Commit 0146dca7 authored by Sabrina Dubroca's avatar Sabrina Dubroca Committed by Steffen Klassert

xfrm: add support for UDPv6 encapsulation of ESP

This patch adds support for encapsulation of ESP over UDPv6. The code
is very similar to the IPv4 encapsulation implementation, and allows
to easily add espintcp on IPv6 as a follow-up.
Signed-off-by: default avatarSabrina Dubroca <sd@queasysnail.net>
Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
parent e62905ae
...@@ -56,6 +56,9 @@ struct ipv6_stub { ...@@ -56,6 +56,9 @@ struct ipv6_stub {
void (*ndisc_send_na)(struct net_device *dev, const struct in6_addr *daddr, void (*ndisc_send_na)(struct net_device *dev, const struct in6_addr *daddr,
const struct in6_addr *solicited_addr, const struct in6_addr *solicited_addr,
bool router, bool solicited, bool override, bool inc_opt); bool router, bool solicited, bool override, bool inc_opt);
#if IS_ENABLED(CONFIG_XFRM)
int (*xfrm6_udp_encap_rcv)(struct sock *sk, struct sk_buff *skb);
#endif
struct neigh_table *nd_tbl; struct neigh_table *nd_tbl;
}; };
extern const struct ipv6_stub *ipv6_stub __read_mostly; extern const struct ipv6_stub *ipv6_stub __read_mostly;
......
...@@ -1406,6 +1406,8 @@ struct xfrm4_protocol { ...@@ -1406,6 +1406,8 @@ struct xfrm4_protocol {
struct xfrm6_protocol { struct xfrm6_protocol {
int (*handler)(struct sk_buff *skb); int (*handler)(struct sk_buff *skb);
int (*input_handler)(struct sk_buff *skb, int nexthdr, __be32 spi,
int encap_type);
int (*cb_handler)(struct sk_buff *skb, int err); int (*cb_handler)(struct sk_buff *skb, int err);
int (*err_handler)(struct sk_buff *skb, struct inet6_skb_parm *opt, int (*err_handler)(struct sk_buff *skb, struct inet6_skb_parm *opt,
u8 type, u8 code, int offset, __be32 info); u8 type, u8 code, int offset, __be32 info);
...@@ -1590,6 +1592,8 @@ int xfrm6_extract_header(struct sk_buff *skb); ...@@ -1590,6 +1592,8 @@ int xfrm6_extract_header(struct sk_buff *skb);
int xfrm6_extract_input(struct xfrm_state *x, struct sk_buff *skb); int xfrm6_extract_input(struct xfrm_state *x, struct sk_buff *skb);
int xfrm6_rcv_spi(struct sk_buff *skb, int nexthdr, __be32 spi, int xfrm6_rcv_spi(struct sk_buff *skb, int nexthdr, __be32 spi,
struct ip6_tnl *t); struct ip6_tnl *t);
int xfrm6_rcv_encap(struct sk_buff *skb, int nexthdr, __be32 spi,
int encap_type);
int xfrm6_transport_finish(struct sk_buff *skb, int async); int xfrm6_transport_finish(struct sk_buff *skb, int async);
int xfrm6_rcv_tnl(struct sk_buff *skb, struct ip6_tnl *t); int xfrm6_rcv_tnl(struct sk_buff *skb, struct ip6_tnl *t);
int xfrm6_rcv(struct sk_buff *skb); int xfrm6_rcv(struct sk_buff *skb);
...@@ -1610,6 +1614,7 @@ int xfrm6_find_1stfragopt(struct xfrm_state *x, struct sk_buff *skb, ...@@ -1610,6 +1614,7 @@ int xfrm6_find_1stfragopt(struct xfrm_state *x, struct sk_buff *skb,
#ifdef CONFIG_XFRM #ifdef CONFIG_XFRM
int xfrm4_udp_encap_rcv(struct sock *sk, struct sk_buff *skb); int xfrm4_udp_encap_rcv(struct sock *sk, struct sk_buff *skb);
int xfrm6_udp_encap_rcv(struct sock *sk, struct sk_buff *skb);
int xfrm_user_policy(struct sock *sk, int optname, int xfrm_user_policy(struct sock *sk, int optname,
u8 __user *optval, int optlen); u8 __user *optval, int optlen);
#else #else
......
...@@ -112,6 +112,9 @@ ...@@ -112,6 +112,9 @@
#include <net/sock_reuseport.h> #include <net/sock_reuseport.h>
#include <net/addrconf.h> #include <net/addrconf.h>
#include <net/udp_tunnel.h> #include <net/udp_tunnel.h>
#if IS_ENABLED(CONFIG_IPV6)
#include <net/ipv6_stubs.h>
#endif
struct udp_table udp_table __read_mostly; struct udp_table udp_table __read_mostly;
EXPORT_SYMBOL(udp_table); EXPORT_SYMBOL(udp_table);
...@@ -2563,7 +2566,12 @@ int udp_lib_setsockopt(struct sock *sk, int level, int optname, ...@@ -2563,7 +2566,12 @@ int udp_lib_setsockopt(struct sock *sk, int level, int optname,
#ifdef CONFIG_XFRM #ifdef CONFIG_XFRM
case UDP_ENCAP_ESPINUDP: case UDP_ENCAP_ESPINUDP:
case UDP_ENCAP_ESPINUDP_NON_IKE: case UDP_ENCAP_ESPINUDP_NON_IKE:
up->encap_rcv = xfrm4_udp_encap_rcv; #if IS_ENABLED(CONFIG_IPV6)
if (sk->sk_family == AF_INET6)
up->encap_rcv = ipv6_stub->xfrm6_udp_encap_rcv;
else
#endif
up->encap_rcv = xfrm4_udp_encap_rcv;
#endif #endif
fallthrough; fallthrough;
case UDP_ENCAP_L2TPINUDP: case UDP_ENCAP_L2TPINUDP:
......
...@@ -60,6 +60,7 @@ ...@@ -60,6 +60,7 @@
#include <net/calipso.h> #include <net/calipso.h>
#include <net/seg6.h> #include <net/seg6.h>
#include <net/rpl.h> #include <net/rpl.h>
#include <net/xfrm.h>
#include <linux/uaccess.h> #include <linux/uaccess.h>
#include <linux/mroute6.h> #include <linux/mroute6.h>
...@@ -961,6 +962,9 @@ static const struct ipv6_stub ipv6_stub_impl = { ...@@ -961,6 +962,9 @@ static const struct ipv6_stub ipv6_stub_impl = {
.ip6_del_rt = ip6_del_rt, .ip6_del_rt = ip6_del_rt,
.udpv6_encap_enable = udpv6_encap_enable, .udpv6_encap_enable = udpv6_encap_enable,
.ndisc_send_na = ndisc_send_na, .ndisc_send_na = ndisc_send_na,
#if IS_ENABLED(CONFIG_XFRM)
.xfrm6_udp_encap_rcv = xfrm6_udp_encap_rcv,
#endif
.nd_tbl = &nd_tbl, .nd_tbl = &nd_tbl,
}; };
......
...@@ -767,6 +767,7 @@ static const struct xfrm_type ah6_type = { ...@@ -767,6 +767,7 @@ static const struct xfrm_type ah6_type = {
static struct xfrm6_protocol ah6_protocol = { static struct xfrm6_protocol ah6_protocol = {
.handler = xfrm6_rcv, .handler = xfrm6_rcv,
.input_handler = xfrm_input,
.cb_handler = ah6_rcv_cb, .cb_handler = ah6_rcv_cb,
.err_handler = ah6_err, .err_handler = ah6_err,
.priority = 0, .priority = 0,
......
This diff is collapsed.
...@@ -271,7 +271,6 @@ static int esp6_xmit(struct xfrm_state *x, struct sk_buff *skb, netdev_features ...@@ -271,7 +271,6 @@ static int esp6_xmit(struct xfrm_state *x, struct sk_buff *skb, netdev_features
int alen; int alen;
int blksize; int blksize;
struct xfrm_offload *xo; struct xfrm_offload *xo;
struct ip_esp_hdr *esph;
struct crypto_aead *aead; struct crypto_aead *aead;
struct esp_info esp; struct esp_info esp;
bool hw_offload = true; bool hw_offload = true;
...@@ -312,13 +311,13 @@ static int esp6_xmit(struct xfrm_state *x, struct sk_buff *skb, netdev_features ...@@ -312,13 +311,13 @@ static int esp6_xmit(struct xfrm_state *x, struct sk_buff *skb, netdev_features
seq = xo->seq.low; seq = xo->seq.low;
esph = ip_esp_hdr(skb); esp.esph = ip_esp_hdr(skb);
esph->spi = x->id.spi; esp.esph->spi = x->id.spi;
skb_push(skb, -skb_network_offset(skb)); skb_push(skb, -skb_network_offset(skb));
if (xo->flags & XFRM_GSO_SEGMENT) { if (xo->flags & XFRM_GSO_SEGMENT) {
esph->seq_no = htonl(seq); esp.esph->seq_no = htonl(seq);
if (!skb_is_gso(skb)) if (!skb_is_gso(skb))
xo->seq.low++; xo->seq.low++;
......
...@@ -296,7 +296,8 @@ static void vti6_dev_uninit(struct net_device *dev) ...@@ -296,7 +296,8 @@ static void vti6_dev_uninit(struct net_device *dev)
dev_put(dev); dev_put(dev);
} }
static int vti6_rcv(struct sk_buff *skb) static int vti6_input_proto(struct sk_buff *skb, int nexthdr, __be32 spi,
int encap_type)
{ {
struct ip6_tnl *t; struct ip6_tnl *t;
const struct ipv6hdr *ipv6h = ipv6_hdr(skb); const struct ipv6hdr *ipv6h = ipv6_hdr(skb);
...@@ -323,7 +324,10 @@ static int vti6_rcv(struct sk_buff *skb) ...@@ -323,7 +324,10 @@ static int vti6_rcv(struct sk_buff *skb)
rcu_read_unlock(); rcu_read_unlock();
return xfrm6_rcv_tnl(skb, t); XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip6 = t;
XFRM_SPI_SKB_CB(skb)->family = AF_INET6;
XFRM_SPI_SKB_CB(skb)->daddroff = offsetof(struct ipv6hdr, daddr);
return xfrm_input(skb, nexthdr, spi, encap_type);
} }
rcu_read_unlock(); rcu_read_unlock();
return -EINVAL; return -EINVAL;
...@@ -332,6 +336,13 @@ static int vti6_rcv(struct sk_buff *skb) ...@@ -332,6 +336,13 @@ static int vti6_rcv(struct sk_buff *skb)
return 0; return 0;
} }
static int vti6_rcv(struct sk_buff *skb)
{
int nexthdr = skb_network_header(skb)[IP6CB(skb)->nhoff];
return vti6_input_proto(skb, nexthdr, 0, 0);
}
static int vti6_rcv_cb(struct sk_buff *skb, int err) static int vti6_rcv_cb(struct sk_buff *skb, int err)
{ {
unsigned short family; unsigned short family;
...@@ -1185,6 +1196,7 @@ static struct pernet_operations vti6_net_ops = { ...@@ -1185,6 +1196,7 @@ static struct pernet_operations vti6_net_ops = {
static struct xfrm6_protocol vti_esp6_protocol __read_mostly = { static struct xfrm6_protocol vti_esp6_protocol __read_mostly = {
.handler = vti6_rcv, .handler = vti6_rcv,
.input_handler = vti6_input_proto,
.cb_handler = vti6_rcv_cb, .cb_handler = vti6_rcv_cb,
.err_handler = vti6_err, .err_handler = vti6_err,
.priority = 100, .priority = 100,
...@@ -1192,6 +1204,7 @@ static struct xfrm6_protocol vti_esp6_protocol __read_mostly = { ...@@ -1192,6 +1204,7 @@ static struct xfrm6_protocol vti_esp6_protocol __read_mostly = {
static struct xfrm6_protocol vti_ah6_protocol __read_mostly = { static struct xfrm6_protocol vti_ah6_protocol __read_mostly = {
.handler = vti6_rcv, .handler = vti6_rcv,
.input_handler = vti6_input_proto,
.cb_handler = vti6_rcv_cb, .cb_handler = vti6_rcv_cb,
.err_handler = vti6_err, .err_handler = vti6_err,
.priority = 100, .priority = 100,
...@@ -1199,6 +1212,7 @@ static struct xfrm6_protocol vti_ah6_protocol __read_mostly = { ...@@ -1199,6 +1212,7 @@ static struct xfrm6_protocol vti_ah6_protocol __read_mostly = {
static struct xfrm6_protocol vti_ipcomp6_protocol __read_mostly = { static struct xfrm6_protocol vti_ipcomp6_protocol __read_mostly = {
.handler = vti6_rcv, .handler = vti6_rcv,
.input_handler = vti6_input_proto,
.cb_handler = vti6_rcv_cb, .cb_handler = vti6_rcv_cb,
.err_handler = vti6_err, .err_handler = vti6_err,
.priority = 100, .priority = 100,
......
...@@ -183,6 +183,7 @@ static const struct xfrm_type ipcomp6_type = { ...@@ -183,6 +183,7 @@ static const struct xfrm_type ipcomp6_type = {
static struct xfrm6_protocol ipcomp6_protocol = { static struct xfrm6_protocol ipcomp6_protocol = {
.handler = xfrm6_rcv, .handler = xfrm6_rcv,
.input_handler = xfrm_input,
.cb_handler = ipcomp6_rcv_cb, .cb_handler = ipcomp6_rcv_cb,
.err_handler = ipcomp6_err, .err_handler = ipcomp6_err,
.priority = 0, .priority = 0,
......
...@@ -35,9 +35,12 @@ EXPORT_SYMBOL(xfrm6_rcv_spi); ...@@ -35,9 +35,12 @@ EXPORT_SYMBOL(xfrm6_rcv_spi);
static int xfrm6_transport_finish2(struct net *net, struct sock *sk, static int xfrm6_transport_finish2(struct net *net, struct sock *sk,
struct sk_buff *skb) struct sk_buff *skb)
{ {
if (xfrm_trans_queue(skb, ip6_rcv_finish)) if (xfrm_trans_queue(skb, ip6_rcv_finish)) {
__kfree_skb(skb); kfree_skb(skb);
return -1; return NET_RX_DROP;
}
return 0;
} }
int xfrm6_transport_finish(struct sk_buff *skb, int async) int xfrm6_transport_finish(struct sk_buff *skb, int async)
...@@ -60,13 +63,106 @@ int xfrm6_transport_finish(struct sk_buff *skb, int async) ...@@ -60,13 +63,106 @@ int xfrm6_transport_finish(struct sk_buff *skb, int async)
if (xo && (xo->flags & XFRM_GRO)) { if (xo && (xo->flags & XFRM_GRO)) {
skb_mac_header_rebuild(skb); skb_mac_header_rebuild(skb);
skb_reset_transport_header(skb); skb_reset_transport_header(skb);
return -1; return 0;
} }
NF_HOOK(NFPROTO_IPV6, NF_INET_PRE_ROUTING, NF_HOOK(NFPROTO_IPV6, NF_INET_PRE_ROUTING,
dev_net(skb->dev), NULL, skb, skb->dev, NULL, dev_net(skb->dev), NULL, skb, skb->dev, NULL,
xfrm6_transport_finish2); xfrm6_transport_finish2);
return -1; return 0;
}
/* If it's a keepalive packet, then just eat it.
* If it's an encapsulated packet, then pass it to the
* IPsec xfrm input.
* Returns 0 if skb passed to xfrm or was dropped.
* Returns >0 if skb should be passed to UDP.
* Returns <0 if skb should be resubmitted (-ret is protocol)
*/
int xfrm6_udp_encap_rcv(struct sock *sk, struct sk_buff *skb)
{
struct udp_sock *up = udp_sk(sk);
struct udphdr *uh;
struct ipv6hdr *ip6h;
int len;
int ip6hlen = sizeof(struct ipv6hdr);
__u8 *udpdata;
__be32 *udpdata32;
__u16 encap_type = up->encap_type;
/* if this is not encapsulated socket, then just return now */
if (!encap_type)
return 1;
/* If this is a paged skb, make sure we pull up
* whatever data we need to look at. */
len = skb->len - sizeof(struct udphdr);
if (!pskb_may_pull(skb, sizeof(struct udphdr) + min(len, 8)))
return 1;
/* Now we can get the pointers */
uh = udp_hdr(skb);
udpdata = (__u8 *)uh + sizeof(struct udphdr);
udpdata32 = (__be32 *)udpdata;
switch (encap_type) {
default:
case UDP_ENCAP_ESPINUDP:
/* Check if this is a keepalive packet. If so, eat it. */
if (len == 1 && udpdata[0] == 0xff) {
goto drop;
} else if (len > sizeof(struct ip_esp_hdr) && udpdata32[0] != 0) {
/* ESP Packet without Non-ESP header */
len = sizeof(struct udphdr);
} else
/* Must be an IKE packet.. pass it through */
return 1;
break;
case UDP_ENCAP_ESPINUDP_NON_IKE:
/* Check if this is a keepalive packet. If so, eat it. */
if (len == 1 && udpdata[0] == 0xff) {
goto drop;
} else if (len > 2 * sizeof(u32) + sizeof(struct ip_esp_hdr) &&
udpdata32[0] == 0 && udpdata32[1] == 0) {
/* ESP Packet with Non-IKE marker */
len = sizeof(struct udphdr) + 2 * sizeof(u32);
} else
/* Must be an IKE packet.. pass it through */
return 1;
break;
}
/* At this point we are sure that this is an ESPinUDP packet,
* so we need to remove 'len' bytes from the packet (the UDP
* header and optional ESP marker bytes) and then modify the
* protocol to ESP, and then call into the transform receiver.
*/
if (skb_unclone(skb, GFP_ATOMIC))
goto drop;
/* Now we can update and verify the packet length... */
ip6h = ipv6_hdr(skb);
ip6h->payload_len = htons(ntohs(ip6h->payload_len) - len);
if (skb->len < ip6hlen + len) {
/* packet is too small!?! */
goto drop;
}
/* pull the data buffer up to the ESP header and set the
* transport header to point to ESP. Keep UDP on the stack
* for later.
*/
__skb_pull(skb, len);
skb_reset_transport_header(skb);
/* process ESP */
return xfrm6_rcv_encap(skb, IPPROTO_ESP, 0, encap_type);
drop:
kfree_skb(skb);
return 0;
} }
int xfrm6_rcv_tnl(struct sk_buff *skb, struct ip6_tnl *t) int xfrm6_rcv_tnl(struct sk_buff *skb, struct ip6_tnl *t)
......
...@@ -14,6 +14,7 @@ ...@@ -14,6 +14,7 @@
#include <linux/mutex.h> #include <linux/mutex.h>
#include <linux/skbuff.h> #include <linux/skbuff.h>
#include <linux/icmpv6.h> #include <linux/icmpv6.h>
#include <net/ip6_route.h>
#include <net/ipv6.h> #include <net/ipv6.h>
#include <net/protocol.h> #include <net/protocol.h>
#include <net/xfrm.h> #include <net/xfrm.h>
...@@ -58,6 +59,53 @@ static int xfrm6_rcv_cb(struct sk_buff *skb, u8 protocol, int err) ...@@ -58,6 +59,53 @@ static int xfrm6_rcv_cb(struct sk_buff *skb, u8 protocol, int err)
return 0; return 0;
} }
int xfrm6_rcv_encap(struct sk_buff *skb, int nexthdr, __be32 spi,
int encap_type)
{
int ret;
struct xfrm6_protocol *handler;
struct xfrm6_protocol __rcu **head = proto_handlers(nexthdr);
XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip6 = NULL;
XFRM_SPI_SKB_CB(skb)->family = AF_INET6;
XFRM_SPI_SKB_CB(skb)->daddroff = offsetof(struct ipv6hdr, daddr);
if (!head)
goto out;
if (!skb_dst(skb)) {
const struct ipv6hdr *ip6h = ipv6_hdr(skb);
int flags = RT6_LOOKUP_F_HAS_SADDR;
struct dst_entry *dst;
struct flowi6 fl6 = {
.flowi6_iif = skb->dev->ifindex,
.daddr = ip6h->daddr,
.saddr = ip6h->saddr,
.flowlabel = ip6_flowinfo(ip6h),
.flowi6_mark = skb->mark,
.flowi6_proto = ip6h->nexthdr,
};
dst = ip6_route_input_lookup(dev_net(skb->dev), skb->dev, &fl6,
skb, flags);
if (dst->error)
goto drop;
skb_dst_set(skb, dst);
}
for_each_protocol_rcu(*head, handler)
if ((ret = handler->input_handler(skb, nexthdr, spi, encap_type)) != -EINVAL)
return ret;
out:
icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_PORT_UNREACH, 0);
drop:
kfree_skb(skb);
return 0;
}
EXPORT_SYMBOL(xfrm6_rcv_encap);
static int xfrm6_esp_rcv(struct sk_buff *skb) static int xfrm6_esp_rcv(struct sk_buff *skb)
{ {
int ret; int ret;
......
...@@ -755,6 +755,7 @@ static struct pernet_operations xfrmi_net_ops = { ...@@ -755,6 +755,7 @@ static struct pernet_operations xfrmi_net_ops = {
static struct xfrm6_protocol xfrmi_esp6_protocol __read_mostly = { static struct xfrm6_protocol xfrmi_esp6_protocol __read_mostly = {
.handler = xfrm6_rcv, .handler = xfrm6_rcv,
.input_handler = xfrm_input,
.cb_handler = xfrmi_rcv_cb, .cb_handler = xfrmi_rcv_cb,
.err_handler = xfrmi6_err, .err_handler = xfrmi6_err,
.priority = 10, .priority = 10,
...@@ -762,6 +763,7 @@ static struct xfrm6_protocol xfrmi_esp6_protocol __read_mostly = { ...@@ -762,6 +763,7 @@ static struct xfrm6_protocol xfrmi_esp6_protocol __read_mostly = {
static struct xfrm6_protocol xfrmi_ah6_protocol __read_mostly = { static struct xfrm6_protocol xfrmi_ah6_protocol __read_mostly = {
.handler = xfrm6_rcv, .handler = xfrm6_rcv,
.input_handler = xfrm_input,
.cb_handler = xfrmi_rcv_cb, .cb_handler = xfrmi_rcv_cb,
.err_handler = xfrmi6_err, .err_handler = xfrmi6_err,
.priority = 10, .priority = 10,
...@@ -769,6 +771,7 @@ static struct xfrm6_protocol xfrmi_ah6_protocol __read_mostly = { ...@@ -769,6 +771,7 @@ static struct xfrm6_protocol xfrmi_ah6_protocol __read_mostly = {
static struct xfrm6_protocol xfrmi_ipcomp6_protocol __read_mostly = { static struct xfrm6_protocol xfrmi_ipcomp6_protocol __read_mostly = {
.handler = xfrm6_rcv, .handler = xfrm6_rcv,
.input_handler = xfrm_input,
.cb_handler = xfrmi_rcv_cb, .cb_handler = xfrmi_rcv_cb,
.err_handler = xfrmi6_err, .err_handler = xfrmi6_err,
.priority = 10, .priority = 10,
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment