2 * Copyright (C)2002 USAGI/WIDE Project
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License as published by
6 * the Free Software Foundation; either version 2 of the License, or
7 * (at your option) any later version.
9 * This program is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 * GNU General Public License for more details.
14 * You should have received a copy of the GNU General Public License
15 * along with this program; if not, write to the Free Software
16 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
20 * Mitsuru KANDA @USAGI : IPv6 Support
21 * Kazunori MIYAZAWA @USAGI :
22 * Kunihiro Ishiguro <kunihiro@ipinfusion.com>
24 * This file is derived from net/ipv4/esp.c
27 #define pr_fmt(fmt) "IPv6: " fmt
29 #include <crypto/aead.h>
30 #include <crypto/authenc.h>
31 #include <linux/err.h>
32 #include <linux/module.h>
36 #include <linux/scatterlist.h>
37 #include <linux/kernel.h>
38 #include <linux/pfkeyv2.h>
39 #include <linux/random.h>
40 #include <linux/slab.h>
41 #include <linux/spinlock.h>
44 #include <net/protocol.h>
45 #include <linux/icmpv6.h>
48 struct xfrm_skb_cb xfrm
;
52 #define ESP_SKB_CB(__skb) ((struct esp_skb_cb *)&((__skb)->cb[0]))
54 static u32
esp6_get_mtu(struct xfrm_state
*x
, int mtu
);
57 * Allocate an AEAD request structure with extra space for SG and IV.
59 * For alignment considerations the upper 32 bits of the sequence number are
60 * placed at the front, if present. Followed by the IV, the request and finally
63 * TODO: Use spare space in skb for this where possible.
65 static void *esp_alloc_tmp(struct crypto_aead
*aead
, int nfrags
, int seqihlen
)
71 len
+= crypto_aead_ivsize(aead
);
74 len
+= crypto_aead_alignmask(aead
) &
75 ~(crypto_tfm_ctx_alignment() - 1);
76 len
= ALIGN(len
, crypto_tfm_ctx_alignment());
79 len
+= sizeof(struct aead_givcrypt_request
) + crypto_aead_reqsize(aead
);
80 len
= ALIGN(len
, __alignof__(struct scatterlist
));
82 len
+= sizeof(struct scatterlist
) * nfrags
;
84 return kmalloc(len
, GFP_ATOMIC
);
87 static inline __be32
*esp_tmp_seqhi(void *tmp
)
89 return PTR_ALIGN((__be32
*)tmp
, __alignof__(__be32
));
92 static inline u8
*esp_tmp_iv(struct crypto_aead
*aead
, void *tmp
, int seqhilen
)
94 return crypto_aead_ivsize(aead
) ?
95 PTR_ALIGN((u8
*)tmp
+ seqhilen
,
96 crypto_aead_alignmask(aead
) + 1) : tmp
+ seqhilen
;
99 static inline struct aead_givcrypt_request
*esp_tmp_givreq(
100 struct crypto_aead
*aead
, u8
*iv
)
102 struct aead_givcrypt_request
*req
;
104 req
= (void *)PTR_ALIGN(iv
+ crypto_aead_ivsize(aead
),
105 crypto_tfm_ctx_alignment());
106 aead_givcrypt_set_tfm(req
, aead
);
110 static inline struct aead_request
*esp_tmp_req(struct crypto_aead
*aead
, u8
*iv
)
112 struct aead_request
*req
;
114 req
= (void *)PTR_ALIGN(iv
+ crypto_aead_ivsize(aead
),
115 crypto_tfm_ctx_alignment());
116 aead_request_set_tfm(req
, aead
);
120 static inline struct scatterlist
*esp_req_sg(struct crypto_aead
*aead
,
121 struct aead_request
*req
)
123 return (void *)ALIGN((unsigned long)(req
+ 1) +
124 crypto_aead_reqsize(aead
),
125 __alignof__(struct scatterlist
));
128 static inline struct scatterlist
*esp_givreq_sg(
129 struct crypto_aead
*aead
, struct aead_givcrypt_request
*req
)
131 return (void *)ALIGN((unsigned long)(req
+ 1) +
132 crypto_aead_reqsize(aead
),
133 __alignof__(struct scatterlist
));
136 static void esp_output_done(struct crypto_async_request
*base
, int err
)
138 struct sk_buff
*skb
= base
->data
;
140 kfree(ESP_SKB_CB(skb
)->tmp
);
141 xfrm_output_resume(skb
, err
);
144 static int esp6_output(struct xfrm_state
*x
, struct sk_buff
*skb
)
147 struct ip_esp_hdr
*esph
;
148 struct crypto_aead
*aead
;
149 struct aead_givcrypt_request
*req
;
150 struct scatterlist
*sg
;
151 struct scatterlist
*asg
;
152 struct sk_buff
*trailer
;
166 struct esp_data
*esp
= x
->data
;
168 /* skb is pure payload to encrypt */
172 alen
= crypto_aead_authsize(aead
);
176 struct xfrm_dst
*dst
= (struct xfrm_dst
*)skb_dst(skb
);
179 padto
= min(x
->tfcpad
, esp6_get_mtu(x
, dst
->child_mtu_cached
));
180 if (skb
->len
< padto
)
181 tfclen
= padto
- skb
->len
;
183 blksize
= ALIGN(crypto_aead_blocksize(aead
), 4);
184 clen
= ALIGN(skb
->len
+ 2 + tfclen
, blksize
);
186 clen
= ALIGN(clen
, esp
->padlen
);
187 plen
= clen
- skb
->len
- tfclen
;
189 err
= skb_cow_data(skb
, tfclen
+ plen
+ alen
, &trailer
);
194 assoclen
= sizeof(*esph
);
198 if (x
->props
.flags
& XFRM_STATE_ESN
) {
200 seqhilen
+= sizeof(__be32
);
201 assoclen
+= seqhilen
;
204 tmp
= esp_alloc_tmp(aead
, nfrags
+ sglists
, seqhilen
);
208 seqhi
= esp_tmp_seqhi(tmp
);
209 iv
= esp_tmp_iv(aead
, tmp
, seqhilen
);
210 req
= esp_tmp_givreq(aead
, iv
);
211 asg
= esp_givreq_sg(aead
, req
);
214 /* Fill padding... */
215 tail
= skb_tail_pointer(trailer
);
217 memset(tail
, 0, tfclen
);
222 for (i
= 0; i
< plen
- 2; i
++)
225 tail
[plen
- 2] = plen
- 2;
226 tail
[plen
- 1] = *skb_mac_header(skb
);
227 pskb_put(skb
, trailer
, clen
- skb
->len
+ alen
);
229 skb_push(skb
, -skb_network_offset(skb
));
230 esph
= ip_esp_hdr(skb
);
231 *skb_mac_header(skb
) = IPPROTO_ESP
;
233 esph
->spi
= x
->id
.spi
;
234 esph
->seq_no
= htonl(XFRM_SKB_CB(skb
)->seq
.output
.low
);
236 sg_init_table(sg
, nfrags
);
237 skb_to_sgvec(skb
, sg
,
238 esph
->enc_data
+ crypto_aead_ivsize(aead
) - skb
->data
,
241 if ((x
->props
.flags
& XFRM_STATE_ESN
)) {
242 sg_init_table(asg
, 3);
243 sg_set_buf(asg
, &esph
->spi
, sizeof(__be32
));
244 *seqhi
= htonl(XFRM_SKB_CB(skb
)->seq
.output
.hi
);
245 sg_set_buf(asg
+ 1, seqhi
, seqhilen
);
246 sg_set_buf(asg
+ 2, &esph
->seq_no
, sizeof(__be32
));
248 sg_init_one(asg
, esph
, sizeof(*esph
));
250 aead_givcrypt_set_callback(req
, 0, esp_output_done
, skb
);
251 aead_givcrypt_set_crypt(req
, sg
, sg
, clen
, iv
);
252 aead_givcrypt_set_assoc(req
, asg
, assoclen
);
253 aead_givcrypt_set_giv(req
, esph
->enc_data
,
254 XFRM_SKB_CB(skb
)->seq
.output
.low
);
256 ESP_SKB_CB(skb
)->tmp
= tmp
;
257 err
= crypto_aead_givencrypt(req
);
258 if (err
== -EINPROGRESS
)
270 static int esp_input_done2(struct sk_buff
*skb
, int err
)
272 struct xfrm_state
*x
= xfrm_input_state(skb
);
273 struct esp_data
*esp
= x
->data
;
274 struct crypto_aead
*aead
= esp
->aead
;
275 int alen
= crypto_aead_authsize(aead
);
276 int hlen
= sizeof(struct ip_esp_hdr
) + crypto_aead_ivsize(aead
);
277 int elen
= skb
->len
- hlen
;
278 int hdr_len
= skb_network_header_len(skb
);
282 kfree(ESP_SKB_CB(skb
)->tmp
);
287 if (skb_copy_bits(skb
, skb
->len
- alen
- 2, nexthdr
, 2))
292 if (padlen
+ 2 + alen
>= elen
) {
293 LIMIT_NETDEBUG(KERN_WARNING
"ipsec esp packet is garbage "
294 "padlen=%d, elen=%d\n", padlen
+ 2, elen
- alen
);
298 /* ... check padding bits here. Silly. :-) */
300 pskb_trim(skb
, skb
->len
- alen
- padlen
- 2);
301 __skb_pull(skb
, hlen
);
302 skb_set_transport_header(skb
, -hdr_len
);
306 /* RFC4303: Drop dummy packets without any error */
307 if (err
== IPPROTO_NONE
)
314 static void esp_input_done(struct crypto_async_request
*base
, int err
)
316 struct sk_buff
*skb
= base
->data
;
318 xfrm_input_resume(skb
, esp_input_done2(skb
, err
));
321 static int esp6_input(struct xfrm_state
*x
, struct sk_buff
*skb
)
323 struct ip_esp_hdr
*esph
;
324 struct esp_data
*esp
= x
->data
;
325 struct crypto_aead
*aead
= esp
->aead
;
326 struct aead_request
*req
;
327 struct sk_buff
*trailer
;
328 int elen
= skb
->len
- sizeof(*esph
) - crypto_aead_ivsize(aead
);
337 struct scatterlist
*sg
;
338 struct scatterlist
*asg
;
340 if (!pskb_may_pull(skb
, sizeof(*esph
) + crypto_aead_ivsize(aead
))) {
350 if ((nfrags
= skb_cow_data(skb
, 0, &trailer
)) < 0) {
357 assoclen
= sizeof(*esph
);
361 if (x
->props
.flags
& XFRM_STATE_ESN
) {
363 seqhilen
+= sizeof(__be32
);
364 assoclen
+= seqhilen
;
367 tmp
= esp_alloc_tmp(aead
, nfrags
+ sglists
, seqhilen
);
371 ESP_SKB_CB(skb
)->tmp
= tmp
;
372 seqhi
= esp_tmp_seqhi(tmp
);
373 iv
= esp_tmp_iv(aead
, tmp
, seqhilen
);
374 req
= esp_tmp_req(aead
, iv
);
375 asg
= esp_req_sg(aead
, req
);
378 skb
->ip_summed
= CHECKSUM_NONE
;
380 esph
= (struct ip_esp_hdr
*)skb
->data
;
382 /* Get ivec. This can be wrong, check against another impls. */
385 sg_init_table(sg
, nfrags
);
386 skb_to_sgvec(skb
, sg
, sizeof(*esph
) + crypto_aead_ivsize(aead
), elen
);
388 if ((x
->props
.flags
& XFRM_STATE_ESN
)) {
389 sg_init_table(asg
, 3);
390 sg_set_buf(asg
, &esph
->spi
, sizeof(__be32
));
391 *seqhi
= XFRM_SKB_CB(skb
)->seq
.input
.hi
;
392 sg_set_buf(asg
+ 1, seqhi
, seqhilen
);
393 sg_set_buf(asg
+ 2, &esph
->seq_no
, sizeof(__be32
));
395 sg_init_one(asg
, esph
, sizeof(*esph
));
397 aead_request_set_callback(req
, 0, esp_input_done
, skb
);
398 aead_request_set_crypt(req
, sg
, sg
, elen
, iv
);
399 aead_request_set_assoc(req
, asg
, assoclen
);
401 ret
= crypto_aead_decrypt(req
);
402 if (ret
== -EINPROGRESS
)
405 ret
= esp_input_done2(skb
, ret
);
411 static u32
esp6_get_mtu(struct xfrm_state
*x
, int mtu
)
413 struct esp_data
*esp
= x
->data
;
414 u32 blksize
= ALIGN(crypto_aead_blocksize(esp
->aead
), 4);
415 u32 align
= max_t(u32
, blksize
, esp
->padlen
);
418 mtu
-= x
->props
.header_len
+ crypto_aead_authsize(esp
->aead
);
419 rem
= mtu
& (align
- 1);
422 if (x
->props
.mode
!= XFRM_MODE_TUNNEL
) {
423 u32 padsize
= ((blksize
- 1) & 7) + 1;
424 mtu
-= blksize
- padsize
;
425 mtu
+= min_t(u32
, blksize
- padsize
, rem
);
431 static void esp6_err(struct sk_buff
*skb
, struct inet6_skb_parm
*opt
,
432 u8 type
, u8 code
, int offset
, __be32 info
)
434 struct net
*net
= dev_net(skb
->dev
);
435 const struct ipv6hdr
*iph
= (const struct ipv6hdr
*)skb
->data
;
436 struct ip_esp_hdr
*esph
= (struct ip_esp_hdr
*)(skb
->data
+ offset
);
437 struct xfrm_state
*x
;
439 if (type
!= ICMPV6_DEST_UNREACH
&&
440 type
!= ICMPV6_PKT_TOOBIG
)
443 x
= xfrm_state_lookup(net
, skb
->mark
, (const xfrm_address_t
*)&iph
->daddr
,
444 esph
->spi
, IPPROTO_ESP
, AF_INET6
);
447 pr_debug("pmtu discovery on SA ESP/%08x/%pI6\n",
448 ntohl(esph
->spi
), &iph
->daddr
);
452 static void esp6_destroy(struct xfrm_state
*x
)
454 struct esp_data
*esp
= x
->data
;
459 crypto_free_aead(esp
->aead
);
463 static int esp_init_aead(struct xfrm_state
*x
)
465 struct esp_data
*esp
= x
->data
;
466 struct crypto_aead
*aead
;
469 aead
= crypto_alloc_aead(x
->aead
->alg_name
, 0, 0);
476 err
= crypto_aead_setkey(aead
, x
->aead
->alg_key
,
477 (x
->aead
->alg_key_len
+ 7) / 8);
481 err
= crypto_aead_setauthsize(aead
, x
->aead
->alg_icv_len
/ 8);
489 static int esp_init_authenc(struct xfrm_state
*x
)
491 struct esp_data
*esp
= x
->data
;
492 struct crypto_aead
*aead
;
493 struct crypto_authenc_key_param
*param
;
497 char authenc_name
[CRYPTO_MAX_ALG_NAME
];
507 if ((x
->props
.flags
& XFRM_STATE_ESN
)) {
508 if (snprintf(authenc_name
, CRYPTO_MAX_ALG_NAME
,
510 x
->aalg
? x
->aalg
->alg_name
: "digest_null",
511 x
->ealg
->alg_name
) >= CRYPTO_MAX_ALG_NAME
)
514 if (snprintf(authenc_name
, CRYPTO_MAX_ALG_NAME
,
516 x
->aalg
? x
->aalg
->alg_name
: "digest_null",
517 x
->ealg
->alg_name
) >= CRYPTO_MAX_ALG_NAME
)
521 aead
= crypto_alloc_aead(authenc_name
, 0, 0);
528 keylen
= (x
->aalg
? (x
->aalg
->alg_key_len
+ 7) / 8 : 0) +
529 (x
->ealg
->alg_key_len
+ 7) / 8 + RTA_SPACE(sizeof(*param
));
531 key
= kmalloc(keylen
, GFP_KERNEL
);
537 rta
->rta_type
= CRYPTO_AUTHENC_KEYA_PARAM
;
538 rta
->rta_len
= RTA_LENGTH(sizeof(*param
));
539 param
= RTA_DATA(rta
);
540 p
+= RTA_SPACE(sizeof(*param
));
543 struct xfrm_algo_desc
*aalg_desc
;
545 memcpy(p
, x
->aalg
->alg_key
, (x
->aalg
->alg_key_len
+ 7) / 8);
546 p
+= (x
->aalg
->alg_key_len
+ 7) / 8;
548 aalg_desc
= xfrm_aalg_get_byname(x
->aalg
->alg_name
, 0);
552 if (aalg_desc
->uinfo
.auth
.icv_fullbits
/8 !=
553 crypto_aead_authsize(aead
)) {
554 NETDEBUG(KERN_INFO
"ESP: %s digestsize %u != %hu\n",
556 crypto_aead_authsize(aead
),
557 aalg_desc
->uinfo
.auth
.icv_fullbits
/8);
561 err
= crypto_aead_setauthsize(
562 aead
, x
->aalg
->alg_trunc_len
/ 8);
567 param
->enckeylen
= cpu_to_be32((x
->ealg
->alg_key_len
+ 7) / 8);
568 memcpy(p
, x
->ealg
->alg_key
, (x
->ealg
->alg_key_len
+ 7) / 8);
570 err
= crypto_aead_setkey(aead
, key
, keylen
);
579 static int esp6_init_state(struct xfrm_state
*x
)
581 struct esp_data
*esp
;
582 struct crypto_aead
*aead
;
589 esp
= kzalloc(sizeof(*esp
), GFP_KERNEL
);
596 err
= esp_init_aead(x
);
598 err
= esp_init_authenc(x
);
607 x
->props
.header_len
= sizeof(struct ip_esp_hdr
) +
608 crypto_aead_ivsize(aead
);
609 switch (x
->props
.mode
) {
611 if (x
->sel
.family
!= AF_INET6
)
612 x
->props
.header_len
+= IPV4_BEET_PHMAXLEN
+
613 (sizeof(struct ipv6hdr
) - sizeof(struct iphdr
));
615 case XFRM_MODE_TRANSPORT
:
617 case XFRM_MODE_TUNNEL
:
618 x
->props
.header_len
+= sizeof(struct ipv6hdr
);
624 align
= ALIGN(crypto_aead_blocksize(aead
), 4);
626 align
= max_t(u32
, align
, esp
->padlen
);
627 x
->props
.trailer_len
= align
+ 1 + crypto_aead_authsize(esp
->aead
);
633 static const struct xfrm_type esp6_type
=
635 .description
= "ESP6",
636 .owner
= THIS_MODULE
,
637 .proto
= IPPROTO_ESP
,
638 .flags
= XFRM_TYPE_REPLAY_PROT
,
639 .init_state
= esp6_init_state
,
640 .destructor
= esp6_destroy
,
641 .get_mtu
= esp6_get_mtu
,
643 .output
= esp6_output
,
644 .hdr_offset
= xfrm6_find_1stfragopt
,
647 static const struct inet6_protocol esp6_protocol
= {
648 .handler
= xfrm6_rcv
,
649 .err_handler
= esp6_err
,
650 .flags
= INET6_PROTO_NOPOLICY
,
653 static int __init
esp6_init(void)
655 if (xfrm_register_type(&esp6_type
, AF_INET6
) < 0) {
656 pr_info("%s: can't add xfrm type\n", __func__
);
659 if (inet6_add_protocol(&esp6_protocol
, IPPROTO_ESP
) < 0) {
660 pr_info("%s: can't add protocol\n", __func__
);
661 xfrm_unregister_type(&esp6_type
, AF_INET6
);
668 static void __exit
esp6_fini(void)
670 if (inet6_del_protocol(&esp6_protocol
, IPPROTO_ESP
) < 0)
671 pr_info("%s: can't remove protocol\n", __func__
);
672 if (xfrm_unregister_type(&esp6_type
, AF_INET6
) < 0)
673 pr_info("%s: can't remove xfrm type\n", __func__
);
676 module_init(esp6_init
);
677 module_exit(esp6_fini
);
679 MODULE_LICENSE("GPL");
680 MODULE_ALIAS_XFRM_TYPE(AF_INET6
, XFRM_PROTO_ESP
);