ah6.c 13.1 KB
Newer Older
L
Linus Torvalds 已提交
1 2
/*
 * Copyright (C)2002 USAGI/WIDE Project
3
 *
L
Linus Torvalds 已提交
4 5 6 7
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
8
 *
L
Linus Torvalds 已提交
9 10 11 12
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
13
 *
L
Linus Torvalds 已提交
14 15 16 17 18 19
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 *
 * Authors
 *
20
 *	Mitsuru KANDA @USAGI       : IPv6 Support
L
Linus Torvalds 已提交
21 22
 * 	Kazunori MIYAZAWA @USAGI   :
 * 	Kunihiro Ishiguro <kunihiro@ipinfusion.com>
23
 *
L
Linus Torvalds 已提交
24 25 26 27 28 29 30 31
 * 	This file is derived from net/ipv4/ah.c.
 */

#include <linux/module.h>
#include <net/ip.h>
#include <net/ah.h>
#include <linux/crypto.h>
#include <linux/pfkeyv2.h>
32
#include <linux/spinlock.h>
L
Linus Torvalds 已提交
33 34 35
#include <linux/string.h>
#include <net/icmp.h>
#include <net/ipv6.h>
36
#include <net/protocol.h>
L
Linus Torvalds 已提交
37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56
#include <net/xfrm.h>

static int zero_out_mutable_opts(struct ipv6_opt_hdr *opthdr)
{
	u8 *opt = (u8 *)opthdr;
	int len = ipv6_optlen(opthdr);
	int off = 0;
	int optlen = 0;

	off += 2;
	len -= 2;

	while (len > 0) {

		switch (opt[off]) {

		case IPV6_TLV_PAD0:
			optlen = 1;
			break;
		default:
57
			if (len < 2)
L
Linus Torvalds 已提交
58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76
				goto bad;
			optlen = opt[off+1]+2;
			if (len < optlen)
				goto bad;
			if (opt[off] & 0x20)
				memset(&opt[off+2], 0, opt[off+1]);
			break;
		}

		off += optlen;
		len -= optlen;
	}
	if (len == 0)
		return 1;

bad:
	return 0;
}

77
#if defined(CONFIG_IPV6_MIP6) || defined(CONFIG_IPV6_MIP6_MODULE)
78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130
/**
 *	ipv6_rearrange_destopt - rearrange IPv6 destination options header
 *	@iph: IPv6 header
 *	@destopt: destionation options header
 */
static void ipv6_rearrange_destopt(struct ipv6hdr *iph, struct ipv6_opt_hdr *destopt)
{
	u8 *opt = (u8 *)destopt;
	int len = ipv6_optlen(destopt);
	int off = 0;
	int optlen = 0;

	off += 2;
	len -= 2;

	while (len > 0) {

		switch (opt[off]) {

		case IPV6_TLV_PAD0:
			optlen = 1;
			break;
		default:
			if (len < 2)
				goto bad;
			optlen = opt[off+1]+2;
			if (len < optlen)
				goto bad;

			/* Rearrange the source address in @iph and the
			 * addresses in home address option for final source.
			 * See 11.3.2 of RFC 3775 for details.
			 */
			if (opt[off] == IPV6_TLV_HAO) {
				struct in6_addr final_addr;
				struct ipv6_destopt_hao *hao;

				hao = (struct ipv6_destopt_hao *)&opt[off];
				if (hao->length != sizeof(hao->addr)) {
					if (net_ratelimit())
						printk(KERN_WARNING "destopt hao: invalid header length: %u\n", hao->length);
					goto bad;
				}
				ipv6_addr_copy(&final_addr, &hao->addr);
				ipv6_addr_copy(&hao->addr, &iph->saddr);
				ipv6_addr_copy(&iph->saddr, &final_addr);
			}
			break;
		}

		off += optlen;
		len -= optlen;
	}
131
	/* Note: ok if len == 0 */
132 133 134
bad:
	return;
}
135 136
#else
static void ipv6_rearrange_destopt(struct ipv6hdr *iph, struct ipv6_opt_hdr *destopt) {}
137 138
#endif

L
Linus Torvalds 已提交
139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156
/**
 *	ipv6_rearrange_rthdr - rearrange IPv6 routing header
 *	@iph: IPv6 header
 *	@rthdr: routing header
 *
 *	Rearrange the destination address in @iph and the addresses in @rthdr
 *	so that they appear in the order they will at the final destination.
 *	See Appendix A2 of RFC 2402 for details.
 */
static void ipv6_rearrange_rthdr(struct ipv6hdr *iph, struct ipv6_rt_hdr *rthdr)
{
	int segments, segments_left;
	struct in6_addr *addrs;
	struct in6_addr final_addr;

	segments_left = rthdr->segments_left;
	if (segments_left == 0)
		return;
157
	rthdr->segments_left = 0;
L
Linus Torvalds 已提交
158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177

	/* The value of rthdr->hdrlen has been verified either by the system
	 * call if it is locally generated, or by ipv6_rthdr_rcv() for incoming
	 * packets.  So we can assume that it is even and that segments is
	 * greater than or equal to segments_left.
	 *
	 * For the same reason we can assume that this option is of type 0.
	 */
	segments = rthdr->hdrlen >> 1;

	addrs = ((struct rt0_hdr *)rthdr)->addr;
	ipv6_addr_copy(&final_addr, addrs + segments - 1);

	addrs += segments - segments_left;
	memmove(addrs + 1, addrs, (segments_left - 1) * sizeof(*addrs));

	ipv6_addr_copy(addrs, &iph->daddr);
	ipv6_addr_copy(&iph->daddr, &final_addr);
}

178
static int ipv6_clear_mutable_options(struct ipv6hdr *iph, int len, int dir)
L
Linus Torvalds 已提交
179 180 181 182 183 184 185 186 187 188 189 190 191 192
{
	union {
		struct ipv6hdr *iph;
		struct ipv6_opt_hdr *opth;
		struct ipv6_rt_hdr *rth;
		char *raw;
	} exthdr = { .iph = iph };
	char *end = exthdr.raw + len;
	int nexthdr = iph->nexthdr;

	exthdr.iph++;

	while (exthdr.raw < end) {
		switch (nexthdr) {
193 194 195
		case NEXTHDR_DEST:
			if (dir == XFRM_POLICY_OUT)
				ipv6_rearrange_destopt(iph, exthdr.opth);
L
Linus Torvalds 已提交
196 197
		case NEXTHDR_HOP:
			if (!zero_out_mutable_opts(exthdr.opth)) {
198
				LIMIT_NETDEBUG(
L
Linus Torvalds 已提交
199 200
					KERN_WARNING "overrun %sopts\n",
					nexthdr == NEXTHDR_HOP ?
201
						"hop" : "dest");
L
Linus Torvalds 已提交
202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230
				return -EINVAL;
			}
			break;

		case NEXTHDR_ROUTING:
			ipv6_rearrange_rthdr(iph, exthdr.rth);
			break;

		default :
			return 0;
		}

		nexthdr = exthdr.opth->nexthdr;
		exthdr.raw += ipv6_optlen(exthdr.opth);
	}

	return 0;
}

static int ah6_output(struct xfrm_state *x, struct sk_buff *skb)
{
	int err;
	int extlen;
	struct ipv6hdr *top_iph;
	struct ip_auth_hdr *ah;
	struct ah_data *ahp;
	u8 nexthdr;
	char tmp_base[8];
	struct {
231
#if defined(CONFIG_IPV6_MIP6) || defined(CONFIG_IPV6_MIP6_MODULE)
232 233
		struct in6_addr saddr;
#endif
L
Linus Torvalds 已提交
234 235 236 237
		struct in6_addr daddr;
		char hdrs[0];
	} *tmp_ext;

238
	skb_push(skb, -skb_network_offset(skb));
239
	top_iph = ipv6_hdr(skb);
L
Linus Torvalds 已提交
240 241
	top_iph->payload_len = htons(skb->len - sizeof(*top_iph));

242 243
	nexthdr = *skb_mac_header(skb);
	*skb_mac_header(skb) = IPPROTO_AH;
L
Linus Torvalds 已提交
244 245 246 247 248 249 250

	/* When there are no extension headers, we only need to save the first
	 * 8 bytes of the base IP header.
	 */
	memcpy(tmp_base, top_iph, sizeof(tmp_base));

	tmp_ext = NULL;
251
	extlen = skb_transport_offset(skb) - sizeof(struct ipv6hdr);
L
Linus Torvalds 已提交
252 253 254 255 256 257 258
	if (extlen) {
		extlen += sizeof(*tmp_ext);
		tmp_ext = kmalloc(extlen, GFP_ATOMIC);
		if (!tmp_ext) {
			err = -ENOMEM;
			goto error;
		}
259
#if defined(CONFIG_IPV6_MIP6) || defined(CONFIG_IPV6_MIP6_MODULE)
260 261
		memcpy(tmp_ext, &top_iph->saddr, extlen);
#else
L
Linus Torvalds 已提交
262
		memcpy(tmp_ext, &top_iph->daddr, extlen);
263
#endif
L
Linus Torvalds 已提交
264 265
		err = ipv6_clear_mutable_options(top_iph,
						 extlen - sizeof(*tmp_ext) +
266 267
						 sizeof(*top_iph),
						 XFRM_POLICY_OUT);
L
Linus Torvalds 已提交
268 269 270 271
		if (err)
			goto error_free_iph;
	}

272
	ah = ip_auth_hdr(skb);
L
Linus Torvalds 已提交
273 274 275 276 277 278 279 280 281
	ah->nexthdr = nexthdr;

	top_iph->priority    = 0;
	top_iph->flow_lbl[0] = 0;
	top_iph->flow_lbl[1] = 0;
	top_iph->flow_lbl[2] = 0;
	top_iph->hop_limit   = 0;

	ahp = x->data;
282
	ah->hdrlen  = (XFRM_ALIGN8(sizeof(*ah) + ahp->icv_trunc_len) >> 2) - 2;
L
Linus Torvalds 已提交
283 284 285

	ah->reserved = 0;
	ah->spi = x->id.spi;
286
	ah->seq_no = htonl(XFRM_SKB_CB(skb)->seq.output);
287 288

	spin_lock_bh(&x->lock);
289 290
	err = ah_mac_digest(ahp, skb, ah->auth_data);
	memcpy(ah->auth_data, ahp->work_icv, ahp->icv_trunc_len);
291
	spin_unlock_bh(&x->lock);
L
Linus Torvalds 已提交
292

293 294
	if (err)
		goto error_free_iph;
L
Linus Torvalds 已提交
295 296 297

	memcpy(top_iph, tmp_base, sizeof(tmp_base));
	if (tmp_ext) {
298
#if defined(CONFIG_IPV6_MIP6) || defined(CONFIG_IPV6_MIP6_MODULE)
299 300
		memcpy(&top_iph->saddr, tmp_ext, extlen);
#else
L
Linus Torvalds 已提交
301
		memcpy(&top_iph->daddr, tmp_ext, extlen);
302
#endif
L
Linus Torvalds 已提交
303 304 305 306 307 308 309 310
error_free_iph:
		kfree(tmp_ext);
	}

error:
	return err;
}

311
static int ah6_input(struct xfrm_state *x, struct sk_buff *skb)
L
Linus Torvalds 已提交
312 313 314 315 316 317 318 319
{
	/*
	 * Before process AH
	 * [IPv6][Ext1][Ext2][AH][Dest][Payload]
	 * |<-------------->| hdr_len
	 *
	 * To erase AH:
	 * Keeping copy of cleared headers. After AH processing,
320 321
	 * Moving the pointer of skb->network_header by using skb_pull as long
	 * as AH header length. Then copy back the copy as long as hdr_len
L
Linus Torvalds 已提交
322
	 * If destination header following AH exists, copy it into after [Ext2].
323
	 *
L
Linus Torvalds 已提交
324 325 326 327
	 * |<>|[IPv6][Ext1][Ext2][Dest][Payload]
	 * There is offset of AH before IPv6 header after the process.
	 */

328
	struct ip_auth_hdr *ah;
329
	struct ipv6hdr *ip6h;
L
Linus Torvalds 已提交
330 331 332 333 334
	struct ah_data *ahp;
	unsigned char *tmp_hdr = NULL;
	u16 hdr_len;
	u16 ah_hlen;
	int nexthdr;
335
	int err = -EINVAL;
L
Linus Torvalds 已提交
336 337 338 339 340 341 342 343 344 345

	if (!pskb_may_pull(skb, sizeof(struct ip_auth_hdr)))
		goto out;

	/* We are going to _remove_ AH header to keep sockets happy,
	 * so... Later this can change. */
	if (skb_cloned(skb) &&
	    pskb_expand_head(skb, 0, 0, GFP_ATOMIC))
		goto out;

346 347
	skb->ip_summed = CHECKSUM_NONE;

348
	hdr_len = skb->data - skb_network_header(skb);
349
	ah = (struct ip_auth_hdr *)skb->data;
L
Linus Torvalds 已提交
350 351 352 353
	ahp = x->data;
	nexthdr = ah->nexthdr;
	ah_hlen = (ah->hdrlen + 2) << 2;

354 355
	if (ah_hlen != XFRM_ALIGN8(sizeof(*ah) + ahp->icv_full_len) &&
	    ah_hlen != XFRM_ALIGN8(sizeof(*ah) + ahp->icv_trunc_len))
356
		goto out;
L
Linus Torvalds 已提交
357 358 359 360

	if (!pskb_may_pull(skb, ah_hlen))
		goto out;

361
	tmp_hdr = kmemdup(skb_network_header(skb), hdr_len, GFP_ATOMIC);
L
Linus Torvalds 已提交
362 363
	if (!tmp_hdr)
		goto out;
364 365
	ip6h = ipv6_hdr(skb);
	if (ipv6_clear_mutable_options(ip6h, hdr_len, XFRM_POLICY_IN))
366
		goto free_out;
367 368 369 370 371
	ip6h->priority    = 0;
	ip6h->flow_lbl[0] = 0;
	ip6h->flow_lbl[1] = 0;
	ip6h->flow_lbl[2] = 0;
	ip6h->hop_limit   = 0;
L
Linus Torvalds 已提交
372

373
	spin_lock(&x->lock);
374
	{
L
Linus Torvalds 已提交
375 376 377 378
		u8 auth_data[MAX_AH_AUTH_LEN];

		memcpy(auth_data, ah->auth_data, ahp->icv_trunc_len);
		memset(ah->auth_data, 0, ahp->icv_trunc_len);
379
		skb_push(skb, hdr_len);
380 381
		err = ah_mac_digest(ahp, skb, ah->auth_data);
		if (err)
382
			goto unlock;
383
		if (memcmp(ahp->work_icv, auth_data, ahp->icv_trunc_len))
384
			err = -EBADMSG;
L
Linus Torvalds 已提交
385
	}
386 387 388 389 390
unlock:
	spin_unlock(&x->lock);

	if (err)
		goto free_out;
L
Linus Torvalds 已提交
391

392
	skb->network_header += ah_hlen;
393
	memcpy(skb_network_header(skb), tmp_hdr, hdr_len);
394
	skb->transport_header = skb->network_header;
395
	__skb_pull(skb, ah_hlen + hdr_len);
L
Linus Torvalds 已提交
396 397 398 399 400 401 402 403

	kfree(tmp_hdr);

	return nexthdr;

free_out:
	kfree(tmp_hdr);
out:
404
	return err;
L
Linus Torvalds 已提交
405 406
}

407
static void ah6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
408
		    u8 type, u8 code, int offset, __be32 info)
L
Linus Torvalds 已提交
409
{
A
Alexey Dobriyan 已提交
410
	struct net *net = dev_net(skb->dev);
L
Linus Torvalds 已提交
411 412 413 414 415 416 417 418
	struct ipv6hdr *iph = (struct ipv6hdr*)skb->data;
	struct ip_auth_hdr *ah = (struct ip_auth_hdr*)(skb->data+offset);
	struct xfrm_state *x;

	if (type != ICMPV6_DEST_UNREACH &&
	    type != ICMPV6_PKT_TOOBIG)
		return;

A
Alexey Dobriyan 已提交
419
	x = xfrm_state_lookup(net, (xfrm_address_t *)&iph->daddr, ah->spi, IPPROTO_AH, AF_INET6);
L
Linus Torvalds 已提交
420 421 422
	if (!x)
		return;

H
Harvey Harrison 已提交
423
	NETDEBUG(KERN_DEBUG "pmtu discovery on SA AH/%08x/%pI6\n",
424
		 ntohl(ah->spi), &iph->daddr);
L
Linus Torvalds 已提交
425 426 427 428

	xfrm_state_put(x);
}

H
Herbert Xu 已提交
429
static int ah6_init_state(struct xfrm_state *x)
L
Linus Torvalds 已提交
430 431 432
{
	struct ah_data *ahp = NULL;
	struct xfrm_algo_desc *aalg_desc;
433
	struct crypto_hash *tfm;
L
Linus Torvalds 已提交
434 435 436 437 438 439 440

	if (!x->aalg)
		goto error;

	if (x->encap)
		goto error;

441
	ahp = kzalloc(sizeof(*ahp), GFP_KERNEL);
L
Linus Torvalds 已提交
442 443 444
	if (ahp == NULL)
		return -ENOMEM;

445 446 447 448 449
	tfm = crypto_alloc_hash(x->aalg->alg_name, 0, CRYPTO_ALG_ASYNC);
	if (IS_ERR(tfm))
		goto error;

	ahp->tfm = tfm;
450 451
	if (crypto_hash_setkey(tfm, x->aalg->alg_key,
			       (x->aalg->alg_key_len + 7) / 8))
L
Linus Torvalds 已提交
452
		goto error;
453

L
Linus Torvalds 已提交
454 455 456 457
	/*
	 * Lookup the algorithm description maintained by xfrm_algo,
	 * verify crypto transform properties, and store information
	 * we need for AH processing.  This lookup cannot fail here
458
	 * after a successful crypto_alloc_hash().
L
Linus Torvalds 已提交
459 460 461 462 463
	 */
	aalg_desc = xfrm_aalg_get_byname(x->aalg->alg_name, 0);
	BUG_ON(!aalg_desc);

	if (aalg_desc->uinfo.auth.icv_fullbits/8 !=
464
	    crypto_hash_digestsize(tfm)) {
L
Linus Torvalds 已提交
465
		printk(KERN_INFO "AH: %s digestsize %u != %hu\n",
466
		       x->aalg->alg_name, crypto_hash_digestsize(tfm),
L
Linus Torvalds 已提交
467 468 469
		       aalg_desc->uinfo.auth.icv_fullbits/8);
		goto error;
	}
470

L
Linus Torvalds 已提交
471 472
	ahp->icv_full_len = aalg_desc->uinfo.auth.icv_fullbits/8;
	ahp->icv_trunc_len = aalg_desc->uinfo.auth.icv_truncbits/8;
473

L
Linus Torvalds 已提交
474
	BUG_ON(ahp->icv_trunc_len > MAX_AH_AUTH_LEN);
475

L
Linus Torvalds 已提交
476 477 478
	ahp->work_icv = kmalloc(ahp->icv_full_len, GFP_KERNEL);
	if (!ahp->work_icv)
		goto error;
479

480 481
	x->props.header_len = XFRM_ALIGN8(sizeof(struct ip_auth_hdr) +
					  ahp->icv_trunc_len);
482 483 484 485 486
	switch (x->props.mode) {
	case XFRM_MODE_BEET:
	case XFRM_MODE_TRANSPORT:
		break;
	case XFRM_MODE_TUNNEL:
L
Linus Torvalds 已提交
487
		x->props.header_len += sizeof(struct ipv6hdr);
488
		break;
489 490 491
	default:
		goto error;
	}
L
Linus Torvalds 已提交
492 493 494 495 496 497
	x->data = ahp;

	return 0;

error:
	if (ahp) {
498
		kfree(ahp->work_icv);
499
		crypto_free_hash(ahp->tfm);
L
Linus Torvalds 已提交
500 501 502 503 504 505 506 507 508 509 510 511
		kfree(ahp);
	}
	return -EINVAL;
}

static void ah6_destroy(struct xfrm_state *x)
{
	struct ah_data *ahp = x->data;

	if (!ahp)
		return;

512
	kfree(ahp->work_icv);
513
	crypto_free_hash(ahp->tfm);
L
Linus Torvalds 已提交
514 515 516
	kfree(ahp);
}

517
static const struct xfrm_type ah6_type =
L
Linus Torvalds 已提交
518 519 520 521
{
	.description	= "AH6",
	.owner		= THIS_MODULE,
	.proto	     	= IPPROTO_AH,
522
	.flags		= XFRM_TYPE_REPLAY_PROT,
L
Linus Torvalds 已提交
523 524 525
	.init_state	= ah6_init_state,
	.destructor	= ah6_destroy,
	.input		= ah6_input,
526 527
	.output		= ah6_output,
	.hdr_offset	= xfrm6_find_1stfragopt,
L
Linus Torvalds 已提交
528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565
};

static struct inet6_protocol ah6_protocol = {
	.handler	=	xfrm6_rcv,
	.err_handler	=	ah6_err,
	.flags		=	INET6_PROTO_NOPOLICY,
};

static int __init ah6_init(void)
{
	if (xfrm_register_type(&ah6_type, AF_INET6) < 0) {
		printk(KERN_INFO "ipv6 ah init: can't add xfrm type\n");
		return -EAGAIN;
	}

	if (inet6_add_protocol(&ah6_protocol, IPPROTO_AH) < 0) {
		printk(KERN_INFO "ipv6 ah init: can't add protocol\n");
		xfrm_unregister_type(&ah6_type, AF_INET6);
		return -EAGAIN;
	}

	return 0;
}

static void __exit ah6_fini(void)
{
	if (inet6_del_protocol(&ah6_protocol, IPPROTO_AH) < 0)
		printk(KERN_INFO "ipv6 ah close: can't remove protocol\n");

	if (xfrm_unregister_type(&ah6_type, AF_INET6) < 0)
		printk(KERN_INFO "ipv6 ah close: can't remove xfrm type\n");

}

module_init(ah6_init);
module_exit(ah6_fini);

MODULE_LICENSE("GPL");
566
MODULE_ALIAS_XFRM_TYPE(AF_INET6, XFRM_PROTO_AH);