Orange Pi5 kernel

Deprecated Linux kernel 5.10.110 for OrangePi 5/5B/5+ boards

3 Commits   0 Branches   0 Tags
Index
Trunk
Branches
Tags
Trunk
Branches
Tags
Home page
Home page
orangepi/linux-orangepi-5.10.y.git/trunk/net/ipv4/ah4.c 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   1) // SPDX-License-Identifier: GPL-2.0-only
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   2) #define pr_fmt(fmt) "IPsec: " fmt
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   3) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   4) #include <crypto/algapi.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   5) #include <crypto/hash.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   6) #include <linux/err.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   7) #include <linux/module.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   8) #include <linux/slab.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   9) #include <net/ip.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  10) #include <net/xfrm.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  11) #include <net/ah.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  12) #include <linux/crypto.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  13) #include <linux/pfkeyv2.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  14) #include <linux/scatterlist.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  15) #include <net/icmp.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  16) #include <net/protocol.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  17) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  18) struct ah_skb_cb {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  19) 	struct xfrm_skb_cb xfrm;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  20) 	void *tmp;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  21) };
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  22) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  23) #define AH_SKB_CB(__skb) ((struct ah_skb_cb *)&((__skb)->cb[0]))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  24) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  25) static void *ah_alloc_tmp(struct crypto_ahash *ahash, int nfrags,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  26) 			  unsigned int size)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  27) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  28) 	unsigned int len;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  29) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  30) 	len = size + crypto_ahash_digestsize(ahash) +
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  31) 	      (crypto_ahash_alignmask(ahash) &
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  32) 	       ~(crypto_tfm_ctx_alignment() - 1));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  33) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  34) 	len = ALIGN(len, crypto_tfm_ctx_alignment());
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  35) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  36) 	len += sizeof(struct ahash_request) + crypto_ahash_reqsize(ahash);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  37) 	len = ALIGN(len, __alignof__(struct scatterlist));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  38) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  39) 	len += sizeof(struct scatterlist) * nfrags;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  40) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  41) 	return kmalloc(len, GFP_ATOMIC);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  42) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  43) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  44) static inline u8 *ah_tmp_auth(void *tmp, unsigned int offset)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  45) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  46) 	return tmp + offset;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  47) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  48) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  49) static inline u8 *ah_tmp_icv(struct crypto_ahash *ahash, void *tmp,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  50) 			     unsigned int offset)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  51) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  52) 	return PTR_ALIGN((u8 *)tmp + offset, crypto_ahash_alignmask(ahash) + 1);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  53) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  54) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  55) static inline struct ahash_request *ah_tmp_req(struct crypto_ahash *ahash,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  56) 					       u8 *icv)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  57) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  58) 	struct ahash_request *req;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  59) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  60) 	req = (void *)PTR_ALIGN(icv + crypto_ahash_digestsize(ahash),
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  61) 				crypto_tfm_ctx_alignment());
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  62) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  63) 	ahash_request_set_tfm(req, ahash);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  64) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  65) 	return req;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  66) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  67) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  68) static inline struct scatterlist *ah_req_sg(struct crypto_ahash *ahash,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  69) 					     struct ahash_request *req)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  70) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  71) 	return (void *)ALIGN((unsigned long)(req + 1) +
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  72) 			     crypto_ahash_reqsize(ahash),
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  73) 			     __alignof__(struct scatterlist));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  74) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  75) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  76) /* Clear mutable options and find final destination to substitute
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  77)  * into IP header for icv calculation. Options are already checked
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  78)  * for validity, so paranoia is not required. */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  79) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  80) static int ip_clear_mutable_options(const struct iphdr *iph, __be32 *daddr)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  81) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  82) 	unsigned char *optptr = (unsigned char *)(iph+1);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  83) 	int  l = iph->ihl*4 - sizeof(struct iphdr);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  84) 	int  optlen;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  85) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  86) 	while (l > 0) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  87) 		switch (*optptr) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  88) 		case IPOPT_END:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  89) 			return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  90) 		case IPOPT_NOOP:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  91) 			l--;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  92) 			optptr++;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  93) 			continue;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  94) 		}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  95) 		optlen = optptr[1];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  96) 		if (optlen<2 || optlen>l)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  97) 			return -EINVAL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  98) 		switch (*optptr) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  99) 		case IPOPT_SEC:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 100) 		case 0x85:	/* Some "Extended Security" crap. */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 101) 		case IPOPT_CIPSO:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 102) 		case IPOPT_RA:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 103) 		case 0x80|21:	/* RFC1770 */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 104) 			break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 105) 		case IPOPT_LSRR:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 106) 		case IPOPT_SSRR:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 107) 			if (optlen < 6)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 108) 				return -EINVAL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 109) 			memcpy(daddr, optptr+optlen-4, 4);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 110) 			fallthrough;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 111) 		default:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 112) 			memset(optptr, 0, optlen);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 113) 		}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 114) 		l -= optlen;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 115) 		optptr += optlen;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 116) 	}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 117) 	return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 118) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 119) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 120) static void ah_output_done(struct crypto_async_request *base, int err)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 121) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 122) 	u8 *icv;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 123) 	struct iphdr *iph;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 124) 	struct sk_buff *skb = base->data;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 125) 	struct xfrm_state *x = skb_dst(skb)->xfrm;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 126) 	struct ah_data *ahp = x->data;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 127) 	struct iphdr *top_iph = ip_hdr(skb);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 128) 	struct ip_auth_hdr *ah = ip_auth_hdr(skb);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 129) 	int ihl = ip_hdrlen(skb);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 130) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 131) 	iph = AH_SKB_CB(skb)->tmp;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 132) 	icv = ah_tmp_icv(ahp->ahash, iph, ihl);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 133) 	memcpy(ah->auth_data, icv, ahp->icv_trunc_len);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 134) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 135) 	top_iph->tos = iph->tos;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 136) 	top_iph->ttl = iph->ttl;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 137) 	top_iph->frag_off = iph->frag_off;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 138) 	if (top_iph->ihl != 5) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 139) 		top_iph->daddr = iph->daddr;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 140) 		memcpy(top_iph+1, iph+1, top_iph->ihl*4 - sizeof(struct iphdr));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 141) 	}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 142) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 143) 	kfree(AH_SKB_CB(skb)->tmp);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 144) 	xfrm_output_resume(skb, err);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 145) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 146) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 147) static int ah_output(struct xfrm_state *x, struct sk_buff *skb)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 148) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 149) 	int err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 150) 	int nfrags;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 151) 	int ihl;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 152) 	u8 *icv;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 153) 	struct sk_buff *trailer;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 154) 	struct crypto_ahash *ahash;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 155) 	struct ahash_request *req;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 156) 	struct scatterlist *sg;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 157) 	struct iphdr *iph, *top_iph;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 158) 	struct ip_auth_hdr *ah;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 159) 	struct ah_data *ahp;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 160) 	int seqhi_len = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 161) 	__be32 *seqhi;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 162) 	int sglists = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 163) 	struct scatterlist *seqhisg;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 164) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 165) 	ahp = x->data;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 166) 	ahash = ahp->ahash;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 167) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 168) 	if ((err = skb_cow_data(skb, 0, &trailer)) < 0)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 169) 		goto out;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 170) 	nfrags = err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 171) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 172) 	skb_push(skb, -skb_network_offset(skb));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 173) 	ah = ip_auth_hdr(skb);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 174) 	ihl = ip_hdrlen(skb);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 175) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 176) 	if (x->props.flags & XFRM_STATE_ESN) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 177) 		sglists = 1;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 178) 		seqhi_len = sizeof(*seqhi);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 179) 	}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 180) 	err = -ENOMEM;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 181) 	iph = ah_alloc_tmp(ahash, nfrags + sglists, ihl + seqhi_len);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 182) 	if (!iph)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 183) 		goto out;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 184) 	seqhi = (__be32 *)((char *)iph + ihl);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 185) 	icv = ah_tmp_icv(ahash, seqhi, seqhi_len);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 186) 	req = ah_tmp_req(ahash, icv);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 187) 	sg = ah_req_sg(ahash, req);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 188) 	seqhisg = sg + nfrags;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 189) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 190) 	memset(ah->auth_data, 0, ahp->icv_trunc_len);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 191) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 192) 	top_iph = ip_hdr(skb);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 193) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 194) 	iph->tos = top_iph->tos;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 195) 	iph->ttl = top_iph->ttl;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 196) 	iph->frag_off = top_iph->frag_off;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 197) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 198) 	if (top_iph->ihl != 5) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 199) 		iph->daddr = top_iph->daddr;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 200) 		memcpy(iph+1, top_iph+1, top_iph->ihl*4 - sizeof(struct iphdr));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 201) 		err = ip_clear_mutable_options(top_iph, &top_iph->daddr);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 202) 		if (err)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 203) 			goto out_free;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 204) 	}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 205) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 206) 	ah->nexthdr = *skb_mac_header(skb);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 207) 	*skb_mac_header(skb) = IPPROTO_AH;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 208) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 209) 	top_iph->tos = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 210) 	top_iph->tot_len = htons(skb->len);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 211) 	top_iph->frag_off = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 212) 	top_iph->ttl = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 213) 	top_iph->check = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 214) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 215) 	if (x->props.flags & XFRM_STATE_ALIGN4)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 216) 		ah->hdrlen  = (XFRM_ALIGN4(sizeof(*ah) + ahp->icv_trunc_len) >> 2) - 2;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 217) 	else
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 218) 		ah->hdrlen  = (XFRM_ALIGN8(sizeof(*ah) + ahp->icv_trunc_len) >> 2) - 2;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 219) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 220) 	ah->reserved = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 221) 	ah->spi = x->id.spi;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 222) 	ah->seq_no = htonl(XFRM_SKB_CB(skb)->seq.output.low);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 223) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 224) 	sg_init_table(sg, nfrags + sglists);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 225) 	err = skb_to_sgvec_nomark(skb, sg, 0, skb->len);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 226) 	if (unlikely(err < 0))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 227) 		goto out_free;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 228) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 229) 	if (x->props.flags & XFRM_STATE_ESN) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 230) 		/* Attach seqhi sg right after packet payload */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 231) 		*seqhi = htonl(XFRM_SKB_CB(skb)->seq.output.hi);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 232) 		sg_set_buf(seqhisg, seqhi, seqhi_len);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 233) 	}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 234) 	ahash_request_set_crypt(req, sg, icv, skb->len + seqhi_len);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 235) 	ahash_request_set_callback(req, 0, ah_output_done, skb);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 236) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 237) 	AH_SKB_CB(skb)->tmp = iph;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 238) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 239) 	err = crypto_ahash_digest(req);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 240) 	if (err) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 241) 		if (err == -EINPROGRESS)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 242) 			goto out;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 243) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 244) 		if (err == -ENOSPC)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 245) 			err = NET_XMIT_DROP;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 246) 		goto out_free;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 247) 	}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 248) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 249) 	memcpy(ah->auth_data, icv, ahp->icv_trunc_len);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 250) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 251) 	top_iph->tos = iph->tos;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 252) 	top_iph->ttl = iph->ttl;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 253) 	top_iph->frag_off = iph->frag_off;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 254) 	if (top_iph->ihl != 5) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 255) 		top_iph->daddr = iph->daddr;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 256) 		memcpy(top_iph+1, iph+1, top_iph->ihl*4 - sizeof(struct iphdr));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 257) 	}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 258) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 259) out_free:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 260) 	kfree(iph);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 261) out:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 262) 	return err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 263) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 264) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 265) static void ah_input_done(struct crypto_async_request *base, int err)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 266) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 267) 	u8 *auth_data;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 268) 	u8 *icv;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 269) 	struct iphdr *work_iph;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 270) 	struct sk_buff *skb = base->data;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 271) 	struct xfrm_state *x = xfrm_input_state(skb);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 272) 	struct ah_data *ahp = x->data;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 273) 	struct ip_auth_hdr *ah = ip_auth_hdr(skb);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 274) 	int ihl = ip_hdrlen(skb);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 275) 	int ah_hlen = (ah->hdrlen + 2) << 2;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 276) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 277) 	if (err)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 278) 		goto out;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 279) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 280) 	work_iph = AH_SKB_CB(skb)->tmp;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 281) 	auth_data = ah_tmp_auth(work_iph, ihl);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 282) 	icv = ah_tmp_icv(ahp->ahash, auth_data, ahp->icv_trunc_len);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 283) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 284) 	err = crypto_memneq(icv, auth_data, ahp->icv_trunc_len) ? -EBADMSG : 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 285) 	if (err)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 286) 		goto out;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 287) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 288) 	err = ah->nexthdr;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 289) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 290) 	skb->network_header += ah_hlen;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 291) 	memcpy(skb_network_header(skb), work_iph, ihl);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 292) 	__skb_pull(skb, ah_hlen + ihl);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 293) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 294) 	if (x->props.mode == XFRM_MODE_TUNNEL)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 295) 		skb_reset_transport_header(skb);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 296) 	else
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 297) 		skb_set_transport_header(skb, -ihl);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 298) out:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 299) 	kfree(AH_SKB_CB(skb)->tmp);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 300) 	xfrm_input_resume(skb, err);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 301) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 302) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 303) static int ah_input(struct xfrm_state *x, struct sk_buff *skb)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 304) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 305) 	int ah_hlen;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 306) 	int ihl;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 307) 	int nexthdr;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 308) 	int nfrags;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 309) 	u8 *auth_data;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 310) 	u8 *icv;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 311) 	struct sk_buff *trailer;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 312) 	struct crypto_ahash *ahash;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 313) 	struct ahash_request *req;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 314) 	struct scatterlist *sg;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 315) 	struct iphdr *iph, *work_iph;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 316) 	struct ip_auth_hdr *ah;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 317) 	struct ah_data *ahp;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 318) 	int err = -ENOMEM;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 319) 	int seqhi_len = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 320) 	__be32 *seqhi;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 321) 	int sglists = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 322) 	struct scatterlist *seqhisg;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 323) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 324) 	if (!pskb_may_pull(skb, sizeof(*ah)))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 325) 		goto out;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 326) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 327) 	ah = (struct ip_auth_hdr *)skb->data;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 328) 	ahp = x->data;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 329) 	ahash = ahp->ahash;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 330) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 331) 	nexthdr = ah->nexthdr;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 332) 	ah_hlen = (ah->hdrlen + 2) << 2;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 333) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 334) 	if (x->props.flags & XFRM_STATE_ALIGN4) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 335) 		if (ah_hlen != XFRM_ALIGN4(sizeof(*ah) + ahp->icv_full_len) &&
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 336) 		    ah_hlen != XFRM_ALIGN4(sizeof(*ah) + ahp->icv_trunc_len))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 337) 			goto out;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 338) 	} else {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 339) 		if (ah_hlen != XFRM_ALIGN8(sizeof(*ah) + ahp->icv_full_len) &&
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 340) 		    ah_hlen != XFRM_ALIGN8(sizeof(*ah) + ahp->icv_trunc_len))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 341) 			goto out;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 342) 	}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 343) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 344) 	if (!pskb_may_pull(skb, ah_hlen))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 345) 		goto out;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 346) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 347) 	/* We are going to _remove_ AH header to keep sockets happy,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 348) 	 * so... Later this can change. */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 349) 	if (skb_unclone(skb, GFP_ATOMIC))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 350) 		goto out;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 351) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 352) 	skb->ip_summed = CHECKSUM_NONE;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 353) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 354) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 355) 	if ((err = skb_cow_data(skb, 0, &trailer)) < 0)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 356) 		goto out;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 357) 	nfrags = err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 358) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 359) 	ah = (struct ip_auth_hdr *)skb->data;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 360) 	iph = ip_hdr(skb);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 361) 	ihl = ip_hdrlen(skb);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 362) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 363) 	if (x->props.flags & XFRM_STATE_ESN) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 364) 		sglists = 1;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 365) 		seqhi_len = sizeof(*seqhi);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 366) 	}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 367) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 368) 	work_iph = ah_alloc_tmp(ahash, nfrags + sglists, ihl +
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 369) 				ahp->icv_trunc_len + seqhi_len);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 370) 	if (!work_iph) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 371) 		err = -ENOMEM;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 372) 		goto out;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 373) 	}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 374) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 375) 	seqhi = (__be32 *)((char *)work_iph + ihl);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 376) 	auth_data = ah_tmp_auth(seqhi, seqhi_len);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 377) 	icv = ah_tmp_icv(ahash, auth_data, ahp->icv_trunc_len);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 378) 	req = ah_tmp_req(ahash, icv);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 379) 	sg = ah_req_sg(ahash, req);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 380) 	seqhisg = sg + nfrags;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 381) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 382) 	memcpy(work_iph, iph, ihl);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 383) 	memcpy(auth_data, ah->auth_data, ahp->icv_trunc_len);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 384) 	memset(ah->auth_data, 0, ahp->icv_trunc_len);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 385) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 386) 	iph->ttl = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 387) 	iph->tos = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 388) 	iph->frag_off = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 389) 	iph->check = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 390) 	if (ihl > sizeof(*iph)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 391) 		__be32 dummy;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 392) 		err = ip_clear_mutable_options(iph, &dummy);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 393) 		if (err)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 394) 			goto out_free;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 395) 	}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 396) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 397) 	skb_push(skb, ihl);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 398) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 399) 	sg_init_table(sg, nfrags + sglists);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 400) 	err = skb_to_sgvec_nomark(skb, sg, 0, skb->len);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 401) 	if (unlikely(err < 0))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 402) 		goto out_free;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 403) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 404) 	if (x->props.flags & XFRM_STATE_ESN) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 405) 		/* Attach seqhi sg right after packet payload */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 406) 		*seqhi = XFRM_SKB_CB(skb)->seq.input.hi;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 407) 		sg_set_buf(seqhisg, seqhi, seqhi_len);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 408) 	}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 409) 	ahash_request_set_crypt(req, sg, icv, skb->len + seqhi_len);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 410) 	ahash_request_set_callback(req, 0, ah_input_done, skb);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 411) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 412) 	AH_SKB_CB(skb)->tmp = work_iph;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 413) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 414) 	err = crypto_ahash_digest(req);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 415) 	if (err) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 416) 		if (err == -EINPROGRESS)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 417) 			goto out;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 418) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 419) 		goto out_free;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 420) 	}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 421) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 422) 	err = crypto_memneq(icv, auth_data, ahp->icv_trunc_len) ? -EBADMSG : 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 423) 	if (err)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 424) 		goto out_free;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 425) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 426) 	skb->network_header += ah_hlen;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 427) 	memcpy(skb_network_header(skb), work_iph, ihl);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 428) 	__skb_pull(skb, ah_hlen + ihl);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 429) 	if (x->props.mode == XFRM_MODE_TUNNEL)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 430) 		skb_reset_transport_header(skb);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 431) 	else
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 432) 		skb_set_transport_header(skb, -ihl);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 433) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 434) 	err = nexthdr;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 435) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 436) out_free:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 437) 	kfree (work_iph);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 438) out:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 439) 	return err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 440) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 441) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 442) static int ah4_err(struct sk_buff *skb, u32 info)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 443) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 444) 	struct net *net = dev_net(skb->dev);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 445) 	const struct iphdr *iph = (const struct iphdr *)skb->data;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 446) 	struct ip_auth_hdr *ah = (struct ip_auth_hdr *)(skb->data+(iph->ihl<<2));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 447) 	struct xfrm_state *x;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 448) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 449) 	switch (icmp_hdr(skb)->type) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 450) 	case ICMP_DEST_UNREACH:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 451) 		if (icmp_hdr(skb)->code != ICMP_FRAG_NEEDED)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 452) 			return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 453) 	case ICMP_REDIRECT:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 454) 		break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 455) 	default:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 456) 		return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 457) 	}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 458) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 459) 	x = xfrm_state_lookup(net, skb->mark, (const xfrm_address_t *)&iph->daddr,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 460) 			      ah->spi, IPPROTO_AH, AF_INET);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 461) 	if (!x)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 462) 		return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 463) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 464) 	if (icmp_hdr(skb)->type == ICMP_DEST_UNREACH)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 465) 		ipv4_update_pmtu(skb, net, info, 0, IPPROTO_AH);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 466) 	else
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 467) 		ipv4_redirect(skb, net, 0, IPPROTO_AH);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 468) 	xfrm_state_put(x);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 469) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 470) 	return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 471) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 472) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 473) static int ah_init_state(struct xfrm_state *x)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 474) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 475) 	struct ah_data *ahp = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 476) 	struct xfrm_algo_desc *aalg_desc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 477) 	struct crypto_ahash *ahash;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 478) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 479) 	if (!x->aalg)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 480) 		goto error;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 481) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 482) 	if (x->encap)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 483) 		goto error;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 484) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 485) 	ahp = kzalloc(sizeof(*ahp), GFP_KERNEL);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 486) 	if (!ahp)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 487) 		return -ENOMEM;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 488) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 489) 	ahash = crypto_alloc_ahash(x->aalg->alg_name, 0, 0);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 490) 	if (IS_ERR(ahash))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 491) 		goto error;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 492) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 493) 	ahp->ahash = ahash;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 494) 	if (crypto_ahash_setkey(ahash, x->aalg->alg_key,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 495) 				(x->aalg->alg_key_len + 7) / 8))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 496) 		goto error;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 497) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 498) 	/*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 499) 	 * Lookup the algorithm description maintained by xfrm_algo,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 500) 	 * verify crypto transform properties, and store information
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 501) 	 * we need for AH processing.  This lookup cannot fail here
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 502) 	 * after a successful crypto_alloc_ahash().
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 503) 	 */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 504) 	aalg_desc = xfrm_aalg_get_byname(x->aalg->alg_name, 0);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 505) 	BUG_ON(!aalg_desc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 506) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 507) 	if (aalg_desc->uinfo.auth.icv_fullbits/8 !=
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 508) 	    crypto_ahash_digestsize(ahash)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 509) 		pr_info("%s: %s digestsize %u != %hu\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 510) 			__func__, x->aalg->alg_name,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 511) 			crypto_ahash_digestsize(ahash),
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 512) 			aalg_desc->uinfo.auth.icv_fullbits / 8);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 513) 		goto error;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 514) 	}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 515) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 516) 	ahp->icv_full_len = aalg_desc->uinfo.auth.icv_fullbits/8;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 517) 	ahp->icv_trunc_len = x->aalg->alg_trunc_len/8;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 518) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 519) 	if (x->props.flags & XFRM_STATE_ALIGN4)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 520) 		x->props.header_len = XFRM_ALIGN4(sizeof(struct ip_auth_hdr) +
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 521) 						  ahp->icv_trunc_len);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 522) 	else
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 523) 		x->props.header_len = XFRM_ALIGN8(sizeof(struct ip_auth_hdr) +
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 524) 						  ahp->icv_trunc_len);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 525) 	if (x->props.mode == XFRM_MODE_TUNNEL)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 526) 		x->props.header_len += sizeof(struct iphdr);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 527) 	x->data = ahp;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 528) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 529) 	return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 530) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 531) error:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 532) 	if (ahp) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 533) 		crypto_free_ahash(ahp->ahash);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 534) 		kfree(ahp);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 535) 	}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 536) 	return -EINVAL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 537) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 538) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 539) static void ah_destroy(struct xfrm_state *x)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 540) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 541) 	struct ah_data *ahp = x->data;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 542) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 543) 	if (!ahp)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 544) 		return;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 545) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 546) 	crypto_free_ahash(ahp->ahash);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 547) 	kfree(ahp);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 548) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 549) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 550) static int ah4_rcv_cb(struct sk_buff *skb, int err)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 551) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 552) 	return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 553) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 554) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 555) static const struct xfrm_type ah_type =
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 556) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 557) 	.description	= "AH4",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 558) 	.owner		= THIS_MODULE,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 559) 	.proto	     	= IPPROTO_AH,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 560) 	.flags		= XFRM_TYPE_REPLAY_PROT,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 561) 	.init_state	= ah_init_state,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 562) 	.destructor	= ah_destroy,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 563) 	.input		= ah_input,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 564) 	.output		= ah_output
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 565) };
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 566) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 567) static struct xfrm4_protocol ah4_protocol = {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 568) 	.handler	=	xfrm4_rcv,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 569) 	.input_handler	=	xfrm_input,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 570) 	.cb_handler	=	ah4_rcv_cb,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 571) 	.err_handler	=	ah4_err,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 572) 	.priority	=	0,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 573) };
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 574) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 575) static int __init ah4_init(void)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 576) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 577) 	if (xfrm_register_type(&ah_type, AF_INET) < 0) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 578) 		pr_info("%s: can't add xfrm type\n", __func__);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 579) 		return -EAGAIN;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 580) 	}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 581) 	if (xfrm4_protocol_register(&ah4_protocol, IPPROTO_AH) < 0) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 582) 		pr_info("%s: can't add protocol\n", __func__);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 583) 		xfrm_unregister_type(&ah_type, AF_INET);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 584) 		return -EAGAIN;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 585) 	}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 586) 	return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 587) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 588) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 589) static void __exit ah4_fini(void)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 590) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 591) 	if (xfrm4_protocol_deregister(&ah4_protocol, IPPROTO_AH) < 0)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 592) 		pr_info("%s: can't remove protocol\n", __func__);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 593) 	xfrm_unregister_type(&ah_type, AF_INET);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 594) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 595) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 596) module_init(ah4_init);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 597) module_exit(ah4_fini);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 598) MODULE_LICENSE("GPL");
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 599) MODULE_ALIAS_XFRM_TYPE(AF_INET, XFRM_PROTO_AH);
cGit-ui 0.1.7
Git 2.40.0
Nginx 1.22.1

Where any material of this site is being reproduced, published or issued to others the reference to the source is obligatory.

© Andrey V. Kosteltsev, 2019 – 2025.