mirror of
https://github.com/AuxXxilium/linux_dsm_epyc7002.git
synced 2024-11-24 14:51:00 +07:00
afeb14b490
This patch adds a number of new IPsec audit events to meet the auditing requirements of RFC4303. This includes audit hooks for the following events: * Could not find a valid SA [sections 2.1, 3.4.2] . xfrm_audit_state_notfound() . xfrm_audit_state_notfound_simple() * Sequence number overflow [section 3.3.3] . xfrm_audit_state_replay_overflow() * Replayed packet [section 3.4.3] . xfrm_audit_state_replay() * Integrity check failure [sections 3.4.4.1, 3.4.4.2] . xfrm_audit_state_icvfail() While RFC4304 deals only with ESP most of the changes in this patch apply to IPsec in general, i.e. both AH and ESP. The one case, integrity check failure, where ESP specific code had to be modified the same was done to the AH code for the sake of consistency. Signed-off-by: Paul Moore <paul.moore@hp.com> Acked-by: James Morris <jmorris@namei.org> Signed-off-by: David S. Miller <davem@davemloft.net>
349 lines
7.6 KiB
C
349 lines
7.6 KiB
C
#include <linux/err.h>
|
|
#include <linux/module.h>
|
|
#include <net/ip.h>
|
|
#include <net/xfrm.h>
|
|
#include <net/ah.h>
|
|
#include <linux/crypto.h>
|
|
#include <linux/pfkeyv2.h>
|
|
#include <linux/spinlock.h>
|
|
#include <net/icmp.h>
|
|
#include <net/protocol.h>
|
|
|
|
|
|
/* Clear mutable options and find final destination to substitute
|
|
* into IP header for icv calculation. Options are already checked
|
|
* for validity, so paranoia is not required. */
|
|
|
|
static int ip_clear_mutable_options(struct iphdr *iph, __be32 *daddr)
|
|
{
|
|
unsigned char * optptr = (unsigned char*)(iph+1);
|
|
int l = iph->ihl*4 - sizeof(struct iphdr);
|
|
int optlen;
|
|
|
|
while (l > 0) {
|
|
switch (*optptr) {
|
|
case IPOPT_END:
|
|
return 0;
|
|
case IPOPT_NOOP:
|
|
l--;
|
|
optptr++;
|
|
continue;
|
|
}
|
|
optlen = optptr[1];
|
|
if (optlen<2 || optlen>l)
|
|
return -EINVAL;
|
|
switch (*optptr) {
|
|
case IPOPT_SEC:
|
|
case 0x85: /* Some "Extended Security" crap. */
|
|
case IPOPT_CIPSO:
|
|
case IPOPT_RA:
|
|
case 0x80|21: /* RFC1770 */
|
|
break;
|
|
case IPOPT_LSRR:
|
|
case IPOPT_SSRR:
|
|
if (optlen < 6)
|
|
return -EINVAL;
|
|
memcpy(daddr, optptr+optlen-4, 4);
|
|
/* Fall through */
|
|
default:
|
|
memset(optptr, 0, optlen);
|
|
}
|
|
l -= optlen;
|
|
optptr += optlen;
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
static int ah_output(struct xfrm_state *x, struct sk_buff *skb)
|
|
{
|
|
int err;
|
|
struct iphdr *iph, *top_iph;
|
|
struct ip_auth_hdr *ah;
|
|
struct ah_data *ahp;
|
|
union {
|
|
struct iphdr iph;
|
|
char buf[60];
|
|
} tmp_iph;
|
|
|
|
skb_push(skb, -skb_network_offset(skb));
|
|
top_iph = ip_hdr(skb);
|
|
iph = &tmp_iph.iph;
|
|
|
|
iph->tos = top_iph->tos;
|
|
iph->ttl = top_iph->ttl;
|
|
iph->frag_off = top_iph->frag_off;
|
|
|
|
if (top_iph->ihl != 5) {
|
|
iph->daddr = top_iph->daddr;
|
|
memcpy(iph+1, top_iph+1, top_iph->ihl*4 - sizeof(struct iphdr));
|
|
err = ip_clear_mutable_options(top_iph, &top_iph->daddr);
|
|
if (err)
|
|
goto error;
|
|
}
|
|
|
|
ah = ip_auth_hdr(skb);
|
|
ah->nexthdr = *skb_mac_header(skb);
|
|
*skb_mac_header(skb) = IPPROTO_AH;
|
|
|
|
top_iph->tos = 0;
|
|
top_iph->tot_len = htons(skb->len);
|
|
top_iph->frag_off = 0;
|
|
top_iph->ttl = 0;
|
|
top_iph->check = 0;
|
|
|
|
ahp = x->data;
|
|
ah->hdrlen = (XFRM_ALIGN8(sizeof(*ah) + ahp->icv_trunc_len) >> 2) - 2;
|
|
|
|
ah->reserved = 0;
|
|
ah->spi = x->id.spi;
|
|
ah->seq_no = htonl(XFRM_SKB_CB(skb)->seq);
|
|
|
|
spin_lock_bh(&x->lock);
|
|
err = ah_mac_digest(ahp, skb, ah->auth_data);
|
|
memcpy(ah->auth_data, ahp->work_icv, ahp->icv_trunc_len);
|
|
spin_unlock_bh(&x->lock);
|
|
|
|
if (err)
|
|
goto error;
|
|
|
|
top_iph->tos = iph->tos;
|
|
top_iph->ttl = iph->ttl;
|
|
top_iph->frag_off = iph->frag_off;
|
|
if (top_iph->ihl != 5) {
|
|
top_iph->daddr = iph->daddr;
|
|
memcpy(top_iph+1, iph+1, top_iph->ihl*4 - sizeof(struct iphdr));
|
|
}
|
|
|
|
err = 0;
|
|
|
|
error:
|
|
return err;
|
|
}
|
|
|
|
static int ah_input(struct xfrm_state *x, struct sk_buff *skb)
|
|
{
|
|
int ah_hlen;
|
|
int ihl;
|
|
int nexthdr;
|
|
int err = -EINVAL;
|
|
struct iphdr *iph;
|
|
struct ip_auth_hdr *ah;
|
|
struct ah_data *ahp;
|
|
char work_buf[60];
|
|
|
|
if (!pskb_may_pull(skb, sizeof(*ah)))
|
|
goto out;
|
|
|
|
ah = (struct ip_auth_hdr *)skb->data;
|
|
ahp = x->data;
|
|
nexthdr = ah->nexthdr;
|
|
ah_hlen = (ah->hdrlen + 2) << 2;
|
|
|
|
if (ah_hlen != XFRM_ALIGN8(sizeof(*ah) + ahp->icv_full_len) &&
|
|
ah_hlen != XFRM_ALIGN8(sizeof(*ah) + ahp->icv_trunc_len))
|
|
goto out;
|
|
|
|
if (!pskb_may_pull(skb, ah_hlen))
|
|
goto out;
|
|
|
|
/* We are going to _remove_ AH header to keep sockets happy,
|
|
* so... Later this can change. */
|
|
if (skb_cloned(skb) &&
|
|
pskb_expand_head(skb, 0, 0, GFP_ATOMIC))
|
|
goto out;
|
|
|
|
skb->ip_summed = CHECKSUM_NONE;
|
|
|
|
ah = (struct ip_auth_hdr *)skb->data;
|
|
iph = ip_hdr(skb);
|
|
|
|
ihl = skb->data - skb_network_header(skb);
|
|
memcpy(work_buf, iph, ihl);
|
|
|
|
iph->ttl = 0;
|
|
iph->tos = 0;
|
|
iph->frag_off = 0;
|
|
iph->check = 0;
|
|
if (ihl > sizeof(*iph)) {
|
|
__be32 dummy;
|
|
if (ip_clear_mutable_options(iph, &dummy))
|
|
goto out;
|
|
}
|
|
|
|
spin_lock(&x->lock);
|
|
{
|
|
u8 auth_data[MAX_AH_AUTH_LEN];
|
|
|
|
memcpy(auth_data, ah->auth_data, ahp->icv_trunc_len);
|
|
skb_push(skb, ihl);
|
|
err = ah_mac_digest(ahp, skb, ah->auth_data);
|
|
if (err)
|
|
goto unlock;
|
|
if (memcmp(ahp->work_icv, auth_data, ahp->icv_trunc_len)) {
|
|
xfrm_audit_state_icvfail(x, skb, IPPROTO_AH);
|
|
err = -EBADMSG;
|
|
}
|
|
}
|
|
unlock:
|
|
spin_unlock(&x->lock);
|
|
|
|
if (err)
|
|
goto out;
|
|
|
|
skb->network_header += ah_hlen;
|
|
memcpy(skb_network_header(skb), work_buf, ihl);
|
|
skb->transport_header = skb->network_header;
|
|
__skb_pull(skb, ah_hlen + ihl);
|
|
|
|
return nexthdr;
|
|
|
|
out:
|
|
return err;
|
|
}
|
|
|
|
static void ah4_err(struct sk_buff *skb, u32 info)
|
|
{
|
|
struct iphdr *iph = (struct iphdr*)skb->data;
|
|
struct ip_auth_hdr *ah = (struct ip_auth_hdr*)(skb->data+(iph->ihl<<2));
|
|
struct xfrm_state *x;
|
|
|
|
if (icmp_hdr(skb)->type != ICMP_DEST_UNREACH ||
|
|
icmp_hdr(skb)->code != ICMP_FRAG_NEEDED)
|
|
return;
|
|
|
|
x = xfrm_state_lookup((xfrm_address_t *)&iph->daddr, ah->spi, IPPROTO_AH, AF_INET);
|
|
if (!x)
|
|
return;
|
|
printk(KERN_DEBUG "pmtu discovery on SA AH/%08x/%08x\n",
|
|
ntohl(ah->spi), ntohl(iph->daddr));
|
|
xfrm_state_put(x);
|
|
}
|
|
|
|
static int ah_init_state(struct xfrm_state *x)
|
|
{
|
|
struct ah_data *ahp = NULL;
|
|
struct xfrm_algo_desc *aalg_desc;
|
|
struct crypto_hash *tfm;
|
|
|
|
if (!x->aalg)
|
|
goto error;
|
|
|
|
if (x->encap)
|
|
goto error;
|
|
|
|
ahp = kzalloc(sizeof(*ahp), GFP_KERNEL);
|
|
if (ahp == NULL)
|
|
return -ENOMEM;
|
|
|
|
tfm = crypto_alloc_hash(x->aalg->alg_name, 0, CRYPTO_ALG_ASYNC);
|
|
if (IS_ERR(tfm))
|
|
goto error;
|
|
|
|
ahp->tfm = tfm;
|
|
if (crypto_hash_setkey(tfm, x->aalg->alg_key,
|
|
(x->aalg->alg_key_len + 7) / 8))
|
|
goto error;
|
|
|
|
/*
|
|
* Lookup the algorithm description maintained by xfrm_algo,
|
|
* verify crypto transform properties, and store information
|
|
* we need for AH processing. This lookup cannot fail here
|
|
* after a successful crypto_alloc_hash().
|
|
*/
|
|
aalg_desc = xfrm_aalg_get_byname(x->aalg->alg_name, 0);
|
|
BUG_ON(!aalg_desc);
|
|
|
|
if (aalg_desc->uinfo.auth.icv_fullbits/8 !=
|
|
crypto_hash_digestsize(tfm)) {
|
|
printk(KERN_INFO "AH: %s digestsize %u != %hu\n",
|
|
x->aalg->alg_name, crypto_hash_digestsize(tfm),
|
|
aalg_desc->uinfo.auth.icv_fullbits/8);
|
|
goto error;
|
|
}
|
|
|
|
ahp->icv_full_len = aalg_desc->uinfo.auth.icv_fullbits/8;
|
|
ahp->icv_trunc_len = aalg_desc->uinfo.auth.icv_truncbits/8;
|
|
|
|
BUG_ON(ahp->icv_trunc_len > MAX_AH_AUTH_LEN);
|
|
|
|
ahp->work_icv = kmalloc(ahp->icv_full_len, GFP_KERNEL);
|
|
if (!ahp->work_icv)
|
|
goto error;
|
|
|
|
x->props.header_len = XFRM_ALIGN8(sizeof(struct ip_auth_hdr) +
|
|
ahp->icv_trunc_len);
|
|
if (x->props.mode == XFRM_MODE_TUNNEL)
|
|
x->props.header_len += sizeof(struct iphdr);
|
|
x->data = ahp;
|
|
|
|
return 0;
|
|
|
|
error:
|
|
if (ahp) {
|
|
kfree(ahp->work_icv);
|
|
crypto_free_hash(ahp->tfm);
|
|
kfree(ahp);
|
|
}
|
|
return -EINVAL;
|
|
}
|
|
|
|
static void ah_destroy(struct xfrm_state *x)
|
|
{
|
|
struct ah_data *ahp = x->data;
|
|
|
|
if (!ahp)
|
|
return;
|
|
|
|
kfree(ahp->work_icv);
|
|
ahp->work_icv = NULL;
|
|
crypto_free_hash(ahp->tfm);
|
|
ahp->tfm = NULL;
|
|
kfree(ahp);
|
|
}
|
|
|
|
|
|
static struct xfrm_type ah_type =
|
|
{
|
|
.description = "AH4",
|
|
.owner = THIS_MODULE,
|
|
.proto = IPPROTO_AH,
|
|
.flags = XFRM_TYPE_REPLAY_PROT,
|
|
.init_state = ah_init_state,
|
|
.destructor = ah_destroy,
|
|
.input = ah_input,
|
|
.output = ah_output
|
|
};
|
|
|
|
static struct net_protocol ah4_protocol = {
|
|
.handler = xfrm4_rcv,
|
|
.err_handler = ah4_err,
|
|
.no_policy = 1,
|
|
};
|
|
|
|
static int __init ah4_init(void)
|
|
{
|
|
if (xfrm_register_type(&ah_type, AF_INET) < 0) {
|
|
printk(KERN_INFO "ip ah init: can't add xfrm type\n");
|
|
return -EAGAIN;
|
|
}
|
|
if (inet_add_protocol(&ah4_protocol, IPPROTO_AH) < 0) {
|
|
printk(KERN_INFO "ip ah init: can't add protocol\n");
|
|
xfrm_unregister_type(&ah_type, AF_INET);
|
|
return -EAGAIN;
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
static void __exit ah4_fini(void)
|
|
{
|
|
if (inet_del_protocol(&ah4_protocol, IPPROTO_AH) < 0)
|
|
printk(KERN_INFO "ip ah close: can't remove protocol\n");
|
|
if (xfrm_unregister_type(&ah_type, AF_INET) < 0)
|
|
printk(KERN_INFO "ip ah close: can't remove xfrm type\n");
|
|
}
|
|
|
|
module_init(ah4_init);
|
|
module_exit(ah4_fini);
|
|
MODULE_LICENSE("GPL");
|
|
MODULE_ALIAS_XFRM_TYPE(AF_INET, XFRM_PROTO_AH);
|