cachepc-linux

Fork of AMDESE/linux with modifications for CachePC side-channel attack
git clone https://git.sinitax.com/sinitax/cachepc-linux
Log | Files | Refs | README | LICENSE | sfeed.txt

ip6t_ah.c (2986B)

      1// SPDX-License-Identifier: GPL-2.0-only
      2/* Kernel module to match AH parameters. */
      3
      4/* (C) 2001-2002 Andras Kis-Szabo <kisza@sch.bme.hu>
      5 */
      6#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
      7#include <linux/module.h>
      8#include <linux/skbuff.h>
      9#include <linux/ip.h>
     10#include <linux/ipv6.h>
     11#include <linux/types.h>
     12#include <net/checksum.h>
     13#include <net/ipv6.h>
     14
     15#include <linux/netfilter/x_tables.h>
     16#include <linux/netfilter_ipv6/ip6_tables.h>
     17#include <linux/netfilter_ipv6/ip6t_ah.h>
     18
     19MODULE_LICENSE("GPL");
     20MODULE_DESCRIPTION("Xtables: IPv6 IPsec-AH match");
     21MODULE_AUTHOR("Andras Kis-Szabo <kisza@sch.bme.hu>");
     22
     23/* Returns 1 if the spi is matched by the range, 0 otherwise */
     24static inline bool
     25spi_match(u_int32_t min, u_int32_t max, u_int32_t spi, bool invert)
     26{
     27	bool r;
     28
     29	pr_debug("spi_match:%c 0x%x <= 0x%x <= 0x%x\n",
     30		 invert ? '!' : ' ', min, spi, max);
     31	r = (spi >= min && spi <= max) ^ invert;
     32	pr_debug(" result %s\n", r ? "PASS" : "FAILED");
     33	return r;
     34}
     35
     36static bool ah_mt6(const struct sk_buff *skb, struct xt_action_param *par)
     37{
     38	struct ip_auth_hdr _ah;
     39	const struct ip_auth_hdr *ah;
     40	const struct ip6t_ah *ahinfo = par->matchinfo;
     41	unsigned int ptr = 0;
     42	unsigned int hdrlen = 0;
     43	int err;
     44
     45	err = ipv6_find_hdr(skb, &ptr, NEXTHDR_AUTH, NULL, NULL);
     46	if (err < 0) {
     47		if (err != -ENOENT)
     48			par->hotdrop = true;
     49		return false;
     50	}
     51
     52	ah = skb_header_pointer(skb, ptr, sizeof(_ah), &_ah);
     53	if (ah == NULL) {
     54		par->hotdrop = true;
     55		return false;
     56	}
     57
     58	hdrlen = ipv6_authlen(ah);
     59
     60	pr_debug("IPv6 AH LEN %u %u ", hdrlen, ah->hdrlen);
     61	pr_debug("RES %04X ", ah->reserved);
     62	pr_debug("SPI %u %08X\n", ntohl(ah->spi), ntohl(ah->spi));
     63
     64	pr_debug("IPv6 AH spi %02X ",
     65		 spi_match(ahinfo->spis[0], ahinfo->spis[1],
     66			   ntohl(ah->spi),
     67			   !!(ahinfo->invflags & IP6T_AH_INV_SPI)));
     68	pr_debug("len %02X %04X %02X ",
     69		 ahinfo->hdrlen, hdrlen,
     70		 (!ahinfo->hdrlen ||
     71		  (ahinfo->hdrlen == hdrlen) ^
     72		  !!(ahinfo->invflags & IP6T_AH_INV_LEN)));
     73	pr_debug("res %02X %04X %02X\n",
     74		 ahinfo->hdrres, ah->reserved,
     75		 !(ahinfo->hdrres && ah->reserved));
     76
     77	return spi_match(ahinfo->spis[0], ahinfo->spis[1],
     78			  ntohl(ah->spi),
     79			  !!(ahinfo->invflags & IP6T_AH_INV_SPI)) &&
     80		(!ahinfo->hdrlen ||
     81		 (ahinfo->hdrlen == hdrlen) ^
     82		 !!(ahinfo->invflags & IP6T_AH_INV_LEN)) &&
     83		!(ahinfo->hdrres && ah->reserved);
     84}
     85
     86static int ah_mt6_check(const struct xt_mtchk_param *par)
     87{
     88	const struct ip6t_ah *ahinfo = par->matchinfo;
     89
     90	if (ahinfo->invflags & ~IP6T_AH_INV_MASK) {
     91		pr_debug("unknown flags %X\n", ahinfo->invflags);
     92		return -EINVAL;
     93	}
     94	return 0;
     95}
     96
     97static struct xt_match ah_mt6_reg __read_mostly = {
     98	.name		= "ah",
     99	.family		= NFPROTO_IPV6,
    100	.match		= ah_mt6,
    101	.matchsize	= sizeof(struct ip6t_ah),
    102	.checkentry	= ah_mt6_check,
    103	.me		= THIS_MODULE,
    104};
    105
    106static int __init ah_mt6_init(void)
    107{
    108	return xt_register_match(&ah_mt6_reg);
    109}
    110
    111static void __exit ah_mt6_exit(void)
    112{
    113	xt_unregister_match(&ah_mt6_reg);
    114}
    115
    116module_init(ah_mt6_init);
    117module_exit(ah_mt6_exit);