xref: /linux/net/ipv4/xfrm4_input.c (revision 2b8232ce512105e28453f301d1510de8363bccd1) 
1 /*
2  * xfrm4_input.c
3  *
4  * Changes:
5  *	YOSHIFUJI Hideaki @USAGI
6  *		Split up af-specific portion
7  *	Derek Atkins <derek@ihtfp.com>
8  *		Add Encapsulation support
9  *
10  */
11 
12 #include <linux/module.h>
13 #include <linux/string.h>
14 #include <linux/netfilter.h>
15 #include <linux/netfilter_ipv4.h>
16 #include <net/ip.h>
17 #include <net/xfrm.h>
18 
19 static int xfrm4_parse_spi(struct sk_buff *skb, u8 nexthdr, __be32 *spi, __be32 *seq)
20 {
21 	switch (nexthdr) {
22 	case IPPROTO_IPIP:
23 	case IPPROTO_IPV6:
24 		*spi = ip_hdr(skb)->saddr;
25 		*seq = 0;
26 		return 0;
27 	}
28 
29 	return xfrm_parse_spi(skb, nexthdr, spi, seq);
30 }
31 
32 #ifdef CONFIG_NETFILTER
33 static inline int xfrm4_rcv_encap_finish(struct sk_buff *skb)
34 {
35 	if (skb->dst == NULL) {
36 		const struct iphdr *iph = ip_hdr(skb);
37 
38 		if (ip_route_input(skb, iph->daddr, iph->saddr, iph->tos,
39 				   skb->dev))
40 			goto drop;
41 	}
42 	return dst_input(skb);
43 drop:
44 	kfree_skb(skb);
45 	return NET_RX_DROP;
46 }
47 #endif
48 
49 static int xfrm4_rcv_encap(struct sk_buff *skb, __u16 encap_type)
50 {
51 	__be32 spi, seq;
52 	struct xfrm_state *xfrm_vec[XFRM_MAX_DEPTH];
53 	struct xfrm_state *x;
54 	int xfrm_nr = 0;
55 	int decaps = 0;
56 	int err = xfrm4_parse_spi(skb, ip_hdr(skb)->protocol, &spi, &seq);
57 	unsigned int nhoff = offsetof(struct iphdr, protocol);
58 
59 	if (err != 0)
60 		goto drop;
61 
62 	do {
63 		const struct iphdr *iph = ip_hdr(skb);
64 		int nexthdr;
65 
66 		if (xfrm_nr == XFRM_MAX_DEPTH)
67 			goto drop;
68 
69 		x = xfrm_state_lookup((xfrm_address_t *)&iph->daddr, spi,
70 				iph->protocol != IPPROTO_IPV6 ? iph->protocol : IPPROTO_IPIP, AF_INET);
71 		if (x == NULL)
72 			goto drop;
73 
74 		spin_lock(&x->lock);
75 		if (unlikely(x->km.state != XFRM_STATE_VALID))
76 			goto drop_unlock;
77 
78 		if ((x->encap ? x->encap->encap_type : 0) != encap_type)
79 			goto drop_unlock;
80 
81 		if (x->props.replay_window && xfrm_replay_check(x, seq))
82 			goto drop_unlock;
83 
84 		if (xfrm_state_check_expire(x))
85 			goto drop_unlock;
86 
87 		nexthdr = x->type->input(x, skb);
88 		if (nexthdr <= 0)
89 			goto drop_unlock;
90 
91 		skb_network_header(skb)[nhoff] = nexthdr;
92 
93 		/* only the first xfrm gets the encap type */
94 		encap_type = 0;
95 
96 		if (x->props.replay_window)
97 			xfrm_replay_advance(x, seq);
98 
99 		x->curlft.bytes += skb->len;
100 		x->curlft.packets++;
101 
102 		spin_unlock(&x->lock);
103 
104 		xfrm_vec[xfrm_nr++] = x;
105 
106 		if (x->mode->input(x, skb))
107 			goto drop;
108 
109 		if (x->props.mode == XFRM_MODE_TUNNEL) {
110 			decaps = 1;
111 			break;
112 		}
113 
114 		err = xfrm_parse_spi(skb, ip_hdr(skb)->protocol, &spi, &seq);
115 		if (err < 0)
116 			goto drop;
117 	} while (!err);
118 
119 	/* Allocate new secpath or COW existing one. */
120 
121 	if (!skb->sp || atomic_read(&skb->sp->refcnt) != 1) {
122 		struct sec_path *sp;
123 		sp = secpath_dup(skb->sp);
124 		if (!sp)
125 			goto drop;
126 		if (skb->sp)
127 			secpath_put(skb->sp);
128 		skb->sp = sp;
129 	}
130 	if (xfrm_nr + skb->sp->len > XFRM_MAX_DEPTH)
131 		goto drop;
132 
133 	memcpy(skb->sp->xvec + skb->sp->len, xfrm_vec,
134 	       xfrm_nr * sizeof(xfrm_vec[0]));
135 	skb->sp->len += xfrm_nr;
136 
137 	nf_reset(skb);
138 
139 	if (decaps) {
140 		dst_release(skb->dst);
141 		skb->dst = NULL;
142 		netif_rx(skb);
143 		return 0;
144 	} else {
145 #ifdef CONFIG_NETFILTER
146 		__skb_push(skb, skb->data - skb_network_header(skb));
147 		ip_hdr(skb)->tot_len = htons(skb->len);
148 		ip_send_check(ip_hdr(skb));
149 
150 		NF_HOOK(PF_INET, NF_IP_PRE_ROUTING, skb, skb->dev, NULL,
151 			xfrm4_rcv_encap_finish);
152 		return 0;
153 #else
154 		return -ip_hdr(skb)->protocol;
155 #endif
156 	}
157 
158 drop_unlock:
159 	spin_unlock(&x->lock);
160 	xfrm_state_put(x);
161 drop:
162 	while (--xfrm_nr >= 0)
163 		xfrm_state_put(xfrm_vec[xfrm_nr]);
164 
165 	kfree_skb(skb);
166 	return 0;
167 }
168 
169 /* If it's a keepalive packet, then just eat it.
170  * If it's an encapsulated packet, then pass it to the
171  * IPsec xfrm input.
172  * Returns 0 if skb passed to xfrm or was dropped.
173  * Returns >0 if skb should be passed to UDP.
174  * Returns <0 if skb should be resubmitted (-ret is protocol)
175  */
176 int xfrm4_udp_encap_rcv(struct sock *sk, struct sk_buff *skb)
177 {
178 	struct udp_sock *up = udp_sk(sk);
179 	struct udphdr *uh;
180 	struct iphdr *iph;
181 	int iphlen, len;
182 	int ret;
183 
184 	__u8 *udpdata;
185 	__be32 *udpdata32;
186 	__u16 encap_type = up->encap_type;
187 
188 	/* if this is not encapsulated socket, then just return now */
189 	if (!encap_type)
190 		return 1;
191 
192 	/* If this is a paged skb, make sure we pull up
193 	 * whatever data we need to look at. */
194 	len = skb->len - sizeof(struct udphdr);
195 	if (!pskb_may_pull(skb, sizeof(struct udphdr) + min(len, 8)))
196 		return 1;
197 
198 	/* Now we can get the pointers */
199 	uh = udp_hdr(skb);
200 	udpdata = (__u8 *)uh + sizeof(struct udphdr);
201 	udpdata32 = (__be32 *)udpdata;
202 
203 	switch (encap_type) {
204 	default:
205 	case UDP_ENCAP_ESPINUDP:
206 		/* Check if this is a keepalive packet.  If so, eat it. */
207 		if (len == 1 && udpdata[0] == 0xff) {
208 			goto drop;
209 		} else if (len > sizeof(struct ip_esp_hdr) && udpdata32[0] != 0) {
210 			/* ESP Packet without Non-ESP header */
211 			len = sizeof(struct udphdr);
212 		} else
213 			/* Must be an IKE packet.. pass it through */
214 			return 1;
215 		break;
216 	case UDP_ENCAP_ESPINUDP_NON_IKE:
217 		/* Check if this is a keepalive packet.  If so, eat it. */
218 		if (len == 1 && udpdata[0] == 0xff) {
219 			goto drop;
220 		} else if (len > 2 * sizeof(u32) + sizeof(struct ip_esp_hdr) &&
221 			   udpdata32[0] == 0 && udpdata32[1] == 0) {
222 
223 			/* ESP Packet with Non-IKE marker */
224 			len = sizeof(struct udphdr) + 2 * sizeof(u32);
225 		} else
226 			/* Must be an IKE packet.. pass it through */
227 			return 1;
228 		break;
229 	}
230 
231 	/* At this point we are sure that this is an ESPinUDP packet,
232 	 * so we need to remove 'len' bytes from the packet (the UDP
233 	 * header and optional ESP marker bytes) and then modify the
234 	 * protocol to ESP, and then call into the transform receiver.
235 	 */
236 	if (skb_cloned(skb) && pskb_expand_head(skb, 0, 0, GFP_ATOMIC))
237 		goto drop;
238 
239 	/* Now we can update and verify the packet length... */
240 	iph = ip_hdr(skb);
241 	iphlen = iph->ihl << 2;
242 	iph->tot_len = htons(ntohs(iph->tot_len) - len);
243 	if (skb->len < iphlen + len) {
244 		/* packet is too small!?! */
245 		goto drop;
246 	}
247 
248 	/* pull the data buffer up to the ESP header and set the
249 	 * transport header to point to ESP.  Keep UDP on the stack
250 	 * for later.
251 	 */
252 	__skb_pull(skb, len);
253 	skb_reset_transport_header(skb);
254 
255 	/* modify the protocol (it's ESP!) */
256 	iph->protocol = IPPROTO_ESP;
257 
258 	/* process ESP */
259 	ret = xfrm4_rcv_encap(skb, encap_type);
260 	return ret;
261 
262 drop:
263 	kfree_skb(skb);
264 	return 0;
265 }
266 
267 int xfrm4_rcv(struct sk_buff *skb)
268 {
269 	return xfrm4_rcv_encap(skb, 0);
270 }
271 
272 EXPORT_SYMBOL(xfrm4_rcv);
273