1 #include <crypto/aead.h>
2 #include <crypto/authenc.h>
4 #include <linux/module.h>
8 #include <linux/scatterlist.h>
9 #include <linux/kernel.h>
10 #include <linux/pfkeyv2.h>
11 #include <linux/rtnetlink.h>
12 #include <linux/slab.h>
13 #include <linux/spinlock.h>
14 #include <linux/in6.h>
16 #include <net/protocol.h>
20 struct xfrm_skb_cb xfrm
;
24 #define ESP_SKB_CB(__skb) ((struct esp_skb_cb *)&((__skb)->cb[0]))
27 * Allocate an AEAD request structure with extra space for SG and IV.
29 * For alignment considerations the IV is placed at the front, followed
30 * by the request and finally the SG list.
32 * TODO: Use spare space in skb for this where possible.
34 static void *esp_alloc_tmp(struct crypto_aead
*aead
, int nfrags
)
38 len
= crypto_aead_ivsize(aead
);
40 len
+= crypto_aead_alignmask(aead
) &
41 ~(crypto_tfm_ctx_alignment() - 1);
42 len
= ALIGN(len
, crypto_tfm_ctx_alignment());
45 len
+= sizeof(struct aead_givcrypt_request
) + crypto_aead_reqsize(aead
);
46 len
= ALIGN(len
, __alignof__(struct scatterlist
));
48 len
+= sizeof(struct scatterlist
) * nfrags
;
50 return kmalloc(len
, GFP_ATOMIC
);
53 static inline u8
*esp_tmp_iv(struct crypto_aead
*aead
, void *tmp
)
55 return crypto_aead_ivsize(aead
) ?
56 PTR_ALIGN((u8
*)tmp
, crypto_aead_alignmask(aead
) + 1) : tmp
;
59 static inline struct aead_givcrypt_request
*esp_tmp_givreq(
60 struct crypto_aead
*aead
, u8
*iv
)
62 struct aead_givcrypt_request
*req
;
64 req
= (void *)PTR_ALIGN(iv
+ crypto_aead_ivsize(aead
),
65 crypto_tfm_ctx_alignment());
66 aead_givcrypt_set_tfm(req
, aead
);
70 static inline struct aead_request
*esp_tmp_req(struct crypto_aead
*aead
, u8
*iv
)
72 struct aead_request
*req
;
74 req
= (void *)PTR_ALIGN(iv
+ crypto_aead_ivsize(aead
),
75 crypto_tfm_ctx_alignment());
76 aead_request_set_tfm(req
, aead
);
80 static inline struct scatterlist
*esp_req_sg(struct crypto_aead
*aead
,
81 struct aead_request
*req
)
83 return (void *)ALIGN((unsigned long)(req
+ 1) +
84 crypto_aead_reqsize(aead
),
85 __alignof__(struct scatterlist
));
88 static inline struct scatterlist
*esp_givreq_sg(
89 struct crypto_aead
*aead
, struct aead_givcrypt_request
*req
)
91 return (void *)ALIGN((unsigned long)(req
+ 1) +
92 crypto_aead_reqsize(aead
),
93 __alignof__(struct scatterlist
));
96 static void esp_output_done(struct crypto_async_request
*base
, int err
)
98 struct sk_buff
*skb
= base
->data
;
100 kfree(ESP_SKB_CB(skb
)->tmp
);
101 xfrm_output_resume(skb
, err
);
104 static int esp_output(struct xfrm_state
*x
, struct sk_buff
*skb
)
107 struct ip_esp_hdr
*esph
;
108 struct crypto_aead
*aead
;
109 struct aead_givcrypt_request
*req
;
110 struct scatterlist
*sg
;
111 struct scatterlist
*asg
;
112 struct esp_data
*esp
;
113 struct sk_buff
*trailer
;
122 /* skb is pure payload to encrypt */
126 /* Round to block size */
131 alen
= crypto_aead_authsize(aead
);
133 blksize
= ALIGN(crypto_aead_blocksize(aead
), 4);
134 clen
= ALIGN(clen
+ 2, blksize
);
136 clen
= ALIGN(clen
, esp
->padlen
);
138 if ((err
= skb_cow_data(skb
, clen
- skb
->len
+ alen
, &trailer
)) < 0)
142 tmp
= esp_alloc_tmp(aead
, nfrags
+ 1);
146 iv
= esp_tmp_iv(aead
, tmp
);
147 req
= esp_tmp_givreq(aead
, iv
);
148 asg
= esp_givreq_sg(aead
, req
);
151 /* Fill padding... */
152 tail
= skb_tail_pointer(trailer
);
155 for (i
=0; i
<clen
-skb
->len
- 2; i
++)
158 tail
[clen
- skb
->len
- 2] = (clen
- skb
->len
) - 2;
159 tail
[clen
- skb
->len
- 1] = *skb_mac_header(skb
);
160 pskb_put(skb
, trailer
, clen
- skb
->len
+ alen
);
162 skb_push(skb
, -skb_network_offset(skb
));
163 esph
= ip_esp_hdr(skb
);
164 *skb_mac_header(skb
) = IPPROTO_ESP
;
166 /* this is non-NULL only with UDP Encapsulation */
168 struct xfrm_encap_tmpl
*encap
= x
->encap
;
174 spin_lock_bh(&x
->lock
);
175 sport
= encap
->encap_sport
;
176 dport
= encap
->encap_dport
;
177 encap_type
= encap
->encap_type
;
178 spin_unlock_bh(&x
->lock
);
180 uh
= (struct udphdr
*)esph
;
183 uh
->len
= htons(skb
->len
- skb_transport_offset(skb
));
186 switch (encap_type
) {
188 case UDP_ENCAP_ESPINUDP
:
189 esph
= (struct ip_esp_hdr
*)(uh
+ 1);
191 case UDP_ENCAP_ESPINUDP_NON_IKE
:
192 udpdata32
= (__be32
*)(uh
+ 1);
193 udpdata32
[0] = udpdata32
[1] = 0;
194 esph
= (struct ip_esp_hdr
*)(udpdata32
+ 2);
198 *skb_mac_header(skb
) = IPPROTO_UDP
;
201 esph
->spi
= x
->id
.spi
;
202 esph
->seq_no
= htonl(XFRM_SKB_CB(skb
)->seq
.output
);
204 sg_init_table(sg
, nfrags
);
205 skb_to_sgvec(skb
, sg
,
206 esph
->enc_data
+ crypto_aead_ivsize(aead
) - skb
->data
,
208 sg_init_one(asg
, esph
, sizeof(*esph
));
210 aead_givcrypt_set_callback(req
, 0, esp_output_done
, skb
);
211 aead_givcrypt_set_crypt(req
, sg
, sg
, clen
, iv
);
212 aead_givcrypt_set_assoc(req
, asg
, sizeof(*esph
));
213 aead_givcrypt_set_giv(req
, esph
->enc_data
,
214 XFRM_SKB_CB(skb
)->seq
.output
);
216 ESP_SKB_CB(skb
)->tmp
= tmp
;
217 err
= crypto_aead_givencrypt(req
);
218 if (err
== -EINPROGRESS
)
230 static int esp_input_done2(struct sk_buff
*skb
, int err
)
233 struct xfrm_state
*x
= xfrm_input_state(skb
);
234 struct esp_data
*esp
= x
->data
;
235 struct crypto_aead
*aead
= esp
->aead
;
236 int alen
= crypto_aead_authsize(aead
);
237 int hlen
= sizeof(struct ip_esp_hdr
) + crypto_aead_ivsize(aead
);
238 int elen
= skb
->len
- hlen
;
243 kfree(ESP_SKB_CB(skb
)->tmp
);
248 if (skb_copy_bits(skb
, skb
->len
-alen
-2, nexthdr
, 2))
253 if (padlen
+ 2 + alen
>= elen
)
256 /* ... check padding bits here. Silly. :-) */
262 struct xfrm_encap_tmpl
*encap
= x
->encap
;
263 struct udphdr
*uh
= (void *)(skb_network_header(skb
) + ihl
);
266 * 1) if the NAT-T peer's IP or port changed then
267 * advertize the change to the keying daemon.
268 * This is an inbound SA, so just compare
271 if (iph
->saddr
!= x
->props
.saddr
.a4
||
272 uh
->source
!= encap
->encap_sport
) {
273 xfrm_address_t ipaddr
;
275 ipaddr
.a4
= iph
->saddr
;
276 km_new_mapping(x
, &ipaddr
, uh
->source
);
278 /* XXX: perhaps add an extra
279 * policy check here, to see
280 * if we should allow or
281 * reject a packet from a
288 * 2) ignore UDP/TCP checksums in case
289 * of NAT-T in Transport Mode, or
290 * perform other post-processing fixes
291 * as per draft-ietf-ipsec-udp-encaps-06,
294 if (x
->props
.mode
== XFRM_MODE_TRANSPORT
)
295 skb
->ip_summed
= CHECKSUM_UNNECESSARY
;
298 pskb_trim(skb
, skb
->len
- alen
- padlen
- 2);
299 __skb_pull(skb
, hlen
);
300 skb_set_transport_header(skb
, -ihl
);
304 /* RFC4303: Drop dummy packets without any error */
305 if (err
== IPPROTO_NONE
)
312 static void esp_input_done(struct crypto_async_request
*base
, int err
)
314 struct sk_buff
*skb
= base
->data
;
316 xfrm_input_resume(skb
, esp_input_done2(skb
, err
));
320 * Note: detecting truncated vs. non-truncated authentication data is very
321 * expensive, so we only support truncated data, which is the recommended
324 static int esp_input(struct xfrm_state
*x
, struct sk_buff
*skb
)
326 struct ip_esp_hdr
*esph
;
327 struct esp_data
*esp
= x
->data
;
328 struct crypto_aead
*aead
= esp
->aead
;
329 struct aead_request
*req
;
330 struct sk_buff
*trailer
;
331 int elen
= skb
->len
- sizeof(*esph
) - crypto_aead_ivsize(aead
);
335 struct scatterlist
*sg
;
336 struct scatterlist
*asg
;
339 if (!pskb_may_pull(skb
, sizeof(*esph
) + crypto_aead_ivsize(aead
)))
345 if ((err
= skb_cow_data(skb
, 0, &trailer
)) < 0)
350 tmp
= esp_alloc_tmp(aead
, nfrags
+ 1);
354 ESP_SKB_CB(skb
)->tmp
= tmp
;
355 iv
= esp_tmp_iv(aead
, tmp
);
356 req
= esp_tmp_req(aead
, iv
);
357 asg
= esp_req_sg(aead
, req
);
360 skb
->ip_summed
= CHECKSUM_NONE
;
362 esph
= (struct ip_esp_hdr
*)skb
->data
;
364 /* Get ivec. This can be wrong, check against another impls. */
367 sg_init_table(sg
, nfrags
);
368 skb_to_sgvec(skb
, sg
, sizeof(*esph
) + crypto_aead_ivsize(aead
), elen
);
369 sg_init_one(asg
, esph
, sizeof(*esph
));
371 aead_request_set_callback(req
, 0, esp_input_done
, skb
);
372 aead_request_set_crypt(req
, sg
, sg
, elen
, iv
);
373 aead_request_set_assoc(req
, asg
, sizeof(*esph
));
375 err
= crypto_aead_decrypt(req
);
376 if (err
== -EINPROGRESS
)
379 err
= esp_input_done2(skb
, err
);
385 static u32
esp4_get_mtu(struct xfrm_state
*x
, int mtu
)
387 struct esp_data
*esp
= x
->data
;
388 u32 blksize
= ALIGN(crypto_aead_blocksize(esp
->aead
), 4);
389 u32 align
= max_t(u32
, blksize
, esp
->padlen
);
392 mtu
-= x
->props
.header_len
+ crypto_aead_authsize(esp
->aead
);
393 rem
= mtu
& (align
- 1);
396 switch (x
->props
.mode
) {
397 case XFRM_MODE_TUNNEL
:
400 case XFRM_MODE_TRANSPORT
:
403 mtu
+= min_t(u32
, blksize
- 4, rem
);
406 /* The worst case. */
407 mtu
+= min_t(u32
, IPV4_BEET_PHMAXLEN
, rem
);
414 static void esp4_err(struct sk_buff
*skb
, u32 info
)
416 struct net
*net
= dev_net(skb
->dev
);
417 struct iphdr
*iph
= (struct iphdr
*)skb
->data
;
418 struct ip_esp_hdr
*esph
= (struct ip_esp_hdr
*)(skb
->data
+(iph
->ihl
<<2));
419 struct xfrm_state
*x
;
421 if (icmp_hdr(skb
)->type
!= ICMP_DEST_UNREACH
||
422 icmp_hdr(skb
)->code
!= ICMP_FRAG_NEEDED
)
425 x
= xfrm_state_lookup(net
, (xfrm_address_t
*)&iph
->daddr
, esph
->spi
, IPPROTO_ESP
, AF_INET
);
428 NETDEBUG(KERN_DEBUG
"pmtu discovery on SA ESP/%08x/%08x\n",
429 ntohl(esph
->spi
), ntohl(iph
->daddr
));
433 static void esp_destroy(struct xfrm_state
*x
)
435 struct esp_data
*esp
= x
->data
;
440 crypto_free_aead(esp
->aead
);
444 static int esp_init_aead(struct xfrm_state
*x
)
446 struct esp_data
*esp
= x
->data
;
447 struct crypto_aead
*aead
;
450 aead
= crypto_alloc_aead(x
->aead
->alg_name
, 0, 0);
457 err
= crypto_aead_setkey(aead
, x
->aead
->alg_key
,
458 (x
->aead
->alg_key_len
+ 7) / 8);
462 err
= crypto_aead_setauthsize(aead
, x
->aead
->alg_icv_len
/ 8);
470 static int esp_init_authenc(struct xfrm_state
*x
)
472 struct esp_data
*esp
= x
->data
;
473 struct crypto_aead
*aead
;
474 struct crypto_authenc_key_param
*param
;
478 char authenc_name
[CRYPTO_MAX_ALG_NAME
];
487 if (snprintf(authenc_name
, CRYPTO_MAX_ALG_NAME
, "authenc(%s,%s)",
488 x
->aalg
? x
->aalg
->alg_name
: "digest_null",
489 x
->ealg
->alg_name
) >= CRYPTO_MAX_ALG_NAME
)
492 aead
= crypto_alloc_aead(authenc_name
, 0, 0);
499 keylen
= (x
->aalg
? (x
->aalg
->alg_key_len
+ 7) / 8 : 0) +
500 (x
->ealg
->alg_key_len
+ 7) / 8 + RTA_SPACE(sizeof(*param
));
502 key
= kmalloc(keylen
, GFP_KERNEL
);
508 rta
->rta_type
= CRYPTO_AUTHENC_KEYA_PARAM
;
509 rta
->rta_len
= RTA_LENGTH(sizeof(*param
));
510 param
= RTA_DATA(rta
);
511 p
+= RTA_SPACE(sizeof(*param
));
514 struct xfrm_algo_desc
*aalg_desc
;
516 memcpy(p
, x
->aalg
->alg_key
, (x
->aalg
->alg_key_len
+ 7) / 8);
517 p
+= (x
->aalg
->alg_key_len
+ 7) / 8;
519 aalg_desc
= xfrm_aalg_get_byname(x
->aalg
->alg_name
, 0);
523 if (aalg_desc
->uinfo
.auth
.icv_fullbits
/8 !=
524 crypto_aead_authsize(aead
)) {
525 NETDEBUG(KERN_INFO
"ESP: %s digestsize %u != %hu\n",
527 crypto_aead_authsize(aead
),
528 aalg_desc
->uinfo
.auth
.icv_fullbits
/8);
532 err
= crypto_aead_setauthsize(
533 aead
, aalg_desc
->uinfo
.auth
.icv_truncbits
/ 8);
538 param
->enckeylen
= cpu_to_be32((x
->ealg
->alg_key_len
+ 7) / 8);
539 memcpy(p
, x
->ealg
->alg_key
, (x
->ealg
->alg_key_len
+ 7) / 8);
541 err
= crypto_aead_setkey(aead
, key
, keylen
);
550 static int esp_init_state(struct xfrm_state
*x
)
552 struct esp_data
*esp
;
553 struct crypto_aead
*aead
;
557 esp
= kzalloc(sizeof(*esp
), GFP_KERNEL
);
564 err
= esp_init_aead(x
);
566 err
= esp_init_authenc(x
);
575 x
->props
.header_len
= sizeof(struct ip_esp_hdr
) +
576 crypto_aead_ivsize(aead
);
577 if (x
->props
.mode
== XFRM_MODE_TUNNEL
)
578 x
->props
.header_len
+= sizeof(struct iphdr
);
579 else if (x
->props
.mode
== XFRM_MODE_BEET
&& x
->sel
.family
!= AF_INET6
)
580 x
->props
.header_len
+= IPV4_BEET_PHMAXLEN
;
582 struct xfrm_encap_tmpl
*encap
= x
->encap
;
584 switch (encap
->encap_type
) {
587 case UDP_ENCAP_ESPINUDP
:
588 x
->props
.header_len
+= sizeof(struct udphdr
);
590 case UDP_ENCAP_ESPINUDP_NON_IKE
:
591 x
->props
.header_len
+= sizeof(struct udphdr
) + 2 * sizeof(u32
);
596 align
= ALIGN(crypto_aead_blocksize(aead
), 4);
598 align
= max_t(u32
, align
, esp
->padlen
);
599 x
->props
.trailer_len
= align
+ 1 + crypto_aead_authsize(esp
->aead
);
605 static const struct xfrm_type esp_type
=
607 .description
= "ESP4",
608 .owner
= THIS_MODULE
,
609 .proto
= IPPROTO_ESP
,
610 .flags
= XFRM_TYPE_REPLAY_PROT
,
611 .init_state
= esp_init_state
,
612 .destructor
= esp_destroy
,
613 .get_mtu
= esp4_get_mtu
,
618 static const struct net_protocol esp4_protocol
= {
619 .handler
= xfrm4_rcv
,
620 .err_handler
= esp4_err
,
625 static int __init
esp4_init(void)
627 if (xfrm_register_type(&esp_type
, AF_INET
) < 0) {
628 printk(KERN_INFO
"ip esp init: can't add xfrm type\n");
631 if (inet_add_protocol(&esp4_protocol
, IPPROTO_ESP
) < 0) {
632 printk(KERN_INFO
"ip esp init: can't add protocol\n");
633 xfrm_unregister_type(&esp_type
, AF_INET
);
639 static void __exit
esp4_fini(void)
641 if (inet_del_protocol(&esp4_protocol
, IPPROTO_ESP
) < 0)
642 printk(KERN_INFO
"ip esp close: can't remove protocol\n");
643 if (xfrm_unregister_type(&esp_type
, AF_INET
) < 0)
644 printk(KERN_INFO
"ip esp close: can't remove xfrm type\n");
647 module_init(esp4_init
);
648 module_exit(esp4_fini
);
649 MODULE_LICENSE("GPL");
650 MODULE_ALIAS_XFRM_TYPE(AF_INET
, XFRM_PROTO_ESP
);