2006-08-20 14:24:50 +10:00
# include <linux/err.h>
2005-04-16 15:20:36 -07:00
# include <linux/module.h>
# include <net/ip.h>
# include <net/xfrm.h>
# include <net/ah.h>
# include <linux/crypto.h>
# include <linux/pfkeyv2.h>
# include <net/icmp.h>
2005-12-27 02:43:12 -02:00
# include <net/protocol.h>
2005-04-16 15:20:36 -07:00
# include <asm/scatterlist.h>
/* Clear mutable options and find final destination to substitute
* into IP header for icv calculation . Options are already checked
* for validity , so paranoia is not required . */
2006-11-08 00:23:14 -08:00
static int ip_clear_mutable_options ( struct iphdr * iph , __be32 * daddr )
2005-04-16 15:20:36 -07:00
{
unsigned char * optptr = ( unsigned char * ) ( iph + 1 ) ;
int l = iph - > ihl * 4 - sizeof ( struct iphdr ) ;
int optlen ;
while ( l > 0 ) {
switch ( * optptr ) {
case IPOPT_END :
return 0 ;
case IPOPT_NOOP :
l - - ;
optptr + + ;
continue ;
}
optlen = optptr [ 1 ] ;
if ( optlen < 2 | | optlen > l )
return - EINVAL ;
switch ( * optptr ) {
case IPOPT_SEC :
case 0x85 : /* Some "Extended Security" crap. */
2006-08-03 16:46:20 -07:00
case IPOPT_CIPSO :
2005-04-16 15:20:36 -07:00
case IPOPT_RA :
case 0x80 | 21 : /* RFC1770 */
break ;
case IPOPT_LSRR :
case IPOPT_SSRR :
if ( optlen < 6 )
return - EINVAL ;
memcpy ( daddr , optptr + optlen - 4 , 4 ) ;
/* Fall through */
default :
memset ( optptr + 2 , 0 , optlen - 2 ) ;
}
l - = optlen ;
optptr + = optlen ;
}
return 0 ;
}
static int ah_output ( struct xfrm_state * x , struct sk_buff * skb )
{
int err ;
struct iphdr * iph , * top_iph ;
struct ip_auth_hdr * ah ;
struct ah_data * ahp ;
union {
struct iphdr iph ;
char buf [ 60 ] ;
} tmp_iph ;
top_iph = skb - > nh . iph ;
iph = & tmp_iph . iph ;
iph - > tos = top_iph - > tos ;
iph - > ttl = top_iph - > ttl ;
iph - > frag_off = top_iph - > frag_off ;
if ( top_iph - > ihl ! = 5 ) {
iph - > daddr = top_iph - > daddr ;
memcpy ( iph + 1 , top_iph + 1 , top_iph - > ihl * 4 - sizeof ( struct iphdr ) ) ;
err = ip_clear_mutable_options ( top_iph , & top_iph - > daddr ) ;
if ( err )
goto error ;
}
ah = ( struct ip_auth_hdr * ) ( ( char * ) top_iph + top_iph - > ihl * 4 ) ;
ah - > nexthdr = top_iph - > protocol ;
top_iph - > tos = 0 ;
top_iph - > tot_len = htons ( skb - > len ) ;
top_iph - > frag_off = 0 ;
top_iph - > ttl = 0 ;
top_iph - > protocol = IPPROTO_AH ;
top_iph - > check = 0 ;
ahp = x - > data ;
ah - > hdrlen = ( XFRM_ALIGN8 ( sizeof ( struct ip_auth_hdr ) +
ahp - > icv_trunc_len ) > > 2 ) - 2 ;
ah - > reserved = 0 ;
ah - > spi = x - > id . spi ;
ah - > seq_no = htonl ( + + x - > replay . oseq ) ;
2006-03-20 19:15:29 -08:00
xfrm_aevent_doreplay ( x ) ;
2006-08-20 14:24:50 +10:00
err = ah_mac_digest ( ahp , skb , ah - > auth_data ) ;
if ( err )
goto error ;
memcpy ( ah - > auth_data , ahp - > work_icv , ahp - > icv_trunc_len ) ;
2005-04-16 15:20:36 -07:00
top_iph - > tos = iph - > tos ;
top_iph - > ttl = iph - > ttl ;
top_iph - > frag_off = iph - > frag_off ;
if ( top_iph - > ihl ! = 5 ) {
top_iph - > daddr = iph - > daddr ;
memcpy ( top_iph + 1 , iph + 1 , top_iph - > ihl * 4 - sizeof ( struct iphdr ) ) ;
}
ip_send_check ( top_iph ) ;
err = 0 ;
error :
return err ;
}
2006-04-01 00:52:46 -08:00
static int ah_input ( struct xfrm_state * x , struct sk_buff * skb )
2005-04-16 15:20:36 -07:00
{
int ah_hlen ;
2006-05-27 23:06:13 -07:00
int ihl ;
2006-08-20 14:24:50 +10:00
int err = - EINVAL ;
2005-04-16 15:20:36 -07:00
struct iphdr * iph ;
struct ip_auth_hdr * ah ;
struct ah_data * ahp ;
char work_buf [ 60 ] ;
if ( ! pskb_may_pull ( skb , sizeof ( struct ip_auth_hdr ) ) )
goto out ;
ah = ( struct ip_auth_hdr * ) skb - > data ;
ahp = x - > data ;
ah_hlen = ( ah - > hdrlen + 2 ) < < 2 ;
if ( ah_hlen ! = XFRM_ALIGN8 ( sizeof ( struct ip_auth_hdr ) + ahp - > icv_full_len ) & &
ah_hlen ! = XFRM_ALIGN8 ( sizeof ( struct ip_auth_hdr ) + ahp - > icv_trunc_len ) )
goto out ;
if ( ! pskb_may_pull ( skb , ah_hlen ) )
goto out ;
/* We are going to _remove_ AH header to keep sockets happy,
* so . . . Later this can change . */
if ( skb_cloned ( skb ) & &
pskb_expand_head ( skb , 0 , 0 , GFP_ATOMIC ) )
goto out ;
skb - > ip_summed = CHECKSUM_NONE ;
ah = ( struct ip_auth_hdr * ) skb - > data ;
iph = skb - > nh . iph ;
2006-05-27 23:06:13 -07:00
ihl = skb - > data - skb - > nh . raw ;
memcpy ( work_buf , iph , ihl ) ;
2005-04-16 15:20:36 -07:00
iph - > ttl = 0 ;
iph - > tos = 0 ;
iph - > frag_off = 0 ;
iph - > check = 0 ;
2006-05-27 23:06:13 -07:00
if ( ihl > sizeof ( * iph ) ) {
2006-11-08 00:23:14 -08:00
__be32 dummy ;
2005-04-16 15:20:36 -07:00
if ( ip_clear_mutable_options ( iph , & dummy ) )
goto out ;
}
{
u8 auth_data [ MAX_AH_AUTH_LEN ] ;
memcpy ( auth_data , ah - > auth_data , ahp - > icv_trunc_len ) ;
2006-05-27 23:06:13 -07:00
skb_push ( skb , ihl ) ;
2006-08-20 14:24:50 +10:00
err = ah_mac_digest ( ahp , skb , ah - > auth_data ) ;
if ( err )
goto out ;
err = - EINVAL ;
if ( memcmp ( ahp - > work_icv , auth_data , ahp - > icv_trunc_len ) ) {
2005-04-16 15:20:36 -07:00
x - > stats . integrity_failed + + ;
goto out ;
}
}
( ( struct iphdr * ) work_buf ) - > protocol = ah - > nexthdr ;
2006-05-27 23:06:13 -07:00
skb - > h . raw = memcpy ( skb - > nh . raw + = ah_hlen , work_buf , ihl ) ;
__skb_pull ( skb , ah_hlen + ihl ) ;
2005-04-16 15:20:36 -07:00
return 0 ;
out :
2006-08-20 14:24:50 +10:00
return err ;
2005-04-16 15:20:36 -07:00
}
static void ah4_err ( struct sk_buff * skb , u32 info )
{
struct iphdr * iph = ( struct iphdr * ) skb - > data ;
struct ip_auth_hdr * ah = ( struct ip_auth_hdr * ) ( skb - > data + ( iph - > ihl < < 2 ) ) ;
struct xfrm_state * x ;
if ( skb - > h . icmph - > type ! = ICMP_DEST_UNREACH | |
skb - > h . icmph - > code ! = ICMP_FRAG_NEEDED )
return ;
x = xfrm_state_lookup ( ( xfrm_address_t * ) & iph - > daddr , ah - > spi , IPPROTO_AH , AF_INET ) ;
if ( ! x )
return ;
printk ( KERN_DEBUG " pmtu discovery on SA AH/%08x/%08x \n " ,
ntohl ( ah - > spi ) , ntohl ( iph - > daddr ) ) ;
xfrm_state_put ( x ) ;
}
2005-06-20 13:18:08 -07:00
static int ah_init_state ( struct xfrm_state * x )
2005-04-16 15:20:36 -07:00
{
struct ah_data * ahp = NULL ;
struct xfrm_algo_desc * aalg_desc ;
2006-08-20 14:24:50 +10:00
struct crypto_hash * tfm ;
2005-04-16 15:20:36 -07:00
if ( ! x - > aalg )
goto error ;
/* null auth can use a zero length key */
if ( x - > aalg - > alg_key_len > 512 )
goto error ;
if ( x - > encap )
goto error ;
2006-07-21 14:51:30 -07:00
ahp = kzalloc ( sizeof ( * ahp ) , GFP_KERNEL ) ;
2005-04-16 15:20:36 -07:00
if ( ahp = = NULL )
return - ENOMEM ;
ahp - > key = x - > aalg - > alg_key ;
ahp - > key_len = ( x - > aalg - > alg_key_len + 7 ) / 8 ;
2006-08-20 14:24:50 +10:00
tfm = crypto_alloc_hash ( x - > aalg - > alg_name , 0 , CRYPTO_ALG_ASYNC ) ;
if ( IS_ERR ( tfm ) )
goto error ;
ahp - > tfm = tfm ;
if ( crypto_hash_setkey ( tfm , ahp - > key , ahp - > key_len ) )
2005-04-16 15:20:36 -07:00
goto error ;
/*
* Lookup the algorithm description maintained by xfrm_algo ,
* verify crypto transform properties , and store information
* we need for AH processing . This lookup cannot fail here
2006-08-20 14:24:50 +10:00
* after a successful crypto_alloc_hash ( ) .
2005-04-16 15:20:36 -07:00
*/
aalg_desc = xfrm_aalg_get_byname ( x - > aalg - > alg_name , 0 ) ;
BUG_ON ( ! aalg_desc ) ;
if ( aalg_desc - > uinfo . auth . icv_fullbits / 8 ! =
2006-08-20 14:24:50 +10:00
crypto_hash_digestsize ( tfm ) ) {
2005-04-16 15:20:36 -07:00
printk ( KERN_INFO " AH: %s digestsize %u != %hu \n " ,
2006-08-20 14:24:50 +10:00
x - > aalg - > alg_name , crypto_hash_digestsize ( tfm ) ,
2005-04-16 15:20:36 -07:00
aalg_desc - > uinfo . auth . icv_fullbits / 8 ) ;
goto error ;
}
ahp - > icv_full_len = aalg_desc - > uinfo . auth . icv_fullbits / 8 ;
ahp - > icv_trunc_len = aalg_desc - > uinfo . auth . icv_truncbits / 8 ;
BUG_ON ( ahp - > icv_trunc_len > MAX_AH_AUTH_LEN ) ;
ahp - > work_icv = kmalloc ( ahp - > icv_full_len , GFP_KERNEL ) ;
if ( ! ahp - > work_icv )
goto error ;
x - > props . header_len = XFRM_ALIGN8 ( sizeof ( struct ip_auth_hdr ) + ahp - > icv_trunc_len ) ;
2006-09-22 15:05:15 -07:00
if ( x - > props . mode = = XFRM_MODE_TUNNEL )
2005-04-16 15:20:36 -07:00
x - > props . header_len + = sizeof ( struct iphdr ) ;
x - > data = ahp ;
return 0 ;
error :
if ( ahp ) {
2005-09-01 17:44:29 -07:00
kfree ( ahp - > work_icv ) ;
2006-08-20 14:24:50 +10:00
crypto_free_hash ( ahp - > tfm ) ;
2005-04-16 15:20:36 -07:00
kfree ( ahp ) ;
}
return - EINVAL ;
}
static void ah_destroy ( struct xfrm_state * x )
{
struct ah_data * ahp = x - > data ;
if ( ! ahp )
return ;
2005-09-01 17:44:29 -07:00
kfree ( ahp - > work_icv ) ;
ahp - > work_icv = NULL ;
2006-08-20 14:24:50 +10:00
crypto_free_hash ( ahp - > tfm ) ;
2005-09-01 17:44:29 -07:00
ahp - > tfm = NULL ;
2005-04-16 15:20:36 -07:00
kfree ( ahp ) ;
}
static struct xfrm_type ah_type =
{
. description = " AH4 " ,
. owner = THIS_MODULE ,
. proto = IPPROTO_AH ,
. init_state = ah_init_state ,
. destructor = ah_destroy ,
. input = ah_input ,
. output = ah_output
} ;
static struct net_protocol ah4_protocol = {
. handler = xfrm4_rcv ,
. err_handler = ah4_err ,
. no_policy = 1 ,
} ;
static int __init ah4_init ( void )
{
if ( xfrm_register_type ( & ah_type , AF_INET ) < 0 ) {
printk ( KERN_INFO " ip ah init: can't add xfrm type \n " ) ;
return - EAGAIN ;
}
if ( inet_add_protocol ( & ah4_protocol , IPPROTO_AH ) < 0 ) {
printk ( KERN_INFO " ip ah init: can't add protocol \n " ) ;
xfrm_unregister_type ( & ah_type , AF_INET ) ;
return - EAGAIN ;
}
return 0 ;
}
static void __exit ah4_fini ( void )
{
if ( inet_del_protocol ( & ah4_protocol , IPPROTO_AH ) < 0 )
printk ( KERN_INFO " ip ah close: can't remove protocol \n " ) ;
if ( xfrm_unregister_type ( & ah_type , AF_INET ) < 0 )
printk ( KERN_INFO " ip ah close: can't remove xfrm type \n " ) ;
}
module_init ( ah4_init ) ;
module_exit ( ah4_fini ) ;
MODULE_LICENSE ( " GPL " ) ;