xfrm: Move IPsec replay detection functions to a separate file

	struct xfrm_replay_state preplay;

	struct xfrm_replay_state_esn *preplay_esn;

	/* The functions for replay detection. */

	struct xfrm_replay	*repl;

	/* internal flag that only holds state for delayed aevent at the

	 * moment

	*/

	struct net *net;

};

struct xfrm_replay {

	void	(*advance)(struct xfrm_state *x, __be32 net_seq);

	int	(*check)(struct xfrm_state *x,

			 struct sk_buff *skb,

			 __be32 net_seq);

	void	(*notify)(struct xfrm_state *x, int event);

	int	(*overflow)(struct xfrm_state *x, struct sk_buff *skb);

};

struct net_device;

struct xfrm_type;

struct xfrm_dst;

				    u32 auid, u32 ses, u32 secid);

extern void xfrm_audit_state_replay_overflow(struct xfrm_state *x,

					     struct sk_buff *skb);

extern void xfrm_audit_state_replay(struct xfrm_state *x,

				    struct sk_buff *skb, __be32 net_seq);

extern void xfrm_audit_state_notfound_simple(struct sk_buff *skb, u16 family);

extern void xfrm_audit_state_notfound(struct sk_buff *skb, u16 family,

				      __be32 net_spi, __be32 net_seq);

{

}

static inline void xfrm_audit_state_replay(struct xfrm_state *x,

					   struct sk_buff *skb, __be32 net_seq)

{

}

static inline void xfrm_audit_state_notfound_simple(struct sk_buff *skb,

				      u16 family)

{

extern int xfrm_state_flush(struct net *net, u8 proto, struct xfrm_audit *audit_info);

extern void xfrm_sad_getinfo(struct net *net, struct xfrmk_sadinfo *si);

extern void xfrm_spd_getinfo(struct net *net, struct xfrmk_spdinfo *si);

extern int xfrm_replay_check(struct xfrm_state *x,

			     struct sk_buff *skb, __be32 seq);

extern void xfrm_replay_advance(struct xfrm_state *x, __be32 seq);

extern void xfrm_replay_notify(struct xfrm_state *x, int event);

extern int xfrm_init_replay(struct xfrm_state *x);

extern int xfrm_state_mtu(struct xfrm_state *x, int mtu);

extern int xfrm_init_state(struct xfrm_state *x);

extern int xfrm_prepare_input(struct xfrm_state *x, struct sk_buff *skb);

obj-$(CONFIG_XFRM) := xfrm_policy.o xfrm_state.o xfrm_hash.o \

		      xfrm_input.o xfrm_output.o xfrm_algo.o \

		      xfrm_sysctl.o

		      xfrm_sysctl.o xfrm_replay.o

obj-$(CONFIG_XFRM_STATISTICS) += xfrm_proc.o

obj-$(CONFIG_XFRM_USER) += xfrm_user.o

obj-$(CONFIG_XFRM_IPCOMP) += xfrm_ipcomp.o

			goto drop_unlock;

		}

		if (x->props.replay_window && xfrm_replay_check(x, skb, seq)) {

		if (x->props.replay_window && x->repl->check(x, skb, seq)) {

			XFRM_INC_STATS(net, LINUX_MIB_XFRMINSTATESEQERROR);

			goto drop_unlock;

		}

		/* only the first xfrm gets the encap type */

		encap_type = 0;

		if (x->props.replay_window)

			xfrm_replay_advance(x, seq);

		x->repl->advance(x, seq);

		x->curlft.bytes += skb->len;

		x->curlft.packets++;

			goto error;

		}

		if (x->type->flags & XFRM_TYPE_REPLAY_PROT) {

			XFRM_SKB_CB(skb)->seq.output.low = ++x->replay.oseq;

			if (unlikely(x->replay.oseq == 0)) {

		err = x->repl->overflow(x, skb);

		if (err) {

			XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTSTATESEQERROR);

				x->replay.oseq--;

				xfrm_audit_state_replay_overflow(x, skb);

				err = -EOVERFLOW;

			goto error;

		}

			if (xfrm_aevent_is_on(net))

				xfrm_replay_notify(x, XFRM_REPLAY_UPDATE);

		}

		x->curlft.bytes += skb->len;

		x->curlft.packets++;

/*

 * xfrm_replay.c - xfrm replay detection, derived from xfrm_state.c.

 */

#include <net/xfrm.h>

static void xfrm_replay_notify(struct xfrm_state *x, int event)

{

	struct km_event c;

	/* we send notify messages in case

	 *  1. we updated on of the sequence numbers, and the seqno difference

	 *     is at least x->replay_maxdiff, in this case we also update the

	 *     timeout of our timer function

	 *  2. if x->replay_maxage has elapsed since last update,

	 *     and there were changes

	 *

	 *  The state structure must be locked!

	 */

	switch (event) {

	case XFRM_REPLAY_UPDATE:

		if (x->replay_maxdiff &&

		    (x->replay.seq - x->preplay.seq < x->replay_maxdiff) &&

		    (x->replay.oseq - x->preplay.oseq < x->replay_maxdiff)) {

			if (x->xflags & XFRM_TIME_DEFER)

				event = XFRM_REPLAY_TIMEOUT;

			else

				return;

		}

		break;

	case XFRM_REPLAY_TIMEOUT:

		if (memcmp(&x->replay, &x->preplay,

			   sizeof(struct xfrm_replay_state)) == 0) {

			x->xflags |= XFRM_TIME_DEFER;

			return;

		}

		break;

	}

	memcpy(&x->preplay, &x->replay, sizeof(struct xfrm_replay_state));

	c.event = XFRM_MSG_NEWAE;

	c.data.aevent = event;

	km_state_notify(x, &c);

	if (x->replay_maxage &&

	    !mod_timer(&x->rtimer, jiffies + x->replay_maxage))

		x->xflags &= ~XFRM_TIME_DEFER;

}

static int xfrm_replay_overflow(struct xfrm_state *x, struct sk_buff *skb)

{

	int err = 0;

	struct net *net = xs_net(x);

	if (x->type->flags & XFRM_TYPE_REPLAY_PROT) {

		XFRM_SKB_CB(skb)->seq.output.low = ++x->replay.oseq;

		if (unlikely(x->replay.oseq == 0)) {

			x->replay.oseq--;

			xfrm_audit_state_replay_overflow(x, skb);

			err = -EOVERFLOW;

			return err;

		}

		if (xfrm_aevent_is_on(net))

			x->repl->notify(x, XFRM_REPLAY_UPDATE);

	}

	return err;

}

static int xfrm_replay_check(struct xfrm_state *x,

		      struct sk_buff *skb, __be32 net_seq)

{

	u32 diff;

	u32 seq = ntohl(net_seq);

	if (unlikely(seq == 0))

		goto err;

	if (likely(seq > x->replay.seq))

		return 0;

	diff = x->replay.seq - seq;

	if (diff >= min_t(unsigned int, x->props.replay_window,

			  sizeof(x->replay.bitmap) * 8)) {

		x->stats.replay_window++;

		goto err;

	}

	if (x->replay.bitmap & (1U << diff)) {

		x->stats.replay++;

		goto err;

	}

	return 0;

err:

	xfrm_audit_state_replay(x, skb, net_seq);

	return -EINVAL;

}

static void xfrm_replay_advance(struct xfrm_state *x, __be32 net_seq)

{

	u32 diff;

	u32 seq = ntohl(net_seq);

	if (!x->props.replay_window)

		return;

	if (seq > x->replay.seq) {

		diff = seq - x->replay.seq;

		if (diff < x->props.replay_window)

			x->replay.bitmap = ((x->replay.bitmap) << diff) | 1;

		else

			x->replay.bitmap = 1;

		x->replay.seq = seq;

	} else {

		diff = x->replay.seq - seq;

		x->replay.bitmap |= (1U << diff);

	}

	if (xfrm_aevent_is_on(xs_net(x)))

		xfrm_replay_notify(x, XFRM_REPLAY_UPDATE);

}

static struct xfrm_replay xfrm_replay_legacy = {

	.advance	= xfrm_replay_advance,

	.check		= xfrm_replay_check,

	.notify		= xfrm_replay_notify,

	.overflow	= xfrm_replay_overflow,

};

int xfrm_init_replay(struct xfrm_state *x)

{

	x->repl = &xfrm_replay_legacy;

	return 0;

}

EXPORT_SYMBOL(xfrm_init_replay);