xref: /openbmc/linux/net/ipv4/xfrm4_input.c (revision c21b37f6) 
1 /*
2  * xfrm4_input.c
3  *
4  * Changes:
5  *	YOSHIFUJI Hideaki @USAGI
6  *		Split up af-specific portion
7  *	Derek Atkins <derek@ihtfp.com>
8  *		Add Encapsulation support
9  *
10  */
11 
12 #include <linux/module.h>
13 #include <linux/string.h>
14 #include <linux/netfilter.h>
15 #include <linux/netfilter_ipv4.h>
16 #include <net/ip.h>
17 #include <net/xfrm.h>
18 
19 static int xfrm4_parse_spi(struct sk_buff *skb, u8 nexthdr, __be32 *spi, __be32 *seq)
20 {
21 	switch (nexthdr) {
22 	case IPPROTO_IPIP:
23 	case IPPROTO_IPV6:
24 		*spi = ip_hdr(skb)->saddr;
25 		*seq = 0;
26 		return 0;
27 	}
28 
29 	return xfrm_parse_spi(skb, nexthdr, spi, seq);
30 }
31 
32 #ifdef CONFIG_NETFILTER
33 static inline int xfrm4_rcv_encap_finish(struct sk_buff *skb)
34 {
35 	if (skb->dst == NULL) {
36 		const struct iphdr *iph = ip_hdr(skb);
37 
38 		if (ip_route_input(skb, iph->daddr, iph->saddr, iph->tos,
39 				   skb->dev))
40 			goto drop;
41 	}
42 	return dst_input(skb);
43 drop:
44 	kfree_skb(skb);
45 	return NET_RX_DROP;
46 }
47 #endif
48 
49 static int xfrm4_rcv_encap(struct sk_buff *skb, __u16 encap_type)
50 {
51 	__be32 spi, seq;
52 	struct xfrm_state *xfrm_vec[XFRM_MAX_DEPTH];
53 	struct xfrm_state *x;
54 	int xfrm_nr = 0;
55 	int decaps = 0;
56 	int err = xfrm4_parse_spi(skb, ip_hdr(skb)->protocol, &spi, &seq);
57 
58 	if (err != 0)
59 		goto drop;
60 
61 	do {
62 		const struct iphdr *iph = ip_hdr(skb);
63 
64 		if (xfrm_nr == XFRM_MAX_DEPTH)
65 			goto drop;
66 
67 		x = xfrm_state_lookup((xfrm_address_t *)&iph->daddr, spi,
68 				iph->protocol != IPPROTO_IPV6 ? iph->protocol : IPPROTO_IPIP, AF_INET);
69 		if (x == NULL)
70 			goto drop;
71 
72 		spin_lock(&x->lock);
73 		if (unlikely(x->km.state != XFRM_STATE_VALID))
74 			goto drop_unlock;
75 
76 		if ((x->encap ? x->encap->encap_type : 0) != encap_type)
77 			goto drop_unlock;
78 
79 		if (x->props.replay_window && xfrm_replay_check(x, seq))
80 			goto drop_unlock;
81 
82 		if (xfrm_state_check_expire(x))
83 			goto drop_unlock;
84 
85 		if (x->type->input(x, skb))
86 			goto drop_unlock;
87 
88 		/* only the first xfrm gets the encap type */
89 		encap_type = 0;
90 
91 		if (x->props.replay_window)
92 			xfrm_replay_advance(x, seq);
93 
94 		x->curlft.bytes += skb->len;
95 		x->curlft.packets++;
96 
97 		spin_unlock(&x->lock);
98 
99 		xfrm_vec[xfrm_nr++] = x;
100 
101 		if (x->mode->input(x, skb))
102 			goto drop;
103 
104 		if (x->props.mode == XFRM_MODE_TUNNEL) {
105 			decaps = 1;
106 			break;
107 		}
108 
109 		err = xfrm_parse_spi(skb, ip_hdr(skb)->protocol, &spi, &seq);
110 		if (err < 0)
111 			goto drop;
112 	} while (!err);
113 
114 	/* Allocate new secpath or COW existing one. */
115 
116 	if (!skb->sp || atomic_read(&skb->sp->refcnt) != 1) {
117 		struct sec_path *sp;
118 		sp = secpath_dup(skb->sp);
119 		if (!sp)
120 			goto drop;
121 		if (skb->sp)
122 			secpath_put(skb->sp);
123 		skb->sp = sp;
124 	}
125 	if (xfrm_nr + skb->sp->len > XFRM_MAX_DEPTH)
126 		goto drop;
127 
128 	memcpy(skb->sp->xvec + skb->sp->len, xfrm_vec,
129 	       xfrm_nr * sizeof(xfrm_vec[0]));
130 	skb->sp->len += xfrm_nr;
131 
132 	nf_reset(skb);
133 
134 	if (decaps) {
135 		dst_release(skb->dst);
136 		skb->dst = NULL;
137 		netif_rx(skb);
138 		return 0;
139 	} else {
140 #ifdef CONFIG_NETFILTER
141 		__skb_push(skb, skb->data - skb_network_header(skb));
142 		ip_hdr(skb)->tot_len = htons(skb->len);
143 		ip_send_check(ip_hdr(skb));
144 
145 		NF_HOOK(PF_INET, NF_IP_PRE_ROUTING, skb, skb->dev, NULL,
146 			xfrm4_rcv_encap_finish);
147 		return 0;
148 #else
149 		return -ip_hdr(skb)->protocol;
150 #endif
151 	}
152 
153 drop_unlock:
154 	spin_unlock(&x->lock);
155 	xfrm_state_put(x);
156 drop:
157 	while (--xfrm_nr >= 0)
158 		xfrm_state_put(xfrm_vec[xfrm_nr]);
159 
160 	kfree_skb(skb);
161 	return 0;
162 }
163 
164 /* If it's a keepalive packet, then just eat it.
165  * If it's an encapsulated packet, then pass it to the
166  * IPsec xfrm input.
167  * Returns 0 if skb passed to xfrm or was dropped.
168  * Returns >0 if skb should be passed to UDP.
169  * Returns <0 if skb should be resubmitted (-ret is protocol)
170  */
171 int xfrm4_udp_encap_rcv(struct sock *sk, struct sk_buff *skb)
172 {
173 	struct udp_sock *up = udp_sk(sk);
174 	struct udphdr *uh;
175 	struct iphdr *iph;
176 	int iphlen, len;
177 	int ret;
178 
179 	__u8 *udpdata;
180 	__be32 *udpdata32;
181 	__u16 encap_type = up->encap_type;
182 
183 	/* if this is not encapsulated socket, then just return now */
184 	if (!encap_type)
185 		return 1;
186 
187 	/* If this is a paged skb, make sure we pull up
188 	 * whatever data we need to look at. */
189 	len = skb->len - sizeof(struct udphdr);
190 	if (!pskb_may_pull(skb, sizeof(struct udphdr) + min(len, 8)))
191 		return 1;
192 
193 	/* Now we can get the pointers */
194 	uh = udp_hdr(skb);
195 	udpdata = (__u8 *)uh + sizeof(struct udphdr);
196 	udpdata32 = (__be32 *)udpdata;
197 
198 	switch (encap_type) {
199 	default:
200 	case UDP_ENCAP_ESPINUDP:
201 		/* Check if this is a keepalive packet.  If so, eat it. */
202 		if (len == 1 && udpdata[0] == 0xff) {
203 			goto drop;
204 		} else if (len > sizeof(struct ip_esp_hdr) && udpdata32[0] != 0) {
205 			/* ESP Packet without Non-ESP header */
206 			len = sizeof(struct udphdr);
207 		} else
208 			/* Must be an IKE packet.. pass it through */
209 			return 1;
210 		break;
211 	case UDP_ENCAP_ESPINUDP_NON_IKE:
212 		/* Check if this is a keepalive packet.  If so, eat it. */
213 		if (len == 1 && udpdata[0] == 0xff) {
214 			goto drop;
215 		} else if (len > 2 * sizeof(u32) + sizeof(struct ip_esp_hdr) &&
216 			   udpdata32[0] == 0 && udpdata32[1] == 0) {
217 
218 			/* ESP Packet with Non-IKE marker */
219 			len = sizeof(struct udphdr) + 2 * sizeof(u32);
220 		} else
221 			/* Must be an IKE packet.. pass it through */
222 			return 1;
223 		break;
224 	}
225 
226 	/* At this point we are sure that this is an ESPinUDP packet,
227 	 * so we need to remove 'len' bytes from the packet (the UDP
228 	 * header and optional ESP marker bytes) and then modify the
229 	 * protocol to ESP, and then call into the transform receiver.
230 	 */
231 	if (skb_cloned(skb) && pskb_expand_head(skb, 0, 0, GFP_ATOMIC))
232 		goto drop;
233 
234 	/* Now we can update and verify the packet length... */
235 	iph = ip_hdr(skb);
236 	iphlen = iph->ihl << 2;
237 	iph->tot_len = htons(ntohs(iph->tot_len) - len);
238 	if (skb->len < iphlen + len) {
239 		/* packet is too small!?! */
240 		goto drop;
241 	}
242 
243 	/* pull the data buffer up to the ESP header and set the
244 	 * transport header to point to ESP.  Keep UDP on the stack
245 	 * for later.
246 	 */
247 	__skb_pull(skb, len);
248 	skb_reset_transport_header(skb);
249 
250 	/* modify the protocol (it's ESP!) */
251 	iph->protocol = IPPROTO_ESP;
252 
253 	/* process ESP */
254 	ret = xfrm4_rcv_encap(skb, encap_type);
255 	return ret;
256 
257 drop:
258 	kfree_skb(skb);
259 	return 0;
260 }
261 
262 int xfrm4_rcv(struct sk_buff *skb)
263 {
264 	return xfrm4_rcv_encap(skb, 0);
265 }
266 
267 EXPORT_SYMBOL(xfrm4_rcv);
268