2 * Copyright (C)2002 USAGI/WIDE Project
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License as published by
6 * the Free Software Foundation; either version 2 of the License, or
7 * (at your option) any later version.
9 * This program is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 * GNU General Public License for more details.
14 * You should have received a copy of the GNU General Public License
15 * along with this program; if not, write to the Free Software
16 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
20 * Mitsuru KANDA @USAGI : IPv6 Support
21 * Kazunori MIYAZAWA @USAGI :
22 * Kunihiro Ishiguro <kunihiro@ipinfusion.com>
24 * This file is derived from net/ipv4/ah.c.
27 #include <linux/config.h>
28 #include <linux/module.h>
31 #include <linux/crypto.h>
32 #include <linux/pfkeyv2.h>
33 #include <linux/string.h>
37 #include <asm/scatterlist.h>
39 static int zero_out_mutable_opts(struct ipv6_opt_hdr *opthdr)
41 u8 *opt = (u8 *)opthdr;
42 int len = ipv6_optlen(opthdr);
59 optlen = opt[off+1]+2;
63 memset(&opt[off+2], 0, opt[off+1]);
78 * ipv6_rearrange_rthdr - rearrange IPv6 routing header
80 * @rthdr: routing header
82 * Rearrange the destination address in @iph and the addresses in @rthdr
83 * so that they appear in the order they will at the final destination.
84 * See Appendix A2 of RFC 2402 for details.
86 static void ipv6_rearrange_rthdr(struct ipv6hdr *iph, struct ipv6_rt_hdr *rthdr)
88 int segments, segments_left;
89 struct in6_addr *addrs;
90 struct in6_addr final_addr;
92 segments_left = rthdr->segments_left;
93 if (segments_left == 0)
95 rthdr->segments_left = 0;
97 /* The value of rthdr->hdrlen has been verified either by the system
98 * call if it is locally generated, or by ipv6_rthdr_rcv() for incoming
99 * packets. So we can assume that it is even and that segments is
100 * greater than or equal to segments_left.
102 * For the same reason we can assume that this option is of type 0.
104 segments = rthdr->hdrlen >> 1;
106 addrs = ((struct rt0_hdr *)rthdr)->addr;
107 ipv6_addr_copy(&final_addr, addrs + segments - 1);
109 addrs += segments - segments_left;
110 memmove(addrs + 1, addrs, (segments_left - 1) * sizeof(*addrs));
112 ipv6_addr_copy(addrs, &iph->daddr);
113 ipv6_addr_copy(&iph->daddr, &final_addr);
116 static int ipv6_clear_mutable_options(struct ipv6hdr *iph, int len)
120 struct ipv6_opt_hdr *opth;
121 struct ipv6_rt_hdr *rth;
123 } exthdr = { .iph = iph };
124 char *end = exthdr.raw + len;
125 int nexthdr = iph->nexthdr;
129 while (exthdr.raw < end) {
133 if (!zero_out_mutable_opts(exthdr.opth)) {
134 LIMIT_NETDEBUG(printk(
135 KERN_WARNING "overrun %sopts\n",
136 nexthdr == NEXTHDR_HOP ?
142 case NEXTHDR_ROUTING:
143 ipv6_rearrange_rthdr(iph, exthdr.rth);
150 nexthdr = exthdr.opth->nexthdr;
151 exthdr.raw += ipv6_optlen(exthdr.opth);
157 static int ah6_output(struct sk_buff *skb)
161 struct dst_entry *dst = skb->dst;
162 struct xfrm_state *x = dst->xfrm;
163 struct ipv6hdr *top_iph;
164 struct ip_auth_hdr *ah;
169 struct in6_addr daddr;
173 top_iph = (struct ipv6hdr *)skb->data;
174 top_iph->payload_len = htons(skb->len - sizeof(*top_iph));
176 nexthdr = *skb->nh.raw;
177 *skb->nh.raw = IPPROTO_AH;
179 /* When there are no extension headers, we only need to save the first
180 * 8 bytes of the base IP header.
182 memcpy(tmp_base, top_iph, sizeof(tmp_base));
185 extlen = skb->h.raw - (unsigned char *)(top_iph + 1);
187 extlen += sizeof(*tmp_ext);
188 tmp_ext = kmalloc(extlen, GFP_ATOMIC);
193 memcpy(tmp_ext, &top_iph->daddr, extlen);
194 err = ipv6_clear_mutable_options(top_iph,
195 extlen - sizeof(*tmp_ext) +
201 ah = (struct ip_auth_hdr *)skb->h.raw;
202 ah->nexthdr = nexthdr;
204 top_iph->priority = 0;
205 top_iph->flow_lbl[0] = 0;
206 top_iph->flow_lbl[1] = 0;
207 top_iph->flow_lbl[2] = 0;
208 top_iph->hop_limit = 0;
211 ah->hdrlen = (XFRM_ALIGN8(sizeof(struct ipv6_auth_hdr) +
212 ahp->icv_trunc_len) >> 2) - 2;
216 ah->seq_no = htonl(++x->replay.oseq);
217 ahp->icv(ahp, skb, ah->auth_data);
221 memcpy(top_iph, tmp_base, sizeof(tmp_base));
223 memcpy(&top_iph->daddr, tmp_ext, extlen);
232 static int ah6_input(struct xfrm_state *x, struct xfrm_decap_state *decap, struct sk_buff *skb)
236 * [IPv6][Ext1][Ext2][AH][Dest][Payload]
237 * |<-------------->| hdr_len
240 * Keeping copy of cleared headers. After AH processing,
241 * Moving the pointer of skb->nh.raw by using skb_pull as long as AH
242 * header length. Then copy back the copy as long as hdr_len
243 * If destination header following AH exists, copy it into after [Ext2].
245 * |<>|[IPv6][Ext1][Ext2][Dest][Payload]
246 * There is offset of AH before IPv6 header after the process.
249 struct ipv6_auth_hdr *ah;
251 unsigned char *tmp_hdr = NULL;
256 if (!pskb_may_pull(skb, sizeof(struct ip_auth_hdr)))
259 /* We are going to _remove_ AH header to keep sockets happy,
260 * so... Later this can change. */
261 if (skb_cloned(skb) &&
262 pskb_expand_head(skb, 0, 0, GFP_ATOMIC))
265 hdr_len = skb->data - skb->nh.raw;
266 ah = (struct ipv6_auth_hdr*)skb->data;
268 nexthdr = ah->nexthdr;
269 ah_hlen = (ah->hdrlen + 2) << 2;
271 if (ah_hlen != XFRM_ALIGN8(sizeof(struct ipv6_auth_hdr) + ahp->icv_full_len) &&
272 ah_hlen != XFRM_ALIGN8(sizeof(struct ipv6_auth_hdr) + ahp->icv_trunc_len))
275 if (!pskb_may_pull(skb, ah_hlen))
278 tmp_hdr = kmalloc(hdr_len, GFP_ATOMIC);
281 memcpy(tmp_hdr, skb->nh.raw, hdr_len);
282 if (ipv6_clear_mutable_options(skb->nh.ipv6h, hdr_len))
284 skb->nh.ipv6h->priority = 0;
285 skb->nh.ipv6h->flow_lbl[0] = 0;
286 skb->nh.ipv6h->flow_lbl[1] = 0;
287 skb->nh.ipv6h->flow_lbl[2] = 0;
288 skb->nh.ipv6h->hop_limit = 0;
291 u8 auth_data[MAX_AH_AUTH_LEN];
293 memcpy(auth_data, ah->auth_data, ahp->icv_trunc_len);
294 memset(ah->auth_data, 0, ahp->icv_trunc_len);
295 skb_push(skb, skb->data - skb->nh.raw);
296 ahp->icv(ahp, skb, ah->auth_data);
297 if (memcmp(ah->auth_data, auth_data, ahp->icv_trunc_len)) {
299 printk(KERN_WARNING "ipsec ah authentication error\n"));
300 x->stats.integrity_failed++;
305 skb->nh.raw = skb_pull(skb, ah_hlen);
306 memcpy(skb->nh.raw, tmp_hdr, hdr_len);
307 skb->nh.ipv6h->payload_len = htons(skb->len - sizeof(struct ipv6hdr));
308 skb_pull(skb, hdr_len);
309 skb->h.raw = skb->data;
322 static void ah6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
323 int type, int code, int offset, __u32 info)
325 struct ipv6hdr *iph = (struct ipv6hdr*)skb->data;
326 struct ip_auth_hdr *ah = (struct ip_auth_hdr*)(skb->data+offset);
327 struct xfrm_state *x;
329 if (type != ICMPV6_DEST_UNREACH &&
330 type != ICMPV6_PKT_TOOBIG)
333 x = xfrm_state_lookup((xfrm_address_t *)&iph->daddr, ah->spi, IPPROTO_AH, AF_INET6);
337 NETDEBUG(printk(KERN_DEBUG "pmtu discovery on SA AH/%08x/"
338 "%04x:%04x:%04x:%04x:%04x:%04x:%04x:%04x\n",
339 ntohl(ah->spi), NIP6(iph->daddr)));
344 static int ah6_init_state(struct xfrm_state *x, void *args)
346 struct ah_data *ahp = NULL;
347 struct xfrm_algo_desc *aalg_desc;
352 /* null auth can use a zero length key */
353 if (x->aalg->alg_key_len > 512)
359 ahp = kmalloc(sizeof(*ahp), GFP_KERNEL);
363 memset(ahp, 0, sizeof(*ahp));
365 ahp->key = x->aalg->alg_key;
366 ahp->key_len = (x->aalg->alg_key_len+7)/8;
367 ahp->tfm = crypto_alloc_tfm(x->aalg->alg_name, 0);
370 ahp->icv = ah_hmac_digest;
373 * Lookup the algorithm description maintained by xfrm_algo,
374 * verify crypto transform properties, and store information
375 * we need for AH processing. This lookup cannot fail here
376 * after a successful crypto_alloc_tfm().
378 aalg_desc = xfrm_aalg_get_byname(x->aalg->alg_name);
381 if (aalg_desc->uinfo.auth.icv_fullbits/8 !=
382 crypto_tfm_alg_digestsize(ahp->tfm)) {
383 printk(KERN_INFO "AH: %s digestsize %u != %hu\n",
384 x->aalg->alg_name, crypto_tfm_alg_digestsize(ahp->tfm),
385 aalg_desc->uinfo.auth.icv_fullbits/8);
389 ahp->icv_full_len = aalg_desc->uinfo.auth.icv_fullbits/8;
390 ahp->icv_trunc_len = aalg_desc->uinfo.auth.icv_truncbits/8;
392 BUG_ON(ahp->icv_trunc_len > MAX_AH_AUTH_LEN);
394 ahp->work_icv = kmalloc(ahp->icv_full_len, GFP_KERNEL);
398 x->props.header_len = XFRM_ALIGN8(sizeof(struct ipv6_auth_hdr) + ahp->icv_trunc_len);
400 x->props.header_len += sizeof(struct ipv6hdr);
408 kfree(ahp->work_icv);
410 crypto_free_tfm(ahp->tfm);
416 static void ah6_destroy(struct xfrm_state *x)
418 struct ah_data *ahp = x->data;
424 kfree(ahp->work_icv);
425 ahp->work_icv = NULL;
428 crypto_free_tfm(ahp->tfm);
434 static struct xfrm_type ah6_type =
436 .description = "AH6",
437 .owner = THIS_MODULE,
439 .init_state = ah6_init_state,
440 .destructor = ah6_destroy,
445 static struct inet6_protocol ah6_protocol = {
446 .handler = xfrm6_rcv,
447 .err_handler = ah6_err,
448 .flags = INET6_PROTO_NOPOLICY,
451 static int __init ah6_init(void)
453 if (xfrm_register_type(&ah6_type, AF_INET6) < 0) {
454 printk(KERN_INFO "ipv6 ah init: can't add xfrm type\n");
458 if (inet6_add_protocol(&ah6_protocol, IPPROTO_AH) < 0) {
459 printk(KERN_INFO "ipv6 ah init: can't add protocol\n");
460 xfrm_unregister_type(&ah6_type, AF_INET6);
467 static void __exit ah6_fini(void)
469 if (inet6_del_protocol(&ah6_protocol, IPPROTO_AH) < 0)
470 printk(KERN_INFO "ipv6 ah close: can't remove protocol\n");
472 if (xfrm_unregister_type(&ah6_type, AF_INET6) < 0)
473 printk(KERN_INFO "ipv6 ah close: can't remove xfrm type\n");
477 module_init(ah6_init);
478 module_exit(ah6_fini);
480 MODULE_LICENSE("GPL");