xref: /openbmc/linux/net/ipv4/xfrm4_input.c (revision 96de0e252cedffad61b3cb5e05662c591898e69a) 
1 /*
2  * xfrm4_input.c
3  *
4  * Changes:
5  *	YOSHIFUJI Hideaki @USAGI
6  *		Split up af-specific portion
7  *	Derek Atkins <derek@ihtfp.com>
8  *		Add Encapsulation support
9  *
10  */
11 
12 #include <linux/module.h>
13 #include <linux/string.h>
14 #include <linux/netfilter.h>
15 #include <linux/netfilter_ipv4.h>
16 #include <net/ip.h>
17 #include <net/xfrm.h>
18 
19 #ifdef CONFIG_NETFILTER
20 static inline int xfrm4_rcv_encap_finish(struct sk_buff *skb)
21 {
22 	if (skb->dst == NULL) {
23 		const struct iphdr *iph = ip_hdr(skb);
24 
25 		if (ip_route_input(skb, iph->daddr, iph->saddr, iph->tos,
26 				   skb->dev))
27 			goto drop;
28 	}
29 	return dst_input(skb);
30 drop:
31 	kfree_skb(skb);
32 	return NET_RX_DROP;
33 }
34 #endif
35 
36 int xfrm4_rcv_encap(struct sk_buff *skb, int nexthdr, __be32 spi,
37 		    int encap_type)
38 {
39 	int err;
40 	__be32 seq;
41 	struct xfrm_state *xfrm_vec[XFRM_MAX_DEPTH];
42 	struct xfrm_state *x;
43 	int xfrm_nr = 0;
44 	int decaps = 0;
45 	unsigned int nhoff = offsetof(struct iphdr, protocol);
46 
47 	seq = 0;
48 	if (!spi && (err = xfrm_parse_spi(skb, nexthdr, &spi, &seq)) != 0)
49 		goto drop;
50 
51 	do {
52 		const struct iphdr *iph = ip_hdr(skb);
53 
54 		if (xfrm_nr == XFRM_MAX_DEPTH)
55 			goto drop;
56 
57 		x = xfrm_state_lookup((xfrm_address_t *)&iph->daddr, spi,
58 				      nexthdr, AF_INET);
59 		if (x == NULL)
60 			goto drop;
61 
62 		spin_lock(&x->lock);
63 		if (unlikely(x->km.state != XFRM_STATE_VALID))
64 			goto drop_unlock;
65 
66 		if ((x->encap ? x->encap->encap_type : 0) != encap_type)
67 			goto drop_unlock;
68 
69 		if (x->props.replay_window && xfrm_replay_check(x, seq))
70 			goto drop_unlock;
71 
72 		if (xfrm_state_check_expire(x))
73 			goto drop_unlock;
74 
75 		nexthdr = x->type->input(x, skb);
76 		if (nexthdr <= 0)
77 			goto drop_unlock;
78 
79 		skb_network_header(skb)[nhoff] = nexthdr;
80 
81 		/* only the first xfrm gets the encap type */
82 		encap_type = 0;
83 
84 		if (x->props.replay_window)
85 			xfrm_replay_advance(x, seq);
86 
87 		x->curlft.bytes += skb->len;
88 		x->curlft.packets++;
89 
90 		spin_unlock(&x->lock);
91 
92 		xfrm_vec[xfrm_nr++] = x;
93 
94 		if (x->outer_mode->input(x, skb))
95 			goto drop;
96 
97 		if (x->outer_mode->flags & XFRM_MODE_FLAG_TUNNEL) {
98 			decaps = 1;
99 			break;
100 		}
101 
102 		err = xfrm_parse_spi(skb, nexthdr, &spi, &seq);
103 		if (err < 0)
104 			goto drop;
105 	} while (!err);
106 
107 	/* Allocate new secpath or COW existing one. */
108 
109 	if (!skb->sp || atomic_read(&skb->sp->refcnt) != 1) {
110 		struct sec_path *sp;
111 		sp = secpath_dup(skb->sp);
112 		if (!sp)
113 			goto drop;
114 		if (skb->sp)
115 			secpath_put(skb->sp);
116 		skb->sp = sp;
117 	}
118 	if (xfrm_nr + skb->sp->len > XFRM_MAX_DEPTH)
119 		goto drop;
120 
121 	memcpy(skb->sp->xvec + skb->sp->len, xfrm_vec,
122 	       xfrm_nr * sizeof(xfrm_vec[0]));
123 	skb->sp->len += xfrm_nr;
124 
125 	nf_reset(skb);
126 
127 	if (decaps) {
128 		dst_release(skb->dst);
129 		skb->dst = NULL;
130 		netif_rx(skb);
131 		return 0;
132 	} else {
133 #ifdef CONFIG_NETFILTER
134 		__skb_push(skb, skb->data - skb_network_header(skb));
135 		ip_hdr(skb)->tot_len = htons(skb->len);
136 		ip_send_check(ip_hdr(skb));
137 
138 		NF_HOOK(PF_INET, NF_IP_PRE_ROUTING, skb, skb->dev, NULL,
139 			xfrm4_rcv_encap_finish);
140 		return 0;
141 #else
142 		return -ip_hdr(skb)->protocol;
143 #endif
144 	}
145 
146 drop_unlock:
147 	spin_unlock(&x->lock);
148 	xfrm_state_put(x);
149 drop:
150 	while (--xfrm_nr >= 0)
151 		xfrm_state_put(xfrm_vec[xfrm_nr]);
152 
153 	kfree_skb(skb);
154 	return 0;
155 }
156 EXPORT_SYMBOL(xfrm4_rcv_encap);
157 
158 /* If it's a keepalive packet, then just eat it.
159  * If it's an encapsulated packet, then pass it to the
160  * IPsec xfrm input.
161  * Returns 0 if skb passed to xfrm or was dropped.
162  * Returns >0 if skb should be passed to UDP.
163  * Returns <0 if skb should be resubmitted (-ret is protocol)
164  */
165 int xfrm4_udp_encap_rcv(struct sock *sk, struct sk_buff *skb)
166 {
167 	struct udp_sock *up = udp_sk(sk);
168 	struct udphdr *uh;
169 	struct iphdr *iph;
170 	int iphlen, len;
171 	int ret;
172 
173 	__u8 *udpdata;
174 	__be32 *udpdata32;
175 	__u16 encap_type = up->encap_type;
176 
177 	/* if this is not encapsulated socket, then just return now */
178 	if (!encap_type)
179 		return 1;
180 
181 	/* If this is a paged skb, make sure we pull up
182 	 * whatever data we need to look at. */
183 	len = skb->len - sizeof(struct udphdr);
184 	if (!pskb_may_pull(skb, sizeof(struct udphdr) + min(len, 8)))
185 		return 1;
186 
187 	/* Now we can get the pointers */
188 	uh = udp_hdr(skb);
189 	udpdata = (__u8 *)uh + sizeof(struct udphdr);
190 	udpdata32 = (__be32 *)udpdata;
191 
192 	switch (encap_type) {
193 	default:
194 	case UDP_ENCAP_ESPINUDP:
195 		/* Check if this is a keepalive packet.  If so, eat it. */
196 		if (len == 1 && udpdata[0] == 0xff) {
197 			goto drop;
198 		} else if (len > sizeof(struct ip_esp_hdr) && udpdata32[0] != 0) {
199 			/* ESP Packet without Non-ESP header */
200 			len = sizeof(struct udphdr);
201 		} else
202 			/* Must be an IKE packet.. pass it through */
203 			return 1;
204 		break;
205 	case UDP_ENCAP_ESPINUDP_NON_IKE:
206 		/* Check if this is a keepalive packet.  If so, eat it. */
207 		if (len == 1 && udpdata[0] == 0xff) {
208 			goto drop;
209 		} else if (len > 2 * sizeof(u32) + sizeof(struct ip_esp_hdr) &&
210 			   udpdata32[0] == 0 && udpdata32[1] == 0) {
211 
212 			/* ESP Packet with Non-IKE marker */
213 			len = sizeof(struct udphdr) + 2 * sizeof(u32);
214 		} else
215 			/* Must be an IKE packet.. pass it through */
216 			return 1;
217 		break;
218 	}
219 
220 	/* At this point we are sure that this is an ESPinUDP packet,
221 	 * so we need to remove 'len' bytes from the packet (the UDP
222 	 * header and optional ESP marker bytes) and then modify the
223 	 * protocol to ESP, and then call into the transform receiver.
224 	 */
225 	if (skb_cloned(skb) && pskb_expand_head(skb, 0, 0, GFP_ATOMIC))
226 		goto drop;
227 
228 	/* Now we can update and verify the packet length... */
229 	iph = ip_hdr(skb);
230 	iphlen = iph->ihl << 2;
231 	iph->tot_len = htons(ntohs(iph->tot_len) - len);
232 	if (skb->len < iphlen + len) {
233 		/* packet is too small!?! */
234 		goto drop;
235 	}
236 
237 	/* pull the data buffer up to the ESP header and set the
238 	 * transport header to point to ESP.  Keep UDP on the stack
239 	 * for later.
240 	 */
241 	__skb_pull(skb, len);
242 	skb_reset_transport_header(skb);
243 
244 	/* process ESP */
245 	ret = xfrm4_rcv_encap(skb, IPPROTO_ESP, 0, encap_type);
246 	return ret;
247 
248 drop:
249 	kfree_skb(skb);
250 	return 0;
251 }
252 
253 int xfrm4_rcv(struct sk_buff *skb)
254 {
255 	return xfrm4_rcv_spi(skb, ip_hdr(skb)->protocol, 0);
256 }
257 
258 EXPORT_SYMBOL(xfrm4_rcv);
259