ah6.c 13.1 KB
Newer Older
L
Linus Torvalds 已提交
1 2
/*
 * Copyright (C)2002 USAGI/WIDE Project
3
 *
L
Linus Torvalds 已提交
4 5 6 7
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
8
 *
L
Linus Torvalds 已提交
9 10 11 12
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
13
 *
L
Linus Torvalds 已提交
14 15 16 17 18 19
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 *
 * Authors
 *
20
 *	Mitsuru KANDA @USAGI       : IPv6 Support
L
Linus Torvalds 已提交
21 22
 * 	Kazunori MIYAZAWA @USAGI   :
 * 	Kunihiro Ishiguro <kunihiro@ipinfusion.com>
23
 *
L
Linus Torvalds 已提交
24 25 26 27 28 29 30 31
 * 	This file is derived from net/ipv4/ah.c.
 */

#include <linux/module.h>
#include <net/ip.h>
#include <net/ah.h>
#include <linux/crypto.h>
#include <linux/pfkeyv2.h>
32
#include <linux/spinlock.h>
L
Linus Torvalds 已提交
33 34 35
#include <linux/string.h>
#include <net/icmp.h>
#include <net/ipv6.h>
36
#include <net/protocol.h>
L
Linus Torvalds 已提交
37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57
#include <net/xfrm.h>
#include <asm/scatterlist.h>

static int zero_out_mutable_opts(struct ipv6_opt_hdr *opthdr)
{
	u8 *opt = (u8 *)opthdr;
	int len = ipv6_optlen(opthdr);
	int off = 0;
	int optlen = 0;

	off += 2;
	len -= 2;

	while (len > 0) {

		switch (opt[off]) {

		case IPV6_TLV_PAD0:
			optlen = 1;
			break;
		default:
58
			if (len < 2)
L
Linus Torvalds 已提交
59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77
				goto bad;
			optlen = opt[off+1]+2;
			if (len < optlen)
				goto bad;
			if (opt[off] & 0x20)
				memset(&opt[off+2], 0, opt[off+1]);
			break;
		}

		off += optlen;
		len -= optlen;
	}
	if (len == 0)
		return 1;

bad:
	return 0;
}

78
#if defined(CONFIG_IPV6_MIP6) || defined(CONFIG_IPV6_MIP6_MODULE)
79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131
/**
 *	ipv6_rearrange_destopt - rearrange IPv6 destination options header
 *	@iph: IPv6 header
 *	@destopt: destionation options header
 */
static void ipv6_rearrange_destopt(struct ipv6hdr *iph, struct ipv6_opt_hdr *destopt)
{
	u8 *opt = (u8 *)destopt;
	int len = ipv6_optlen(destopt);
	int off = 0;
	int optlen = 0;

	off += 2;
	len -= 2;

	while (len > 0) {

		switch (opt[off]) {

		case IPV6_TLV_PAD0:
			optlen = 1;
			break;
		default:
			if (len < 2)
				goto bad;
			optlen = opt[off+1]+2;
			if (len < optlen)
				goto bad;

			/* Rearrange the source address in @iph and the
			 * addresses in home address option for final source.
			 * See 11.3.2 of RFC 3775 for details.
			 */
			if (opt[off] == IPV6_TLV_HAO) {
				struct in6_addr final_addr;
				struct ipv6_destopt_hao *hao;

				hao = (struct ipv6_destopt_hao *)&opt[off];
				if (hao->length != sizeof(hao->addr)) {
					if (net_ratelimit())
						printk(KERN_WARNING "destopt hao: invalid header length: %u\n", hao->length);
					goto bad;
				}
				ipv6_addr_copy(&final_addr, &hao->addr);
				ipv6_addr_copy(&hao->addr, &iph->saddr);
				ipv6_addr_copy(&iph->saddr, &final_addr);
			}
			break;
		}

		off += optlen;
		len -= optlen;
	}
132
	/* Note: ok if len == 0 */
133 134 135
bad:
	return;
}
136 137
#else
static void ipv6_rearrange_destopt(struct ipv6hdr *iph, struct ipv6_opt_hdr *destopt) {}
138 139
#endif

L
Linus Torvalds 已提交
140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157
/**
 *	ipv6_rearrange_rthdr - rearrange IPv6 routing header
 *	@iph: IPv6 header
 *	@rthdr: routing header
 *
 *	Rearrange the destination address in @iph and the addresses in @rthdr
 *	so that they appear in the order they will at the final destination.
 *	See Appendix A2 of RFC 2402 for details.
 */
static void ipv6_rearrange_rthdr(struct ipv6hdr *iph, struct ipv6_rt_hdr *rthdr)
{
	int segments, segments_left;
	struct in6_addr *addrs;
	struct in6_addr final_addr;

	segments_left = rthdr->segments_left;
	if (segments_left == 0)
		return;
158
	rthdr->segments_left = 0;
L
Linus Torvalds 已提交
159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178

	/* The value of rthdr->hdrlen has been verified either by the system
	 * call if it is locally generated, or by ipv6_rthdr_rcv() for incoming
	 * packets.  So we can assume that it is even and that segments is
	 * greater than or equal to segments_left.
	 *
	 * For the same reason we can assume that this option is of type 0.
	 */
	segments = rthdr->hdrlen >> 1;

	addrs = ((struct rt0_hdr *)rthdr)->addr;
	ipv6_addr_copy(&final_addr, addrs + segments - 1);

	addrs += segments - segments_left;
	memmove(addrs + 1, addrs, (segments_left - 1) * sizeof(*addrs));

	ipv6_addr_copy(addrs, &iph->daddr);
	ipv6_addr_copy(&iph->daddr, &final_addr);
}

179
static int ipv6_clear_mutable_options(struct ipv6hdr *iph, int len, int dir)
L
Linus Torvalds 已提交
180 181 182 183 184 185 186 187 188 189 190 191 192 193
{
	union {
		struct ipv6hdr *iph;
		struct ipv6_opt_hdr *opth;
		struct ipv6_rt_hdr *rth;
		char *raw;
	} exthdr = { .iph = iph };
	char *end = exthdr.raw + len;
	int nexthdr = iph->nexthdr;

	exthdr.iph++;

	while (exthdr.raw < end) {
		switch (nexthdr) {
194 195 196
		case NEXTHDR_DEST:
			if (dir == XFRM_POLICY_OUT)
				ipv6_rearrange_destopt(iph, exthdr.opth);
L
Linus Torvalds 已提交
197 198
		case NEXTHDR_HOP:
			if (!zero_out_mutable_opts(exthdr.opth)) {
199
				LIMIT_NETDEBUG(
L
Linus Torvalds 已提交
200 201
					KERN_WARNING "overrun %sopts\n",
					nexthdr == NEXTHDR_HOP ?
202
						"hop" : "dest");
L
Linus Torvalds 已提交
203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231
				return -EINVAL;
			}
			break;

		case NEXTHDR_ROUTING:
			ipv6_rearrange_rthdr(iph, exthdr.rth);
			break;

		default :
			return 0;
		}

		nexthdr = exthdr.opth->nexthdr;
		exthdr.raw += ipv6_optlen(exthdr.opth);
	}

	return 0;
}

static int ah6_output(struct xfrm_state *x, struct sk_buff *skb)
{
	int err;
	int extlen;
	struct ipv6hdr *top_iph;
	struct ip_auth_hdr *ah;
	struct ah_data *ahp;
	u8 nexthdr;
	char tmp_base[8];
	struct {
232
#if defined(CONFIG_IPV6_MIP6) || defined(CONFIG_IPV6_MIP6_MODULE)
233 234
		struct in6_addr saddr;
#endif
L
Linus Torvalds 已提交
235 236 237 238
		struct in6_addr daddr;
		char hdrs[0];
	} *tmp_ext;

239
	skb_push(skb, -skb_network_offset(skb));
240
	top_iph = ipv6_hdr(skb);
L
Linus Torvalds 已提交
241 242
	top_iph->payload_len = htons(skb->len - sizeof(*top_iph));

243 244
	nexthdr = *skb_mac_header(skb);
	*skb_mac_header(skb) = IPPROTO_AH;
L
Linus Torvalds 已提交
245 246 247 248 249 250 251

	/* When there are no extension headers, we only need to save the first
	 * 8 bytes of the base IP header.
	 */
	memcpy(tmp_base, top_iph, sizeof(tmp_base));

	tmp_ext = NULL;
252
	extlen = skb_transport_offset(skb) - sizeof(struct ipv6hdr);
L
Linus Torvalds 已提交
253 254 255 256 257 258 259
	if (extlen) {
		extlen += sizeof(*tmp_ext);
		tmp_ext = kmalloc(extlen, GFP_ATOMIC);
		if (!tmp_ext) {
			err = -ENOMEM;
			goto error;
		}
260
#if defined(CONFIG_IPV6_MIP6) || defined(CONFIG_IPV6_MIP6_MODULE)
261 262
		memcpy(tmp_ext, &top_iph->saddr, extlen);
#else
L
Linus Torvalds 已提交
263
		memcpy(tmp_ext, &top_iph->daddr, extlen);
264
#endif
L
Linus Torvalds 已提交
265 266
		err = ipv6_clear_mutable_options(top_iph,
						 extlen - sizeof(*tmp_ext) +
267 268
						 sizeof(*top_iph),
						 XFRM_POLICY_OUT);
L
Linus Torvalds 已提交
269 270 271 272
		if (err)
			goto error_free_iph;
	}

273
	ah = ip_auth_hdr(skb);
L
Linus Torvalds 已提交
274 275 276 277 278 279 280 281 282
	ah->nexthdr = nexthdr;

	top_iph->priority    = 0;
	top_iph->flow_lbl[0] = 0;
	top_iph->flow_lbl[1] = 0;
	top_iph->flow_lbl[2] = 0;
	top_iph->hop_limit   = 0;

	ahp = x->data;
283
	ah->hdrlen  = (XFRM_ALIGN8(sizeof(*ah) + ahp->icv_trunc_len) >> 2) - 2;
L
Linus Torvalds 已提交
284 285 286

	ah->reserved = 0;
	ah->spi = x->id.spi;
287
	ah->seq_no = htonl(XFRM_SKB_CB(skb)->seq);
288 289

	spin_lock_bh(&x->lock);
290 291
	err = ah_mac_digest(ahp, skb, ah->auth_data);
	memcpy(ah->auth_data, ahp->work_icv, ahp->icv_trunc_len);
292
	spin_unlock_bh(&x->lock);
L
Linus Torvalds 已提交
293

294 295
	if (err)
		goto error_free_iph;
L
Linus Torvalds 已提交
296 297 298

	memcpy(top_iph, tmp_base, sizeof(tmp_base));
	if (tmp_ext) {
299
#if defined(CONFIG_IPV6_MIP6) || defined(CONFIG_IPV6_MIP6_MODULE)
300 301
		memcpy(&top_iph->saddr, tmp_ext, extlen);
#else
L
Linus Torvalds 已提交
302
		memcpy(&top_iph->daddr, tmp_ext, extlen);
303
#endif
L
Linus Torvalds 已提交
304 305 306 307 308 309 310 311
error_free_iph:
		kfree(tmp_ext);
	}

error:
	return err;
}

312
static int ah6_input(struct xfrm_state *x, struct sk_buff *skb)
L
Linus Torvalds 已提交
313 314 315 316 317 318 319 320
{
	/*
	 * Before process AH
	 * [IPv6][Ext1][Ext2][AH][Dest][Payload]
	 * |<-------------->| hdr_len
	 *
	 * To erase AH:
	 * Keeping copy of cleared headers. After AH processing,
321 322
	 * Moving the pointer of skb->network_header by using skb_pull as long
	 * as AH header length. Then copy back the copy as long as hdr_len
L
Linus Torvalds 已提交
323
	 * If destination header following AH exists, copy it into after [Ext2].
324
	 *
L
Linus Torvalds 已提交
325 326 327 328
	 * |<>|[IPv6][Ext1][Ext2][Dest][Payload]
	 * There is offset of AH before IPv6 header after the process.
	 */

329
	struct ip_auth_hdr *ah;
330
	struct ipv6hdr *ip6h;
L
Linus Torvalds 已提交
331 332 333 334 335
	struct ah_data *ahp;
	unsigned char *tmp_hdr = NULL;
	u16 hdr_len;
	u16 ah_hlen;
	int nexthdr;
336
	int err = -EINVAL;
L
Linus Torvalds 已提交
337 338 339 340 341 342 343 344 345 346

	if (!pskb_may_pull(skb, sizeof(struct ip_auth_hdr)))
		goto out;

	/* We are going to _remove_ AH header to keep sockets happy,
	 * so... Later this can change. */
	if (skb_cloned(skb) &&
	    pskb_expand_head(skb, 0, 0, GFP_ATOMIC))
		goto out;

347
	hdr_len = skb->data - skb_network_header(skb);
348
	ah = (struct ip_auth_hdr *)skb->data;
L
Linus Torvalds 已提交
349 350 351 352
	ahp = x->data;
	nexthdr = ah->nexthdr;
	ah_hlen = (ah->hdrlen + 2) << 2;

353 354
	if (ah_hlen != XFRM_ALIGN8(sizeof(*ah) + ahp->icv_full_len) &&
	    ah_hlen != XFRM_ALIGN8(sizeof(*ah) + ahp->icv_trunc_len))
355
		goto out;
L
Linus Torvalds 已提交
356 357 358 359

	if (!pskb_may_pull(skb, ah_hlen))
		goto out;

360
	tmp_hdr = kmemdup(skb_network_header(skb), hdr_len, GFP_ATOMIC);
L
Linus Torvalds 已提交
361 362
	if (!tmp_hdr)
		goto out;
363 364
	ip6h = ipv6_hdr(skb);
	if (ipv6_clear_mutable_options(ip6h, hdr_len, XFRM_POLICY_IN))
365
		goto free_out;
366 367 368 369 370
	ip6h->priority    = 0;
	ip6h->flow_lbl[0] = 0;
	ip6h->flow_lbl[1] = 0;
	ip6h->flow_lbl[2] = 0;
	ip6h->hop_limit   = 0;
L
Linus Torvalds 已提交
371

372
	{
L
Linus Torvalds 已提交
373 374 375 376
		u8 auth_data[MAX_AH_AUTH_LEN];

		memcpy(auth_data, ah->auth_data, ahp->icv_trunc_len);
		memset(ah->auth_data, 0, ahp->icv_trunc_len);
377
		skb_push(skb, hdr_len);
378 379 380 381 382
		err = ah_mac_digest(ahp, skb, ah->auth_data);
		if (err)
			goto free_out;
		err = -EINVAL;
		if (memcmp(ahp->work_icv, auth_data, ahp->icv_trunc_len)) {
383
			LIMIT_NETDEBUG(KERN_WARNING "ipsec ah authentication error\n");
L
Linus Torvalds 已提交
384 385 386 387 388
			x->stats.integrity_failed++;
			goto free_out;
		}
	}

389
	skb->network_header += ah_hlen;
390
	memcpy(skb_network_header(skb), tmp_hdr, hdr_len);
391
	skb->transport_header = skb->network_header;
392
	__skb_pull(skb, ah_hlen + hdr_len);
L
Linus Torvalds 已提交
393 394 395 396 397 398 399 400

	kfree(tmp_hdr);

	return nexthdr;

free_out:
	kfree(tmp_hdr);
out:
401
	return err;
L
Linus Torvalds 已提交
402 403
}

404 405
static void ah6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
		    int type, int code, int offset, __be32 info)
L
Linus Torvalds 已提交
406 407 408 409 410 411 412 413 414 415 416 417 418
{
	struct ipv6hdr *iph = (struct ipv6hdr*)skb->data;
	struct ip_auth_hdr *ah = (struct ip_auth_hdr*)(skb->data+offset);
	struct xfrm_state *x;

	if (type != ICMPV6_DEST_UNREACH &&
	    type != ICMPV6_PKT_TOOBIG)
		return;

	x = xfrm_state_lookup((xfrm_address_t *)&iph->daddr, ah->spi, IPPROTO_AH, AF_INET6);
	if (!x)
		return;

J
Joe Perches 已提交
419
	NETDEBUG(KERN_DEBUG "pmtu discovery on SA AH/%08x/" NIP6_FMT "\n",
420
		 ntohl(ah->spi), NIP6(iph->daddr));
L
Linus Torvalds 已提交
421 422 423 424

	xfrm_state_put(x);
}

H
Herbert Xu 已提交
425
static int ah6_init_state(struct xfrm_state *x)
L
Linus Torvalds 已提交
426 427 428
{
	struct ah_data *ahp = NULL;
	struct xfrm_algo_desc *aalg_desc;
429
	struct crypto_hash *tfm;
L
Linus Torvalds 已提交
430 431 432 433 434 435 436

	if (!x->aalg)
		goto error;

	if (x->encap)
		goto error;

437
	ahp = kzalloc(sizeof(*ahp), GFP_KERNEL);
L
Linus Torvalds 已提交
438 439 440
	if (ahp == NULL)
		return -ENOMEM;

441 442 443 444 445
	tfm = crypto_alloc_hash(x->aalg->alg_name, 0, CRYPTO_ALG_ASYNC);
	if (IS_ERR(tfm))
		goto error;

	ahp->tfm = tfm;
446 447
	if (crypto_hash_setkey(tfm, x->aalg->alg_key,
			       (x->aalg->alg_key_len + 7) / 8))
L
Linus Torvalds 已提交
448
		goto error;
449

L
Linus Torvalds 已提交
450 451 452 453
	/*
	 * Lookup the algorithm description maintained by xfrm_algo,
	 * verify crypto transform properties, and store information
	 * we need for AH processing.  This lookup cannot fail here
454
	 * after a successful crypto_alloc_hash().
L
Linus Torvalds 已提交
455 456 457 458 459
	 */
	aalg_desc = xfrm_aalg_get_byname(x->aalg->alg_name, 0);
	BUG_ON(!aalg_desc);

	if (aalg_desc->uinfo.auth.icv_fullbits/8 !=
460
	    crypto_hash_digestsize(tfm)) {
L
Linus Torvalds 已提交
461
		printk(KERN_INFO "AH: %s digestsize %u != %hu\n",
462
		       x->aalg->alg_name, crypto_hash_digestsize(tfm),
L
Linus Torvalds 已提交
463 464 465
		       aalg_desc->uinfo.auth.icv_fullbits/8);
		goto error;
	}
466

L
Linus Torvalds 已提交
467 468
	ahp->icv_full_len = aalg_desc->uinfo.auth.icv_fullbits/8;
	ahp->icv_trunc_len = aalg_desc->uinfo.auth.icv_truncbits/8;
469

L
Linus Torvalds 已提交
470
	BUG_ON(ahp->icv_trunc_len > MAX_AH_AUTH_LEN);
471

L
Linus Torvalds 已提交
472 473 474
	ahp->work_icv = kmalloc(ahp->icv_full_len, GFP_KERNEL);
	if (!ahp->work_icv)
		goto error;
475

476 477
	x->props.header_len = XFRM_ALIGN8(sizeof(struct ip_auth_hdr) +
					  ahp->icv_trunc_len);
478
	if (x->props.mode == XFRM_MODE_TUNNEL)
L
Linus Torvalds 已提交
479 480 481 482 483 484 485
		x->props.header_len += sizeof(struct ipv6hdr);
	x->data = ahp;

	return 0;

error:
	if (ahp) {
486
		kfree(ahp->work_icv);
487
		crypto_free_hash(ahp->tfm);
L
Linus Torvalds 已提交
488 489 490 491 492 493 494 495 496 497 498 499
		kfree(ahp);
	}
	return -EINVAL;
}

static void ah6_destroy(struct xfrm_state *x)
{
	struct ah_data *ahp = x->data;

	if (!ahp)
		return;

500 501
	kfree(ahp->work_icv);
	ahp->work_icv = NULL;
502
	crypto_free_hash(ahp->tfm);
503
	ahp->tfm = NULL;
L
Linus Torvalds 已提交
504 505 506 507 508 509 510 511
	kfree(ahp);
}

static struct xfrm_type ah6_type =
{
	.description	= "AH6",
	.owner		= THIS_MODULE,
	.proto	     	= IPPROTO_AH,
512
	.flags		= XFRM_TYPE_REPLAY_PROT,
L
Linus Torvalds 已提交
513 514 515
	.init_state	= ah6_init_state,
	.destructor	= ah6_destroy,
	.input		= ah6_input,
516 517
	.output		= ah6_output,
	.hdr_offset	= xfrm6_find_1stfragopt,
L
Linus Torvalds 已提交
518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555
};

static struct inet6_protocol ah6_protocol = {
	.handler	=	xfrm6_rcv,
	.err_handler	=	ah6_err,
	.flags		=	INET6_PROTO_NOPOLICY,
};

static int __init ah6_init(void)
{
	if (xfrm_register_type(&ah6_type, AF_INET6) < 0) {
		printk(KERN_INFO "ipv6 ah init: can't add xfrm type\n");
		return -EAGAIN;
	}

	if (inet6_add_protocol(&ah6_protocol, IPPROTO_AH) < 0) {
		printk(KERN_INFO "ipv6 ah init: can't add protocol\n");
		xfrm_unregister_type(&ah6_type, AF_INET6);
		return -EAGAIN;
	}

	return 0;
}

static void __exit ah6_fini(void)
{
	if (inet6_del_protocol(&ah6_protocol, IPPROTO_AH) < 0)
		printk(KERN_INFO "ipv6 ah close: can't remove protocol\n");

	if (xfrm_unregister_type(&ah6_type, AF_INET6) < 0)
		printk(KERN_INFO "ipv6 ah close: can't remove xfrm type\n");

}

module_init(ah6_init);
module_exit(ah6_fini);

MODULE_LICENSE("GPL");
556
MODULE_ALIAS_XFRM_TYPE(AF_INET6, XFRM_PROTO_AH);