summaryrefslogtreecommitdiffstats
path: root/net/ipv4
diff options
context:
space:
mode:
authorPaul Moore <paul.moore@hp.com>2007-12-21 14:58:11 -0800
committerDavid S. Miller <davem@davemloft.net>2008-01-28 15:00:01 -0800
commitafeb14b49098ba7a51c96e083a4105a0301f94c4 (patch)
tree2675451596adbea8aa261704c356d074136abbbd /net/ipv4
parentdfd4f0ae2e111e2b93c295938c0e64ebbb69ae6e (diff)
downloadlinux-afeb14b49098ba7a51c96e083a4105a0301f94c4.tar.gz
linux-afeb14b49098ba7a51c96e083a4105a0301f94c4.tar.bz2
linux-afeb14b49098ba7a51c96e083a4105a0301f94c4.zip
[XFRM]: RFC4303 compliant auditing
This patch adds a number of new IPsec audit events to meet the auditing requirements of RFC4303. This includes audit hooks for the following events: * Could not find a valid SA [sections 2.1, 3.4.2] . xfrm_audit_state_notfound() . xfrm_audit_state_notfound_simple() * Sequence number overflow [section 3.3.3] . xfrm_audit_state_replay_overflow() * Replayed packet [section 3.4.3] . xfrm_audit_state_replay() * Integrity check failure [sections 3.4.4.1, 3.4.4.2] . xfrm_audit_state_icvfail() While RFC4304 deals only with ESP most of the changes in this patch apply to IPsec in general, i.e. both AH and ESP. The one case, integrity check failure, where ESP specific code had to be modified the same was done to the AH code for the sake of consistency. Signed-off-by: Paul Moore <paul.moore@hp.com> Acked-by: James Morris <jmorris@namei.org> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ipv4')
-rw-r--r--net/ipv4/ah4.c4
-rw-r--r--net/ipv4/esp4.c1
2 files changed, 4 insertions, 1 deletions
diff --git a/net/ipv4/ah4.c b/net/ipv4/ah4.c
index d76803a3dcae..ec8de0aa20ec 100644
--- a/net/ipv4/ah4.c
+++ b/net/ipv4/ah4.c
@@ -179,8 +179,10 @@ static int ah_input(struct xfrm_state *x, struct sk_buff *skb)
err = ah_mac_digest(ahp, skb, ah->auth_data);
if (err)
goto unlock;
- if (memcmp(ahp->work_icv, auth_data, ahp->icv_trunc_len))
+ if (memcmp(ahp->work_icv, auth_data, ahp->icv_trunc_len)) {
+ xfrm_audit_state_icvfail(x, skb, IPPROTO_AH);
err = -EBADMSG;
+ }
}
unlock:
spin_unlock(&x->lock);
diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c
index 28ea5c77ca23..b334c7619c08 100644
--- a/net/ipv4/esp4.c
+++ b/net/ipv4/esp4.c
@@ -191,6 +191,7 @@ static int esp_input(struct xfrm_state *x, struct sk_buff *skb)
BUG();
if (unlikely(memcmp(esp->auth.work_icv, sum, alen))) {
+ xfrm_audit_state_icvfail(x, skb, IPPROTO_ESP);
err = -EBADMSG;
goto unlock;
}