1 #include <crypto/aead.h>
2 #include <crypto/authenc.h>
4 #include <linux/module.h>
8 #include <linux/scatterlist.h>
9 #include <linux/kernel.h>
10 #include <linux/pfkeyv2.h>
11 #include <linux/rtnetlink.h>
12 #include <linux/slab.h>
13 #include <linux/spinlock.h>
14 #include <linux/in6.h>
16 #include <net/protocol.h>
20 struct xfrm_skb_cb xfrm
;
24 #define ESP_SKB_CB(__skb) ((struct esp_skb_cb *)&((__skb)->cb[0]))
26 static u32
esp4_get_mtu(struct xfrm_state
*x
, int mtu
);
29 * Allocate an AEAD request structure with extra space for SG and IV.
31 * For alignment considerations the IV is placed at the front, followed
32 * by the request and finally the SG list.
34 * TODO: Use spare space in skb for this where possible.
36 static void *esp_alloc_tmp(struct crypto_aead
*aead
, int nfrags
, int seqhilen
)
42 len
+= crypto_aead_ivsize(aead
);
45 len
+= crypto_aead_alignmask(aead
) &
46 ~(crypto_tfm_ctx_alignment() - 1);
47 len
= ALIGN(len
, crypto_tfm_ctx_alignment());
50 len
+= sizeof(struct aead_givcrypt_request
) + crypto_aead_reqsize(aead
);
51 len
= ALIGN(len
, __alignof__(struct scatterlist
));
53 len
+= sizeof(struct scatterlist
) * nfrags
;
55 return kmalloc(len
, GFP_ATOMIC
);
58 static inline __be32
*esp_tmp_seqhi(void *tmp
)
60 return PTR_ALIGN((__be32
*)tmp
, __alignof__(__be32
));
62 static inline u8
*esp_tmp_iv(struct crypto_aead
*aead
, void *tmp
, int seqhilen
)
64 return crypto_aead_ivsize(aead
) ?
65 PTR_ALIGN((u8
*)tmp
+ seqhilen
,
66 crypto_aead_alignmask(aead
) + 1) : tmp
+ seqhilen
;
69 static inline struct aead_givcrypt_request
*esp_tmp_givreq(
70 struct crypto_aead
*aead
, u8
*iv
)
72 struct aead_givcrypt_request
*req
;
74 req
= (void *)PTR_ALIGN(iv
+ crypto_aead_ivsize(aead
),
75 crypto_tfm_ctx_alignment());
76 aead_givcrypt_set_tfm(req
, aead
);
80 static inline struct aead_request
*esp_tmp_req(struct crypto_aead
*aead
, u8
*iv
)
82 struct aead_request
*req
;
84 req
= (void *)PTR_ALIGN(iv
+ crypto_aead_ivsize(aead
),
85 crypto_tfm_ctx_alignment());
86 aead_request_set_tfm(req
, aead
);
90 static inline struct scatterlist
*esp_req_sg(struct crypto_aead
*aead
,
91 struct aead_request
*req
)
93 return (void *)ALIGN((unsigned long)(req
+ 1) +
94 crypto_aead_reqsize(aead
),
95 __alignof__(struct scatterlist
));
98 static inline struct scatterlist
*esp_givreq_sg(
99 struct crypto_aead
*aead
, struct aead_givcrypt_request
*req
)
101 return (void *)ALIGN((unsigned long)(req
+ 1) +
102 crypto_aead_reqsize(aead
),
103 __alignof__(struct scatterlist
));
106 static void esp_output_done(struct crypto_async_request
*base
, int err
)
108 struct sk_buff
*skb
= base
->data
;
110 kfree(ESP_SKB_CB(skb
)->tmp
);
111 xfrm_output_resume(skb
, err
);
114 static int esp_output(struct xfrm_state
*x
, struct sk_buff
*skb
)
117 struct ip_esp_hdr
*esph
;
118 struct crypto_aead
*aead
;
119 struct aead_givcrypt_request
*req
;
120 struct scatterlist
*sg
;
121 struct scatterlist
*asg
;
122 struct esp_data
*esp
;
123 struct sk_buff
*trailer
;
138 /* skb is pure payload to encrypt */
144 alen
= crypto_aead_authsize(aead
);
148 struct xfrm_dst
*dst
= (struct xfrm_dst
*)skb_dst(skb
);
151 padto
= min(x
->tfcpad
, esp4_get_mtu(x
, dst
->child_mtu_cached
));
152 if (skb
->len
< padto
)
153 tfclen
= padto
- skb
->len
;
155 blksize
= ALIGN(crypto_aead_blocksize(aead
), 4);
156 clen
= ALIGN(skb
->len
+ 2 + tfclen
, blksize
);
158 clen
= ALIGN(clen
, esp
->padlen
);
159 plen
= clen
- skb
->len
- tfclen
;
161 err
= skb_cow_data(skb
, tfclen
+ plen
+ alen
, &trailer
);
166 assoclen
= sizeof(*esph
);
170 if (x
->props
.flags
& XFRM_STATE_ESN
) {
172 seqhilen
+= sizeof(__be32
);
173 assoclen
+= seqhilen
;
176 tmp
= esp_alloc_tmp(aead
, nfrags
+ sglists
, seqhilen
);
180 seqhi
= esp_tmp_seqhi(tmp
);
181 iv
= esp_tmp_iv(aead
, tmp
, seqhilen
);
182 req
= esp_tmp_givreq(aead
, iv
);
183 asg
= esp_givreq_sg(aead
, req
);
186 /* Fill padding... */
187 tail
= skb_tail_pointer(trailer
);
189 memset(tail
, 0, tfclen
);
194 for (i
= 0; i
< plen
- 2; i
++)
197 tail
[plen
- 2] = plen
- 2;
198 tail
[plen
- 1] = *skb_mac_header(skb
);
199 pskb_put(skb
, trailer
, clen
- skb
->len
+ alen
);
201 skb_push(skb
, -skb_network_offset(skb
));
202 esph
= ip_esp_hdr(skb
);
203 *skb_mac_header(skb
) = IPPROTO_ESP
;
205 /* this is non-NULL only with UDP Encapsulation */
207 struct xfrm_encap_tmpl
*encap
= x
->encap
;
213 spin_lock_bh(&x
->lock
);
214 sport
= encap
->encap_sport
;
215 dport
= encap
->encap_dport
;
216 encap_type
= encap
->encap_type
;
217 spin_unlock_bh(&x
->lock
);
219 uh
= (struct udphdr
*)esph
;
222 uh
->len
= htons(skb
->len
- skb_transport_offset(skb
));
225 switch (encap_type
) {
227 case UDP_ENCAP_ESPINUDP
:
228 esph
= (struct ip_esp_hdr
*)(uh
+ 1);
230 case UDP_ENCAP_ESPINUDP_NON_IKE
:
231 udpdata32
= (__be32
*)(uh
+ 1);
232 udpdata32
[0] = udpdata32
[1] = 0;
233 esph
= (struct ip_esp_hdr
*)(udpdata32
+ 2);
237 *skb_mac_header(skb
) = IPPROTO_UDP
;
240 esph
->spi
= x
->id
.spi
;
241 esph
->seq_no
= htonl(XFRM_SKB_CB(skb
)->seq
.output
.low
);
243 sg_init_table(sg
, nfrags
);
244 skb_to_sgvec(skb
, sg
,
245 esph
->enc_data
+ crypto_aead_ivsize(aead
) - skb
->data
,
248 if ((x
->props
.flags
& XFRM_STATE_ESN
)) {
249 sg_init_table(asg
, 3);
250 sg_set_buf(asg
, &esph
->spi
, sizeof(__be32
));
251 *seqhi
= htonl(XFRM_SKB_CB(skb
)->seq
.output
.hi
);
252 sg_set_buf(asg
+ 1, seqhi
, seqhilen
);
253 sg_set_buf(asg
+ 2, &esph
->seq_no
, sizeof(__be32
));
255 sg_init_one(asg
, esph
, sizeof(*esph
));
257 aead_givcrypt_set_callback(req
, 0, esp_output_done
, skb
);
258 aead_givcrypt_set_crypt(req
, sg
, sg
, clen
, iv
);
259 aead_givcrypt_set_assoc(req
, asg
, assoclen
);
260 aead_givcrypt_set_giv(req
, esph
->enc_data
,
261 XFRM_SKB_CB(skb
)->seq
.output
.low
);
263 ESP_SKB_CB(skb
)->tmp
= tmp
;
264 err
= crypto_aead_givencrypt(req
);
265 if (err
== -EINPROGRESS
)
277 static int esp_input_done2(struct sk_buff
*skb
, int err
)
280 struct xfrm_state
*x
= xfrm_input_state(skb
);
281 struct esp_data
*esp
= x
->data
;
282 struct crypto_aead
*aead
= esp
->aead
;
283 int alen
= crypto_aead_authsize(aead
);
284 int hlen
= sizeof(struct ip_esp_hdr
) + crypto_aead_ivsize(aead
);
285 int elen
= skb
->len
- hlen
;
290 kfree(ESP_SKB_CB(skb
)->tmp
);
295 if (skb_copy_bits(skb
, skb
->len
-alen
-2, nexthdr
, 2))
300 if (padlen
+ 2 + alen
>= elen
)
303 /* ... check padding bits here. Silly. :-) */
309 struct xfrm_encap_tmpl
*encap
= x
->encap
;
310 struct udphdr
*uh
= (void *)(skb_network_header(skb
) + ihl
);
313 * 1) if the NAT-T peer's IP or port changed then
314 * advertize the change to the keying daemon.
315 * This is an inbound SA, so just compare
318 if (iph
->saddr
!= x
->props
.saddr
.a4
||
319 uh
->source
!= encap
->encap_sport
) {
320 xfrm_address_t ipaddr
;
322 ipaddr
.a4
= iph
->saddr
;
323 km_new_mapping(x
, &ipaddr
, uh
->source
);
325 /* XXX: perhaps add an extra
326 * policy check here, to see
327 * if we should allow or
328 * reject a packet from a
335 * 2) ignore UDP/TCP checksums in case
336 * of NAT-T in Transport Mode, or
337 * perform other post-processing fixes
338 * as per draft-ietf-ipsec-udp-encaps-06,
341 if (x
->props
.mode
== XFRM_MODE_TRANSPORT
)
342 skb
->ip_summed
= CHECKSUM_UNNECESSARY
;
345 pskb_trim(skb
, skb
->len
- alen
- padlen
- 2);
346 __skb_pull(skb
, hlen
);
347 skb_set_transport_header(skb
, -ihl
);
351 /* RFC4303: Drop dummy packets without any error */
352 if (err
== IPPROTO_NONE
)
359 static void esp_input_done(struct crypto_async_request
*base
, int err
)
361 struct sk_buff
*skb
= base
->data
;
363 xfrm_input_resume(skb
, esp_input_done2(skb
, err
));
367 * Note: detecting truncated vs. non-truncated authentication data is very
368 * expensive, so we only support truncated data, which is the recommended
371 static int esp_input(struct xfrm_state
*x
, struct sk_buff
*skb
)
373 struct ip_esp_hdr
*esph
;
374 struct esp_data
*esp
= x
->data
;
375 struct crypto_aead
*aead
= esp
->aead
;
376 struct aead_request
*req
;
377 struct sk_buff
*trailer
;
378 int elen
= skb
->len
- sizeof(*esph
) - crypto_aead_ivsize(aead
);
386 struct scatterlist
*sg
;
387 struct scatterlist
*asg
;
390 if (!pskb_may_pull(skb
, sizeof(*esph
) + crypto_aead_ivsize(aead
)))
396 if ((err
= skb_cow_data(skb
, 0, &trailer
)) < 0)
400 assoclen
= sizeof(*esph
);
404 if (x
->props
.flags
& XFRM_STATE_ESN
) {
406 seqhilen
+= sizeof(__be32
);
407 assoclen
+= seqhilen
;
411 tmp
= esp_alloc_tmp(aead
, nfrags
+ sglists
, seqhilen
);
415 ESP_SKB_CB(skb
)->tmp
= tmp
;
416 seqhi
= esp_tmp_seqhi(tmp
);
417 iv
= esp_tmp_iv(aead
, tmp
, seqhilen
);
418 req
= esp_tmp_req(aead
, iv
);
419 asg
= esp_req_sg(aead
, req
);
422 skb
->ip_summed
= CHECKSUM_NONE
;
424 esph
= (struct ip_esp_hdr
*)skb
->data
;
426 /* Get ivec. This can be wrong, check against another impls. */
429 sg_init_table(sg
, nfrags
);
430 skb_to_sgvec(skb
, sg
, sizeof(*esph
) + crypto_aead_ivsize(aead
), elen
);
432 if ((x
->props
.flags
& XFRM_STATE_ESN
)) {
433 sg_init_table(asg
, 3);
434 sg_set_buf(asg
, &esph
->spi
, sizeof(__be32
));
435 *seqhi
= XFRM_SKB_CB(skb
)->seq
.input
.hi
;
436 sg_set_buf(asg
+ 1, seqhi
, seqhilen
);
437 sg_set_buf(asg
+ 2, &esph
->seq_no
, sizeof(__be32
));
439 sg_init_one(asg
, esph
, sizeof(*esph
));
441 aead_request_set_callback(req
, 0, esp_input_done
, skb
);
442 aead_request_set_crypt(req
, sg
, sg
, elen
, iv
);
443 aead_request_set_assoc(req
, asg
, assoclen
);
445 err
= crypto_aead_decrypt(req
);
446 if (err
== -EINPROGRESS
)
449 err
= esp_input_done2(skb
, err
);
455 static u32
esp4_get_mtu(struct xfrm_state
*x
, int mtu
)
457 struct esp_data
*esp
= x
->data
;
458 u32 blksize
= ALIGN(crypto_aead_blocksize(esp
->aead
), 4);
459 u32 align
= max_t(u32
, blksize
, esp
->padlen
);
462 mtu
-= x
->props
.header_len
+ crypto_aead_authsize(esp
->aead
);
463 rem
= mtu
& (align
- 1);
466 switch (x
->props
.mode
) {
467 case XFRM_MODE_TUNNEL
:
470 case XFRM_MODE_TRANSPORT
:
473 mtu
+= min_t(u32
, blksize
- 4, rem
);
476 /* The worst case. */
477 mtu
+= min_t(u32
, IPV4_BEET_PHMAXLEN
, rem
);
484 static void esp4_err(struct sk_buff
*skb
, u32 info
)
486 struct net
*net
= dev_net(skb
->dev
);
487 struct iphdr
*iph
= (struct iphdr
*)skb
->data
;
488 struct ip_esp_hdr
*esph
= (struct ip_esp_hdr
*)(skb
->data
+(iph
->ihl
<<2));
489 struct xfrm_state
*x
;
491 if (icmp_hdr(skb
)->type
!= ICMP_DEST_UNREACH
||
492 icmp_hdr(skb
)->code
!= ICMP_FRAG_NEEDED
)
495 x
= xfrm_state_lookup(net
, skb
->mark
, (xfrm_address_t
*)&iph
->daddr
, esph
->spi
, IPPROTO_ESP
, AF_INET
);
498 NETDEBUG(KERN_DEBUG
"pmtu discovery on SA ESP/%08x/%08x\n",
499 ntohl(esph
->spi
), ntohl(iph
->daddr
));
503 static void esp_destroy(struct xfrm_state
*x
)
505 struct esp_data
*esp
= x
->data
;
510 crypto_free_aead(esp
->aead
);
514 static int esp_init_aead(struct xfrm_state
*x
)
516 struct esp_data
*esp
= x
->data
;
517 struct crypto_aead
*aead
;
520 aead
= crypto_alloc_aead(x
->aead
->alg_name
, 0, 0);
527 err
= crypto_aead_setkey(aead
, x
->aead
->alg_key
,
528 (x
->aead
->alg_key_len
+ 7) / 8);
532 err
= crypto_aead_setauthsize(aead
, x
->aead
->alg_icv_len
/ 8);
540 static int esp_init_authenc(struct xfrm_state
*x
)
542 struct esp_data
*esp
= x
->data
;
543 struct crypto_aead
*aead
;
544 struct crypto_authenc_key_param
*param
;
548 char authenc_name
[CRYPTO_MAX_ALG_NAME
];
558 if ((x
->props
.flags
& XFRM_STATE_ESN
)) {
559 if (snprintf(authenc_name
, CRYPTO_MAX_ALG_NAME
,
561 x
->aalg
? x
->aalg
->alg_name
: "digest_null",
562 x
->ealg
->alg_name
) >= CRYPTO_MAX_ALG_NAME
)
565 if (snprintf(authenc_name
, CRYPTO_MAX_ALG_NAME
,
567 x
->aalg
? x
->aalg
->alg_name
: "digest_null",
568 x
->ealg
->alg_name
) >= CRYPTO_MAX_ALG_NAME
)
572 aead
= crypto_alloc_aead(authenc_name
, 0, 0);
579 keylen
= (x
->aalg
? (x
->aalg
->alg_key_len
+ 7) / 8 : 0) +
580 (x
->ealg
->alg_key_len
+ 7) / 8 + RTA_SPACE(sizeof(*param
));
582 key
= kmalloc(keylen
, GFP_KERNEL
);
588 rta
->rta_type
= CRYPTO_AUTHENC_KEYA_PARAM
;
589 rta
->rta_len
= RTA_LENGTH(sizeof(*param
));
590 param
= RTA_DATA(rta
);
591 p
+= RTA_SPACE(sizeof(*param
));
594 struct xfrm_algo_desc
*aalg_desc
;
596 memcpy(p
, x
->aalg
->alg_key
, (x
->aalg
->alg_key_len
+ 7) / 8);
597 p
+= (x
->aalg
->alg_key_len
+ 7) / 8;
599 aalg_desc
= xfrm_aalg_get_byname(x
->aalg
->alg_name
, 0);
603 if (aalg_desc
->uinfo
.auth
.icv_fullbits
/8 !=
604 crypto_aead_authsize(aead
)) {
605 NETDEBUG(KERN_INFO
"ESP: %s digestsize %u != %hu\n",
607 crypto_aead_authsize(aead
),
608 aalg_desc
->uinfo
.auth
.icv_fullbits
/8);
612 err
= crypto_aead_setauthsize(
613 aead
, x
->aalg
->alg_trunc_len
/ 8);
618 param
->enckeylen
= cpu_to_be32((x
->ealg
->alg_key_len
+ 7) / 8);
619 memcpy(p
, x
->ealg
->alg_key
, (x
->ealg
->alg_key_len
+ 7) / 8);
621 err
= crypto_aead_setkey(aead
, key
, keylen
);
630 static int esp_init_state(struct xfrm_state
*x
)
632 struct esp_data
*esp
;
633 struct crypto_aead
*aead
;
637 esp
= kzalloc(sizeof(*esp
), GFP_KERNEL
);
644 err
= esp_init_aead(x
);
646 err
= esp_init_authenc(x
);
655 x
->props
.header_len
= sizeof(struct ip_esp_hdr
) +
656 crypto_aead_ivsize(aead
);
657 if (x
->props
.mode
== XFRM_MODE_TUNNEL
)
658 x
->props
.header_len
+= sizeof(struct iphdr
);
659 else if (x
->props
.mode
== XFRM_MODE_BEET
&& x
->sel
.family
!= AF_INET6
)
660 x
->props
.header_len
+= IPV4_BEET_PHMAXLEN
;
662 struct xfrm_encap_tmpl
*encap
= x
->encap
;
664 switch (encap
->encap_type
) {
667 case UDP_ENCAP_ESPINUDP
:
668 x
->props
.header_len
+= sizeof(struct udphdr
);
670 case UDP_ENCAP_ESPINUDP_NON_IKE
:
671 x
->props
.header_len
+= sizeof(struct udphdr
) + 2 * sizeof(u32
);
676 align
= ALIGN(crypto_aead_blocksize(aead
), 4);
678 align
= max_t(u32
, align
, esp
->padlen
);
679 x
->props
.trailer_len
= align
+ 1 + crypto_aead_authsize(esp
->aead
);
685 static const struct xfrm_type esp_type
=
687 .description
= "ESP4",
688 .owner
= THIS_MODULE
,
689 .proto
= IPPROTO_ESP
,
690 .flags
= XFRM_TYPE_REPLAY_PROT
,
691 .init_state
= esp_init_state
,
692 .destructor
= esp_destroy
,
693 .get_mtu
= esp4_get_mtu
,
698 static const struct net_protocol esp4_protocol
= {
699 .handler
= xfrm4_rcv
,
700 .err_handler
= esp4_err
,
705 static int __init
esp4_init(void)
707 if (xfrm_register_type(&esp_type
, AF_INET
) < 0) {
708 printk(KERN_INFO
"ip esp init: can't add xfrm type\n");
711 if (inet_add_protocol(&esp4_protocol
, IPPROTO_ESP
) < 0) {
712 printk(KERN_INFO
"ip esp init: can't add protocol\n");
713 xfrm_unregister_type(&esp_type
, AF_INET
);
719 static void __exit
esp4_fini(void)
721 if (inet_del_protocol(&esp4_protocol
, IPPROTO_ESP
) < 0)
722 printk(KERN_INFO
"ip esp close: can't remove protocol\n");
723 if (xfrm_unregister_type(&esp_type
, AF_INET
) < 0)
724 printk(KERN_INFO
"ip esp close: can't remove xfrm type\n");
727 module_init(esp4_init
);
728 module_exit(esp4_fini
);
729 MODULE_LICENSE("GPL");
730 MODULE_ALIAS_XFRM_TYPE(AF_INET
, XFRM_PROTO_ESP
);