1 /* 2 * Copyright (C)2002 USAGI/WIDE Project 3 * 4 * This program is free software; you can redistribute it and/or modify 5 * it under the terms of the GNU General Public License as published by 6 * the Free Software Foundation; either version 2 of the License, or 7 * (at your option) any later version. 8 * 9 * This program is distributed in the hope that it will be useful, 10 * but WITHOUT ANY WARRANTY; without even the implied warranty of 11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 12 * GNU General Public License for more details. 13 * 14 * You should have received a copy of the GNU General Public License 15 * along with this program; if not, write to the Free Software 16 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 17 * 18 * Authors 19 * 20 * Mitsuru KANDA @USAGI : IPv6 Support 21 * Kazunori MIYAZAWA @USAGI : 22 * Kunihiro Ishiguro <kunihiro@ipinfusion.com> 23 * 24 * This file is derived from net/ipv4/ah.c. 25 */ 26 27 #include <linux/config.h> 28 #include <linux/module.h> 29 #include <net/ip.h> 30 #include <net/ah.h> 31 #include <linux/crypto.h> 32 #include <linux/pfkeyv2.h> 33 #include <linux/string.h> 34 #include <net/icmp.h> 35 #include <net/ipv6.h> 36 #include <net/protocol.h> 37 #include <net/xfrm.h> 38 #include <asm/scatterlist.h> 39 40 static int zero_out_mutable_opts(struct ipv6_opt_hdr *opthdr) 41 { 42 u8 *opt = (u8 *)opthdr; 43 int len = ipv6_optlen(opthdr); 44 int off = 0; 45 int optlen = 0; 46 47 off += 2; 48 len -= 2; 49 50 while (len > 0) { 51 52 switch (opt[off]) { 53 54 case IPV6_TLV_PAD0: 55 optlen = 1; 56 break; 57 default: 58 if (len < 2) 59 goto bad; 60 optlen = opt[off+1]+2; 61 if (len < optlen) 62 goto bad; 63 if (opt[off] & 0x20) 64 memset(&opt[off+2], 0, opt[off+1]); 65 break; 66 } 67 68 off += optlen; 69 len -= optlen; 70 } 71 if (len == 0) 72 return 1; 73 74 bad: 75 return 0; 76 } 77 78 /** 79 * ipv6_rearrange_rthdr - rearrange IPv6 routing header 80 * @iph: IPv6 header 81 * @rthdr: routing header 82 * 83 * Rearrange the destination address in @iph and the addresses in @rthdr 84 * so that they appear in the order they will at the final destination. 85 * See Appendix A2 of RFC 2402 for details. 86 */ 87 static void ipv6_rearrange_rthdr(struct ipv6hdr *iph, struct ipv6_rt_hdr *rthdr) 88 { 89 int segments, segments_left; 90 struct in6_addr *addrs; 91 struct in6_addr final_addr; 92 93 segments_left = rthdr->segments_left; 94 if (segments_left == 0) 95 return; 96 rthdr->segments_left = 0; 97 98 /* The value of rthdr->hdrlen has been verified either by the system 99 * call if it is locally generated, or by ipv6_rthdr_rcv() for incoming 100 * packets. So we can assume that it is even and that segments is 101 * greater than or equal to segments_left. 102 * 103 * For the same reason we can assume that this option is of type 0. 104 */ 105 segments = rthdr->hdrlen >> 1; 106 107 addrs = ((struct rt0_hdr *)rthdr)->addr; 108 ipv6_addr_copy(&final_addr, addrs + segments - 1); 109 110 addrs += segments - segments_left; 111 memmove(addrs + 1, addrs, (segments_left - 1) * sizeof(*addrs)); 112 113 ipv6_addr_copy(addrs, &iph->daddr); 114 ipv6_addr_copy(&iph->daddr, &final_addr); 115 } 116 117 static int ipv6_clear_mutable_options(struct ipv6hdr *iph, int len) 118 { 119 union { 120 struct ipv6hdr *iph; 121 struct ipv6_opt_hdr *opth; 122 struct ipv6_rt_hdr *rth; 123 char *raw; 124 } exthdr = { .iph = iph }; 125 char *end = exthdr.raw + len; 126 int nexthdr = iph->nexthdr; 127 128 exthdr.iph++; 129 130 while (exthdr.raw < end) { 131 switch (nexthdr) { 132 case NEXTHDR_HOP: 133 case NEXTHDR_DEST: 134 if (!zero_out_mutable_opts(exthdr.opth)) { 135 LIMIT_NETDEBUG( 136 KERN_WARNING "overrun %sopts\n", 137 nexthdr == NEXTHDR_HOP ? 138 "hop" : "dest"); 139 return -EINVAL; 140 } 141 break; 142 143 case NEXTHDR_ROUTING: 144 ipv6_rearrange_rthdr(iph, exthdr.rth); 145 break; 146 147 default : 148 return 0; 149 } 150 151 nexthdr = exthdr.opth->nexthdr; 152 exthdr.raw += ipv6_optlen(exthdr.opth); 153 } 154 155 return 0; 156 } 157 158 static int ah6_output(struct xfrm_state *x, struct sk_buff *skb) 159 { 160 int err; 161 int extlen; 162 struct ipv6hdr *top_iph; 163 struct ip_auth_hdr *ah; 164 struct ah_data *ahp; 165 u8 nexthdr; 166 char tmp_base[8]; 167 struct { 168 struct in6_addr daddr; 169 char hdrs[0]; 170 } *tmp_ext; 171 172 top_iph = (struct ipv6hdr *)skb->data; 173 top_iph->payload_len = htons(skb->len - sizeof(*top_iph)); 174 175 nexthdr = *skb->nh.raw; 176 *skb->nh.raw = IPPROTO_AH; 177 178 /* When there are no extension headers, we only need to save the first 179 * 8 bytes of the base IP header. 180 */ 181 memcpy(tmp_base, top_iph, sizeof(tmp_base)); 182 183 tmp_ext = NULL; 184 extlen = skb->h.raw - (unsigned char *)(top_iph + 1); 185 if (extlen) { 186 extlen += sizeof(*tmp_ext); 187 tmp_ext = kmalloc(extlen, GFP_ATOMIC); 188 if (!tmp_ext) { 189 err = -ENOMEM; 190 goto error; 191 } 192 memcpy(tmp_ext, &top_iph->daddr, extlen); 193 err = ipv6_clear_mutable_options(top_iph, 194 extlen - sizeof(*tmp_ext) + 195 sizeof(*top_iph)); 196 if (err) 197 goto error_free_iph; 198 } 199 200 ah = (struct ip_auth_hdr *)skb->h.raw; 201 ah->nexthdr = nexthdr; 202 203 top_iph->priority = 0; 204 top_iph->flow_lbl[0] = 0; 205 top_iph->flow_lbl[1] = 0; 206 top_iph->flow_lbl[2] = 0; 207 top_iph->hop_limit = 0; 208 209 ahp = x->data; 210 ah->hdrlen = (XFRM_ALIGN8(sizeof(struct ipv6_auth_hdr) + 211 ahp->icv_trunc_len) >> 2) - 2; 212 213 ah->reserved = 0; 214 ah->spi = x->id.spi; 215 ah->seq_no = htonl(++x->replay.oseq); 216 xfrm_aevent_doreplay(x); 217 ahp->icv(ahp, skb, ah->auth_data); 218 219 err = 0; 220 221 memcpy(top_iph, tmp_base, sizeof(tmp_base)); 222 if (tmp_ext) { 223 memcpy(&top_iph->daddr, tmp_ext, extlen); 224 error_free_iph: 225 kfree(tmp_ext); 226 } 227 228 error: 229 return err; 230 } 231 232 static int ah6_input(struct xfrm_state *x, struct sk_buff *skb) 233 { 234 /* 235 * Before process AH 236 * [IPv6][Ext1][Ext2][AH][Dest][Payload] 237 * |<-------------->| hdr_len 238 * 239 * To erase AH: 240 * Keeping copy of cleared headers. After AH processing, 241 * Moving the pointer of skb->nh.raw by using skb_pull as long as AH 242 * header length. Then copy back the copy as long as hdr_len 243 * If destination header following AH exists, copy it into after [Ext2]. 244 * 245 * |<>|[IPv6][Ext1][Ext2][Dest][Payload] 246 * There is offset of AH before IPv6 header after the process. 247 */ 248 249 struct ipv6_auth_hdr *ah; 250 struct ah_data *ahp; 251 unsigned char *tmp_hdr = NULL; 252 u16 hdr_len; 253 u16 ah_hlen; 254 int nexthdr; 255 256 if (!pskb_may_pull(skb, sizeof(struct ip_auth_hdr))) 257 goto out; 258 259 /* We are going to _remove_ AH header to keep sockets happy, 260 * so... Later this can change. */ 261 if (skb_cloned(skb) && 262 pskb_expand_head(skb, 0, 0, GFP_ATOMIC)) 263 goto out; 264 265 hdr_len = skb->data - skb->nh.raw; 266 ah = (struct ipv6_auth_hdr*)skb->data; 267 ahp = x->data; 268 nexthdr = ah->nexthdr; 269 ah_hlen = (ah->hdrlen + 2) << 2; 270 271 if (ah_hlen != XFRM_ALIGN8(sizeof(struct ipv6_auth_hdr) + ahp->icv_full_len) && 272 ah_hlen != XFRM_ALIGN8(sizeof(struct ipv6_auth_hdr) + ahp->icv_trunc_len)) 273 goto out; 274 275 if (!pskb_may_pull(skb, ah_hlen)) 276 goto out; 277 278 tmp_hdr = kmalloc(hdr_len, GFP_ATOMIC); 279 if (!tmp_hdr) 280 goto out; 281 memcpy(tmp_hdr, skb->nh.raw, hdr_len); 282 if (ipv6_clear_mutable_options(skb->nh.ipv6h, hdr_len)) 283 goto free_out; 284 skb->nh.ipv6h->priority = 0; 285 skb->nh.ipv6h->flow_lbl[0] = 0; 286 skb->nh.ipv6h->flow_lbl[1] = 0; 287 skb->nh.ipv6h->flow_lbl[2] = 0; 288 skb->nh.ipv6h->hop_limit = 0; 289 290 { 291 u8 auth_data[MAX_AH_AUTH_LEN]; 292 293 memcpy(auth_data, ah->auth_data, ahp->icv_trunc_len); 294 memset(ah->auth_data, 0, ahp->icv_trunc_len); 295 skb_push(skb, hdr_len); 296 ahp->icv(ahp, skb, ah->auth_data); 297 if (memcmp(ah->auth_data, auth_data, ahp->icv_trunc_len)) { 298 LIMIT_NETDEBUG(KERN_WARNING "ipsec ah authentication error\n"); 299 x->stats.integrity_failed++; 300 goto free_out; 301 } 302 } 303 304 skb->h.raw = memcpy(skb->nh.raw += ah_hlen, tmp_hdr, hdr_len); 305 __skb_pull(skb, ah_hlen + hdr_len); 306 307 kfree(tmp_hdr); 308 309 return nexthdr; 310 311 free_out: 312 kfree(tmp_hdr); 313 out: 314 return -EINVAL; 315 } 316 317 static void ah6_err(struct sk_buff *skb, struct inet6_skb_parm *opt, 318 int type, int code, int offset, __u32 info) 319 { 320 struct ipv6hdr *iph = (struct ipv6hdr*)skb->data; 321 struct ip_auth_hdr *ah = (struct ip_auth_hdr*)(skb->data+offset); 322 struct xfrm_state *x; 323 324 if (type != ICMPV6_DEST_UNREACH && 325 type != ICMPV6_PKT_TOOBIG) 326 return; 327 328 x = xfrm_state_lookup((xfrm_address_t *)&iph->daddr, ah->spi, IPPROTO_AH, AF_INET6); 329 if (!x) 330 return; 331 332 NETDEBUG(KERN_DEBUG "pmtu discovery on SA AH/%08x/" NIP6_FMT "\n", 333 ntohl(ah->spi), NIP6(iph->daddr)); 334 335 xfrm_state_put(x); 336 } 337 338 static int ah6_init_state(struct xfrm_state *x) 339 { 340 struct ah_data *ahp = NULL; 341 struct xfrm_algo_desc *aalg_desc; 342 343 if (!x->aalg) 344 goto error; 345 346 /* null auth can use a zero length key */ 347 if (x->aalg->alg_key_len > 512) 348 goto error; 349 350 if (x->encap) 351 goto error; 352 353 ahp = kzalloc(sizeof(*ahp), GFP_KERNEL); 354 if (ahp == NULL) 355 return -ENOMEM; 356 357 ahp->key = x->aalg->alg_key; 358 ahp->key_len = (x->aalg->alg_key_len+7)/8; 359 ahp->tfm = crypto_alloc_tfm(x->aalg->alg_name, 0); 360 if (!ahp->tfm) 361 goto error; 362 ahp->icv = ah_hmac_digest; 363 364 /* 365 * Lookup the algorithm description maintained by xfrm_algo, 366 * verify crypto transform properties, and store information 367 * we need for AH processing. This lookup cannot fail here 368 * after a successful crypto_alloc_tfm(). 369 */ 370 aalg_desc = xfrm_aalg_get_byname(x->aalg->alg_name, 0); 371 BUG_ON(!aalg_desc); 372 373 if (aalg_desc->uinfo.auth.icv_fullbits/8 != 374 crypto_tfm_alg_digestsize(ahp->tfm)) { 375 printk(KERN_INFO "AH: %s digestsize %u != %hu\n", 376 x->aalg->alg_name, crypto_tfm_alg_digestsize(ahp->tfm), 377 aalg_desc->uinfo.auth.icv_fullbits/8); 378 goto error; 379 } 380 381 ahp->icv_full_len = aalg_desc->uinfo.auth.icv_fullbits/8; 382 ahp->icv_trunc_len = aalg_desc->uinfo.auth.icv_truncbits/8; 383 384 BUG_ON(ahp->icv_trunc_len > MAX_AH_AUTH_LEN); 385 386 ahp->work_icv = kmalloc(ahp->icv_full_len, GFP_KERNEL); 387 if (!ahp->work_icv) 388 goto error; 389 390 x->props.header_len = XFRM_ALIGN8(sizeof(struct ipv6_auth_hdr) + ahp->icv_trunc_len); 391 if (x->props.mode) 392 x->props.header_len += sizeof(struct ipv6hdr); 393 x->data = ahp; 394 395 return 0; 396 397 error: 398 if (ahp) { 399 kfree(ahp->work_icv); 400 crypto_free_tfm(ahp->tfm); 401 kfree(ahp); 402 } 403 return -EINVAL; 404 } 405 406 static void ah6_destroy(struct xfrm_state *x) 407 { 408 struct ah_data *ahp = x->data; 409 410 if (!ahp) 411 return; 412 413 kfree(ahp->work_icv); 414 ahp->work_icv = NULL; 415 crypto_free_tfm(ahp->tfm); 416 ahp->tfm = NULL; 417 kfree(ahp); 418 } 419 420 static struct xfrm_type ah6_type = 421 { 422 .description = "AH6", 423 .owner = THIS_MODULE, 424 .proto = IPPROTO_AH, 425 .init_state = ah6_init_state, 426 .destructor = ah6_destroy, 427 .input = ah6_input, 428 .output = ah6_output 429 }; 430 431 static struct inet6_protocol ah6_protocol = { 432 .handler = xfrm6_rcv, 433 .err_handler = ah6_err, 434 .flags = INET6_PROTO_NOPOLICY, 435 }; 436 437 static int __init ah6_init(void) 438 { 439 if (xfrm_register_type(&ah6_type, AF_INET6) < 0) { 440 printk(KERN_INFO "ipv6 ah init: can't add xfrm type\n"); 441 return -EAGAIN; 442 } 443 444 if (inet6_add_protocol(&ah6_protocol, IPPROTO_AH) < 0) { 445 printk(KERN_INFO "ipv6 ah init: can't add protocol\n"); 446 xfrm_unregister_type(&ah6_type, AF_INET6); 447 return -EAGAIN; 448 } 449 450 return 0; 451 } 452 453 static void __exit ah6_fini(void) 454 { 455 if (inet6_del_protocol(&ah6_protocol, IPPROTO_AH) < 0) 456 printk(KERN_INFO "ipv6 ah close: can't remove protocol\n"); 457 458 if (xfrm_unregister_type(&ah6_type, AF_INET6) < 0) 459 printk(KERN_INFO "ipv6 ah close: can't remove xfrm type\n"); 460 461 } 462 463 module_init(ah6_init); 464 module_exit(ah6_fini); 465 466 MODULE_LICENSE("GPL"); 467