1 /* 2 * Copyright (C)2002 USAGI/WIDE Project 3 * 4 * This program is free software; you can redistribute it and/or modify 5 * it under the terms of the GNU General Public License as published by 6 * the Free Software Foundation; either version 2 of the License, or 7 * (at your option) any later version. 8 * 9 * This program is distributed in the hope that it will be useful, 10 * but WITHOUT ANY WARRANTY; without even the implied warranty of 11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 12 * GNU General Public License for more details. 13 * 14 * You should have received a copy of the GNU General Public License 15 * along with this program; if not, write to the Free Software 16 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 17 * 18 * Authors 19 * 20 * Mitsuru KANDA @USAGI : IPv6 Support 21 * Kazunori MIYAZAWA @USAGI : 22 * Kunihiro Ishiguro <kunihiro@ipinfusion.com> 23 * 24 * This file is derived from net/ipv4/ah.c. 25 */ 26 27 #include <linux/module.h> 28 #include <net/ip.h> 29 #include <net/ah.h> 30 #include <linux/crypto.h> 31 #include <linux/pfkeyv2.h> 32 #include <linux/spinlock.h> 33 #include <linux/string.h> 34 #include <net/icmp.h> 35 #include <net/ipv6.h> 36 #include <net/protocol.h> 37 #include <net/xfrm.h> 38 #include <asm/scatterlist.h> 39 40 static int zero_out_mutable_opts(struct ipv6_opt_hdr *opthdr) 41 { 42 u8 *opt = (u8 *)opthdr; 43 int len = ipv6_optlen(opthdr); 44 int off = 0; 45 int optlen = 0; 46 47 off += 2; 48 len -= 2; 49 50 while (len > 0) { 51 52 switch (opt[off]) { 53 54 case IPV6_TLV_PAD0: 55 optlen = 1; 56 break; 57 default: 58 if (len < 2) 59 goto bad; 60 optlen = opt[off+1]+2; 61 if (len < optlen) 62 goto bad; 63 if (opt[off] & 0x20) 64 memset(&opt[off+2], 0, opt[off+1]); 65 break; 66 } 67 68 off += optlen; 69 len -= optlen; 70 } 71 if (len == 0) 72 return 1; 73 74 bad: 75 return 0; 76 } 77 78 #if defined(CONFIG_IPV6_MIP6) || defined(CONFIG_IPV6_MIP6_MODULE) 79 /** 80 * ipv6_rearrange_destopt - rearrange IPv6 destination options header 81 * @iph: IPv6 header 82 * @destopt: destionation options header 83 */ 84 static void ipv6_rearrange_destopt(struct ipv6hdr *iph, struct ipv6_opt_hdr *destopt) 85 { 86 u8 *opt = (u8 *)destopt; 87 int len = ipv6_optlen(destopt); 88 int off = 0; 89 int optlen = 0; 90 91 off += 2; 92 len -= 2; 93 94 while (len > 0) { 95 96 switch (opt[off]) { 97 98 case IPV6_TLV_PAD0: 99 optlen = 1; 100 break; 101 default: 102 if (len < 2) 103 goto bad; 104 optlen = opt[off+1]+2; 105 if (len < optlen) 106 goto bad; 107 108 /* Rearrange the source address in @iph and the 109 * addresses in home address option for final source. 110 * See 11.3.2 of RFC 3775 for details. 111 */ 112 if (opt[off] == IPV6_TLV_HAO) { 113 struct in6_addr final_addr; 114 struct ipv6_destopt_hao *hao; 115 116 hao = (struct ipv6_destopt_hao *)&opt[off]; 117 if (hao->length != sizeof(hao->addr)) { 118 if (net_ratelimit()) 119 printk(KERN_WARNING "destopt hao: invalid header length: %u\n", hao->length); 120 goto bad; 121 } 122 ipv6_addr_copy(&final_addr, &hao->addr); 123 ipv6_addr_copy(&hao->addr, &iph->saddr); 124 ipv6_addr_copy(&iph->saddr, &final_addr); 125 } 126 break; 127 } 128 129 off += optlen; 130 len -= optlen; 131 } 132 /* Note: ok if len == 0 */ 133 bad: 134 return; 135 } 136 #else 137 static void ipv6_rearrange_destopt(struct ipv6hdr *iph, struct ipv6_opt_hdr *destopt) {} 138 #endif 139 140 /** 141 * ipv6_rearrange_rthdr - rearrange IPv6 routing header 142 * @iph: IPv6 header 143 * @rthdr: routing header 144 * 145 * Rearrange the destination address in @iph and the addresses in @rthdr 146 * so that they appear in the order they will at the final destination. 147 * See Appendix A2 of RFC 2402 for details. 148 */ 149 static void ipv6_rearrange_rthdr(struct ipv6hdr *iph, struct ipv6_rt_hdr *rthdr) 150 { 151 int segments, segments_left; 152 struct in6_addr *addrs; 153 struct in6_addr final_addr; 154 155 segments_left = rthdr->segments_left; 156 if (segments_left == 0) 157 return; 158 rthdr->segments_left = 0; 159 160 /* The value of rthdr->hdrlen has been verified either by the system 161 * call if it is locally generated, or by ipv6_rthdr_rcv() for incoming 162 * packets. So we can assume that it is even and that segments is 163 * greater than or equal to segments_left. 164 * 165 * For the same reason we can assume that this option is of type 0. 166 */ 167 segments = rthdr->hdrlen >> 1; 168 169 addrs = ((struct rt0_hdr *)rthdr)->addr; 170 ipv6_addr_copy(&final_addr, addrs + segments - 1); 171 172 addrs += segments - segments_left; 173 memmove(addrs + 1, addrs, (segments_left - 1) * sizeof(*addrs)); 174 175 ipv6_addr_copy(addrs, &iph->daddr); 176 ipv6_addr_copy(&iph->daddr, &final_addr); 177 } 178 179 static int ipv6_clear_mutable_options(struct ipv6hdr *iph, int len, int dir) 180 { 181 union { 182 struct ipv6hdr *iph; 183 struct ipv6_opt_hdr *opth; 184 struct ipv6_rt_hdr *rth; 185 char *raw; 186 } exthdr = { .iph = iph }; 187 char *end = exthdr.raw + len; 188 int nexthdr = iph->nexthdr; 189 190 exthdr.iph++; 191 192 while (exthdr.raw < end) { 193 switch (nexthdr) { 194 case NEXTHDR_DEST: 195 if (dir == XFRM_POLICY_OUT) 196 ipv6_rearrange_destopt(iph, exthdr.opth); 197 case NEXTHDR_HOP: 198 if (!zero_out_mutable_opts(exthdr.opth)) { 199 LIMIT_NETDEBUG( 200 KERN_WARNING "overrun %sopts\n", 201 nexthdr == NEXTHDR_HOP ? 202 "hop" : "dest"); 203 return -EINVAL; 204 } 205 break; 206 207 case NEXTHDR_ROUTING: 208 ipv6_rearrange_rthdr(iph, exthdr.rth); 209 break; 210 211 default : 212 return 0; 213 } 214 215 nexthdr = exthdr.opth->nexthdr; 216 exthdr.raw += ipv6_optlen(exthdr.opth); 217 } 218 219 return 0; 220 } 221 222 static int ah6_output(struct xfrm_state *x, struct sk_buff *skb) 223 { 224 int err; 225 int extlen; 226 struct ipv6hdr *top_iph; 227 struct ip_auth_hdr *ah; 228 struct ah_data *ahp; 229 u8 nexthdr; 230 char tmp_base[8]; 231 struct { 232 #if defined(CONFIG_IPV6_MIP6) || defined(CONFIG_IPV6_MIP6_MODULE) 233 struct in6_addr saddr; 234 #endif 235 struct in6_addr daddr; 236 char hdrs[0]; 237 } *tmp_ext; 238 239 skb_push(skb, -skb_network_offset(skb)); 240 top_iph = ipv6_hdr(skb); 241 top_iph->payload_len = htons(skb->len - sizeof(*top_iph)); 242 243 nexthdr = *skb_mac_header(skb); 244 *skb_mac_header(skb) = IPPROTO_AH; 245 246 /* When there are no extension headers, we only need to save the first 247 * 8 bytes of the base IP header. 248 */ 249 memcpy(tmp_base, top_iph, sizeof(tmp_base)); 250 251 tmp_ext = NULL; 252 extlen = skb_transport_offset(skb) - sizeof(struct ipv6hdr); 253 if (extlen) { 254 extlen += sizeof(*tmp_ext); 255 tmp_ext = kmalloc(extlen, GFP_ATOMIC); 256 if (!tmp_ext) { 257 err = -ENOMEM; 258 goto error; 259 } 260 #if defined(CONFIG_IPV6_MIP6) || defined(CONFIG_IPV6_MIP6_MODULE) 261 memcpy(tmp_ext, &top_iph->saddr, extlen); 262 #else 263 memcpy(tmp_ext, &top_iph->daddr, extlen); 264 #endif 265 err = ipv6_clear_mutable_options(top_iph, 266 extlen - sizeof(*tmp_ext) + 267 sizeof(*top_iph), 268 XFRM_POLICY_OUT); 269 if (err) 270 goto error_free_iph; 271 } 272 273 ah = ip_auth_hdr(skb); 274 ah->nexthdr = nexthdr; 275 276 top_iph->priority = 0; 277 top_iph->flow_lbl[0] = 0; 278 top_iph->flow_lbl[1] = 0; 279 top_iph->flow_lbl[2] = 0; 280 top_iph->hop_limit = 0; 281 282 ahp = x->data; 283 ah->hdrlen = (XFRM_ALIGN8(sizeof(*ah) + ahp->icv_trunc_len) >> 2) - 2; 284 285 ah->reserved = 0; 286 ah->spi = x->id.spi; 287 ah->seq_no = htonl(XFRM_SKB_CB(skb)->seq); 288 289 spin_lock_bh(&x->lock); 290 err = ah_mac_digest(ahp, skb, ah->auth_data); 291 memcpy(ah->auth_data, ahp->work_icv, ahp->icv_trunc_len); 292 spin_unlock_bh(&x->lock); 293 294 if (err) 295 goto error_free_iph; 296 297 memcpy(top_iph, tmp_base, sizeof(tmp_base)); 298 if (tmp_ext) { 299 #if defined(CONFIG_IPV6_MIP6) || defined(CONFIG_IPV6_MIP6_MODULE) 300 memcpy(&top_iph->saddr, tmp_ext, extlen); 301 #else 302 memcpy(&top_iph->daddr, tmp_ext, extlen); 303 #endif 304 error_free_iph: 305 kfree(tmp_ext); 306 } 307 308 error: 309 return err; 310 } 311 312 static int ah6_input(struct xfrm_state *x, struct sk_buff *skb) 313 { 314 /* 315 * Before process AH 316 * [IPv6][Ext1][Ext2][AH][Dest][Payload] 317 * |<-------------->| hdr_len 318 * 319 * To erase AH: 320 * Keeping copy of cleared headers. After AH processing, 321 * Moving the pointer of skb->network_header by using skb_pull as long 322 * as AH header length. Then copy back the copy as long as hdr_len 323 * If destination header following AH exists, copy it into after [Ext2]. 324 * 325 * |<>|[IPv6][Ext1][Ext2][Dest][Payload] 326 * There is offset of AH before IPv6 header after the process. 327 */ 328 329 struct ip_auth_hdr *ah; 330 struct ipv6hdr *ip6h; 331 struct ah_data *ahp; 332 unsigned char *tmp_hdr = NULL; 333 u16 hdr_len; 334 u16 ah_hlen; 335 int nexthdr; 336 int err = -EINVAL; 337 338 if (!pskb_may_pull(skb, sizeof(struct ip_auth_hdr))) 339 goto out; 340 341 /* We are going to _remove_ AH header to keep sockets happy, 342 * so... Later this can change. */ 343 if (skb_cloned(skb) && 344 pskb_expand_head(skb, 0, 0, GFP_ATOMIC)) 345 goto out; 346 347 skb->ip_summed = CHECKSUM_NONE; 348 349 hdr_len = skb->data - skb_network_header(skb); 350 ah = (struct ip_auth_hdr *)skb->data; 351 ahp = x->data; 352 nexthdr = ah->nexthdr; 353 ah_hlen = (ah->hdrlen + 2) << 2; 354 355 if (ah_hlen != XFRM_ALIGN8(sizeof(*ah) + ahp->icv_full_len) && 356 ah_hlen != XFRM_ALIGN8(sizeof(*ah) + ahp->icv_trunc_len)) 357 goto out; 358 359 if (!pskb_may_pull(skb, ah_hlen)) 360 goto out; 361 362 tmp_hdr = kmemdup(skb_network_header(skb), hdr_len, GFP_ATOMIC); 363 if (!tmp_hdr) 364 goto out; 365 ip6h = ipv6_hdr(skb); 366 if (ipv6_clear_mutable_options(ip6h, hdr_len, XFRM_POLICY_IN)) 367 goto free_out; 368 ip6h->priority = 0; 369 ip6h->flow_lbl[0] = 0; 370 ip6h->flow_lbl[1] = 0; 371 ip6h->flow_lbl[2] = 0; 372 ip6h->hop_limit = 0; 373 374 { 375 u8 auth_data[MAX_AH_AUTH_LEN]; 376 377 memcpy(auth_data, ah->auth_data, ahp->icv_trunc_len); 378 memset(ah->auth_data, 0, ahp->icv_trunc_len); 379 skb_push(skb, hdr_len); 380 err = ah_mac_digest(ahp, skb, ah->auth_data); 381 if (err) 382 goto free_out; 383 err = -EINVAL; 384 if (memcmp(ahp->work_icv, auth_data, ahp->icv_trunc_len)) { 385 LIMIT_NETDEBUG(KERN_WARNING "ipsec ah authentication error\n"); 386 x->stats.integrity_failed++; 387 goto free_out; 388 } 389 } 390 391 skb->network_header += ah_hlen; 392 memcpy(skb_network_header(skb), tmp_hdr, hdr_len); 393 skb->transport_header = skb->network_header; 394 __skb_pull(skb, ah_hlen + hdr_len); 395 396 kfree(tmp_hdr); 397 398 return nexthdr; 399 400 free_out: 401 kfree(tmp_hdr); 402 out: 403 return err; 404 } 405 406 static void ah6_err(struct sk_buff *skb, struct inet6_skb_parm *opt, 407 int type, int code, int offset, __be32 info) 408 { 409 struct ipv6hdr *iph = (struct ipv6hdr*)skb->data; 410 struct ip_auth_hdr *ah = (struct ip_auth_hdr*)(skb->data+offset); 411 struct xfrm_state *x; 412 413 if (type != ICMPV6_DEST_UNREACH && 414 type != ICMPV6_PKT_TOOBIG) 415 return; 416 417 x = xfrm_state_lookup((xfrm_address_t *)&iph->daddr, ah->spi, IPPROTO_AH, AF_INET6); 418 if (!x) 419 return; 420 421 NETDEBUG(KERN_DEBUG "pmtu discovery on SA AH/%08x/" NIP6_FMT "\n", 422 ntohl(ah->spi), NIP6(iph->daddr)); 423 424 xfrm_state_put(x); 425 } 426 427 static int ah6_init_state(struct xfrm_state *x) 428 { 429 struct ah_data *ahp = NULL; 430 struct xfrm_algo_desc *aalg_desc; 431 struct crypto_hash *tfm; 432 433 if (!x->aalg) 434 goto error; 435 436 if (x->encap) 437 goto error; 438 439 ahp = kzalloc(sizeof(*ahp), GFP_KERNEL); 440 if (ahp == NULL) 441 return -ENOMEM; 442 443 tfm = crypto_alloc_hash(x->aalg->alg_name, 0, CRYPTO_ALG_ASYNC); 444 if (IS_ERR(tfm)) 445 goto error; 446 447 ahp->tfm = tfm; 448 if (crypto_hash_setkey(tfm, x->aalg->alg_key, 449 (x->aalg->alg_key_len + 7) / 8)) 450 goto error; 451 452 /* 453 * Lookup the algorithm description maintained by xfrm_algo, 454 * verify crypto transform properties, and store information 455 * we need for AH processing. This lookup cannot fail here 456 * after a successful crypto_alloc_hash(). 457 */ 458 aalg_desc = xfrm_aalg_get_byname(x->aalg->alg_name, 0); 459 BUG_ON(!aalg_desc); 460 461 if (aalg_desc->uinfo.auth.icv_fullbits/8 != 462 crypto_hash_digestsize(tfm)) { 463 printk(KERN_INFO "AH: %s digestsize %u != %hu\n", 464 x->aalg->alg_name, crypto_hash_digestsize(tfm), 465 aalg_desc->uinfo.auth.icv_fullbits/8); 466 goto error; 467 } 468 469 ahp->icv_full_len = aalg_desc->uinfo.auth.icv_fullbits/8; 470 ahp->icv_trunc_len = aalg_desc->uinfo.auth.icv_truncbits/8; 471 472 BUG_ON(ahp->icv_trunc_len > MAX_AH_AUTH_LEN); 473 474 ahp->work_icv = kmalloc(ahp->icv_full_len, GFP_KERNEL); 475 if (!ahp->work_icv) 476 goto error; 477 478 x->props.header_len = XFRM_ALIGN8(sizeof(struct ip_auth_hdr) + 479 ahp->icv_trunc_len); 480 switch (x->props.mode) { 481 case XFRM_MODE_BEET: 482 case XFRM_MODE_TRANSPORT: 483 break; 484 case XFRM_MODE_TUNNEL: 485 x->props.header_len += sizeof(struct ipv6hdr); 486 default: 487 goto error; 488 } 489 x->data = ahp; 490 491 return 0; 492 493 error: 494 if (ahp) { 495 kfree(ahp->work_icv); 496 crypto_free_hash(ahp->tfm); 497 kfree(ahp); 498 } 499 return -EINVAL; 500 } 501 502 static void ah6_destroy(struct xfrm_state *x) 503 { 504 struct ah_data *ahp = x->data; 505 506 if (!ahp) 507 return; 508 509 kfree(ahp->work_icv); 510 ahp->work_icv = NULL; 511 crypto_free_hash(ahp->tfm); 512 ahp->tfm = NULL; 513 kfree(ahp); 514 } 515 516 static struct xfrm_type ah6_type = 517 { 518 .description = "AH6", 519 .owner = THIS_MODULE, 520 .proto = IPPROTO_AH, 521 .flags = XFRM_TYPE_REPLAY_PROT, 522 .init_state = ah6_init_state, 523 .destructor = ah6_destroy, 524 .input = ah6_input, 525 .output = ah6_output, 526 .hdr_offset = xfrm6_find_1stfragopt, 527 }; 528 529 static struct inet6_protocol ah6_protocol = { 530 .handler = xfrm6_rcv, 531 .err_handler = ah6_err, 532 .flags = INET6_PROTO_NOPOLICY, 533 }; 534 535 static int __init ah6_init(void) 536 { 537 if (xfrm_register_type(&ah6_type, AF_INET6) < 0) { 538 printk(KERN_INFO "ipv6 ah init: can't add xfrm type\n"); 539 return -EAGAIN; 540 } 541 542 if (inet6_add_protocol(&ah6_protocol, IPPROTO_AH) < 0) { 543 printk(KERN_INFO "ipv6 ah init: can't add protocol\n"); 544 xfrm_unregister_type(&ah6_type, AF_INET6); 545 return -EAGAIN; 546 } 547 548 return 0; 549 } 550 551 static void __exit ah6_fini(void) 552 { 553 if (inet6_del_protocol(&ah6_protocol, IPPROTO_AH) < 0) 554 printk(KERN_INFO "ipv6 ah close: can't remove protocol\n"); 555 556 if (xfrm_unregister_type(&ah6_type, AF_INET6) < 0) 557 printk(KERN_INFO "ipv6 ah close: can't remove xfrm type\n"); 558 559 } 560 561 module_init(ah6_init); 562 module_exit(ah6_fini); 563 564 MODULE_LICENSE("GPL"); 565 MODULE_ALIAS_XFRM_TYPE(AF_INET6, XFRM_PROTO_AH); 566