authorDerek Atkins <derek@ihtfp.com>2003-04-02 13:21:02 -0800
committerDavid S. Miller <davem@nuts.ninka.net>2003-04-02 13:21:02 -0800
commitcbc3488685b20e7b2a98ad387a1a816aada569d8 (patch)
treee3d7cd299f1de96ade31e4c6fcf2fc252a8ce332 /include
parent450609e5524a6252f2a835746b728950abe73976 (diff)
[IPSEC]: Implement UDP Encapsulation framework.
In particular, implement ESPinUDP encapsulation for IPsec Nat Traversal.
Diffstat (limited to 'include')
-rw-r--r--include/linux/pfkeyv2.h30
-rw-r--r--include/linux/udp.h5
-rw-r--r--include/linux/xfrm.h7
-rw-r--r--include/net/xfrm.h26
4 files changed, 63 insertions, 5 deletions
diff --git a/include/linux/pfkeyv2.h b/include/linux/pfkeyv2.h
index efb41c857ea3..b5efb37a1c2f 100644
--- a/include/linux/pfkeyv2.h
+++ b/include/linux/pfkeyv2.h
@@ -194,6 +194,26 @@ struct sadb_x_ipsecrequest {
} __attribute__((packed));
/* sizeof(struct sadb_x_ipsecrequest) == 16 */
+/* This defines the TYPE of Nat Traversal in use. Currently only one
+ * type of NAT-T is supported, draft-ietf-ipsec-udp-encaps-06
+ */
+struct sadb_x_nat_t_type {
+ uint16_t sadb_x_nat_t_type_len;
+ uint16_t sadb_x_nat_t_type_exttype;
+ uint8_t sadb_x_nat_t_type_type;
+ uint8_t sadb_x_nat_t_type_reserved[3];
+} __attribute__((packed));
+/* sizeof(struct sadb_x_nat_t_type) == 8 */
+
+/* Pass a NAT Traversal port (Source or Dest port) */
+struct sadb_x_nat_t_port {
+ uint16_t sadb_x_nat_t_port_len;
+ uint16_t sadb_x_nat_t_port_exttype;
+ uint16_t sadb_x_nat_t_port_port;
+ uint16_t sadb_x_nat_t_port_reserved;
+} __attribute__((packed));
+/* sizeof(struct sadb_x_nat_t_port) == 8 */
+
/* Message types */
#define SADB_RESERVED 0
#define SADB_GETSPI 1
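Review bot: The comment on `sadb_x_nat_t_port` does not say whether `sadb_x_nat_t_port_port` is in host or network byte order, and these are wire structures parsed from a PF_KEY socket, so the consumer has to know. Suggest `uint16_t sadb_x_nat_t_port_port; /* network byte order */` if that is what the parser expects, or the opposite if not. Both `_len` fields are presumably PF_KEY lengths in 8-byte units like the rest of this header; the parser (not in this diff) should reject an extension whose len does not equal sizeof(struct)/8 before reading any field after it.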
@@ -218,7 +238,8 @@ struct sadb_x_ipsecrequest {
#define SADB_X_SPDSETIDX 20
#define SADB_X_SPDEXPIRE 21
#define SADB_X_SPDDELETE2 22
-#define SADB_MAX 22
+#define SADB_X_NAT_T_NEW_MAPPING 23
+#define SADB_MAX 23
/* Security Association flags */
#define SADB_SAFLAGS_PFS 1
@@ -291,7 +312,12 @@ struct sadb_x_ipsecrequest {
#define SADB_X_EXT_KMPRIVATE 17
#define SADB_X_EXT_POLICY 18
#define SADB_X_EXT_SA2 19
-#define SADB_EXT_MAX 19
+/* The next four entries are for setting up NAT Traversal */
+#define SADB_X_EXT_NAT_T_TYPE 20
+#define SADB_X_EXT_NAT_T_SPORT 21
+#define SADB_X_EXT_NAT_T_DPORT 22
+#define SADB_X_EXT_NAT_T_OA 23
+#define SADB_EXT_MAX 23
/* Identity Extension values */
#define SADB_IDENTTYPE_RESERVED 0
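Review bot: The comment `The next four entries are for setting up NAT Traversal` covers SADB_X_EXT_NAT_T_OA, but this diff defines structs only for the TYPE and SPORT/DPORT extensions, so a reader cannot tell what payload OA carries. Suggest extending the comment, e.g. `/* NAT_T_OA carries the original address as a struct sadb_address */`, if that is the intended layout. Whatever the layout, the pfkey extension-length table needs entries for all four new types or messages carrying them will be rejected or mis-parsed; I cannot verify that from the headers alone.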
diff --git a/include/linux/udp.h b/include/linux/udp.h
index 5bdb970a1b69..2cd62b5b79f3 100644
--- a/include/linux/udp.h
+++ b/include/linux/udp.h
@@ -30,10 +30,15 @@ struct udphdr {
/* UDP socket options */
#define UDP_CORK 1 /* Never send partially complete segments */
+#define UDP_ENCAP 100 /* Set the socket to accept encapsulated packets */
+
+/* UDP encapsulation types */
+#define UDP_ENCAP_ESPINUDP 2 /* draft-ietf-ipsec-udp-encaps-06 */
struct udp_opt {
int pending; /* Any pending frames ? */
unsigned int corkflag; /* Cork is required */
+ __u16 encap_type; /* Is this an Encapsulation socket? */
/*
* Following members retains the infomation to create a UDP header
* when the socket is uncorked.
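Review bot: The field comment `Is this an Encapsulation socket?` reads as a boolean, but `encap_type` stores a UDP_ENCAP_* value, and `UDP_ENCAP_ESPINUDP` is defined as 2 with nothing at 1 and no explanation. Suggest `__u16 encap_type; /* 0 = plain UDP, otherwise a UDP_ENCAP_* value */` and a comment beside the define saying why 1 is skipped (presumably reserved for the draft's other encapsulation variant). Because this option turns an ordinary UDP socket into a path that feeds packets into the IPsec input, the setsockopt handler (not in this diff) should accept only the listed values and reject everything else, so the receive path never sees an unknown type. struct udp_opt continues outside this hunk.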
diff --git a/include/linux/xfrm.h b/include/linux/xfrm.h
index 8b1ae0cc3ebe..46144681c5a7 100644
--- a/include/linux/xfrm.h
+++ b/include/linux/xfrm.h
@@ -130,12 +130,19 @@ struct xfrm_user_tmpl {
__u32 calgos;
};
+struct xfrm_encap_tmpl {
+ __u16 encap_type;
+ __u16 encap_sport;
+ __u16 encap_dport;
+};
+
/* Netlink message attributes. */
enum xfrm_attr_type_t {
XFRMA_UNSPEC,
XFRMA_ALG_AUTH, /* struct xfrm_algo */
XFRMA_ALG_CRYPT, /* struct xfrm_algo */
XFRMA_ALG_COMP, /* struct xfrm_algo */
+ XFRMA_ENCAP, /* struct xfrm_algo + struct xfrm_encap_tmpl */
XFRMA_TMPL, /* 1 or more struct xfrm_user_tmpl */
#define XFRMA_MAX XFRMA_TMPL
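Review bot: Inserting `XFRMA_ENCAP` before `XFRMA_TMPL` renumbers XFRMA_TMPL for every program built against the previous header, since these enum values are netlink attribute types on the wire. Append instead, keeping the existing order: `XFRMA_TMPL, /* 1 or more struct xfrm_user_tmpl */` then `XFRMA_ENCAP, /* struct xfrm_encap_tmpl */` and `#define XFRMA_MAX XFRMA_ENCAP`. The comment `struct xfrm_algo + struct xfrm_encap_tmpl` should also say what the xfrm_algo part carries and in what order the two appear in the attribute, and `encap_sport`/`encap_dport` need their byte order stated.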
diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index 85ff3a302e78..f8706d30b1a6 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -118,6 +118,7 @@ struct xfrm_state
struct xfrm_algo *aalg;
struct xfrm_algo *ealg;
struct xfrm_algo *calg;
+ struct xfrm_algo *encap_alg;
/* State for replay detection */
struct xfrm_replay_state replay;
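Review bot: `encap_alg` is added to `struct xfrm_state` without a comment, directly after three fields that are real algorithms, so it is not obvious that this one holds UDP encapsulation parameters rather than a cipher. Suggest `struct xfrm_algo *encap_alg; /* UDP encapsulation parameters (XFRMA_ENCAP); NULL when not encapsulated */`, adjusting if NULL is not the unset state. struct xfrm_state begins and ends outside this hunk.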
@@ -192,6 +193,7 @@ extern int xfrm_state_unregister_afinfo(struct xfrm_state_afinfo *afinfo);
extern struct xfrm_state_afinfo *xfrm_state_get_afinfo(unsigned short family);
extern void xfrm_state_put_afinfo(struct xfrm_state_afinfo *afinfo);
+struct xfrm_decap_state;
struct xfrm_type
{
char *description;
@@ -200,7 +202,8 @@ struct xfrm_type
int (*init_state)(struct xfrm_state *x, void *args);
void (*destructor)(struct xfrm_state *);
- int (*input)(struct xfrm_state *, struct sk_buff *skb);
+ int (*input)(struct xfrm_state *, struct xfrm_decap_state *, struct sk_buff *skb);
+ int (*post_input)(struct xfrm_state *, struct xfrm_decap_state *, struct sk_buff *skb);
int (*output)(struct sk_buff *skb);
/* Estimate maximal size of result of transformation of a dgram */
u32 (*get_max_size)(struct xfrm_state *, int size);
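Review bot: `post_input` is a new callback in `struct xfrm_type`, but if existing types (AH, IPCOMP, the IPv6 variants) leave it NULL the dispatcher must check for NULL before calling it, and the header should say which it is. Suggest `int (*post_input)(...); /* optional, may be NULL; receives the decap state recorded by ->input */` if that matches the caller. The changed `input` signature also means every xfrm_type implementation must be updated in the same series or it will no longer compile. struct xfrm_type starts and ends outside this hunk.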
@@ -246,7 +249,7 @@ struct xfrm_tmpl
__u32 calgos;
};
-#define XFRM_MAX_DEPTH 3
+#define XFRM_MAX_DEPTH 4
struct xfrm_policy
{
@@ -278,6 +281,7 @@ struct xfrm_mgr
int (*notify)(struct xfrm_state *x, int event);
int (*acquire)(struct xfrm_state *x, struct xfrm_tmpl *, struct xfrm_policy *xp, int dir);
struct xfrm_policy *(*compile_policy)(u16 family, int opt, u8 *data, int len, int *dir);
+ int (*new_mapping)(struct xfrm_state *x, xfrm_address_t *ipaddr, u16 sport);
};
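Review bot: `new_mapping` lets received traffic move an SA's peer address and port, so the header should state that it must only be invoked for a packet that has passed the SA's integrity check; otherwise a spoofed UDP datagram could redirect the SA's traffic. Suggest `/* NAT-T: peer address/port changed; call only after the packet has authenticated under x */` on the callback. The prototype carries only `sport`, so presumably the new port is always the UDP source port of the received packet and the address is the outer source; worth saying so. struct xfrm_mgr begins outside this hunk.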
extern int xfrm_register_km(struct xfrm_mgr *km);
@@ -498,12 +502,26 @@ struct xfrm_dst
} u;
};
+/* Decapsulation state, used by the input to store data during
+ * decapsulation procedure, to be used later (during the policy
+ * check
+ */
+struct xfrm_decap_state {
+ __u16 decap_type;
+ char decap_data[30];
+};
+
+struct sec_decap_state {
+ struct xfrm_state *xvec;
+ struct xfrm_decap_state decap;
+};
+
struct sec_path
{
kmem_cache_t *pool;
atomic_t refcnt;
int len;
- struct xfrm_state *xvec[XFRM_MAX_DEPTH];
+ struct sec_decap_state x[XFRM_MAX_DEPTH];
};
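Review bot: `decap_data[30]` is an unexplained magic size with `char` alignment, and every `sec_path` now carries four copies of it, so the header should say what is stored there and how the size was chosen. Suggest a named constant, `#define XFRM_DECAP_DATA_LEN 30`, with a comment such as `/* opaque per-type data written by xfrm_type->input (e.g. ESP-in-UDP peer address/port); writers must not exceed XFRM_DECAP_DATA_LEN */`. If a struct with alignment requirements is stored here, the array should be aligned accordingly or the type-specific code should copy in and out with memcpy. The block comment above `xfrm_decap_state` is also missing its closing parenthesis after `policy check`, and `decap_type` presumably takes the UDP_ENCAP_* values, which is worth stating.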
static inline struct sec_path *
@@ -730,6 +748,7 @@ extern int xfrm_replay_check(struct xfrm_state *x, u32 seq);
extern void xfrm_replay_advance(struct xfrm_state *x, u32 seq);
extern int xfrm_check_selectors(struct xfrm_state **x, int n, struct flowi *fl);
extern int xfrm4_rcv(struct sk_buff *skb);
+extern int xfrm4_rcv_encap(struct sk_buff *skb, __u16 encap_type);
extern int xfrm6_rcv(struct sk_buff **pskb);
extern int xfrm6_clear_mutable_options(struct sk_buff *skb, u16 *nh_offset, int dir);
extern int xfrm_user_policy(struct sock *sk, int optname, u8 *optval, int optlen);
@@ -760,6 +779,7 @@ extern wait_queue_head_t km_waitq;
extern void km_warn_expired(struct xfrm_state *x);
extern void km_expired(struct xfrm_state *x);
extern int km_query(struct xfrm_state *x, struct xfrm_tmpl *, struct xfrm_policy *pol);
+extern int km_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, u16 sport);
extern void xfrm4_input_init(void);
extern void xfrm6_input_init(void);