162306a36Sopenharmony_ci// SPDX-License-Identifier: GPL-2.0 262306a36Sopenharmony_ci/* 362306a36Sopenharmony_ci * xfrm4_input.c 462306a36Sopenharmony_ci * 562306a36Sopenharmony_ci * Changes: 662306a36Sopenharmony_ci * YOSHIFUJI Hideaki @USAGI 762306a36Sopenharmony_ci * Split up af-specific portion 862306a36Sopenharmony_ci * Derek Atkins <derek@ihtfp.com> 962306a36Sopenharmony_ci * Add Encapsulation support 1062306a36Sopenharmony_ci * 1162306a36Sopenharmony_ci */ 1262306a36Sopenharmony_ci 1362306a36Sopenharmony_ci#include <linux/slab.h> 1462306a36Sopenharmony_ci#include <linux/module.h> 1562306a36Sopenharmony_ci#include <linux/string.h> 1662306a36Sopenharmony_ci#include <linux/netfilter.h> 1762306a36Sopenharmony_ci#include <linux/netfilter_ipv4.h> 1862306a36Sopenharmony_ci#include <net/ip.h> 1962306a36Sopenharmony_ci#include <net/xfrm.h> 2062306a36Sopenharmony_ci 2162306a36Sopenharmony_cistatic int xfrm4_rcv_encap_finish2(struct net *net, struct sock *sk, 2262306a36Sopenharmony_ci struct sk_buff *skb) 2362306a36Sopenharmony_ci{ 2462306a36Sopenharmony_ci return dst_input(skb); 2562306a36Sopenharmony_ci} 2662306a36Sopenharmony_ci 2762306a36Sopenharmony_cistatic inline int xfrm4_rcv_encap_finish(struct net *net, struct sock *sk, 2862306a36Sopenharmony_ci struct sk_buff *skb) 2962306a36Sopenharmony_ci{ 3062306a36Sopenharmony_ci if (!skb_dst(skb)) { 3162306a36Sopenharmony_ci const struct iphdr *iph = ip_hdr(skb); 3262306a36Sopenharmony_ci 3362306a36Sopenharmony_ci if (ip_route_input_noref(skb, iph->daddr, iph->saddr, 3462306a36Sopenharmony_ci iph->tos, skb->dev)) 3562306a36Sopenharmony_ci goto drop; 3662306a36Sopenharmony_ci } 3762306a36Sopenharmony_ci 3862306a36Sopenharmony_ci if (xfrm_trans_queue(skb, xfrm4_rcv_encap_finish2)) 3962306a36Sopenharmony_ci goto drop; 4062306a36Sopenharmony_ci 4162306a36Sopenharmony_ci return 0; 4262306a36Sopenharmony_cidrop: 4362306a36Sopenharmony_ci kfree_skb(skb); 4462306a36Sopenharmony_ci return NET_RX_DROP; 4562306a36Sopenharmony_ci} 4662306a36Sopenharmony_ci 4762306a36Sopenharmony_ciint xfrm4_transport_finish(struct sk_buff *skb, int async) 4862306a36Sopenharmony_ci{ 4962306a36Sopenharmony_ci struct xfrm_offload *xo = xfrm_offload(skb); 5062306a36Sopenharmony_ci struct iphdr *iph = ip_hdr(skb); 5162306a36Sopenharmony_ci 5262306a36Sopenharmony_ci iph->protocol = XFRM_MODE_SKB_CB(skb)->protocol; 5362306a36Sopenharmony_ci 5462306a36Sopenharmony_ci#ifndef CONFIG_NETFILTER 5562306a36Sopenharmony_ci if (!async) 5662306a36Sopenharmony_ci return -iph->protocol; 5762306a36Sopenharmony_ci#endif 5862306a36Sopenharmony_ci 5962306a36Sopenharmony_ci __skb_push(skb, skb->data - skb_network_header(skb)); 6062306a36Sopenharmony_ci iph->tot_len = htons(skb->len); 6162306a36Sopenharmony_ci ip_send_check(iph); 6262306a36Sopenharmony_ci 6362306a36Sopenharmony_ci if (xo && (xo->flags & XFRM_GRO)) { 6462306a36Sopenharmony_ci skb_mac_header_rebuild(skb); 6562306a36Sopenharmony_ci skb_reset_transport_header(skb); 6662306a36Sopenharmony_ci return 0; 6762306a36Sopenharmony_ci } 6862306a36Sopenharmony_ci 6962306a36Sopenharmony_ci NF_HOOK(NFPROTO_IPV4, NF_INET_PRE_ROUTING, 7062306a36Sopenharmony_ci dev_net(skb->dev), NULL, skb, skb->dev, NULL, 7162306a36Sopenharmony_ci xfrm4_rcv_encap_finish); 7262306a36Sopenharmony_ci return 0; 7362306a36Sopenharmony_ci} 7462306a36Sopenharmony_ci 7562306a36Sopenharmony_ci/* If it's a keepalive packet, then just eat it. 7662306a36Sopenharmony_ci * If it's an encapsulated packet, then pass it to the 7762306a36Sopenharmony_ci * IPsec xfrm input. 7862306a36Sopenharmony_ci * Returns 0 if skb passed to xfrm or was dropped. 7962306a36Sopenharmony_ci * Returns >0 if skb should be passed to UDP. 8062306a36Sopenharmony_ci * Returns <0 if skb should be resubmitted (-ret is protocol) 8162306a36Sopenharmony_ci */ 8262306a36Sopenharmony_ciint xfrm4_udp_encap_rcv(struct sock *sk, struct sk_buff *skb) 8362306a36Sopenharmony_ci{ 8462306a36Sopenharmony_ci struct udp_sock *up = udp_sk(sk); 8562306a36Sopenharmony_ci struct udphdr *uh; 8662306a36Sopenharmony_ci struct iphdr *iph; 8762306a36Sopenharmony_ci int iphlen, len; 8862306a36Sopenharmony_ci __u8 *udpdata; 8962306a36Sopenharmony_ci __be32 *udpdata32; 9062306a36Sopenharmony_ci u16 encap_type; 9162306a36Sopenharmony_ci 9262306a36Sopenharmony_ci encap_type = READ_ONCE(up->encap_type); 9362306a36Sopenharmony_ci /* if this is not encapsulated socket, then just return now */ 9462306a36Sopenharmony_ci if (!encap_type) 9562306a36Sopenharmony_ci return 1; 9662306a36Sopenharmony_ci 9762306a36Sopenharmony_ci /* If this is a paged skb, make sure we pull up 9862306a36Sopenharmony_ci * whatever data we need to look at. */ 9962306a36Sopenharmony_ci len = skb->len - sizeof(struct udphdr); 10062306a36Sopenharmony_ci if (!pskb_may_pull(skb, sizeof(struct udphdr) + min(len, 8))) 10162306a36Sopenharmony_ci return 1; 10262306a36Sopenharmony_ci 10362306a36Sopenharmony_ci /* Now we can get the pointers */ 10462306a36Sopenharmony_ci uh = udp_hdr(skb); 10562306a36Sopenharmony_ci udpdata = (__u8 *)uh + sizeof(struct udphdr); 10662306a36Sopenharmony_ci udpdata32 = (__be32 *)udpdata; 10762306a36Sopenharmony_ci 10862306a36Sopenharmony_ci switch (encap_type) { 10962306a36Sopenharmony_ci default: 11062306a36Sopenharmony_ci case UDP_ENCAP_ESPINUDP: 11162306a36Sopenharmony_ci /* Check if this is a keepalive packet. If so, eat it. */ 11262306a36Sopenharmony_ci if (len == 1 && udpdata[0] == 0xff) { 11362306a36Sopenharmony_ci goto drop; 11462306a36Sopenharmony_ci } else if (len > sizeof(struct ip_esp_hdr) && udpdata32[0] != 0) { 11562306a36Sopenharmony_ci /* ESP Packet without Non-ESP header */ 11662306a36Sopenharmony_ci len = sizeof(struct udphdr); 11762306a36Sopenharmony_ci } else 11862306a36Sopenharmony_ci /* Must be an IKE packet.. pass it through */ 11962306a36Sopenharmony_ci return 1; 12062306a36Sopenharmony_ci break; 12162306a36Sopenharmony_ci case UDP_ENCAP_ESPINUDP_NON_IKE: 12262306a36Sopenharmony_ci /* Check if this is a keepalive packet. If so, eat it. */ 12362306a36Sopenharmony_ci if (len == 1 && udpdata[0] == 0xff) { 12462306a36Sopenharmony_ci goto drop; 12562306a36Sopenharmony_ci } else if (len > 2 * sizeof(u32) + sizeof(struct ip_esp_hdr) && 12662306a36Sopenharmony_ci udpdata32[0] == 0 && udpdata32[1] == 0) { 12762306a36Sopenharmony_ci 12862306a36Sopenharmony_ci /* ESP Packet with Non-IKE marker */ 12962306a36Sopenharmony_ci len = sizeof(struct udphdr) + 2 * sizeof(u32); 13062306a36Sopenharmony_ci } else 13162306a36Sopenharmony_ci /* Must be an IKE packet.. pass it through */ 13262306a36Sopenharmony_ci return 1; 13362306a36Sopenharmony_ci break; 13462306a36Sopenharmony_ci } 13562306a36Sopenharmony_ci 13662306a36Sopenharmony_ci /* At this point we are sure that this is an ESPinUDP packet, 13762306a36Sopenharmony_ci * so we need to remove 'len' bytes from the packet (the UDP 13862306a36Sopenharmony_ci * header and optional ESP marker bytes) and then modify the 13962306a36Sopenharmony_ci * protocol to ESP, and then call into the transform receiver. 14062306a36Sopenharmony_ci */ 14162306a36Sopenharmony_ci if (skb_unclone(skb, GFP_ATOMIC)) 14262306a36Sopenharmony_ci goto drop; 14362306a36Sopenharmony_ci 14462306a36Sopenharmony_ci /* Now we can update and verify the packet length... */ 14562306a36Sopenharmony_ci iph = ip_hdr(skb); 14662306a36Sopenharmony_ci iphlen = iph->ihl << 2; 14762306a36Sopenharmony_ci iph->tot_len = htons(ntohs(iph->tot_len) - len); 14862306a36Sopenharmony_ci if (skb->len < iphlen + len) { 14962306a36Sopenharmony_ci /* packet is too small!?! */ 15062306a36Sopenharmony_ci goto drop; 15162306a36Sopenharmony_ci } 15262306a36Sopenharmony_ci 15362306a36Sopenharmony_ci /* pull the data buffer up to the ESP header and set the 15462306a36Sopenharmony_ci * transport header to point to ESP. Keep UDP on the stack 15562306a36Sopenharmony_ci * for later. 15662306a36Sopenharmony_ci */ 15762306a36Sopenharmony_ci __skb_pull(skb, len); 15862306a36Sopenharmony_ci skb_reset_transport_header(skb); 15962306a36Sopenharmony_ci 16062306a36Sopenharmony_ci /* process ESP */ 16162306a36Sopenharmony_ci return xfrm4_rcv_encap(skb, IPPROTO_ESP, 0, encap_type); 16262306a36Sopenharmony_ci 16362306a36Sopenharmony_cidrop: 16462306a36Sopenharmony_ci kfree_skb(skb); 16562306a36Sopenharmony_ci return 0; 16662306a36Sopenharmony_ci} 16762306a36Sopenharmony_ciEXPORT_SYMBOL(xfrm4_udp_encap_rcv); 16862306a36Sopenharmony_ci 16962306a36Sopenharmony_ciint xfrm4_rcv(struct sk_buff *skb) 17062306a36Sopenharmony_ci{ 17162306a36Sopenharmony_ci return xfrm4_rcv_spi(skb, ip_hdr(skb)->protocol, 0); 17262306a36Sopenharmony_ci} 17362306a36Sopenharmony_ciEXPORT_SYMBOL(xfrm4_rcv); 174