/*
 * xfrm_input.c
 *
 * Changes:
 *	YOSHIFUJI Hideaki @USAGI
 *		Split up af-specific portion
 *
 */
# include <linux/slab.h>
# include <linux/module.h>
# include <linux/netdevice.h>
# include <net/dst.h>
# include <net/ip.h>
# include <net/xfrm.h>
/* Slab cache backing struct sec_path; created once in xfrm_input_init(). */
static struct kmem_cache *secpath_cachep __read_mostly;
/*
 * __secpath_destroy - tear down a sec_path that no longer has owners
 * @sp: the security path to free
 *
 * Drops the reference held on each xfrm_state recorded in @sp->xvec
 * (entries 0 .. @sp->len - 1) and returns @sp to secpath_cachep.
 * Presumably reached from secpath_put() once the refcount hits zero;
 * the caller is responsible for guaranteeing no one else still uses @sp.
 */
void __secpath_destroy(struct sec_path *sp)
{
	int idx = 0;

	while (idx < sp->len) {
		xfrm_state_put(sp->xvec[idx]);
		idx++;
	}

	kmem_cache_free(secpath_cachep, sp);
}
EXPORT_SYMBOL(__secpath_destroy);
/*
 * secpath_dup - allocate a sec_path, optionally cloning an existing one
 * @src: path to copy, or NULL for a fresh empty path
 *
 * Allocates with GFP_ATOMIC (callers run in softirq/receive context), so
 * NULL is a normal outcome the caller must handle.  When @src is given the
 * whole struct is copied and a reference is taken on every state it lists,
 * so the clone owns its own references.  The clone's refcount is always
 * reset to 1 regardless of @src's.
 */
struct sec_path *secpath_dup(struct sec_path *src)
{
	struct sec_path *copy = kmem_cache_alloc(secpath_cachep, GFP_ATOMIC);

	if (copy == NULL)
		return NULL;

	copy->len = 0;
	if (src != NULL) {
		int idx;

		/* Shallow copy first, then take our own hold on each state. */
		memcpy(copy, src, sizeof(*copy));
		for (idx = 0; idx < copy->len; idx++)
			xfrm_state_hold(copy->xvec[idx]);
	}

	/* memcpy also copied src's refcnt; the clone starts with one owner. */
	atomic_set(&copy->refcnt, 1);
	return copy;
}
EXPORT_SYMBOL(secpath_dup);
/* Fetch spi and seq from ipsec header */
/*
 * xfrm_parse_spi - fetch SPI and sequence number from an IPsec header
 * @skb: packet whose transport header points at the IPsec header
 * @nexthdr: protocol of that header (IPPROTO_AH, IPPROTO_ESP, IPPROTO_COMP)
 * @spi: output, SPI in network byte order
 * @seq: output, sequence number in network byte order (0 for IPComp)
 *
 * Returns 0 on success, -EINVAL if the header is not fully present in the
 * linear area (pskb_may_pull() failed) and 1 if @nexthdr is not an IPsec
 * protocol.  Every read of the header is preceded by a pskb_may_pull() of
 * the full fixed header, so the fixed-offset loads below cannot run past
 * the packet.  The loads are unaligned 32-bit accesses, as in the original.
 */
int xfrm_parse_spi(struct sk_buff *skb, u8 nexthdr, __be32 *spi, __be32 *seq)
{
	unsigned char *th;
	int hdr_len, spi_off, seq_off;

	if (nexthdr == IPPROTO_COMP) {
		if (!pskb_may_pull(skb, sizeof(struct ip_comp_hdr)))
			return -EINVAL;
		/*
		 * IPComp has no SPI/sequence; its 16-bit CPI sits at byte
		 * offset 2 of the header and is widened into the SPI slot.
		 */
		*spi = htonl(ntohs(*(__be16 *)(skb_transport_header(skb) + 2)));
		*seq = 0;
		return 0;
	}

	if (nexthdr == IPPROTO_AH) {
		hdr_len = sizeof(struct ip_auth_hdr);
		spi_off = offsetof(struct ip_auth_hdr, spi);
		seq_off = offsetof(struct ip_auth_hdr, seq_no);
	} else if (nexthdr == IPPROTO_ESP) {
		hdr_len = sizeof(struct ip_esp_hdr);
		spi_off = offsetof(struct ip_esp_hdr, spi);
		seq_off = offsetof(struct ip_esp_hdr, seq_no);
	} else {
		/* Not an IPsec header: tell the caller the chain has ended. */
		return 1;
	}

	if (!pskb_may_pull(skb, hdr_len))
		return -EINVAL;

	th = skb_transport_header(skb);
	*spi = *(__be32 *)(th + spi_off);
	*seq = *(__be32 *)(th + seq_off);
	return 0;
}
/*
 * xfrm_prepare_input - run the outer mode's extraction and the inner
 *                      mode's second-stage input on a received packet
 * @x: the state the packet matched
 * @skb: the packet
 *
 * Returns the error from extract_input() if it fails, -EAFNOSUPPORT when
 * the state has no selector family and the inner protocol cannot be mapped
 * to an inner mode, otherwise whatever inner_mode->input2() returns.  As a
 * side effect skb->protocol is set to the inner mode's ethertype.
 */
int xfrm_prepare_input(struct xfrm_state *x, struct sk_buff *skb)
{
	struct xfrm_mode *mode = x->inner_mode;
	int rc;

	rc = x->outer_mode->afinfo->extract_input(x, skb);
	if (rc)
		return rc;

	/*
	 * AF_UNSPEC selector: the inner family is not fixed by the state,
	 * so derive the inner mode from the protocol the outer mode found.
	 */
	if (x->sel.family == AF_UNSPEC) {
		mode = xfrm_ip2inner_mode(x, XFRM_MODE_SKB_CB(skb)->protocol);
		if (!mode)
			return -EAFNOSUPPORT;
	}

	skb->protocol = mode->afinfo->eth_proto;
	return mode->input2(x, skb);
}
EXPORT_SYMBOL(xfrm_prepare_input);
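/*
 * xfrm_input - receive-side entry point for one or more IPsec layers
 * @skb: packet with its transport header positioned on the IPsec header
 * @nexthdr: protocol of that header, used for the state lookup
 * @spi: SPI to use when the caller already knows it; 0 means parse it
 *       (and the sequence number) from the header via xfrm_parse_spi()
 * @encap_type: encapsulation type the matched state must have; a negative
 *       value means "resume after asynchronous crypto" (xfrm_input_resume())
 *
 * Loops over nested IPsec headers.  Each iteration looks up the state,
 * validates it under x->lock (state valid, encap type matches, replay
 * check, lifetime not expired), runs the transform and the inner mode,
 * and records the state in skb->sp.  The loop ends when a tunnel-mode
 * state is decapsulated (packet re-injected with netif_rx()) or when the
 * next header is not IPsec (handed to the family's transport_finish()).
 *
 * Returns 0 on every path except the transport_finish() return value.
 * Dropped packets are freed here and accounted via XFRM_INC_STATS().
 *
 * Ownership note: the state returned by xfrm_state_lookup() is stored in
 * skb->sp->xvec; its reference is then released together with the secpath
 * (see __secpath_destroy()), presumably when kfree_skb() drops skb->sp.
 */
int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
{
	struct net *net = dev_net(skb->dev);
	int err;
	__be32 seq;
	__be32 seq_hi;
	struct xfrm_state *x;
	xfrm_address_t *daddr;
	struct xfrm_mode *inner_mode;
	unsigned int family;
	int decaps = 0;
	int async = 0;

	/* A negative encap_type indicates async resumption. */
	if (encap_type < 0) {
		async = 1;
		x = xfrm_input_state(skb);
		/* The pre-crypto sequence number was stashed in the skb cb. */
		seq = XFRM_SKB_CB(skb)->seq.input.low;
		goto resume;
	}

	/* Allocate new secpath or COW existing one. */
	if (!skb->sp || atomic_read(&skb->sp->refcnt) != 1) {
		struct sec_path *sp;

		sp = secpath_dup(skb->sp);
		if (!sp) {
			XFRM_INC_STATS(net, LINUX_MIB_XFRMINERROR);
			goto drop;
		}
		if (skb->sp)
			secpath_put(skb->sp);
		skb->sp = sp;
	}

	/* Outer destination address, located by the caller via daddroff. */
	daddr = (xfrm_address_t *)(skb_network_header(skb) +
				   XFRM_SPI_SKB_CB(skb)->daddroff);
	family = XFRM_SPI_SKB_CB(skb)->family;

	seq = 0;
	if (!spi && (err = xfrm_parse_spi(skb, nexthdr, &spi, &seq)) != 0) {
		XFRM_INC_STATS(net, LINUX_MIB_XFRMINHDRERROR);
		goto drop;
	}

	do {
		/* Bound the nesting depth: xvec has XFRM_MAX_DEPTH slots. */
		if (skb->sp->len == XFRM_MAX_DEPTH) {
			XFRM_INC_STATS(net, LINUX_MIB_XFRMINBUFFERERROR);
			goto drop;
		}

		x = xfrm_state_lookup(net, skb->mark, daddr, spi, nexthdr, family);
		if (x == NULL) {
			XFRM_INC_STATS(net, LINUX_MIB_XFRMINNOSTATES);
			xfrm_audit_state_notfound(skb, family, spi, seq);
			goto drop;
		}

		/* From here on the secpath owns the lookup's reference. */
		skb->sp->xvec[skb->sp->len++] = x;

		spin_lock(&x->lock);
		if (unlikely(x->km.state != XFRM_STATE_VALID)) {
			XFRM_INC_STATS(net, LINUX_MIB_XFRMINSTATEINVALID);
			goto drop_unlock;
		}

		if ((x->encap ? x->encap->encap_type : 0) != encap_type) {
			XFRM_INC_STATS(net, LINUX_MIB_XFRMINSTATEMISMATCH);
			goto drop_unlock;
		}

		/* Replay window check before spending crypto on the packet. */
		if (x->repl->check(x, skb, seq)) {
			XFRM_INC_STATS(net, LINUX_MIB_XFRMINSTATESEQERROR);
			goto drop_unlock;
		}

		if (xfrm_state_check_expire(x)) {
			XFRM_INC_STATS(net, LINUX_MIB_XFRMINSTATEEXPIRED);
			goto drop_unlock;
		}

		spin_unlock(&x->lock);

		seq_hi = htonl(xfrm_replay_seqhi(x, seq));

		XFRM_SKB_CB(skb)->seq.input.low = seq;
		XFRM_SKB_CB(skb)->seq.input.hi = seq_hi;

		skb_dst_force(skb);

		nexthdr = x->type->input(x, skb);

		/* Async crypto: xfrm_input_resume() brings us back at resume. */
		if (nexthdr == -EINPROGRESS)
			return 0;

resume:
		spin_lock(&x->lock);
		if (nexthdr <= 0) {
			if (nexthdr == -EBADMSG) {
				xfrm_audit_state_icvfail(x, skb,
							 x->type->proto);
				x->stats.integrity_failed++;
			}
			XFRM_INC_STATS(net, LINUX_MIB_XFRMINSTATEPROTOERROR);
			goto drop_unlock;
		}

		/*
		 * x->lock was released around x->type->input(), and on the
		 * async path an arbitrary amount of time has passed since
		 * the validity check above.  The state may have been deleted
		 * or expired meanwhile, so re-validate before advancing the
		 * replay window, charging the lifetime and accepting the
		 * packet on its behalf.
		 */
		if (unlikely(x->km.state != XFRM_STATE_VALID)) {
			XFRM_INC_STATS(net, LINUX_MIB_XFRMINSTATEINVALID);
			goto drop_unlock;
		}

		/* only the first xfrm gets the encap type */
		encap_type = 0;

		/*
		 * The pre-crypto replay check is stale after async crypto:
		 * the window may have moved past seq while we were waiting.
		 */
		if (async && x->repl->check(x, skb, seq)) {
			XFRM_INC_STATS(net, LINUX_MIB_XFRMINSTATESEQERROR);
			goto drop_unlock;
		}

		x->repl->advance(x, seq);

		x->curlft.bytes += skb->len;
		x->curlft.packets++;

		spin_unlock(&x->lock);

		XFRM_MODE_SKB_CB(skb)->protocol = nexthdr;

		inner_mode = x->inner_mode;

		if (x->sel.family == AF_UNSPEC) {
			inner_mode = xfrm_ip2inner_mode(x, XFRM_MODE_SKB_CB(skb)->protocol);
			if (inner_mode == NULL)
				goto drop;
		}

		if (inner_mode->input(x, skb)) {
			XFRM_INC_STATS(net, LINUX_MIB_XFRMINSTATEMODEERROR);
			goto drop;
		}

		if (x->outer_mode->flags & XFRM_MODE_FLAG_TUNNEL) {
			decaps = 1;
			break;
		}

		/*
		 * We need the inner address.  However, we only get here for
		 * transport mode so the outer address is identical.
		 */
		daddr = &x->id.daddr;
		family = x->outer_mode->afinfo->family;

		/* err == 1 (not an IPsec header) ends the loop normally. */
		err = xfrm_parse_spi(skb, nexthdr, &spi, &seq);
		if (err < 0) {
			XFRM_INC_STATS(net, LINUX_MIB_XFRMINHDRERROR);
			goto drop;
		}
	} while (!err);

	nf_reset(skb);

	if (decaps) {
		skb_dst_drop(skb);
		netif_rx(skb);
		return 0;
	} else {
		return x->inner_mode->afinfo->transport_finish(skb, async);
	}

drop_unlock:
	spin_unlock(&x->lock);
drop:
	kfree_skb(skb);
	return 0;
}
EXPORT_SYMBOL(xfrm_input);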
/*
 * xfrm_input_resume - continue xfrm_input() after asynchronous crypto
 * @skb: the packet whose x->type->input() earlier returned -EINPROGRESS
 * @nexthdr: result of the completed transform (next protocol, or an error)
 *
 * The negative encap_type makes xfrm_input() skip the lookup and jump to
 * its resume label; the spi argument is unused on that path and passed as 0.
 */
int xfrm_input_resume(struct sk_buff *skb, int nexthdr)
{
	const int async_resume = -1;

	return xfrm_input(skb, nexthdr, 0, async_resume);
}
EXPORT_SYMBOL(xfrm_input_resume);
/*
 * xfrm_input_init - create the slab cache used for struct sec_path
 *
 * Boot-time only (__init).  The return value is not checked here; the
 * SLAB_PANIC flag is relied on to turn a failed creation into a panic
 * instead of a NULL cache — confirm against the slab allocator docs if
 * that flag's meaning changes.
 */
void __init xfrm_input_init(void)
{
	const size_t obj_size = sizeof(struct sec_path);

	secpath_cachep = kmem_cache_create("secpath_cache", obj_size, 0,
					   SLAB_HWCACHE_ALIGN | SLAB_PANIC,
					   NULL);
}