projects / deliverable / linux.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Audit: collect sessionid in netlink messages
[deliverable/linux.git] / net / xfrm / xfrm_state.c
1 /*
2 * xfrm_state.c
3 *
4 * Changes:
5 * Mitsuru KANDA @USAGI
6 * Kazunori MIYAZAWA @USAGI
7 * Kunihiro Ishiguro <kunihiro@ipinfusion.com>
8 * IPv6 support
9 * YOSHIFUJI Hideaki @USAGI
10 * Split up af-specific functions
11 * Derek Atkins <derek@ihtfp.com>
12 * Add UDP Encapsulation
13 *
14 */
15
16 #include <linux/workqueue.h>
17 #include <net/xfrm.h>
18 #include <linux/pfkeyv2.h>
19 #include <linux/ipsec.h>
20 #include <linux/module.h>
21 #include <linux/cache.h>
22 #include <linux/audit.h>
23 #include <asm/uaccess.h>
24
25 #include "xfrm_hash.h"
26
27 struct sock *xfrm_nl;
28 EXPORT_SYMBOL(xfrm_nl);
29
30 u32 sysctl_xfrm_aevent_etime __read_mostly = XFRM_AE_ETIME;
31 EXPORT_SYMBOL(sysctl_xfrm_aevent_etime);
32
33 u32 sysctl_xfrm_aevent_rseqth __read_mostly = XFRM_AE_SEQT_SIZE;
34 EXPORT_SYMBOL(sysctl_xfrm_aevent_rseqth);
35
36 u32 sysctl_xfrm_acq_expires __read_mostly = 30;
37
38 /* Each xfrm_state may be linked to two tables:
39
40 1. Hash table by (spi,daddr,ah/esp) to find SA by SPI. (input,ctl)
41 2. Hash table by (daddr,family,reqid) to find what SAs exist for given
42 destination/tunnel endpoint. (output)
43 */
44
45 static DEFINE_SPINLOCK(xfrm_state_lock);
46
47 /* Hash table to find appropriate SA towards given target (endpoint
48 * of tunnel or destination of transport mode) allowed by selector.
49 *
50 * Main use is finding SA after policy selected tunnel or transport mode.
51 * Also, it can be used by ah/esp icmp error handler to find offending SA.
52 */
53 static LIST_HEAD(xfrm_state_all);
54 static struct hlist_head *xfrm_state_bydst __read_mostly;
55 static struct hlist_head *xfrm_state_bysrc __read_mostly;
56 static struct hlist_head *xfrm_state_byspi __read_mostly;
57 static unsigned int xfrm_state_hmask __read_mostly;
58 static unsigned int xfrm_state_hashmax __read_mostly = 1 * 1024 * 1024;
59 static unsigned int xfrm_state_num;
60 static unsigned int xfrm_state_genid;
61
62 static struct xfrm_state_afinfo *xfrm_state_get_afinfo(unsigned int family);
63 static void xfrm_state_put_afinfo(struct xfrm_state_afinfo *afinfo);
64
65 #ifdef CONFIG_AUDITSYSCALL
66 static void xfrm_audit_state_replay(struct xfrm_state *x,
67 struct sk_buff *skb, __be32 net_seq);
68 #else
69 #define xfrm_audit_state_replay(x, s, sq) do { ; } while (0)
70 #endif /* CONFIG_AUDITSYSCALL */
71
72 static inline unsigned int xfrm_dst_hash(xfrm_address_t *daddr,
73 xfrm_address_t *saddr,
74 u32 reqid,
75 unsigned short family)
76 {
77 return __xfrm_dst_hash(daddr, saddr, reqid, family, xfrm_state_hmask);
78 }
79
80 static inline unsigned int xfrm_src_hash(xfrm_address_t *daddr,
81 xfrm_address_t *saddr,
82 unsigned short family)
83 {
84 return __xfrm_src_hash(daddr, saddr, family, xfrm_state_hmask);
85 }
86
87 static inline unsigned int
88 xfrm_spi_hash(xfrm_address_t *daddr, __be32 spi, u8 proto, unsigned short family)
89 {
90 return __xfrm_spi_hash(daddr, spi, proto, family, xfrm_state_hmask);
91 }
92
93 static void xfrm_hash_transfer(struct hlist_head *list,
94 struct hlist_head *ndsttable,
95 struct hlist_head *nsrctable,
96 struct hlist_head *nspitable,
97 unsigned int nhashmask)
98 {
99 struct hlist_node *entry, *tmp;
100 struct xfrm_state *x;
101
102 hlist_for_each_entry_safe(x, entry, tmp, list, bydst) {
103 unsigned int h;
104
105 h = __xfrm_dst_hash(&x->id.daddr, &x->props.saddr,
106 x->props.reqid, x->props.family,
107 nhashmask);
108 hlist_add_head(&x->bydst, ndsttable+h);
109
110 h = __xfrm_src_hash(&x->id.daddr, &x->props.saddr,
111 x->props.family,
112 nhashmask);
113 hlist_add_head(&x->bysrc, nsrctable+h);
114
115 if (x->id.spi) {
116 h = __xfrm_spi_hash(&x->id.daddr, x->id.spi,
117 x->id.proto, x->props.family,
118 nhashmask);
119 hlist_add_head(&x->byspi, nspitable+h);
120 }
121 }
122 }
123
124 static unsigned long xfrm_hash_new_size(void)
125 {
126 return ((xfrm_state_hmask + 1) << 1) *
127 sizeof(struct hlist_head);
128 }
129
130 static DEFINE_MUTEX(hash_resize_mutex);
131
132 static void xfrm_hash_resize(struct work_struct *__unused)
133 {
134 struct hlist_head *ndst, *nsrc, *nspi, *odst, *osrc, *ospi;
135 unsigned long nsize, osize;
136 unsigned int nhashmask, ohashmask;
137 int i;
138
139 mutex_lock(&hash_resize_mutex);
140
141 nsize = xfrm_hash_new_size();
142 ndst = xfrm_hash_alloc(nsize);
143 if (!ndst)
144 goto out_unlock;
145 nsrc = xfrm_hash_alloc(nsize);
146 if (!nsrc) {
147 xfrm_hash_free(ndst, nsize);
148 goto out_unlock;
149 }
150 nspi = xfrm_hash_alloc(nsize);
151 if (!nspi) {
152 xfrm_hash_free(ndst, nsize);
153 xfrm_hash_free(nsrc, nsize);
154 goto out_unlock;
155 }
156
157 spin_lock_bh(&xfrm_state_lock);
158
159 nhashmask = (nsize / sizeof(struct hlist_head)) - 1U;
160 for (i = xfrm_state_hmask; i >= 0; i--)
161 xfrm_hash_transfer(xfrm_state_bydst+i, ndst, nsrc, nspi,
162 nhashmask);
163
164 odst = xfrm_state_bydst;
165 osrc = xfrm_state_bysrc;
166 ospi = xfrm_state_byspi;
167 ohashmask = xfrm_state_hmask;
168
169 xfrm_state_bydst = ndst;
170 xfrm_state_bysrc = nsrc;
171 xfrm_state_byspi = nspi;
172 xfrm_state_hmask = nhashmask;
173
174 spin_unlock_bh(&xfrm_state_lock);
175
176 osize = (ohashmask + 1) * sizeof(struct hlist_head);
177 xfrm_hash_free(odst, osize);
178 xfrm_hash_free(osrc, osize);
179 xfrm_hash_free(ospi, osize);
180
181 out_unlock:
182 mutex_unlock(&hash_resize_mutex);
183 }
184
185 static DECLARE_WORK(xfrm_hash_work, xfrm_hash_resize);
186
187 DECLARE_WAIT_QUEUE_HEAD(km_waitq);
188 EXPORT_SYMBOL(km_waitq);
189
190 static DEFINE_RWLOCK(xfrm_state_afinfo_lock);
191 static struct xfrm_state_afinfo *xfrm_state_afinfo[NPROTO];
192
193 static struct work_struct xfrm_state_gc_work;
194 static HLIST_HEAD(xfrm_state_gc_list);
195 static DEFINE_SPINLOCK(xfrm_state_gc_lock);
196
197 int __xfrm_state_delete(struct xfrm_state *x);
198
199 int km_query(struct xfrm_state *x, struct xfrm_tmpl *t, struct xfrm_policy *pol);
200 void km_state_expired(struct xfrm_state *x, int hard, u32 pid);
201
202 static struct xfrm_state_afinfo *xfrm_state_lock_afinfo(unsigned int family)
203 {
204 struct xfrm_state_afinfo *afinfo;
205 if (unlikely(family >= NPROTO))
206 return NULL;
207 write_lock_bh(&xfrm_state_afinfo_lock);
208 afinfo = xfrm_state_afinfo[family];
209 if (unlikely(!afinfo))
210 write_unlock_bh(&xfrm_state_afinfo_lock);
211 return afinfo;
212 }
213
214 static void xfrm_state_unlock_afinfo(struct xfrm_state_afinfo *afinfo)
215 __releases(xfrm_state_afinfo_lock)
216 {
217 write_unlock_bh(&xfrm_state_afinfo_lock);
218 }
219
220 int xfrm_register_type(const struct xfrm_type *type, unsigned short family)
221 {
222 struct xfrm_state_afinfo *afinfo = xfrm_state_lock_afinfo(family);
223 const struct xfrm_type **typemap;
224 int err = 0;
225
226 if (unlikely(afinfo == NULL))
227 return -EAFNOSUPPORT;
228 typemap = afinfo->type_map;
229
230 if (likely(typemap[type->proto] == NULL))
231 typemap[type->proto] = type;
232 else
233 err = -EEXIST;
234 xfrm_state_unlock_afinfo(afinfo);
235 return err;
236 }
237 EXPORT_SYMBOL(xfrm_register_type);
238
239 int xfrm_unregister_type(const struct xfrm_type *type, unsigned short family)
240 {
241 struct xfrm_state_afinfo *afinfo = xfrm_state_lock_afinfo(family);
242 const struct xfrm_type **typemap;
243 int err = 0;
244
245 if (unlikely(afinfo == NULL))
246 return -EAFNOSUPPORT;
247 typemap = afinfo->type_map;
248
249 if (unlikely(typemap[type->proto] != type))
250 err = -ENOENT;
251 else
252 typemap[type->proto] = NULL;
253 xfrm_state_unlock_afinfo(afinfo);
254 return err;
255 }
256 EXPORT_SYMBOL(xfrm_unregister_type);
257
258 static const struct xfrm_type *xfrm_get_type(u8 proto, unsigned short family)
259 {
260 struct xfrm_state_afinfo *afinfo;
261 const struct xfrm_type **typemap;
262 const struct xfrm_type *type;
263 int modload_attempted = 0;
264
265 retry:
266 afinfo = xfrm_state_get_afinfo(family);
267 if (unlikely(afinfo == NULL))
268 return NULL;
269 typemap = afinfo->type_map;
270
271 type = typemap[proto];
272 if (unlikely(type && !try_module_get(type->owner)))
273 type = NULL;
274 if (!type && !modload_attempted) {
275 xfrm_state_put_afinfo(afinfo);
276 request_module("xfrm-type-%d-%d", family, proto);
277 modload_attempted = 1;
278 goto retry;
279 }
280
281 xfrm_state_put_afinfo(afinfo);
282 return type;
283 }
284
285 static void xfrm_put_type(const struct xfrm_type *type)
286 {
287 module_put(type->owner);
288 }
289
290 int xfrm_register_mode(struct xfrm_mode *mode, int family)
291 {
292 struct xfrm_state_afinfo *afinfo;
293 struct xfrm_mode **modemap;
294 int err;
295
296 if (unlikely(mode->encap >= XFRM_MODE_MAX))
297 return -EINVAL;
298
299 afinfo = xfrm_state_lock_afinfo(family);
300 if (unlikely(afinfo == NULL))
301 return -EAFNOSUPPORT;
302
303 err = -EEXIST;
304 modemap = afinfo->mode_map;
305 if (modemap[mode->encap])
306 goto out;
307
308 err = -ENOENT;
309 if (!try_module_get(afinfo->owner))
310 goto out;
311
312 mode->afinfo = afinfo;
313 modemap[mode->encap] = mode;
314 err = 0;
315
316 out:
317 xfrm_state_unlock_afinfo(afinfo);
318 return err;
319 }
320 EXPORT_SYMBOL(xfrm_register_mode);
321
322 int xfrm_unregister_mode(struct xfrm_mode *mode, int family)
323 {
324 struct xfrm_state_afinfo *afinfo;
325 struct xfrm_mode **modemap;
326 int err;
327
328 if (unlikely(mode->encap >= XFRM_MODE_MAX))
329 return -EINVAL;
330
331 afinfo = xfrm_state_lock_afinfo(family);
332 if (unlikely(afinfo == NULL))
333 return -EAFNOSUPPORT;
334
335 err = -ENOENT;
336 modemap = afinfo->mode_map;
337 if (likely(modemap[mode->encap] == mode)) {
338 modemap[mode->encap] = NULL;
339 module_put(mode->afinfo->owner);
340 err = 0;
341 }
342
343 xfrm_state_unlock_afinfo(afinfo);
344 return err;
345 }
346 EXPORT_SYMBOL(xfrm_unregister_mode);
347
348 static struct xfrm_mode *xfrm_get_mode(unsigned int encap, int family)
349 {
350 struct xfrm_state_afinfo *afinfo;
351 struct xfrm_mode *mode;
352 int modload_attempted = 0;
353
354 if (unlikely(encap >= XFRM_MODE_MAX))
355 return NULL;
356
357 retry:
358 afinfo = xfrm_state_get_afinfo(family);
359 if (unlikely(afinfo == NULL))
360 return NULL;
361
362 mode = afinfo->mode_map[encap];
363 if (unlikely(mode && !try_module_get(mode->owner)))
364 mode = NULL;
365 if (!mode && !modload_attempted) {
366 xfrm_state_put_afinfo(afinfo);
367 request_module("xfrm-mode-%d-%d", family, encap);
368 modload_attempted = 1;
369 goto retry;
370 }
371
372 xfrm_state_put_afinfo(afinfo);
373 return mode;
374 }
375
376 static void xfrm_put_mode(struct xfrm_mode *mode)
377 {
378 module_put(mode->owner);
379 }
380
381 static void xfrm_state_gc_destroy(struct xfrm_state *x)
382 {
383 del_timer_sync(&x->timer);
384 del_timer_sync(&x->rtimer);
385 kfree(x->aalg);
386 kfree(x->ealg);
387 kfree(x->calg);
388 kfree(x->encap);
389 kfree(x->coaddr);
390 if (x->inner_mode)
391 xfrm_put_mode(x->inner_mode);
392 if (x->inner_mode_iaf)
393 xfrm_put_mode(x->inner_mode_iaf);
394 if (x->outer_mode)
395 xfrm_put_mode(x->outer_mode);
396 if (x->type) {
397 x->type->destructor(x);
398 xfrm_put_type(x->type);
399 }
400 security_xfrm_state_free(x);
401 kfree(x);
402 }
403
404 static void xfrm_state_gc_task(struct work_struct *data)
405 {
406 struct xfrm_state *x;
407 struct hlist_node *entry, *tmp;
408 struct hlist_head gc_list;
409
410 spin_lock_bh(&xfrm_state_gc_lock);
411 gc_list.first = xfrm_state_gc_list.first;
412 INIT_HLIST_HEAD(&xfrm_state_gc_list);
413 spin_unlock_bh(&xfrm_state_gc_lock);
414
415 hlist_for_each_entry_safe(x, entry, tmp, &gc_list, bydst)
416 xfrm_state_gc_destroy(x);
417
418 wake_up(&km_waitq);
419 }
420
421 static inline unsigned long make_jiffies(long secs)
422 {
423 if (secs >= (MAX_SCHEDULE_TIMEOUT-1)/HZ)
424 return MAX_SCHEDULE_TIMEOUT-1;
425 else
426 return secs*HZ;
427 }
428
429 static void xfrm_timer_handler(unsigned long data)
430 {
431 struct xfrm_state *x = (struct xfrm_state*)data;
432 unsigned long now = get_seconds();
433 long next = LONG_MAX;
434 int warn = 0;
435 int err = 0;
436
437 spin_lock(&x->lock);
438 if (x->km.state == XFRM_STATE_DEAD)
439 goto out;
440 if (x->km.state == XFRM_STATE_EXPIRED)
441 goto expired;
442 if (x->lft.hard_add_expires_seconds) {
443 long tmo = x->lft.hard_add_expires_seconds +
444 x->curlft.add_time - now;
445 if (tmo <= 0)
446 goto expired;
447 if (tmo < next)
448 next = tmo;
449 }
450 if (x->lft.hard_use_expires_seconds) {
451 long tmo = x->lft.hard_use_expires_seconds +
452 (x->curlft.use_time ? : now) - now;
453 if (tmo <= 0)
454 goto expired;
455 if (tmo < next)
456 next = tmo;
457 }
458 if (x->km.dying)
459 goto resched;
460 if (x->lft.soft_add_expires_seconds) {
461 long tmo = x->lft.soft_add_expires_seconds +
462 x->curlft.add_time - now;
463 if (tmo <= 0)
464 warn = 1;
465 else if (tmo < next)
466 next = tmo;
467 }
468 if (x->lft.soft_use_expires_seconds) {
469 long tmo = x->lft.soft_use_expires_seconds +
470 (x->curlft.use_time ? : now) - now;
471 if (tmo <= 0)
472 warn = 1;
473 else if (tmo < next)
474 next = tmo;
475 }
476
477 x->km.dying = warn;
478 if (warn)
479 km_state_expired(x, 0, 0);
480 resched:
481 if (next != LONG_MAX)
482 mod_timer(&x->timer, jiffies + make_jiffies(next));
483
484 goto out;
485
486 expired:
487 if (x->km.state == XFRM_STATE_ACQ && x->id.spi == 0) {
488 x->km.state = XFRM_STATE_EXPIRED;
489 wake_up(&km_waitq);
490 next = 2;
491 goto resched;
492 }
493
494 err = __xfrm_state_delete(x);
495 if (!err && x->id.spi)
496 km_state_expired(x, 1, 0);
497
498 xfrm_audit_state_delete(x, err ? 0 : 1,
499 audit_get_loginuid(current),
500 audit_get_sessionid(current), 0);
501
502 out:
503 spin_unlock(&x->lock);
504 }
505
506 static void xfrm_replay_timer_handler(unsigned long data);
507
508 struct xfrm_state *xfrm_state_alloc(void)
509 {
510 struct xfrm_state *x;
511
512 x = kzalloc(sizeof(struct xfrm_state), GFP_ATOMIC);
513
514 if (x) {
515 atomic_set(&x->refcnt, 1);
516 atomic_set(&x->tunnel_users, 0);
517 INIT_LIST_HEAD(&x->all);
518 INIT_HLIST_NODE(&x->bydst);
519 INIT_HLIST_NODE(&x->bysrc);
520 INIT_HLIST_NODE(&x->byspi);
521 setup_timer(&x->timer, xfrm_timer_handler, (unsigned long)x);
522 setup_timer(&x->rtimer, xfrm_replay_timer_handler,
523 (unsigned long)x);
524 x->curlft.add_time = get_seconds();
525 x->lft.soft_byte_limit = XFRM_INF;
526 x->lft.soft_packet_limit = XFRM_INF;
527 x->lft.hard_byte_limit = XFRM_INF;
528 x->lft.hard_packet_limit = XFRM_INF;
529 x->replay_maxage = 0;
530 x->replay_maxdiff = 0;
531 x->inner_mode = NULL;
532 x->inner_mode_iaf = NULL;
533 spin_lock_init(&x->lock);
534 }
535 return x;
536 }
537 EXPORT_SYMBOL(xfrm_state_alloc);
538
539 void __xfrm_state_destroy(struct xfrm_state *x)
540 {
541 BUG_TRAP(x->km.state == XFRM_STATE_DEAD);
542
543 spin_lock_bh(&xfrm_state_lock);
544 list_del(&x->all);
545 spin_unlock_bh(&xfrm_state_lock);
546
547 spin_lock_bh(&xfrm_state_gc_lock);
548 hlist_add_head(&x->bydst, &xfrm_state_gc_list);
549 spin_unlock_bh(&xfrm_state_gc_lock);
550 schedule_work(&xfrm_state_gc_work);
551 }
552 EXPORT_SYMBOL(__xfrm_state_destroy);
553
554 int __xfrm_state_delete(struct xfrm_state *x)
555 {
556 int err = -ESRCH;
557
558 if (x->km.state != XFRM_STATE_DEAD) {
559 x->km.state = XFRM_STATE_DEAD;
560 spin_lock(&xfrm_state_lock);
561 hlist_del(&x->bydst);
562 hlist_del(&x->bysrc);
563 if (x->id.spi)
564 hlist_del(&x->byspi);
565 xfrm_state_num--;
566 spin_unlock(&xfrm_state_lock);
567
568 /* All xfrm_state objects are created by xfrm_state_alloc.
569 * The xfrm_state_alloc call gives a reference, and that
570 * is what we are dropping here.
571 */
572 xfrm_state_put(x);
573 err = 0;
574 }
575
576 return err;
577 }
578 EXPORT_SYMBOL(__xfrm_state_delete);
579
580 int xfrm_state_delete(struct xfrm_state *x)
581 {
582 int err;
583
584 spin_lock_bh(&x->lock);
585 err = __xfrm_state_delete(x);
586 spin_unlock_bh(&x->lock);
587
588 return err;
589 }
590 EXPORT_SYMBOL(xfrm_state_delete);
591
592 #ifdef CONFIG_SECURITY_NETWORK_XFRM
593 static inline int
594 xfrm_state_flush_secctx_check(u8 proto, struct xfrm_audit *audit_info)
595 {
596 int i, err = 0;
597
598 for (i = 0; i <= xfrm_state_hmask; i++) {
599 struct hlist_node *entry;
600 struct xfrm_state *x;
601
602 hlist_for_each_entry(x, entry, xfrm_state_bydst+i, bydst) {
603 if (xfrm_id_proto_match(x->id.proto, proto) &&
604 (err = security_xfrm_state_delete(x)) != 0) {
605 xfrm_audit_state_delete(x, 0,
606 audit_info->loginuid,
607 audit_info->sessionid,
608 audit_info->secid);
609 return err;
610 }
611 }
612 }
613
614 return err;
615 }
616 #else
617 static inline int
618 xfrm_state_flush_secctx_check(u8 proto, struct xfrm_audit *audit_info)
619 {
620 return 0;
621 }
622 #endif
623
624 int xfrm_state_flush(u8 proto, struct xfrm_audit *audit_info)
625 {
626 int i, err = 0;
627
628 spin_lock_bh(&xfrm_state_lock);
629 err = xfrm_state_flush_secctx_check(proto, audit_info);
630 if (err)
631 goto out;
632
633 for (i = 0; i <= xfrm_state_hmask; i++) {
634 struct hlist_node *entry;
635 struct xfrm_state *x;
636 restart:
637 hlist_for_each_entry(x, entry, xfrm_state_bydst+i, bydst) {
638 if (!xfrm_state_kern(x) &&
639 xfrm_id_proto_match(x->id.proto, proto)) {
640 xfrm_state_hold(x);
641 spin_unlock_bh(&xfrm_state_lock);
642
643 err = xfrm_state_delete(x);
644 xfrm_audit_state_delete(x, err ? 0 : 1,
645 audit_info->loginuid,
646 audit_info->sessionid,
647 audit_info->secid);
648 xfrm_state_put(x);
649
650 spin_lock_bh(&xfrm_state_lock);
651 goto restart;
652 }
653 }
654 }
655 err = 0;
656
657 out:
658 spin_unlock_bh(&xfrm_state_lock);
659 wake_up(&km_waitq);
660 return err;
661 }
662 EXPORT_SYMBOL(xfrm_state_flush);
663
664 void xfrm_sad_getinfo(struct xfrmk_sadinfo *si)
665 {
666 spin_lock_bh(&xfrm_state_lock);
667 si->sadcnt = xfrm_state_num;
668 si->sadhcnt = xfrm_state_hmask;
669 si->sadhmcnt = xfrm_state_hashmax;
670 spin_unlock_bh(&xfrm_state_lock);
671 }
672 EXPORT_SYMBOL(xfrm_sad_getinfo);
673
674 static int
675 xfrm_init_tempsel(struct xfrm_state *x, struct flowi *fl,
676 struct xfrm_tmpl *tmpl,
677 xfrm_address_t *daddr, xfrm_address_t *saddr,
678 unsigned short family)
679 {
680 struct xfrm_state_afinfo *afinfo = xfrm_state_get_afinfo(family);
681 if (!afinfo)
682 return -1;
683 afinfo->init_tempsel(x, fl, tmpl, daddr, saddr);
684 xfrm_state_put_afinfo(afinfo);
685 return 0;
686 }
687
688 static struct xfrm_state *__xfrm_state_lookup(xfrm_address_t *daddr, __be32 spi, u8 proto, unsigned short family)
689 {
690 unsigned int h = xfrm_spi_hash(daddr, spi, proto, family);
691 struct xfrm_state *x;
692 struct hlist_node *entry;
693
694 hlist_for_each_entry(x, entry, xfrm_state_byspi+h, byspi) {
695 if (x->props.family != family ||
696 x->id.spi != spi ||
697 x->id.proto != proto)
698 continue;
699
700 switch (family) {
701 case AF_INET:
702 if (x->id.daddr.a4 != daddr->a4)
703 continue;
704 break;
705 case AF_INET6:
706 if (!ipv6_addr_equal((struct in6_addr *)daddr,
707 (struct in6_addr *)
708 x->id.daddr.a6))
709 continue;
710 break;
711 }
712
713 xfrm_state_hold(x);
714 return x;
715 }
716
717 return NULL;
718 }
719
720 static struct xfrm_state *__xfrm_state_lookup_byaddr(xfrm_address_t *daddr, xfrm_address_t *saddr, u8 proto, unsigned short family)
721 {
722 unsigned int h = xfrm_src_hash(daddr, saddr, family);
723 struct xfrm_state *x;
724 struct hlist_node *entry;
725
726 hlist_for_each_entry(x, entry, xfrm_state_bysrc+h, bysrc) {
727 if (x->props.family != family ||
728 x->id.proto != proto)
729 continue;
730
731 switch (family) {
732 case AF_INET:
733 if (x->id.daddr.a4 != daddr->a4 ||
734 x->props.saddr.a4 != saddr->a4)
735 continue;
736 break;
737 case AF_INET6:
738 if (!ipv6_addr_equal((struct in6_addr *)daddr,
739 (struct in6_addr *)
740 x->id.daddr.a6) ||
741 !ipv6_addr_equal((struct in6_addr *)saddr,
742 (struct in6_addr *)
743 x->props.saddr.a6))
744 continue;
745 break;
746 }
747
748 xfrm_state_hold(x);
749 return x;
750 }
751
752 return NULL;
753 }
754
755 static inline struct xfrm_state *
756 __xfrm_state_locate(struct xfrm_state *x, int use_spi, int family)
757 {
758 if (use_spi)
759 return __xfrm_state_lookup(&x->id.daddr, x->id.spi,
760 x->id.proto, family);
761 else
762 return __xfrm_state_lookup_byaddr(&x->id.daddr,
763 &x->props.saddr,
764 x->id.proto, family);
765 }
766
767 static void xfrm_hash_grow_check(int have_hash_collision)
768 {
769 if (have_hash_collision &&
770 (xfrm_state_hmask + 1) < xfrm_state_hashmax &&
771 xfrm_state_num > xfrm_state_hmask)
772 schedule_work(&xfrm_hash_work);
773 }
774
775 struct xfrm_state *
776 xfrm_state_find(xfrm_address_t *daddr, xfrm_address_t *saddr,
777 struct flowi *fl, struct xfrm_tmpl *tmpl,
778 struct xfrm_policy *pol, int *err,
779 unsigned short family)
780 {
781 unsigned int h;
782 struct hlist_node *entry;
783 struct xfrm_state *x, *x0;
784 int acquire_in_progress = 0;
785 int error = 0;
786 struct xfrm_state *best = NULL;
787
788 spin_lock_bh(&xfrm_state_lock);
789 h = xfrm_dst_hash(daddr, saddr, tmpl->reqid, family);
790 hlist_for_each_entry(x, entry, xfrm_state_bydst+h, bydst) {
791 if (x->props.family == family &&
792 x->props.reqid == tmpl->reqid &&
793 !(x->props.flags & XFRM_STATE_WILDRECV) &&
794 xfrm_state_addr_check(x, daddr, saddr, family) &&
795 tmpl->mode == x->props.mode &&
796 tmpl->id.proto == x->id.proto &&
797 (tmpl->id.spi == x->id.spi || !tmpl->id.spi)) {
798 /* Resolution logic:
799 1. There is a valid state with matching selector.
800 Done.
801 2. Valid state with inappropriate selector. Skip.
802
803 Entering area of "sysdeps".
804
805 3. If state is not valid, selector is temporary,
806 it selects only session which triggered
807 previous resolution. Key manager will do
808 something to install a state with proper
809 selector.
810 */
811 if (x->km.state == XFRM_STATE_VALID) {
812 if ((x->sel.family && !xfrm_selector_match(&x->sel, fl, x->sel.family)) ||
813 !security_xfrm_state_pol_flow_match(x, pol, fl))
814 continue;
815 if (!best ||
816 best->km.dying > x->km.dying ||
817 (best->km.dying == x->km.dying &&
818 best->curlft.add_time < x->curlft.add_time))
819 best = x;
820 } else if (x->km.state == XFRM_STATE_ACQ) {
821 acquire_in_progress = 1;
822 } else if (x->km.state == XFRM_STATE_ERROR ||
823 x->km.state == XFRM_STATE_EXPIRED) {
824 if (xfrm_selector_match(&x->sel, fl, x->sel.family) &&
825 security_xfrm_state_pol_flow_match(x, pol, fl))
826 error = -ESRCH;
827 }
828 }
829 }
830
831 x = best;
832 if (!x && !error && !acquire_in_progress) {
833 if (tmpl->id.spi &&
834 (x0 = __xfrm_state_lookup(daddr, tmpl->id.spi,
835 tmpl->id.proto, family)) != NULL) {
836 xfrm_state_put(x0);
837 error = -EEXIST;
838 goto out;
839 }
840 x = xfrm_state_alloc();
841 if (x == NULL) {
842 error = -ENOMEM;
843 goto out;
844 }
845 /* Initialize temporary selector matching only
846 * to current session. */
847 xfrm_init_tempsel(x, fl, tmpl, daddr, saddr, family);
848
849 error = security_xfrm_state_alloc_acquire(x, pol->security, fl->secid);
850 if (error) {
851 x->km.state = XFRM_STATE_DEAD;
852 xfrm_state_put(x);
853 x = NULL;
854 goto out;
855 }
856
857 if (km_query(x, tmpl, pol) == 0) {
858 x->km.state = XFRM_STATE_ACQ;
859 hlist_add_head(&x->bydst, xfrm_state_bydst+h);
860 h = xfrm_src_hash(daddr, saddr, family);
861 hlist_add_head(&x->bysrc, xfrm_state_bysrc+h);
862 if (x->id.spi) {
863 h = xfrm_spi_hash(&x->id.daddr, x->id.spi, x->id.proto, family);
864 hlist_add_head(&x->byspi, xfrm_state_byspi+h);
865 }
866 x->lft.hard_add_expires_seconds = sysctl_xfrm_acq_expires;
867 x->timer.expires = jiffies + sysctl_xfrm_acq_expires*HZ;
868 add_timer(&x->timer);
869 xfrm_state_num++;
870 xfrm_hash_grow_check(x->bydst.next != NULL);
871 } else {
872 x->km.state = XFRM_STATE_DEAD;
873 xfrm_state_put(x);
874 x = NULL;
875 error = -ESRCH;
876 }
877 }
878 out:
879 if (x)
880 xfrm_state_hold(x);
881 else
882 *err = acquire_in_progress ? -EAGAIN : error;
883 spin_unlock_bh(&xfrm_state_lock);
884 return x;
885 }
886
887 struct xfrm_state *
888 xfrm_stateonly_find(xfrm_address_t *daddr, xfrm_address_t *saddr,
889 unsigned short family, u8 mode, u8 proto, u32 reqid)
890 {
891 unsigned int h;
892 struct xfrm_state *rx = NULL, *x = NULL;
893 struct hlist_node *entry;
894
895 spin_lock(&xfrm_state_lock);
896 h = xfrm_dst_hash(daddr, saddr, reqid, family);
897 hlist_for_each_entry(x, entry, xfrm_state_bydst+h, bydst) {
898 if (x->props.family == family &&
899 x->props.reqid == reqid &&
900 !(x->props.flags & XFRM_STATE_WILDRECV) &&
901 xfrm_state_addr_check(x, daddr, saddr, family) &&
902 mode == x->props.mode &&
903 proto == x->id.proto &&
904 x->km.state == XFRM_STATE_VALID) {
905 rx = x;
906 break;
907 }
908 }
909
910 if (rx)
911 xfrm_state_hold(rx);
912 spin_unlock(&xfrm_state_lock);
913
914
915 return rx;
916 }
917 EXPORT_SYMBOL(xfrm_stateonly_find);
918
919 static void __xfrm_state_insert(struct xfrm_state *x)
920 {
921 unsigned int h;
922
923 x->genid = ++xfrm_state_genid;
924
925 list_add_tail(&x->all, &xfrm_state_all);
926
927 h = xfrm_dst_hash(&x->id.daddr, &x->props.saddr,
928 x->props.reqid, x->props.family);
929 hlist_add_head(&x->bydst, xfrm_state_bydst+h);
930
931 h = xfrm_src_hash(&x->id.daddr, &x->props.saddr, x->props.family);
932 hlist_add_head(&x->bysrc, xfrm_state_bysrc+h);
933
934 if (x->id.spi) {
935 h = xfrm_spi_hash(&x->id.daddr, x->id.spi, x->id.proto,
936 x->props.family);
937
938 hlist_add_head(&x->byspi, xfrm_state_byspi+h);
939 }
940
941 mod_timer(&x->timer, jiffies + HZ);
942 if (x->replay_maxage)
943 mod_timer(&x->rtimer, jiffies + x->replay_maxage);
944
945 wake_up(&km_waitq);
946
947 xfrm_state_num++;
948
949 xfrm_hash_grow_check(x->bydst.next != NULL);
950 }
951
952 /* xfrm_state_lock is held */
953 static void __xfrm_state_bump_genids(struct xfrm_state *xnew)
954 {
955 unsigned short family = xnew->props.family;
956 u32 reqid = xnew->props.reqid;
957 struct xfrm_state *x;
958 struct hlist_node *entry;
959 unsigned int h;
960
961 h = xfrm_dst_hash(&xnew->id.daddr, &xnew->props.saddr, reqid, family);
962 hlist_for_each_entry(x, entry, xfrm_state_bydst+h, bydst) {
963 if (x->props.family == family &&
964 x->props.reqid == reqid &&
965 !xfrm_addr_cmp(&x->id.daddr, &xnew->id.daddr, family) &&
966 !xfrm_addr_cmp(&x->props.saddr, &xnew->props.saddr, family))
967 x->genid = xfrm_state_genid;
968 }
969 }
970
971 void xfrm_state_insert(struct xfrm_state *x)
972 {
973 spin_lock_bh(&xfrm_state_lock);
974 __xfrm_state_bump_genids(x);
975 __xfrm_state_insert(x);
976 spin_unlock_bh(&xfrm_state_lock);
977 }
978 EXPORT_SYMBOL(xfrm_state_insert);
979
980 /* xfrm_state_lock is held */
981 static struct xfrm_state *__find_acq_core(unsigned short family, u8 mode, u32 reqid, u8 proto, xfrm_address_t *daddr, xfrm_address_t *saddr, int create)
982 {
983 unsigned int h = xfrm_dst_hash(daddr, saddr, reqid, family);
984 struct hlist_node *entry;
985 struct xfrm_state *x;
986
987 hlist_for_each_entry(x, entry, xfrm_state_bydst+h, bydst) {
988 if (x->props.reqid != reqid ||
989 x->props.mode != mode ||
990 x->props.family != family ||
991 x->km.state != XFRM_STATE_ACQ ||
992 x->id.spi != 0 ||
993 x->id.proto != proto)
994 continue;
995
996 switch (family) {
997 case AF_INET:
998 if (x->id.daddr.a4 != daddr->a4 ||
999 x->props.saddr.a4 != saddr->a4)
1000 continue;
1001 break;
1002 case AF_INET6:
1003 if (!ipv6_addr_equal((struct in6_addr *)x->id.daddr.a6,
1004 (struct in6_addr *)daddr) ||
1005 !ipv6_addr_equal((struct in6_addr *)
1006 x->props.saddr.a6,
1007 (struct in6_addr *)saddr))
1008 continue;
1009 break;
1010 }
1011
1012 xfrm_state_hold(x);
1013 return x;
1014 }
1015
1016 if (!create)
1017 return NULL;
1018
1019 x = xfrm_state_alloc();
1020 if (likely(x)) {
1021 switch (family) {
1022 case AF_INET:
1023 x->sel.daddr.a4 = daddr->a4;
1024 x->sel.saddr.a4 = saddr->a4;
1025 x->sel.prefixlen_d = 32;
1026 x->sel.prefixlen_s = 32;
1027 x->props.saddr.a4 = saddr->a4;
1028 x->id.daddr.a4 = daddr->a4;
1029 break;
1030
1031 case AF_INET6:
1032 ipv6_addr_copy((struct in6_addr *)x->sel.daddr.a6,
1033 (struct in6_addr *)daddr);
1034 ipv6_addr_copy((struct in6_addr *)x->sel.saddr.a6,
1035 (struct in6_addr *)saddr);
1036 x->sel.prefixlen_d = 128;
1037 x->sel.prefixlen_s = 128;
1038 ipv6_addr_copy((struct in6_addr *)x->props.saddr.a6,
1039 (struct in6_addr *)saddr);
1040 ipv6_addr_copy((struct in6_addr *)x->id.daddr.a6,
1041 (struct in6_addr *)daddr);
1042 break;
1043 }
1044
1045 x->km.state = XFRM_STATE_ACQ;
1046 x->id.proto = proto;
1047 x->props.family = family;
1048 x->props.mode = mode;
1049 x->props.reqid = reqid;
1050 x->lft.hard_add_expires_seconds = sysctl_xfrm_acq_expires;
1051 xfrm_state_hold(x);
1052 x->timer.expires = jiffies + sysctl_xfrm_acq_expires*HZ;
1053 add_timer(&x->timer);
1054 hlist_add_head(&x->bydst, xfrm_state_bydst+h);
1055 h = xfrm_src_hash(daddr, saddr, family);
1056 hlist_add_head(&x->bysrc, xfrm_state_bysrc+h);
1057
1058 xfrm_state_num++;
1059
1060 xfrm_hash_grow_check(x->bydst.next != NULL);
1061 }
1062
1063 return x;
1064 }
1065
1066 static struct xfrm_state *__xfrm_find_acq_byseq(u32 seq);
1067
1068 int xfrm_state_add(struct xfrm_state *x)
1069 {
1070 struct xfrm_state *x1;
1071 int family;
1072 int err;
1073 int use_spi = xfrm_id_proto_match(x->id.proto, IPSEC_PROTO_ANY);
1074
1075 family = x->props.family;
1076
1077 spin_lock_bh(&xfrm_state_lock);
1078
1079 x1 = __xfrm_state_locate(x, use_spi, family);
1080 if (x1) {
1081 xfrm_state_put(x1);
1082 x1 = NULL;
1083 err = -EEXIST;
1084 goto out;
1085 }
1086
1087 if (use_spi && x->km.seq) {
1088 x1 = __xfrm_find_acq_byseq(x->km.seq);
1089 if (x1 && ((x1->id.proto != x->id.proto) ||
1090 xfrm_addr_cmp(&x1->id.daddr, &x->id.daddr, family))) {
1091 xfrm_state_put(x1);
1092 x1 = NULL;
1093 }
1094 }
1095
1096 if (use_spi && !x1)
1097 x1 = __find_acq_core(family, x->props.mode, x->props.reqid,
1098 x->id.proto,
1099 &x->id.daddr, &x->props.saddr, 0);
1100
1101 __xfrm_state_bump_genids(x);
1102 __xfrm_state_insert(x);
1103 err = 0;
1104
1105 out:
1106 spin_unlock_bh(&xfrm_state_lock);
1107
1108 if (x1) {
1109 xfrm_state_delete(x1);
1110 xfrm_state_put(x1);
1111 }
1112
1113 return err;
1114 }
1115 EXPORT_SYMBOL(xfrm_state_add);
1116
1117 #ifdef CONFIG_XFRM_MIGRATE
1118 static struct xfrm_state *xfrm_state_clone(struct xfrm_state *orig, int *errp)
1119 {
1120 int err = -ENOMEM;
1121 struct xfrm_state *x = xfrm_state_alloc();
1122 if (!x)
1123 goto error;
1124
1125 memcpy(&x->id, &orig->id, sizeof(x->id));
1126 memcpy(&x->sel, &orig->sel, sizeof(x->sel));
1127 memcpy(&x->lft, &orig->lft, sizeof(x->lft));
1128 x->props.mode = orig->props.mode;
1129 x->props.replay_window = orig->props.replay_window;
1130 x->props.reqid = orig->props.reqid;
1131 x->props.family = orig->props.family;
1132 x->props.saddr = orig->props.saddr;
1133
1134 if (orig->aalg) {
1135 x->aalg = xfrm_algo_clone(orig->aalg);
1136 if (!x->aalg)
1137 goto error;
1138 }
1139 x->props.aalgo = orig->props.aalgo;
1140
1141 if (orig->ealg) {
1142 x->ealg = xfrm_algo_clone(orig->ealg);
1143 if (!x->ealg)
1144 goto error;
1145 }
1146 x->props.ealgo = orig->props.ealgo;
1147
1148 if (orig->calg) {
1149 x->calg = xfrm_algo_clone(orig->calg);
1150 if (!x->calg)
1151 goto error;
1152 }
1153 x->props.calgo = orig->props.calgo;
1154
1155 if (orig->encap) {
1156 x->encap = kmemdup(orig->encap, sizeof(*x->encap), GFP_KERNEL);
1157 if (!x->encap)
1158 goto error;
1159 }
1160
1161 if (orig->coaddr) {
1162 x->coaddr = kmemdup(orig->coaddr, sizeof(*x->coaddr),
1163 GFP_KERNEL);
1164 if (!x->coaddr)
1165 goto error;
1166 }
1167
1168 err = xfrm_init_state(x);
1169 if (err)
1170 goto error;
1171
1172 x->props.flags = orig->props.flags;
1173
1174 x->curlft.add_time = orig->curlft.add_time;
1175 x->km.state = orig->km.state;
1176 x->km.seq = orig->km.seq;
1177
1178 return x;
1179
1180 error:
1181 if (errp)
1182 *errp = err;
1183 if (x) {
1184 kfree(x->aalg);
1185 kfree(x->ealg);
1186 kfree(x->calg);
1187 kfree(x->encap);
1188 kfree(x->coaddr);
1189 }
1190 kfree(x);
1191 return NULL;
1192 }
1193
1194 /* xfrm_state_lock is held */
1195 struct xfrm_state * xfrm_migrate_state_find(struct xfrm_migrate *m)
1196 {
1197 unsigned int h;
1198 struct xfrm_state *x;
1199 struct hlist_node *entry;
1200
1201 if (m->reqid) {
1202 h = xfrm_dst_hash(&m->old_daddr, &m->old_saddr,
1203 m->reqid, m->old_family);
1204 hlist_for_each_entry(x, entry, xfrm_state_bydst+h, bydst) {
1205 if (x->props.mode != m->mode ||
1206 x->id.proto != m->proto)
1207 continue;
1208 if (m->reqid && x->props.reqid != m->reqid)
1209 continue;
1210 if (xfrm_addr_cmp(&x->id.daddr, &m->old_daddr,
1211 m->old_family) ||
1212 xfrm_addr_cmp(&x->props.saddr, &m->old_saddr,
1213 m->old_family))
1214 continue;
1215 xfrm_state_hold(x);
1216 return x;
1217 }
1218 } else {
1219 h = xfrm_src_hash(&m->old_daddr, &m->old_saddr,
1220 m->old_family);
1221 hlist_for_each_entry(x, entry, xfrm_state_bysrc+h, bysrc) {
1222 if (x->props.mode != m->mode ||
1223 x->id.proto != m->proto)
1224 continue;
1225 if (xfrm_addr_cmp(&x->id.daddr, &m->old_daddr,
1226 m->old_family) ||
1227 xfrm_addr_cmp(&x->props.saddr, &m->old_saddr,
1228 m->old_family))
1229 continue;
1230 xfrm_state_hold(x);
1231 return x;
1232 }
1233 }
1234
1235 return NULL;
1236 }
1237 EXPORT_SYMBOL(xfrm_migrate_state_find);
1238
1239 struct xfrm_state * xfrm_state_migrate(struct xfrm_state *x,
1240 struct xfrm_migrate *m)
1241 {
1242 struct xfrm_state *xc;
1243 int err;
1244
1245 xc = xfrm_state_clone(x, &err);
1246 if (!xc)
1247 return NULL;
1248
1249 memcpy(&xc->id.daddr, &m->new_daddr, sizeof(xc->id.daddr));
1250 memcpy(&xc->props.saddr, &m->new_saddr, sizeof(xc->props.saddr));
1251
1252 /* add state */
1253 if (!xfrm_addr_cmp(&x->id.daddr, &m->new_daddr, m->new_family)) {
1254 /* a care is needed when the destination address of the
1255 state is to be updated as it is a part of triplet */
1256 xfrm_state_insert(xc);
1257 } else {
1258 if ((err = xfrm_state_add(xc)) < 0)
1259 goto error;
1260 }
1261
1262 return xc;
1263 error:
1264 kfree(xc);
1265 return NULL;
1266 }
1267 EXPORT_SYMBOL(xfrm_state_migrate);
1268 #endif
1269
1270 int xfrm_state_update(struct xfrm_state *x)
1271 {
1272 struct xfrm_state *x1;
1273 int err;
1274 int use_spi = xfrm_id_proto_match(x->id.proto, IPSEC_PROTO_ANY);
1275
1276 spin_lock_bh(&xfrm_state_lock);
1277 x1 = __xfrm_state_locate(x, use_spi, x->props.family);
1278
1279 err = -ESRCH;
1280 if (!x1)
1281 goto out;
1282
1283 if (xfrm_state_kern(x1)) {
1284 xfrm_state_put(x1);
1285 err = -EEXIST;
1286 goto out;
1287 }
1288
1289 if (x1->km.state == XFRM_STATE_ACQ) {
1290 __xfrm_state_insert(x);
1291 x = NULL;
1292 }
1293 err = 0;
1294
1295 out:
1296 spin_unlock_bh(&xfrm_state_lock);
1297
1298 if (err)
1299 return err;
1300
1301 if (!x) {
1302 xfrm_state_delete(x1);
1303 xfrm_state_put(x1);
1304 return 0;
1305 }
1306
1307 err = -EINVAL;
1308 spin_lock_bh(&x1->lock);
1309 if (likely(x1->km.state == XFRM_STATE_VALID)) {
1310 if (x->encap && x1->encap)
1311 memcpy(x1->encap, x->encap, sizeof(*x1->encap));
1312 if (x->coaddr && x1->coaddr) {
1313 memcpy(x1->coaddr, x->coaddr, sizeof(*x1->coaddr));
1314 }
1315 if (!use_spi && memcmp(&x1->sel, &x->sel, sizeof(x1->sel)))
1316 memcpy(&x1->sel, &x->sel, sizeof(x1->sel));
1317 memcpy(&x1->lft, &x->lft, sizeof(x1->lft));
1318 x1->km.dying = 0;
1319
1320 mod_timer(&x1->timer, jiffies + HZ);
1321 if (x1->curlft.use_time)
1322 xfrm_state_check_expire(x1);
1323
1324 err = 0;
1325 }
1326 spin_unlock_bh(&x1->lock);
1327
1328 xfrm_state_put(x1);
1329
1330 return err;
1331 }
1332 EXPORT_SYMBOL(xfrm_state_update);
1333
1334 int xfrm_state_check_expire(struct xfrm_state *x)
1335 {
1336 if (!x->curlft.use_time)
1337 x->curlft.use_time = get_seconds();
1338
1339 if (x->km.state != XFRM_STATE_VALID)
1340 return -EINVAL;
1341
1342 if (x->curlft.bytes >= x->lft.hard_byte_limit ||
1343 x->curlft.packets >= x->lft.hard_packet_limit) {
1344 x->km.state = XFRM_STATE_EXPIRED;
1345 mod_timer(&x->timer, jiffies);
1346 return -EINVAL;
1347 }
1348
1349 if (!x->km.dying &&
1350 (x->curlft.bytes >= x->lft.soft_byte_limit ||
1351 x->curlft.packets >= x->lft.soft_packet_limit)) {
1352 x->km.dying = 1;
1353 km_state_expired(x, 0, 0);
1354 }
1355 return 0;
1356 }
1357 EXPORT_SYMBOL(xfrm_state_check_expire);
1358
1359 struct xfrm_state *
1360 xfrm_state_lookup(xfrm_address_t *daddr, __be32 spi, u8 proto,
1361 unsigned short family)
1362 {
1363 struct xfrm_state *x;
1364
1365 spin_lock_bh(&xfrm_state_lock);
1366 x = __xfrm_state_lookup(daddr, spi, proto, family);
1367 spin_unlock_bh(&xfrm_state_lock);
1368 return x;
1369 }
1370 EXPORT_SYMBOL(xfrm_state_lookup);
1371
1372 struct xfrm_state *
1373 xfrm_state_lookup_byaddr(xfrm_address_t *daddr, xfrm_address_t *saddr,
1374 u8 proto, unsigned short family)
1375 {
1376 struct xfrm_state *x;
1377
1378 spin_lock_bh(&xfrm_state_lock);
1379 x = __xfrm_state_lookup_byaddr(daddr, saddr, proto, family);
1380 spin_unlock_bh(&xfrm_state_lock);
1381 return x;
1382 }
1383 EXPORT_SYMBOL(xfrm_state_lookup_byaddr);
1384
1385 struct xfrm_state *
1386 xfrm_find_acq(u8 mode, u32 reqid, u8 proto,
1387 xfrm_address_t *daddr, xfrm_address_t *saddr,
1388 int create, unsigned short family)
1389 {
1390 struct xfrm_state *x;
1391
1392 spin_lock_bh(&xfrm_state_lock);
1393 x = __find_acq_core(family, mode, reqid, proto, daddr, saddr, create);
1394 spin_unlock_bh(&xfrm_state_lock);
1395
1396 return x;
1397 }
1398 EXPORT_SYMBOL(xfrm_find_acq);
1399
1400 #ifdef CONFIG_XFRM_SUB_POLICY
1401 int
1402 xfrm_tmpl_sort(struct xfrm_tmpl **dst, struct xfrm_tmpl **src, int n,
1403 unsigned short family)
1404 {
1405 int err = 0;
1406 struct xfrm_state_afinfo *afinfo = xfrm_state_get_afinfo(family);
1407 if (!afinfo)
1408 return -EAFNOSUPPORT;
1409
1410 spin_lock_bh(&xfrm_state_lock);
1411 if (afinfo->tmpl_sort)
1412 err = afinfo->tmpl_sort(dst, src, n);
1413 spin_unlock_bh(&xfrm_state_lock);
1414 xfrm_state_put_afinfo(afinfo);
1415 return err;
1416 }
1417 EXPORT_SYMBOL(xfrm_tmpl_sort);
1418
1419 int
1420 xfrm_state_sort(struct xfrm_state **dst, struct xfrm_state **src, int n,
1421 unsigned short family)
1422 {
1423 int err = 0;
1424 struct xfrm_state_afinfo *afinfo = xfrm_state_get_afinfo(family);
1425 if (!afinfo)
1426 return -EAFNOSUPPORT;
1427
1428 spin_lock_bh(&xfrm_state_lock);
1429 if (afinfo->state_sort)
1430 err = afinfo->state_sort(dst, src, n);
1431 spin_unlock_bh(&xfrm_state_lock);
1432 xfrm_state_put_afinfo(afinfo);
1433 return err;
1434 }
1435 EXPORT_SYMBOL(xfrm_state_sort);
1436 #endif
1437
1438 /* Silly enough, but I'm lazy to build resolution list */
1439
1440 static struct xfrm_state *__xfrm_find_acq_byseq(u32 seq)
1441 {
1442 int i;
1443
1444 for (i = 0; i <= xfrm_state_hmask; i++) {
1445 struct hlist_node *entry;
1446 struct xfrm_state *x;
1447
1448 hlist_for_each_entry(x, entry, xfrm_state_bydst+i, bydst) {
1449 if (x->km.seq == seq &&
1450 x->km.state == XFRM_STATE_ACQ) {
1451 xfrm_state_hold(x);
1452 return x;
1453 }
1454 }
1455 }
1456 return NULL;
1457 }
1458
1459 struct xfrm_state *xfrm_find_acq_byseq(u32 seq)
1460 {
1461 struct xfrm_state *x;
1462
1463 spin_lock_bh(&xfrm_state_lock);
1464 x = __xfrm_find_acq_byseq(seq);
1465 spin_unlock_bh(&xfrm_state_lock);
1466 return x;
1467 }
1468 EXPORT_SYMBOL(xfrm_find_acq_byseq);
1469
1470 u32 xfrm_get_acqseq(void)
1471 {
1472 u32 res;
1473 static u32 acqseq;
1474 static DEFINE_SPINLOCK(acqseq_lock);
1475
1476 spin_lock_bh(&acqseq_lock);
1477 res = (++acqseq ? : ++acqseq);
1478 spin_unlock_bh(&acqseq_lock);
1479 return res;
1480 }
1481 EXPORT_SYMBOL(xfrm_get_acqseq);
1482
1483 int xfrm_alloc_spi(struct xfrm_state *x, u32 low, u32 high)
1484 {
1485 unsigned int h;
1486 struct xfrm_state *x0;
1487 int err = -ENOENT;
1488 __be32 minspi = htonl(low);
1489 __be32 maxspi = htonl(high);
1490
1491 spin_lock_bh(&x->lock);
1492 if (x->km.state == XFRM_STATE_DEAD)
1493 goto unlock;
1494
1495 err = 0;
1496 if (x->id.spi)
1497 goto unlock;
1498
1499 err = -ENOENT;
1500
1501 if (minspi == maxspi) {
1502 x0 = xfrm_state_lookup(&x->id.daddr, minspi, x->id.proto, x->props.family);
1503 if (x0) {
1504 xfrm_state_put(x0);
1505 goto unlock;
1506 }
1507 x->id.spi = minspi;
1508 } else {
1509 u32 spi = 0;
1510 for (h=0; h<high-low+1; h++) {
1511 spi = low + net_random()%(high-low+1);
1512 x0 = xfrm_state_lookup(&x->id.daddr, htonl(spi), x->id.proto, x->props.family);
1513 if (x0 == NULL) {
1514 x->id.spi = htonl(spi);
1515 break;
1516 }
1517 xfrm_state_put(x0);
1518 }
1519 }
1520 if (x->id.spi) {
1521 spin_lock_bh(&xfrm_state_lock);
1522 h = xfrm_spi_hash(&x->id.daddr, x->id.spi, x->id.proto, x->props.family);
1523 hlist_add_head(&x->byspi, xfrm_state_byspi+h);
1524 spin_unlock_bh(&xfrm_state_lock);
1525
1526 err = 0;
1527 }
1528
1529 unlock:
1530 spin_unlock_bh(&x->lock);
1531
1532 return err;
1533 }
1534 EXPORT_SYMBOL(xfrm_alloc_spi);
1535
1536 int xfrm_state_walk(struct xfrm_state_walk *walk,
1537 int (*func)(struct xfrm_state *, int, void*),
1538 void *data)
1539 {
1540 struct xfrm_state *old, *x, *last = NULL;
1541 int err = 0;
1542
1543 if (walk->state == NULL && walk->count != 0)
1544 return 0;
1545
1546 old = x = walk->state;
1547 walk->state = NULL;
1548 spin_lock_bh(&xfrm_state_lock);
1549 if (x == NULL)
1550 x = list_first_entry(&xfrm_state_all, struct xfrm_state, all);
1551 list_for_each_entry_from(x, &xfrm_state_all, all) {
1552 if (x->km.state == XFRM_STATE_DEAD)
1553 continue;
1554 if (!xfrm_id_proto_match(x->id.proto, walk->proto))
1555 continue;
1556 if (last) {
1557 err = func(last, walk->count, data);
1558 if (err) {
1559 xfrm_state_hold(last);
1560 walk->state = last;
1561 goto out;
1562 }
1563 }
1564 last = x;
1565 walk->count++;
1566 }
1567 if (walk->count == 0) {
1568 err = -ENOENT;
1569 goto out;
1570 }
1571 if (last)
1572 err = func(last, 0, data);
1573 out:
1574 spin_unlock_bh(&xfrm_state_lock);
1575 if (old != NULL)
1576 xfrm_state_put(old);
1577 return err;
1578 }
1579 EXPORT_SYMBOL(xfrm_state_walk);
1580
1581
1582 void xfrm_replay_notify(struct xfrm_state *x, int event)
1583 {
1584 struct km_event c;
1585 /* we send notify messages in case
1586 * 1. we updated on of the sequence numbers, and the seqno difference
1587 * is at least x->replay_maxdiff, in this case we also update the
1588 * timeout of our timer function
1589 * 2. if x->replay_maxage has elapsed since last update,
1590 * and there were changes
1591 *
1592 * The state structure must be locked!
1593 */
1594
1595 switch (event) {
1596 case XFRM_REPLAY_UPDATE:
1597 if (x->replay_maxdiff &&
1598 (x->replay.seq - x->preplay.seq < x->replay_maxdiff) &&
1599 (x->replay.oseq - x->preplay.oseq < x->replay_maxdiff)) {
1600 if (x->xflags & XFRM_TIME_DEFER)
1601 event = XFRM_REPLAY_TIMEOUT;
1602 else
1603 return;
1604 }
1605
1606 break;
1607
1608 case XFRM_REPLAY_TIMEOUT:
1609 if ((x->replay.seq == x->preplay.seq) &&
1610 (x->replay.bitmap == x->preplay.bitmap) &&
1611 (x->replay.oseq == x->preplay.oseq)) {
1612 x->xflags |= XFRM_TIME_DEFER;
1613 return;
1614 }
1615
1616 break;
1617 }
1618
1619 memcpy(&x->preplay, &x->replay, sizeof(struct xfrm_replay_state));
1620 c.event = XFRM_MSG_NEWAE;
1621 c.data.aevent = event;
1622 km_state_notify(x, &c);
1623
1624 if (x->replay_maxage &&
1625 !mod_timer(&x->rtimer, jiffies + x->replay_maxage))
1626 x->xflags &= ~XFRM_TIME_DEFER;
1627 }
1628
1629 static void xfrm_replay_timer_handler(unsigned long data)
1630 {
1631 struct xfrm_state *x = (struct xfrm_state*)data;
1632
1633 spin_lock(&x->lock);
1634
1635 if (x->km.state == XFRM_STATE_VALID) {
1636 if (xfrm_aevent_is_on())
1637 xfrm_replay_notify(x, XFRM_REPLAY_TIMEOUT);
1638 else
1639 x->xflags |= XFRM_TIME_DEFER;
1640 }
1641
1642 spin_unlock(&x->lock);
1643 }
1644
1645 int xfrm_replay_check(struct xfrm_state *x,
1646 struct sk_buff *skb, __be32 net_seq)
1647 {
1648 u32 diff;
1649 u32 seq = ntohl(net_seq);
1650
1651 if (unlikely(seq == 0))
1652 goto err;
1653
1654 if (likely(seq > x->replay.seq))
1655 return 0;
1656
1657 diff = x->replay.seq - seq;
1658 if (diff >= min_t(unsigned int, x->props.replay_window,
1659 sizeof(x->replay.bitmap) * 8)) {
1660 x->stats.replay_window++;
1661 goto err;
1662 }
1663
1664 if (x->replay.bitmap & (1U << diff)) {
1665 x->stats.replay++;
1666 goto err;
1667 }
1668 return 0;
1669
1670 err:
1671 xfrm_audit_state_replay(x, skb, net_seq);
1672 return -EINVAL;
1673 }
1674
1675 void xfrm_replay_advance(struct xfrm_state *x, __be32 net_seq)
1676 {
1677 u32 diff;
1678 u32 seq = ntohl(net_seq);
1679
1680 if (seq > x->replay.seq) {
1681 diff = seq - x->replay.seq;
1682 if (diff < x->props.replay_window)
1683 x->replay.bitmap = ((x->replay.bitmap) << diff) | 1;
1684 else
1685 x->replay.bitmap = 1;
1686 x->replay.seq = seq;
1687 } else {
1688 diff = x->replay.seq - seq;
1689 x->replay.bitmap |= (1U << diff);
1690 }
1691
1692 if (xfrm_aevent_is_on())
1693 xfrm_replay_notify(x, XFRM_REPLAY_UPDATE);
1694 }
1695
1696 static LIST_HEAD(xfrm_km_list);
1697 static DEFINE_RWLOCK(xfrm_km_lock);
1698
1699 void km_policy_notify(struct xfrm_policy *xp, int dir, struct km_event *c)
1700 {
1701 struct xfrm_mgr *km;
1702
1703 read_lock(&xfrm_km_lock);
1704 list_for_each_entry(km, &xfrm_km_list, list)
1705 if (km->notify_policy)
1706 km->notify_policy(xp, dir, c);
1707 read_unlock(&xfrm_km_lock);
1708 }
1709
1710 void km_state_notify(struct xfrm_state *x, struct km_event *c)
1711 {
1712 struct xfrm_mgr *km;
1713 read_lock(&xfrm_km_lock);
1714 list_for_each_entry(km, &xfrm_km_list, list)
1715 if (km->notify)
1716 km->notify(x, c);
1717 read_unlock(&xfrm_km_lock);
1718 }
1719
1720 EXPORT_SYMBOL(km_policy_notify);
1721 EXPORT_SYMBOL(km_state_notify);
1722
1723 void km_state_expired(struct xfrm_state *x, int hard, u32 pid)
1724 {
1725 struct km_event c;
1726
1727 c.data.hard = hard;
1728 c.pid = pid;
1729 c.event = XFRM_MSG_EXPIRE;
1730 km_state_notify(x, &c);
1731
1732 if (hard)
1733 wake_up(&km_waitq);
1734 }
1735
1736 EXPORT_SYMBOL(km_state_expired);
1737 /*
1738 * We send to all registered managers regardless of failure
1739 * We are happy with one success
1740 */
1741 int km_query(struct xfrm_state *x, struct xfrm_tmpl *t, struct xfrm_policy *pol)
1742 {
1743 int err = -EINVAL, acqret;
1744 struct xfrm_mgr *km;
1745
1746 read_lock(&xfrm_km_lock);
1747 list_for_each_entry(km, &xfrm_km_list, list) {
1748 acqret = km->acquire(x, t, pol, XFRM_POLICY_OUT);
1749 if (!acqret)
1750 err = acqret;
1751 }
1752 read_unlock(&xfrm_km_lock);
1753 return err;
1754 }
1755 EXPORT_SYMBOL(km_query);
1756
1757 int km_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport)
1758 {
1759 int err = -EINVAL;
1760 struct xfrm_mgr *km;
1761
1762 read_lock(&xfrm_km_lock);
1763 list_for_each_entry(km, &xfrm_km_list, list) {
1764 if (km->new_mapping)
1765 err = km->new_mapping(x, ipaddr, sport);
1766 if (!err)
1767 break;
1768 }
1769 read_unlock(&xfrm_km_lock);
1770 return err;
1771 }
1772 EXPORT_SYMBOL(km_new_mapping);
1773
1774 void km_policy_expired(struct xfrm_policy *pol, int dir, int hard, u32 pid)
1775 {
1776 struct km_event c;
1777
1778 c.data.hard = hard;
1779 c.pid = pid;
1780 c.event = XFRM_MSG_POLEXPIRE;
1781 km_policy_notify(pol, dir, &c);
1782
1783 if (hard)
1784 wake_up(&km_waitq);
1785 }
1786 EXPORT_SYMBOL(km_policy_expired);
1787
1788 #ifdef CONFIG_XFRM_MIGRATE
1789 int km_migrate(struct xfrm_selector *sel, u8 dir, u8 type,
1790 struct xfrm_migrate *m, int num_migrate)
1791 {
1792 int err = -EINVAL;
1793 int ret;
1794 struct xfrm_mgr *km;
1795
1796 read_lock(&xfrm_km_lock);
1797 list_for_each_entry(km, &xfrm_km_list, list) {
1798 if (km->migrate) {
1799 ret = km->migrate(sel, dir, type, m, num_migrate);
1800 if (!ret)
1801 err = ret;
1802 }
1803 }
1804 read_unlock(&xfrm_km_lock);
1805 return err;
1806 }
1807 EXPORT_SYMBOL(km_migrate);
1808 #endif
1809
1810 int km_report(u8 proto, struct xfrm_selector *sel, xfrm_address_t *addr)
1811 {
1812 int err = -EINVAL;
1813 int ret;
1814 struct xfrm_mgr *km;
1815
1816 read_lock(&xfrm_km_lock);
1817 list_for_each_entry(km, &xfrm_km_list, list) {
1818 if (km->report) {
1819 ret = km->report(proto, sel, addr);
1820 if (!ret)
1821 err = ret;
1822 }
1823 }
1824 read_unlock(&xfrm_km_lock);
1825 return err;
1826 }
1827 EXPORT_SYMBOL(km_report);
1828
1829 int xfrm_user_policy(struct sock *sk, int optname, u8 __user *optval, int optlen)
1830 {
1831 int err;
1832 u8 *data;
1833 struct xfrm_mgr *km;
1834 struct xfrm_policy *pol = NULL;
1835
1836 if (optlen <= 0 || optlen > PAGE_SIZE)
1837 return -EMSGSIZE;
1838
1839 data = kmalloc(optlen, GFP_KERNEL);
1840 if (!data)
1841 return -ENOMEM;
1842
1843 err = -EFAULT;
1844 if (copy_from_user(data, optval, optlen))
1845 goto out;
1846
1847 err = -EINVAL;
1848 read_lock(&xfrm_km_lock);
1849 list_for_each_entry(km, &xfrm_km_list, list) {
1850 pol = km->compile_policy(sk, optname, data,
1851 optlen, &err);
1852 if (err >= 0)
1853 break;
1854 }
1855 read_unlock(&xfrm_km_lock);
1856
1857 if (err >= 0) {
1858 xfrm_sk_policy_insert(sk, err, pol);
1859 xfrm_pol_put(pol);
1860 err = 0;
1861 }
1862
1863 out:
1864 kfree(data);
1865 return err;
1866 }
1867 EXPORT_SYMBOL(xfrm_user_policy);
1868
1869 int xfrm_register_km(struct xfrm_mgr *km)
1870 {
1871 write_lock_bh(&xfrm_km_lock);
1872 list_add_tail(&km->list, &xfrm_km_list);
1873 write_unlock_bh(&xfrm_km_lock);
1874 return 0;
1875 }
1876 EXPORT_SYMBOL(xfrm_register_km);
1877
1878 int xfrm_unregister_km(struct xfrm_mgr *km)
1879 {
1880 write_lock_bh(&xfrm_km_lock);
1881 list_del(&km->list);
1882 write_unlock_bh(&xfrm_km_lock);
1883 return 0;
1884 }
1885 EXPORT_SYMBOL(xfrm_unregister_km);
1886
1887 int xfrm_state_register_afinfo(struct xfrm_state_afinfo *afinfo)
1888 {
1889 int err = 0;
1890 if (unlikely(afinfo == NULL))
1891 return -EINVAL;
1892 if (unlikely(afinfo->family >= NPROTO))
1893 return -EAFNOSUPPORT;
1894 write_lock_bh(&xfrm_state_afinfo_lock);
1895 if (unlikely(xfrm_state_afinfo[afinfo->family] != NULL))
1896 err = -ENOBUFS;
1897 else
1898 xfrm_state_afinfo[afinfo->family] = afinfo;
1899 write_unlock_bh(&xfrm_state_afinfo_lock);
1900 return err;
1901 }
1902 EXPORT_SYMBOL(xfrm_state_register_afinfo);
1903
1904 int xfrm_state_unregister_afinfo(struct xfrm_state_afinfo *afinfo)
1905 {
1906 int err = 0;
1907 if (unlikely(afinfo == NULL))
1908 return -EINVAL;
1909 if (unlikely(afinfo->family >= NPROTO))
1910 return -EAFNOSUPPORT;
1911 write_lock_bh(&xfrm_state_afinfo_lock);
1912 if (likely(xfrm_state_afinfo[afinfo->family] != NULL)) {
1913 if (unlikely(xfrm_state_afinfo[afinfo->family] != afinfo))
1914 err = -EINVAL;
1915 else
1916 xfrm_state_afinfo[afinfo->family] = NULL;
1917 }
1918 write_unlock_bh(&xfrm_state_afinfo_lock);
1919 return err;
1920 }
1921 EXPORT_SYMBOL(xfrm_state_unregister_afinfo);
1922
1923 static struct xfrm_state_afinfo *xfrm_state_get_afinfo(unsigned int family)
1924 {
1925 struct xfrm_state_afinfo *afinfo;
1926 if (unlikely(family >= NPROTO))
1927 return NULL;
1928 read_lock(&xfrm_state_afinfo_lock);
1929 afinfo = xfrm_state_afinfo[family];
1930 if (unlikely(!afinfo))
1931 read_unlock(&xfrm_state_afinfo_lock);
1932 return afinfo;
1933 }
1934
1935 static void xfrm_state_put_afinfo(struct xfrm_state_afinfo *afinfo)
1936 __releases(xfrm_state_afinfo_lock)
1937 {
1938 read_unlock(&xfrm_state_afinfo_lock);
1939 }
1940
1941 /* Temporarily located here until net/xfrm/xfrm_tunnel.c is created */
1942 void xfrm_state_delete_tunnel(struct xfrm_state *x)
1943 {
1944 if (x->tunnel) {
1945 struct xfrm_state *t = x->tunnel;
1946
1947 if (atomic_read(&t->tunnel_users) == 2)
1948 xfrm_state_delete(t);
1949 atomic_dec(&t->tunnel_users);
1950 xfrm_state_put(t);
1951 x->tunnel = NULL;
1952 }
1953 }
1954 EXPORT_SYMBOL(xfrm_state_delete_tunnel);
1955
1956 int xfrm_state_mtu(struct xfrm_state *x, int mtu)
1957 {
1958 int res;
1959
1960 spin_lock_bh(&x->lock);
1961 if (x->km.state == XFRM_STATE_VALID &&
1962 x->type && x->type->get_mtu)
1963 res = x->type->get_mtu(x, mtu);
1964 else
1965 res = mtu - x->props.header_len;
1966 spin_unlock_bh(&x->lock);
1967 return res;
1968 }
1969
1970 int xfrm_init_state(struct xfrm_state *x)
1971 {
1972 struct xfrm_state_afinfo *afinfo;
1973 struct xfrm_mode *inner_mode;
1974 int family = x->props.family;
1975 int err;
1976
1977 err = -EAFNOSUPPORT;
1978 afinfo = xfrm_state_get_afinfo(family);
1979 if (!afinfo)
1980 goto error;
1981
1982 err = 0;
1983 if (afinfo->init_flags)
1984 err = afinfo->init_flags(x);
1985
1986 xfrm_state_put_afinfo(afinfo);
1987
1988 if (err)
1989 goto error;
1990
1991 err = -EPROTONOSUPPORT;
1992
1993 if (x->sel.family != AF_UNSPEC) {
1994 inner_mode = xfrm_get_mode(x->props.mode, x->sel.family);
1995 if (inner_mode == NULL)
1996 goto error;
1997
1998 if (!(inner_mode->flags & XFRM_MODE_FLAG_TUNNEL) &&
1999 family != x->sel.family) {
2000 xfrm_put_mode(inner_mode);
2001 goto error;
2002 }
2003
2004 x->inner_mode = inner_mode;
2005 } else {
2006 struct xfrm_mode *inner_mode_iaf;
2007
2008 inner_mode = xfrm_get_mode(x->props.mode, AF_INET);
2009 if (inner_mode == NULL)
2010 goto error;
2011
2012 if (!(inner_mode->flags & XFRM_MODE_FLAG_TUNNEL)) {
2013 xfrm_put_mode(inner_mode);
2014 goto error;
2015 }
2016
2017 inner_mode_iaf = xfrm_get_mode(x->props.mode, AF_INET6);
2018 if (inner_mode_iaf == NULL)
2019 goto error;
2020
2021 if (!(inner_mode_iaf->flags & XFRM_MODE_FLAG_TUNNEL)) {
2022 xfrm_put_mode(inner_mode_iaf);
2023 goto error;
2024 }
2025
2026 if (x->props.family == AF_INET) {
2027 x->inner_mode = inner_mode;
2028 x->inner_mode_iaf = inner_mode_iaf;
2029 } else {
2030 x->inner_mode = inner_mode_iaf;
2031 x->inner_mode_iaf = inner_mode;
2032 }
2033 }
2034
2035 x->type = xfrm_get_type(x->id.proto, family);
2036 if (x->type == NULL)
2037 goto error;
2038
2039 err = x->type->init_state(x);
2040 if (err)
2041 goto error;
2042
2043 x->outer_mode = xfrm_get_mode(x->props.mode, family);
2044 if (x->outer_mode == NULL)
2045 goto error;
2046
2047 x->km.state = XFRM_STATE_VALID;
2048
2049 error:
2050 return err;
2051 }
2052
2053 EXPORT_SYMBOL(xfrm_init_state);
2054
2055 void __init xfrm_state_init(void)
2056 {
2057 unsigned int sz;
2058
2059 sz = sizeof(struct hlist_head) * 8;
2060
2061 xfrm_state_bydst = xfrm_hash_alloc(sz);
2062 xfrm_state_bysrc = xfrm_hash_alloc(sz);
2063 xfrm_state_byspi = xfrm_hash_alloc(sz);
2064 if (!xfrm_state_bydst || !xfrm_state_bysrc || !xfrm_state_byspi)
2065 panic("XFRM: Cannot allocate bydst/bysrc/byspi hashes.");
2066 xfrm_state_hmask = ((sz / sizeof(struct hlist_head)) - 1);
2067
2068 INIT_WORK(&xfrm_state_gc_work, xfrm_state_gc_task);
2069 }
2070
2071 #ifdef CONFIG_AUDITSYSCALL
2072 static void xfrm_audit_helper_sainfo(struct xfrm_state *x,
2073 struct audit_buffer *audit_buf)
2074 {
2075 struct xfrm_sec_ctx *ctx = x->security;
2076 u32 spi = ntohl(x->id.spi);
2077
2078 if (ctx)
2079 audit_log_format(audit_buf, " sec_alg=%u sec_doi=%u sec_obj=%s",
2080 ctx->ctx_alg, ctx->ctx_doi, ctx->ctx_str);
2081
2082 switch(x->props.family) {
2083 case AF_INET:
2084 audit_log_format(audit_buf,
2085 " src=" NIPQUAD_FMT " dst=" NIPQUAD_FMT,
2086 NIPQUAD(x->props.saddr.a4),
2087 NIPQUAD(x->id.daddr.a4));
2088 break;
2089 case AF_INET6:
2090 audit_log_format(audit_buf,
2091 " src=" NIP6_FMT " dst=" NIP6_FMT,
2092 NIP6(*(struct in6_addr *)x->props.saddr.a6),
2093 NIP6(*(struct in6_addr *)x->id.daddr.a6));
2094 break;
2095 }
2096
2097 audit_log_format(audit_buf, " spi=%u(0x%x)", spi, spi);
2098 }
2099
2100 static void xfrm_audit_helper_pktinfo(struct sk_buff *skb, u16 family,
2101 struct audit_buffer *audit_buf)
2102 {
2103 struct iphdr *iph4;
2104 struct ipv6hdr *iph6;
2105
2106 switch (family) {
2107 case AF_INET:
2108 iph4 = ip_hdr(skb);
2109 audit_log_format(audit_buf,
2110 " src=" NIPQUAD_FMT " dst=" NIPQUAD_FMT,
2111 NIPQUAD(iph4->saddr),
2112 NIPQUAD(iph4->daddr));
2113 break;
2114 case AF_INET6:
2115 iph6 = ipv6_hdr(skb);
2116 audit_log_format(audit_buf,
2117 " src=" NIP6_FMT " dst=" NIP6_FMT
2118 " flowlbl=0x%x%x%x",
2119 NIP6(iph6->saddr),
2120 NIP6(iph6->daddr),
2121 iph6->flow_lbl[0] & 0x0f,
2122 iph6->flow_lbl[1],
2123 iph6->flow_lbl[2]);
2124 break;
2125 }
2126 }
2127
2128 void xfrm_audit_state_add(struct xfrm_state *x, int result,
2129 uid_t auid, u32 sessionid, u32 secid)
2130 {
2131 struct audit_buffer *audit_buf;
2132
2133 audit_buf = xfrm_audit_start("SAD-add");
2134 if (audit_buf == NULL)
2135 return;
2136 xfrm_audit_helper_usrinfo(auid, sessionid, secid, audit_buf);
2137 xfrm_audit_helper_sainfo(x, audit_buf);
2138 audit_log_format(audit_buf, " res=%u", result);
2139 audit_log_end(audit_buf);
2140 }
2141 EXPORT_SYMBOL_GPL(xfrm_audit_state_add);
2142
2143 void xfrm_audit_state_delete(struct xfrm_state *x, int result,
2144 uid_t auid, u32 sessionid, u32 secid)
2145 {
2146 struct audit_buffer *audit_buf;
2147
2148 audit_buf = xfrm_audit_start("SAD-delete");
2149 if (audit_buf == NULL)
2150 return;
2151 xfrm_audit_helper_usrinfo(auid, sessionid, secid, audit_buf);
2152 xfrm_audit_helper_sainfo(x, audit_buf);
2153 audit_log_format(audit_buf, " res=%u", result);
2154 audit_log_end(audit_buf);
2155 }
2156 EXPORT_SYMBOL_GPL(xfrm_audit_state_delete);
2157
2158 void xfrm_audit_state_replay_overflow(struct xfrm_state *x,
2159 struct sk_buff *skb)
2160 {
2161 struct audit_buffer *audit_buf;
2162 u32 spi;
2163
2164 audit_buf = xfrm_audit_start("SA-replay-overflow");
2165 if (audit_buf == NULL)
2166 return;
2167 xfrm_audit_helper_pktinfo(skb, x->props.family, audit_buf);
2168 /* don't record the sequence number because it's inherent in this kind
2169 * of audit message */
2170 spi = ntohl(x->id.spi);
2171 audit_log_format(audit_buf, " spi=%u(0x%x)", spi, spi);
2172 audit_log_end(audit_buf);
2173 }
2174 EXPORT_SYMBOL_GPL(xfrm_audit_state_replay_overflow);
2175
2176 static void xfrm_audit_state_replay(struct xfrm_state *x,
2177 struct sk_buff *skb, __be32 net_seq)
2178 {
2179 struct audit_buffer *audit_buf;
2180 u32 spi;
2181
2182 audit_buf = xfrm_audit_start("SA-replayed-pkt");
2183 if (audit_buf == NULL)
2184 return;
2185 xfrm_audit_helper_pktinfo(skb, x->props.family, audit_buf);
2186 spi = ntohl(x->id.spi);
2187 audit_log_format(audit_buf, " spi=%u(0x%x) seqno=%u",
2188 spi, spi, ntohl(net_seq));
2189 audit_log_end(audit_buf);
2190 }
2191
2192 void xfrm_audit_state_notfound_simple(struct sk_buff *skb, u16 family)
2193 {
2194 struct audit_buffer *audit_buf;
2195
2196 audit_buf = xfrm_audit_start("SA-notfound");
2197 if (audit_buf == NULL)
2198 return;
2199 xfrm_audit_helper_pktinfo(skb, family, audit_buf);
2200 audit_log_end(audit_buf);
2201 }
2202 EXPORT_SYMBOL_GPL(xfrm_audit_state_notfound_simple);
2203
2204 void xfrm_audit_state_notfound(struct sk_buff *skb, u16 family,
2205 __be32 net_spi, __be32 net_seq)
2206 {
2207 struct audit_buffer *audit_buf;
2208 u32 spi;
2209
2210 audit_buf = xfrm_audit_start("SA-notfound");
2211 if (audit_buf == NULL)
2212 return;
2213 xfrm_audit_helper_pktinfo(skb, family, audit_buf);
2214 spi = ntohl(net_spi);
2215 audit_log_format(audit_buf, " spi=%u(0x%x) seqno=%u",
2216 spi, spi, ntohl(net_seq));
2217 audit_log_end(audit_buf);
2218 }
2219 EXPORT_SYMBOL_GPL(xfrm_audit_state_notfound);
2220
2221 void xfrm_audit_state_icvfail(struct xfrm_state *x,
2222 struct sk_buff *skb, u8 proto)
2223 {
2224 struct audit_buffer *audit_buf;
2225 __be32 net_spi;
2226 __be32 net_seq;
2227
2228 audit_buf = xfrm_audit_start("SA-icv-failure");
2229 if (audit_buf == NULL)
2230 return;
2231 xfrm_audit_helper_pktinfo(skb, x->props.family, audit_buf);
2232 if (xfrm_parse_spi(skb, proto, &net_spi, &net_seq) == 0) {
2233 u32 spi = ntohl(net_spi);
2234 audit_log_format(audit_buf, " spi=%u(0x%x) seqno=%u",
2235 spi, spi, ntohl(net_seq));
2236 }
2237 audit_log_end(audit_buf);
2238 }
2239 EXPORT_SYMBOL_GPL(xfrm_audit_state_icvfail);
2240 #endif /* CONFIG_AUDITSYSCALL */
Linux kernel - Deliverables
This page took 0.110475 seconds and 5 git commands to generate.