mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2024-08-23 17:30:02 +00:00
dbe69e4337
Core:
- BPF:
- add syscall program type and libbpf support for generating
instructions and bindings for in-kernel BPF loaders (BPF loaders
for BPF), this is a stepping stone for signed BPF programs
- infrastructure to migrate TCP child sockets from one listener
to another in the same reuseport group/map to improve flexibility
of service hand-off/restart
- add broadcast support to XDP redirect
- allow bypass of the lockless qdisc to improving performance
(for pktgen: +23% with one thread, +44% with 2 threads)
- add a simpler version of "DO_ONCE()" which does not require
jump labels, intended for slow-path usage
- virtio/vsock: introduce SOCK_SEQPACKET support
- add getsocketopt to retrieve netns cookie
- ip: treat lowest address of a IPv4 subnet as ordinary unicast address
allowing reclaiming of precious IPv4 addresses
- ipv6: use prandom_u32() for ID generation
- ip: add support for more flexible field selection for hashing
across multi-path routes (w/ offload to mlxsw)
- icmp: add support for extended RFC 8335 PROBE (ping)
- seg6: add support for SRv6 End.DT46 behavior
- mptcp:
- DSS checksum support (RFC 8684) to detect middlebox meddling
- support Connection-time 'C' flag
- time stamping support
- sctp: packetization Layer Path MTU Discovery (RFC 8899)
- xfrm: speed up state addition with seq set
- WiFi:
- hidden AP discovery on 6 GHz and other HE 6 GHz improvements
- aggregation handling improvements for some drivers
- minstrel improvements for no-ack frames
- deferred rate control for TXQs to improve reaction times
- switch from round robin to virtual time-based airtime scheduler
- add trace points:
- tcp checksum errors
- openvswitch - action execution, upcalls
- socket errors via sk_error_report
Device APIs:
- devlink: add rate API for hierarchical control of max egress rate
of virtual devices (VFs, SFs etc.)
- don't require RCU read lock to be held around BPF hooks
in NAPI context
- page_pool: generic buffer recycling
New hardware/drivers:
- mobile:
- iosm: PCIe Driver for Intel M.2 Modem
- support for Qualcomm MSM8998 (ipa)
- WiFi: Qualcomm QCN9074 and WCN6855 PCI devices
- sparx5: Microchip SparX-5 family of Enterprise Ethernet switches
- Mellanox BlueField Gigabit Ethernet (control NIC of the DPU)
- NXP SJA1110 Automotive Ethernet 10-port switch
- Qualcomm QCA8327 switch support (qca8k)
- Mikrotik 10/25G NIC (atl1c)
Driver changes:
- ACPI support for some MDIO, MAC and PHY devices from Marvell and NXP
(our first foray into MAC/PHY description via ACPI)
- HW timestamping (PTP) support: bnxt_en, ice, sja1105, hns3, tja11xx
- Mellanox/Nvidia NIC (mlx5)
- NIC VF offload of L2 bridging
- support IRQ distribution to Sub-functions
- Marvell (prestera):
- add flower and match all
- devlink trap
- link aggregation
- Netronome (nfp): connection tracking offload
- Intel 1GE (igc): add AF_XDP support
- Marvell DPU (octeontx2): ingress ratelimit offload
- Google vNIC (gve): new ring/descriptor format support
- Qualcomm mobile (rmnet & ipa): inline checksum offload support
- MediaTek WiFi (mt76)
- mt7915 MSI support
- mt7915 Tx status reporting
- mt7915 thermal sensors support
- mt7921 decapsulation offload
- mt7921 enable runtime pm and deep sleep
- Realtek WiFi (rtw88)
- beacon filter support
- Tx antenna path diversity support
- firmware crash information via devcoredump
- Qualcomm 60GHz WiFi (wcn36xx)
- Wake-on-WLAN support with magic packets and GTK rekeying
- Micrel PHY (ksz886x/ksz8081): add cable test support
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEE6jPA+I1ugmIBA4hXMUZtbf5SIrsFAmDb+fUACgkQMUZtbf5S
Irs2Jg//aqN0Q8CgIvYCVhPxQw1tY7pTAbgyqgBZ01vwjyvtIOgJiWzSfFEU84mX
M8fcpFX5eTKrOyJ9S6UFfQ/JG114n3hjAxFFT4Hxk2gC1Tg0vHuFQTDHcUl28bUE
mTm61e1YpdorILnv2k5JVQ/wu0vs5QKDrjcYcrcPnh+j93wvnPOgAfDBV95nZzjS
OTt4q2fR8GzLcSYWWsclMbDNkzyTG50RW/0Yd6aGjr5QGvXfrMeXfUJNz533PMf/
w5lNyjRKv+x9mdTZJzU0+msNUrZgUdRz7W8Ey8lD3hJZRE+D6/uU7FtsE8Mi3+uc
HWxeZUyzA3YF1MfVl/eesbxyPT7S/OkLzk4O5B35FbqP0YltaP+bOjq1/nM3ce1/
io9Dx9pIl/2JANUgRCAtLi8Z2dkvRoqTaBxZ/nPudCCljFwDwl6joTMJ7Ow22i5Y
5aIkcXFmZq4LbJDiHvbTlqT7yiuaEvu2UK/23bSIg/K3nF4eAmkY9Y1EgiMf60OF
78Ttw0wk2tUegwaS5MZnCniKBKDyl9gM2F6rbZ/IxQRR2LTXFc1B6gC+ynUxgXfh
Ub8O++6qGYGYZ0XvQH4pzco79p3qQWBTK5beIp2eu6BOAjBVIXq4AibUfoQLACsu
hX7jMPYd0kc3WFgUnKgQP8EnjFSwbf4XiaE7fIXvWBY8hzCw2h4=
=LvtX
-----END PGP SIGNATURE-----
Merge tag 'net-next-5.14' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next
Pull networking updates from Jakub Kicinski:
"Core:
- BPF:
- add syscall program type and libbpf support for generating
instructions and bindings for in-kernel BPF loaders (BPF loaders
for BPF), this is a stepping stone for signed BPF programs
- infrastructure to migrate TCP child sockets from one listener to
another in the same reuseport group/map to improve flexibility
of service hand-off/restart
- add broadcast support to XDP redirect
- allow bypass of the lockless qdisc to improving performance (for
pktgen: +23% with one thread, +44% with 2 threads)
- add a simpler version of "DO_ONCE()" which does not require jump
labels, intended for slow-path usage
- virtio/vsock: introduce SOCK_SEQPACKET support
- add getsocketopt to retrieve netns cookie
- ip: treat lowest address of a IPv4 subnet as ordinary unicast
address allowing reclaiming of precious IPv4 addresses
- ipv6: use prandom_u32() for ID generation
- ip: add support for more flexible field selection for hashing
across multi-path routes (w/ offload to mlxsw)
- icmp: add support for extended RFC 8335 PROBE (ping)
- seg6: add support for SRv6 End.DT46 behavior
- mptcp:
- DSS checksum support (RFC 8684) to detect middlebox meddling
- support Connection-time 'C' flag
- time stamping support
- sctp: packetization Layer Path MTU Discovery (RFC 8899)
- xfrm: speed up state addition with seq set
- WiFi:
- hidden AP discovery on 6 GHz and other HE 6 GHz improvements
- aggregation handling improvements for some drivers
- minstrel improvements for no-ack frames
- deferred rate control for TXQs to improve reaction times
- switch from round robin to virtual time-based airtime scheduler
- add trace points:
- tcp checksum errors
- openvswitch - action execution, upcalls
- socket errors via sk_error_report
Device APIs:
- devlink: add rate API for hierarchical control of max egress rate
of virtual devices (VFs, SFs etc.)
- don't require RCU read lock to be held around BPF hooks in NAPI
context
- page_pool: generic buffer recycling
New hardware/drivers:
- mobile:
- iosm: PCIe Driver for Intel M.2 Modem
- support for Qualcomm MSM8998 (ipa)
- WiFi: Qualcomm QCN9074 and WCN6855 PCI devices
- sparx5: Microchip SparX-5 family of Enterprise Ethernet switches
- Mellanox BlueField Gigabit Ethernet (control NIC of the DPU)
- NXP SJA1110 Automotive Ethernet 10-port switch
- Qualcomm QCA8327 switch support (qca8k)
- Mikrotik 10/25G NIC (atl1c)
Driver changes:
- ACPI support for some MDIO, MAC and PHY devices from Marvell and
NXP (our first foray into MAC/PHY description via ACPI)
- HW timestamping (PTP) support: bnxt_en, ice, sja1105, hns3, tja11xx
- Mellanox/Nvidia NIC (mlx5)
- NIC VF offload of L2 bridging
- support IRQ distribution to Sub-functions
- Marvell (prestera):
- add flower and match all
- devlink trap
- link aggregation
- Netronome (nfp): connection tracking offload
- Intel 1GE (igc): add AF_XDP support
- Marvell DPU (octeontx2): ingress ratelimit offload
- Google vNIC (gve): new ring/descriptor format support
- Qualcomm mobile (rmnet & ipa): inline checksum offload support
- MediaTek WiFi (mt76)
- mt7915 MSI support
- mt7915 Tx status reporting
- mt7915 thermal sensors support
- mt7921 decapsulation offload
- mt7921 enable runtime pm and deep sleep
- Realtek WiFi (rtw88)
- beacon filter support
- Tx antenna path diversity support
- firmware crash information via devcoredump
- Qualcomm WiFi (wcn36xx)
- Wake-on-WLAN support with magic packets and GTK rekeying
- Micrel PHY (ksz886x/ksz8081): add cable test support"
* tag 'net-next-5.14' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next: (2168 commits)
tcp: change ICSK_CA_PRIV_SIZE definition
tcp_yeah: check struct yeah size at compile time
gve: DQO: Fix off by one in gve_rx_dqo()
stmmac: intel: set PCI_D3hot in suspend
stmmac: intel: Enable PHY WOL option in EHL
net: stmmac: option to enable PHY WOL with PMT enabled
net: say "local" instead of "static" addresses in ndo_dflt_fdb_{add,del}
net: use netdev_info in ndo_dflt_fdb_{add,del}
ptp: Set lookup cookie when creating a PTP PPS source.
net: sock: add trace for socket errors
net: sock: introduce sk_error_report
net: dsa: replay the local bridge FDB entries pointing to the bridge dev too
net: dsa: ensure during dsa_fdb_offload_notify that dev_hold and dev_put are on the same dev
net: dsa: include fdb entries pointing to bridge in the host fdb list
net: dsa: include bridge addresses which are local in the host fdb list
net: dsa: sync static FDB entries on foreign interfaces to hardware
net: dsa: install the host MDB and FDB entries in the master's RX filter
net: dsa: reference count the FDB addresses at the cross-chip notifier level
net: dsa: introduce a separate cross-chip notifier type for host FDBs
net: dsa: reference count the MDB entries at the cross-chip notifier level
...
599 lines
14 KiB
C
599 lines
14 KiB
C
// SPDX-License-Identifier: GPL-2.0-only
|
|
#define pr_fmt(fmt) "IPsec: " fmt
|
|
|
|
#include <crypto/algapi.h>
|
|
#include <crypto/hash.h>
|
|
#include <linux/err.h>
|
|
#include <linux/module.h>
|
|
#include <linux/slab.h>
|
|
#include <net/ip.h>
|
|
#include <net/xfrm.h>
|
|
#include <net/ah.h>
|
|
#include <linux/crypto.h>
|
|
#include <linux/pfkeyv2.h>
|
|
#include <linux/scatterlist.h>
|
|
#include <net/icmp.h>
|
|
#include <net/protocol.h>
|
|
|
|
struct ah_skb_cb {
|
|
struct xfrm_skb_cb xfrm;
|
|
void *tmp;
|
|
};
|
|
|
|
#define AH_SKB_CB(__skb) ((struct ah_skb_cb *)&((__skb)->cb[0]))
|
|
|
|
static void *ah_alloc_tmp(struct crypto_ahash *ahash, int nfrags,
|
|
unsigned int size)
|
|
{
|
|
unsigned int len;
|
|
|
|
len = size + crypto_ahash_digestsize(ahash) +
|
|
(crypto_ahash_alignmask(ahash) &
|
|
~(crypto_tfm_ctx_alignment() - 1));
|
|
|
|
len = ALIGN(len, crypto_tfm_ctx_alignment());
|
|
|
|
len += sizeof(struct ahash_request) + crypto_ahash_reqsize(ahash);
|
|
len = ALIGN(len, __alignof__(struct scatterlist));
|
|
|
|
len += sizeof(struct scatterlist) * nfrags;
|
|
|
|
return kmalloc(len, GFP_ATOMIC);
|
|
}
|
|
|
|
static inline u8 *ah_tmp_auth(void *tmp, unsigned int offset)
|
|
{
|
|
return tmp + offset;
|
|
}
|
|
|
|
static inline u8 *ah_tmp_icv(struct crypto_ahash *ahash, void *tmp,
|
|
unsigned int offset)
|
|
{
|
|
return PTR_ALIGN((u8 *)tmp + offset, crypto_ahash_alignmask(ahash) + 1);
|
|
}
|
|
|
|
static inline struct ahash_request *ah_tmp_req(struct crypto_ahash *ahash,
|
|
u8 *icv)
|
|
{
|
|
struct ahash_request *req;
|
|
|
|
req = (void *)PTR_ALIGN(icv + crypto_ahash_digestsize(ahash),
|
|
crypto_tfm_ctx_alignment());
|
|
|
|
ahash_request_set_tfm(req, ahash);
|
|
|
|
return req;
|
|
}
|
|
|
|
static inline struct scatterlist *ah_req_sg(struct crypto_ahash *ahash,
|
|
struct ahash_request *req)
|
|
{
|
|
return (void *)ALIGN((unsigned long)(req + 1) +
|
|
crypto_ahash_reqsize(ahash),
|
|
__alignof__(struct scatterlist));
|
|
}
|
|
|
|
/* Clear mutable options and find final destination to substitute
|
|
* into IP header for icv calculation. Options are already checked
|
|
* for validity, so paranoia is not required. */
|
|
|
|
static int ip_clear_mutable_options(const struct iphdr *iph, __be32 *daddr)
|
|
{
|
|
unsigned char *optptr = (unsigned char *)(iph+1);
|
|
int l = iph->ihl*4 - sizeof(struct iphdr);
|
|
int optlen;
|
|
|
|
while (l > 0) {
|
|
switch (*optptr) {
|
|
case IPOPT_END:
|
|
return 0;
|
|
case IPOPT_NOOP:
|
|
l--;
|
|
optptr++;
|
|
continue;
|
|
}
|
|
optlen = optptr[1];
|
|
if (optlen<2 || optlen>l)
|
|
return -EINVAL;
|
|
switch (*optptr) {
|
|
case IPOPT_SEC:
|
|
case 0x85: /* Some "Extended Security" crap. */
|
|
case IPOPT_CIPSO:
|
|
case IPOPT_RA:
|
|
case 0x80|21: /* RFC1770 */
|
|
break;
|
|
case IPOPT_LSRR:
|
|
case IPOPT_SSRR:
|
|
if (optlen < 6)
|
|
return -EINVAL;
|
|
memcpy(daddr, optptr+optlen-4, 4);
|
|
fallthrough;
|
|
default:
|
|
memset(optptr, 0, optlen);
|
|
}
|
|
l -= optlen;
|
|
optptr += optlen;
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
static void ah_output_done(struct crypto_async_request *base, int err)
|
|
{
|
|
u8 *icv;
|
|
struct iphdr *iph;
|
|
struct sk_buff *skb = base->data;
|
|
struct xfrm_state *x = skb_dst(skb)->xfrm;
|
|
struct ah_data *ahp = x->data;
|
|
struct iphdr *top_iph = ip_hdr(skb);
|
|
struct ip_auth_hdr *ah = ip_auth_hdr(skb);
|
|
int ihl = ip_hdrlen(skb);
|
|
|
|
iph = AH_SKB_CB(skb)->tmp;
|
|
icv = ah_tmp_icv(ahp->ahash, iph, ihl);
|
|
memcpy(ah->auth_data, icv, ahp->icv_trunc_len);
|
|
|
|
top_iph->tos = iph->tos;
|
|
top_iph->ttl = iph->ttl;
|
|
top_iph->frag_off = iph->frag_off;
|
|
if (top_iph->ihl != 5) {
|
|
top_iph->daddr = iph->daddr;
|
|
memcpy(top_iph+1, iph+1, top_iph->ihl*4 - sizeof(struct iphdr));
|
|
}
|
|
|
|
kfree(AH_SKB_CB(skb)->tmp);
|
|
xfrm_output_resume(skb->sk, skb, err);
|
|
}
|
|
|
|
static int ah_output(struct xfrm_state *x, struct sk_buff *skb)
|
|
{
|
|
int err;
|
|
int nfrags;
|
|
int ihl;
|
|
u8 *icv;
|
|
struct sk_buff *trailer;
|
|
struct crypto_ahash *ahash;
|
|
struct ahash_request *req;
|
|
struct scatterlist *sg;
|
|
struct iphdr *iph, *top_iph;
|
|
struct ip_auth_hdr *ah;
|
|
struct ah_data *ahp;
|
|
int seqhi_len = 0;
|
|
__be32 *seqhi;
|
|
int sglists = 0;
|
|
struct scatterlist *seqhisg;
|
|
|
|
ahp = x->data;
|
|
ahash = ahp->ahash;
|
|
|
|
if ((err = skb_cow_data(skb, 0, &trailer)) < 0)
|
|
goto out;
|
|
nfrags = err;
|
|
|
|
skb_push(skb, -skb_network_offset(skb));
|
|
ah = ip_auth_hdr(skb);
|
|
ihl = ip_hdrlen(skb);
|
|
|
|
if (x->props.flags & XFRM_STATE_ESN) {
|
|
sglists = 1;
|
|
seqhi_len = sizeof(*seqhi);
|
|
}
|
|
err = -ENOMEM;
|
|
iph = ah_alloc_tmp(ahash, nfrags + sglists, ihl + seqhi_len);
|
|
if (!iph)
|
|
goto out;
|
|
seqhi = (__be32 *)((char *)iph + ihl);
|
|
icv = ah_tmp_icv(ahash, seqhi, seqhi_len);
|
|
req = ah_tmp_req(ahash, icv);
|
|
sg = ah_req_sg(ahash, req);
|
|
seqhisg = sg + nfrags;
|
|
|
|
memset(ah->auth_data, 0, ahp->icv_trunc_len);
|
|
|
|
top_iph = ip_hdr(skb);
|
|
|
|
iph->tos = top_iph->tos;
|
|
iph->ttl = top_iph->ttl;
|
|
iph->frag_off = top_iph->frag_off;
|
|
|
|
if (top_iph->ihl != 5) {
|
|
iph->daddr = top_iph->daddr;
|
|
memcpy(iph+1, top_iph+1, top_iph->ihl*4 - sizeof(struct iphdr));
|
|
err = ip_clear_mutable_options(top_iph, &top_iph->daddr);
|
|
if (err)
|
|
goto out_free;
|
|
}
|
|
|
|
ah->nexthdr = *skb_mac_header(skb);
|
|
*skb_mac_header(skb) = IPPROTO_AH;
|
|
|
|
top_iph->tos = 0;
|
|
top_iph->tot_len = htons(skb->len);
|
|
top_iph->frag_off = 0;
|
|
top_iph->ttl = 0;
|
|
top_iph->check = 0;
|
|
|
|
if (x->props.flags & XFRM_STATE_ALIGN4)
|
|
ah->hdrlen = (XFRM_ALIGN4(sizeof(*ah) + ahp->icv_trunc_len) >> 2) - 2;
|
|
else
|
|
ah->hdrlen = (XFRM_ALIGN8(sizeof(*ah) + ahp->icv_trunc_len) >> 2) - 2;
|
|
|
|
ah->reserved = 0;
|
|
ah->spi = x->id.spi;
|
|
ah->seq_no = htonl(XFRM_SKB_CB(skb)->seq.output.low);
|
|
|
|
sg_init_table(sg, nfrags + sglists);
|
|
err = skb_to_sgvec_nomark(skb, sg, 0, skb->len);
|
|
if (unlikely(err < 0))
|
|
goto out_free;
|
|
|
|
if (x->props.flags & XFRM_STATE_ESN) {
|
|
/* Attach seqhi sg right after packet payload */
|
|
*seqhi = htonl(XFRM_SKB_CB(skb)->seq.output.hi);
|
|
sg_set_buf(seqhisg, seqhi, seqhi_len);
|
|
}
|
|
ahash_request_set_crypt(req, sg, icv, skb->len + seqhi_len);
|
|
ahash_request_set_callback(req, 0, ah_output_done, skb);
|
|
|
|
AH_SKB_CB(skb)->tmp = iph;
|
|
|
|
err = crypto_ahash_digest(req);
|
|
if (err) {
|
|
if (err == -EINPROGRESS)
|
|
goto out;
|
|
|
|
if (err == -ENOSPC)
|
|
err = NET_XMIT_DROP;
|
|
goto out_free;
|
|
}
|
|
|
|
memcpy(ah->auth_data, icv, ahp->icv_trunc_len);
|
|
|
|
top_iph->tos = iph->tos;
|
|
top_iph->ttl = iph->ttl;
|
|
top_iph->frag_off = iph->frag_off;
|
|
if (top_iph->ihl != 5) {
|
|
top_iph->daddr = iph->daddr;
|
|
memcpy(top_iph+1, iph+1, top_iph->ihl*4 - sizeof(struct iphdr));
|
|
}
|
|
|
|
out_free:
|
|
kfree(iph);
|
|
out:
|
|
return err;
|
|
}
|
|
|
|
static void ah_input_done(struct crypto_async_request *base, int err)
|
|
{
|
|
u8 *auth_data;
|
|
u8 *icv;
|
|
struct iphdr *work_iph;
|
|
struct sk_buff *skb = base->data;
|
|
struct xfrm_state *x = xfrm_input_state(skb);
|
|
struct ah_data *ahp = x->data;
|
|
struct ip_auth_hdr *ah = ip_auth_hdr(skb);
|
|
int ihl = ip_hdrlen(skb);
|
|
int ah_hlen = (ah->hdrlen + 2) << 2;
|
|
|
|
if (err)
|
|
goto out;
|
|
|
|
work_iph = AH_SKB_CB(skb)->tmp;
|
|
auth_data = ah_tmp_auth(work_iph, ihl);
|
|
icv = ah_tmp_icv(ahp->ahash, auth_data, ahp->icv_trunc_len);
|
|
|
|
err = crypto_memneq(icv, auth_data, ahp->icv_trunc_len) ? -EBADMSG : 0;
|
|
if (err)
|
|
goto out;
|
|
|
|
err = ah->nexthdr;
|
|
|
|
skb->network_header += ah_hlen;
|
|
memcpy(skb_network_header(skb), work_iph, ihl);
|
|
__skb_pull(skb, ah_hlen + ihl);
|
|
|
|
if (x->props.mode == XFRM_MODE_TUNNEL)
|
|
skb_reset_transport_header(skb);
|
|
else
|
|
skb_set_transport_header(skb, -ihl);
|
|
out:
|
|
kfree(AH_SKB_CB(skb)->tmp);
|
|
xfrm_input_resume(skb, err);
|
|
}
|
|
|
|
static int ah_input(struct xfrm_state *x, struct sk_buff *skb)
|
|
{
|
|
int ah_hlen;
|
|
int ihl;
|
|
int nexthdr;
|
|
int nfrags;
|
|
u8 *auth_data;
|
|
u8 *icv;
|
|
struct sk_buff *trailer;
|
|
struct crypto_ahash *ahash;
|
|
struct ahash_request *req;
|
|
struct scatterlist *sg;
|
|
struct iphdr *iph, *work_iph;
|
|
struct ip_auth_hdr *ah;
|
|
struct ah_data *ahp;
|
|
int err = -ENOMEM;
|
|
int seqhi_len = 0;
|
|
__be32 *seqhi;
|
|
int sglists = 0;
|
|
struct scatterlist *seqhisg;
|
|
|
|
if (!pskb_may_pull(skb, sizeof(*ah)))
|
|
goto out;
|
|
|
|
ah = (struct ip_auth_hdr *)skb->data;
|
|
ahp = x->data;
|
|
ahash = ahp->ahash;
|
|
|
|
nexthdr = ah->nexthdr;
|
|
ah_hlen = (ah->hdrlen + 2) << 2;
|
|
|
|
if (x->props.flags & XFRM_STATE_ALIGN4) {
|
|
if (ah_hlen != XFRM_ALIGN4(sizeof(*ah) + ahp->icv_full_len) &&
|
|
ah_hlen != XFRM_ALIGN4(sizeof(*ah) + ahp->icv_trunc_len))
|
|
goto out;
|
|
} else {
|
|
if (ah_hlen != XFRM_ALIGN8(sizeof(*ah) + ahp->icv_full_len) &&
|
|
ah_hlen != XFRM_ALIGN8(sizeof(*ah) + ahp->icv_trunc_len))
|
|
goto out;
|
|
}
|
|
|
|
if (!pskb_may_pull(skb, ah_hlen))
|
|
goto out;
|
|
|
|
/* We are going to _remove_ AH header to keep sockets happy,
|
|
* so... Later this can change. */
|
|
if (skb_unclone(skb, GFP_ATOMIC))
|
|
goto out;
|
|
|
|
skb->ip_summed = CHECKSUM_NONE;
|
|
|
|
|
|
if ((err = skb_cow_data(skb, 0, &trailer)) < 0)
|
|
goto out;
|
|
nfrags = err;
|
|
|
|
ah = (struct ip_auth_hdr *)skb->data;
|
|
iph = ip_hdr(skb);
|
|
ihl = ip_hdrlen(skb);
|
|
|
|
if (x->props.flags & XFRM_STATE_ESN) {
|
|
sglists = 1;
|
|
seqhi_len = sizeof(*seqhi);
|
|
}
|
|
|
|
work_iph = ah_alloc_tmp(ahash, nfrags + sglists, ihl +
|
|
ahp->icv_trunc_len + seqhi_len);
|
|
if (!work_iph) {
|
|
err = -ENOMEM;
|
|
goto out;
|
|
}
|
|
|
|
seqhi = (__be32 *)((char *)work_iph + ihl);
|
|
auth_data = ah_tmp_auth(seqhi, seqhi_len);
|
|
icv = ah_tmp_icv(ahash, auth_data, ahp->icv_trunc_len);
|
|
req = ah_tmp_req(ahash, icv);
|
|
sg = ah_req_sg(ahash, req);
|
|
seqhisg = sg + nfrags;
|
|
|
|
memcpy(work_iph, iph, ihl);
|
|
memcpy(auth_data, ah->auth_data, ahp->icv_trunc_len);
|
|
memset(ah->auth_data, 0, ahp->icv_trunc_len);
|
|
|
|
iph->ttl = 0;
|
|
iph->tos = 0;
|
|
iph->frag_off = 0;
|
|
iph->check = 0;
|
|
if (ihl > sizeof(*iph)) {
|
|
__be32 dummy;
|
|
err = ip_clear_mutable_options(iph, &dummy);
|
|
if (err)
|
|
goto out_free;
|
|
}
|
|
|
|
skb_push(skb, ihl);
|
|
|
|
sg_init_table(sg, nfrags + sglists);
|
|
err = skb_to_sgvec_nomark(skb, sg, 0, skb->len);
|
|
if (unlikely(err < 0))
|
|
goto out_free;
|
|
|
|
if (x->props.flags & XFRM_STATE_ESN) {
|
|
/* Attach seqhi sg right after packet payload */
|
|
*seqhi = XFRM_SKB_CB(skb)->seq.input.hi;
|
|
sg_set_buf(seqhisg, seqhi, seqhi_len);
|
|
}
|
|
ahash_request_set_crypt(req, sg, icv, skb->len + seqhi_len);
|
|
ahash_request_set_callback(req, 0, ah_input_done, skb);
|
|
|
|
AH_SKB_CB(skb)->tmp = work_iph;
|
|
|
|
err = crypto_ahash_digest(req);
|
|
if (err) {
|
|
if (err == -EINPROGRESS)
|
|
goto out;
|
|
|
|
goto out_free;
|
|
}
|
|
|
|
err = crypto_memneq(icv, auth_data, ahp->icv_trunc_len) ? -EBADMSG : 0;
|
|
if (err)
|
|
goto out_free;
|
|
|
|
skb->network_header += ah_hlen;
|
|
memcpy(skb_network_header(skb), work_iph, ihl);
|
|
__skb_pull(skb, ah_hlen + ihl);
|
|
if (x->props.mode == XFRM_MODE_TUNNEL)
|
|
skb_reset_transport_header(skb);
|
|
else
|
|
skb_set_transport_header(skb, -ihl);
|
|
|
|
err = nexthdr;
|
|
|
|
out_free:
|
|
kfree (work_iph);
|
|
out:
|
|
return err;
|
|
}
|
|
|
|
static int ah4_err(struct sk_buff *skb, u32 info)
|
|
{
|
|
struct net *net = dev_net(skb->dev);
|
|
const struct iphdr *iph = (const struct iphdr *)skb->data;
|
|
struct ip_auth_hdr *ah = (struct ip_auth_hdr *)(skb->data+(iph->ihl<<2));
|
|
struct xfrm_state *x;
|
|
|
|
switch (icmp_hdr(skb)->type) {
|
|
case ICMP_DEST_UNREACH:
|
|
if (icmp_hdr(skb)->code != ICMP_FRAG_NEEDED)
|
|
return 0;
|
|
break;
|
|
case ICMP_REDIRECT:
|
|
break;
|
|
default:
|
|
return 0;
|
|
}
|
|
|
|
x = xfrm_state_lookup(net, skb->mark, (const xfrm_address_t *)&iph->daddr,
|
|
ah->spi, IPPROTO_AH, AF_INET);
|
|
if (!x)
|
|
return 0;
|
|
|
|
if (icmp_hdr(skb)->type == ICMP_DEST_UNREACH)
|
|
ipv4_update_pmtu(skb, net, info, 0, IPPROTO_AH);
|
|
else
|
|
ipv4_redirect(skb, net, 0, IPPROTO_AH);
|
|
xfrm_state_put(x);
|
|
|
|
return 0;
|
|
}
|
|
|
|
static int ah_init_state(struct xfrm_state *x)
|
|
{
|
|
struct ah_data *ahp = NULL;
|
|
struct xfrm_algo_desc *aalg_desc;
|
|
struct crypto_ahash *ahash;
|
|
|
|
if (!x->aalg)
|
|
goto error;
|
|
|
|
if (x->encap)
|
|
goto error;
|
|
|
|
ahp = kzalloc(sizeof(*ahp), GFP_KERNEL);
|
|
if (!ahp)
|
|
return -ENOMEM;
|
|
|
|
ahash = crypto_alloc_ahash(x->aalg->alg_name, 0, 0);
|
|
if (IS_ERR(ahash))
|
|
goto error;
|
|
|
|
ahp->ahash = ahash;
|
|
if (crypto_ahash_setkey(ahash, x->aalg->alg_key,
|
|
(x->aalg->alg_key_len + 7) / 8))
|
|
goto error;
|
|
|
|
/*
|
|
* Lookup the algorithm description maintained by xfrm_algo,
|
|
* verify crypto transform properties, and store information
|
|
* we need for AH processing. This lookup cannot fail here
|
|
* after a successful crypto_alloc_ahash().
|
|
*/
|
|
aalg_desc = xfrm_aalg_get_byname(x->aalg->alg_name, 0);
|
|
BUG_ON(!aalg_desc);
|
|
|
|
if (aalg_desc->uinfo.auth.icv_fullbits/8 !=
|
|
crypto_ahash_digestsize(ahash)) {
|
|
pr_info("%s: %s digestsize %u != %hu\n",
|
|
__func__, x->aalg->alg_name,
|
|
crypto_ahash_digestsize(ahash),
|
|
aalg_desc->uinfo.auth.icv_fullbits / 8);
|
|
goto error;
|
|
}
|
|
|
|
ahp->icv_full_len = aalg_desc->uinfo.auth.icv_fullbits/8;
|
|
ahp->icv_trunc_len = x->aalg->alg_trunc_len/8;
|
|
|
|
if (x->props.flags & XFRM_STATE_ALIGN4)
|
|
x->props.header_len = XFRM_ALIGN4(sizeof(struct ip_auth_hdr) +
|
|
ahp->icv_trunc_len);
|
|
else
|
|
x->props.header_len = XFRM_ALIGN8(sizeof(struct ip_auth_hdr) +
|
|
ahp->icv_trunc_len);
|
|
if (x->props.mode == XFRM_MODE_TUNNEL)
|
|
x->props.header_len += sizeof(struct iphdr);
|
|
x->data = ahp;
|
|
|
|
return 0;
|
|
|
|
error:
|
|
if (ahp) {
|
|
crypto_free_ahash(ahp->ahash);
|
|
kfree(ahp);
|
|
}
|
|
return -EINVAL;
|
|
}
|
|
|
|
static void ah_destroy(struct xfrm_state *x)
|
|
{
|
|
struct ah_data *ahp = x->data;
|
|
|
|
if (!ahp)
|
|
return;
|
|
|
|
crypto_free_ahash(ahp->ahash);
|
|
kfree(ahp);
|
|
}
|
|
|
|
static int ah4_rcv_cb(struct sk_buff *skb, int err)
|
|
{
|
|
return 0;
|
|
}
|
|
|
|
static const struct xfrm_type ah_type =
|
|
{
|
|
.owner = THIS_MODULE,
|
|
.proto = IPPROTO_AH,
|
|
.flags = XFRM_TYPE_REPLAY_PROT,
|
|
.init_state = ah_init_state,
|
|
.destructor = ah_destroy,
|
|
.input = ah_input,
|
|
.output = ah_output
|
|
};
|
|
|
|
static struct xfrm4_protocol ah4_protocol = {
|
|
.handler = xfrm4_rcv,
|
|
.input_handler = xfrm_input,
|
|
.cb_handler = ah4_rcv_cb,
|
|
.err_handler = ah4_err,
|
|
.priority = 0,
|
|
};
|
|
|
|
static int __init ah4_init(void)
|
|
{
|
|
if (xfrm_register_type(&ah_type, AF_INET) < 0) {
|
|
pr_info("%s: can't add xfrm type\n", __func__);
|
|
return -EAGAIN;
|
|
}
|
|
if (xfrm4_protocol_register(&ah4_protocol, IPPROTO_AH) < 0) {
|
|
pr_info("%s: can't add protocol\n", __func__);
|
|
xfrm_unregister_type(&ah_type, AF_INET);
|
|
return -EAGAIN;
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
static void __exit ah4_fini(void)
|
|
{
|
|
if (xfrm4_protocol_deregister(&ah4_protocol, IPPROTO_AH) < 0)
|
|
pr_info("%s: can't remove protocol\n", __func__);
|
|
xfrm_unregister_type(&ah_type, AF_INET);
|
|
}
|
|
|
|
module_init(ah4_init);
|
|
module_exit(ah4_fini);
|
|
MODULE_LICENSE("GPL");
|
|
MODULE_ALIAS_XFRM_TYPE(AF_INET, XFRM_PROTO_AH);
|