1 #define pr_fmt(fmt) "IPsec: " fmt
3 #include <crypto/aead.h>
4 #include <crypto/authenc.h>
6 #include <linux/module.h>
10 #include <linux/scatterlist.h>
11 #include <linux/kernel.h>
12 #include <linux/pfkeyv2.h>
13 #include <linux/rtnetlink.h>
14 #include <linux/slab.h>
15 #include <linux/spinlock.h>
16 #include <linux/in6.h>
18 #include <net/protocol.h>
22 struct xfrm_skb_cb xfrm
;
26 struct esp_output_extra
{
31 #define ESP_SKB_CB(__skb) ((struct esp_skb_cb *)&((__skb)->cb[0]))
33 static u32
esp4_get_mtu(struct xfrm_state
*x
, int mtu
);
36 * Allocate an AEAD request structure with extra space for SG and IV.
38 * For alignment considerations the IV is placed at the front, followed
39 * by the request and finally the SG list.
41 * TODO: Use spare space in skb for this where possible.
43 static void *esp_alloc_tmp(struct crypto_aead
*aead
, int nfrags
, int extralen
)
49 len
+= crypto_aead_ivsize(aead
);
52 len
+= crypto_aead_alignmask(aead
) &
53 ~(crypto_tfm_ctx_alignment() - 1);
54 len
= ALIGN(len
, crypto_tfm_ctx_alignment());
57 len
+= sizeof(struct aead_request
) + crypto_aead_reqsize(aead
);
58 len
= ALIGN(len
, __alignof__(struct scatterlist
));
60 len
+= sizeof(struct scatterlist
) * nfrags
;
62 return kmalloc(len
, GFP_ATOMIC
);
65 static inline void *esp_tmp_extra(void *tmp
)
67 return PTR_ALIGN(tmp
, __alignof__(struct esp_output_extra
));
70 static inline u8
*esp_tmp_iv(struct crypto_aead
*aead
, void *tmp
, int extralen
)
72 return crypto_aead_ivsize(aead
) ?
73 PTR_ALIGN((u8
*)tmp
+ extralen
,
74 crypto_aead_alignmask(aead
) + 1) : tmp
+ extralen
;
77 static inline struct aead_request
*esp_tmp_req(struct crypto_aead
*aead
, u8
*iv
)
79 struct aead_request
*req
;
81 req
= (void *)PTR_ALIGN(iv
+ crypto_aead_ivsize(aead
),
82 crypto_tfm_ctx_alignment());
83 aead_request_set_tfm(req
, aead
);
87 static inline struct scatterlist
*esp_req_sg(struct crypto_aead
*aead
,
88 struct aead_request
*req
)
90 return (void *)ALIGN((unsigned long)(req
+ 1) +
91 crypto_aead_reqsize(aead
),
92 __alignof__(struct scatterlist
));
95 static void esp_output_done(struct crypto_async_request
*base
, int err
)
97 struct sk_buff
*skb
= base
->data
;
99 kfree(ESP_SKB_CB(skb
)->tmp
);
100 xfrm_output_resume(skb
, err
);
103 /* Move ESP header back into place. */
104 static void esp_restore_header(struct sk_buff
*skb
, unsigned int offset
)
106 struct ip_esp_hdr
*esph
= (void *)(skb
->data
+ offset
);
107 void *tmp
= ESP_SKB_CB(skb
)->tmp
;
108 __be32
*seqhi
= esp_tmp_extra(tmp
);
110 esph
->seq_no
= esph
->spi
;
114 static void esp_output_restore_header(struct sk_buff
*skb
)
116 void *tmp
= ESP_SKB_CB(skb
)->tmp
;
117 struct esp_output_extra
*extra
= esp_tmp_extra(tmp
);
119 esp_restore_header(skb
, skb_transport_offset(skb
) + extra
->esphoff
-
123 static void esp_output_done_esn(struct crypto_async_request
*base
, int err
)
125 struct sk_buff
*skb
= base
->data
;
127 esp_output_restore_header(skb
);
128 esp_output_done(base
, err
);
131 static int esp_output(struct xfrm_state
*x
, struct sk_buff
*skb
)
134 struct esp_output_extra
*extra
;
135 struct ip_esp_hdr
*esph
;
136 struct crypto_aead
*aead
;
137 struct aead_request
*req
;
138 struct scatterlist
*sg
;
139 struct sk_buff
*trailer
;
154 /* skb is pure payload to encrypt */
157 alen
= crypto_aead_authsize(aead
);
158 ivlen
= crypto_aead_ivsize(aead
);
162 struct xfrm_dst
*dst
= (struct xfrm_dst
*)skb_dst(skb
);
165 padto
= min(x
->tfcpad
, esp4_get_mtu(x
, dst
->child_mtu_cached
));
166 if (skb
->len
< padto
)
167 tfclen
= padto
- skb
->len
;
169 blksize
= ALIGN(crypto_aead_blocksize(aead
), 4);
170 clen
= ALIGN(skb
->len
+ 2 + tfclen
, blksize
);
171 plen
= clen
- skb
->len
- tfclen
;
173 err
= skb_cow_data(skb
, tfclen
+ plen
+ alen
, &trailer
);
178 assoclen
= sizeof(*esph
);
181 if (x
->props
.flags
& XFRM_STATE_ESN
) {
182 extralen
+= sizeof(*extra
);
183 assoclen
+= sizeof(__be32
);
186 tmp
= esp_alloc_tmp(aead
, nfrags
, extralen
);
192 extra
= esp_tmp_extra(tmp
);
193 iv
= esp_tmp_iv(aead
, tmp
, extralen
);
194 req
= esp_tmp_req(aead
, iv
);
195 sg
= esp_req_sg(aead
, req
);
197 /* Fill padding... */
198 tail
= skb_tail_pointer(trailer
);
200 memset(tail
, 0, tfclen
);
205 for (i
= 0; i
< plen
- 2; i
++)
208 tail
[plen
- 2] = plen
- 2;
209 tail
[plen
- 1] = *skb_mac_header(skb
);
210 pskb_put(skb
, trailer
, clen
- skb
->len
+ alen
);
212 skb_push(skb
, -skb_network_offset(skb
));
213 esph
= ip_esp_hdr(skb
);
214 *skb_mac_header(skb
) = IPPROTO_ESP
;
216 /* this is non-NULL only with UDP Encapsulation */
218 struct xfrm_encap_tmpl
*encap
= x
->encap
;
224 spin_lock_bh(&x
->lock
);
225 sport
= encap
->encap_sport
;
226 dport
= encap
->encap_dport
;
227 encap_type
= encap
->encap_type
;
228 spin_unlock_bh(&x
->lock
);
230 uh
= (struct udphdr
*)esph
;
233 uh
->len
= htons(skb
->len
- skb_transport_offset(skb
));
236 switch (encap_type
) {
238 case UDP_ENCAP_ESPINUDP
:
239 esph
= (struct ip_esp_hdr
*)(uh
+ 1);
241 case UDP_ENCAP_ESPINUDP_NON_IKE
:
242 udpdata32
= (__be32
*)(uh
+ 1);
243 udpdata32
[0] = udpdata32
[1] = 0;
244 esph
= (struct ip_esp_hdr
*)(udpdata32
+ 2);
248 *skb_mac_header(skb
) = IPPROTO_UDP
;
251 esph
->seq_no
= htonl(XFRM_SKB_CB(skb
)->seq
.output
.low
);
253 aead_request_set_callback(req
, 0, esp_output_done
, skb
);
255 /* For ESN we move the header forward by 4 bytes to
256 * accomodate the high bits. We will move it back after
259 if ((x
->props
.flags
& XFRM_STATE_ESN
)) {
260 extra
->esphoff
= (unsigned char *)esph
-
261 skb_transport_header(skb
);
262 esph
= (struct ip_esp_hdr
*)((unsigned char *)esph
- 4);
263 extra
->seqhi
= esph
->spi
;
264 esph
->seq_no
= htonl(XFRM_SKB_CB(skb
)->seq
.output
.hi
);
265 aead_request_set_callback(req
, 0, esp_output_done_esn
, skb
);
268 esph
->spi
= x
->id
.spi
;
270 sg_init_table(sg
, nfrags
);
271 skb_to_sgvec(skb
, sg
,
272 (unsigned char *)esph
- skb
->data
,
273 assoclen
+ ivlen
+ clen
+ alen
);
275 aead_request_set_crypt(req
, sg
, sg
, ivlen
+ clen
, iv
);
276 aead_request_set_ad(req
, assoclen
);
278 seqno
= cpu_to_be64(XFRM_SKB_CB(skb
)->seq
.output
.low
+
279 ((u64
)XFRM_SKB_CB(skb
)->seq
.output
.hi
<< 32));
281 memset(iv
, 0, ivlen
);
282 memcpy(iv
+ ivlen
- min(ivlen
, 8), (u8
*)&seqno
+ 8 - min(ivlen
, 8),
285 ESP_SKB_CB(skb
)->tmp
= tmp
;
286 err
= crypto_aead_encrypt(req
);
297 if ((x
->props
.flags
& XFRM_STATE_ESN
))
298 esp_output_restore_header(skb
);
307 static int esp_input_done2(struct sk_buff
*skb
, int err
)
309 const struct iphdr
*iph
;
310 struct xfrm_state
*x
= xfrm_input_state(skb
);
311 struct crypto_aead
*aead
= x
->data
;
312 int alen
= crypto_aead_authsize(aead
);
313 int hlen
= sizeof(struct ip_esp_hdr
) + crypto_aead_ivsize(aead
);
314 int elen
= skb
->len
- hlen
;
319 kfree(ESP_SKB_CB(skb
)->tmp
);
324 if (skb_copy_bits(skb
, skb
->len
-alen
-2, nexthdr
, 2))
329 if (padlen
+ 2 + alen
>= elen
)
332 /* ... check padding bits here. Silly. :-) */
338 struct xfrm_encap_tmpl
*encap
= x
->encap
;
339 struct udphdr
*uh
= (void *)(skb_network_header(skb
) + ihl
);
342 * 1) if the NAT-T peer's IP or port changed then
343 * advertize the change to the keying daemon.
344 * This is an inbound SA, so just compare
347 if (iph
->saddr
!= x
->props
.saddr
.a4
||
348 uh
->source
!= encap
->encap_sport
) {
349 xfrm_address_t ipaddr
;
351 ipaddr
.a4
= iph
->saddr
;
352 km_new_mapping(x
, &ipaddr
, uh
->source
);
354 /* XXX: perhaps add an extra
355 * policy check here, to see
356 * if we should allow or
357 * reject a packet from a
364 * 2) ignore UDP/TCP checksums in case
365 * of NAT-T in Transport Mode, or
366 * perform other post-processing fixes
367 * as per draft-ietf-ipsec-udp-encaps-06,
370 if (x
->props
.mode
== XFRM_MODE_TRANSPORT
)
371 skb
->ip_summed
= CHECKSUM_UNNECESSARY
;
374 pskb_trim(skb
, skb
->len
- alen
- padlen
- 2);
375 __skb_pull(skb
, hlen
);
376 if (x
->props
.mode
== XFRM_MODE_TUNNEL
)
377 skb_reset_transport_header(skb
);
379 skb_set_transport_header(skb
, -ihl
);
383 /* RFC4303: Drop dummy packets without any error */
384 if (err
== IPPROTO_NONE
)
391 static void esp_input_done(struct crypto_async_request
*base
, int err
)
393 struct sk_buff
*skb
= base
->data
;
395 xfrm_input_resume(skb
, esp_input_done2(skb
, err
));
398 static void esp_input_restore_header(struct sk_buff
*skb
)
400 esp_restore_header(skb
, 0);
404 static void esp_input_done_esn(struct crypto_async_request
*base
, int err
)
406 struct sk_buff
*skb
= base
->data
;
408 esp_input_restore_header(skb
);
409 esp_input_done(base
, err
);
413 * Note: detecting truncated vs. non-truncated authentication data is very
414 * expensive, so we only support truncated data, which is the recommended
417 static int esp_input(struct xfrm_state
*x
, struct sk_buff
*skb
)
419 struct ip_esp_hdr
*esph
;
420 struct crypto_aead
*aead
= x
->data
;
421 struct aead_request
*req
;
422 struct sk_buff
*trailer
;
423 int ivlen
= crypto_aead_ivsize(aead
);
424 int elen
= skb
->len
- sizeof(*esph
) - ivlen
;
431 struct scatterlist
*sg
;
434 if (!pskb_may_pull(skb
, sizeof(*esph
) + ivlen
))
440 err
= skb_cow_data(skb
, 0, &trailer
);
446 assoclen
= sizeof(*esph
);
449 if (x
->props
.flags
& XFRM_STATE_ESN
) {
450 seqhilen
+= sizeof(__be32
);
451 assoclen
+= seqhilen
;
455 tmp
= esp_alloc_tmp(aead
, nfrags
, seqhilen
);
459 ESP_SKB_CB(skb
)->tmp
= tmp
;
460 seqhi
= esp_tmp_extra(tmp
);
461 iv
= esp_tmp_iv(aead
, tmp
, seqhilen
);
462 req
= esp_tmp_req(aead
, iv
);
463 sg
= esp_req_sg(aead
, req
);
465 skb
->ip_summed
= CHECKSUM_NONE
;
467 esph
= (struct ip_esp_hdr
*)skb
->data
;
469 aead_request_set_callback(req
, 0, esp_input_done
, skb
);
471 /* For ESN we move the header forward by 4 bytes to
472 * accomodate the high bits. We will move it back after
475 if ((x
->props
.flags
& XFRM_STATE_ESN
)) {
476 esph
= (void *)skb_push(skb
, 4);
478 esph
->spi
= esph
->seq_no
;
479 esph
->seq_no
= htonl(XFRM_SKB_CB(skb
)->seq
.input
.hi
);
480 aead_request_set_callback(req
, 0, esp_input_done_esn
, skb
);
483 sg_init_table(sg
, nfrags
);
484 skb_to_sgvec(skb
, sg
, 0, skb
->len
);
486 aead_request_set_crypt(req
, sg
, sg
, elen
+ ivlen
, iv
);
487 aead_request_set_ad(req
, assoclen
);
489 err
= crypto_aead_decrypt(req
);
490 if (err
== -EINPROGRESS
)
493 if ((x
->props
.flags
& XFRM_STATE_ESN
))
494 esp_input_restore_header(skb
);
496 err
= esp_input_done2(skb
, err
);
502 static u32
esp4_get_mtu(struct xfrm_state
*x
, int mtu
)
504 struct crypto_aead
*aead
= x
->data
;
505 u32 blksize
= ALIGN(crypto_aead_blocksize(aead
), 4);
506 unsigned int net_adj
;
508 switch (x
->props
.mode
) {
509 case XFRM_MODE_TRANSPORT
:
511 net_adj
= sizeof(struct iphdr
);
513 case XFRM_MODE_TUNNEL
:
520 return ((mtu
- x
->props
.header_len
- crypto_aead_authsize(aead
) -
521 net_adj
) & ~(blksize
- 1)) + net_adj
- 2;
524 static int esp4_err(struct sk_buff
*skb
, u32 info
)
526 struct net
*net
= dev_net(skb
->dev
);
527 const struct iphdr
*iph
= (const struct iphdr
*)skb
->data
;
528 struct ip_esp_hdr
*esph
= (struct ip_esp_hdr
*)(skb
->data
+(iph
->ihl
<<2));
529 struct xfrm_state
*x
;
531 switch (icmp_hdr(skb
)->type
) {
532 case ICMP_DEST_UNREACH
:
533 if (icmp_hdr(skb
)->code
!= ICMP_FRAG_NEEDED
)
541 x
= xfrm_state_lookup(net
, skb
->mark
, (const xfrm_address_t
*)&iph
->daddr
,
542 esph
->spi
, IPPROTO_ESP
, AF_INET
);
546 if (icmp_hdr(skb
)->type
== ICMP_DEST_UNREACH
)
547 ipv4_update_pmtu(skb
, net
, info
, 0, 0, IPPROTO_ESP
, 0);
549 ipv4_redirect(skb
, net
, 0, 0, IPPROTO_ESP
, 0);
555 static void esp_destroy(struct xfrm_state
*x
)
557 struct crypto_aead
*aead
= x
->data
;
562 crypto_free_aead(aead
);
565 static int esp_init_aead(struct xfrm_state
*x
)
567 char aead_name
[CRYPTO_MAX_ALG_NAME
];
568 struct crypto_aead
*aead
;
572 if (snprintf(aead_name
, CRYPTO_MAX_ALG_NAME
, "%s(%s)",
573 x
->geniv
, x
->aead
->alg_name
) >= CRYPTO_MAX_ALG_NAME
)
576 aead
= crypto_alloc_aead(aead_name
, 0, 0);
583 err
= crypto_aead_setkey(aead
, x
->aead
->alg_key
,
584 (x
->aead
->alg_key_len
+ 7) / 8);
588 err
= crypto_aead_setauthsize(aead
, x
->aead
->alg_icv_len
/ 8);
596 static int esp_init_authenc(struct xfrm_state
*x
)
598 struct crypto_aead
*aead
;
599 struct crypto_authenc_key_param
*param
;
603 char authenc_name
[CRYPTO_MAX_ALG_NAME
];
613 if ((x
->props
.flags
& XFRM_STATE_ESN
)) {
614 if (snprintf(authenc_name
, CRYPTO_MAX_ALG_NAME
,
615 "%s%sauthencesn(%s,%s)%s",
616 x
->geniv
?: "", x
->geniv
? "(" : "",
617 x
->aalg
? x
->aalg
->alg_name
: "digest_null",
619 x
->geniv
? ")" : "") >= CRYPTO_MAX_ALG_NAME
)
622 if (snprintf(authenc_name
, CRYPTO_MAX_ALG_NAME
,
623 "%s%sauthenc(%s,%s)%s",
624 x
->geniv
?: "", x
->geniv
? "(" : "",
625 x
->aalg
? x
->aalg
->alg_name
: "digest_null",
627 x
->geniv
? ")" : "") >= CRYPTO_MAX_ALG_NAME
)
631 aead
= crypto_alloc_aead(authenc_name
, 0, 0);
638 keylen
= (x
->aalg
? (x
->aalg
->alg_key_len
+ 7) / 8 : 0) +
639 (x
->ealg
->alg_key_len
+ 7) / 8 + RTA_SPACE(sizeof(*param
));
641 key
= kmalloc(keylen
, GFP_KERNEL
);
647 rta
->rta_type
= CRYPTO_AUTHENC_KEYA_PARAM
;
648 rta
->rta_len
= RTA_LENGTH(sizeof(*param
));
649 param
= RTA_DATA(rta
);
650 p
+= RTA_SPACE(sizeof(*param
));
653 struct xfrm_algo_desc
*aalg_desc
;
655 memcpy(p
, x
->aalg
->alg_key
, (x
->aalg
->alg_key_len
+ 7) / 8);
656 p
+= (x
->aalg
->alg_key_len
+ 7) / 8;
658 aalg_desc
= xfrm_aalg_get_byname(x
->aalg
->alg_name
, 0);
662 if (aalg_desc
->uinfo
.auth
.icv_fullbits
/ 8 !=
663 crypto_aead_authsize(aead
)) {
664 pr_info("ESP: %s digestsize %u != %hu\n",
666 crypto_aead_authsize(aead
),
667 aalg_desc
->uinfo
.auth
.icv_fullbits
/ 8);
671 err
= crypto_aead_setauthsize(
672 aead
, x
->aalg
->alg_trunc_len
/ 8);
677 param
->enckeylen
= cpu_to_be32((x
->ealg
->alg_key_len
+ 7) / 8);
678 memcpy(p
, x
->ealg
->alg_key
, (x
->ealg
->alg_key_len
+ 7) / 8);
680 err
= crypto_aead_setkey(aead
, key
, keylen
);
689 static int esp_init_state(struct xfrm_state
*x
)
691 struct crypto_aead
*aead
;
698 err
= esp_init_aead(x
);
700 err
= esp_init_authenc(x
);
707 x
->props
.header_len
= sizeof(struct ip_esp_hdr
) +
708 crypto_aead_ivsize(aead
);
709 if (x
->props
.mode
== XFRM_MODE_TUNNEL
)
710 x
->props
.header_len
+= sizeof(struct iphdr
);
711 else if (x
->props
.mode
== XFRM_MODE_BEET
&& x
->sel
.family
!= AF_INET6
)
712 x
->props
.header_len
+= IPV4_BEET_PHMAXLEN
;
714 struct xfrm_encap_tmpl
*encap
= x
->encap
;
716 switch (encap
->encap_type
) {
719 case UDP_ENCAP_ESPINUDP
:
720 x
->props
.header_len
+= sizeof(struct udphdr
);
722 case UDP_ENCAP_ESPINUDP_NON_IKE
:
723 x
->props
.header_len
+= sizeof(struct udphdr
) + 2 * sizeof(u32
);
728 align
= ALIGN(crypto_aead_blocksize(aead
), 4);
729 x
->props
.trailer_len
= align
+ 1 + crypto_aead_authsize(aead
);
735 static int esp4_rcv_cb(struct sk_buff
*skb
, int err
)
740 static const struct xfrm_type esp_type
=
742 .description
= "ESP4",
743 .owner
= THIS_MODULE
,
744 .proto
= IPPROTO_ESP
,
745 .flags
= XFRM_TYPE_REPLAY_PROT
,
746 .init_state
= esp_init_state
,
747 .destructor
= esp_destroy
,
748 .get_mtu
= esp4_get_mtu
,
753 static struct xfrm4_protocol esp4_protocol
= {
754 .handler
= xfrm4_rcv
,
755 .input_handler
= xfrm_input
,
756 .cb_handler
= esp4_rcv_cb
,
757 .err_handler
= esp4_err
,
761 static int __init
esp4_init(void)
763 if (xfrm_register_type(&esp_type
, AF_INET
) < 0) {
764 pr_info("%s: can't add xfrm type\n", __func__
);
767 if (xfrm4_protocol_register(&esp4_protocol
, IPPROTO_ESP
) < 0) {
768 pr_info("%s: can't add protocol\n", __func__
);
769 xfrm_unregister_type(&esp_type
, AF_INET
);
775 static void __exit
esp4_fini(void)
777 if (xfrm4_protocol_deregister(&esp4_protocol
, IPPROTO_ESP
) < 0)
778 pr_info("%s: can't remove protocol\n", __func__
);
779 if (xfrm_unregister_type(&esp_type
, AF_INET
) < 0)
780 pr_info("%s: can't remove xfrm type\n", __func__
);
783 module_init(esp4_init
);
784 module_exit(esp4_fini
);
785 MODULE_LICENSE("GPL");
786 MODULE_ALIAS_XFRM_TYPE(AF_INET
, XFRM_PROTO_ESP
);