13
13
* for more details.
16
char ipsec_esp_c_version[] = "RCSID $Id: ipsec_esp.c,v 1.1 2003/12/13 19:10:21 mcr Exp $";
16
char ipsec_esp_c_version[] = "RCSID $Id: ipsec_esp.c,v 1.8 2004/09/14 00:22:57 mcr Exp $";
17
17
#include <linux/config.h>
18
18
#include <linux/version.h>
21
21
#include <linux/module.h>
22
22
#include <linux/kernel.h> /* printk() */
24
#include "freeswan/ipsec_param.h"
24
#include "openswan/ipsec_param.h"
27
27
# include <linux/slab.h> /* kmalloc() */
52
52
#include <asm/checksum.h>
53
53
#include <net/ip.h>
55
#include "freeswan/radij.h"
56
#include "freeswan/ipsec_encap.h"
57
#include "freeswan/ipsec_sa.h"
59
#include "freeswan/ipsec_radij.h"
60
#include "freeswan/ipsec_xform.h"
61
#include "freeswan/ipsec_tunnel.h"
62
#include "freeswan/ipsec_rcv.h"
63
#include "freeswan/ipsec_xmit.h"
65
#include "freeswan/ipsec_auth.h"
67
#ifdef CONFIG_IPSEC_ESP
68
#include "freeswan/ipsec_esp.h"
69
#endif /* CONFIG_IPSEC_ESP */
71
#include "freeswan/ipsec_proto.h"
73
#ifdef CONFIG_IPSEC_DEBUG
75
#endif /* CONFIG_IPSEC_DEBUG */
78
#ifdef CONFIG_IPSEC_ESP
54
#include <net/protocol.h>
56
#include "openswan/radij.h"
57
#include "openswan/ipsec_encap.h"
58
#include "openswan/ipsec_sa.h"
60
#include "openswan/ipsec_radij.h"
61
#include "openswan/ipsec_xform.h"
62
#include "openswan/ipsec_tunnel.h"
63
#include "openswan/ipsec_rcv.h"
64
#include "openswan/ipsec_xmit.h"
66
#include "openswan/ipsec_auth.h"
68
#ifdef CONFIG_KLIPS_ESP
69
#include "openswan/ipsec_esp.h"
70
#endif /* CONFIG_KLIPS_ESP */
72
#include "openswan/ipsec_proto.h"
73
#include "openswan/ipsec_alg.h"
75
#ifdef CONFIG_KLIPS_ESP
79
76
enum ipsec_rcv_value
80
77
ipsec_rcv_esp_checks(struct ipsec_rcv_state *irs,
81
78
struct sk_buff *skb)
152
#ifdef CONFIG_KLIPS_ALG
153
if (irs->ipsp->ips_alg_auth) {
154
KLIPS_PRINT(debug_rcv,
155
"klips_debug:ipsec_rcv: "
156
"ipsec_alg hashing proto=%d... ",
158
if(irs->said.proto == IPPROTO_ESP) {
159
ipsec_alg_sa_esp_hash(irs->ipsp,
160
(caddr_t)espp, irs->ilen,
161
irs->hash, AHHMAC_HASHLEN);
164
return IPSEC_RCV_BADPROTO;
155
167
aa = irs->authfuncs;
157
169
/* copy the initialized keying material */
184
196
struct sk_buff *skb;
197
#ifdef CONFIG_KLIPS_ALG
198
struct ipsec_alg_enc *ixt_e=NULL;
199
#endif /* CONFIG_KLIPS_ALG */
188
203
idat = skb->data + irs->iphlen;
205
#ifdef CONFIG_KLIPS_ALG
206
if ((ixt_e=ipsp->ips_alg_enc)) {
207
esphlen = ESP_HEADER_LEN + ixt_e->ixt_ivlen/8;
208
KLIPS_PRINT(debug_rcv,
209
"klips_debug:ipsec_rcv: "
210
"encalg=%d esphlen=%d\n",
211
ipsp->ips_encalg, esphlen);
213
#endif /* CONFIG_KLIPS_ALG */
190
214
switch(ipsp->ips_encalg) {
192
216
iv[0] = *((__u32 *)(espp->esp_iv) );
205
229
irs->ilen -= esphlen;
231
#ifdef CONFIG_KLIPS_ALG
234
if (ipsec_alg_esp_encrypt(ipsp,
235
idat, irs->ilen, espp->esp_iv,
236
IPSEC_ALG_DECRYPT) <= 0)
238
printk("klips_error:ipsec_rcv: "
239
"got packet with esplen = %d "
240
"from %s -- should be on "
241
"ENC(%d) octet boundary, "
247
irs->stats->rx_errors++;
249
return IPSEC_RCV_BAD_DECRYPT;
252
#endif /* CONFIG_KLIPS_ALG */
207
253
switch(ipsp->ips_encalg) {
209
255
if ((irs->ilen) % 8) {
332
378
unsigned char *idat, *pad;
333
379
__u8 hash[AH_AMAX];
335
#ifdef CONFIG_IPSEC_AUTH_HMAC_MD5
381
#ifdef CONFIG_KLIPS_AUTH_HMAC_MD5
337
#endif /* CONFIG_IPSEC_AUTH_HMAC_MD5 */
338
#ifdef CONFIG_IPSEC_AUTH_HMAC_SHA1
383
#endif /* CONFIG_KLIPS_AUTH_HMAC_MD5 */
384
#ifdef CONFIG_KLIPS_AUTH_HMAC_SHA1
340
#endif /* CONFIG_IPSEC_AUTH_HMAC_SHA1 */
386
#endif /* CONFIG_KLIPS_AUTH_HMAC_SHA1 */
343
389
dat = (unsigned char *)ixs->iph;
347
393
espp->esp_rpl = htonl(++(ixs->ipsp->ips_replaywin_lastseq));
349
395
switch(ixs->ipsp->ips_encalg) {
350
#if defined(CONFIG_IPSEC_ENC_3DES)
351
#ifdef CONFIG_IPSEC_ENC_3DES
396
#if defined(CONFIG_KLIPS_ENC_3DES)
397
#ifdef CONFIG_KLIPS_ENC_3DES
353
#endif /* CONFIG_IPSEC_ENC_3DES */
399
#endif /* CONFIG_KLIPS_ENC_3DES */
354
400
iv[0] = *((__u32*)&(espp->esp_iv) ) =
355
401
((__u32*)(ixs->ipsp->ips_iv))[0];
356
402
iv[1] = *((__u32*)&(espp->esp_iv) + 1) =
357
403
((__u32*)(ixs->ipsp->ips_iv))[1];
359
#endif /* defined(CONFIG_IPSEC_ENC_3DES) */
405
#endif /* defined(CONFIG_KLIPS_ENC_3DES) */
361
407
ixs->stats->tx_errors++;
362
408
return IPSEC_XMIT_ESP_BADALG;
377
423
ixs->iph->protocol = IPPROTO_ESP;
379
425
switch(ixs->ipsp->ips_encalg) {
380
#ifdef CONFIG_IPSEC_ENC_3DES
426
#ifdef CONFIG_KLIPS_ENC_3DES
382
428
des_ede3_cbc_encrypt((des_cblock *)idat,
383
429
(des_cblock *)idat,
387
433
((struct des_eks *)(ixs->ipsp->ips_key_e))[2].ks,
388
434
(des_cblock *)iv, 1);
390
#endif /* CONFIG_IPSEC_ENC_3DES */
436
#endif /* CONFIG_KLIPS_ENC_3DES */
392
438
ixs->stats->tx_errors++;
393
439
return IPSEC_XMIT_ESP_BADALG;
396
442
switch(ixs->ipsp->ips_encalg) {
397
#if defined(CONFIG_IPSEC_ENC_3DES)
398
#ifdef CONFIG_IPSEC_ENC_3DES
443
#if defined(CONFIG_KLIPS_ENC_3DES)
444
#ifdef CONFIG_KLIPS_ENC_3DES
400
#endif /* CONFIG_IPSEC_ENC_3DES */
446
#endif /* CONFIG_KLIPS_ENC_3DES */
401
447
/* XXX update IV with the last 8 octets of the encryption */
402
448
#if KLIPS_IMPAIRMENT_ESPIV_CBC_ATTACK
403
449
((__u32*)(ixs->ipsp->ips_iv))[0] =
408
454
prng_bytes(&ipsec_prng, (char *)ixs->ipsp->ips_iv, EMT_ESPDES_IV_SZ);
409
455
#endif /* KLIPS_IMPAIRMENT_ESPIV_CBC_ATTACK */
411
#endif /* defined(CONFIG_IPSEC_ENC_3DES) */
457
#endif /* defined(CONFIG_KLIPS_ENC_3DES) */
413
459
ixs->stats->tx_errors++;
414
460
return IPSEC_XMIT_ESP_BADALG;
417
463
switch(ixs->ipsp->ips_authalg) {
418
#ifdef CONFIG_IPSEC_AUTH_HMAC_MD5
464
#ifdef CONFIG_KLIPS_AUTH_HMAC_MD5
420
466
ipsec_xmit_dmp("espp", (char*)espp, ixs->skb->len - ixs->iphlen - ixs->authlen);
421
467
tctx.md5 = ((struct md5_ctx*)(ixs->ipsp->ips_key_a))->ictx;
422
468
ipsec_xmit_dmp("ictx", (char*)&tctx.md5, sizeof(tctx.md5));
423
MD5Update(&tctx.md5, (caddr_t)espp, ixs->skb->len - ixs->iphlen - ixs->authlen);
469
osMD5Update(&tctx.md5, (caddr_t)espp, ixs->skb->len - ixs->iphlen - ixs->authlen);
424
470
ipsec_xmit_dmp("ictx+dat", (char*)&tctx.md5, sizeof(tctx.md5));
425
MD5Final(hash, &tctx.md5);
471
osMD5Final(hash, &tctx.md5);
426
472
ipsec_xmit_dmp("ictx hash", (char*)&hash, sizeof(hash));
427
473
tctx.md5 = ((struct md5_ctx*)(ixs->ipsp->ips_key_a))->octx;
428
474
ipsec_xmit_dmp("octx", (char*)&tctx.md5, sizeof(tctx.md5));
429
MD5Update(&tctx.md5, hash, AHMD596_ALEN);
475
osMD5Update(&tctx.md5, hash, AHMD596_ALEN);
430
476
ipsec_xmit_dmp("octx+hash", (char*)&tctx.md5, sizeof(tctx.md5));
431
MD5Final(hash, &tctx.md5);
477
osMD5Final(hash, &tctx.md5);
432
478
ipsec_xmit_dmp("octx hash", (char*)&hash, sizeof(hash));
433
479
memcpy(&(dat[ixs->skb->len - ixs->authlen]), hash, ixs->authlen);
436
482
memset((caddr_t)&tctx.md5, 0, sizeof(tctx.md5));
437
483
memset((caddr_t)hash, 0, sizeof(*hash));
439
#endif /* CONFIG_IPSEC_AUTH_HMAC_MD5 */
440
#ifdef CONFIG_IPSEC_AUTH_HMAC_SHA1
485
#endif /* CONFIG_KLIPS_AUTH_HMAC_MD5 */
486
#ifdef CONFIG_KLIPS_AUTH_HMAC_SHA1
442
488
tctx.sha1 = ((struct sha1_ctx*)(ixs->ipsp->ips_key_a))->ictx;
443
489
SHA1Update(&tctx.sha1, (caddr_t)espp, ixs->skb->len - ixs->iphlen - ixs->authlen);
451
497
memset((caddr_t)&tctx.sha1, 0, sizeof(tctx.sha1));
452
498
memset((caddr_t)hash, 0, sizeof(*hash));
454
#endif /* CONFIG_IPSEC_AUTH_HMAC_SHA1 */
500
#endif /* CONFIG_KLIPS_AUTH_HMAC_SHA1 */
498
#endif /* !CONFIG_IPSEC_ESP */
549
#endif /* !CONFIG_KLIPS_ESP */
553
* $Log: ipsec_esp.c,v $
554
* Revision 1.8 2004/09/14 00:22:57 mcr
555
* adjustment of MD5* functions.
557
* Revision 1.7 2004/09/13 02:23:01 mcr
558
* #define inet_protocol if necessary.
560
* Revision 1.6 2004/09/06 18:35:49 mcr
561
* 2.6.8.1 gets rid of inet_protocol->net_protocol compatibility,
562
* so adjust for that.
564
* Revision 1.5 2004/08/17 03:27:23 mcr
567
* Revision 1.4 2004/08/04 15:57:07 mcr
568
* moved des .h files to include/des/ *
569
* included 2.6 protocol specific things
570
* started at NAT-T support, but it will require a kernel patch.
572
* Revision 1.3 2004/07/10 19:11:18 mcr
573
* CONFIG_IPSEC -> CONFIG_KLIPS.
575
* Revision 1.2 2004/04/06 02:49:25 mcr
576
* pullup of algo code from alg-branch.