/*
 * xfrm6_input.c: based on net/ipv4/xfrm4_input.c
 *
 * Authors:
 *	Mitsuru KANDA @USAGI
 *	Kazunori MIYAZAWA @USAGI
 *	Kunihiro Ishiguro <kunihiro@ipinfusion.com>
 *	YOSHIFUJI Hideaki @USAGI
 *		IPv6 support
 */

#include <linux/module.h>
#include <linux/string.h>
#include <linux/netfilter.h>
#include <linux/netfilter_ipv6.h>
#include <net/ipv6.h>
#include <net/xfrm.h>

/*
 * xfrm6_extract_input - extract the IPv6 header for the input path
 * @x: state the packet matched (unused here; extraction does not depend
 *     on the state)
 * @skb: packet being processed
 *
 * Thin wrapper around xfrm6_extract_header(); returns its result.
 */
int xfrm6_extract_input(struct xfrm_state *x, struct sk_buff *skb)
{
	return xfrm6_extract_header(skb);
}

/*
 * xfrm6_rcv_spi - process the IPsec transforms on an inbound IPv6 packet
 * @skb: inbound packet; the network header must already be set
 * @nexthdr: protocol number of the header at IP6CB(skb)->nhoff
 * @spi: SPI to look up, or 0 to parse the SPI (and sequence number) out of
 *       the packet itself
 *
 * Walks up to XFRM_MAX_DEPTH nested transforms. For each one the state is
 * looked up by (daddr, spi, proto), checked for validity, replay and
 * expiry, and then the transform's input routine runs. Successfully
 * processed states are recorded in the packet's secpath so later policy
 * checks can see which SAs the packet was protected by.
 *
 * Return: -1 when the skb has been consumed (re-injected via netif_rx(),
 * handed to the netfilter hook, or freed on error); 1 only in the
 * !CONFIG_NETFILTER transport case, meaning the caller continues with the
 * inner header.
 */
int xfrm6_rcv_spi(struct sk_buff *skb, int nexthdr, __be32 spi)
{
	int err;
	__be32 seq;
	/* States matched so far; each entry holds a reference (see drop:). */
	struct xfrm_state *xfrm_vec[XFRM_MAX_DEPTH];
	struct xfrm_state *x;
	int xfrm_nr = 0;
	int decaps = 0;
	unsigned int nhoff;

	/* Offset of the protocol field that names the xfrm header we
	 * are about to strip; rewritten below once the header is gone. */
	nhoff = IP6CB(skb)->nhoff;

	seq = 0;
	if (!spi && (err = xfrm_parse_spi(skb, nexthdr, &spi, &seq)) != 0)
		goto drop;

	do {
		struct ipv6hdr *iph = ipv6_hdr(skb);

		/* Bound the nesting depth; also keeps xfrm_vec in bounds. */
		if (xfrm_nr == XFRM_MAX_DEPTH)
			goto drop;

		/* Returns a referenced state or NULL. */
		x = xfrm_state_lookup((xfrm_address_t *)&iph->daddr, spi,
				nexthdr, AF_INET6);
		if (x == NULL)
			goto drop;
		spin_lock(&x->lock);
		if (unlikely(x->km.state != XFRM_STATE_VALID))
			goto drop_unlock;

		/* Replay window is checked here but only advanced after
		 * x->type->input() succeeds, so a packet rejected by the
		 * transform does not move the window. */
		if (x->props.replay_window && xfrm_replay_check(x, seq))
			goto drop_unlock;

		if (xfrm_state_check_expire(x))
			goto drop_unlock;

		/* Transform-specific input (strips the xfrm header); a
		 * non-positive result means the packet was rejected. */
		nexthdr = x->type->input(x, skb);
		if (nexthdr <= 0)
			goto drop_unlock;

		/* Patch the previous header's protocol field to point past
		 * the header that was just removed. */
		skb_network_header(skb)[nhoff] = nexthdr;

		if (x->props.replay_window)
			xfrm_replay_advance(x, seq);

		/* Lifetime accounting for the SA. */
		x->curlft.bytes += skb->len;
		x->curlft.packets++;

		spin_unlock(&x->lock);

		/* From here on the reference on x is owned by xfrm_vec and
		 * released through drop:, not drop_unlock:. */
		xfrm_vec[xfrm_nr++] = x;

		if (x->inner_mode->input(x, skb))
			goto drop;

		/* Tunnel mode exposed a fresh inner packet: stop and
		 * re-inject it below rather than looking for more headers. */
		if (x->outer_mode->flags & XFRM_MODE_FLAG_TUNNEL) {
			decaps = 1;
			break;
		}

		/* A negative result is a malformed header; a positive one is
		 * presumably "no further xfrm header", which ends the loop. */
		if ((err = xfrm_parse_spi(skb, nexthdr, &spi, &seq)) < 0)
			goto drop;
	} while (!err);

	/* Allocate new secpath or COW existing one. */
	if (!skb->sp || atomic_read(&skb->sp->refcnt) != 1) {
		struct sec_path *sp;
		sp = secpath_dup(skb->sp);
		if (!sp)
			goto drop;
		if (skb->sp)
			secpath_put(skb->sp);
		skb->sp = sp;
	}

	/* Bounds check before appending to the fixed-size xvec array. */
	if (xfrm_nr + skb->sp->len > XFRM_MAX_DEPTH)
		goto drop;

	memcpy(skb->sp->xvec + skb->sp->len, xfrm_vec,
	       xfrm_nr * sizeof(xfrm_vec[0]));
	skb->sp->len += xfrm_nr;

	/* Reset netfilter state so the decapsulated packet is evaluated
	 * afresh by the hooks below / on re-injection. */
	nf_reset(skb);

	if (decaps) {
		/* The route chosen for the outer packet does not apply to
		 * the inner one; drop it and re-enter the stack from the top. */
		dst_release(skb->dst);
		skb->dst = NULL;
		netif_rx(skb);
		return -1;
	} else {
#ifdef CONFIG_NETFILTER
		/* Transport mode: fix up the length of the now-shorter
		 * payload and re-run PRE_ROUTING on the transformed packet. */
		ipv6_hdr(skb)->payload_len = htons(skb->len);
		__skb_push(skb, skb->data - skb_network_header(skb));

		NF_HOOK(PF_INET6, NF_IP6_PRE_ROUTING, skb, skb->dev, NULL,
			ip6_rcv_finish);
		return -1;
#else
		return 1;
#endif
	}

drop_unlock:
	/* x is locked and not yet in xfrm_vec: release it separately. */
	spin_unlock(&x->lock);
	xfrm_state_put(x);
drop:
	/* Release every state already recorded in xfrm_vec. */
	while (--xfrm_nr >= 0)
		xfrm_state_put(xfrm_vec[xfrm_nr]);

	kfree_skb(skb);
	return -1;
}

EXPORT_SYMBOL(xfrm6_rcv_spi);

/*
 * xfrm6_rcv - protocol handler entry point for inbound IPsec
 * @skb: inbound packet
 *
 * Reads the protocol number at the recorded nhoff and passes spi = 0 so
 * that xfrm6_rcv_spi() parses the SPI from the packet. Return value is
 * that of xfrm6_rcv_spi().
 */
int xfrm6_rcv(struct sk_buff *skb)
{
	return xfrm6_rcv_spi(skb, skb_network_header(skb)[IP6CB(skb)->nhoff],
			     0);
}

EXPORT_SYMBOL(xfrm6_rcv);

/*
 * xfrm6_input_addr - process a single transform matched by address pair
 * @skb: inbound packet
 * @daddr: destination address to match
 * @saddr: source address to match
 * @proto: transform protocol number
 *
 * Tries three lookups in order: exact (daddr, saddr), then daddr with a
 * wildcard source, then both addresses wildcarded. A state found through a
 * wildcard lookup is only accepted if it carries XFRM_STATE_WILDRECV.
 * The first usable state runs its input routine and is appended to the
 * packet's secpath.
 *
 * NOTE(review): unlike xfrm6_rcv_spi(), no replay-window check is done
 * here, and the next-header value returned by x->type->input() is only
 * tested for failure, not propagated to the caller.
 *
 * Return: 1 on success, -1 on failure. The skb is not freed on failure;
 * that is left to the caller.
 */
int xfrm6_input_addr(struct sk_buff *skb, xfrm_address_t *daddr,
		     xfrm_address_t *saddr, u8 proto)
{
	struct xfrm_state *x = NULL;
	int wildcard = 0;
	xfrm_address_t *xany;
	/* The single state that was accepted; holds a reference. */
	struct xfrm_state *xfrm_vec_one = NULL;
	int nh = 0;
	int i = 0;

	xany = (xfrm_address_t *)&in6addr_any;

	for (i = 0; i < 3; i++) {
		xfrm_address_t *dst, *src;
		switch (i) {
		case 0:
			dst = daddr;
			src = saddr;
			break;
		case 1:
			/* lookup state with wild-card source address */
			wildcard = 1;
			dst = daddr;
			src = xany;
			break;
		case 2:
		default:
			/* lookup state with wild-card addresses */
			wildcard = 1; /* XXX */
			dst = xany;
			src = xany;
			break;
		}

		/* Returns a referenced state or NULL. */
		x = xfrm_state_lookup_byaddr(dst, src, proto, AF_INET6);
		if (!x)
			continue;

		spin_lock(&x->lock);

		/* A wildcard match must be explicitly permitted by the SA. */
		if (wildcard) {
			if ((x->props.flags & XFRM_STATE_WILDRECV) == 0) {
				spin_unlock(&x->lock);
				xfrm_state_put(x);
				x = NULL;
				continue;
			}
		}

		if (unlikely(x->km.state != XFRM_STATE_VALID)) {
			spin_unlock(&x->lock);
			xfrm_state_put(x);
			x = NULL;
			continue;
		}
		if (xfrm_state_check_expire(x)) {
			spin_unlock(&x->lock);
			xfrm_state_put(x);
			x = NULL;
			continue;
		}

		/* Transform-specific input; non-positive means rejected. */
		nh = x->type->input(x, skb);
		if (nh <= 0) {
			spin_unlock(&x->lock);
			xfrm_state_put(x);
			x = NULL;
			continue;
		}

		/* Lifetime accounting for the SA. */
		x->curlft.bytes += skb->len;
		x->curlft.packets++;

		spin_unlock(&x->lock);

		xfrm_vec_one = x;
		break;
	}

	if (!xfrm_vec_one)
		goto drop;

	/* Allocate new secpath or COW existing one. */
	if (!skb->sp || atomic_read(&skb->sp->refcnt) != 1) {
		struct sec_path *sp;
		sp = secpath_dup(skb->sp);
		if (!sp)
			goto drop;
		if (skb->sp)
			secpath_put(skb->sp);
		skb->sp = sp;
	}

	/* Bounds check before writing into the fixed-size xvec array. */
	if (1 + skb->sp->len > XFRM_MAX_DEPTH)
		goto drop;

	skb->sp->xvec[skb->sp->len] = xfrm_vec_one;
	skb->sp->len ++;

	return 1;
drop:
	/* Only the accepted state (if any) still holds a reference here. */
	if (xfrm_vec_one)
		xfrm_state_put(xfrm_vec_one);
	return -1;
}

EXPORT_SYMBOL(xfrm6_input_addr);