xref: /linux/net/ipv4/ah4.c (revision c358f53871605a1a8d7ed6e544a05ea00e9c80cb)
1 // SPDX-License-Identifier: GPL-2.0-only
2 #define pr_fmt(fmt) "IPsec: " fmt
3 
4 #include <crypto/algapi.h>
5 #include <crypto/hash.h>
6 #include <linux/err.h>
7 #include <linux/module.h>
8 #include <linux/slab.h>
9 #include <net/ip.h>
10 #include <net/xfrm.h>
11 #include <net/ah.h>
12 #include <linux/crypto.h>
13 #include <linux/pfkeyv2.h>
14 #include <linux/scatterlist.h>
15 #include <net/icmp.h>
16 #include <net/protocol.h>
17 
18 struct ah_skb_cb {
19 	struct xfrm_skb_cb xfrm;
20 	void *tmp;
21 };
22 
23 #define AH_SKB_CB(__skb) ((struct ah_skb_cb *)&((__skb)->cb[0]))
24 
25 static void *ah_alloc_tmp(struct crypto_ahash *ahash, int nfrags,
26 			  unsigned int size)
27 {
28 	unsigned int len;
29 
30 	len = size + crypto_ahash_digestsize(ahash) +
31 	      (crypto_ahash_alignmask(ahash) &
32 	       ~(crypto_tfm_ctx_alignment() - 1));
33 
34 	len = ALIGN(len, crypto_tfm_ctx_alignment());
35 
36 	len += sizeof(struct ahash_request) + crypto_ahash_reqsize(ahash);
37 	len = ALIGN(len, __alignof__(struct scatterlist));
38 
39 	len += sizeof(struct scatterlist) * nfrags;
40 
41 	return kmalloc(len, GFP_ATOMIC);
42 }
43 
44 static inline u8 *ah_tmp_auth(void *tmp, unsigned int offset)
45 {
46 	return tmp + offset;
47 }
48 
49 static inline u8 *ah_tmp_icv(struct crypto_ahash *ahash, void *tmp,
50 			     unsigned int offset)
51 {
52 	return PTR_ALIGN((u8 *)tmp + offset, crypto_ahash_alignmask(ahash) + 1);
53 }
54 
55 static inline struct ahash_request *ah_tmp_req(struct crypto_ahash *ahash,
56 					       u8 *icv)
57 {
58 	struct ahash_request *req;
59 
60 	req = (void *)PTR_ALIGN(icv + crypto_ahash_digestsize(ahash),
61 				crypto_tfm_ctx_alignment());
62 
63 	ahash_request_set_tfm(req, ahash);
64 
65 	return req;
66 }
67 
68 static inline struct scatterlist *ah_req_sg(struct crypto_ahash *ahash,
69 					     struct ahash_request *req)
70 {
71 	return (void *)ALIGN((unsigned long)(req + 1) +
72 			     crypto_ahash_reqsize(ahash),
73 			     __alignof__(struct scatterlist));
74 }
75 
76 /* Clear mutable options and find final destination to substitute
77  * into IP header for icv calculation. Options are already checked
78  * for validity, so paranoia is not required. */
79 
80 static int ip_clear_mutable_options(const struct iphdr *iph, __be32 *daddr)
81 {
82 	unsigned char *optptr = (unsigned char *)(iph+1);
83 	int  l = iph->ihl*4 - sizeof(struct iphdr);
84 	int  optlen;
85 
86 	while (l > 0) {
87 		switch (*optptr) {
88 		case IPOPT_END:
89 			return 0;
90 		case IPOPT_NOOP:
91 			l--;
92 			optptr++;
93 			continue;
94 		}
95 		optlen = optptr[1];
96 		if (optlen<2 || optlen>l)
97 			return -EINVAL;
98 		switch (*optptr) {
99 		case IPOPT_SEC:
100 		case 0x85:	/* Some "Extended Security" crap. */
101 		case IPOPT_CIPSO:
102 		case IPOPT_RA:
103 		case 0x80|21:	/* RFC1770 */
104 			break;
105 		case IPOPT_LSRR:
106 		case IPOPT_SSRR:
107 			if (optlen < 6)
108 				return -EINVAL;
109 			memcpy(daddr, optptr+optlen-4, 4);
110 			fallthrough;
111 		default:
112 			memset(optptr, 0, optlen);
113 		}
114 		l -= optlen;
115 		optptr += optlen;
116 	}
117 	return 0;
118 }
119 
120 static void ah_output_done(struct crypto_async_request *base, int err)
121 {
122 	u8 *icv;
123 	struct iphdr *iph;
124 	struct sk_buff *skb = base->data;
125 	struct xfrm_state *x = skb_dst(skb)->xfrm;
126 	struct ah_data *ahp = x->data;
127 	struct iphdr *top_iph = ip_hdr(skb);
128 	struct ip_auth_hdr *ah = ip_auth_hdr(skb);
129 	int ihl = ip_hdrlen(skb);
130 
131 	iph = AH_SKB_CB(skb)->tmp;
132 	icv = ah_tmp_icv(ahp->ahash, iph, ihl);
133 	memcpy(ah->auth_data, icv, ahp->icv_trunc_len);
134 
135 	top_iph->tos = iph->tos;
136 	top_iph->ttl = iph->ttl;
137 	top_iph->frag_off = iph->frag_off;
138 	if (top_iph->ihl != 5) {
139 		top_iph->daddr = iph->daddr;
140 		memcpy(top_iph+1, iph+1, top_iph->ihl*4 - sizeof(struct iphdr));
141 	}
142 
143 	kfree(AH_SKB_CB(skb)->tmp);
144 	xfrm_output_resume(skb->sk, skb, err);
145 }
146 
147 static int ah_output(struct xfrm_state *x, struct sk_buff *skb)
148 {
149 	int err;
150 	int nfrags;
151 	int ihl;
152 	u8 *icv;
153 	struct sk_buff *trailer;
154 	struct crypto_ahash *ahash;
155 	struct ahash_request *req;
156 	struct scatterlist *sg;
157 	struct iphdr *iph, *top_iph;
158 	struct ip_auth_hdr *ah;
159 	struct ah_data *ahp;
160 	int seqhi_len = 0;
161 	__be32 *seqhi;
162 	int sglists = 0;
163 	struct scatterlist *seqhisg;
164 
165 	ahp = x->data;
166 	ahash = ahp->ahash;
167 
168 	if ((err = skb_cow_data(skb, 0, &trailer)) < 0)
169 		goto out;
170 	nfrags = err;
171 
172 	skb_push(skb, -skb_network_offset(skb));
173 	ah = ip_auth_hdr(skb);
174 	ihl = ip_hdrlen(skb);
175 
176 	if (x->props.flags & XFRM_STATE_ESN) {
177 		sglists = 1;
178 		seqhi_len = sizeof(*seqhi);
179 	}
180 	err = -ENOMEM;
181 	iph = ah_alloc_tmp(ahash, nfrags + sglists, ihl + seqhi_len);
182 	if (!iph)
183 		goto out;
184 	seqhi = (__be32 *)((char *)iph + ihl);
185 	icv = ah_tmp_icv(ahash, seqhi, seqhi_len);
186 	req = ah_tmp_req(ahash, icv);
187 	sg = ah_req_sg(ahash, req);
188 	seqhisg = sg + nfrags;
189 
190 	memset(ah->auth_data, 0, ahp->icv_trunc_len);
191 
192 	top_iph = ip_hdr(skb);
193 
194 	iph->tos = top_iph->tos;
195 	iph->ttl = top_iph->ttl;
196 	iph->frag_off = top_iph->frag_off;
197 
198 	if (top_iph->ihl != 5) {
199 		iph->daddr = top_iph->daddr;
200 		memcpy(iph+1, top_iph+1, top_iph->ihl*4 - sizeof(struct iphdr));
201 		err = ip_clear_mutable_options(top_iph, &top_iph->daddr);
202 		if (err)
203 			goto out_free;
204 	}
205 
206 	ah->nexthdr = *skb_mac_header(skb);
207 	*skb_mac_header(skb) = IPPROTO_AH;
208 
209 	top_iph->tos = 0;
210 	top_iph->tot_len = htons(skb->len);
211 	top_iph->frag_off = 0;
212 	top_iph->ttl = 0;
213 	top_iph->check = 0;
214 
215 	if (x->props.flags & XFRM_STATE_ALIGN4)
216 		ah->hdrlen  = (XFRM_ALIGN4(sizeof(*ah) + ahp->icv_trunc_len) >> 2) - 2;
217 	else
218 		ah->hdrlen  = (XFRM_ALIGN8(sizeof(*ah) + ahp->icv_trunc_len) >> 2) - 2;
219 
220 	ah->reserved = 0;
221 	ah->spi = x->id.spi;
222 	ah->seq_no = htonl(XFRM_SKB_CB(skb)->seq.output.low);
223 
224 	sg_init_table(sg, nfrags + sglists);
225 	err = skb_to_sgvec_nomark(skb, sg, 0, skb->len);
226 	if (unlikely(err < 0))
227 		goto out_free;
228 
229 	if (x->props.flags & XFRM_STATE_ESN) {
230 		/* Attach seqhi sg right after packet payload */
231 		*seqhi = htonl(XFRM_SKB_CB(skb)->seq.output.hi);
232 		sg_set_buf(seqhisg, seqhi, seqhi_len);
233 	}
234 	ahash_request_set_crypt(req, sg, icv, skb->len + seqhi_len);
235 	ahash_request_set_callback(req, 0, ah_output_done, skb);
236 
237 	AH_SKB_CB(skb)->tmp = iph;
238 
239 	err = crypto_ahash_digest(req);
240 	if (err) {
241 		if (err == -EINPROGRESS)
242 			goto out;
243 
244 		if (err == -ENOSPC)
245 			err = NET_XMIT_DROP;
246 		goto out_free;
247 	}
248 
249 	memcpy(ah->auth_data, icv, ahp->icv_trunc_len);
250 
251 	top_iph->tos = iph->tos;
252 	top_iph->ttl = iph->ttl;
253 	top_iph->frag_off = iph->frag_off;
254 	if (top_iph->ihl != 5) {
255 		top_iph->daddr = iph->daddr;
256 		memcpy(top_iph+1, iph+1, top_iph->ihl*4 - sizeof(struct iphdr));
257 	}
258 
259 out_free:
260 	kfree(iph);
261 out:
262 	return err;
263 }
264 
265 static void ah_input_done(struct crypto_async_request *base, int err)
266 {
267 	u8 *auth_data;
268 	u8 *icv;
269 	struct iphdr *work_iph;
270 	struct sk_buff *skb = base->data;
271 	struct xfrm_state *x = xfrm_input_state(skb);
272 	struct ah_data *ahp = x->data;
273 	struct ip_auth_hdr *ah = ip_auth_hdr(skb);
274 	int ihl = ip_hdrlen(skb);
275 	int ah_hlen = (ah->hdrlen + 2) << 2;
276 
277 	if (err)
278 		goto out;
279 
280 	work_iph = AH_SKB_CB(skb)->tmp;
281 	auth_data = ah_tmp_auth(work_iph, ihl);
282 	icv = ah_tmp_icv(ahp->ahash, auth_data, ahp->icv_trunc_len);
283 
284 	err = crypto_memneq(icv, auth_data, ahp->icv_trunc_len) ? -EBADMSG : 0;
285 	if (err)
286 		goto out;
287 
288 	err = ah->nexthdr;
289 
290 	skb->network_header += ah_hlen;
291 	memcpy(skb_network_header(skb), work_iph, ihl);
292 	__skb_pull(skb, ah_hlen + ihl);
293 
294 	if (x->props.mode == XFRM_MODE_TUNNEL)
295 		skb_reset_transport_header(skb);
296 	else
297 		skb_set_transport_header(skb, -ihl);
298 out:
299 	kfree(AH_SKB_CB(skb)->tmp);
300 	xfrm_input_resume(skb, err);
301 }
302 
303 static int ah_input(struct xfrm_state *x, struct sk_buff *skb)
304 {
305 	int ah_hlen;
306 	int ihl;
307 	int nexthdr;
308 	int nfrags;
309 	u8 *auth_data;
310 	u8 *icv;
311 	struct sk_buff *trailer;
312 	struct crypto_ahash *ahash;
313 	struct ahash_request *req;
314 	struct scatterlist *sg;
315 	struct iphdr *iph, *work_iph;
316 	struct ip_auth_hdr *ah;
317 	struct ah_data *ahp;
318 	int err = -ENOMEM;
319 	int seqhi_len = 0;
320 	__be32 *seqhi;
321 	int sglists = 0;
322 	struct scatterlist *seqhisg;
323 
324 	if (!pskb_may_pull(skb, sizeof(*ah)))
325 		goto out;
326 
327 	ah = (struct ip_auth_hdr *)skb->data;
328 	ahp = x->data;
329 	ahash = ahp->ahash;
330 
331 	nexthdr = ah->nexthdr;
332 	ah_hlen = (ah->hdrlen + 2) << 2;
333 
334 	if (x->props.flags & XFRM_STATE_ALIGN4) {
335 		if (ah_hlen != XFRM_ALIGN4(sizeof(*ah) + ahp->icv_full_len) &&
336 		    ah_hlen != XFRM_ALIGN4(sizeof(*ah) + ahp->icv_trunc_len))
337 			goto out;
338 	} else {
339 		if (ah_hlen != XFRM_ALIGN8(sizeof(*ah) + ahp->icv_full_len) &&
340 		    ah_hlen != XFRM_ALIGN8(sizeof(*ah) + ahp->icv_trunc_len))
341 			goto out;
342 	}
343 
344 	if (!pskb_may_pull(skb, ah_hlen))
345 		goto out;
346 
347 	/* We are going to _remove_ AH header to keep sockets happy,
348 	 * so... Later this can change. */
349 	if (skb_unclone(skb, GFP_ATOMIC))
350 		goto out;
351 
352 	skb->ip_summed = CHECKSUM_NONE;
353 
354 
355 	if ((err = skb_cow_data(skb, 0, &trailer)) < 0)
356 		goto out;
357 	nfrags = err;
358 
359 	ah = (struct ip_auth_hdr *)skb->data;
360 	iph = ip_hdr(skb);
361 	ihl = ip_hdrlen(skb);
362 
363 	if (x->props.flags & XFRM_STATE_ESN) {
364 		sglists = 1;
365 		seqhi_len = sizeof(*seqhi);
366 	}
367 
368 	work_iph = ah_alloc_tmp(ahash, nfrags + sglists, ihl +
369 				ahp->icv_trunc_len + seqhi_len);
370 	if (!work_iph) {
371 		err = -ENOMEM;
372 		goto out;
373 	}
374 
375 	seqhi = (__be32 *)((char *)work_iph + ihl);
376 	auth_data = ah_tmp_auth(seqhi, seqhi_len);
377 	icv = ah_tmp_icv(ahash, auth_data, ahp->icv_trunc_len);
378 	req = ah_tmp_req(ahash, icv);
379 	sg = ah_req_sg(ahash, req);
380 	seqhisg = sg + nfrags;
381 
382 	memcpy(work_iph, iph, ihl);
383 	memcpy(auth_data, ah->auth_data, ahp->icv_trunc_len);
384 	memset(ah->auth_data, 0, ahp->icv_trunc_len);
385 
386 	iph->ttl = 0;
387 	iph->tos = 0;
388 	iph->frag_off = 0;
389 	iph->check = 0;
390 	if (ihl > sizeof(*iph)) {
391 		__be32 dummy;
392 		err = ip_clear_mutable_options(iph, &dummy);
393 		if (err)
394 			goto out_free;
395 	}
396 
397 	skb_push(skb, ihl);
398 
399 	sg_init_table(sg, nfrags + sglists);
400 	err = skb_to_sgvec_nomark(skb, sg, 0, skb->len);
401 	if (unlikely(err < 0))
402 		goto out_free;
403 
404 	if (x->props.flags & XFRM_STATE_ESN) {
405 		/* Attach seqhi sg right after packet payload */
406 		*seqhi = XFRM_SKB_CB(skb)->seq.input.hi;
407 		sg_set_buf(seqhisg, seqhi, seqhi_len);
408 	}
409 	ahash_request_set_crypt(req, sg, icv, skb->len + seqhi_len);
410 	ahash_request_set_callback(req, 0, ah_input_done, skb);
411 
412 	AH_SKB_CB(skb)->tmp = work_iph;
413 
414 	err = crypto_ahash_digest(req);
415 	if (err) {
416 		if (err == -EINPROGRESS)
417 			goto out;
418 
419 		goto out_free;
420 	}
421 
422 	err = crypto_memneq(icv, auth_data, ahp->icv_trunc_len) ? -EBADMSG : 0;
423 	if (err)
424 		goto out_free;
425 
426 	skb->network_header += ah_hlen;
427 	memcpy(skb_network_header(skb), work_iph, ihl);
428 	__skb_pull(skb, ah_hlen + ihl);
429 	if (x->props.mode == XFRM_MODE_TUNNEL)
430 		skb_reset_transport_header(skb);
431 	else
432 		skb_set_transport_header(skb, -ihl);
433 
434 	err = nexthdr;
435 
436 out_free:
437 	kfree (work_iph);
438 out:
439 	return err;
440 }
441 
442 static int ah4_err(struct sk_buff *skb, u32 info)
443 {
444 	struct net *net = dev_net(skb->dev);
445 	const struct iphdr *iph = (const struct iphdr *)skb->data;
446 	struct ip_auth_hdr *ah = (struct ip_auth_hdr *)(skb->data+(iph->ihl<<2));
447 	struct xfrm_state *x;
448 
449 	switch (icmp_hdr(skb)->type) {
450 	case ICMP_DEST_UNREACH:
451 		if (icmp_hdr(skb)->code != ICMP_FRAG_NEEDED)
452 			return 0;
453 		break;
454 	case ICMP_REDIRECT:
455 		break;
456 	default:
457 		return 0;
458 	}
459 
460 	x = xfrm_state_lookup(net, skb->mark, (const xfrm_address_t *)&iph->daddr,
461 			      ah->spi, IPPROTO_AH, AF_INET);
462 	if (!x)
463 		return 0;
464 
465 	if (icmp_hdr(skb)->type == ICMP_DEST_UNREACH)
466 		ipv4_update_pmtu(skb, net, info, 0, IPPROTO_AH);
467 	else
468 		ipv4_redirect(skb, net, 0, IPPROTO_AH);
469 	xfrm_state_put(x);
470 
471 	return 0;
472 }
473 
474 static int ah_init_state(struct xfrm_state *x, struct netlink_ext_ack *extack)
475 {
476 	struct ah_data *ahp = NULL;
477 	struct xfrm_algo_desc *aalg_desc;
478 	struct crypto_ahash *ahash;
479 
480 	if (!x->aalg) {
481 		NL_SET_ERR_MSG(extack, "AH requires a state with an AUTH algorithm");
482 		goto error;
483 	}
484 
485 	if (x->encap) {
486 		NL_SET_ERR_MSG(extack, "AH is not compatible with encapsulation");
487 		goto error;
488 	}
489 
490 	ahp = kzalloc(sizeof(*ahp), GFP_KERNEL);
491 	if (!ahp)
492 		return -ENOMEM;
493 
494 	ahash = crypto_alloc_ahash(x->aalg->alg_name, 0, 0);
495 	if (IS_ERR(ahash)) {
496 		NL_SET_ERR_MSG(extack, "Kernel was unable to initialize cryptographic operations");
497 		goto error;
498 	}
499 
500 	ahp->ahash = ahash;
501 	if (crypto_ahash_setkey(ahash, x->aalg->alg_key,
502 				(x->aalg->alg_key_len + 7) / 8)) {
503 		NL_SET_ERR_MSG(extack, "Kernel was unable to initialize cryptographic operations");
504 		goto error;
505 	}
506 
507 	/*
508 	 * Lookup the algorithm description maintained by xfrm_algo,
509 	 * verify crypto transform properties, and store information
510 	 * we need for AH processing.  This lookup cannot fail here
511 	 * after a successful crypto_alloc_ahash().
512 	 */
513 	aalg_desc = xfrm_aalg_get_byname(x->aalg->alg_name, 0);
514 	BUG_ON(!aalg_desc);
515 
516 	if (aalg_desc->uinfo.auth.icv_fullbits/8 !=
517 	    crypto_ahash_digestsize(ahash)) {
518 		NL_SET_ERR_MSG(extack, "Kernel was unable to initialize cryptographic operations");
519 		goto error;
520 	}
521 
522 	ahp->icv_full_len = aalg_desc->uinfo.auth.icv_fullbits/8;
523 	ahp->icv_trunc_len = x->aalg->alg_trunc_len/8;
524 
525 	if (x->props.flags & XFRM_STATE_ALIGN4)
526 		x->props.header_len = XFRM_ALIGN4(sizeof(struct ip_auth_hdr) +
527 						  ahp->icv_trunc_len);
528 	else
529 		x->props.header_len = XFRM_ALIGN8(sizeof(struct ip_auth_hdr) +
530 						  ahp->icv_trunc_len);
531 	if (x->props.mode == XFRM_MODE_TUNNEL)
532 		x->props.header_len += sizeof(struct iphdr);
533 	x->data = ahp;
534 
535 	return 0;
536 
537 error:
538 	if (ahp) {
539 		crypto_free_ahash(ahp->ahash);
540 		kfree(ahp);
541 	}
542 	return -EINVAL;
543 }
544 
545 static void ah_destroy(struct xfrm_state *x)
546 {
547 	struct ah_data *ahp = x->data;
548 
549 	if (!ahp)
550 		return;
551 
552 	crypto_free_ahash(ahp->ahash);
553 	kfree(ahp);
554 }
555 
556 static int ah4_rcv_cb(struct sk_buff *skb, int err)
557 {
558 	return 0;
559 }
560 
561 static const struct xfrm_type ah_type =
562 {
563 	.owner		= THIS_MODULE,
564 	.proto	     	= IPPROTO_AH,
565 	.flags		= XFRM_TYPE_REPLAY_PROT,
566 	.init_state	= ah_init_state,
567 	.destructor	= ah_destroy,
568 	.input		= ah_input,
569 	.output		= ah_output
570 };
571 
572 static struct xfrm4_protocol ah4_protocol = {
573 	.handler	=	xfrm4_rcv,
574 	.input_handler	=	xfrm_input,
575 	.cb_handler	=	ah4_rcv_cb,
576 	.err_handler	=	ah4_err,
577 	.priority	=	0,
578 };
579 
580 static int __init ah4_init(void)
581 {
582 	if (xfrm_register_type(&ah_type, AF_INET) < 0) {
583 		pr_info("%s: can't add xfrm type\n", __func__);
584 		return -EAGAIN;
585 	}
586 	if (xfrm4_protocol_register(&ah4_protocol, IPPROTO_AH) < 0) {
587 		pr_info("%s: can't add protocol\n", __func__);
588 		xfrm_unregister_type(&ah_type, AF_INET);
589 		return -EAGAIN;
590 	}
591 	return 0;
592 }
593 
594 static void __exit ah4_fini(void)
595 {
596 	if (xfrm4_protocol_deregister(&ah4_protocol, IPPROTO_AH) < 0)
597 		pr_info("%s: can't remove protocol\n", __func__);
598 	xfrm_unregister_type(&ah_type, AF_INET);
599 }
600 
601 module_init(ah4_init);
602 module_exit(ah4_fini);
603 MODULE_LICENSE("GPL");
604 MODULE_ALIAS_XFRM_TYPE(AF_INET, XFRM_PROTO_AH);
605