ah6.c 13.0 KB
Newer Older
L
Linus Torvalds 已提交
1 2
/*
 * Copyright (C)2002 USAGI/WIDE Project
3
 *
L
Linus Torvalds 已提交
4 5 6 7
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
8
 *
L
Linus Torvalds 已提交
9 10 11 12
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
13
 *
L
Linus Torvalds 已提交
14 15 16 17 18 19
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 *
 * Authors
 *
20
 *	Mitsuru KANDA @USAGI       : IPv6 Support
L
Linus Torvalds 已提交
21 22
 * 	Kazunori MIYAZAWA @USAGI   :
 * 	Kunihiro Ishiguro <kunihiro@ipinfusion.com>
23
 *
L
Linus Torvalds 已提交
24 25 26 27 28 29 30 31 32 33 34
 * 	This file is derived from net/ipv4/ah.c.
 */

#include <linux/module.h>
#include <net/ip.h>
#include <net/ah.h>
#include <linux/crypto.h>
#include <linux/pfkeyv2.h>
#include <linux/string.h>
#include <net/icmp.h>
#include <net/ipv6.h>
35
#include <net/protocol.h>
L
Linus Torvalds 已提交
36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56
#include <net/xfrm.h>
#include <asm/scatterlist.h>

static int zero_out_mutable_opts(struct ipv6_opt_hdr *opthdr)
{
	u8 *opt = (u8 *)opthdr;
	int len = ipv6_optlen(opthdr);
	int off = 0;
	int optlen = 0;

	off += 2;
	len -= 2;

	while (len > 0) {

		switch (opt[off]) {

		case IPV6_TLV_PAD0:
			optlen = 1;
			break;
		default:
57
			if (len < 2)
L
Linus Torvalds 已提交
58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76
				goto bad;
			optlen = opt[off+1]+2;
			if (len < optlen)
				goto bad;
			if (opt[off] & 0x20)
				memset(&opt[off+2], 0, opt[off+1]);
			break;
		}

		off += optlen;
		len -= optlen;
	}
	if (len == 0)
		return 1;

bad:
	return 0;
}

77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130
#ifdef CONFIG_IPV6_MIP6
/**
 *	ipv6_rearrange_destopt - rearrange IPv6 destination options header
 *	@iph: IPv6 header
 *	@destopt: destionation options header
 */
static void ipv6_rearrange_destopt(struct ipv6hdr *iph, struct ipv6_opt_hdr *destopt)
{
	u8 *opt = (u8 *)destopt;
	int len = ipv6_optlen(destopt);
	int off = 0;
	int optlen = 0;

	off += 2;
	len -= 2;

	while (len > 0) {

		switch (opt[off]) {

		case IPV6_TLV_PAD0:
			optlen = 1;
			break;
		default:
			if (len < 2)
				goto bad;
			optlen = opt[off+1]+2;
			if (len < optlen)
				goto bad;

			/* Rearrange the source address in @iph and the
			 * addresses in home address option for final source.
			 * See 11.3.2 of RFC 3775 for details.
			 */
			if (opt[off] == IPV6_TLV_HAO) {
				struct in6_addr final_addr;
				struct ipv6_destopt_hao *hao;

				hao = (struct ipv6_destopt_hao *)&opt[off];
				if (hao->length != sizeof(hao->addr)) {
					if (net_ratelimit())
						printk(KERN_WARNING "destopt hao: invalid header length: %u\n", hao->length);
					goto bad;
				}
				ipv6_addr_copy(&final_addr, &hao->addr);
				ipv6_addr_copy(&hao->addr, &iph->saddr);
				ipv6_addr_copy(&iph->saddr, &final_addr);
			}
			break;
		}

		off += optlen;
		len -= optlen;
	}
131
	/* Note: ok if len == 0 */
132 133 134
bad:
	return;
}
135 136
#else
static void ipv6_rearrange_destopt(struct ipv6hdr *iph, struct ipv6_opt_hdr *destopt) {}
137 138
#endif

L
Linus Torvalds 已提交
139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156
/**
 *	ipv6_rearrange_rthdr - rearrange IPv6 routing header
 *	@iph: IPv6 header
 *	@rthdr: routing header
 *
 *	Rearrange the destination address in @iph and the addresses in @rthdr
 *	so that they appear in the order they will at the final destination.
 *	See Appendix A2 of RFC 2402 for details.
 */
static void ipv6_rearrange_rthdr(struct ipv6hdr *iph, struct ipv6_rt_hdr *rthdr)
{
	int segments, segments_left;
	struct in6_addr *addrs;
	struct in6_addr final_addr;

	segments_left = rthdr->segments_left;
	if (segments_left == 0)
		return;
157
	rthdr->segments_left = 0;
L
Linus Torvalds 已提交
158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177

	/* The value of rthdr->hdrlen has been verified either by the system
	 * call if it is locally generated, or by ipv6_rthdr_rcv() for incoming
	 * packets.  So we can assume that it is even and that segments is
	 * greater than or equal to segments_left.
	 *
	 * For the same reason we can assume that this option is of type 0.
	 */
	segments = rthdr->hdrlen >> 1;

	addrs = ((struct rt0_hdr *)rthdr)->addr;
	ipv6_addr_copy(&final_addr, addrs + segments - 1);

	addrs += segments - segments_left;
	memmove(addrs + 1, addrs, (segments_left - 1) * sizeof(*addrs));

	ipv6_addr_copy(addrs, &iph->daddr);
	ipv6_addr_copy(&iph->daddr, &final_addr);
}

178
static int ipv6_clear_mutable_options(struct ipv6hdr *iph, int len, int dir)
L
Linus Torvalds 已提交
179 180 181 182 183 184 185 186 187 188 189 190 191 192
{
	union {
		struct ipv6hdr *iph;
		struct ipv6_opt_hdr *opth;
		struct ipv6_rt_hdr *rth;
		char *raw;
	} exthdr = { .iph = iph };
	char *end = exthdr.raw + len;
	int nexthdr = iph->nexthdr;

	exthdr.iph++;

	while (exthdr.raw < end) {
		switch (nexthdr) {
193 194 195
		case NEXTHDR_DEST:
			if (dir == XFRM_POLICY_OUT)
				ipv6_rearrange_destopt(iph, exthdr.opth);
L
Linus Torvalds 已提交
196 197
		case NEXTHDR_HOP:
			if (!zero_out_mutable_opts(exthdr.opth)) {
198
				LIMIT_NETDEBUG(
L
Linus Torvalds 已提交
199 200
					KERN_WARNING "overrun %sopts\n",
					nexthdr == NEXTHDR_HOP ?
201
						"hop" : "dest");
L
Linus Torvalds 已提交
202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230
				return -EINVAL;
			}
			break;

		case NEXTHDR_ROUTING:
			ipv6_rearrange_rthdr(iph, exthdr.rth);
			break;

		default :
			return 0;
		}

		nexthdr = exthdr.opth->nexthdr;
		exthdr.raw += ipv6_optlen(exthdr.opth);
	}

	return 0;
}

static int ah6_output(struct xfrm_state *x, struct sk_buff *skb)
{
	int err;
	int extlen;
	struct ipv6hdr *top_iph;
	struct ip_auth_hdr *ah;
	struct ah_data *ahp;
	u8 nexthdr;
	char tmp_base[8];
	struct {
231 232 233
#ifdef CONFIG_IPV6_MIP6
		struct in6_addr saddr;
#endif
L
Linus Torvalds 已提交
234 235 236 237 238 239 240
		struct in6_addr daddr;
		char hdrs[0];
	} *tmp_ext;

	top_iph = (struct ipv6hdr *)skb->data;
	top_iph->payload_len = htons(skb->len - sizeof(*top_iph));

241 242
	nexthdr = *skb_network_header(skb);
	*skb_network_header(skb) = IPPROTO_AH;
L
Linus Torvalds 已提交
243 244 245 246 247 248 249

	/* When there are no extension headers, we only need to save the first
	 * 8 bytes of the base IP header.
	 */
	memcpy(tmp_base, top_iph, sizeof(tmp_base));

	tmp_ext = NULL;
250
	extlen = skb_transport_offset(skb) - sizeof(struct ipv6hdr);
L
Linus Torvalds 已提交
251 252 253 254 255 256 257
	if (extlen) {
		extlen += sizeof(*tmp_ext);
		tmp_ext = kmalloc(extlen, GFP_ATOMIC);
		if (!tmp_ext) {
			err = -ENOMEM;
			goto error;
		}
258 259 260
#ifdef CONFIG_IPV6_MIP6
		memcpy(tmp_ext, &top_iph->saddr, extlen);
#else
L
Linus Torvalds 已提交
261
		memcpy(tmp_ext, &top_iph->daddr, extlen);
262
#endif
L
Linus Torvalds 已提交
263 264
		err = ipv6_clear_mutable_options(top_iph,
						 extlen - sizeof(*tmp_ext) +
265 266
						 sizeof(*top_iph),
						 XFRM_POLICY_OUT);
L
Linus Torvalds 已提交
267 268 269 270
		if (err)
			goto error_free_iph;
	}

271
	ah = (struct ip_auth_hdr *)skb_transport_header(skb);
L
Linus Torvalds 已提交
272 273 274 275 276 277 278 279 280
	ah->nexthdr = nexthdr;

	top_iph->priority    = 0;
	top_iph->flow_lbl[0] = 0;
	top_iph->flow_lbl[1] = 0;
	top_iph->flow_lbl[2] = 0;
	top_iph->hop_limit   = 0;

	ahp = x->data;
281
	ah->hdrlen  = (XFRM_ALIGN8(sizeof(struct ipv6_auth_hdr) +
L
Linus Torvalds 已提交
282 283 284 285 286
				   ahp->icv_trunc_len) >> 2) - 2;

	ah->reserved = 0;
	ah->spi = x->id.spi;
	ah->seq_no = htonl(++x->replay.oseq);
287
	xfrm_aevent_doreplay(x);
288 289 290 291
	err = ah_mac_digest(ahp, skb, ah->auth_data);
	if (err)
		goto error_free_iph;
	memcpy(ah->auth_data, ahp->work_icv, ahp->icv_trunc_len);
L
Linus Torvalds 已提交
292 293 294 295 296

	err = 0;

	memcpy(top_iph, tmp_base, sizeof(tmp_base));
	if (tmp_ext) {
297 298 299
#ifdef CONFIG_IPV6_MIP6
		memcpy(&top_iph->saddr, tmp_ext, extlen);
#else
L
Linus Torvalds 已提交
300
		memcpy(&top_iph->daddr, tmp_ext, extlen);
301
#endif
L
Linus Torvalds 已提交
302 303 304 305 306 307 308 309
error_free_iph:
		kfree(tmp_ext);
	}

error:
	return err;
}

310
static int ah6_input(struct xfrm_state *x, struct sk_buff *skb)
L
Linus Torvalds 已提交
311 312 313 314 315 316 317 318
{
	/*
	 * Before process AH
	 * [IPv6][Ext1][Ext2][AH][Dest][Payload]
	 * |<-------------->| hdr_len
	 *
	 * To erase AH:
	 * Keeping copy of cleared headers. After AH processing,
319 320
	 * Moving the pointer of skb->network_header by using skb_pull as long
	 * as AH header length. Then copy back the copy as long as hdr_len
L
Linus Torvalds 已提交
321
	 * If destination header following AH exists, copy it into after [Ext2].
322
	 *
L
Linus Torvalds 已提交
323 324 325 326 327
	 * |<>|[IPv6][Ext1][Ext2][Dest][Payload]
	 * There is offset of AH before IPv6 header after the process.
	 */

	struct ipv6_auth_hdr *ah;
328
	struct ipv6hdr *ip6h;
L
Linus Torvalds 已提交
329 330 331 332 333
	struct ah_data *ahp;
	unsigned char *tmp_hdr = NULL;
	u16 hdr_len;
	u16 ah_hlen;
	int nexthdr;
334
	int err = -EINVAL;
L
Linus Torvalds 已提交
335 336 337 338 339 340 341 342 343 344

	if (!pskb_may_pull(skb, sizeof(struct ip_auth_hdr)))
		goto out;

	/* We are going to _remove_ AH header to keep sockets happy,
	 * so... Later this can change. */
	if (skb_cloned(skb) &&
	    pskb_expand_head(skb, 0, 0, GFP_ATOMIC))
		goto out;

345
	hdr_len = skb->data - skb_network_header(skb);
L
Linus Torvalds 已提交
346 347 348 349 350
	ah = (struct ipv6_auth_hdr*)skb->data;
	ahp = x->data;
	nexthdr = ah->nexthdr;
	ah_hlen = (ah->hdrlen + 2) << 2;

351 352 353
	if (ah_hlen != XFRM_ALIGN8(sizeof(struct ipv6_auth_hdr) + ahp->icv_full_len) &&
	    ah_hlen != XFRM_ALIGN8(sizeof(struct ipv6_auth_hdr) + ahp->icv_trunc_len))
		goto out;
L
Linus Torvalds 已提交
354 355 356 357

	if (!pskb_may_pull(skb, ah_hlen))
		goto out;

358
	tmp_hdr = kmemdup(skb_network_header(skb), hdr_len, GFP_ATOMIC);
L
Linus Torvalds 已提交
359 360
	if (!tmp_hdr)
		goto out;
361 362
	ip6h = ipv6_hdr(skb);
	if (ipv6_clear_mutable_options(ip6h, hdr_len, XFRM_POLICY_IN))
363
		goto free_out;
364 365 366 367 368
	ip6h->priority    = 0;
	ip6h->flow_lbl[0] = 0;
	ip6h->flow_lbl[1] = 0;
	ip6h->flow_lbl[2] = 0;
	ip6h->hop_limit   = 0;
L
Linus Torvalds 已提交
369

370
	{
L
Linus Torvalds 已提交
371 372 373 374
		u8 auth_data[MAX_AH_AUTH_LEN];

		memcpy(auth_data, ah->auth_data, ahp->icv_trunc_len);
		memset(ah->auth_data, 0, ahp->icv_trunc_len);
375
		skb_push(skb, hdr_len);
376 377 378 379 380
		err = ah_mac_digest(ahp, skb, ah->auth_data);
		if (err)
			goto free_out;
		err = -EINVAL;
		if (memcmp(ahp->work_icv, auth_data, ahp->icv_trunc_len)) {
381
			LIMIT_NETDEBUG(KERN_WARNING "ipsec ah authentication error\n");
L
Linus Torvalds 已提交
382 383 384 385 386
			x->stats.integrity_failed++;
			goto free_out;
		}
	}

387
	skb->network_header += ah_hlen;
388
	memcpy(skb_network_header(skb), tmp_hdr, hdr_len);
389
	skb->transport_header = skb->network_header;
390
	__skb_pull(skb, ah_hlen + hdr_len);
L
Linus Torvalds 已提交
391 392 393 394 395 396 397 398

	kfree(tmp_hdr);

	return nexthdr;

free_out:
	kfree(tmp_hdr);
out:
399
	return err;
L
Linus Torvalds 已提交
400 401
}

402 403
static void ah6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
		    int type, int code, int offset, __be32 info)
L
Linus Torvalds 已提交
404 405 406 407 408 409 410 411 412 413 414 415 416
{
	struct ipv6hdr *iph = (struct ipv6hdr*)skb->data;
	struct ip_auth_hdr *ah = (struct ip_auth_hdr*)(skb->data+offset);
	struct xfrm_state *x;

	if (type != ICMPV6_DEST_UNREACH &&
	    type != ICMPV6_PKT_TOOBIG)
		return;

	x = xfrm_state_lookup((xfrm_address_t *)&iph->daddr, ah->spi, IPPROTO_AH, AF_INET6);
	if (!x)
		return;

J
Joe Perches 已提交
417
	NETDEBUG(KERN_DEBUG "pmtu discovery on SA AH/%08x/" NIP6_FMT "\n",
418
		 ntohl(ah->spi), NIP6(iph->daddr));
L
Linus Torvalds 已提交
419 420 421 422

	xfrm_state_put(x);
}

H
Herbert Xu 已提交
423
static int ah6_init_state(struct xfrm_state *x)
L
Linus Torvalds 已提交
424 425 426
{
	struct ah_data *ahp = NULL;
	struct xfrm_algo_desc *aalg_desc;
427
	struct crypto_hash *tfm;
L
Linus Torvalds 已提交
428 429 430 431 432 433 434 435 436 437 438

	if (!x->aalg)
		goto error;

	/* null auth can use a zero length key */
	if (x->aalg->alg_key_len > 512)
		goto error;

	if (x->encap)
		goto error;

439
	ahp = kzalloc(sizeof(*ahp), GFP_KERNEL);
L
Linus Torvalds 已提交
440 441 442 443 444
	if (ahp == NULL)
		return -ENOMEM;

	ahp->key = x->aalg->alg_key;
	ahp->key_len = (x->aalg->alg_key_len+7)/8;
445 446 447 448 449 450
	tfm = crypto_alloc_hash(x->aalg->alg_name, 0, CRYPTO_ALG_ASYNC);
	if (IS_ERR(tfm))
		goto error;

	ahp->tfm = tfm;
	if (crypto_hash_setkey(tfm, ahp->key, ahp->key_len))
L
Linus Torvalds 已提交
451
		goto error;
452

L
Linus Torvalds 已提交
453 454 455 456
	/*
	 * Lookup the algorithm description maintained by xfrm_algo,
	 * verify crypto transform properties, and store information
	 * we need for AH processing.  This lookup cannot fail here
457
	 * after a successful crypto_alloc_hash().
L
Linus Torvalds 已提交
458 459 460 461 462
	 */
	aalg_desc = xfrm_aalg_get_byname(x->aalg->alg_name, 0);
	BUG_ON(!aalg_desc);

	if (aalg_desc->uinfo.auth.icv_fullbits/8 !=
463
	    crypto_hash_digestsize(tfm)) {
L
Linus Torvalds 已提交
464
		printk(KERN_INFO "AH: %s digestsize %u != %hu\n",
465
		       x->aalg->alg_name, crypto_hash_digestsize(tfm),
L
Linus Torvalds 已提交
466 467 468
		       aalg_desc->uinfo.auth.icv_fullbits/8);
		goto error;
	}
469

L
Linus Torvalds 已提交
470 471
	ahp->icv_full_len = aalg_desc->uinfo.auth.icv_fullbits/8;
	ahp->icv_trunc_len = aalg_desc->uinfo.auth.icv_truncbits/8;
472

L
Linus Torvalds 已提交
473
	BUG_ON(ahp->icv_trunc_len > MAX_AH_AUTH_LEN);
474

L
Linus Torvalds 已提交
475 476 477
	ahp->work_icv = kmalloc(ahp->icv_full_len, GFP_KERNEL);
	if (!ahp->work_icv)
		goto error;
478

L
Linus Torvalds 已提交
479
	x->props.header_len = XFRM_ALIGN8(sizeof(struct ipv6_auth_hdr) + ahp->icv_trunc_len);
480
	if (x->props.mode == XFRM_MODE_TUNNEL)
L
Linus Torvalds 已提交
481 482 483 484 485 486 487
		x->props.header_len += sizeof(struct ipv6hdr);
	x->data = ahp;

	return 0;

error:
	if (ahp) {
488
		kfree(ahp->work_icv);
489
		crypto_free_hash(ahp->tfm);
L
Linus Torvalds 已提交
490 491 492 493 494 495 496 497 498 499 500 501
		kfree(ahp);
	}
	return -EINVAL;
}

static void ah6_destroy(struct xfrm_state *x)
{
	struct ah_data *ahp = x->data;

	if (!ahp)
		return;

502 503
	kfree(ahp->work_icv);
	ahp->work_icv = NULL;
504
	crypto_free_hash(ahp->tfm);
505
	ahp->tfm = NULL;
L
Linus Torvalds 已提交
506 507 508 509 510 511 512 513 514 515 516
	kfree(ahp);
}

static struct xfrm_type ah6_type =
{
	.description	= "AH6",
	.owner		= THIS_MODULE,
	.proto	     	= IPPROTO_AH,
	.init_state	= ah6_init_state,
	.destructor	= ah6_destroy,
	.input		= ah6_input,
517 518
	.output		= ah6_output,
	.hdr_offset	= xfrm6_find_1stfragopt,
L
Linus Torvalds 已提交
519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556
};

static struct inet6_protocol ah6_protocol = {
	.handler	=	xfrm6_rcv,
	.err_handler	=	ah6_err,
	.flags		=	INET6_PROTO_NOPOLICY,
};

static int __init ah6_init(void)
{
	if (xfrm_register_type(&ah6_type, AF_INET6) < 0) {
		printk(KERN_INFO "ipv6 ah init: can't add xfrm type\n");
		return -EAGAIN;
	}

	if (inet6_add_protocol(&ah6_protocol, IPPROTO_AH) < 0) {
		printk(KERN_INFO "ipv6 ah init: can't add protocol\n");
		xfrm_unregister_type(&ah6_type, AF_INET6);
		return -EAGAIN;
	}

	return 0;
}

static void __exit ah6_fini(void)
{
	if (inet6_del_protocol(&ah6_protocol, IPPROTO_AH) < 0)
		printk(KERN_INFO "ipv6 ah close: can't remove protocol\n");

	if (xfrm_unregister_type(&ah6_type, AF_INET6) < 0)
		printk(KERN_INFO "ipv6 ah close: can't remove xfrm type\n");

}

module_init(ah6_init);
module_exit(ah6_fini);

MODULE_LICENSE("GPL");