xfrm_state.c revision 7c2776ee21a60e0d370538bd08b9ed82979f6e3a
1/* 2 * xfrm_state.c 3 * 4 * Changes: 5 * Mitsuru KANDA @USAGI 6 * Kazunori MIYAZAWA @USAGI 7 * Kunihiro Ishiguro <kunihiro@ipinfusion.com> 8 * IPv6 support 9 * YOSHIFUJI Hideaki @USAGI 10 * Split up af-specific functions 11 * Derek Atkins <derek@ihtfp.com> 12 * Add UDP Encapsulation 13 * 14 */ 15 16#include <linux/workqueue.h> 17#include <net/xfrm.h> 18#include <linux/pfkeyv2.h> 19#include <linux/ipsec.h> 20#include <linux/module.h> 21#include <linux/cache.h> 22#include <linux/audit.h> 23#include <asm/uaccess.h> 24 25#include "xfrm_hash.h" 26 27u32 sysctl_xfrm_aevent_etime __read_mostly = XFRM_AE_ETIME; 28EXPORT_SYMBOL(sysctl_xfrm_aevent_etime); 29 30u32 sysctl_xfrm_aevent_rseqth __read_mostly = XFRM_AE_SEQT_SIZE; 31EXPORT_SYMBOL(sysctl_xfrm_aevent_rseqth); 32 33u32 sysctl_xfrm_acq_expires __read_mostly = 30; 34 35/* Each xfrm_state may be linked to two tables: 36 37 1. Hash table by (spi,daddr,ah/esp) to find SA by SPI. (input,ctl) 38 2. Hash table by (daddr,family,reqid) to find what SAs exist for given 39 destination/tunnel endpoint. (output) 40 */ 41 42static DEFINE_SPINLOCK(xfrm_state_lock); 43 44static unsigned int xfrm_state_hashmax __read_mostly = 1 * 1024 * 1024; 45static unsigned int xfrm_state_genid; 46 47static struct xfrm_state_afinfo *xfrm_state_get_afinfo(unsigned int family); 48static void xfrm_state_put_afinfo(struct xfrm_state_afinfo *afinfo); 49 50#ifdef CONFIG_AUDITSYSCALL 51static void xfrm_audit_state_replay(struct xfrm_state *x, 52 struct sk_buff *skb, __be32 net_seq); 53#else 54#define xfrm_audit_state_replay(x, s, sq) do { ; } while (0) 55#endif /* CONFIG_AUDITSYSCALL */ 56 57static inline unsigned int xfrm_dst_hash(struct net *net, 58 xfrm_address_t *daddr, 59 xfrm_address_t *saddr, 60 u32 reqid, 61 unsigned short family) 62{ 63 return __xfrm_dst_hash(daddr, saddr, reqid, family, net->xfrm.state_hmask); 64} 65 66static inline unsigned int xfrm_src_hash(struct net *net, 67 xfrm_address_t *daddr, 68 xfrm_address_t *saddr, 69 unsigned short family) 70{ 71 return __xfrm_src_hash(daddr, saddr, family, net->xfrm.state_hmask); 72} 73 74static inline unsigned int 75xfrm_spi_hash(struct net *net, xfrm_address_t *daddr, __be32 spi, u8 proto, unsigned short family) 76{ 77 return __xfrm_spi_hash(daddr, spi, proto, family, net->xfrm.state_hmask); 78} 79 80static void xfrm_hash_transfer(struct hlist_head *list, 81 struct hlist_head *ndsttable, 82 struct hlist_head *nsrctable, 83 struct hlist_head *nspitable, 84 unsigned int nhashmask) 85{ 86 struct hlist_node *entry, *tmp; 87 struct xfrm_state *x; 88 89 hlist_for_each_entry_safe(x, entry, tmp, list, bydst) { 90 unsigned int h; 91 92 h = __xfrm_dst_hash(&x->id.daddr, &x->props.saddr, 93 x->props.reqid, x->props.family, 94 nhashmask); 95 hlist_add_head(&x->bydst, ndsttable+h); 96 97 h = __xfrm_src_hash(&x->id.daddr, &x->props.saddr, 98 x->props.family, 99 nhashmask); 100 hlist_add_head(&x->bysrc, nsrctable+h); 101 102 if (x->id.spi) { 103 h = __xfrm_spi_hash(&x->id.daddr, x->id.spi, 104 x->id.proto, x->props.family, 105 nhashmask); 106 hlist_add_head(&x->byspi, nspitable+h); 107 } 108 } 109} 110 111static unsigned long xfrm_hash_new_size(unsigned int state_hmask) 112{ 113 return ((state_hmask + 1) << 1) * sizeof(struct hlist_head); 114} 115 116static DEFINE_MUTEX(hash_resize_mutex); 117 118static void xfrm_hash_resize(struct work_struct *work) 119{ 120 struct net *net = container_of(work, struct net, xfrm.state_hash_work); 121 struct hlist_head *ndst, *nsrc, *nspi, *odst, *osrc, *ospi; 122 unsigned long nsize, osize; 123 unsigned int nhashmask, ohashmask; 124 int i; 125 126 mutex_lock(&hash_resize_mutex); 127 128 nsize = xfrm_hash_new_size(net->xfrm.state_hmask); 129 ndst = xfrm_hash_alloc(nsize); 130 if (!ndst) 131 goto out_unlock; 132 nsrc = xfrm_hash_alloc(nsize); 133 if (!nsrc) { 134 xfrm_hash_free(ndst, nsize); 135 goto out_unlock; 136 } 137 nspi = xfrm_hash_alloc(nsize); 138 if (!nspi) { 139 xfrm_hash_free(ndst, nsize); 140 xfrm_hash_free(nsrc, nsize); 141 goto out_unlock; 142 } 143 144 spin_lock_bh(&xfrm_state_lock); 145 146 nhashmask = (nsize / sizeof(struct hlist_head)) - 1U; 147 for (i = net->xfrm.state_hmask; i >= 0; i--) 148 xfrm_hash_transfer(net->xfrm.state_bydst+i, ndst, nsrc, nspi, 149 nhashmask); 150 151 odst = net->xfrm.state_bydst; 152 osrc = net->xfrm.state_bysrc; 153 ospi = net->xfrm.state_byspi; 154 ohashmask = net->xfrm.state_hmask; 155 156 net->xfrm.state_bydst = ndst; 157 net->xfrm.state_bysrc = nsrc; 158 net->xfrm.state_byspi = nspi; 159 net->xfrm.state_hmask = nhashmask; 160 161 spin_unlock_bh(&xfrm_state_lock); 162 163 osize = (ohashmask + 1) * sizeof(struct hlist_head); 164 xfrm_hash_free(odst, osize); 165 xfrm_hash_free(osrc, osize); 166 xfrm_hash_free(ospi, osize); 167 168out_unlock: 169 mutex_unlock(&hash_resize_mutex); 170} 171 172static DEFINE_RWLOCK(xfrm_state_afinfo_lock); 173static struct xfrm_state_afinfo *xfrm_state_afinfo[NPROTO]; 174 175static DEFINE_SPINLOCK(xfrm_state_gc_lock); 176 177int __xfrm_state_delete(struct xfrm_state *x); 178 179int km_query(struct xfrm_state *x, struct xfrm_tmpl *t, struct xfrm_policy *pol); 180void km_state_expired(struct xfrm_state *x, int hard, u32 pid); 181 182static struct xfrm_state_afinfo *xfrm_state_lock_afinfo(unsigned int family) 183{ 184 struct xfrm_state_afinfo *afinfo; 185 if (unlikely(family >= NPROTO)) 186 return NULL; 187 write_lock_bh(&xfrm_state_afinfo_lock); 188 afinfo = xfrm_state_afinfo[family]; 189 if (unlikely(!afinfo)) 190 write_unlock_bh(&xfrm_state_afinfo_lock); 191 return afinfo; 192} 193 194static void xfrm_state_unlock_afinfo(struct xfrm_state_afinfo *afinfo) 195 __releases(xfrm_state_afinfo_lock) 196{ 197 write_unlock_bh(&xfrm_state_afinfo_lock); 198} 199 200int xfrm_register_type(const struct xfrm_type *type, unsigned short family) 201{ 202 struct xfrm_state_afinfo *afinfo = xfrm_state_lock_afinfo(family); 203 const struct xfrm_type **typemap; 204 int err = 0; 205 206 if (unlikely(afinfo == NULL)) 207 return -EAFNOSUPPORT; 208 typemap = afinfo->type_map; 209 210 if (likely(typemap[type->proto] == NULL)) 211 typemap[type->proto] = type; 212 else 213 err = -EEXIST; 214 xfrm_state_unlock_afinfo(afinfo); 215 return err; 216} 217EXPORT_SYMBOL(xfrm_register_type); 218 219int xfrm_unregister_type(const struct xfrm_type *type, unsigned short family) 220{ 221 struct xfrm_state_afinfo *afinfo = xfrm_state_lock_afinfo(family); 222 const struct xfrm_type **typemap; 223 int err = 0; 224 225 if (unlikely(afinfo == NULL)) 226 return -EAFNOSUPPORT; 227 typemap = afinfo->type_map; 228 229 if (unlikely(typemap[type->proto] != type)) 230 err = -ENOENT; 231 else 232 typemap[type->proto] = NULL; 233 xfrm_state_unlock_afinfo(afinfo); 234 return err; 235} 236EXPORT_SYMBOL(xfrm_unregister_type); 237 238static const struct xfrm_type *xfrm_get_type(u8 proto, unsigned short family) 239{ 240 struct xfrm_state_afinfo *afinfo; 241 const struct xfrm_type **typemap; 242 const struct xfrm_type *type; 243 int modload_attempted = 0; 244 245retry: 246 afinfo = xfrm_state_get_afinfo(family); 247 if (unlikely(afinfo == NULL)) 248 return NULL; 249 typemap = afinfo->type_map; 250 251 type = typemap[proto]; 252 if (unlikely(type && !try_module_get(type->owner))) 253 type = NULL; 254 if (!type && !modload_attempted) { 255 xfrm_state_put_afinfo(afinfo); 256 request_module("xfrm-type-%d-%d", family, proto); 257 modload_attempted = 1; 258 goto retry; 259 } 260 261 xfrm_state_put_afinfo(afinfo); 262 return type; 263} 264 265static void xfrm_put_type(const struct xfrm_type *type) 266{ 267 module_put(type->owner); 268} 269 270int xfrm_register_mode(struct xfrm_mode *mode, int family) 271{ 272 struct xfrm_state_afinfo *afinfo; 273 struct xfrm_mode **modemap; 274 int err; 275 276 if (unlikely(mode->encap >= XFRM_MODE_MAX)) 277 return -EINVAL; 278 279 afinfo = xfrm_state_lock_afinfo(family); 280 if (unlikely(afinfo == NULL)) 281 return -EAFNOSUPPORT; 282 283 err = -EEXIST; 284 modemap = afinfo->mode_map; 285 if (modemap[mode->encap]) 286 goto out; 287 288 err = -ENOENT; 289 if (!try_module_get(afinfo->owner)) 290 goto out; 291 292 mode->afinfo = afinfo; 293 modemap[mode->encap] = mode; 294 err = 0; 295 296out: 297 xfrm_state_unlock_afinfo(afinfo); 298 return err; 299} 300EXPORT_SYMBOL(xfrm_register_mode); 301 302int xfrm_unregister_mode(struct xfrm_mode *mode, int family) 303{ 304 struct xfrm_state_afinfo *afinfo; 305 struct xfrm_mode **modemap; 306 int err; 307 308 if (unlikely(mode->encap >= XFRM_MODE_MAX)) 309 return -EINVAL; 310 311 afinfo = xfrm_state_lock_afinfo(family); 312 if (unlikely(afinfo == NULL)) 313 return -EAFNOSUPPORT; 314 315 err = -ENOENT; 316 modemap = afinfo->mode_map; 317 if (likely(modemap[mode->encap] == mode)) { 318 modemap[mode->encap] = NULL; 319 module_put(mode->afinfo->owner); 320 err = 0; 321 } 322 323 xfrm_state_unlock_afinfo(afinfo); 324 return err; 325} 326EXPORT_SYMBOL(xfrm_unregister_mode); 327 328static struct xfrm_mode *xfrm_get_mode(unsigned int encap, int family) 329{ 330 struct xfrm_state_afinfo *afinfo; 331 struct xfrm_mode *mode; 332 int modload_attempted = 0; 333 334 if (unlikely(encap >= XFRM_MODE_MAX)) 335 return NULL; 336 337retry: 338 afinfo = xfrm_state_get_afinfo(family); 339 if (unlikely(afinfo == NULL)) 340 return NULL; 341 342 mode = afinfo->mode_map[encap]; 343 if (unlikely(mode && !try_module_get(mode->owner))) 344 mode = NULL; 345 if (!mode && !modload_attempted) { 346 xfrm_state_put_afinfo(afinfo); 347 request_module("xfrm-mode-%d-%d", family, encap); 348 modload_attempted = 1; 349 goto retry; 350 } 351 352 xfrm_state_put_afinfo(afinfo); 353 return mode; 354} 355 356static void xfrm_put_mode(struct xfrm_mode *mode) 357{ 358 module_put(mode->owner); 359} 360 361static void xfrm_state_gc_destroy(struct xfrm_state *x) 362{ 363 del_timer_sync(&x->timer); 364 del_timer_sync(&x->rtimer); 365 kfree(x->aalg); 366 kfree(x->ealg); 367 kfree(x->calg); 368 kfree(x->encap); 369 kfree(x->coaddr); 370 if (x->inner_mode) 371 xfrm_put_mode(x->inner_mode); 372 if (x->inner_mode_iaf) 373 xfrm_put_mode(x->inner_mode_iaf); 374 if (x->outer_mode) 375 xfrm_put_mode(x->outer_mode); 376 if (x->type) { 377 x->type->destructor(x); 378 xfrm_put_type(x->type); 379 } 380 security_xfrm_state_free(x); 381 kfree(x); 382} 383 384static void xfrm_state_gc_task(struct work_struct *work) 385{ 386 struct net *net = container_of(work, struct net, xfrm.state_gc_work); 387 struct xfrm_state *x; 388 struct hlist_node *entry, *tmp; 389 struct hlist_head gc_list; 390 391 spin_lock_bh(&xfrm_state_gc_lock); 392 hlist_move_list(&net->xfrm.state_gc_list, &gc_list); 393 spin_unlock_bh(&xfrm_state_gc_lock); 394 395 hlist_for_each_entry_safe(x, entry, tmp, &gc_list, gclist) 396 xfrm_state_gc_destroy(x); 397 398 wake_up(&net->xfrm.km_waitq); 399} 400 401static inline unsigned long make_jiffies(long secs) 402{ 403 if (secs >= (MAX_SCHEDULE_TIMEOUT-1)/HZ) 404 return MAX_SCHEDULE_TIMEOUT-1; 405 else 406 return secs*HZ; 407} 408 409static void xfrm_timer_handler(unsigned long data) 410{ 411 struct xfrm_state *x = (struct xfrm_state*)data; 412 struct net *net = xs_net(x); 413 unsigned long now = get_seconds(); 414 long next = LONG_MAX; 415 int warn = 0; 416 int err = 0; 417 418 spin_lock(&x->lock); 419 if (x->km.state == XFRM_STATE_DEAD) 420 goto out; 421 if (x->km.state == XFRM_STATE_EXPIRED) 422 goto expired; 423 if (x->lft.hard_add_expires_seconds) { 424 long tmo = x->lft.hard_add_expires_seconds + 425 x->curlft.add_time - now; 426 if (tmo <= 0) 427 goto expired; 428 if (tmo < next) 429 next = tmo; 430 } 431 if (x->lft.hard_use_expires_seconds) { 432 long tmo = x->lft.hard_use_expires_seconds + 433 (x->curlft.use_time ? : now) - now; 434 if (tmo <= 0) 435 goto expired; 436 if (tmo < next) 437 next = tmo; 438 } 439 if (x->km.dying) 440 goto resched; 441 if (x->lft.soft_add_expires_seconds) { 442 long tmo = x->lft.soft_add_expires_seconds + 443 x->curlft.add_time - now; 444 if (tmo <= 0) 445 warn = 1; 446 else if (tmo < next) 447 next = tmo; 448 } 449 if (x->lft.soft_use_expires_seconds) { 450 long tmo = x->lft.soft_use_expires_seconds + 451 (x->curlft.use_time ? : now) - now; 452 if (tmo <= 0) 453 warn = 1; 454 else if (tmo < next) 455 next = tmo; 456 } 457 458 x->km.dying = warn; 459 if (warn) 460 km_state_expired(x, 0, 0); 461resched: 462 if (next != LONG_MAX) 463 mod_timer(&x->timer, jiffies + make_jiffies(next)); 464 465 goto out; 466 467expired: 468 if (x->km.state == XFRM_STATE_ACQ && x->id.spi == 0) { 469 x->km.state = XFRM_STATE_EXPIRED; 470 wake_up(&net->xfrm.km_waitq); 471 next = 2; 472 goto resched; 473 } 474 475 err = __xfrm_state_delete(x); 476 if (!err && x->id.spi) 477 km_state_expired(x, 1, 0); 478 479 xfrm_audit_state_delete(x, err ? 0 : 1, 480 audit_get_loginuid(current), 481 audit_get_sessionid(current), 0); 482 483out: 484 spin_unlock(&x->lock); 485} 486 487static void xfrm_replay_timer_handler(unsigned long data); 488 489struct xfrm_state *xfrm_state_alloc(struct net *net) 490{ 491 struct xfrm_state *x; 492 493 x = kzalloc(sizeof(struct xfrm_state), GFP_ATOMIC); 494 495 if (x) { 496 write_pnet(&x->xs_net, net); 497 atomic_set(&x->refcnt, 1); 498 atomic_set(&x->tunnel_users, 0); 499 INIT_LIST_HEAD(&x->km.all); 500 INIT_HLIST_NODE(&x->bydst); 501 INIT_HLIST_NODE(&x->bysrc); 502 INIT_HLIST_NODE(&x->byspi); 503 setup_timer(&x->timer, xfrm_timer_handler, (unsigned long)x); 504 setup_timer(&x->rtimer, xfrm_replay_timer_handler, 505 (unsigned long)x); 506 x->curlft.add_time = get_seconds(); 507 x->lft.soft_byte_limit = XFRM_INF; 508 x->lft.soft_packet_limit = XFRM_INF; 509 x->lft.hard_byte_limit = XFRM_INF; 510 x->lft.hard_packet_limit = XFRM_INF; 511 x->replay_maxage = 0; 512 x->replay_maxdiff = 0; 513 x->inner_mode = NULL; 514 x->inner_mode_iaf = NULL; 515 spin_lock_init(&x->lock); 516 } 517 return x; 518} 519EXPORT_SYMBOL(xfrm_state_alloc); 520 521void __xfrm_state_destroy(struct xfrm_state *x) 522{ 523 struct net *net = xs_net(x); 524 525 WARN_ON(x->km.state != XFRM_STATE_DEAD); 526 527 spin_lock_bh(&xfrm_state_gc_lock); 528 hlist_add_head(&x->gclist, &net->xfrm.state_gc_list); 529 spin_unlock_bh(&xfrm_state_gc_lock); 530 schedule_work(&net->xfrm.state_gc_work); 531} 532EXPORT_SYMBOL(__xfrm_state_destroy); 533 534int __xfrm_state_delete(struct xfrm_state *x) 535{ 536 struct net *net = xs_net(x); 537 int err = -ESRCH; 538 539 if (x->km.state != XFRM_STATE_DEAD) { 540 x->km.state = XFRM_STATE_DEAD; 541 spin_lock(&xfrm_state_lock); 542 list_del(&x->km.all); 543 hlist_del(&x->bydst); 544 hlist_del(&x->bysrc); 545 if (x->id.spi) 546 hlist_del(&x->byspi); 547 net->xfrm.state_num--; 548 spin_unlock(&xfrm_state_lock); 549 550 /* All xfrm_state objects are created by xfrm_state_alloc. 551 * The xfrm_state_alloc call gives a reference, and that 552 * is what we are dropping here. 553 */ 554 xfrm_state_put(x); 555 err = 0; 556 } 557 558 return err; 559} 560EXPORT_SYMBOL(__xfrm_state_delete); 561 562int xfrm_state_delete(struct xfrm_state *x) 563{ 564 int err; 565 566 spin_lock_bh(&x->lock); 567 err = __xfrm_state_delete(x); 568 spin_unlock_bh(&x->lock); 569 570 return err; 571} 572EXPORT_SYMBOL(xfrm_state_delete); 573 574#ifdef CONFIG_SECURITY_NETWORK_XFRM 575static inline int 576xfrm_state_flush_secctx_check(struct net *net, u8 proto, struct xfrm_audit *audit_info) 577{ 578 int i, err = 0; 579 580 for (i = 0; i <= net->xfrm.state_hmask; i++) { 581 struct hlist_node *entry; 582 struct xfrm_state *x; 583 584 hlist_for_each_entry(x, entry, net->xfrm.state_bydst+i, bydst) { 585 if (xfrm_id_proto_match(x->id.proto, proto) && 586 (err = security_xfrm_state_delete(x)) != 0) { 587 xfrm_audit_state_delete(x, 0, 588 audit_info->loginuid, 589 audit_info->sessionid, 590 audit_info->secid); 591 return err; 592 } 593 } 594 } 595 596 return err; 597} 598#else 599static inline int 600xfrm_state_flush_secctx_check(struct net *net, u8 proto, struct xfrm_audit *audit_info) 601{ 602 return 0; 603} 604#endif 605 606int xfrm_state_flush(struct net *net, u8 proto, struct xfrm_audit *audit_info) 607{ 608 int i, err = 0; 609 610 spin_lock_bh(&xfrm_state_lock); 611 err = xfrm_state_flush_secctx_check(net, proto, audit_info); 612 if (err) 613 goto out; 614 615 for (i = 0; i <= net->xfrm.state_hmask; i++) { 616 struct hlist_node *entry; 617 struct xfrm_state *x; 618restart: 619 hlist_for_each_entry(x, entry, net->xfrm.state_bydst+i, bydst) { 620 if (!xfrm_state_kern(x) && 621 xfrm_id_proto_match(x->id.proto, proto)) { 622 xfrm_state_hold(x); 623 spin_unlock_bh(&xfrm_state_lock); 624 625 err = xfrm_state_delete(x); 626 xfrm_audit_state_delete(x, err ? 0 : 1, 627 audit_info->loginuid, 628 audit_info->sessionid, 629 audit_info->secid); 630 xfrm_state_put(x); 631 632 spin_lock_bh(&xfrm_state_lock); 633 goto restart; 634 } 635 } 636 } 637 err = 0; 638 639out: 640 spin_unlock_bh(&xfrm_state_lock); 641 wake_up(&net->xfrm.km_waitq); 642 return err; 643} 644EXPORT_SYMBOL(xfrm_state_flush); 645 646void xfrm_sad_getinfo(struct xfrmk_sadinfo *si) 647{ 648 spin_lock_bh(&xfrm_state_lock); 649 si->sadcnt = init_net.xfrm.state_num; 650 si->sadhcnt = init_net.xfrm.state_hmask; 651 si->sadhmcnt = xfrm_state_hashmax; 652 spin_unlock_bh(&xfrm_state_lock); 653} 654EXPORT_SYMBOL(xfrm_sad_getinfo); 655 656static int 657xfrm_init_tempsel(struct xfrm_state *x, struct flowi *fl, 658 struct xfrm_tmpl *tmpl, 659 xfrm_address_t *daddr, xfrm_address_t *saddr, 660 unsigned short family) 661{ 662 struct xfrm_state_afinfo *afinfo = xfrm_state_get_afinfo(family); 663 if (!afinfo) 664 return -1; 665 afinfo->init_tempsel(x, fl, tmpl, daddr, saddr); 666 xfrm_state_put_afinfo(afinfo); 667 return 0; 668} 669 670static struct xfrm_state *__xfrm_state_lookup(struct net *net, xfrm_address_t *daddr, __be32 spi, u8 proto, unsigned short family) 671{ 672 unsigned int h = xfrm_spi_hash(net, daddr, spi, proto, family); 673 struct xfrm_state *x; 674 struct hlist_node *entry; 675 676 hlist_for_each_entry(x, entry, net->xfrm.state_byspi+h, byspi) { 677 if (x->props.family != family || 678 x->id.spi != spi || 679 x->id.proto != proto) 680 continue; 681 682 switch (family) { 683 case AF_INET: 684 if (x->id.daddr.a4 != daddr->a4) 685 continue; 686 break; 687 case AF_INET6: 688 if (!ipv6_addr_equal((struct in6_addr *)daddr, 689 (struct in6_addr *) 690 x->id.daddr.a6)) 691 continue; 692 break; 693 } 694 695 xfrm_state_hold(x); 696 return x; 697 } 698 699 return NULL; 700} 701 702static struct xfrm_state *__xfrm_state_lookup_byaddr(struct net *net, xfrm_address_t *daddr, xfrm_address_t *saddr, u8 proto, unsigned short family) 703{ 704 unsigned int h = xfrm_src_hash(net, daddr, saddr, family); 705 struct xfrm_state *x; 706 struct hlist_node *entry; 707 708 hlist_for_each_entry(x, entry, net->xfrm.state_bysrc+h, bysrc) { 709 if (x->props.family != family || 710 x->id.proto != proto) 711 continue; 712 713 switch (family) { 714 case AF_INET: 715 if (x->id.daddr.a4 != daddr->a4 || 716 x->props.saddr.a4 != saddr->a4) 717 continue; 718 break; 719 case AF_INET6: 720 if (!ipv6_addr_equal((struct in6_addr *)daddr, 721 (struct in6_addr *) 722 x->id.daddr.a6) || 723 !ipv6_addr_equal((struct in6_addr *)saddr, 724 (struct in6_addr *) 725 x->props.saddr.a6)) 726 continue; 727 break; 728 } 729 730 xfrm_state_hold(x); 731 return x; 732 } 733 734 return NULL; 735} 736 737static inline struct xfrm_state * 738__xfrm_state_locate(struct xfrm_state *x, int use_spi, int family) 739{ 740 struct net *net = xs_net(x); 741 742 if (use_spi) 743 return __xfrm_state_lookup(net, &x->id.daddr, x->id.spi, 744 x->id.proto, family); 745 else 746 return __xfrm_state_lookup_byaddr(net, &x->id.daddr, 747 &x->props.saddr, 748 x->id.proto, family); 749} 750 751static void xfrm_hash_grow_check(struct net *net, int have_hash_collision) 752{ 753 if (have_hash_collision && 754 (net->xfrm.state_hmask + 1) < xfrm_state_hashmax && 755 net->xfrm.state_num > net->xfrm.state_hmask) 756 schedule_work(&net->xfrm.state_hash_work); 757} 758 759struct xfrm_state * 760xfrm_state_find(xfrm_address_t *daddr, xfrm_address_t *saddr, 761 struct flowi *fl, struct xfrm_tmpl *tmpl, 762 struct xfrm_policy *pol, int *err, 763 unsigned short family) 764{ 765 struct net *net = xp_net(pol); 766 unsigned int h; 767 struct hlist_node *entry; 768 struct xfrm_state *x, *x0, *to_put; 769 int acquire_in_progress = 0; 770 int error = 0; 771 struct xfrm_state *best = NULL; 772 773 to_put = NULL; 774 775 spin_lock_bh(&xfrm_state_lock); 776 h = xfrm_dst_hash(net, daddr, saddr, tmpl->reqid, family); 777 hlist_for_each_entry(x, entry, net->xfrm.state_bydst+h, bydst) { 778 if (x->props.family == family && 779 x->props.reqid == tmpl->reqid && 780 !(x->props.flags & XFRM_STATE_WILDRECV) && 781 xfrm_state_addr_check(x, daddr, saddr, family) && 782 tmpl->mode == x->props.mode && 783 tmpl->id.proto == x->id.proto && 784 (tmpl->id.spi == x->id.spi || !tmpl->id.spi)) { 785 /* Resolution logic: 786 1. There is a valid state with matching selector. 787 Done. 788 2. Valid state with inappropriate selector. Skip. 789 790 Entering area of "sysdeps". 791 792 3. If state is not valid, selector is temporary, 793 it selects only session which triggered 794 previous resolution. Key manager will do 795 something to install a state with proper 796 selector. 797 */ 798 if (x->km.state == XFRM_STATE_VALID) { 799 if ((x->sel.family && !xfrm_selector_match(&x->sel, fl, x->sel.family)) || 800 !security_xfrm_state_pol_flow_match(x, pol, fl)) 801 continue; 802 if (!best || 803 best->km.dying > x->km.dying || 804 (best->km.dying == x->km.dying && 805 best->curlft.add_time < x->curlft.add_time)) 806 best = x; 807 } else if (x->km.state == XFRM_STATE_ACQ) { 808 acquire_in_progress = 1; 809 } else if (x->km.state == XFRM_STATE_ERROR || 810 x->km.state == XFRM_STATE_EXPIRED) { 811 if (xfrm_selector_match(&x->sel, fl, x->sel.family) && 812 security_xfrm_state_pol_flow_match(x, pol, fl)) 813 error = -ESRCH; 814 } 815 } 816 } 817 818 x = best; 819 if (!x && !error && !acquire_in_progress) { 820 if (tmpl->id.spi && 821 (x0 = __xfrm_state_lookup(net, daddr, tmpl->id.spi, 822 tmpl->id.proto, family)) != NULL) { 823 to_put = x0; 824 error = -EEXIST; 825 goto out; 826 } 827 x = xfrm_state_alloc(net); 828 if (x == NULL) { 829 error = -ENOMEM; 830 goto out; 831 } 832 /* Initialize temporary selector matching only 833 * to current session. */ 834 xfrm_init_tempsel(x, fl, tmpl, daddr, saddr, family); 835 836 error = security_xfrm_state_alloc_acquire(x, pol->security, fl->secid); 837 if (error) { 838 x->km.state = XFRM_STATE_DEAD; 839 to_put = x; 840 x = NULL; 841 goto out; 842 } 843 844 if (km_query(x, tmpl, pol) == 0) { 845 x->km.state = XFRM_STATE_ACQ; 846 list_add(&x->km.all, &net->xfrm.state_all); 847 hlist_add_head(&x->bydst, net->xfrm.state_bydst+h); 848 h = xfrm_src_hash(net, daddr, saddr, family); 849 hlist_add_head(&x->bysrc, net->xfrm.state_bysrc+h); 850 if (x->id.spi) { 851 h = xfrm_spi_hash(net, &x->id.daddr, x->id.spi, x->id.proto, family); 852 hlist_add_head(&x->byspi, net->xfrm.state_byspi+h); 853 } 854 x->lft.hard_add_expires_seconds = sysctl_xfrm_acq_expires; 855 x->timer.expires = jiffies + sysctl_xfrm_acq_expires*HZ; 856 add_timer(&x->timer); 857 net->xfrm.state_num++; 858 xfrm_hash_grow_check(net, x->bydst.next != NULL); 859 } else { 860 x->km.state = XFRM_STATE_DEAD; 861 to_put = x; 862 x = NULL; 863 error = -ESRCH; 864 } 865 } 866out: 867 if (x) 868 xfrm_state_hold(x); 869 else 870 *err = acquire_in_progress ? -EAGAIN : error; 871 spin_unlock_bh(&xfrm_state_lock); 872 if (to_put) 873 xfrm_state_put(to_put); 874 return x; 875} 876 877struct xfrm_state * 878xfrm_stateonly_find(struct net *net, 879 xfrm_address_t *daddr, xfrm_address_t *saddr, 880 unsigned short family, u8 mode, u8 proto, u32 reqid) 881{ 882 unsigned int h; 883 struct xfrm_state *rx = NULL, *x = NULL; 884 struct hlist_node *entry; 885 886 spin_lock(&xfrm_state_lock); 887 h = xfrm_dst_hash(net, daddr, saddr, reqid, family); 888 hlist_for_each_entry(x, entry, net->xfrm.state_bydst+h, bydst) { 889 if (x->props.family == family && 890 x->props.reqid == reqid && 891 !(x->props.flags & XFRM_STATE_WILDRECV) && 892 xfrm_state_addr_check(x, daddr, saddr, family) && 893 mode == x->props.mode && 894 proto == x->id.proto && 895 x->km.state == XFRM_STATE_VALID) { 896 rx = x; 897 break; 898 } 899 } 900 901 if (rx) 902 xfrm_state_hold(rx); 903 spin_unlock(&xfrm_state_lock); 904 905 906 return rx; 907} 908EXPORT_SYMBOL(xfrm_stateonly_find); 909 910static void __xfrm_state_insert(struct xfrm_state *x) 911{ 912 struct net *net = xs_net(x); 913 unsigned int h; 914 915 x->genid = ++xfrm_state_genid; 916 917 list_add(&x->km.all, &net->xfrm.state_all); 918 919 h = xfrm_dst_hash(net, &x->id.daddr, &x->props.saddr, 920 x->props.reqid, x->props.family); 921 hlist_add_head(&x->bydst, net->xfrm.state_bydst+h); 922 923 h = xfrm_src_hash(net, &x->id.daddr, &x->props.saddr, x->props.family); 924 hlist_add_head(&x->bysrc, net->xfrm.state_bysrc+h); 925 926 if (x->id.spi) { 927 h = xfrm_spi_hash(net, &x->id.daddr, x->id.spi, x->id.proto, 928 x->props.family); 929 930 hlist_add_head(&x->byspi, net->xfrm.state_byspi+h); 931 } 932 933 mod_timer(&x->timer, jiffies + HZ); 934 if (x->replay_maxage) 935 mod_timer(&x->rtimer, jiffies + x->replay_maxage); 936 937 wake_up(&net->xfrm.km_waitq); 938 939 net->xfrm.state_num++; 940 941 xfrm_hash_grow_check(net, x->bydst.next != NULL); 942} 943 944/* xfrm_state_lock is held */ 945static void __xfrm_state_bump_genids(struct xfrm_state *xnew) 946{ 947 struct net *net = xs_net(xnew); 948 unsigned short family = xnew->props.family; 949 u32 reqid = xnew->props.reqid; 950 struct xfrm_state *x; 951 struct hlist_node *entry; 952 unsigned int h; 953 954 h = xfrm_dst_hash(net, &xnew->id.daddr, &xnew->props.saddr, reqid, family); 955 hlist_for_each_entry(x, entry, net->xfrm.state_bydst+h, bydst) { 956 if (x->props.family == family && 957 x->props.reqid == reqid && 958 !xfrm_addr_cmp(&x->id.daddr, &xnew->id.daddr, family) && 959 !xfrm_addr_cmp(&x->props.saddr, &xnew->props.saddr, family)) 960 x->genid = xfrm_state_genid; 961 } 962} 963 964void xfrm_state_insert(struct xfrm_state *x) 965{ 966 spin_lock_bh(&xfrm_state_lock); 967 __xfrm_state_bump_genids(x); 968 __xfrm_state_insert(x); 969 spin_unlock_bh(&xfrm_state_lock); 970} 971EXPORT_SYMBOL(xfrm_state_insert); 972 973/* xfrm_state_lock is held */ 974static struct xfrm_state *__find_acq_core(struct net *net, unsigned short family, u8 mode, u32 reqid, u8 proto, xfrm_address_t *daddr, xfrm_address_t *saddr, int create) 975{ 976 unsigned int h = xfrm_dst_hash(net, daddr, saddr, reqid, family); 977 struct hlist_node *entry; 978 struct xfrm_state *x; 979 980 hlist_for_each_entry(x, entry, net->xfrm.state_bydst+h, bydst) { 981 if (x->props.reqid != reqid || 982 x->props.mode != mode || 983 x->props.family != family || 984 x->km.state != XFRM_STATE_ACQ || 985 x->id.spi != 0 || 986 x->id.proto != proto) 987 continue; 988 989 switch (family) { 990 case AF_INET: 991 if (x->id.daddr.a4 != daddr->a4 || 992 x->props.saddr.a4 != saddr->a4) 993 continue; 994 break; 995 case AF_INET6: 996 if (!ipv6_addr_equal((struct in6_addr *)x->id.daddr.a6, 997 (struct in6_addr *)daddr) || 998 !ipv6_addr_equal((struct in6_addr *) 999 x->props.saddr.a6, 1000 (struct in6_addr *)saddr)) 1001 continue; 1002 break; 1003 } 1004 1005 xfrm_state_hold(x); 1006 return x; 1007 } 1008 1009 if (!create) 1010 return NULL; 1011 1012 x = xfrm_state_alloc(net); 1013 if (likely(x)) { 1014 switch (family) { 1015 case AF_INET: 1016 x->sel.daddr.a4 = daddr->a4; 1017 x->sel.saddr.a4 = saddr->a4; 1018 x->sel.prefixlen_d = 32; 1019 x->sel.prefixlen_s = 32; 1020 x->props.saddr.a4 = saddr->a4; 1021 x->id.daddr.a4 = daddr->a4; 1022 break; 1023 1024 case AF_INET6: 1025 ipv6_addr_copy((struct in6_addr *)x->sel.daddr.a6, 1026 (struct in6_addr *)daddr); 1027 ipv6_addr_copy((struct in6_addr *)x->sel.saddr.a6, 1028 (struct in6_addr *)saddr); 1029 x->sel.prefixlen_d = 128; 1030 x->sel.prefixlen_s = 128; 1031 ipv6_addr_copy((struct in6_addr *)x->props.saddr.a6, 1032 (struct in6_addr *)saddr); 1033 ipv6_addr_copy((struct in6_addr *)x->id.daddr.a6, 1034 (struct in6_addr *)daddr); 1035 break; 1036 } 1037 1038 x->km.state = XFRM_STATE_ACQ; 1039 x->id.proto = proto; 1040 x->props.family = family; 1041 x->props.mode = mode; 1042 x->props.reqid = reqid; 1043 x->lft.hard_add_expires_seconds = sysctl_xfrm_acq_expires; 1044 xfrm_state_hold(x); 1045 x->timer.expires = jiffies + sysctl_xfrm_acq_expires*HZ; 1046 add_timer(&x->timer); 1047 list_add(&x->km.all, &net->xfrm.state_all); 1048 hlist_add_head(&x->bydst, net->xfrm.state_bydst+h); 1049 h = xfrm_src_hash(net, daddr, saddr, family); 1050 hlist_add_head(&x->bysrc, net->xfrm.state_bysrc+h); 1051 1052 net->xfrm.state_num++; 1053 1054 xfrm_hash_grow_check(net, x->bydst.next != NULL); 1055 } 1056 1057 return x; 1058} 1059 1060static struct xfrm_state *__xfrm_find_acq_byseq(struct net *net, u32 seq); 1061 1062int xfrm_state_add(struct xfrm_state *x) 1063{ 1064 struct net *net = xs_net(x); 1065 struct xfrm_state *x1, *to_put; 1066 int family; 1067 int err; 1068 int use_spi = xfrm_id_proto_match(x->id.proto, IPSEC_PROTO_ANY); 1069 1070 family = x->props.family; 1071 1072 to_put = NULL; 1073 1074 spin_lock_bh(&xfrm_state_lock); 1075 1076 x1 = __xfrm_state_locate(x, use_spi, family); 1077 if (x1) { 1078 to_put = x1; 1079 x1 = NULL; 1080 err = -EEXIST; 1081 goto out; 1082 } 1083 1084 if (use_spi && x->km.seq) { 1085 x1 = __xfrm_find_acq_byseq(net, x->km.seq); 1086 if (x1 && ((x1->id.proto != x->id.proto) || 1087 xfrm_addr_cmp(&x1->id.daddr, &x->id.daddr, family))) { 1088 to_put = x1; 1089 x1 = NULL; 1090 } 1091 } 1092 1093 if (use_spi && !x1) 1094 x1 = __find_acq_core(net, family, x->props.mode, x->props.reqid, 1095 x->id.proto, 1096 &x->id.daddr, &x->props.saddr, 0); 1097 1098 __xfrm_state_bump_genids(x); 1099 __xfrm_state_insert(x); 1100 err = 0; 1101 1102out: 1103 spin_unlock_bh(&xfrm_state_lock); 1104 1105 if (x1) { 1106 xfrm_state_delete(x1); 1107 xfrm_state_put(x1); 1108 } 1109 1110 if (to_put) 1111 xfrm_state_put(to_put); 1112 1113 return err; 1114} 1115EXPORT_SYMBOL(xfrm_state_add); 1116 1117#ifdef CONFIG_XFRM_MIGRATE 1118static struct xfrm_state *xfrm_state_clone(struct xfrm_state *orig, int *errp) 1119{ 1120 struct net *net = xs_net(orig); 1121 int err = -ENOMEM; 1122 struct xfrm_state *x = xfrm_state_alloc(net); 1123 if (!x) 1124 goto error; 1125 1126 memcpy(&x->id, &orig->id, sizeof(x->id)); 1127 memcpy(&x->sel, &orig->sel, sizeof(x->sel)); 1128 memcpy(&x->lft, &orig->lft, sizeof(x->lft)); 1129 x->props.mode = orig->props.mode; 1130 x->props.replay_window = orig->props.replay_window; 1131 x->props.reqid = orig->props.reqid; 1132 x->props.family = orig->props.family; 1133 x->props.saddr = orig->props.saddr; 1134 1135 if (orig->aalg) { 1136 x->aalg = xfrm_algo_clone(orig->aalg); 1137 if (!x->aalg) 1138 goto error; 1139 } 1140 x->props.aalgo = orig->props.aalgo; 1141 1142 if (orig->ealg) { 1143 x->ealg = xfrm_algo_clone(orig->ealg); 1144 if (!x->ealg) 1145 goto error; 1146 } 1147 x->props.ealgo = orig->props.ealgo; 1148 1149 if (orig->calg) { 1150 x->calg = xfrm_algo_clone(orig->calg); 1151 if (!x->calg) 1152 goto error; 1153 } 1154 x->props.calgo = orig->props.calgo; 1155 1156 if (orig->encap) { 1157 x->encap = kmemdup(orig->encap, sizeof(*x->encap), GFP_KERNEL); 1158 if (!x->encap) 1159 goto error; 1160 } 1161 1162 if (orig->coaddr) { 1163 x->coaddr = kmemdup(orig->coaddr, sizeof(*x->coaddr), 1164 GFP_KERNEL); 1165 if (!x->coaddr) 1166 goto error; 1167 } 1168 1169 err = xfrm_init_state(x); 1170 if (err) 1171 goto error; 1172 1173 x->props.flags = orig->props.flags; 1174 1175 x->curlft.add_time = orig->curlft.add_time; 1176 x->km.state = orig->km.state; 1177 x->km.seq = orig->km.seq; 1178 1179 return x; 1180 1181 error: 1182 if (errp) 1183 *errp = err; 1184 if (x) { 1185 kfree(x->aalg); 1186 kfree(x->ealg); 1187 kfree(x->calg); 1188 kfree(x->encap); 1189 kfree(x->coaddr); 1190 } 1191 kfree(x); 1192 return NULL; 1193} 1194 1195/* xfrm_state_lock is held */ 1196struct xfrm_state * xfrm_migrate_state_find(struct xfrm_migrate *m) 1197{ 1198 unsigned int h; 1199 struct xfrm_state *x; 1200 struct hlist_node *entry; 1201 1202 if (m->reqid) { 1203 h = xfrm_dst_hash(&init_net, &m->old_daddr, &m->old_saddr, 1204 m->reqid, m->old_family); 1205 hlist_for_each_entry(x, entry, init_net.xfrm.state_bydst+h, bydst) { 1206 if (x->props.mode != m->mode || 1207 x->id.proto != m->proto) 1208 continue; 1209 if (m->reqid && x->props.reqid != m->reqid) 1210 continue; 1211 if (xfrm_addr_cmp(&x->id.daddr, &m->old_daddr, 1212 m->old_family) || 1213 xfrm_addr_cmp(&x->props.saddr, &m->old_saddr, 1214 m->old_family)) 1215 continue; 1216 xfrm_state_hold(x); 1217 return x; 1218 } 1219 } else { 1220 h = xfrm_src_hash(&init_net, &m->old_daddr, &m->old_saddr, 1221 m->old_family); 1222 hlist_for_each_entry(x, entry, init_net.xfrm.state_bysrc+h, bysrc) { 1223 if (x->props.mode != m->mode || 1224 x->id.proto != m->proto) 1225 continue; 1226 if (xfrm_addr_cmp(&x->id.daddr, &m->old_daddr, 1227 m->old_family) || 1228 xfrm_addr_cmp(&x->props.saddr, &m->old_saddr, 1229 m->old_family)) 1230 continue; 1231 xfrm_state_hold(x); 1232 return x; 1233 } 1234 } 1235 1236 return NULL; 1237} 1238EXPORT_SYMBOL(xfrm_migrate_state_find); 1239 1240struct xfrm_state * xfrm_state_migrate(struct xfrm_state *x, 1241 struct xfrm_migrate *m) 1242{ 1243 struct xfrm_state *xc; 1244 int err; 1245 1246 xc = xfrm_state_clone(x, &err); 1247 if (!xc) 1248 return NULL; 1249 1250 memcpy(&xc->id.daddr, &m->new_daddr, sizeof(xc->id.daddr)); 1251 memcpy(&xc->props.saddr, &m->new_saddr, sizeof(xc->props.saddr)); 1252 1253 /* add state */ 1254 if (!xfrm_addr_cmp(&x->id.daddr, &m->new_daddr, m->new_family)) { 1255 /* a care is needed when the destination address of the 1256 state is to be updated as it is a part of triplet */ 1257 xfrm_state_insert(xc); 1258 } else { 1259 if ((err = xfrm_state_add(xc)) < 0) 1260 goto error; 1261 } 1262 1263 return xc; 1264error: 1265 kfree(xc); 1266 return NULL; 1267} 1268EXPORT_SYMBOL(xfrm_state_migrate); 1269#endif 1270 1271int xfrm_state_update(struct xfrm_state *x) 1272{ 1273 struct xfrm_state *x1, *to_put; 1274 int err; 1275 int use_spi = xfrm_id_proto_match(x->id.proto, IPSEC_PROTO_ANY); 1276 1277 to_put = NULL; 1278 1279 spin_lock_bh(&xfrm_state_lock); 1280 x1 = __xfrm_state_locate(x, use_spi, x->props.family); 1281 1282 err = -ESRCH; 1283 if (!x1) 1284 goto out; 1285 1286 if (xfrm_state_kern(x1)) { 1287 to_put = x1; 1288 err = -EEXIST; 1289 goto out; 1290 } 1291 1292 if (x1->km.state == XFRM_STATE_ACQ) { 1293 __xfrm_state_insert(x); 1294 x = NULL; 1295 } 1296 err = 0; 1297 1298out: 1299 spin_unlock_bh(&xfrm_state_lock); 1300 1301 if (to_put) 1302 xfrm_state_put(to_put); 1303 1304 if (err) 1305 return err; 1306 1307 if (!x) { 1308 xfrm_state_delete(x1); 1309 xfrm_state_put(x1); 1310 return 0; 1311 } 1312 1313 err = -EINVAL; 1314 spin_lock_bh(&x1->lock); 1315 if (likely(x1->km.state == XFRM_STATE_VALID)) { 1316 if (x->encap && x1->encap) 1317 memcpy(x1->encap, x->encap, sizeof(*x1->encap)); 1318 if (x->coaddr && x1->coaddr) { 1319 memcpy(x1->coaddr, x->coaddr, sizeof(*x1->coaddr)); 1320 } 1321 if (!use_spi && memcmp(&x1->sel, &x->sel, sizeof(x1->sel))) 1322 memcpy(&x1->sel, &x->sel, sizeof(x1->sel)); 1323 memcpy(&x1->lft, &x->lft, sizeof(x1->lft)); 1324 x1->km.dying = 0; 1325 1326 mod_timer(&x1->timer, jiffies + HZ); 1327 if (x1->curlft.use_time) 1328 xfrm_state_check_expire(x1); 1329 1330 err = 0; 1331 } 1332 spin_unlock_bh(&x1->lock); 1333 1334 xfrm_state_put(x1); 1335 1336 return err; 1337} 1338EXPORT_SYMBOL(xfrm_state_update); 1339 1340int xfrm_state_check_expire(struct xfrm_state *x) 1341{ 1342 if (!x->curlft.use_time) 1343 x->curlft.use_time = get_seconds(); 1344 1345 if (x->km.state != XFRM_STATE_VALID) 1346 return -EINVAL; 1347 1348 if (x->curlft.bytes >= x->lft.hard_byte_limit || 1349 x->curlft.packets >= x->lft.hard_packet_limit) { 1350 x->km.state = XFRM_STATE_EXPIRED; 1351 mod_timer(&x->timer, jiffies); 1352 return -EINVAL; 1353 } 1354 1355 if (!x->km.dying && 1356 (x->curlft.bytes >= x->lft.soft_byte_limit || 1357 x->curlft.packets >= x->lft.soft_packet_limit)) { 1358 x->km.dying = 1; 1359 km_state_expired(x, 0, 0); 1360 } 1361 return 0; 1362} 1363EXPORT_SYMBOL(xfrm_state_check_expire); 1364 1365struct xfrm_state * 1366xfrm_state_lookup(struct net *net, xfrm_address_t *daddr, __be32 spi, u8 proto, 1367 unsigned short family) 1368{ 1369 struct xfrm_state *x; 1370 1371 spin_lock_bh(&xfrm_state_lock); 1372 x = __xfrm_state_lookup(net, daddr, spi, proto, family); 1373 spin_unlock_bh(&xfrm_state_lock); 1374 return x; 1375} 1376EXPORT_SYMBOL(xfrm_state_lookup); 1377 1378struct xfrm_state * 1379xfrm_state_lookup_byaddr(struct net *net, 1380 xfrm_address_t *daddr, xfrm_address_t *saddr, 1381 u8 proto, unsigned short family) 1382{ 1383 struct xfrm_state *x; 1384 1385 spin_lock_bh(&xfrm_state_lock); 1386 x = __xfrm_state_lookup_byaddr(net, daddr, saddr, proto, family); 1387 spin_unlock_bh(&xfrm_state_lock); 1388 return x; 1389} 1390EXPORT_SYMBOL(xfrm_state_lookup_byaddr); 1391 1392struct xfrm_state * 1393xfrm_find_acq(struct net *net, u8 mode, u32 reqid, u8 proto, 1394 xfrm_address_t *daddr, xfrm_address_t *saddr, 1395 int create, unsigned short family) 1396{ 1397 struct xfrm_state *x; 1398 1399 spin_lock_bh(&xfrm_state_lock); 1400 x = __find_acq_core(net, family, mode, reqid, proto, daddr, saddr, create); 1401 spin_unlock_bh(&xfrm_state_lock); 1402 1403 return x; 1404} 1405EXPORT_SYMBOL(xfrm_find_acq); 1406 1407#ifdef CONFIG_XFRM_SUB_POLICY 1408int 1409xfrm_tmpl_sort(struct xfrm_tmpl **dst, struct xfrm_tmpl **src, int n, 1410 unsigned short family) 1411{ 1412 int err = 0; 1413 struct xfrm_state_afinfo *afinfo = xfrm_state_get_afinfo(family); 1414 if (!afinfo) 1415 return -EAFNOSUPPORT; 1416 1417 spin_lock_bh(&xfrm_state_lock); 1418 if (afinfo->tmpl_sort) 1419 err = afinfo->tmpl_sort(dst, src, n); 1420 spin_unlock_bh(&xfrm_state_lock); 1421 xfrm_state_put_afinfo(afinfo); 1422 return err; 1423} 1424EXPORT_SYMBOL(xfrm_tmpl_sort); 1425 1426int 1427xfrm_state_sort(struct xfrm_state **dst, struct xfrm_state **src, int n, 1428 unsigned short family) 1429{ 1430 int err = 0; 1431 struct xfrm_state_afinfo *afinfo = xfrm_state_get_afinfo(family); 1432 if (!afinfo) 1433 return -EAFNOSUPPORT; 1434 1435 spin_lock_bh(&xfrm_state_lock); 1436 if (afinfo->state_sort) 1437 err = afinfo->state_sort(dst, src, n); 1438 spin_unlock_bh(&xfrm_state_lock); 1439 xfrm_state_put_afinfo(afinfo); 1440 return err; 1441} 1442EXPORT_SYMBOL(xfrm_state_sort); 1443#endif 1444 1445/* Silly enough, but I'm lazy to build resolution list */ 1446 1447static struct xfrm_state *__xfrm_find_acq_byseq(struct net *net, u32 seq) 1448{ 1449 int i; 1450 1451 for (i = 0; i <= net->xfrm.state_hmask; i++) { 1452 struct hlist_node *entry; 1453 struct xfrm_state *x; 1454 1455 hlist_for_each_entry(x, entry, net->xfrm.state_bydst+i, bydst) { 1456 if (x->km.seq == seq && 1457 x->km.state == XFRM_STATE_ACQ) { 1458 xfrm_state_hold(x); 1459 return x; 1460 } 1461 } 1462 } 1463 return NULL; 1464} 1465 1466struct xfrm_state *xfrm_find_acq_byseq(struct net *net, u32 seq) 1467{ 1468 struct xfrm_state *x; 1469 1470 spin_lock_bh(&xfrm_state_lock); 1471 x = __xfrm_find_acq_byseq(net, seq); 1472 spin_unlock_bh(&xfrm_state_lock); 1473 return x; 1474} 1475EXPORT_SYMBOL(xfrm_find_acq_byseq); 1476 1477u32 xfrm_get_acqseq(void) 1478{ 1479 u32 res; 1480 static u32 acqseq; 1481 static DEFINE_SPINLOCK(acqseq_lock); 1482 1483 spin_lock_bh(&acqseq_lock); 1484 res = (++acqseq ? : ++acqseq); 1485 spin_unlock_bh(&acqseq_lock); 1486 return res; 1487} 1488EXPORT_SYMBOL(xfrm_get_acqseq); 1489 1490int xfrm_alloc_spi(struct xfrm_state *x, u32 low, u32 high) 1491{ 1492 struct net *net = xs_net(x); 1493 unsigned int h; 1494 struct xfrm_state *x0; 1495 int err = -ENOENT; 1496 __be32 minspi = htonl(low); 1497 __be32 maxspi = htonl(high); 1498 1499 spin_lock_bh(&x->lock); 1500 if (x->km.state == XFRM_STATE_DEAD) 1501 goto unlock; 1502 1503 err = 0; 1504 if (x->id.spi) 1505 goto unlock; 1506 1507 err = -ENOENT; 1508 1509 if (minspi == maxspi) { 1510 x0 = xfrm_state_lookup(net, &x->id.daddr, minspi, x->id.proto, x->props.family); 1511 if (x0) { 1512 xfrm_state_put(x0); 1513 goto unlock; 1514 } 1515 x->id.spi = minspi; 1516 } else { 1517 u32 spi = 0; 1518 for (h=0; h<high-low+1; h++) { 1519 spi = low + net_random()%(high-low+1); 1520 x0 = xfrm_state_lookup(net, &x->id.daddr, htonl(spi), x->id.proto, x->props.family); 1521 if (x0 == NULL) { 1522 x->id.spi = htonl(spi); 1523 break; 1524 } 1525 xfrm_state_put(x0); 1526 } 1527 } 1528 if (x->id.spi) { 1529 spin_lock_bh(&xfrm_state_lock); 1530 h = xfrm_spi_hash(net, &x->id.daddr, x->id.spi, x->id.proto, x->props.family); 1531 hlist_add_head(&x->byspi, net->xfrm.state_byspi+h); 1532 spin_unlock_bh(&xfrm_state_lock); 1533 1534 err = 0; 1535 } 1536 1537unlock: 1538 spin_unlock_bh(&x->lock); 1539 1540 return err; 1541} 1542EXPORT_SYMBOL(xfrm_alloc_spi); 1543 1544int xfrm_state_walk(struct net *net, struct xfrm_state_walk *walk, 1545 int (*func)(struct xfrm_state *, int, void*), 1546 void *data) 1547{ 1548 struct xfrm_state *state; 1549 struct xfrm_state_walk *x; 1550 int err = 0; 1551 1552 if (walk->seq != 0 && list_empty(&walk->all)) 1553 return 0; 1554 1555 spin_lock_bh(&xfrm_state_lock); 1556 if (list_empty(&walk->all)) 1557 x = list_first_entry(&net->xfrm.state_all, struct xfrm_state_walk, all); 1558 else 1559 x = list_entry(&walk->all, struct xfrm_state_walk, all); 1560 list_for_each_entry_from(x, &net->xfrm.state_all, all) { 1561 if (x->state == XFRM_STATE_DEAD) 1562 continue; 1563 state = container_of(x, struct xfrm_state, km); 1564 if (!xfrm_id_proto_match(state->id.proto, walk->proto)) 1565 continue; 1566 err = func(state, walk->seq, data); 1567 if (err) { 1568 list_move_tail(&walk->all, &x->all); 1569 goto out; 1570 } 1571 walk->seq++; 1572 } 1573 if (walk->seq == 0) { 1574 err = -ENOENT; 1575 goto out; 1576 } 1577 list_del_init(&walk->all); 1578out: 1579 spin_unlock_bh(&xfrm_state_lock); 1580 return err; 1581} 1582EXPORT_SYMBOL(xfrm_state_walk); 1583 1584void xfrm_state_walk_init(struct xfrm_state_walk *walk, u8 proto) 1585{ 1586 INIT_LIST_HEAD(&walk->all); 1587 walk->proto = proto; 1588 walk->state = XFRM_STATE_DEAD; 1589 walk->seq = 0; 1590} 1591EXPORT_SYMBOL(xfrm_state_walk_init); 1592 1593void xfrm_state_walk_done(struct xfrm_state_walk *walk) 1594{ 1595 if (list_empty(&walk->all)) 1596 return; 1597 1598 spin_lock_bh(&xfrm_state_lock); 1599 list_del(&walk->all); 1600 spin_lock_bh(&xfrm_state_lock); 1601} 1602EXPORT_SYMBOL(xfrm_state_walk_done); 1603 1604 1605void xfrm_replay_notify(struct xfrm_state *x, int event) 1606{ 1607 struct km_event c; 1608 /* we send notify messages in case 1609 * 1. we updated on of the sequence numbers, and the seqno difference 1610 * is at least x->replay_maxdiff, in this case we also update the 1611 * timeout of our timer function 1612 * 2. if x->replay_maxage has elapsed since last update, 1613 * and there were changes 1614 * 1615 * The state structure must be locked! 1616 */ 1617 1618 switch (event) { 1619 case XFRM_REPLAY_UPDATE: 1620 if (x->replay_maxdiff && 1621 (x->replay.seq - x->preplay.seq < x->replay_maxdiff) && 1622 (x->replay.oseq - x->preplay.oseq < x->replay_maxdiff)) { 1623 if (x->xflags & XFRM_TIME_DEFER) 1624 event = XFRM_REPLAY_TIMEOUT; 1625 else 1626 return; 1627 } 1628 1629 break; 1630 1631 case XFRM_REPLAY_TIMEOUT: 1632 if ((x->replay.seq == x->preplay.seq) && 1633 (x->replay.bitmap == x->preplay.bitmap) && 1634 (x->replay.oseq == x->preplay.oseq)) { 1635 x->xflags |= XFRM_TIME_DEFER; 1636 return; 1637 } 1638 1639 break; 1640 } 1641 1642 memcpy(&x->preplay, &x->replay, sizeof(struct xfrm_replay_state)); 1643 c.event = XFRM_MSG_NEWAE; 1644 c.data.aevent = event; 1645 km_state_notify(x, &c); 1646 1647 if (x->replay_maxage && 1648 !mod_timer(&x->rtimer, jiffies + x->replay_maxage)) 1649 x->xflags &= ~XFRM_TIME_DEFER; 1650} 1651 1652static void xfrm_replay_timer_handler(unsigned long data) 1653{ 1654 struct xfrm_state *x = (struct xfrm_state*)data; 1655 1656 spin_lock(&x->lock); 1657 1658 if (x->km.state == XFRM_STATE_VALID) { 1659 if (xfrm_aevent_is_on(xs_net(x))) 1660 xfrm_replay_notify(x, XFRM_REPLAY_TIMEOUT); 1661 else 1662 x->xflags |= XFRM_TIME_DEFER; 1663 } 1664 1665 spin_unlock(&x->lock); 1666} 1667 1668int xfrm_replay_check(struct xfrm_state *x, 1669 struct sk_buff *skb, __be32 net_seq) 1670{ 1671 u32 diff; 1672 u32 seq = ntohl(net_seq); 1673 1674 if (unlikely(seq == 0)) 1675 goto err; 1676 1677 if (likely(seq > x->replay.seq)) 1678 return 0; 1679 1680 diff = x->replay.seq - seq; 1681 if (diff >= min_t(unsigned int, x->props.replay_window, 1682 sizeof(x->replay.bitmap) * 8)) { 1683 x->stats.replay_window++; 1684 goto err; 1685 } 1686 1687 if (x->replay.bitmap & (1U << diff)) { 1688 x->stats.replay++; 1689 goto err; 1690 } 1691 return 0; 1692 1693err: 1694 xfrm_audit_state_replay(x, skb, net_seq); 1695 return -EINVAL; 1696} 1697 1698void xfrm_replay_advance(struct xfrm_state *x, __be32 net_seq) 1699{ 1700 u32 diff; 1701 u32 seq = ntohl(net_seq); 1702 1703 if (seq > x->replay.seq) { 1704 diff = seq - x->replay.seq; 1705 if (diff < x->props.replay_window) 1706 x->replay.bitmap = ((x->replay.bitmap) << diff) | 1; 1707 else 1708 x->replay.bitmap = 1; 1709 x->replay.seq = seq; 1710 } else { 1711 diff = x->replay.seq - seq; 1712 x->replay.bitmap |= (1U << diff); 1713 } 1714 1715 if (xfrm_aevent_is_on(xs_net(x))) 1716 xfrm_replay_notify(x, XFRM_REPLAY_UPDATE); 1717} 1718 1719static LIST_HEAD(xfrm_km_list); 1720static DEFINE_RWLOCK(xfrm_km_lock); 1721 1722void km_policy_notify(struct xfrm_policy *xp, int dir, struct km_event *c) 1723{ 1724 struct xfrm_mgr *km; 1725 1726 read_lock(&xfrm_km_lock); 1727 list_for_each_entry(km, &xfrm_km_list, list) 1728 if (km->notify_policy) 1729 km->notify_policy(xp, dir, c); 1730 read_unlock(&xfrm_km_lock); 1731} 1732 1733void km_state_notify(struct xfrm_state *x, struct km_event *c) 1734{ 1735 struct xfrm_mgr *km; 1736 read_lock(&xfrm_km_lock); 1737 list_for_each_entry(km, &xfrm_km_list, list) 1738 if (km->notify) 1739 km->notify(x, c); 1740 read_unlock(&xfrm_km_lock); 1741} 1742 1743EXPORT_SYMBOL(km_policy_notify); 1744EXPORT_SYMBOL(km_state_notify); 1745 1746void km_state_expired(struct xfrm_state *x, int hard, u32 pid) 1747{ 1748 struct net *net = xs_net(x); 1749 struct km_event c; 1750 1751 c.data.hard = hard; 1752 c.pid = pid; 1753 c.event = XFRM_MSG_EXPIRE; 1754 km_state_notify(x, &c); 1755 1756 if (hard) 1757 wake_up(&net->xfrm.km_waitq); 1758} 1759 1760EXPORT_SYMBOL(km_state_expired); 1761/* 1762 * We send to all registered managers regardless of failure 1763 * We are happy with one success 1764*/ 1765int km_query(struct xfrm_state *x, struct xfrm_tmpl *t, struct xfrm_policy *pol) 1766{ 1767 int err = -EINVAL, acqret; 1768 struct xfrm_mgr *km; 1769 1770 read_lock(&xfrm_km_lock); 1771 list_for_each_entry(km, &xfrm_km_list, list) { 1772 acqret = km->acquire(x, t, pol, XFRM_POLICY_OUT); 1773 if (!acqret) 1774 err = acqret; 1775 } 1776 read_unlock(&xfrm_km_lock); 1777 return err; 1778} 1779EXPORT_SYMBOL(km_query); 1780 1781int km_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport) 1782{ 1783 int err = -EINVAL; 1784 struct xfrm_mgr *km; 1785 1786 read_lock(&xfrm_km_lock); 1787 list_for_each_entry(km, &xfrm_km_list, list) { 1788 if (km->new_mapping) 1789 err = km->new_mapping(x, ipaddr, sport); 1790 if (!err) 1791 break; 1792 } 1793 read_unlock(&xfrm_km_lock); 1794 return err; 1795} 1796EXPORT_SYMBOL(km_new_mapping); 1797 1798void km_policy_expired(struct xfrm_policy *pol, int dir, int hard, u32 pid) 1799{ 1800 struct net *net = xp_net(pol); 1801 struct km_event c; 1802 1803 c.data.hard = hard; 1804 c.pid = pid; 1805 c.event = XFRM_MSG_POLEXPIRE; 1806 km_policy_notify(pol, dir, &c); 1807 1808 if (hard) 1809 wake_up(&net->xfrm.km_waitq); 1810} 1811EXPORT_SYMBOL(km_policy_expired); 1812 1813#ifdef CONFIG_XFRM_MIGRATE 1814int km_migrate(struct xfrm_selector *sel, u8 dir, u8 type, 1815 struct xfrm_migrate *m, int num_migrate, 1816 struct xfrm_kmaddress *k) 1817{ 1818 int err = -EINVAL; 1819 int ret; 1820 struct xfrm_mgr *km; 1821 1822 read_lock(&xfrm_km_lock); 1823 list_for_each_entry(km, &xfrm_km_list, list) { 1824 if (km->migrate) { 1825 ret = km->migrate(sel, dir, type, m, num_migrate, k); 1826 if (!ret) 1827 err = ret; 1828 } 1829 } 1830 read_unlock(&xfrm_km_lock); 1831 return err; 1832} 1833EXPORT_SYMBOL(km_migrate); 1834#endif 1835 1836int km_report(struct net *net, u8 proto, struct xfrm_selector *sel, xfrm_address_t *addr) 1837{ 1838 int err = -EINVAL; 1839 int ret; 1840 struct xfrm_mgr *km; 1841 1842 read_lock(&xfrm_km_lock); 1843 list_for_each_entry(km, &xfrm_km_list, list) { 1844 if (km->report) { 1845 ret = km->report(net, proto, sel, addr); 1846 if (!ret) 1847 err = ret; 1848 } 1849 } 1850 read_unlock(&xfrm_km_lock); 1851 return err; 1852} 1853EXPORT_SYMBOL(km_report); 1854 1855int xfrm_user_policy(struct sock *sk, int optname, u8 __user *optval, int optlen) 1856{ 1857 int err; 1858 u8 *data; 1859 struct xfrm_mgr *km; 1860 struct xfrm_policy *pol = NULL; 1861 1862 if (optlen <= 0 || optlen > PAGE_SIZE) 1863 return -EMSGSIZE; 1864 1865 data = kmalloc(optlen, GFP_KERNEL); 1866 if (!data) 1867 return -ENOMEM; 1868 1869 err = -EFAULT; 1870 if (copy_from_user(data, optval, optlen)) 1871 goto out; 1872 1873 err = -EINVAL; 1874 read_lock(&xfrm_km_lock); 1875 list_for_each_entry(km, &xfrm_km_list, list) { 1876 pol = km->compile_policy(sk, optname, data, 1877 optlen, &err); 1878 if (err >= 0) 1879 break; 1880 } 1881 read_unlock(&xfrm_km_lock); 1882 1883 if (err >= 0) { 1884 xfrm_sk_policy_insert(sk, err, pol); 1885 xfrm_pol_put(pol); 1886 err = 0; 1887 } 1888 1889out: 1890 kfree(data); 1891 return err; 1892} 1893EXPORT_SYMBOL(xfrm_user_policy); 1894 1895int xfrm_register_km(struct xfrm_mgr *km) 1896{ 1897 write_lock_bh(&xfrm_km_lock); 1898 list_add_tail(&km->list, &xfrm_km_list); 1899 write_unlock_bh(&xfrm_km_lock); 1900 return 0; 1901} 1902EXPORT_SYMBOL(xfrm_register_km); 1903 1904int xfrm_unregister_km(struct xfrm_mgr *km) 1905{ 1906 write_lock_bh(&xfrm_km_lock); 1907 list_del(&km->list); 1908 write_unlock_bh(&xfrm_km_lock); 1909 return 0; 1910} 1911EXPORT_SYMBOL(xfrm_unregister_km); 1912 1913int xfrm_state_register_afinfo(struct xfrm_state_afinfo *afinfo) 1914{ 1915 int err = 0; 1916 if (unlikely(afinfo == NULL)) 1917 return -EINVAL; 1918 if (unlikely(afinfo->family >= NPROTO)) 1919 return -EAFNOSUPPORT; 1920 write_lock_bh(&xfrm_state_afinfo_lock); 1921 if (unlikely(xfrm_state_afinfo[afinfo->family] != NULL)) 1922 err = -ENOBUFS; 1923 else 1924 xfrm_state_afinfo[afinfo->family] = afinfo; 1925 write_unlock_bh(&xfrm_state_afinfo_lock); 1926 return err; 1927} 1928EXPORT_SYMBOL(xfrm_state_register_afinfo); 1929 1930int xfrm_state_unregister_afinfo(struct xfrm_state_afinfo *afinfo) 1931{ 1932 int err = 0; 1933 if (unlikely(afinfo == NULL)) 1934 return -EINVAL; 1935 if (unlikely(afinfo->family >= NPROTO)) 1936 return -EAFNOSUPPORT; 1937 write_lock_bh(&xfrm_state_afinfo_lock); 1938 if (likely(xfrm_state_afinfo[afinfo->family] != NULL)) { 1939 if (unlikely(xfrm_state_afinfo[afinfo->family] != afinfo)) 1940 err = -EINVAL; 1941 else 1942 xfrm_state_afinfo[afinfo->family] = NULL; 1943 } 1944 write_unlock_bh(&xfrm_state_afinfo_lock); 1945 return err; 1946} 1947EXPORT_SYMBOL(xfrm_state_unregister_afinfo); 1948 1949static struct xfrm_state_afinfo *xfrm_state_get_afinfo(unsigned int family) 1950{ 1951 struct xfrm_state_afinfo *afinfo; 1952 if (unlikely(family >= NPROTO)) 1953 return NULL; 1954 read_lock(&xfrm_state_afinfo_lock); 1955 afinfo = xfrm_state_afinfo[family]; 1956 if (unlikely(!afinfo)) 1957 read_unlock(&xfrm_state_afinfo_lock); 1958 return afinfo; 1959} 1960 1961static void xfrm_state_put_afinfo(struct xfrm_state_afinfo *afinfo) 1962 __releases(xfrm_state_afinfo_lock) 1963{ 1964 read_unlock(&xfrm_state_afinfo_lock); 1965} 1966 1967/* Temporarily located here until net/xfrm/xfrm_tunnel.c is created */ 1968void xfrm_state_delete_tunnel(struct xfrm_state *x) 1969{ 1970 if (x->tunnel) { 1971 struct xfrm_state *t = x->tunnel; 1972 1973 if (atomic_read(&t->tunnel_users) == 2) 1974 xfrm_state_delete(t); 1975 atomic_dec(&t->tunnel_users); 1976 xfrm_state_put(t); 1977 x->tunnel = NULL; 1978 } 1979} 1980EXPORT_SYMBOL(xfrm_state_delete_tunnel); 1981 1982int xfrm_state_mtu(struct xfrm_state *x, int mtu) 1983{ 1984 int res; 1985 1986 spin_lock_bh(&x->lock); 1987 if (x->km.state == XFRM_STATE_VALID && 1988 x->type && x->type->get_mtu) 1989 res = x->type->get_mtu(x, mtu); 1990 else 1991 res = mtu - x->props.header_len; 1992 spin_unlock_bh(&x->lock); 1993 return res; 1994} 1995 1996int xfrm_init_state(struct xfrm_state *x) 1997{ 1998 struct xfrm_state_afinfo *afinfo; 1999 struct xfrm_mode *inner_mode; 2000 int family = x->props.family; 2001 int err; 2002 2003 err = -EAFNOSUPPORT; 2004 afinfo = xfrm_state_get_afinfo(family); 2005 if (!afinfo) 2006 goto error; 2007 2008 err = 0; 2009 if (afinfo->init_flags) 2010 err = afinfo->init_flags(x); 2011 2012 xfrm_state_put_afinfo(afinfo); 2013 2014 if (err) 2015 goto error; 2016 2017 err = -EPROTONOSUPPORT; 2018 2019 if (x->sel.family != AF_UNSPEC) { 2020 inner_mode = xfrm_get_mode(x->props.mode, x->sel.family); 2021 if (inner_mode == NULL) 2022 goto error; 2023 2024 if (!(inner_mode->flags & XFRM_MODE_FLAG_TUNNEL) && 2025 family != x->sel.family) { 2026 xfrm_put_mode(inner_mode); 2027 goto error; 2028 } 2029 2030 x->inner_mode = inner_mode; 2031 } else { 2032 struct xfrm_mode *inner_mode_iaf; 2033 2034 inner_mode = xfrm_get_mode(x->props.mode, AF_INET); 2035 if (inner_mode == NULL) 2036 goto error; 2037 2038 if (!(inner_mode->flags & XFRM_MODE_FLAG_TUNNEL)) { 2039 xfrm_put_mode(inner_mode); 2040 goto error; 2041 } 2042 2043 inner_mode_iaf = xfrm_get_mode(x->props.mode, AF_INET6); 2044 if (inner_mode_iaf == NULL) 2045 goto error; 2046 2047 if (!(inner_mode_iaf->flags & XFRM_MODE_FLAG_TUNNEL)) { 2048 xfrm_put_mode(inner_mode_iaf); 2049 goto error; 2050 } 2051 2052 if (x->props.family == AF_INET) { 2053 x->inner_mode = inner_mode; 2054 x->inner_mode_iaf = inner_mode_iaf; 2055 } else { 2056 x->inner_mode = inner_mode_iaf; 2057 x->inner_mode_iaf = inner_mode; 2058 } 2059 } 2060 2061 x->type = xfrm_get_type(x->id.proto, family); 2062 if (x->type == NULL) 2063 goto error; 2064 2065 err = x->type->init_state(x); 2066 if (err) 2067 goto error; 2068 2069 x->outer_mode = xfrm_get_mode(x->props.mode, family); 2070 if (x->outer_mode == NULL) 2071 goto error; 2072 2073 x->km.state = XFRM_STATE_VALID; 2074 2075error: 2076 return err; 2077} 2078 2079EXPORT_SYMBOL(xfrm_init_state); 2080 2081int __net_init xfrm_state_init(struct net *net) 2082{ 2083 unsigned int sz; 2084 2085 INIT_LIST_HEAD(&net->xfrm.state_all); 2086 2087 sz = sizeof(struct hlist_head) * 8; 2088 2089 net->xfrm.state_bydst = xfrm_hash_alloc(sz); 2090 if (!net->xfrm.state_bydst) 2091 goto out_bydst; 2092 net->xfrm.state_bysrc = xfrm_hash_alloc(sz); 2093 if (!net->xfrm.state_bysrc) 2094 goto out_bysrc; 2095 net->xfrm.state_byspi = xfrm_hash_alloc(sz); 2096 if (!net->xfrm.state_byspi) 2097 goto out_byspi; 2098 net->xfrm.state_hmask = ((sz / sizeof(struct hlist_head)) - 1); 2099 2100 net->xfrm.state_num = 0; 2101 INIT_WORK(&net->xfrm.state_hash_work, xfrm_hash_resize); 2102 INIT_HLIST_HEAD(&net->xfrm.state_gc_list); 2103 INIT_WORK(&net->xfrm.state_gc_work, xfrm_state_gc_task); 2104 init_waitqueue_head(&net->xfrm.km_waitq); 2105 return 0; 2106 2107out_byspi: 2108 xfrm_hash_free(net->xfrm.state_bysrc, sz); 2109out_bysrc: 2110 xfrm_hash_free(net->xfrm.state_bydst, sz); 2111out_bydst: 2112 return -ENOMEM; 2113} 2114 2115void xfrm_state_fini(struct net *net) 2116{ 2117 struct xfrm_audit audit_info; 2118 unsigned int sz; 2119 2120 flush_work(&net->xfrm.state_hash_work); 2121 audit_info.loginuid = -1; 2122 audit_info.sessionid = -1; 2123 audit_info.secid = 0; 2124 xfrm_state_flush(net, IPSEC_PROTO_ANY, &audit_info); 2125 flush_work(&net->xfrm.state_gc_work); 2126 2127 WARN_ON(!list_empty(&net->xfrm.state_all)); 2128 2129 sz = (net->xfrm.state_hmask + 1) * sizeof(struct hlist_head); 2130 WARN_ON(!hlist_empty(net->xfrm.state_byspi)); 2131 xfrm_hash_free(net->xfrm.state_byspi, sz); 2132 WARN_ON(!hlist_empty(net->xfrm.state_bysrc)); 2133 xfrm_hash_free(net->xfrm.state_bysrc, sz); 2134 WARN_ON(!hlist_empty(net->xfrm.state_bydst)); 2135 xfrm_hash_free(net->xfrm.state_bydst, sz); 2136} 2137 2138#ifdef CONFIG_AUDITSYSCALL 2139static void xfrm_audit_helper_sainfo(struct xfrm_state *x, 2140 struct audit_buffer *audit_buf) 2141{ 2142 struct xfrm_sec_ctx *ctx = x->security; 2143 u32 spi = ntohl(x->id.spi); 2144 2145 if (ctx) 2146 audit_log_format(audit_buf, " sec_alg=%u sec_doi=%u sec_obj=%s", 2147 ctx->ctx_alg, ctx->ctx_doi, ctx->ctx_str); 2148 2149 switch(x->props.family) { 2150 case AF_INET: 2151 audit_log_format(audit_buf, " src=%pI4 dst=%pI4", 2152 &x->props.saddr.a4, &x->id.daddr.a4); 2153 break; 2154 case AF_INET6: 2155 audit_log_format(audit_buf, " src=%pI6 dst=%pI6", 2156 x->props.saddr.a6, x->id.daddr.a6); 2157 break; 2158 } 2159 2160 audit_log_format(audit_buf, " spi=%u(0x%x)", spi, spi); 2161} 2162 2163static void xfrm_audit_helper_pktinfo(struct sk_buff *skb, u16 family, 2164 struct audit_buffer *audit_buf) 2165{ 2166 struct iphdr *iph4; 2167 struct ipv6hdr *iph6; 2168 2169 switch (family) { 2170 case AF_INET: 2171 iph4 = ip_hdr(skb); 2172 audit_log_format(audit_buf, " src=%pI4 dst=%pI4", 2173 &iph4->saddr, &iph4->daddr); 2174 break; 2175 case AF_INET6: 2176 iph6 = ipv6_hdr(skb); 2177 audit_log_format(audit_buf, 2178 " src=%pI6 dst=%pI6 flowlbl=0x%x%02x%02x", 2179 &iph6->saddr,&iph6->daddr, 2180 iph6->flow_lbl[0] & 0x0f, 2181 iph6->flow_lbl[1], 2182 iph6->flow_lbl[2]); 2183 break; 2184 } 2185} 2186 2187void xfrm_audit_state_add(struct xfrm_state *x, int result, 2188 uid_t auid, u32 sessionid, u32 secid) 2189{ 2190 struct audit_buffer *audit_buf; 2191 2192 audit_buf = xfrm_audit_start("SAD-add"); 2193 if (audit_buf == NULL) 2194 return; 2195 xfrm_audit_helper_usrinfo(auid, sessionid, secid, audit_buf); 2196 xfrm_audit_helper_sainfo(x, audit_buf); 2197 audit_log_format(audit_buf, " res=%u", result); 2198 audit_log_end(audit_buf); 2199} 2200EXPORT_SYMBOL_GPL(xfrm_audit_state_add); 2201 2202void xfrm_audit_state_delete(struct xfrm_state *x, int result, 2203 uid_t auid, u32 sessionid, u32 secid) 2204{ 2205 struct audit_buffer *audit_buf; 2206 2207 audit_buf = xfrm_audit_start("SAD-delete"); 2208 if (audit_buf == NULL) 2209 return; 2210 xfrm_audit_helper_usrinfo(auid, sessionid, secid, audit_buf); 2211 xfrm_audit_helper_sainfo(x, audit_buf); 2212 audit_log_format(audit_buf, " res=%u", result); 2213 audit_log_end(audit_buf); 2214} 2215EXPORT_SYMBOL_GPL(xfrm_audit_state_delete); 2216 2217void xfrm_audit_state_replay_overflow(struct xfrm_state *x, 2218 struct sk_buff *skb) 2219{ 2220 struct audit_buffer *audit_buf; 2221 u32 spi; 2222 2223 audit_buf = xfrm_audit_start("SA-replay-overflow"); 2224 if (audit_buf == NULL) 2225 return; 2226 xfrm_audit_helper_pktinfo(skb, x->props.family, audit_buf); 2227 /* don't record the sequence number because it's inherent in this kind 2228 * of audit message */ 2229 spi = ntohl(x->id.spi); 2230 audit_log_format(audit_buf, " spi=%u(0x%x)", spi, spi); 2231 audit_log_end(audit_buf); 2232} 2233EXPORT_SYMBOL_GPL(xfrm_audit_state_replay_overflow); 2234 2235static void xfrm_audit_state_replay(struct xfrm_state *x, 2236 struct sk_buff *skb, __be32 net_seq) 2237{ 2238 struct audit_buffer *audit_buf; 2239 u32 spi; 2240 2241 audit_buf = xfrm_audit_start("SA-replayed-pkt"); 2242 if (audit_buf == NULL) 2243 return; 2244 xfrm_audit_helper_pktinfo(skb, x->props.family, audit_buf); 2245 spi = ntohl(x->id.spi); 2246 audit_log_format(audit_buf, " spi=%u(0x%x) seqno=%u", 2247 spi, spi, ntohl(net_seq)); 2248 audit_log_end(audit_buf); 2249} 2250 2251void xfrm_audit_state_notfound_simple(struct sk_buff *skb, u16 family) 2252{ 2253 struct audit_buffer *audit_buf; 2254 2255 audit_buf = xfrm_audit_start("SA-notfound"); 2256 if (audit_buf == NULL) 2257 return; 2258 xfrm_audit_helper_pktinfo(skb, family, audit_buf); 2259 audit_log_end(audit_buf); 2260} 2261EXPORT_SYMBOL_GPL(xfrm_audit_state_notfound_simple); 2262 2263void xfrm_audit_state_notfound(struct sk_buff *skb, u16 family, 2264 __be32 net_spi, __be32 net_seq) 2265{ 2266 struct audit_buffer *audit_buf; 2267 u32 spi; 2268 2269 audit_buf = xfrm_audit_start("SA-notfound"); 2270 if (audit_buf == NULL) 2271 return; 2272 xfrm_audit_helper_pktinfo(skb, family, audit_buf); 2273 spi = ntohl(net_spi); 2274 audit_log_format(audit_buf, " spi=%u(0x%x) seqno=%u", 2275 spi, spi, ntohl(net_seq)); 2276 audit_log_end(audit_buf); 2277} 2278EXPORT_SYMBOL_GPL(xfrm_audit_state_notfound); 2279 2280void xfrm_audit_state_icvfail(struct xfrm_state *x, 2281 struct sk_buff *skb, u8 proto) 2282{ 2283 struct audit_buffer *audit_buf; 2284 __be32 net_spi; 2285 __be32 net_seq; 2286 2287 audit_buf = xfrm_audit_start("SA-icv-failure"); 2288 if (audit_buf == NULL) 2289 return; 2290 xfrm_audit_helper_pktinfo(skb, x->props.family, audit_buf); 2291 if (xfrm_parse_spi(skb, proto, &net_spi, &net_seq) == 0) { 2292 u32 spi = ntohl(net_spi); 2293 audit_log_format(audit_buf, " spi=%u(0x%x) seqno=%u", 2294 spi, spi, ntohl(net_seq)); 2295 } 2296 audit_log_end(audit_buf); 2297} 2298EXPORT_SYMBOL_GPL(xfrm_audit_state_icvfail); 2299#endif /* CONFIG_AUDITSYSCALL */ 2300