Linux Kernel  3.7.1
 All Data Structures Namespaces Files Functions Variables Typedefs Enumerations Enumerator Macros Groups Pages
ah6.c
Go to the documentation of this file.
1 /*
2  * Copyright (C)2002 USAGI/WIDE Project
3  *
4  * This program is free software; you can redistribute it and/or modify
5  * it under the terms of the GNU General Public License as published by
6  * the Free Software Foundation; either version 2 of the License, or
7  * (at your option) any later version.
8  *
9  * This program is distributed in the hope that it will be useful,
10  * but WITHOUT ANY WARRANTY; without even the implied warranty of
11  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12  * GNU General Public License for more details.
13  *
14  * You should have received a copy of the GNU General Public License
15  * along with this program; if not, write to the Free Software
16  * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
17  *
18  * Authors
19  *
20  * Mitsuru KANDA @USAGI : IPv6 Support
21  * Kazunori MIYAZAWA @USAGI :
22  * Kunihiro Ishiguro <[email protected]>
23  *
24  * This file is derived from net/ipv4/ah.c.
25  */
26 
27 #define pr_fmt(fmt) "IPv6: " fmt
28 
29 #include <crypto/hash.h>
30 #include <linux/module.h>
31 #include <linux/slab.h>
32 #include <net/ip.h>
33 #include <net/ah.h>
34 #include <linux/crypto.h>
35 #include <linux/pfkeyv2.h>
36 #include <linux/string.h>
37 #include <linux/scatterlist.h>
38 #include <net/ip6_route.h>
39 #include <net/icmp.h>
40 #include <net/ipv6.h>
41 #include <net/protocol.h>
42 #include <net/xfrm.h>
43 
44 #define IPV6HDR_BASELEN 8
45 
46 struct tmp_ext {
47 #if defined(CONFIG_IPV6_MIP6) || defined(CONFIG_IPV6_MIP6_MODULE)
48  struct in6_addr saddr;
49 #endif
50  struct in6_addr daddr;
51  char hdrs[0];
52 };
53 
54 struct ah_skb_cb {
55  struct xfrm_skb_cb xfrm;
56  void *tmp;
57 };
58 
59 #define AH_SKB_CB(__skb) ((struct ah_skb_cb *)&((__skb)->cb[0]))
60 
61 static void *ah_alloc_tmp(struct crypto_ahash *ahash, int nfrags,
62  unsigned int size)
63 {
64  unsigned int len;
65 
66  len = size + crypto_ahash_digestsize(ahash) +
67  (crypto_ahash_alignmask(ahash) &
68  ~(crypto_tfm_ctx_alignment() - 1));
69 
70  len = ALIGN(len, crypto_tfm_ctx_alignment());
71 
72  len += sizeof(struct ahash_request) + crypto_ahash_reqsize(ahash);
73  len = ALIGN(len, __alignof__(struct scatterlist));
74 
75  len += sizeof(struct scatterlist) * nfrags;
76 
77  return kmalloc(len, GFP_ATOMIC);
78 }
79 
80 static inline struct tmp_ext *ah_tmp_ext(void *base)
81 {
82  return base + IPV6HDR_BASELEN;
83 }
84 
85 static inline u8 *ah_tmp_auth(u8 *tmp, unsigned int offset)
86 {
87  return tmp + offset;
88 }
89 
90 static inline u8 *ah_tmp_icv(struct crypto_ahash *ahash, void *tmp,
91  unsigned int offset)
92 {
93  return PTR_ALIGN((u8 *)tmp + offset, crypto_ahash_alignmask(ahash) + 1);
94 }
95 
96 static inline struct ahash_request *ah_tmp_req(struct crypto_ahash *ahash,
97  u8 *icv)
98 {
99  struct ahash_request *req;
100 
101  req = (void *)PTR_ALIGN(icv + crypto_ahash_digestsize(ahash),
102  crypto_tfm_ctx_alignment());
103 
104  ahash_request_set_tfm(req, ahash);
105 
106  return req;
107 }
108 
109 static inline struct scatterlist *ah_req_sg(struct crypto_ahash *ahash,
110  struct ahash_request *req)
111 {
112  return (void *)ALIGN((unsigned long)(req + 1) +
113  crypto_ahash_reqsize(ahash),
114  __alignof__(struct scatterlist));
115 }
116 
117 static bool zero_out_mutable_opts(struct ipv6_opt_hdr *opthdr)
118 {
119  u8 *opt = (u8 *)opthdr;
120  int len = ipv6_optlen(opthdr);
121  int off = 0;
122  int optlen = 0;
123 
124  off += 2;
125  len -= 2;
126 
127  while (len > 0) {
128 
129  switch (opt[off]) {
130 
131  case IPV6_TLV_PAD1:
132  optlen = 1;
133  break;
134  default:
135  if (len < 2)
136  goto bad;
137  optlen = opt[off+1]+2;
138  if (len < optlen)
139  goto bad;
140  if (opt[off] & 0x20)
141  memset(&opt[off+2], 0, opt[off+1]);
142  break;
143  }
144 
145  off += optlen;
146  len -= optlen;
147  }
148  if (len == 0)
149  return true;
150 
151 bad:
152  return false;
153 }
154 
155 #if defined(CONFIG_IPV6_MIP6) || defined(CONFIG_IPV6_MIP6_MODULE)
156 
161 static void ipv6_rearrange_destopt(struct ipv6hdr *iph, struct ipv6_opt_hdr *destopt)
162 {
163  u8 *opt = (u8 *)destopt;
164  int len = ipv6_optlen(destopt);
165  int off = 0;
166  int optlen = 0;
167 
168  off += 2;
169  len -= 2;
170 
171  while (len > 0) {
172 
173  switch (opt[off]) {
174 
175  case IPV6_TLV_PAD1:
176  optlen = 1;
177  break;
178  default:
179  if (len < 2)
180  goto bad;
181  optlen = opt[off+1]+2;
182  if (len < optlen)
183  goto bad;
184 
185  /* Rearrange the source address in @iph and the
186  * addresses in home address option for final source.
187  * See 11.3.2 of RFC 3775 for details.
188  */
189  if (opt[off] == IPV6_TLV_HAO) {
190  struct in6_addr final_addr;
191  struct ipv6_destopt_hao *hao;
192 
193  hao = (struct ipv6_destopt_hao *)&opt[off];
194  if (hao->length != sizeof(hao->addr)) {
195  net_warn_ratelimited("destopt hao: invalid header length: %u\n",
196  hao->length);
197  goto bad;
198  }
199  final_addr = hao->addr;
200  hao->addr = iph->saddr;
201  iph->saddr = final_addr;
202  }
203  break;
204  }
205 
206  off += optlen;
207  len -= optlen;
208  }
209  /* Note: ok if len == 0 */
210 bad:
211  return;
212 }
213 #else
214 static void ipv6_rearrange_destopt(struct ipv6hdr *iph, struct ipv6_opt_hdr *destopt) {}
215 #endif
216 
226 static void ipv6_rearrange_rthdr(struct ipv6hdr *iph, struct ipv6_rt_hdr *rthdr)
227 {
228  int segments, segments_left;
229  struct in6_addr *addrs;
230  struct in6_addr final_addr;
231 
232  segments_left = rthdr->segments_left;
233  if (segments_left == 0)
234  return;
235  rthdr->segments_left = 0;
236 
237  /* The value of rthdr->hdrlen has been verified either by the system
238  * call if it is locally generated, or by ipv6_rthdr_rcv() for incoming
239  * packets. So we can assume that it is even and that segments is
240  * greater than or equal to segments_left.
241  *
242  * For the same reason we can assume that this option is of type 0.
243  */
244  segments = rthdr->hdrlen >> 1;
245 
246  addrs = ((struct rt0_hdr *)rthdr)->addr;
247  final_addr = addrs[segments - 1];
248 
249  addrs += segments - segments_left;
250  memmove(addrs + 1, addrs, (segments_left - 1) * sizeof(*addrs));
251 
252  addrs[0] = iph->daddr;
253  iph->daddr = final_addr;
254 }
255 
256 static int ipv6_clear_mutable_options(struct ipv6hdr *iph, int len, int dir)
257 {
258  union {
259  struct ipv6hdr *iph;
260  struct ipv6_opt_hdr *opth;
261  struct ipv6_rt_hdr *rth;
262  char *raw;
263  } exthdr = { .iph = iph };
264  char *end = exthdr.raw + len;
265  int nexthdr = iph->nexthdr;
266 
267  exthdr.iph++;
268 
269  while (exthdr.raw < end) {
270  switch (nexthdr) {
271  case NEXTHDR_DEST:
272  if (dir == XFRM_POLICY_OUT)
273  ipv6_rearrange_destopt(iph, exthdr.opth);
274  case NEXTHDR_HOP:
275  if (!zero_out_mutable_opts(exthdr.opth)) {
277  KERN_WARNING "overrun %sopts\n",
278  nexthdr == NEXTHDR_HOP ?
279  "hop" : "dest");
280  return -EINVAL;
281  }
282  break;
283 
284  case NEXTHDR_ROUTING:
285  ipv6_rearrange_rthdr(iph, exthdr.rth);
286  break;
287 
288  default :
289  return 0;
290  }
291 
292  nexthdr = exthdr.opth->nexthdr;
293  exthdr.raw += ipv6_optlen(exthdr.opth);
294  }
295 
296  return 0;
297 }
298 
299 static void ah6_output_done(struct crypto_async_request *base, int err)
300 {
301  int extlen;
302  u8 *iph_base;
303  u8 *icv;
304  struct sk_buff *skb = base->data;
305  struct xfrm_state *x = skb_dst(skb)->xfrm;
306  struct ah_data *ahp = x->data;
307  struct ipv6hdr *top_iph = ipv6_hdr(skb);
308  struct ip_auth_hdr *ah = ip_auth_hdr(skb);
309  struct tmp_ext *iph_ext;
310 
311  extlen = skb_network_header_len(skb) - sizeof(struct ipv6hdr);
312  if (extlen)
313  extlen += sizeof(*iph_ext);
314 
315  iph_base = AH_SKB_CB(skb)->tmp;
316  iph_ext = ah_tmp_ext(iph_base);
317  icv = ah_tmp_icv(ahp->ahash, iph_ext, extlen);
318 
319  memcpy(ah->auth_data, icv, ahp->icv_trunc_len);
320  memcpy(top_iph, iph_base, IPV6HDR_BASELEN);
321 
322  if (extlen) {
323 #if defined(CONFIG_IPV6_MIP6) || defined(CONFIG_IPV6_MIP6_MODULE)
324  memcpy(&top_iph->saddr, iph_ext, extlen);
325 #else
326  memcpy(&top_iph->daddr, iph_ext, extlen);
327 #endif
328  }
329 
330  kfree(AH_SKB_CB(skb)->tmp);
331  xfrm_output_resume(skb, err);
332 }
333 
334 static int ah6_output(struct xfrm_state *x, struct sk_buff *skb)
335 {
336  int err;
337  int nfrags;
338  int extlen;
339  u8 *iph_base;
340  u8 *icv;
341  u8 nexthdr;
342  struct sk_buff *trailer;
343  struct crypto_ahash *ahash;
344  struct ahash_request *req;
345  struct scatterlist *sg;
346  struct ipv6hdr *top_iph;
347  struct ip_auth_hdr *ah;
348  struct ah_data *ahp;
349  struct tmp_ext *iph_ext;
350 
351  ahp = x->data;
352  ahash = ahp->ahash;
353 
354  if ((err = skb_cow_data(skb, 0, &trailer)) < 0)
355  goto out;
356  nfrags = err;
357 
358  skb_push(skb, -skb_network_offset(skb));
359  extlen = skb_network_header_len(skb) - sizeof(struct ipv6hdr);
360  if (extlen)
361  extlen += sizeof(*iph_ext);
362 
363  err = -ENOMEM;
364  iph_base = ah_alloc_tmp(ahash, nfrags, IPV6HDR_BASELEN + extlen);
365  if (!iph_base)
366  goto out;
367 
368  iph_ext = ah_tmp_ext(iph_base);
369  icv = ah_tmp_icv(ahash, iph_ext, extlen);
370  req = ah_tmp_req(ahash, icv);
371  sg = ah_req_sg(ahash, req);
372 
373  ah = ip_auth_hdr(skb);
374  memset(ah->auth_data, 0, ahp->icv_trunc_len);
375 
376  top_iph = ipv6_hdr(skb);
377  top_iph->payload_len = htons(skb->len - sizeof(*top_iph));
378 
379  nexthdr = *skb_mac_header(skb);
380  *skb_mac_header(skb) = IPPROTO_AH;
381 
382  /* When there are no extension headers, we only need to save the first
383  * 8 bytes of the base IP header.
384  */
385  memcpy(iph_base, top_iph, IPV6HDR_BASELEN);
386 
387  if (extlen) {
388 #if defined(CONFIG_IPV6_MIP6) || defined(CONFIG_IPV6_MIP6_MODULE)
389  memcpy(iph_ext, &top_iph->saddr, extlen);
390 #else
391  memcpy(iph_ext, &top_iph->daddr, extlen);
392 #endif
393  err = ipv6_clear_mutable_options(top_iph,
394  extlen - sizeof(*iph_ext) +
395  sizeof(*top_iph),
397  if (err)
398  goto out_free;
399  }
400 
401  ah->nexthdr = nexthdr;
402 
403  top_iph->priority = 0;
404  top_iph->flow_lbl[0] = 0;
405  top_iph->flow_lbl[1] = 0;
406  top_iph->flow_lbl[2] = 0;
407  top_iph->hop_limit = 0;
408 
409  ah->hdrlen = (XFRM_ALIGN8(sizeof(*ah) + ahp->icv_trunc_len) >> 2) - 2;
410 
411  ah->reserved = 0;
412  ah->spi = x->id.spi;
413  ah->seq_no = htonl(XFRM_SKB_CB(skb)->seq.output.low);
414 
415  sg_init_table(sg, nfrags);
416  skb_to_sgvec(skb, sg, 0, skb->len);
417 
418  ahash_request_set_crypt(req, sg, icv, skb->len);
419  ahash_request_set_callback(req, 0, ah6_output_done, skb);
420 
421  AH_SKB_CB(skb)->tmp = iph_base;
422 
423  err = crypto_ahash_digest(req);
424  if (err) {
425  if (err == -EINPROGRESS)
426  goto out;
427 
428  if (err == -EBUSY)
429  err = NET_XMIT_DROP;
430  goto out_free;
431  }
432 
433  memcpy(ah->auth_data, icv, ahp->icv_trunc_len);
434  memcpy(top_iph, iph_base, IPV6HDR_BASELEN);
435 
436  if (extlen) {
437 #if defined(CONFIG_IPV6_MIP6) || defined(CONFIG_IPV6_MIP6_MODULE)
438  memcpy(&top_iph->saddr, iph_ext, extlen);
439 #else
440  memcpy(&top_iph->daddr, iph_ext, extlen);
441 #endif
442  }
443 
444 out_free:
445  kfree(iph_base);
446 out:
447  return err;
448 }
449 
450 static void ah6_input_done(struct crypto_async_request *base, int err)
451 {
452  u8 *auth_data;
453  u8 *icv;
454  u8 *work_iph;
455  struct sk_buff *skb = base->data;
456  struct xfrm_state *x = xfrm_input_state(skb);
457  struct ah_data *ahp = x->data;
458  struct ip_auth_hdr *ah = ip_auth_hdr(skb);
459  int hdr_len = skb_network_header_len(skb);
460  int ah_hlen = (ah->hdrlen + 2) << 2;
461 
462  work_iph = AH_SKB_CB(skb)->tmp;
463  auth_data = ah_tmp_auth(work_iph, hdr_len);
464  icv = ah_tmp_icv(ahp->ahash, auth_data, ahp->icv_trunc_len);
465 
466  err = memcmp(icv, auth_data, ahp->icv_trunc_len) ? -EBADMSG: 0;
467  if (err)
468  goto out;
469 
470  err = ah->nexthdr;
471 
472  skb->network_header += ah_hlen;
473  memcpy(skb_network_header(skb), work_iph, hdr_len);
474  __skb_pull(skb, ah_hlen + hdr_len);
475  skb_set_transport_header(skb, -hdr_len);
476 out:
477  kfree(AH_SKB_CB(skb)->tmp);
478  xfrm_input_resume(skb, err);
479 }
480 
481 
482 
483 static int ah6_input(struct xfrm_state *x, struct sk_buff *skb)
484 {
485  /*
486  * Before process AH
487  * [IPv6][Ext1][Ext2][AH][Dest][Payload]
488  * |<-------------->| hdr_len
489  *
490  * To erase AH:
491  * Keeping copy of cleared headers. After AH processing,
492  * Moving the pointer of skb->network_header by using skb_pull as long
493  * as AH header length. Then copy back the copy as long as hdr_len
494  * If destination header following AH exists, copy it into after [Ext2].
495  *
496  * |<>|[IPv6][Ext1][Ext2][Dest][Payload]
497  * There is offset of AH before IPv6 header after the process.
498  */
499 
500  u8 *auth_data;
501  u8 *icv;
502  u8 *work_iph;
503  struct sk_buff *trailer;
504  struct crypto_ahash *ahash;
505  struct ahash_request *req;
506  struct scatterlist *sg;
507  struct ip_auth_hdr *ah;
508  struct ipv6hdr *ip6h;
509  struct ah_data *ahp;
510  u16 hdr_len;
511  u16 ah_hlen;
512  int nexthdr;
513  int nfrags;
514  int err = -ENOMEM;
515 
516  if (!pskb_may_pull(skb, sizeof(struct ip_auth_hdr)))
517  goto out;
518 
519  /* We are going to _remove_ AH header to keep sockets happy,
520  * so... Later this can change. */
521  if (skb_cloned(skb) &&
522  pskb_expand_head(skb, 0, 0, GFP_ATOMIC))
523  goto out;
524 
525  skb->ip_summed = CHECKSUM_NONE;
526 
527  hdr_len = skb_network_header_len(skb);
528  ah = (struct ip_auth_hdr *)skb->data;
529  ahp = x->data;
530  ahash = ahp->ahash;
531 
532  nexthdr = ah->nexthdr;
533  ah_hlen = (ah->hdrlen + 2) << 2;
534 
535  if (ah_hlen != XFRM_ALIGN8(sizeof(*ah) + ahp->icv_full_len) &&
536  ah_hlen != XFRM_ALIGN8(sizeof(*ah) + ahp->icv_trunc_len))
537  goto out;
538 
539  if (!pskb_may_pull(skb, ah_hlen))
540  goto out;
541 
542 
543  if ((err = skb_cow_data(skb, 0, &trailer)) < 0)
544  goto out;
545  nfrags = err;
546 
547  ah = (struct ip_auth_hdr *)skb->data;
548  ip6h = ipv6_hdr(skb);
549 
550  skb_push(skb, hdr_len);
551 
552  work_iph = ah_alloc_tmp(ahash, nfrags, hdr_len + ahp->icv_trunc_len);
553  if (!work_iph)
554  goto out;
555 
556  auth_data = ah_tmp_auth(work_iph, hdr_len);
557  icv = ah_tmp_icv(ahash, auth_data, ahp->icv_trunc_len);
558  req = ah_tmp_req(ahash, icv);
559  sg = ah_req_sg(ahash, req);
560 
561  memcpy(work_iph, ip6h, hdr_len);
562  memcpy(auth_data, ah->auth_data, ahp->icv_trunc_len);
563  memset(ah->auth_data, 0, ahp->icv_trunc_len);
564 
565  if (ipv6_clear_mutable_options(ip6h, hdr_len, XFRM_POLICY_IN))
566  goto out_free;
567 
568  ip6h->priority = 0;
569  ip6h->flow_lbl[0] = 0;
570  ip6h->flow_lbl[1] = 0;
571  ip6h->flow_lbl[2] = 0;
572  ip6h->hop_limit = 0;
573 
574  sg_init_table(sg, nfrags);
575  skb_to_sgvec(skb, sg, 0, skb->len);
576 
577  ahash_request_set_crypt(req, sg, icv, skb->len);
578  ahash_request_set_callback(req, 0, ah6_input_done, skb);
579 
580  AH_SKB_CB(skb)->tmp = work_iph;
581 
582  err = crypto_ahash_digest(req);
583  if (err) {
584  if (err == -EINPROGRESS)
585  goto out;
586 
587  goto out_free;
588  }
589 
590  err = memcmp(icv, auth_data, ahp->icv_trunc_len) ? -EBADMSG: 0;
591  if (err)
592  goto out_free;
593 
594  skb->network_header += ah_hlen;
595  memcpy(skb_network_header(skb), work_iph, hdr_len);
596  skb->transport_header = skb->network_header;
597  __skb_pull(skb, ah_hlen + hdr_len);
598 
599  err = nexthdr;
600 
601 out_free:
602  kfree(work_iph);
603 out:
604  return err;
605 }
606 
607 static void ah6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
608  u8 type, u8 code, int offset, __be32 info)
609 {
610  struct net *net = dev_net(skb->dev);
611  struct ipv6hdr *iph = (struct ipv6hdr*)skb->data;
612  struct ip_auth_hdr *ah = (struct ip_auth_hdr*)(skb->data+offset);
613  struct xfrm_state *x;
614 
615  if (type != ICMPV6_DEST_UNREACH &&
616  type != ICMPV6_PKT_TOOBIG &&
617  type != NDISC_REDIRECT)
618  return;
619 
620  x = xfrm_state_lookup(net, skb->mark, (xfrm_address_t *)&iph->daddr, ah->spi, IPPROTO_AH, AF_INET6);
621  if (!x)
622  return;
623 
624  if (type == NDISC_REDIRECT)
625  ip6_redirect(skb, net, 0, 0);
626  else
627  ip6_update_pmtu(skb, net, info, 0, 0);
628  xfrm_state_put(x);
629 }
630 
631 static int ah6_init_state(struct xfrm_state *x)
632 {
633  struct ah_data *ahp = NULL;
634  struct xfrm_algo_desc *aalg_desc;
635  struct crypto_ahash *ahash;
636 
637  if (!x->aalg)
638  goto error;
639 
640  if (x->encap)
641  goto error;
642 
643  ahp = kzalloc(sizeof(*ahp), GFP_KERNEL);
644  if (ahp == NULL)
645  return -ENOMEM;
646 
647  ahash = crypto_alloc_ahash(x->aalg->alg_name, 0, 0);
648  if (IS_ERR(ahash))
649  goto error;
650 
651  ahp->ahash = ahash;
652  if (crypto_ahash_setkey(ahash, x->aalg->alg_key,
653  (x->aalg->alg_key_len + 7) / 8))
654  goto error;
655 
656  /*
657  * Lookup the algorithm description maintained by xfrm_algo,
658  * verify crypto transform properties, and store information
659  * we need for AH processing. This lookup cannot fail here
660  * after a successful crypto_alloc_hash().
661  */
662  aalg_desc = xfrm_aalg_get_byname(x->aalg->alg_name, 0);
663  BUG_ON(!aalg_desc);
664 
665  if (aalg_desc->uinfo.auth.icv_fullbits/8 !=
666  crypto_ahash_digestsize(ahash)) {
667  pr_info("AH: %s digestsize %u != %hu\n",
668  x->aalg->alg_name, crypto_ahash_digestsize(ahash),
669  aalg_desc->uinfo.auth.icv_fullbits/8);
670  goto error;
671  }
672 
673  ahp->icv_full_len = aalg_desc->uinfo.auth.icv_fullbits/8;
674  ahp->icv_trunc_len = x->aalg->alg_trunc_len/8;
675 
677 
678  x->props.header_len = XFRM_ALIGN8(sizeof(struct ip_auth_hdr) +
679  ahp->icv_trunc_len);
680  switch (x->props.mode) {
681  case XFRM_MODE_BEET:
682  case XFRM_MODE_TRANSPORT:
683  break;
684  case XFRM_MODE_TUNNEL:
685  x->props.header_len += sizeof(struct ipv6hdr);
686  break;
687  default:
688  goto error;
689  }
690  x->data = ahp;
691 
692  return 0;
693 
694 error:
695  if (ahp) {
696  crypto_free_ahash(ahp->ahash);
697  kfree(ahp);
698  }
699  return -EINVAL;
700 }
701 
702 static void ah6_destroy(struct xfrm_state *x)
703 {
704  struct ah_data *ahp = x->data;
705 
706  if (!ahp)
707  return;
708 
709  crypto_free_ahash(ahp->ahash);
710  kfree(ahp);
711 }
712 
713 static const struct xfrm_type ah6_type =
714 {
715  .description = "AH6",
716  .owner = THIS_MODULE,
717  .proto = IPPROTO_AH,
718  .flags = XFRM_TYPE_REPLAY_PROT,
719  .init_state = ah6_init_state,
720  .destructor = ah6_destroy,
721  .input = ah6_input,
722  .output = ah6_output,
723  .hdr_offset = xfrm6_find_1stfragopt,
724 };
725 
726 static const struct inet6_protocol ah6_protocol = {
727  .handler = xfrm6_rcv,
728  .err_handler = ah6_err,
729  .flags = INET6_PROTO_NOPOLICY,
730 };
731 
732 static int __init ah6_init(void)
733 {
734  if (xfrm_register_type(&ah6_type, AF_INET6) < 0) {
735  pr_info("%s: can't add xfrm type\n", __func__);
736  return -EAGAIN;
737  }
738 
739  if (inet6_add_protocol(&ah6_protocol, IPPROTO_AH) < 0) {
740  pr_info("%s: can't add protocol\n", __func__);
741  xfrm_unregister_type(&ah6_type, AF_INET6);
742  return -EAGAIN;
743  }
744 
745  return 0;
746 }
747 
748 static void __exit ah6_fini(void)
749 {
750  if (inet6_del_protocol(&ah6_protocol, IPPROTO_AH) < 0)
751  pr_info("%s: can't remove protocol\n", __func__);
752 
753  if (xfrm_unregister_type(&ah6_type, AF_INET6) < 0)
754  pr_info("%s: can't remove xfrm type\n", __func__);
755 
756 }
757 
758 module_init(ah6_init);
759 module_exit(ah6_fini);
760 
761 MODULE_LICENSE("GPL");