xref: /linux/net/ipv4/esp4_offload.c (revision 37744feebc086908fd89760650f458ab19071750)
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * IPV4 GSO/GRO offload support
4  * Linux INET implementation
5  *
6  * Copyright (C) 2016 secunet Security Networks AG
7  * Author: Steffen Klassert <steffen.klassert@secunet.com>
8  *
9  * ESP GRO support
10  */
11 
12 #include <linux/skbuff.h>
13 #include <linux/init.h>
14 #include <net/protocol.h>
15 #include <crypto/aead.h>
16 #include <crypto/authenc.h>
17 #include <linux/err.h>
18 #include <linux/module.h>
19 #include <net/ip.h>
20 #include <net/xfrm.h>
21 #include <net/esp.h>
22 #include <linux/scatterlist.h>
23 #include <linux/kernel.h>
24 #include <linux/slab.h>
25 #include <linux/spinlock.h>
26 #include <net/udp.h>
27 
28 static struct sk_buff *esp4_gro_receive(struct list_head *head,
29 					struct sk_buff *skb)
30 {
31 	int offset = skb_gro_offset(skb);
32 	struct xfrm_offload *xo;
33 	struct xfrm_state *x;
34 	__be32 seq;
35 	__be32 spi;
36 	int err;
37 
38 	if (!pskb_pull(skb, offset))
39 		return NULL;
40 
41 	if ((err = xfrm_parse_spi(skb, IPPROTO_ESP, &spi, &seq)) != 0)
42 		goto out;
43 
44 	xo = xfrm_offload(skb);
45 	if (!xo || !(xo->flags & CRYPTO_DONE)) {
46 		struct sec_path *sp = secpath_set(skb);
47 
48 		if (!sp)
49 			goto out;
50 
51 		if (sp->len == XFRM_MAX_DEPTH)
52 			goto out_reset;
53 
54 		x = xfrm_state_lookup(dev_net(skb->dev), skb->mark,
55 				      (xfrm_address_t *)&ip_hdr(skb)->daddr,
56 				      spi, IPPROTO_ESP, AF_INET);
57 		if (!x)
58 			goto out_reset;
59 
60 		skb->mark = xfrm_smark_get(skb->mark, x);
61 
62 		sp->xvec[sp->len++] = x;
63 		sp->olen++;
64 
65 		xo = xfrm_offload(skb);
66 		if (!xo)
67 			goto out_reset;
68 	}
69 
70 	xo->flags |= XFRM_GRO;
71 
72 	XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4 = NULL;
73 	XFRM_SPI_SKB_CB(skb)->family = AF_INET;
74 	XFRM_SPI_SKB_CB(skb)->daddroff = offsetof(struct iphdr, daddr);
75 	XFRM_SPI_SKB_CB(skb)->seq = seq;
76 
77 	/* We don't need to handle errors from xfrm_input, it does all
78 	 * the error handling and frees the resources on error. */
79 	xfrm_input(skb, IPPROTO_ESP, spi, -2);
80 
81 	return ERR_PTR(-EINPROGRESS);
82 out_reset:
83 	secpath_reset(skb);
84 out:
85 	skb_push(skb, offset);
86 	NAPI_GRO_CB(skb)->same_flow = 0;
87 	NAPI_GRO_CB(skb)->flush = 1;
88 
89 	return NULL;
90 }
91 
92 static void esp4_gso_encap(struct xfrm_state *x, struct sk_buff *skb)
93 {
94 	struct ip_esp_hdr *esph;
95 	struct iphdr *iph = ip_hdr(skb);
96 	struct xfrm_offload *xo = xfrm_offload(skb);
97 	int proto = iph->protocol;
98 
99 	skb_push(skb, -skb_network_offset(skb));
100 	esph = ip_esp_hdr(skb);
101 	*skb_mac_header(skb) = IPPROTO_ESP;
102 
103 	esph->spi = x->id.spi;
104 	esph->seq_no = htonl(XFRM_SKB_CB(skb)->seq.output.low);
105 
106 	xo->proto = proto;
107 }
108 
109 static struct sk_buff *xfrm4_tunnel_gso_segment(struct xfrm_state *x,
110 						struct sk_buff *skb,
111 						netdev_features_t features)
112 {
113 	__skb_push(skb, skb->mac_len);
114 	return skb_mac_gso_segment(skb, features);
115 }
116 
117 static struct sk_buff *xfrm4_transport_gso_segment(struct xfrm_state *x,
118 						   struct sk_buff *skb,
119 						   netdev_features_t features)
120 {
121 	const struct net_offload *ops;
122 	struct sk_buff *segs = ERR_PTR(-EINVAL);
123 	struct xfrm_offload *xo = xfrm_offload(skb);
124 
125 	skb->transport_header += x->props.header_len;
126 	ops = rcu_dereference(inet_offloads[xo->proto]);
127 	if (likely(ops && ops->callbacks.gso_segment))
128 		segs = ops->callbacks.gso_segment(skb, features);
129 
130 	return segs;
131 }
132 
133 static struct sk_buff *xfrm4_beet_gso_segment(struct xfrm_state *x,
134 					      struct sk_buff *skb,
135 					      netdev_features_t features)
136 {
137 	struct xfrm_offload *xo = xfrm_offload(skb);
138 	struct sk_buff *segs = ERR_PTR(-EINVAL);
139 	const struct net_offload *ops;
140 	u8 proto = xo->proto;
141 
142 	skb->transport_header += x->props.header_len;
143 
144 	if (x->sel.family != AF_INET6) {
145 		if (proto == IPPROTO_BEETPH) {
146 			struct ip_beet_phdr *ph =
147 				(struct ip_beet_phdr *)skb->data;
148 
149 			skb->transport_header += ph->hdrlen * 8;
150 			proto = ph->nexthdr;
151 		} else {
152 			skb->transport_header -= IPV4_BEET_PHMAXLEN;
153 		}
154 	} else {
155 		__be16 frag;
156 
157 		skb->transport_header +=
158 			ipv6_skip_exthdr(skb, 0, &proto, &frag);
159 		if (proto == IPPROTO_TCP)
160 			skb_shinfo(skb)->gso_type |= SKB_GSO_TCPV4;
161 	}
162 
163 	__skb_pull(skb, skb_transport_offset(skb));
164 	ops = rcu_dereference(inet_offloads[proto]);
165 	if (likely(ops && ops->callbacks.gso_segment))
166 		segs = ops->callbacks.gso_segment(skb, features);
167 
168 	return segs;
169 }
170 
171 static struct sk_buff *xfrm4_outer_mode_gso_segment(struct xfrm_state *x,
172 						    struct sk_buff *skb,
173 						    netdev_features_t features)
174 {
175 	switch (x->outer_mode.encap) {
176 	case XFRM_MODE_TUNNEL:
177 		return xfrm4_tunnel_gso_segment(x, skb, features);
178 	case XFRM_MODE_TRANSPORT:
179 		return xfrm4_transport_gso_segment(x, skb, features);
180 	case XFRM_MODE_BEET:
181 		return xfrm4_beet_gso_segment(x, skb, features);
182 	}
183 
184 	return ERR_PTR(-EOPNOTSUPP);
185 }
186 
187 static struct sk_buff *esp4_gso_segment(struct sk_buff *skb,
188 				        netdev_features_t features)
189 {
190 	struct xfrm_state *x;
191 	struct ip_esp_hdr *esph;
192 	struct crypto_aead *aead;
193 	netdev_features_t esp_features = features;
194 	struct xfrm_offload *xo = xfrm_offload(skb);
195 	struct sec_path *sp;
196 
197 	if (!xo)
198 		return ERR_PTR(-EINVAL);
199 
200 	if (!(skb_shinfo(skb)->gso_type & SKB_GSO_ESP))
201 		return ERR_PTR(-EINVAL);
202 
203 	sp = skb_sec_path(skb);
204 	x = sp->xvec[sp->len - 1];
205 	aead = x->data;
206 	esph = ip_esp_hdr(skb);
207 
208 	if (esph->spi != x->id.spi)
209 		return ERR_PTR(-EINVAL);
210 
211 	if (!pskb_may_pull(skb, sizeof(*esph) + crypto_aead_ivsize(aead)))
212 		return ERR_PTR(-EINVAL);
213 
214 	__skb_pull(skb, sizeof(*esph) + crypto_aead_ivsize(aead));
215 
216 	skb->encap_hdr_csum = 1;
217 
218 	if ((!(skb->dev->gso_partial_features & NETIF_F_HW_ESP) &&
219 	     !(features & NETIF_F_HW_ESP)) || x->xso.dev != skb->dev)
220 		esp_features = features & ~(NETIF_F_SG | NETIF_F_CSUM_MASK);
221 	else if (!(features & NETIF_F_HW_ESP_TX_CSUM) &&
222 		 !(skb->dev->gso_partial_features & NETIF_F_HW_ESP_TX_CSUM))
223 		esp_features = features & ~NETIF_F_CSUM_MASK;
224 
225 	xo->flags |= XFRM_GSO_SEGMENT;
226 
227 	return xfrm4_outer_mode_gso_segment(x, skb, esp_features);
228 }
229 
230 static int esp_input_tail(struct xfrm_state *x, struct sk_buff *skb)
231 {
232 	struct crypto_aead *aead = x->data;
233 	struct xfrm_offload *xo = xfrm_offload(skb);
234 
235 	if (!pskb_may_pull(skb, sizeof(struct ip_esp_hdr) + crypto_aead_ivsize(aead)))
236 		return -EINVAL;
237 
238 	if (!(xo->flags & CRYPTO_DONE))
239 		skb->ip_summed = CHECKSUM_NONE;
240 
241 	return esp_input_done2(skb, 0);
242 }
243 
244 static int esp_xmit(struct xfrm_state *x, struct sk_buff *skb,  netdev_features_t features)
245 {
246 	int err;
247 	int alen;
248 	int blksize;
249 	struct xfrm_offload *xo;
250 	struct ip_esp_hdr *esph;
251 	struct crypto_aead *aead;
252 	struct esp_info esp;
253 	bool hw_offload = true;
254 	__u32 seq;
255 
256 	esp.inplace = true;
257 
258 	xo = xfrm_offload(skb);
259 
260 	if (!xo)
261 		return -EINVAL;
262 
263 	if ((!(features & NETIF_F_HW_ESP) &&
264 	     !(skb->dev->gso_partial_features & NETIF_F_HW_ESP)) ||
265 	    x->xso.dev != skb->dev) {
266 		xo->flags |= CRYPTO_FALLBACK;
267 		hw_offload = false;
268 	}
269 
270 	esp.proto = xo->proto;
271 
272 	/* skb is pure payload to encrypt */
273 
274 	aead = x->data;
275 	alen = crypto_aead_authsize(aead);
276 
277 	esp.tfclen = 0;
278 	/* XXX: Add support for tfc padding here. */
279 
280 	blksize = ALIGN(crypto_aead_blocksize(aead), 4);
281 	esp.clen = ALIGN(skb->len + 2 + esp.tfclen, blksize);
282 	esp.plen = esp.clen - skb->len - esp.tfclen;
283 	esp.tailen = esp.tfclen + esp.plen + alen;
284 
285 	esp.esph = ip_esp_hdr(skb);
286 
287 
288 	if (!hw_offload || (hw_offload && !skb_is_gso(skb))) {
289 		esp.nfrags = esp_output_head(x, skb, &esp);
290 		if (esp.nfrags < 0)
291 			return esp.nfrags;
292 	}
293 
294 	seq = xo->seq.low;
295 
296 	esph = esp.esph;
297 	esph->spi = x->id.spi;
298 
299 	skb_push(skb, -skb_network_offset(skb));
300 
301 	if (xo->flags & XFRM_GSO_SEGMENT) {
302 		esph->seq_no = htonl(seq);
303 
304 		if (!skb_is_gso(skb))
305 			xo->seq.low++;
306 		else
307 			xo->seq.low += skb_shinfo(skb)->gso_segs;
308 	}
309 
310 	esp.seqno = cpu_to_be64(seq + ((u64)xo->seq.hi << 32));
311 
312 	ip_hdr(skb)->tot_len = htons(skb->len);
313 	ip_send_check(ip_hdr(skb));
314 
315 	if (hw_offload)
316 		return 0;
317 
318 	err = esp_output_tail(x, skb, &esp);
319 	if (err)
320 		return err;
321 
322 	secpath_reset(skb);
323 
324 	return 0;
325 }
326 
327 static const struct net_offload esp4_offload = {
328 	.callbacks = {
329 		.gro_receive = esp4_gro_receive,
330 		.gso_segment = esp4_gso_segment,
331 	},
332 };
333 
334 static const struct xfrm_type_offload esp_type_offload = {
335 	.description	= "ESP4 OFFLOAD",
336 	.owner		= THIS_MODULE,
337 	.proto	     	= IPPROTO_ESP,
338 	.input_tail	= esp_input_tail,
339 	.xmit		= esp_xmit,
340 	.encap		= esp4_gso_encap,
341 };
342 
343 static int __init esp4_offload_init(void)
344 {
345 	if (xfrm_register_type_offload(&esp_type_offload, AF_INET) < 0) {
346 		pr_info("%s: can't add xfrm type offload\n", __func__);
347 		return -EAGAIN;
348 	}
349 
350 	return inet_add_offload(&esp4_offload, IPPROTO_ESP);
351 }
352 
353 static void __exit esp4_offload_exit(void)
354 {
355 	xfrm_unregister_type_offload(&esp_type_offload, AF_INET);
356 	inet_del_offload(&esp4_offload, IPPROTO_ESP);
357 }
358 
359 module_init(esp4_offload_init);
360 module_exit(esp4_offload_exit);
361 MODULE_LICENSE("GPL");
362 MODULE_AUTHOR("Steffen Klassert <steffen.klassert@secunet.com>");
363 MODULE_ALIAS_XFRM_OFFLOAD_TYPE(AF_INET, XFRM_PROTO_ESP);
364