1 #include <linux/config.h>
2 #include <linux/module.h>
6 #include <asm/scatterlist.h>
7 #include <linux/crypto.h>
8 #include <linux/kernel.h>
9 #include <linux/pfkeyv2.h>
10 #include <linux/random.h>
14 /* decapsulation data for use when post-processing */
15 struct esp_decap_data
{
21 static int esp_output(struct xfrm_state
*x
, struct sk_buff
*skb
)
24 struct iphdr
*top_iph
;
25 struct ip_esp_hdr
*esph
;
26 struct crypto_tfm
*tfm
;
28 struct sk_buff
*trailer
;
34 /* Strip IP+ESP header. */
35 __skb_pull(skb
, skb
->h
.raw
- skb
->data
);
36 /* Now skb is pure payload to encrypt */
40 /* Round to block size */
44 alen
= esp
->auth
.icv_trunc_len
;
46 blksize
= ALIGN(crypto_tfm_alg_blocksize(tfm
), 4);
47 clen
= ALIGN(clen
+ 2, blksize
);
49 clen
= ALIGN(clen
, esp
->conf
.padlen
);
51 if ((nfrags
= skb_cow_data(skb
, clen
-skb
->len
+alen
, &trailer
)) < 0)
57 for (i
=0; i
<clen
-skb
->len
- 2; i
++)
58 *(u8
*)(trailer
->tail
+ i
) = i
+1;
60 *(u8
*)(trailer
->tail
+ clen
-skb
->len
- 2) = (clen
- skb
->len
)-2;
61 pskb_put(skb
, trailer
, clen
- skb
->len
);
63 __skb_push(skb
, skb
->data
- skb
->nh
.raw
);
64 top_iph
= skb
->nh
.iph
;
65 esph
= (struct ip_esp_hdr
*)(skb
->nh
.raw
+ top_iph
->ihl
*4);
66 top_iph
->tot_len
= htons(skb
->len
+ alen
);
67 *(u8
*)(trailer
->tail
- 1) = top_iph
->protocol
;
69 /* this is non-NULL only with UDP Encapsulation */
71 struct xfrm_encap_tmpl
*encap
= x
->encap
;
75 uh
= (struct udphdr
*)esph
;
76 uh
->source
= encap
->encap_sport
;
77 uh
->dest
= encap
->encap_dport
;
78 uh
->len
= htons(skb
->len
+ alen
- top_iph
->ihl
*4);
81 switch (encap
->encap_type
) {
83 case UDP_ENCAP_ESPINUDP
:
84 esph
= (struct ip_esp_hdr
*)(uh
+ 1);
86 case UDP_ENCAP_ESPINUDP_NON_IKE
:
87 udpdata32
= (u32
*)(uh
+ 1);
88 udpdata32
[0] = udpdata32
[1] = 0;
89 esph
= (struct ip_esp_hdr
*)(udpdata32
+ 2);
93 top_iph
->protocol
= IPPROTO_UDP
;
95 top_iph
->protocol
= IPPROTO_ESP
;
97 esph
->spi
= x
->id
.spi
;
98 esph
->seq_no
= htonl(++x
->replay
.oseq
);
101 crypto_cipher_set_iv(tfm
, esp
->conf
.ivec
, crypto_tfm_alg_ivsize(tfm
));
104 struct scatterlist
*sg
= &esp
->sgbuf
[0];
106 if (unlikely(nfrags
> ESP_NUM_FAST_SG
)) {
107 sg
= kmalloc(sizeof(struct scatterlist
)*nfrags
, GFP_ATOMIC
);
111 skb_to_sgvec(skb
, sg
, esph
->enc_data
+esp
->conf
.ivlen
-skb
->data
, clen
);
112 crypto_cipher_encrypt(tfm
, sg
, sg
, clen
);
113 if (unlikely(sg
!= &esp
->sgbuf
[0]))
117 if (esp
->conf
.ivlen
) {
118 memcpy(esph
->enc_data
, esp
->conf
.ivec
, crypto_tfm_alg_ivsize(tfm
));
119 crypto_cipher_get_iv(tfm
, esp
->conf
.ivec
, crypto_tfm_alg_ivsize(tfm
));
122 if (esp
->auth
.icv_full_len
) {
123 esp
->auth
.icv(esp
, skb
, (u8
*)esph
-skb
->data
,
124 sizeof(struct ip_esp_hdr
) + esp
->conf
.ivlen
+clen
, trailer
->tail
);
125 pskb_put(skb
, trailer
, alen
);
128 ip_send_check(top_iph
);
137 * Note: detecting truncated vs. non-truncated authentication data is very
138 * expensive, so we only support truncated data, which is the recommended
141 static int esp_input(struct xfrm_state
*x
, struct xfrm_decap_state
*decap
, struct sk_buff
*skb
)
144 struct ip_esp_hdr
*esph
;
145 struct esp_data
*esp
= x
->data
;
146 struct sk_buff
*trailer
;
147 int blksize
= ALIGN(crypto_tfm_alg_blocksize(esp
->conf
.tfm
), 4);
148 int alen
= esp
->auth
.icv_trunc_len
;
149 int elen
= skb
->len
- sizeof(struct ip_esp_hdr
) - esp
->conf
.ivlen
- alen
;
153 if (!pskb_may_pull(skb
, sizeof(struct ip_esp_hdr
)))
156 if (elen
<= 0 || (elen
& (blksize
-1)))
159 /* If integrity check is required, do this. */
160 if (esp
->auth
.icv_full_len
) {
161 u8 sum
[esp
->auth
.icv_full_len
];
164 esp
->auth
.icv(esp
, skb
, 0, skb
->len
-alen
, sum
);
166 if (skb_copy_bits(skb
, skb
->len
-alen
, sum1
, alen
))
169 if (unlikely(memcmp(sum
, sum1
, alen
))) {
170 x
->stats
.integrity_failed
++;
175 if ((nfrags
= skb_cow_data(skb
, 0, &trailer
)) < 0)
178 skb
->ip_summed
= CHECKSUM_NONE
;
180 esph
= (struct ip_esp_hdr
*)skb
->data
;
183 /* Get ivec. This can be wrong, check against another impls. */
185 crypto_cipher_set_iv(esp
->conf
.tfm
, esph
->enc_data
, crypto_tfm_alg_ivsize(esp
->conf
.tfm
));
189 struct scatterlist
*sg
= &esp
->sgbuf
[0];
193 if (unlikely(nfrags
> ESP_NUM_FAST_SG
)) {
194 sg
= kmalloc(sizeof(struct scatterlist
)*nfrags
, GFP_ATOMIC
);
198 skb_to_sgvec(skb
, sg
, sizeof(struct ip_esp_hdr
) + esp
->conf
.ivlen
, elen
);
199 crypto_cipher_decrypt(esp
->conf
.tfm
, sg
, sg
, elen
);
200 if (unlikely(sg
!= &esp
->sgbuf
[0]))
203 if (skb_copy_bits(skb
, skb
->len
-alen
-2, nexthdr
, 2))
207 if (padlen
+2 >= elen
)
210 /* ... check padding bits here. Silly. :-) */
212 if (x
->encap
&& decap
&& decap
->decap_type
) {
213 struct esp_decap_data
*encap_data
;
214 struct udphdr
*uh
= (struct udphdr
*) (iph
+1);
216 encap_data
= (struct esp_decap_data
*) (decap
->decap_data
);
217 encap_data
->proto
= 0;
219 switch (decap
->decap_type
) {
220 case UDP_ENCAP_ESPINUDP
:
221 case UDP_ENCAP_ESPINUDP_NON_IKE
:
222 encap_data
->proto
= AF_INET
;
223 encap_data
->saddr
.a4
= iph
->saddr
;
224 encap_data
->sport
= uh
->source
;
225 encap_len
= (void*)esph
- (void*)uh
;
233 iph
->protocol
= nexthdr
[1];
234 pskb_trim(skb
, skb
->len
- alen
- padlen
- 2);
235 memcpy(workbuf
, skb
->nh
.raw
, iph
->ihl
*4);
236 skb
->h
.raw
= skb_pull(skb
, sizeof(struct ip_esp_hdr
) + esp
->conf
.ivlen
);
237 skb
->nh
.raw
+= encap_len
+ sizeof(struct ip_esp_hdr
) + esp
->conf
.ivlen
;
238 memcpy(skb
->nh
.raw
, workbuf
, iph
->ihl
*4);
239 skb
->nh
.iph
->tot_len
= htons(skb
->len
);
248 static int esp_post_input(struct xfrm_state
*x
, struct xfrm_decap_state
*decap
, struct sk_buff
*skb
)
252 struct xfrm_encap_tmpl
*encap
;
253 struct esp_decap_data
*decap_data
;
256 decap_data
= (struct esp_decap_data
*)(decap
->decap_data
);
258 /* first, make sure that the decap type == the encap type */
259 if (encap
->encap_type
!= decap
->decap_type
)
262 switch (encap
->encap_type
) {
264 case UDP_ENCAP_ESPINUDP
:
265 case UDP_ENCAP_ESPINUDP_NON_IKE
:
267 * 1) if the NAT-T peer's IP or port changed then
268 * advertize the change to the keying daemon.
269 * This is an inbound SA, so just compare
272 if (decap_data
->proto
== AF_INET
&&
273 (decap_data
->saddr
.a4
!= x
->props
.saddr
.a4
||
274 decap_data
->sport
!= encap
->encap_sport
)) {
275 xfrm_address_t ipaddr
;
277 ipaddr
.a4
= decap_data
->saddr
.a4
;
278 km_new_mapping(x
, &ipaddr
, decap_data
->sport
);
280 /* XXX: perhaps add an extra
281 * policy check here, to see
282 * if we should allow or
283 * reject a packet from a
290 * 2) ignore UDP/TCP checksums in case
291 * of NAT-T in Transport Mode, or
292 * perform other post-processing fixes
293 * as per * draft-ietf-ipsec-udp-encaps-06,
297 skb
->ip_summed
= CHECKSUM_UNNECESSARY
;
305 static u32
esp4_get_max_size(struct xfrm_state
*x
, int mtu
)
307 struct esp_data
*esp
= x
->data
;
308 u32 blksize
= ALIGN(crypto_tfm_alg_blocksize(esp
->conf
.tfm
), 4);
311 mtu
= ALIGN(mtu
+ 2, blksize
);
313 /* The worst case. */
314 mtu
= ALIGN(mtu
+ 2, 4) + blksize
- 4;
316 if (esp
->conf
.padlen
)
317 mtu
= ALIGN(mtu
, esp
->conf
.padlen
);
319 return mtu
+ x
->props
.header_len
+ esp
->auth
.icv_trunc_len
;
322 static void esp4_err(struct sk_buff
*skb
, u32 info
)
324 struct iphdr
*iph
= (struct iphdr
*)skb
->data
;
325 struct ip_esp_hdr
*esph
= (struct ip_esp_hdr
*)(skb
->data
+(iph
->ihl
<<2));
326 struct xfrm_state
*x
;
328 if (skb
->h
.icmph
->type
!= ICMP_DEST_UNREACH
||
329 skb
->h
.icmph
->code
!= ICMP_FRAG_NEEDED
)
332 x
= xfrm_state_lookup((xfrm_address_t
*)&iph
->daddr
, esph
->spi
, IPPROTO_ESP
, AF_INET
);
335 NETDEBUG(KERN_DEBUG
"pmtu discovery on SA ESP/%08x/%08x\n",
336 ntohl(esph
->spi
), ntohl(iph
->daddr
));
340 static void esp_destroy(struct xfrm_state
*x
)
342 struct esp_data
*esp
= x
->data
;
347 crypto_free_tfm(esp
->conf
.tfm
);
348 esp
->conf
.tfm
= NULL
;
349 kfree(esp
->conf
.ivec
);
350 esp
->conf
.ivec
= NULL
;
351 crypto_free_tfm(esp
->auth
.tfm
);
352 esp
->auth
.tfm
= NULL
;
353 kfree(esp
->auth
.work_icv
);
354 esp
->auth
.work_icv
= NULL
;
358 static int esp_init_state(struct xfrm_state
*x
)
360 struct esp_data
*esp
= NULL
;
362 /* null auth and encryption can have zero length keys */
364 if (x
->aalg
->alg_key_len
> 512)
370 esp
= kmalloc(sizeof(*esp
), GFP_KERNEL
);
374 memset(esp
, 0, sizeof(*esp
));
377 struct xfrm_algo_desc
*aalg_desc
;
379 esp
->auth
.key
= x
->aalg
->alg_key
;
380 esp
->auth
.key_len
= (x
->aalg
->alg_key_len
+7)/8;
381 esp
->auth
.tfm
= crypto_alloc_tfm(x
->aalg
->alg_name
, 0);
382 if (esp
->auth
.tfm
== NULL
)
384 esp
->auth
.icv
= esp_hmac_digest
;
386 aalg_desc
= xfrm_aalg_get_byname(x
->aalg
->alg_name
, 0);
389 if (aalg_desc
->uinfo
.auth
.icv_fullbits
/8 !=
390 crypto_tfm_alg_digestsize(esp
->auth
.tfm
)) {
391 NETDEBUG(KERN_INFO
"ESP: %s digestsize %u != %hu\n",
393 crypto_tfm_alg_digestsize(esp
->auth
.tfm
),
394 aalg_desc
->uinfo
.auth
.icv_fullbits
/8);
398 esp
->auth
.icv_full_len
= aalg_desc
->uinfo
.auth
.icv_fullbits
/8;
399 esp
->auth
.icv_trunc_len
= aalg_desc
->uinfo
.auth
.icv_truncbits
/8;
401 esp
->auth
.work_icv
= kmalloc(esp
->auth
.icv_full_len
, GFP_KERNEL
);
402 if (!esp
->auth
.work_icv
)
405 esp
->conf
.key
= x
->ealg
->alg_key
;
406 esp
->conf
.key_len
= (x
->ealg
->alg_key_len
+7)/8;
407 if (x
->props
.ealgo
== SADB_EALG_NULL
)
408 esp
->conf
.tfm
= crypto_alloc_tfm(x
->ealg
->alg_name
, CRYPTO_TFM_MODE_ECB
);
410 esp
->conf
.tfm
= crypto_alloc_tfm(x
->ealg
->alg_name
, CRYPTO_TFM_MODE_CBC
);
411 if (esp
->conf
.tfm
== NULL
)
413 esp
->conf
.ivlen
= crypto_tfm_alg_ivsize(esp
->conf
.tfm
);
414 esp
->conf
.padlen
= 0;
415 if (esp
->conf
.ivlen
) {
416 esp
->conf
.ivec
= kmalloc(esp
->conf
.ivlen
, GFP_KERNEL
);
417 if (unlikely(esp
->conf
.ivec
== NULL
))
419 get_random_bytes(esp
->conf
.ivec
, esp
->conf
.ivlen
);
421 if (crypto_cipher_setkey(esp
->conf
.tfm
, esp
->conf
.key
, esp
->conf
.key_len
))
423 x
->props
.header_len
= sizeof(struct ip_esp_hdr
) + esp
->conf
.ivlen
;
425 x
->props
.header_len
+= sizeof(struct iphdr
);
427 struct xfrm_encap_tmpl
*encap
= x
->encap
;
429 switch (encap
->encap_type
) {
432 case UDP_ENCAP_ESPINUDP
:
433 x
->props
.header_len
+= sizeof(struct udphdr
);
435 case UDP_ENCAP_ESPINUDP_NON_IKE
:
436 x
->props
.header_len
+= sizeof(struct udphdr
) + 2 * sizeof(u32
);
441 x
->props
.trailer_len
= esp4_get_max_size(x
, 0) - x
->props
.header_len
;
451 static struct xfrm_type esp_type
=
453 .description
= "ESP4",
454 .owner
= THIS_MODULE
,
455 .proto
= IPPROTO_ESP
,
456 .init_state
= esp_init_state
,
457 .destructor
= esp_destroy
,
458 .get_max_size
= esp4_get_max_size
,
460 .post_input
= esp_post_input
,
464 static struct net_protocol esp4_protocol
= {
465 .handler
= xfrm4_rcv
,
466 .err_handler
= esp4_err
,
470 static int __init
esp4_init(void)
472 struct xfrm_decap_state decap
;
474 if (sizeof(struct esp_decap_data
) >
475 sizeof(decap
.decap_data
)) {
476 extern void decap_data_too_small(void);
478 decap_data_too_small();
481 if (xfrm_register_type(&esp_type
, AF_INET
) < 0) {
482 printk(KERN_INFO
"ip esp init: can't add xfrm type\n");
485 if (inet_add_protocol(&esp4_protocol
, IPPROTO_ESP
) < 0) {
486 printk(KERN_INFO
"ip esp init: can't add protocol\n");
487 xfrm_unregister_type(&esp_type
, AF_INET
);
493 static void __exit
esp4_fini(void)
495 if (inet_del_protocol(&esp4_protocol
, IPPROTO_ESP
) < 0)
496 printk(KERN_INFO
"ip esp close: can't remove protocol\n");
497 if (xfrm_unregister_type(&esp_type
, AF_INET
) < 0)
498 printk(KERN_INFO
"ip esp close: can't remove xfrm type\n");
501 module_init(esp4_init
);
502 module_exit(esp4_fini
);
503 MODULE_LICENSE("GPL");