6; |
| @@ -982,9 +1043,9 @@ extern void xfrm_spd_getinfo(struct xfrmk_spdinfo *si); | |||
| 982 | extern int xfrm_replay_check(struct xfrm_state *x, __be32 seq); | 1043 | extern int xfrm_replay_check(struct xfrm_state *x, __be32 seq); |
| 983 | extern void xfrm_replay_advance(struct xfrm_state *x, __be32 seq); | 1044 | extern void xfrm_replay_advance(struct xfrm_state *x, __be32 seq); |
| 984 | extern void xfrm_replay_notify(struct xfrm_state *x, int event); | 1045 | extern void xfrm_replay_notify(struct xfrm_state *x, int event); |
| 985 | extern int xfrm_state_check(struct xfrm_state *x, struct sk_buff *skb); | ||
| 986 | extern int xfrm_state_mtu(struct xfrm_state *x, int mtu); | 1046 | extern int xfrm_state_mtu(struct xfrm_state *x, int mtu); |
| 987 | extern int xfrm_init_state(struct xfrm_state *x); | 1047 | extern int xfrm_init_state(struct xfrm_state *x); |
| 1048 | extern int xfrm_output(struct sk_buff *skb); | ||
| 988 | extern int xfrm4_rcv(struct sk_buff *skb); | 1049 | extern int xfrm4_rcv(struct sk_buff *skb); |
| 989 | extern int xfrm4_output(struct sk_buff *skb); | 1050 | extern int xfrm4_output(struct sk_buff *skb); |
| 990 | extern int xfrm4_tunnel_register(struct xfrm_tunnel *handler, unsigned short family); | 1051 | extern int xfrm4_tunnel_register(struct xfrm_tunnel *handler, unsigned short family); |
| @@ -1035,7 +1096,7 @@ struct xfrm_policy *xfrm_policy_bysel_ctx(u8 type, int dir, | |||
| 1035 | struct xfrm_policy *xfrm_policy_byid(u8, int dir, u32 id, int delete, int *err); | 1096 | struct xfrm_policy *xfrm_policy_byid(u8, int dir, u32 id, int delete, int *err); |
| 1036 | int xfrm_policy_flush(u8 type, struct xfrm_audit *audit_info); | 1097 | int xfrm_policy_flush(u8 type, struct xfrm_audit *audit_info); |
| 1037 | u32 xfrm_get_acqseq(void); | 1098 | u32 xfrm_get_acqseq(void); |
| 1038 | void xfrm_alloc_spi(struct xfrm_state *x, __be32 minspi, __be32 maxspi); | 1099 | extern int xfrm_alloc_spi(struct xfrm_state *x, u32 minspi, u32 maxspi); |
| 1039 | struct xfrm_state * xfrm_find_acq(u8 mode, u32 reqid, u8 proto, | 1100 | struct xfrm_state * xfrm_find_acq(u8 mode, u32 reqid, u8 proto, |
| 1040 | xfrm_address_t *daddr, xfrm_address_t *saddr, | 1101 | xfrm_address_t *daddr, xfrm_address_t *saddr, |
| 1041 | int create, unsigned short family); | 1102 | int create, unsigned short family); |
| @@ -1114,12 +1175,6 @@ static inline int xfrm_aevent_is_on(void) | |||
| 1114 | return ret; | 1175 | return ret; |
| 1115 | } | 1176 | } |
| 1116 | 1177 | ||
| 1117 | static inline void xfrm_aevent_doreplay(struct xfrm_state *x) | ||
| 1118 | { | ||
| 1119 | if (xfrm_aevent_is_on()) | ||
| 1120 | xfrm_replay_notify(x, XFRM_REPLAY_UPDATE); | ||
| 1121 | } | ||
| 1122 | |||
| 1123 | #ifdef CONFIG_XFRM_MIGRATE | 1178 | #ifdef CONFIG_XFRM_MIGRATE |
| 1124 | static inline struct xfrm_algo *xfrm_algo_clone(struct xfrm_algo *orig) | 1179 | static inline struct xfrm_algo *xfrm_algo_clone(struct xfrm_algo *orig) |
| 1125 | { | 1180 | { |