From: Steffen Klassert <steffen.klassert@secunet.com>
To: David Miller <davem@davemloft.net>
Cc: Herbert Xu <herbert@gondor.apana.org.au>,
Steffen Klassert <steffen.klassert@secunet.com>,
<netdev@vger.kernel.org>
Subject: [PATCH 03/13] {IPv4,xfrm} Add ESN support for AH ingress part
Date: Mon, 24 Feb 2014 10:59:51 +0100 [thread overview]
Message-ID: <1393236001-2445-4-git-send-email-steffen.klassert@secunet.com> (raw)
In-Reply-To: <1393236001-2445-1-git-send-email-steffen.klassert@secunet.com>
From: Fan Du <fan.du@windriver.com>
This patch add esn support for AH input stage by attaching upper 32bits
sequence number right after packet payload as specified by RFC 4302.
Then the ICV value will guard upper 32bits sequence number as well when
packet getting in.
Signed-off-by: Fan Du <fan.du@windriver.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
---
net/ipv4/ah4.c | 27 ++++++++++++++++++++++-----
1 file changed, 22 insertions(+), 5 deletions(-)
diff --git a/net/ipv4/ah4.c b/net/ipv4/ah4.c
index c6accac..54b965d 100644
--- a/net/ipv4/ah4.c
+++ b/net/ipv4/ah4.c
@@ -309,6 +309,10 @@ static int ah_input(struct xfrm_state *x, struct sk_buff *skb)
struct ip_auth_hdr *ah;
struct ah_data *ahp;
int err = -ENOMEM;
+ int seqhi_len = 0;
+ __be32 *seqhi;
+ int sglists = 0;
+ struct scatterlist *seqhisg;
if (!pskb_may_pull(skb, sizeof(*ah)))
goto out;
@@ -349,14 +353,22 @@ static int ah_input(struct xfrm_state *x, struct sk_buff *skb)
iph = ip_hdr(skb);
ihl = ip_hdrlen(skb);
- work_iph = ah_alloc_tmp(ahash, nfrags, ihl + ahp->icv_trunc_len);
+ if (x->props.flags & XFRM_STATE_ESN) {
+ sglists = 1;
+ seqhi_len = sizeof(*seqhi);
+ }
+
+ work_iph = ah_alloc_tmp(ahash, nfrags + sglists, ihl +
+ ahp->icv_trunc_len + seqhi_len);
if (!work_iph)
goto out;
- auth_data = ah_tmp_auth(work_iph, ihl);
+ seqhi = (__be32 *)((char *)work_iph + ihl);
+ auth_data = ah_tmp_auth(seqhi, seqhi_len);
icv = ah_tmp_icv(ahash, auth_data, ahp->icv_trunc_len);
req = ah_tmp_req(ahash, icv);
sg = ah_req_sg(ahash, req);
+ seqhisg = sg + nfrags;
memcpy(work_iph, iph, ihl);
memcpy(auth_data, ah->auth_data, ahp->icv_trunc_len);
@@ -375,10 +387,15 @@ static int ah_input(struct xfrm_state *x, struct sk_buff *skb)
skb_push(skb, ihl);
- sg_init_table(sg, nfrags);
- skb_to_sgvec(skb, sg, 0, skb->len);
+ sg_init_table(sg, nfrags + sglists);
+ skb_to_sgvec_nomark(skb, sg, 0, skb->len);
- ahash_request_set_crypt(req, sg, icv, skb->len);
+ if (x->props.flags & XFRM_STATE_ESN) {
+ /* Attach seqhi sg right after packet payload */
+ *seqhi = XFRM_SKB_CB(skb)->seq.input.hi;
+ sg_set_buf(seqhisg, seqhi, seqhi_len);
+ }
+ ahash_request_set_crypt(req, sg, icv, skb->len + seqhi_len);
ahash_request_set_callback(req, 0, ah_input_done, skb);
AH_SKB_CB(skb)->tmp = work_iph;
--
1.7.9.5
next prev parent reply other threads:[~2014-02-24 10:00 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-02-24 9:59 pull request (net-next): ipsec-next 2014-02-24 Steffen Klassert
2014-02-24 9:59 ` [PATCH 01/13] skbuff: Introduce skb_to_sgvec_nomark to map skb without mark new end Steffen Klassert
2014-02-24 9:59 ` [PATCH 02/13] {IPv4,xfrm} Add ESN support for AH egress part Steffen Klassert
2014-02-24 9:59 ` Steffen Klassert [this message]
2014-02-24 9:59 ` [PATCH 04/13] {IPv6,xfrm} " Steffen Klassert
2014-02-24 9:59 ` [PATCH 05/13] {IPv6,xfrm} Add ESN support for AH ingress part Steffen Klassert
2014-02-24 9:59 ` [PATCH 06/13] xfrm: Don't prohibit AH from using ESN feature Steffen Klassert
2014-02-24 9:59 ` [PATCH 07/13] flowcache: Make flow cache name space aware Steffen Klassert
2014-02-24 9:59 ` [PATCH 08/13] flowcache: Bring net/core/flow.c under IPsec maintain scope Steffen Klassert
2014-02-24 9:59 ` [PATCH 09/13] xfrm: avoid creating temporary SA when there are no listeners Steffen Klassert
2014-02-24 9:59 ` [PATCH 10/13] ipsec: add support of limited SA dump Steffen Klassert
2014-02-24 9:59 ` [PATCH 11/13] xfrm: Remove caching of xfrm_policy_sk_bundles Steffen Klassert
2014-02-24 10:00 ` [PATCH 12/13] pfkey: fix SADB_X_EXT_FILTER length check Steffen Klassert
2014-02-24 10:00 ` [PATCH 13/13] xfrm: Cleanup error handling of xfrm_state_clone Steffen Klassert
2014-02-24 23:17 ` pull request (net-next): ipsec-next 2014-02-24 David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1393236001-2445-4-git-send-email-steffen.klassert@secunet.com \
--to=steffen.klassert@secunet.com \
--cc=davem@davemloft.net \
--cc=herbert@gondor.apana.org.au \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).