2005-04-16 15:20:36 -07:00
/*
* xfrm_input . c
*
* Changes :
* YOSHIFUJI Hideaki @ USAGI
* Split up af - specific portion
2007-02-09 23:25:29 +09:00
*
2005-04-16 15:20:36 -07:00
*/
# include <linux/slab.h>
# include <linux/module.h>
2007-11-13 21:44:23 -08:00
# include <linux/netdevice.h>
# include <net/dst.h>
2005-04-16 15:20:36 -07:00
# include <net/ip.h>
# include <net/xfrm.h>
2015-05-27 07:16:49 -07:00
# include <net/ip_tunnels.h>
# include <net/ip6_tunnel.h>
2005-04-16 15:20:36 -07:00
2006-12-06 20:33:20 -08:00
static struct kmem_cache * secpath_cachep __read_mostly ;
2005-04-16 15:20:36 -07:00
2014-03-14 07:28:07 +01:00
static DEFINE_SPINLOCK ( xfrm_input_afinfo_lock ) ;
2017-02-07 14:52:30 +01:00
static struct xfrm_input_afinfo const __rcu * xfrm_input_afinfo [ AF_INET6 + 1 ] ;
2014-03-14 07:28:07 +01:00
2017-01-30 06:45:43 +01:00
static struct gro_cells gro_cells ;
static struct net_device xfrm_napi_dev ;
2017-02-07 14:52:30 +01:00
int xfrm_input_register_afinfo ( const struct xfrm_input_afinfo * afinfo )
2014-03-14 07:28:07 +01:00
{
int err = 0 ;
2017-02-07 14:52:30 +01:00
if ( WARN_ON ( afinfo - > family > = ARRAY_SIZE ( xfrm_input_afinfo ) ) )
2014-03-14 07:28:07 +01:00
return - EAFNOSUPPORT ;
2017-02-07 14:52:30 +01:00
2014-03-14 07:28:07 +01:00
spin_lock_bh ( & xfrm_input_afinfo_lock ) ;
if ( unlikely ( xfrm_input_afinfo [ afinfo - > family ] ! = NULL ) )
2015-04-23 11:06:53 +08:00
err = - EEXIST ;
2014-03-14 07:28:07 +01:00
else
rcu_assign_pointer ( xfrm_input_afinfo [ afinfo - > family ] , afinfo ) ;
spin_unlock_bh ( & xfrm_input_afinfo_lock ) ;
return err ;
}
EXPORT_SYMBOL ( xfrm_input_register_afinfo ) ;
2017-02-07 14:52:30 +01:00
int xfrm_input_unregister_afinfo ( const struct xfrm_input_afinfo * afinfo )
2014-03-14 07:28:07 +01:00
{
int err = 0 ;
spin_lock_bh ( & xfrm_input_afinfo_lock ) ;
if ( likely ( xfrm_input_afinfo [ afinfo - > family ] ! = NULL ) ) {
if ( unlikely ( xfrm_input_afinfo [ afinfo - > family ] ! = afinfo ) )
err = - EINVAL ;
else
RCU_INIT_POINTER ( xfrm_input_afinfo [ afinfo - > family ] , NULL ) ;
}
spin_unlock_bh ( & xfrm_input_afinfo_lock ) ;
synchronize_rcu ( ) ;
return err ;
}
EXPORT_SYMBOL ( xfrm_input_unregister_afinfo ) ;
2017-02-07 14:52:30 +01:00
static const struct xfrm_input_afinfo * xfrm_input_get_afinfo ( unsigned int family )
2014-03-14 07:28:07 +01:00
{
2017-02-07 14:52:30 +01:00
const struct xfrm_input_afinfo * afinfo ;
2014-03-14 07:28:07 +01:00
2017-02-07 14:52:30 +01:00
if ( WARN_ON_ONCE ( family > = ARRAY_SIZE ( xfrm_input_afinfo ) ) )
2014-03-14 07:28:07 +01:00
return NULL ;
2017-02-07 14:52:30 +01:00
2014-03-14 07:28:07 +01:00
rcu_read_lock ( ) ;
afinfo = rcu_dereference ( xfrm_input_afinfo [ family ] ) ;
if ( unlikely ( ! afinfo ) )
rcu_read_unlock ( ) ;
return afinfo ;
}
static int xfrm_rcv_cb ( struct sk_buff * skb , unsigned int family , u8 protocol ,
int err )
{
int ret ;
2017-02-07 14:52:30 +01:00
const struct xfrm_input_afinfo * afinfo = xfrm_input_get_afinfo ( family ) ;
2014-03-14 07:28:07 +01:00
if ( ! afinfo )
return - EAFNOSUPPORT ;
ret = afinfo - > callback ( skb , protocol , err ) ;
2017-02-07 14:52:30 +01:00
rcu_read_unlock ( ) ;
2014-03-14 07:28:07 +01:00
return ret ;
}
2005-04-16 15:20:36 -07:00
void __secpath_destroy ( struct sec_path * sp )
{
int i ;
for ( i = 0 ; i < sp - > len ; i + + )
2006-04-01 00:54:16 -08:00
xfrm_state_put ( sp - > xvec [ i ] ) ;
2005-04-16 15:20:36 -07:00
kmem_cache_free ( secpath_cachep , sp ) ;
}
EXPORT_SYMBOL ( __secpath_destroy ) ;
struct sec_path * secpath_dup ( struct sec_path * src )
{
struct sec_path * sp ;
2006-12-06 20:33:16 -08:00
sp = kmem_cache_alloc ( secpath_cachep , GFP_ATOMIC ) ;
2005-04-16 15:20:36 -07:00
if ( ! sp )
return NULL ;
sp - > len = 0 ;
2017-02-15 09:39:54 +01:00
sp - > olen = 0 ;
2005-04-16 15:20:36 -07:00
if ( src ) {
int i ;
memcpy ( sp , src , sizeof ( * sp ) ) ;
for ( i = 0 ; i < sp - > len ; i + + )
2006-04-01 00:54:16 -08:00
xfrm_state_hold ( sp - > xvec [ i ] ) ;
2005-04-16 15:20:36 -07:00
}
atomic_set ( & sp - > refcnt , 1 ) ;
return sp ;
}
EXPORT_SYMBOL ( secpath_dup ) ;
2017-02-15 09:39:24 +01:00
int secpath_set ( struct sk_buff * skb )
{
struct sec_path * sp ;
/* Allocate new secpath or COW existing one. */
if ( ! skb - > sp | | atomic_read ( & skb - > sp - > refcnt ) ! = 1 ) {
sp = secpath_dup ( skb - > sp ) ;
if ( ! sp )
return - ENOMEM ;
if ( skb - > sp )
secpath_put ( skb - > sp ) ;
skb - > sp = sp ;
}
return 0 ;
}
EXPORT_SYMBOL ( secpath_set ) ;
2005-04-16 15:20:36 -07:00
/* Fetch spi and seq from ipsec header */
2006-09-27 18:47:59 -07:00
int xfrm_parse_spi ( struct sk_buff * skb , u8 nexthdr , __be32 * spi , __be32 * seq )
2005-04-16 15:20:36 -07:00
{
int offset , offset_seq ;
2007-10-17 21:30:34 -07:00
int hlen ;
2005-04-16 15:20:36 -07:00
switch ( nexthdr ) {
case IPPROTO_AH :
2007-10-17 21:30:34 -07:00
hlen = sizeof ( struct ip_auth_hdr ) ;
2005-04-16 15:20:36 -07:00
offset = offsetof ( struct ip_auth_hdr , spi ) ;
offset_seq = offsetof ( struct ip_auth_hdr , seq_no ) ;
break ;
case IPPROTO_ESP :
2007-10-17 21:30:34 -07:00
hlen = sizeof ( struct ip_esp_hdr ) ;
2005-04-16 15:20:36 -07:00
offset = offsetof ( struct ip_esp_hdr , spi ) ;
offset_seq = offsetof ( struct ip_esp_hdr , seq_no ) ;
break ;
case IPPROTO_COMP :
if ( ! pskb_may_pull ( skb , sizeof ( struct ip_comp_hdr ) ) )
return - EINVAL ;
2013-12-24 09:43:47 +08:00
* spi = htonl ( ntohs ( * ( __be16 * ) ( skb_transport_header ( skb ) + 2 ) ) ) ;
2005-04-16 15:20:36 -07:00
* seq = 0 ;
return 0 ;
default :
return 1 ;
}
2007-10-17 21:30:34 -07:00
if ( ! pskb_may_pull ( skb , hlen ) )
2005-04-16 15:20:36 -07:00
return - EINVAL ;
2013-12-24 09:43:47 +08:00
* spi = * ( __be32 * ) ( skb_transport_header ( skb ) + offset ) ;
* seq = * ( __be32 * ) ( skb_transport_header ( skb ) + offset_seq ) ;
2005-04-16 15:20:36 -07:00
return 0 ;
}
2017-02-15 09:39:49 +01:00
EXPORT_SYMBOL ( xfrm_parse_spi ) ;
2005-04-16 15:20:36 -07:00
2007-11-13 21:41:28 -08:00
int xfrm_prepare_input ( struct xfrm_state * x , struct sk_buff * skb )
{
2008-03-24 14:51:51 -07:00
struct xfrm_mode * inner_mode = x - > inner_mode ;
2007-11-13 21:41:28 -08:00
int err ;
err = x - > outer_mode - > afinfo - > extract_input ( x , skb ) ;
if ( err )
return err ;
2008-03-24 14:51:51 -07:00
if ( x - > sel . family = = AF_UNSPEC ) {
inner_mode = xfrm_ip2inner_mode ( x , XFRM_MODE_SKB_CB ( skb ) - > protocol ) ;
if ( inner_mode = = NULL )
return - EAFNOSUPPORT ;
}
skb - > protocol = inner_mode - > afinfo - > eth_proto ;
return inner_mode - > input2 ( x , skb ) ;
2007-11-13 21:41:28 -08:00
}
EXPORT_SYMBOL ( xfrm_prepare_input ) ;
2007-11-13 21:44:23 -08:00
int xfrm_input ( struct sk_buff * skb , int nexthdr , __be32 spi , int encap_type )
{
2008-11-25 17:37:56 -08:00
struct net * net = dev_net ( skb - > dev ) ;
2007-11-13 21:44:23 -08:00
int err ;
__be32 seq ;
2011-03-08 00:09:51 +00:00
__be32 seq_hi ;
2014-02-21 08:41:08 +01:00
struct xfrm_state * x = NULL ;
2007-11-19 18:50:17 -08:00
xfrm_address_t * daddr ;
2008-03-24 14:51:51 -07:00
struct xfrm_mode * inner_mode ;
2015-05-27 07:16:49 -07:00
u32 mark = skb - > mark ;
2007-12-03 22:54:12 -08:00
unsigned int family ;
2007-11-13 21:44:23 -08:00
int decaps = 0 ;
2007-11-19 18:50:17 -08:00
int async = 0 ;
2017-02-15 09:40:00 +01:00
struct xfrm_offload * xo ;
bool xfrm_gro = false ;
2007-11-19 18:50:17 -08:00
if ( encap_type < 0 ) {
2007-12-11 01:53:43 -08:00
x = xfrm_input_state ( skb ) ;
2014-02-21 08:41:08 +01:00
family = x - > outer_mode - > afinfo - > family ;
2017-02-15 09:40:00 +01:00
/* An encap_type of -1 indicates async resumption. */
if ( encap_type = = - 1 ) {
async = 1 ;
seq = XFRM_SKB_CB ( skb ) - > seq . input . low ;
goto resume ;
}
/* encap_type < -1 indicates a GRO call. */
encap_type = 0 ;
seq = XFRM_SPI_SKB_CB ( skb ) - > seq ;
goto lock ;
2007-11-19 18:50:17 -08:00
}
2007-11-13 21:44:23 -08:00
2014-02-21 08:41:08 +01:00
daddr = ( xfrm_address_t * ) ( skb_network_header ( skb ) +
XFRM_SPI_SKB_CB ( skb ) - > daddroff ) ;
family = XFRM_SPI_SKB_CB ( skb ) - > family ;
2015-05-27 07:16:49 -07:00
/* if tunnel is present override skb->mark value with tunnel i_key */
2016-08-10 13:54:57 +03:00
switch ( family ) {
case AF_INET :
if ( XFRM_TUNNEL_SKB_CB ( skb ) - > tunnel . ip4 )
2015-05-27 07:16:49 -07:00
mark = be32_to_cpu ( XFRM_TUNNEL_SKB_CB ( skb ) - > tunnel . ip4 - > parms . i_key ) ;
2016-08-10 13:54:57 +03:00
break ;
case AF_INET6 :
if ( XFRM_TUNNEL_SKB_CB ( skb ) - > tunnel . ip6 )
2015-05-27 07:16:49 -07:00
mark = be32_to_cpu ( XFRM_TUNNEL_SKB_CB ( skb ) - > tunnel . ip6 - > parms . i_key ) ;
2016-08-10 13:54:57 +03:00
break ;
2015-05-27 07:16:49 -07:00
}
2017-02-15 09:39:24 +01:00
err = secpath_set ( skb ) ;
if ( err ) {
XFRM_INC_STATS ( net , LINUX_MIB_XFRMINERROR ) ;
goto drop ;
2007-11-13 21:44:55 -08:00
}
2007-11-13 21:44:23 -08:00
seq = 0 ;
2007-12-20 20:43:36 -08:00
if ( ! spi & & ( err = xfrm_parse_spi ( skb , nexthdr , & spi , & seq ) ) ! = 0 ) {
2008-11-25 17:59:52 -08:00
XFRM_INC_STATS ( net , LINUX_MIB_XFRMINHDRERROR ) ;
2007-11-13 21:44:23 -08:00
goto drop ;
2007-12-20 20:43:36 -08:00
}
2007-11-13 21:44:23 -08:00
do {
2007-12-20 20:43:36 -08:00
if ( skb - > sp - > len = = XFRM_MAX_DEPTH ) {
2008-11-25 17:59:52 -08:00
XFRM_INC_STATS ( net , LINUX_MIB_XFRMINBUFFERERROR ) ;
2007-11-13 21:44:23 -08:00
goto drop ;
2007-12-20 20:43:36 -08:00
}
2007-11-13 21:44:23 -08:00
2015-05-27 07:16:49 -07:00
x = xfrm_state_lookup ( net , mark , daddr , spi , nexthdr , family ) ;
2007-12-20 20:43:36 -08:00
if ( x = = NULL ) {
2008-11-25 17:59:52 -08:00
XFRM_INC_STATS ( net , LINUX_MIB_XFRMINNOSTATES ) ;
2007-12-21 14:58:11 -08:00
xfrm_audit_state_notfound ( skb , family , spi , seq ) ;
2007-11-13 21:44:23 -08:00
goto drop ;
2007-12-20 20:43:36 -08:00
}
2007-11-13 21:44:23 -08:00
2007-11-13 21:44:55 -08:00
skb - > sp - > xvec [ skb - > sp - > len + + ] = x ;
2017-02-15 09:40:00 +01:00
lock :
2007-11-13 21:44:23 -08:00
spin_lock ( & x - > lock ) ;
2013-06-06 10:15:54 +08:00
2007-12-20 20:43:36 -08:00
if ( unlikely ( x - > km . state ! = XFRM_STATE_VALID ) ) {
2015-04-24 16:49:31 +08:00
if ( x - > km . state = = XFRM_STATE_ACQ )
XFRM_INC_STATS ( net , LINUX_MIB_XFRMACQUIREERROR ) ;
else
XFRM_INC_STATS ( net ,
LINUX_MIB_XFRMINSTATEINVALID ) ;
2007-11-13 21:44:23 -08:00
goto drop_unlock ;
2007-12-20 20:43:36 -08:00
}
2007-11-13 21:44:23 -08:00
2008-12-18 19:23:56 -08:00
if ( ( x - > encap ? x - > encap - > encap_type : 0 ) ! = encap_type ) {
XFRM_INC_STATS ( net , LINUX_MIB_XFRMINSTATEMISMATCH ) ;
goto drop_unlock ;
}
2011-03-28 19:45:52 +00:00
if ( x - > repl - > check ( x , skb , seq ) ) {
2008-11-25 17:59:52 -08:00
XFRM_INC_STATS ( net , LINUX_MIB_XFRMINSTATESEQERROR ) ;
2007-11-13 21:44:23 -08:00
goto drop_unlock ;
2007-12-20 20:43:36 -08:00
}
2007-11-13 21:44:23 -08:00
2007-12-20 20:43:36 -08:00
if ( xfrm_state_check_expire ( x ) ) {
2008-11-25 17:59:52 -08:00
XFRM_INC_STATS ( net , LINUX_MIB_XFRMINSTATEEXPIRED ) ;
2007-11-13 21:44:23 -08:00
goto drop_unlock ;
2007-12-20 20:43:36 -08:00
}
2007-11-13 21:44:23 -08:00
2007-11-13 21:45:58 -08:00
spin_unlock ( & x - > lock ) ;
2015-04-02 10:58:24 +03:00
if ( xfrm_tunnel_check ( skb , x , family ) ) {
XFRM_INC_STATS ( net , LINUX_MIB_XFRMINSTATEMODEERROR ) ;
goto drop ;
}
2011-03-08 00:09:51 +00:00
seq_hi = htonl ( xfrm_replay_seqhi ( x , seq ) ) ;
2011-03-08 00:06:31 +00:00
XFRM_SKB_CB ( skb ) - > seq . input . low = seq ;
2011-03-08 00:09:51 +00:00
XFRM_SKB_CB ( skb ) - > seq . input . hi = seq_hi ;
2007-11-19 18:50:17 -08:00
2011-03-15 21:08:28 +00:00
skb_dst_force ( skb ) ;
2016-03-23 22:39:50 -06:00
dev_hold ( skb - > dev ) ;
2011-03-15 21:08:28 +00:00
2007-11-13 21:44:23 -08:00
nexthdr = x - > type - > input ( x , skb ) ;
2007-11-13 21:45:58 -08:00
2007-11-19 18:50:17 -08:00
if ( nexthdr = = - EINPROGRESS )
return 0 ;
resume :
2016-03-23 22:39:50 -06:00
dev_put ( skb - > dev ) ;
2007-11-13 21:45:58 -08:00
spin_lock ( & x - > lock ) ;
2007-12-16 15:55:02 -08:00
if ( nexthdr < = 0 ) {
2007-12-30 21:10:30 -08:00
if ( nexthdr = = - EBADMSG ) {
xfrm_audit_state_icvfail ( x , skb ,
x - > type - > proto ) ;
2007-12-16 15:55:02 -08:00
x - > stats . integrity_failed + + ;
2007-12-30 21:10:30 -08:00
}
2008-11-25 17:59:52 -08:00
XFRM_INC_STATS ( net , LINUX_MIB_XFRMINSTATEPROTOERROR ) ;
2007-11-13 21:44:23 -08:00
goto drop_unlock ;
2007-12-16 15:55:02 -08:00
}
2007-11-13 21:44:23 -08:00
/* only the first xfrm gets the encap type */
encap_type = 0 ;
2012-09-04 00:03:29 +00:00
if ( async & & x - > repl - > recheck ( x , skb , seq ) ) {
2011-09-20 23:38:58 +00:00
XFRM_INC_STATS ( net , LINUX_MIB_XFRMINSTATESEQERROR ) ;
goto drop_unlock ;
}
2011-03-08 00:08:32 +00:00
x - > repl - > advance ( x , seq ) ;
2007-11-13 21:44:23 -08:00
x - > curlft . bytes + = skb - > len ;
x - > curlft . packets + + ;
spin_unlock ( & x - > lock ) ;
2007-11-19 18:47:58 -08:00
XFRM_MODE_SKB_CB ( skb ) - > protocol = nexthdr ;
2008-03-24 14:51:51 -07:00
inner_mode = x - > inner_mode ;
if ( x - > sel . family = = AF_UNSPEC ) {
inner_mode = xfrm_ip2inner_mode ( x , XFRM_MODE_SKB_CB ( skb ) - > protocol ) ;
2015-10-23 07:52:58 +02:00
if ( inner_mode = = NULL ) {
XFRM_INC_STATS ( net , LINUX_MIB_XFRMINSTATEMODEERROR ) ;
2008-03-24 14:51:51 -07:00
goto drop ;
2015-10-23 07:52:58 +02:00
}
2008-03-24 14:51:51 -07:00
}
if ( inner_mode - > input ( x , skb ) ) {
2008-11-25 17:59:52 -08:00
XFRM_INC_STATS ( net , LINUX_MIB_XFRMINSTATEMODEERROR ) ;
2007-11-13 21:44:23 -08:00
goto drop ;
2007-12-20 20:43:36 -08:00
}
2007-11-13 21:44:23 -08:00
if ( x - > outer_mode - > flags & XFRM_MODE_FLAG_TUNNEL ) {
decaps = 1 ;
break ;
}
2007-11-19 18:50:17 -08:00
/*
* We need the inner address . However , we only get here for
* transport mode so the outer address is identical .
*/
daddr = & x - > id . daddr ;
2007-12-03 22:54:12 -08:00
family = x - > outer_mode - > afinfo - > family ;
2007-11-19 18:50:17 -08:00
2007-11-13 21:44:23 -08:00
err = xfrm_parse_spi ( skb , nexthdr , & spi , & seq ) ;
2007-12-20 20:43:36 -08:00
if ( err < 0 ) {
2008-11-25 17:59:52 -08:00
XFRM_INC_STATS ( net , LINUX_MIB_XFRMINHDRERROR ) ;
2007-11-13 21:44:23 -08:00
goto drop ;
2007-12-20 20:43:36 -08:00
}
2007-11-13 21:44:23 -08:00
} while ( ! err ) ;
2014-02-21 08:41:08 +01:00
err = xfrm_rcv_cb ( skb , family , x - > type - > proto , 0 ) ;
if ( err )
goto drop ;
2007-11-13 21:44:23 -08:00
nf_reset ( skb ) ;
if ( decaps ) {
2009-06-02 05:19:30 +00:00
skb_dst_drop ( skb ) ;
2017-01-30 06:45:43 +01:00
gro_cells_receive ( & gro_cells , skb ) ;
2007-11-13 21:44:23 -08:00
return 0 ;
} else {
2017-02-15 09:40:00 +01:00
xo = xfrm_offload ( skb ) ;
if ( xo )
xfrm_gro = xo - > flags & XFRM_GRO ;
err = x - > inner_mode - > afinfo - > transport_finish ( skb , async ) ;
if ( xfrm_gro ) {
skb_dst_drop ( skb ) ;
gro_cells_receive ( & gro_cells , skb ) ;
return err ;
}
return err ;
2007-11-13 21:44:23 -08:00
}
drop_unlock :
spin_unlock ( & x - > lock ) ;
drop :
2014-02-21 08:41:08 +01:00
xfrm_rcv_cb ( skb , family , x & & x - > type ? x - > type - > proto : nexthdr , - 1 ) ;
2007-11-13 21:44:23 -08:00
kfree_skb ( skb ) ;
return 0 ;
}
EXPORT_SYMBOL ( xfrm_input ) ;
2007-11-19 18:50:17 -08:00
int xfrm_input_resume ( struct sk_buff * skb , int nexthdr )
{
return xfrm_input ( skb , nexthdr , 0 , - 1 ) ;
}
EXPORT_SYMBOL ( xfrm_input_resume ) ;
2005-04-16 15:20:36 -07:00
void __init xfrm_input_init ( void )
{
2017-01-30 06:45:43 +01:00
int err ;
init_dummy_netdev ( & xfrm_napi_dev ) ;
err = gro_cells_init ( & gro_cells , & xfrm_napi_dev ) ;
if ( err )
gro_cells . cells = NULL ;
2005-04-16 15:20:36 -07:00
secpath_cachep = kmem_cache_create ( " secpath_cache " ,
sizeof ( struct sec_path ) ,
2006-08-26 19:25:52 -07:00
0 , SLAB_HWCACHE_ALIGN | SLAB_PANIC ,
2007-07-20 10:11:58 +09:00
NULL ) ;
2005-04-16 15:20:36 -07:00
}