Merge nuts.ninka.net:/home/davem/src/BK/network-2.5

into nuts.ninka.net:/home/davem/src/BK/net-2.5

include/linux/in.h

@@ -70,6 +70,7 @@ struct in_addr {
 #define IP_MTU		14
 #define IP_FREEBIND	15
 #define IP_IPSEC_POLICY	16
+#define IP_XFRM_POLICY	17
 
 /* BSD compatibility */
 #define IP_RECVRETOPTS	IP_RETOPTS

include/linux/xfrm.h

@@ -91,6 +91,22 @@ struct xfrm_stats {
 	__u32	integrity_failed;
 };
 
+enum
+{
+	XFRM_POLICY_IN	= 0,
+	XFRM_POLICY_OUT	= 1,
+	XFRM_POLICY_FWD	= 2,
+	XFRM_POLICY_MAX	= 3
+};
+
+enum
+{
+	XFRM_SHARE_ANY,		/* No limitations */
+	XFRM_SHARE_SESSION,	/* For this session only */
+	XFRM_SHARE_USER,	/* For this user only */
+	XFRM_SHARE_UNIQUE	/* Use once */
+};
+
 /* Netlink configuration messages.  */
 #define XFRM_MSG_BASE		0x10
 
@@ -104,8 +120,9 @@ struct xfrm_stats {
 
 #define XFRM_MSG_ALLOCSPI	(RTM_BASE + 6)
 #define XFRM_MSG_ACQUIRE	(RTM_BASE + 7)
+#define XFRM_MSG_EXPIRE		(RTM_BASE + 8)
 
-#define XFRM_MSG_MAX		(XFRM_MSG_ACQUIRE+1)
+#define XFRM_MSG_MAX		(XFRM_MSG_EXPIRE+1)
 
 struct xfrm_user_tmpl {
 	struct xfrm_id		id;
@@ -113,6 +130,7 @@ struct xfrm_user_tmpl {
 	__u16			reqid;
 	__u8			mode;
 	__u8			share;
+	__u8			optional;
 	__u32			aalgos;
 	__u32			ealgos;
 	__u32			calgos;
@@ -135,9 +153,9 @@ struct xfrm_usersa_info {
 	struct xfrm_lifetime_cfg	lft;
 	struct xfrm_lifetime_cur	curlft;
 	struct xfrm_stats		stats;
+	__u32				seq;
 	__u16				family;
 	__u16				reqid;
-	__u8				sa_type;
 	__u8				mode; /* 0=transport,1=tunnel */
 	__u8				replay_window;
 };
@@ -148,15 +166,26 @@ struct xfrm_usersa_id {
 	__u8				proto;
 };
 
+struct xfrm_userspi_info {
+	struct xfrm_usersa_info		info;
+	u32				min;
+	u32				max;
+};
+
 struct xfrm_userpolicy_info {
 	struct xfrm_selector		sel;
-	struct xfrm_id			id;
 	struct xfrm_lifetime_cfg	lft;
 	struct xfrm_lifetime_cur	curlft;
+	__u32				priority;
 	__u32				index;
 	__u16				family;
 	__u8				dir;
 	__u8				action;
+#define XFRM_POLICY_ALLOW	0
+#define XFRM_POLICY_BLOCK	1
+	__u8				flags;
+#define XFRM_POLICY_LOCALOK	1	/* Allow user to override global policy */
+	__u8				share;
 };
 
 struct xfrm_userpolicy_id {
@@ -165,4 +194,22 @@ struct xfrm_userpolicy_id {
 	__u8				dir;
 };
 
+struct xfrm_user_acquire {
+	struct xfrm_id			id;
+	xfrm_address_t			saddr;
+	struct xfrm_userpolicy_info	policy;
+	__u32				aalgos;
+	__u32				ealgos;
+	__u32				calgos;
+	__u32				seq;
+};
+
+struct xfrm_user_expire {
+	struct xfrm_usersa_info		state;
+	__u8				hard;
+};
+
+#define XFRMGRP_ACQUIRE		1
+#define XFRMGRP_EXPIRE		2
+
 #endif /* _LINUX_XFRM_H */

include/net/xfrm.h

@@ -187,22 +187,6 @@ struct xfrm_tmpl
 
 #define XFRM_MAX_DEPTH		3
 
-enum
-{
-	XFRM_SHARE_ANY,		/* No limitations */
-	XFRM_SHARE_SESSION,	/* For this session only */
-	XFRM_SHARE_USER,	/* For this user only */
-	XFRM_SHARE_UNIQUE	/* Use once */
-};
-
-enum
-{
-	XFRM_POLICY_IN	= 0,
-	XFRM_POLICY_OUT	= 1,
-	XFRM_POLICY_FWD	= 2,
-	XFRM_POLICY_MAX	= 3
-};
-
 struct xfrm_policy
 {
 	struct xfrm_policy	*next;
@@ -218,10 +202,7 @@ struct xfrm_policy
 	struct xfrm_lifetime_cur curlft;
 	struct dst_entry       *bundles;
 	__u8			action;
-#define XFRM_POLICY_ALLOW	0
-#define XFRM_POLICY_BLOCK	1
 	__u8			flags;
-#define XFRM_POLICY_LOCALOK	1	/* Allow user to override global policy */
 	__u8			dead;
 	__u8			xfrm_nr;
 	struct xfrm_tmpl       	xfrm_vec[XFRM_MAX_DEPTH];

net/ipv4/Kconfig

@@ -362,5 +362,13 @@ config INET_ESP
 
 	  If unsure, say Y.
 
+config XFRM_USER
+	tristate "IP: IPsec user configuration interface"
+	---help---
+	  Support for IPsec user configuration interface used
+	  by native Linux tools.
+
+	  If unsure, say Y.
+
 source "net/ipv4/netfilter/Kconfig"
 

net/ipv4/Makefile

@@ -20,6 +20,7 @@ obj-$(CONFIG_INET_AH) += ah.o
 obj-$(CONFIG_INET_ESP) += esp.o
 obj-$(CONFIG_IP_PNP) += ipconfig.o
 obj-$(CONFIG_NETFILTER)	+= netfilter/
+obj-$(CONFIG_XFRM_USER) += xfrm_user.o
 
 obj-y += xfrm_policy.o xfrm_state.o xfrm_input.o
 

net/ipv4/ah.c

@@ -189,7 +189,7 @@ int ah_output(struct sk_buff *skb)
 		top_iph->saddr = x->props.saddr.xfrm4_addr;
 		top_iph->daddr = x->id.daddr.xfrm4_addr;
 		ah = (struct ip_auth_hdr*)(top_iph+1);
-		ah->nexthdr = IPPROTO_IP;
+		ah->nexthdr = IPPROTO_IPIP;
 	} else {
 		memcpy(&tmp_iph, skb->data, iph->ihl*4);
 		top_iph = (struct iphdr*)skb_push(skb, x->props.header_len);

net/ipv4/esp.c

@@ -190,11 +190,10 @@ esp_hmac_digest(struct esp_data *esp, struct sk_buff *skb, int offset,
 	struct crypto_tfm *tfm = esp->auth.tfm;
 	char *digest = esp->auth.work_digest;
 
-	memset(auth_data, 0, esp->auth.authlen);
  	crypto_hmac_init(tfm, esp->auth.key, &esp->auth.key_len);
 	skb_digest_walk(skb, tfm, offset, len);
 	crypto_hmac_final(tfm, esp->auth.key, &esp->auth.key_len, digest);
-	memcpy(auth_data, digest, crypto_tfm_alg_digestsize(tfm));
+	memcpy(auth_data, digest, esp->auth.authlen);
 }
 
 /* Check that skb data bits are writable. If they are not, copy data
@@ -370,7 +369,7 @@ int esp_output(struct sk_buff *skb)
 	if (x->props.mode) {
 		top_iph = (struct iphdr*)skb_push(skb, x->props.header_len);
 		esph = (struct ip_esp_hdr*)(top_iph+1);
-		*(u8*)(trailer->tail - 1) = IPPROTO_IP;
+		*(u8*)(trailer->tail - 1) = IPPROTO_IPIP;
 		top_iph->ihl = 5;
 		top_iph->version = 4;
 		top_iph->tos = iph->tos;	/* DS disclosed */
@@ -463,16 +462,16 @@ int esp_input(struct xfrm_state *x, struct sk_buff *skb)
 
 	/* If integrity check is required, do this. */
 	if (esp->auth.authlen) {
-		int icvsize = crypto_tfm_alg_digestsize(esp->auth.tfm);
-		u8 sum[icvsize];
-		u8 sum1[icvsize];
+		u8 sum[esp->auth.authlen];
+		u8 sum1[esp->auth.authlen];
 
 		esp->auth.digest(esp, skb, 0, skb->len-esp->auth.authlen, sum);
 
-		if (skb_copy_bits(skb, skb->len-esp->auth.authlen, sum1, icvsize))
+		if (skb_copy_bits(skb, skb->len-esp->auth.authlen, sum1, 
+				esp->auth.authlen))
 			BUG();
 
-		if (unlikely(memcmp(sum, sum1, icvsize))) {
+		if (unlikely(memcmp(sum, sum1, esp->auth.authlen))) {
 			x->stats.integrity_failed++;
 			goto out;
 		}
@@ -605,14 +604,20 @@ int esp_init_state(struct xfrm_state *x, void *args)
 	memset(esp, 0, sizeof(*esp));
 
 	if (x->aalg) {
+		int digestsize;
+
 		esp->auth.key = x->aalg->alg_key;
 		esp->auth.key_len = (x->aalg->alg_key_len+7)/8;
 		esp->auth.tfm = crypto_alloc_tfm(x->aalg->alg_name, 0);
 		if (esp->auth.tfm == NULL)
 			goto error;
 		esp->auth.digest = esp_hmac_digest;
-		esp->auth.authlen = crypto_tfm_alg_digestsize(esp->auth.tfm);
-		esp->auth.work_digest = kmalloc(esp->auth.authlen, GFP_KERNEL);
+		digestsize = crypto_tfm_alg_digestsize(esp->auth.tfm);
+		/* XXX RFC2403 and RFC 2404 truncate auth to 96 bit */
+		esp->auth.authlen = 12;
+		if (esp->auth.authlen > digestsize) /* XXX */
+			BUG();
+		esp->auth.work_digest = kmalloc(digestsize, GFP_KERNEL);
 		if (!esp->auth.work_digest)
 			goto error;
 	}

net/ipv4/ip_sockglue.c

@@ -626,6 +626,7 @@ int ip_setsockopt(struct sock *sk, int level, int optname, char *optval, int opt
 	                break;			
  
 		case IP_IPSEC_POLICY:
+		case IP_XFRM_POLICY:
 			err = xfrm_user_policy(sk, optname, optval, optlen);
 			break;
 

net/ipv4/udp.c

@@ -944,7 +944,7 @@ static int udp_queue_rcv_skb(struct sock * sk, struct sk_buff *skb)
 	/*
 	 *	Charge it to the socket, dropping if the queue is full.
 	 */
-	if (!xfrm_policy_check(NULL, XFRM_POLICY_IN, skb)) {
+	if (!xfrm_policy_check(sk, XFRM_POLICY_IN, skb)) {
 		kfree_skb(skb);
 		return -1;
 	}

net/ipv4/xfrm_input.c

@@ -91,7 +91,7 @@ int xfrm4_rcv(struct sk_buff *skb)
 		iph = skb->nh.iph;
 
 		if (x->props.mode) {
-			if (iph->protocol != IPPROTO_IP)
+			if (iph->protocol != IPPROTO_IPIP)
 				goto drop;
 			skb->nh.raw = skb->data;
 			iph = skb->nh.iph;