xref: /openbmc/linux/net/xfrm/xfrm_input.c (revision 4f139972b489f8bc2c821aa25ac65018d92af3f7) 
1 /*
2  * xfrm_input.c
3  *
4  * Changes:
5  * 	YOSHIFUJI Hideaki @USAGI
6  * 		Split up af-specific portion
7  *
8  */
9 
10 #include <linux/slab.h>
11 #include <linux/module.h>
12 #include <linux/netdevice.h>
13 #include <net/dst.h>
14 #include <net/ip.h>
15 #include <net/xfrm.h>
16 #include <net/ip_tunnels.h>
17 #include <net/ip6_tunnel.h>
18 
19 static struct kmem_cache *secpath_cachep __read_mostly;
20 
21 static DEFINE_SPINLOCK(xfrm_input_afinfo_lock);
22 static struct xfrm_input_afinfo const __rcu *xfrm_input_afinfo[AF_INET6 + 1];
23 
24 static struct gro_cells gro_cells;
25 static struct net_device xfrm_napi_dev;
26 
27 int xfrm_input_register_afinfo(const struct xfrm_input_afinfo *afinfo)
28 {
29 	int err = 0;
30 
31 	if (WARN_ON(afinfo->family >= ARRAY_SIZE(xfrm_input_afinfo)))
32 		return -EAFNOSUPPORT;
33 
34 	spin_lock_bh(&xfrm_input_afinfo_lock);
35 	if (unlikely(xfrm_input_afinfo[afinfo->family] != NULL))
36 		err = -EEXIST;
37 	else
38 		rcu_assign_pointer(xfrm_input_afinfo[afinfo->family], afinfo);
39 	spin_unlock_bh(&xfrm_input_afinfo_lock);
40 	return err;
41 }
42 EXPORT_SYMBOL(xfrm_input_register_afinfo);
43 
44 int xfrm_input_unregister_afinfo(const struct xfrm_input_afinfo *afinfo)
45 {
46 	int err = 0;
47 
48 	spin_lock_bh(&xfrm_input_afinfo_lock);
49 	if (likely(xfrm_input_afinfo[afinfo->family] != NULL)) {
50 		if (unlikely(xfrm_input_afinfo[afinfo->family] != afinfo))
51 			err = -EINVAL;
52 		else
53 			RCU_INIT_POINTER(xfrm_input_afinfo[afinfo->family], NULL);
54 	}
55 	spin_unlock_bh(&xfrm_input_afinfo_lock);
56 	synchronize_rcu();
57 	return err;
58 }
59 EXPORT_SYMBOL(xfrm_input_unregister_afinfo);
60 
61 static const struct xfrm_input_afinfo *xfrm_input_get_afinfo(unsigned int family)
62 {
63 	const struct xfrm_input_afinfo *afinfo;
64 
65 	if (WARN_ON_ONCE(family >= ARRAY_SIZE(xfrm_input_afinfo)))
66 		return NULL;
67 
68 	rcu_read_lock();
69 	afinfo = rcu_dereference(xfrm_input_afinfo[family]);
70 	if (unlikely(!afinfo))
71 		rcu_read_unlock();
72 	return afinfo;
73 }
74 
75 static int xfrm_rcv_cb(struct sk_buff *skb, unsigned int family, u8 protocol,
76 		       int err)
77 {
78 	int ret;
79 	const struct xfrm_input_afinfo *afinfo = xfrm_input_get_afinfo(family);
80 
81 	if (!afinfo)
82 		return -EAFNOSUPPORT;
83 
84 	ret = afinfo->callback(skb, protocol, err);
85 	rcu_read_unlock();
86 
87 	return ret;
88 }
89 
90 void __secpath_destroy(struct sec_path *sp)
91 {
92 	int i;
93 	for (i = 0; i < sp->len; i++)
94 		xfrm_state_put(sp->xvec[i]);
95 	kmem_cache_free(secpath_cachep, sp);
96 }
97 EXPORT_SYMBOL(__secpath_destroy);
98 
99 struct sec_path *secpath_dup(struct sec_path *src)
100 {
101 	struct sec_path *sp;
102 
103 	sp = kmem_cache_alloc(secpath_cachep, GFP_ATOMIC);
104 	if (!sp)
105 		return NULL;
106 
107 	sp->len = 0;
108 	sp->olen = 0;
109 
110 	if (src) {
111 		int i;
112 
113 		memcpy(sp, src, sizeof(*sp));
114 		for (i = 0; i < sp->len; i++)
115 			xfrm_state_hold(sp->xvec[i]);
116 	}
117 	atomic_set(&sp->refcnt, 1);
118 	return sp;
119 }
120 EXPORT_SYMBOL(secpath_dup);
121 
122 int secpath_set(struct sk_buff *skb)
123 {
124 	struct sec_path *sp;
125 
126 	/* Allocate new secpath or COW existing one. */
127 	if (!skb->sp || atomic_read(&skb->sp->refcnt) != 1) {
128 		sp = secpath_dup(skb->sp);
129 		if (!sp)
130 			return -ENOMEM;
131 
132 		if (skb->sp)
133 			secpath_put(skb->sp);
134 		skb->sp = sp;
135 	}
136 	return 0;
137 }
138 EXPORT_SYMBOL(secpath_set);
139 
140 /* Fetch spi and seq from ipsec header */
141 
142 int xfrm_parse_spi(struct sk_buff *skb, u8 nexthdr, __be32 *spi, __be32 *seq)
143 {
144 	int offset, offset_seq;
145 	int hlen;
146 
147 	switch (nexthdr) {
148 	case IPPROTO_AH:
149 		hlen = sizeof(struct ip_auth_hdr);
150 		offset = offsetof(struct ip_auth_hdr, spi);
151 		offset_seq = offsetof(struct ip_auth_hdr, seq_no);
152 		break;
153 	case IPPROTO_ESP:
154 		hlen = sizeof(struct ip_esp_hdr);
155 		offset = offsetof(struct ip_esp_hdr, spi);
156 		offset_seq = offsetof(struct ip_esp_hdr, seq_no);
157 		break;
158 	case IPPROTO_COMP:
159 		if (!pskb_may_pull(skb, sizeof(struct ip_comp_hdr)))
160 			return -EINVAL;
161 		*spi = htonl(ntohs(*(__be16 *)(skb_transport_header(skb) + 2)));
162 		*seq = 0;
163 		return 0;
164 	default:
165 		return 1;
166 	}
167 
168 	if (!pskb_may_pull(skb, hlen))
169 		return -EINVAL;
170 
171 	*spi = *(__be32 *)(skb_transport_header(skb) + offset);
172 	*seq = *(__be32 *)(skb_transport_header(skb) + offset_seq);
173 	return 0;
174 }
175 EXPORT_SYMBOL(xfrm_parse_spi);
176 
177 int xfrm_prepare_input(struct xfrm_state *x, struct sk_buff *skb)
178 {
179 	struct xfrm_mode *inner_mode = x->inner_mode;
180 	int err;
181 
182 	err = x->outer_mode->afinfo->extract_input(x, skb);
183 	if (err)
184 		return err;
185 
186 	if (x->sel.family == AF_UNSPEC) {
187 		inner_mode = xfrm_ip2inner_mode(x, XFRM_MODE_SKB_CB(skb)->protocol);
188 		if (inner_mode == NULL)
189 			return -EAFNOSUPPORT;
190 	}
191 
192 	skb->protocol = inner_mode->afinfo->eth_proto;
193 	return inner_mode->input2(x, skb);
194 }
195 EXPORT_SYMBOL(xfrm_prepare_input);
196 
197 int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
198 {
199 	struct net *net = dev_net(skb->dev);
200 	int err;
201 	__be32 seq;
202 	__be32 seq_hi;
203 	struct xfrm_state *x = NULL;
204 	xfrm_address_t *daddr;
205 	struct xfrm_mode *inner_mode;
206 	u32 mark = skb->mark;
207 	unsigned int family;
208 	int decaps = 0;
209 	int async = 0;
210 	struct xfrm_offload *xo;
211 	bool xfrm_gro = false;
212 
213 	if (encap_type < 0) {
214 		x = xfrm_input_state(skb);
215 		family = x->outer_mode->afinfo->family;
216 
217 		/* An encap_type of -1 indicates async resumption. */
218 		if (encap_type == -1) {
219 			async = 1;
220 			seq = XFRM_SKB_CB(skb)->seq.input.low;
221 			goto resume;
222 		}
223 		/* encap_type < -1 indicates a GRO call. */
224 		encap_type = 0;
225 		seq = XFRM_SPI_SKB_CB(skb)->seq;
226 		goto lock;
227 	}
228 
229 	daddr = (xfrm_address_t *)(skb_network_header(skb) +
230 				   XFRM_SPI_SKB_CB(skb)->daddroff);
231 	family = XFRM_SPI_SKB_CB(skb)->family;
232 
233 	/* if tunnel is present override skb->mark value with tunnel i_key */
234 	switch (family) {
235 	case AF_INET:
236 		if (XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4)
237 			mark = be32_to_cpu(XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4->parms.i_key);
238 		break;
239 	case AF_INET6:
240 		if (XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip6)
241 			mark = be32_to_cpu(XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip6->parms.i_key);
242 		break;
243 	}
244 
245 	err = secpath_set(skb);
246 	if (err) {
247 		XFRM_INC_STATS(net, LINUX_MIB_XFRMINERROR);
248 		goto drop;
249 	}
250 
251 	seq = 0;
252 	if (!spi && (err = xfrm_parse_spi(skb, nexthdr, &spi, &seq)) != 0) {
253 		XFRM_INC_STATS(net, LINUX_MIB_XFRMINHDRERROR);
254 		goto drop;
255 	}
256 
257 	do {
258 		if (skb->sp->len == XFRM_MAX_DEPTH) {
259 			XFRM_INC_STATS(net, LINUX_MIB_XFRMINBUFFERERROR);
260 			goto drop;
261 		}
262 
263 		x = xfrm_state_lookup(net, mark, daddr, spi, nexthdr, family);
264 		if (x == NULL) {
265 			XFRM_INC_STATS(net, LINUX_MIB_XFRMINNOSTATES);
266 			xfrm_audit_state_notfound(skb, family, spi, seq);
267 			goto drop;
268 		}
269 
270 		skb->sp->xvec[skb->sp->len++] = x;
271 
272 lock:
273 		spin_lock(&x->lock);
274 
275 		if (unlikely(x->km.state != XFRM_STATE_VALID)) {
276 			if (x->km.state == XFRM_STATE_ACQ)
277 				XFRM_INC_STATS(net, LINUX_MIB_XFRMACQUIREERROR);
278 			else
279 				XFRM_INC_STATS(net,
280 					       LINUX_MIB_XFRMINSTATEINVALID);
281 			goto drop_unlock;
282 		}
283 
284 		if ((x->encap ? x->encap->encap_type : 0) != encap_type) {
285 			XFRM_INC_STATS(net, LINUX_MIB_XFRMINSTATEMISMATCH);
286 			goto drop_unlock;
287 		}
288 
289 		if (x->repl->check(x, skb, seq)) {
290 			XFRM_INC_STATS(net, LINUX_MIB_XFRMINSTATESEQERROR);
291 			goto drop_unlock;
292 		}
293 
294 		if (xfrm_state_check_expire(x)) {
295 			XFRM_INC_STATS(net, LINUX_MIB_XFRMINSTATEEXPIRED);
296 			goto drop_unlock;
297 		}
298 
299 		spin_unlock(&x->lock);
300 
301 		if (xfrm_tunnel_check(skb, x, family)) {
302 			XFRM_INC_STATS(net, LINUX_MIB_XFRMINSTATEMODEERROR);
303 			goto drop;
304 		}
305 
306 		seq_hi = htonl(xfrm_replay_seqhi(x, seq));
307 
308 		XFRM_SKB_CB(skb)->seq.input.low = seq;
309 		XFRM_SKB_CB(skb)->seq.input.hi = seq_hi;
310 
311 		skb_dst_force(skb);
312 		dev_hold(skb->dev);
313 
314 		nexthdr = x->type->input(x, skb);
315 
316 		if (nexthdr == -EINPROGRESS)
317 			return 0;
318 resume:
319 		dev_put(skb->dev);
320 
321 		spin_lock(&x->lock);
322 		if (nexthdr <= 0) {
323 			if (nexthdr == -EBADMSG) {
324 				xfrm_audit_state_icvfail(x, skb,
325 							 x->type->proto);
326 				x->stats.integrity_failed++;
327 			}
328 			XFRM_INC_STATS(net, LINUX_MIB_XFRMINSTATEPROTOERROR);
329 			goto drop_unlock;
330 		}
331 
332 		/* only the first xfrm gets the encap type */
333 		encap_type = 0;
334 
335 		if (async && x->repl->recheck(x, skb, seq)) {
336 			XFRM_INC_STATS(net, LINUX_MIB_XFRMINSTATESEQERROR);
337 			goto drop_unlock;
338 		}
339 
340 		x->repl->advance(x, seq);
341 
342 		x->curlft.bytes += skb->len;
343 		x->curlft.packets++;
344 
345 		spin_unlock(&x->lock);
346 
347 		XFRM_MODE_SKB_CB(skb)->protocol = nexthdr;
348 
349 		inner_mode = x->inner_mode;
350 
351 		if (x->sel.family == AF_UNSPEC) {
352 			inner_mode = xfrm_ip2inner_mode(x, XFRM_MODE_SKB_CB(skb)->protocol);
353 			if (inner_mode == NULL) {
354 				XFRM_INC_STATS(net, LINUX_MIB_XFRMINSTATEMODEERROR);
355 				goto drop;
356 			}
357 		}
358 
359 		if (inner_mode->input(x, skb)) {
360 			XFRM_INC_STATS(net, LINUX_MIB_XFRMINSTATEMODEERROR);
361 			goto drop;
362 		}
363 
364 		if (x->outer_mode->flags & XFRM_MODE_FLAG_TUNNEL) {
365 			decaps = 1;
366 			break;
367 		}
368 
369 		/*
370 		 * We need the inner address.  However, we only get here for
371 		 * transport mode so the outer address is identical.
372 		 */
373 		daddr = &x->id.daddr;
374 		family = x->outer_mode->afinfo->family;
375 
376 		err = xfrm_parse_spi(skb, nexthdr, &spi, &seq);
377 		if (err < 0) {
378 			XFRM_INC_STATS(net, LINUX_MIB_XFRMINHDRERROR);
379 			goto drop;
380 		}
381 	} while (!err);
382 
383 	err = xfrm_rcv_cb(skb, family, x->type->proto, 0);
384 	if (err)
385 		goto drop;
386 
387 	nf_reset(skb);
388 
389 	if (decaps) {
390 		skb_dst_drop(skb);
391 		gro_cells_receive(&gro_cells, skb);
392 		return 0;
393 	} else {
394 		xo = xfrm_offload(skb);
395 		if (xo)
396 			xfrm_gro = xo->flags & XFRM_GRO;
397 
398 		err = x->inner_mode->afinfo->transport_finish(skb, async);
399 		if (xfrm_gro) {
400 			skb_dst_drop(skb);
401 			gro_cells_receive(&gro_cells, skb);
402 			return err;
403 		}
404 
405 		return err;
406 	}
407 
408 drop_unlock:
409 	spin_unlock(&x->lock);
410 drop:
411 	xfrm_rcv_cb(skb, family, x && x->type ? x->type->proto : nexthdr, -1);
412 	kfree_skb(skb);
413 	return 0;
414 }
415 EXPORT_SYMBOL(xfrm_input);
416 
417 int xfrm_input_resume(struct sk_buff *skb, int nexthdr)
418 {
419 	return xfrm_input(skb, nexthdr, 0, -1);
420 }
421 EXPORT_SYMBOL(xfrm_input_resume);
422 
423 void __init xfrm_input_init(void)
424 {
425 	int err;
426 
427 	init_dummy_netdev(&xfrm_napi_dev);
428 	err = gro_cells_init(&gro_cells, &xfrm_napi_dev);
429 	if (err)
430 		gro_cells.cells = NULL;
431 
432 	secpath_cachep = kmem_cache_create("secpath_cache",
433 					   sizeof(struct sec_path),
434 					   0, SLAB_HWCACHE_ALIGN|SLAB_PANIC,
435 					   NULL);
436 }
437