xfrm_state.c revision b754a4fd8f58d245c9b5e92914cce09c4309cb67
1/* 2 * xfrm_state.c 3 * 4 * Changes: 5 * Mitsuru KANDA @USAGI 6 * Kazunori MIYAZAWA @USAGI 7 * Kunihiro Ishiguro <kunihiro@ipinfusion.com> 8 * IPv6 support 9 * YOSHIFUJI Hideaki @USAGI 10 * Split up af-specific functions 11 * Derek Atkins <derek@ihtfp.com> 12 * Add UDP Encapsulation 13 * 14 */ 15 16#include <linux/workqueue.h> 17#include <net/xfrm.h> 18#include <linux/pfkeyv2.h> 19#include <linux/ipsec.h> 20#include <linux/module.h> 21#include <linux/cache.h> 22#include <linux/audit.h> 23#include <asm/uaccess.h> 24 25#include "xfrm_hash.h" 26 27struct sock *xfrm_nl; 28EXPORT_SYMBOL(xfrm_nl); 29 30u32 sysctl_xfrm_aevent_etime __read_mostly = XFRM_AE_ETIME; 31EXPORT_SYMBOL(sysctl_xfrm_aevent_etime); 32 33u32 sysctl_xfrm_aevent_rseqth __read_mostly = XFRM_AE_SEQT_SIZE; 34EXPORT_SYMBOL(sysctl_xfrm_aevent_rseqth); 35 36u32 sysctl_xfrm_acq_expires __read_mostly = 30; 37 38/* Each xfrm_state may be linked to two tables: 39 40 1. Hash table by (spi,daddr,ah/esp) to find SA by SPI. (input,ctl) 41 2. Hash table by (daddr,family,reqid) to find what SAs exist for given 42 destination/tunnel endpoint. (output) 43 */ 44 45static DEFINE_SPINLOCK(xfrm_state_lock); 46 47static unsigned int xfrm_state_hmask __read_mostly; 48static unsigned int xfrm_state_hashmax __read_mostly = 1 * 1024 * 1024; 49static unsigned int xfrm_state_num; 50static unsigned int xfrm_state_genid; 51 52static struct xfrm_state_afinfo *xfrm_state_get_afinfo(unsigned int family); 53static void xfrm_state_put_afinfo(struct xfrm_state_afinfo *afinfo); 54 55#ifdef CONFIG_AUDITSYSCALL 56static void xfrm_audit_state_replay(struct xfrm_state *x, 57 struct sk_buff *skb, __be32 net_seq); 58#else 59#define xfrm_audit_state_replay(x, s, sq) do { ; } while (0) 60#endif /* CONFIG_AUDITSYSCALL */ 61 62static inline unsigned int xfrm_dst_hash(xfrm_address_t *daddr, 63 xfrm_address_t *saddr, 64 u32 reqid, 65 unsigned short family) 66{ 67 return __xfrm_dst_hash(daddr, saddr, reqid, family, xfrm_state_hmask); 68} 69 70static inline unsigned int xfrm_src_hash(xfrm_address_t *daddr, 71 xfrm_address_t *saddr, 72 unsigned short family) 73{ 74 return __xfrm_src_hash(daddr, saddr, family, xfrm_state_hmask); 75} 76 77static inline unsigned int 78xfrm_spi_hash(xfrm_address_t *daddr, __be32 spi, u8 proto, unsigned short family) 79{ 80 return __xfrm_spi_hash(daddr, spi, proto, family, xfrm_state_hmask); 81} 82 83static void xfrm_hash_transfer(struct hlist_head *list, 84 struct hlist_head *ndsttable, 85 struct hlist_head *nsrctable, 86 struct hlist_head *nspitable, 87 unsigned int nhashmask) 88{ 89 struct hlist_node *entry, *tmp; 90 struct xfrm_state *x; 91 92 hlist_for_each_entry_safe(x, entry, tmp, list, bydst) { 93 unsigned int h; 94 95 h = __xfrm_dst_hash(&x->id.daddr, &x->props.saddr, 96 x->props.reqid, x->props.family, 97 nhashmask); 98 hlist_add_head(&x->bydst, ndsttable+h); 99 100 h = __xfrm_src_hash(&x->id.daddr, &x->props.saddr, 101 x->props.family, 102 nhashmask); 103 hlist_add_head(&x->bysrc, nsrctable+h); 104 105 if (x->id.spi) { 106 h = __xfrm_spi_hash(&x->id.daddr, x->id.spi, 107 x->id.proto, x->props.family, 108 nhashmask); 109 hlist_add_head(&x->byspi, nspitable+h); 110 } 111 } 112} 113 114static unsigned long xfrm_hash_new_size(void) 115{ 116 return ((xfrm_state_hmask + 1) << 1) * 117 sizeof(struct hlist_head); 118} 119 120static DEFINE_MUTEX(hash_resize_mutex); 121 122static void xfrm_hash_resize(struct work_struct *__unused) 123{ 124 struct hlist_head *ndst, *nsrc, *nspi, *odst, *osrc, *ospi; 125 unsigned long nsize, osize; 126 unsigned int nhashmask, ohashmask; 127 int i; 128 129 mutex_lock(&hash_resize_mutex); 130 131 nsize = xfrm_hash_new_size(); 132 ndst = xfrm_hash_alloc(nsize); 133 if (!ndst) 134 goto out_unlock; 135 nsrc = xfrm_hash_alloc(nsize); 136 if (!nsrc) { 137 xfrm_hash_free(ndst, nsize); 138 goto out_unlock; 139 } 140 nspi = xfrm_hash_alloc(nsize); 141 if (!nspi) { 142 xfrm_hash_free(ndst, nsize); 143 xfrm_hash_free(nsrc, nsize); 144 goto out_unlock; 145 } 146 147 spin_lock_bh(&xfrm_state_lock); 148 149 nhashmask = (nsize / sizeof(struct hlist_head)) - 1U; 150 for (i = xfrm_state_hmask; i >= 0; i--) 151 xfrm_hash_transfer(init_net.xfrm.state_bydst+i, ndst, nsrc, nspi, 152 nhashmask); 153 154 odst = init_net.xfrm.state_bydst; 155 osrc = init_net.xfrm.state_bysrc; 156 ospi = init_net.xfrm.state_byspi; 157 ohashmask = xfrm_state_hmask; 158 159 init_net.xfrm.state_bydst = ndst; 160 init_net.xfrm.state_bysrc = nsrc; 161 init_net.xfrm.state_byspi = nspi; 162 xfrm_state_hmask = nhashmask; 163 164 spin_unlock_bh(&xfrm_state_lock); 165 166 osize = (ohashmask + 1) * sizeof(struct hlist_head); 167 xfrm_hash_free(odst, osize); 168 xfrm_hash_free(osrc, osize); 169 xfrm_hash_free(ospi, osize); 170 171out_unlock: 172 mutex_unlock(&hash_resize_mutex); 173} 174 175static DECLARE_WORK(xfrm_hash_work, xfrm_hash_resize); 176 177DECLARE_WAIT_QUEUE_HEAD(km_waitq); 178EXPORT_SYMBOL(km_waitq); 179 180static DEFINE_RWLOCK(xfrm_state_afinfo_lock); 181static struct xfrm_state_afinfo *xfrm_state_afinfo[NPROTO]; 182 183static struct work_struct xfrm_state_gc_work; 184static HLIST_HEAD(xfrm_state_gc_list); 185static DEFINE_SPINLOCK(xfrm_state_gc_lock); 186 187int __xfrm_state_delete(struct xfrm_state *x); 188 189int km_query(struct xfrm_state *x, struct xfrm_tmpl *t, struct xfrm_policy *pol); 190void km_state_expired(struct xfrm_state *x, int hard, u32 pid); 191 192static struct xfrm_state_afinfo *xfrm_state_lock_afinfo(unsigned int family) 193{ 194 struct xfrm_state_afinfo *afinfo; 195 if (unlikely(family >= NPROTO)) 196 return NULL; 197 write_lock_bh(&xfrm_state_afinfo_lock); 198 afinfo = xfrm_state_afinfo[family]; 199 if (unlikely(!afinfo)) 200 write_unlock_bh(&xfrm_state_afinfo_lock); 201 return afinfo; 202} 203 204static void xfrm_state_unlock_afinfo(struct xfrm_state_afinfo *afinfo) 205 __releases(xfrm_state_afinfo_lock) 206{ 207 write_unlock_bh(&xfrm_state_afinfo_lock); 208} 209 210int xfrm_register_type(const struct xfrm_type *type, unsigned short family) 211{ 212 struct xfrm_state_afinfo *afinfo = xfrm_state_lock_afinfo(family); 213 const struct xfrm_type **typemap; 214 int err = 0; 215 216 if (unlikely(afinfo == NULL)) 217 return -EAFNOSUPPORT; 218 typemap = afinfo->type_map; 219 220 if (likely(typemap[type->proto] == NULL)) 221 typemap[type->proto] = type; 222 else 223 err = -EEXIST; 224 xfrm_state_unlock_afinfo(afinfo); 225 return err; 226} 227EXPORT_SYMBOL(xfrm_register_type); 228 229int xfrm_unregister_type(const struct xfrm_type *type, unsigned short family) 230{ 231 struct xfrm_state_afinfo *afinfo = xfrm_state_lock_afinfo(family); 232 const struct xfrm_type **typemap; 233 int err = 0; 234 235 if (unlikely(afinfo == NULL)) 236 return -EAFNOSUPPORT; 237 typemap = afinfo->type_map; 238 239 if (unlikely(typemap[type->proto] != type)) 240 err = -ENOENT; 241 else 242 typemap[type->proto] = NULL; 243 xfrm_state_unlock_afinfo(afinfo); 244 return err; 245} 246EXPORT_SYMBOL(xfrm_unregister_type); 247 248static const struct xfrm_type *xfrm_get_type(u8 proto, unsigned short family) 249{ 250 struct xfrm_state_afinfo *afinfo; 251 const struct xfrm_type **typemap; 252 const struct xfrm_type *type; 253 int modload_attempted = 0; 254 255retry: 256 afinfo = xfrm_state_get_afinfo(family); 257 if (unlikely(afinfo == NULL)) 258 return NULL; 259 typemap = afinfo->type_map; 260 261 type = typemap[proto]; 262 if (unlikely(type && !try_module_get(type->owner))) 263 type = NULL; 264 if (!type && !modload_attempted) { 265 xfrm_state_put_afinfo(afinfo); 266 request_module("xfrm-type-%d-%d", family, proto); 267 modload_attempted = 1; 268 goto retry; 269 } 270 271 xfrm_state_put_afinfo(afinfo); 272 return type; 273} 274 275static void xfrm_put_type(const struct xfrm_type *type) 276{ 277 module_put(type->owner); 278} 279 280int xfrm_register_mode(struct xfrm_mode *mode, int family) 281{ 282 struct xfrm_state_afinfo *afinfo; 283 struct xfrm_mode **modemap; 284 int err; 285 286 if (unlikely(mode->encap >= XFRM_MODE_MAX)) 287 return -EINVAL; 288 289 afinfo = xfrm_state_lock_afinfo(family); 290 if (unlikely(afinfo == NULL)) 291 return -EAFNOSUPPORT; 292 293 err = -EEXIST; 294 modemap = afinfo->mode_map; 295 if (modemap[mode->encap]) 296 goto out; 297 298 err = -ENOENT; 299 if (!try_module_get(afinfo->owner)) 300 goto out; 301 302 mode->afinfo = afinfo; 303 modemap[mode->encap] = mode; 304 err = 0; 305 306out: 307 xfrm_state_unlock_afinfo(afinfo); 308 return err; 309} 310EXPORT_SYMBOL(xfrm_register_mode); 311 312int xfrm_unregister_mode(struct xfrm_mode *mode, int family) 313{ 314 struct xfrm_state_afinfo *afinfo; 315 struct xfrm_mode **modemap; 316 int err; 317 318 if (unlikely(mode->encap >= XFRM_MODE_MAX)) 319 return -EINVAL; 320 321 afinfo = xfrm_state_lock_afinfo(family); 322 if (unlikely(afinfo == NULL)) 323 return -EAFNOSUPPORT; 324 325 err = -ENOENT; 326 modemap = afinfo->mode_map; 327 if (likely(modemap[mode->encap] == mode)) { 328 modemap[mode->encap] = NULL; 329 module_put(mode->afinfo->owner); 330 err = 0; 331 } 332 333 xfrm_state_unlock_afinfo(afinfo); 334 return err; 335} 336EXPORT_SYMBOL(xfrm_unregister_mode); 337 338static struct xfrm_mode *xfrm_get_mode(unsigned int encap, int family) 339{ 340 struct xfrm_state_afinfo *afinfo; 341 struct xfrm_mode *mode; 342 int modload_attempted = 0; 343 344 if (unlikely(encap >= XFRM_MODE_MAX)) 345 return NULL; 346 347retry: 348 afinfo = xfrm_state_get_afinfo(family); 349 if (unlikely(afinfo == NULL)) 350 return NULL; 351 352 mode = afinfo->mode_map[encap]; 353 if (unlikely(mode && !try_module_get(mode->owner))) 354 mode = NULL; 355 if (!mode && !modload_attempted) { 356 xfrm_state_put_afinfo(afinfo); 357 request_module("xfrm-mode-%d-%d", family, encap); 358 modload_attempted = 1; 359 goto retry; 360 } 361 362 xfrm_state_put_afinfo(afinfo); 363 return mode; 364} 365 366static void xfrm_put_mode(struct xfrm_mode *mode) 367{ 368 module_put(mode->owner); 369} 370 371static void xfrm_state_gc_destroy(struct xfrm_state *x) 372{ 373 del_timer_sync(&x->timer); 374 del_timer_sync(&x->rtimer); 375 kfree(x->aalg); 376 kfree(x->ealg); 377 kfree(x->calg); 378 kfree(x->encap); 379 kfree(x->coaddr); 380 if (x->inner_mode) 381 xfrm_put_mode(x->inner_mode); 382 if (x->inner_mode_iaf) 383 xfrm_put_mode(x->inner_mode_iaf); 384 if (x->outer_mode) 385 xfrm_put_mode(x->outer_mode); 386 if (x->type) { 387 x->type->destructor(x); 388 xfrm_put_type(x->type); 389 } 390 security_xfrm_state_free(x); 391 kfree(x); 392} 393 394static void xfrm_state_gc_task(struct work_struct *data) 395{ 396 struct xfrm_state *x; 397 struct hlist_node *entry, *tmp; 398 struct hlist_head gc_list; 399 400 spin_lock_bh(&xfrm_state_gc_lock); 401 hlist_move_list(&xfrm_state_gc_list, &gc_list); 402 spin_unlock_bh(&xfrm_state_gc_lock); 403 404 hlist_for_each_entry_safe(x, entry, tmp, &gc_list, gclist) 405 xfrm_state_gc_destroy(x); 406 407 wake_up(&km_waitq); 408} 409 410static inline unsigned long make_jiffies(long secs) 411{ 412 if (secs >= (MAX_SCHEDULE_TIMEOUT-1)/HZ) 413 return MAX_SCHEDULE_TIMEOUT-1; 414 else 415 return secs*HZ; 416} 417 418static void xfrm_timer_handler(unsigned long data) 419{ 420 struct xfrm_state *x = (struct xfrm_state*)data; 421 unsigned long now = get_seconds(); 422 long next = LONG_MAX; 423 int warn = 0; 424 int err = 0; 425 426 spin_lock(&x->lock); 427 if (x->km.state == XFRM_STATE_DEAD) 428 goto out; 429 if (x->km.state == XFRM_STATE_EXPIRED) 430 goto expired; 431 if (x->lft.hard_add_expires_seconds) { 432 long tmo = x->lft.hard_add_expires_seconds + 433 x->curlft.add_time - now; 434 if (tmo <= 0) 435 goto expired; 436 if (tmo < next) 437 next = tmo; 438 } 439 if (x->lft.hard_use_expires_seconds) { 440 long tmo = x->lft.hard_use_expires_seconds + 441 (x->curlft.use_time ? : now) - now; 442 if (tmo <= 0) 443 goto expired; 444 if (tmo < next) 445 next = tmo; 446 } 447 if (x->km.dying) 448 goto resched; 449 if (x->lft.soft_add_expires_seconds) { 450 long tmo = x->lft.soft_add_expires_seconds + 451 x->curlft.add_time - now; 452 if (tmo <= 0) 453 warn = 1; 454 else if (tmo < next) 455 next = tmo; 456 } 457 if (x->lft.soft_use_expires_seconds) { 458 long tmo = x->lft.soft_use_expires_seconds + 459 (x->curlft.use_time ? : now) - now; 460 if (tmo <= 0) 461 warn = 1; 462 else if (tmo < next) 463 next = tmo; 464 } 465 466 x->km.dying = warn; 467 if (warn) 468 km_state_expired(x, 0, 0); 469resched: 470 if (next != LONG_MAX) 471 mod_timer(&x->timer, jiffies + make_jiffies(next)); 472 473 goto out; 474 475expired: 476 if (x->km.state == XFRM_STATE_ACQ && x->id.spi == 0) { 477 x->km.state = XFRM_STATE_EXPIRED; 478 wake_up(&km_waitq); 479 next = 2; 480 goto resched; 481 } 482 483 err = __xfrm_state_delete(x); 484 if (!err && x->id.spi) 485 km_state_expired(x, 1, 0); 486 487 xfrm_audit_state_delete(x, err ? 0 : 1, 488 audit_get_loginuid(current), 489 audit_get_sessionid(current), 0); 490 491out: 492 spin_unlock(&x->lock); 493} 494 495static void xfrm_replay_timer_handler(unsigned long data); 496 497struct xfrm_state *xfrm_state_alloc(struct net *net) 498{ 499 struct xfrm_state *x; 500 501 x = kzalloc(sizeof(struct xfrm_state), GFP_ATOMIC); 502 503 if (x) { 504 write_pnet(&x->xs_net, net); 505 atomic_set(&x->refcnt, 1); 506 atomic_set(&x->tunnel_users, 0); 507 INIT_LIST_HEAD(&x->km.all); 508 INIT_HLIST_NODE(&x->bydst); 509 INIT_HLIST_NODE(&x->bysrc); 510 INIT_HLIST_NODE(&x->byspi); 511 setup_timer(&x->timer, xfrm_timer_handler, (unsigned long)x); 512 setup_timer(&x->rtimer, xfrm_replay_timer_handler, 513 (unsigned long)x); 514 x->curlft.add_time = get_seconds(); 515 x->lft.soft_byte_limit = XFRM_INF; 516 x->lft.soft_packet_limit = XFRM_INF; 517 x->lft.hard_byte_limit = XFRM_INF; 518 x->lft.hard_packet_limit = XFRM_INF; 519 x->replay_maxage = 0; 520 x->replay_maxdiff = 0; 521 x->inner_mode = NULL; 522 x->inner_mode_iaf = NULL; 523 spin_lock_init(&x->lock); 524 } 525 return x; 526} 527EXPORT_SYMBOL(xfrm_state_alloc); 528 529void __xfrm_state_destroy(struct xfrm_state *x) 530{ 531 WARN_ON(x->km.state != XFRM_STATE_DEAD); 532 533 spin_lock_bh(&xfrm_state_gc_lock); 534 hlist_add_head(&x->gclist, &xfrm_state_gc_list); 535 spin_unlock_bh(&xfrm_state_gc_lock); 536 schedule_work(&xfrm_state_gc_work); 537} 538EXPORT_SYMBOL(__xfrm_state_destroy); 539 540int __xfrm_state_delete(struct xfrm_state *x) 541{ 542 int err = -ESRCH; 543 544 if (x->km.state != XFRM_STATE_DEAD) { 545 x->km.state = XFRM_STATE_DEAD; 546 spin_lock(&xfrm_state_lock); 547 list_del(&x->km.all); 548 hlist_del(&x->bydst); 549 hlist_del(&x->bysrc); 550 if (x->id.spi) 551 hlist_del(&x->byspi); 552 xfrm_state_num--; 553 spin_unlock(&xfrm_state_lock); 554 555 /* All xfrm_state objects are created by xfrm_state_alloc. 556 * The xfrm_state_alloc call gives a reference, and that 557 * is what we are dropping here. 558 */ 559 xfrm_state_put(x); 560 err = 0; 561 } 562 563 return err; 564} 565EXPORT_SYMBOL(__xfrm_state_delete); 566 567int xfrm_state_delete(struct xfrm_state *x) 568{ 569 int err; 570 571 spin_lock_bh(&x->lock); 572 err = __xfrm_state_delete(x); 573 spin_unlock_bh(&x->lock); 574 575 return err; 576} 577EXPORT_SYMBOL(xfrm_state_delete); 578 579#ifdef CONFIG_SECURITY_NETWORK_XFRM 580static inline int 581xfrm_state_flush_secctx_check(u8 proto, struct xfrm_audit *audit_info) 582{ 583 int i, err = 0; 584 585 for (i = 0; i <= xfrm_state_hmask; i++) { 586 struct hlist_node *entry; 587 struct xfrm_state *x; 588 589 hlist_for_each_entry(x, entry, init_net.xfrm.state_bydst+i, bydst) { 590 if (xfrm_id_proto_match(x->id.proto, proto) && 591 (err = security_xfrm_state_delete(x)) != 0) { 592 xfrm_audit_state_delete(x, 0, 593 audit_info->loginuid, 594 audit_info->sessionid, 595 audit_info->secid); 596 return err; 597 } 598 } 599 } 600 601 return err; 602} 603#else 604static inline int 605xfrm_state_flush_secctx_check(u8 proto, struct xfrm_audit *audit_info) 606{ 607 return 0; 608} 609#endif 610 611int xfrm_state_flush(u8 proto, struct xfrm_audit *audit_info) 612{ 613 int i, err = 0; 614 615 spin_lock_bh(&xfrm_state_lock); 616 err = xfrm_state_flush_secctx_check(proto, audit_info); 617 if (err) 618 goto out; 619 620 for (i = 0; i <= xfrm_state_hmask; i++) { 621 struct hlist_node *entry; 622 struct xfrm_state *x; 623restart: 624 hlist_for_each_entry(x, entry, init_net.xfrm.state_bydst+i, bydst) { 625 if (!xfrm_state_kern(x) && 626 xfrm_id_proto_match(x->id.proto, proto)) { 627 xfrm_state_hold(x); 628 spin_unlock_bh(&xfrm_state_lock); 629 630 err = xfrm_state_delete(x); 631 xfrm_audit_state_delete(x, err ? 0 : 1, 632 audit_info->loginuid, 633 audit_info->sessionid, 634 audit_info->secid); 635 xfrm_state_put(x); 636 637 spin_lock_bh(&xfrm_state_lock); 638 goto restart; 639 } 640 } 641 } 642 err = 0; 643 644out: 645 spin_unlock_bh(&xfrm_state_lock); 646 wake_up(&km_waitq); 647 return err; 648} 649EXPORT_SYMBOL(xfrm_state_flush); 650 651void xfrm_sad_getinfo(struct xfrmk_sadinfo *si) 652{ 653 spin_lock_bh(&xfrm_state_lock); 654 si->sadcnt = xfrm_state_num; 655 si->sadhcnt = xfrm_state_hmask; 656 si->sadhmcnt = xfrm_state_hashmax; 657 spin_unlock_bh(&xfrm_state_lock); 658} 659EXPORT_SYMBOL(xfrm_sad_getinfo); 660 661static int 662xfrm_init_tempsel(struct xfrm_state *x, struct flowi *fl, 663 struct xfrm_tmpl *tmpl, 664 xfrm_address_t *daddr, xfrm_address_t *saddr, 665 unsigned short family) 666{ 667 struct xfrm_state_afinfo *afinfo = xfrm_state_get_afinfo(family); 668 if (!afinfo) 669 return -1; 670 afinfo->init_tempsel(x, fl, tmpl, daddr, saddr); 671 xfrm_state_put_afinfo(afinfo); 672 return 0; 673} 674 675static struct xfrm_state *__xfrm_state_lookup(xfrm_address_t *daddr, __be32 spi, u8 proto, unsigned short family) 676{ 677 unsigned int h = xfrm_spi_hash(daddr, spi, proto, family); 678 struct xfrm_state *x; 679 struct hlist_node *entry; 680 681 hlist_for_each_entry(x, entry, init_net.xfrm.state_byspi+h, byspi) { 682 if (x->props.family != family || 683 x->id.spi != spi || 684 x->id.proto != proto) 685 continue; 686 687 switch (family) { 688 case AF_INET: 689 if (x->id.daddr.a4 != daddr->a4) 690 continue; 691 break; 692 case AF_INET6: 693 if (!ipv6_addr_equal((struct in6_addr *)daddr, 694 (struct in6_addr *) 695 x->id.daddr.a6)) 696 continue; 697 break; 698 } 699 700 xfrm_state_hold(x); 701 return x; 702 } 703 704 return NULL; 705} 706 707static struct xfrm_state *__xfrm_state_lookup_byaddr(xfrm_address_t *daddr, xfrm_address_t *saddr, u8 proto, unsigned short family) 708{ 709 unsigned int h = xfrm_src_hash(daddr, saddr, family); 710 struct xfrm_state *x; 711 struct hlist_node *entry; 712 713 hlist_for_each_entry(x, entry, init_net.xfrm.state_bysrc+h, bysrc) { 714 if (x->props.family != family || 715 x->id.proto != proto) 716 continue; 717 718 switch (family) { 719 case AF_INET: 720 if (x->id.daddr.a4 != daddr->a4 || 721 x->props.saddr.a4 != saddr->a4) 722 continue; 723 break; 724 case AF_INET6: 725 if (!ipv6_addr_equal((struct in6_addr *)daddr, 726 (struct in6_addr *) 727 x->id.daddr.a6) || 728 !ipv6_addr_equal((struct in6_addr *)saddr, 729 (struct in6_addr *) 730 x->props.saddr.a6)) 731 continue; 732 break; 733 } 734 735 xfrm_state_hold(x); 736 return x; 737 } 738 739 return NULL; 740} 741 742static inline struct xfrm_state * 743__xfrm_state_locate(struct xfrm_state *x, int use_spi, int family) 744{ 745 if (use_spi) 746 return __xfrm_state_lookup(&x->id.daddr, x->id.spi, 747 x->id.proto, family); 748 else 749 return __xfrm_state_lookup_byaddr(&x->id.daddr, 750 &x->props.saddr, 751 x->id.proto, family); 752} 753 754static void xfrm_hash_grow_check(int have_hash_collision) 755{ 756 if (have_hash_collision && 757 (xfrm_state_hmask + 1) < xfrm_state_hashmax && 758 xfrm_state_num > xfrm_state_hmask) 759 schedule_work(&xfrm_hash_work); 760} 761 762struct xfrm_state * 763xfrm_state_find(xfrm_address_t *daddr, xfrm_address_t *saddr, 764 struct flowi *fl, struct xfrm_tmpl *tmpl, 765 struct xfrm_policy *pol, int *err, 766 unsigned short family) 767{ 768 unsigned int h; 769 struct hlist_node *entry; 770 struct xfrm_state *x, *x0, *to_put; 771 int acquire_in_progress = 0; 772 int error = 0; 773 struct xfrm_state *best = NULL; 774 775 to_put = NULL; 776 777 spin_lock_bh(&xfrm_state_lock); 778 h = xfrm_dst_hash(daddr, saddr, tmpl->reqid, family); 779 hlist_for_each_entry(x, entry, init_net.xfrm.state_bydst+h, bydst) { 780 if (x->props.family == family && 781 x->props.reqid == tmpl->reqid && 782 !(x->props.flags & XFRM_STATE_WILDRECV) && 783 xfrm_state_addr_check(x, daddr, saddr, family) && 784 tmpl->mode == x->props.mode && 785 tmpl->id.proto == x->id.proto && 786 (tmpl->id.spi == x->id.spi || !tmpl->id.spi)) { 787 /* Resolution logic: 788 1. There is a valid state with matching selector. 789 Done. 790 2. Valid state with inappropriate selector. Skip. 791 792 Entering area of "sysdeps". 793 794 3. If state is not valid, selector is temporary, 795 it selects only session which triggered 796 previous resolution. Key manager will do 797 something to install a state with proper 798 selector. 799 */ 800 if (x->km.state == XFRM_STATE_VALID) { 801 if ((x->sel.family && !xfrm_selector_match(&x->sel, fl, x->sel.family)) || 802 !security_xfrm_state_pol_flow_match(x, pol, fl)) 803 continue; 804 if (!best || 805 best->km.dying > x->km.dying || 806 (best->km.dying == x->km.dying && 807 best->curlft.add_time < x->curlft.add_time)) 808 best = x; 809 } else if (x->km.state == XFRM_STATE_ACQ) { 810 acquire_in_progress = 1; 811 } else if (x->km.state == XFRM_STATE_ERROR || 812 x->km.state == XFRM_STATE_EXPIRED) { 813 if (xfrm_selector_match(&x->sel, fl, x->sel.family) && 814 security_xfrm_state_pol_flow_match(x, pol, fl)) 815 error = -ESRCH; 816 } 817 } 818 } 819 820 x = best; 821 if (!x && !error && !acquire_in_progress) { 822 if (tmpl->id.spi && 823 (x0 = __xfrm_state_lookup(daddr, tmpl->id.spi, 824 tmpl->id.proto, family)) != NULL) { 825 to_put = x0; 826 error = -EEXIST; 827 goto out; 828 } 829 x = xfrm_state_alloc(&init_net); 830 if (x == NULL) { 831 error = -ENOMEM; 832 goto out; 833 } 834 /* Initialize temporary selector matching only 835 * to current session. */ 836 xfrm_init_tempsel(x, fl, tmpl, daddr, saddr, family); 837 838 error = security_xfrm_state_alloc_acquire(x, pol->security, fl->secid); 839 if (error) { 840 x->km.state = XFRM_STATE_DEAD; 841 to_put = x; 842 x = NULL; 843 goto out; 844 } 845 846 if (km_query(x, tmpl, pol) == 0) { 847 x->km.state = XFRM_STATE_ACQ; 848 list_add(&x->km.all, &init_net.xfrm.state_all); 849 hlist_add_head(&x->bydst, init_net.xfrm.state_bydst+h); 850 h = xfrm_src_hash(daddr, saddr, family); 851 hlist_add_head(&x->bysrc, init_net.xfrm.state_bysrc+h); 852 if (x->id.spi) { 853 h = xfrm_spi_hash(&x->id.daddr, x->id.spi, x->id.proto, family); 854 hlist_add_head(&x->byspi, init_net.xfrm.state_byspi+h); 855 } 856 x->lft.hard_add_expires_seconds = sysctl_xfrm_acq_expires; 857 x->timer.expires = jiffies + sysctl_xfrm_acq_expires*HZ; 858 add_timer(&x->timer); 859 xfrm_state_num++; 860 xfrm_hash_grow_check(x->bydst.next != NULL); 861 } else { 862 x->km.state = XFRM_STATE_DEAD; 863 to_put = x; 864 x = NULL; 865 error = -ESRCH; 866 } 867 } 868out: 869 if (x) 870 xfrm_state_hold(x); 871 else 872 *err = acquire_in_progress ? -EAGAIN : error; 873 spin_unlock_bh(&xfrm_state_lock); 874 if (to_put) 875 xfrm_state_put(to_put); 876 return x; 877} 878 879struct xfrm_state * 880xfrm_stateonly_find(xfrm_address_t *daddr, xfrm_address_t *saddr, 881 unsigned short family, u8 mode, u8 proto, u32 reqid) 882{ 883 unsigned int h; 884 struct xfrm_state *rx = NULL, *x = NULL; 885 struct hlist_node *entry; 886 887 spin_lock(&xfrm_state_lock); 888 h = xfrm_dst_hash(daddr, saddr, reqid, family); 889 hlist_for_each_entry(x, entry, init_net.xfrm.state_bydst+h, bydst) { 890 if (x->props.family == family && 891 x->props.reqid == reqid && 892 !(x->props.flags & XFRM_STATE_WILDRECV) && 893 xfrm_state_addr_check(x, daddr, saddr, family) && 894 mode == x->props.mode && 895 proto == x->id.proto && 896 x->km.state == XFRM_STATE_VALID) { 897 rx = x; 898 break; 899 } 900 } 901 902 if (rx) 903 xfrm_state_hold(rx); 904 spin_unlock(&xfrm_state_lock); 905 906 907 return rx; 908} 909EXPORT_SYMBOL(xfrm_stateonly_find); 910 911static void __xfrm_state_insert(struct xfrm_state *x) 912{ 913 unsigned int h; 914 915 x->genid = ++xfrm_state_genid; 916 917 list_add(&x->km.all, &init_net.xfrm.state_all); 918 919 h = xfrm_dst_hash(&x->id.daddr, &x->props.saddr, 920 x->props.reqid, x->props.family); 921 hlist_add_head(&x->bydst, init_net.xfrm.state_bydst+h); 922 923 h = xfrm_src_hash(&x->id.daddr, &x->props.saddr, x->props.family); 924 hlist_add_head(&x->bysrc, init_net.xfrm.state_bysrc+h); 925 926 if (x->id.spi) { 927 h = xfrm_spi_hash(&x->id.daddr, x->id.spi, x->id.proto, 928 x->props.family); 929 930 hlist_add_head(&x->byspi, init_net.xfrm.state_byspi+h); 931 } 932 933 mod_timer(&x->timer, jiffies + HZ); 934 if (x->replay_maxage) 935 mod_timer(&x->rtimer, jiffies + x->replay_maxage); 936 937 wake_up(&km_waitq); 938 939 xfrm_state_num++; 940 941 xfrm_hash_grow_check(x->bydst.next != NULL); 942} 943 944/* xfrm_state_lock is held */ 945static void __xfrm_state_bump_genids(struct xfrm_state *xnew) 946{ 947 unsigned short family = xnew->props.family; 948 u32 reqid = xnew->props.reqid; 949 struct xfrm_state *x; 950 struct hlist_node *entry; 951 unsigned int h; 952 953 h = xfrm_dst_hash(&xnew->id.daddr, &xnew->props.saddr, reqid, family); 954 hlist_for_each_entry(x, entry, init_net.xfrm.state_bydst+h, bydst) { 955 if (x->props.family == family && 956 x->props.reqid == reqid && 957 !xfrm_addr_cmp(&x->id.daddr, &xnew->id.daddr, family) && 958 !xfrm_addr_cmp(&x->props.saddr, &xnew->props.saddr, family)) 959 x->genid = xfrm_state_genid; 960 } 961} 962 963void xfrm_state_insert(struct xfrm_state *x) 964{ 965 spin_lock_bh(&xfrm_state_lock); 966 __xfrm_state_bump_genids(x); 967 __xfrm_state_insert(x); 968 spin_unlock_bh(&xfrm_state_lock); 969} 970EXPORT_SYMBOL(xfrm_state_insert); 971 972/* xfrm_state_lock is held */ 973static struct xfrm_state *__find_acq_core(unsigned short family, u8 mode, u32 reqid, u8 proto, xfrm_address_t *daddr, xfrm_address_t *saddr, int create) 974{ 975 unsigned int h = xfrm_dst_hash(daddr, saddr, reqid, family); 976 struct hlist_node *entry; 977 struct xfrm_state *x; 978 979 hlist_for_each_entry(x, entry, init_net.xfrm.state_bydst+h, bydst) { 980 if (x->props.reqid != reqid || 981 x->props.mode != mode || 982 x->props.family != family || 983 x->km.state != XFRM_STATE_ACQ || 984 x->id.spi != 0 || 985 x->id.proto != proto) 986 continue; 987 988 switch (family) { 989 case AF_INET: 990 if (x->id.daddr.a4 != daddr->a4 || 991 x->props.saddr.a4 != saddr->a4) 992 continue; 993 break; 994 case AF_INET6: 995 if (!ipv6_addr_equal((struct in6_addr *)x->id.daddr.a6, 996 (struct in6_addr *)daddr) || 997 !ipv6_addr_equal((struct in6_addr *) 998 x->props.saddr.a6, 999 (struct in6_addr *)saddr)) 1000 continue; 1001 break; 1002 } 1003 1004 xfrm_state_hold(x); 1005 return x; 1006 } 1007 1008 if (!create) 1009 return NULL; 1010 1011 x = xfrm_state_alloc(&init_net); 1012 if (likely(x)) { 1013 switch (family) { 1014 case AF_INET: 1015 x->sel.daddr.a4 = daddr->a4; 1016 x->sel.saddr.a4 = saddr->a4; 1017 x->sel.prefixlen_d = 32; 1018 x->sel.prefixlen_s = 32; 1019 x->props.saddr.a4 = saddr->a4; 1020 x->id.daddr.a4 = daddr->a4; 1021 break; 1022 1023 case AF_INET6: 1024 ipv6_addr_copy((struct in6_addr *)x->sel.daddr.a6, 1025 (struct in6_addr *)daddr); 1026 ipv6_addr_copy((struct in6_addr *)x->sel.saddr.a6, 1027 (struct in6_addr *)saddr); 1028 x->sel.prefixlen_d = 128; 1029 x->sel.prefixlen_s = 128; 1030 ipv6_addr_copy((struct in6_addr *)x->props.saddr.a6, 1031 (struct in6_addr *)saddr); 1032 ipv6_addr_copy((struct in6_addr *)x->id.daddr.a6, 1033 (struct in6_addr *)daddr); 1034 break; 1035 } 1036 1037 x->km.state = XFRM_STATE_ACQ; 1038 x->id.proto = proto; 1039 x->props.family = family; 1040 x->props.mode = mode; 1041 x->props.reqid = reqid; 1042 x->lft.hard_add_expires_seconds = sysctl_xfrm_acq_expires; 1043 xfrm_state_hold(x); 1044 x->timer.expires = jiffies + sysctl_xfrm_acq_expires*HZ; 1045 add_timer(&x->timer); 1046 list_add(&x->km.all, &init_net.xfrm.state_all); 1047 hlist_add_head(&x->bydst, init_net.xfrm.state_bydst+h); 1048 h = xfrm_src_hash(daddr, saddr, family); 1049 hlist_add_head(&x->bysrc, init_net.xfrm.state_bysrc+h); 1050 1051 xfrm_state_num++; 1052 1053 xfrm_hash_grow_check(x->bydst.next != NULL); 1054 } 1055 1056 return x; 1057} 1058 1059static struct xfrm_state *__xfrm_find_acq_byseq(u32 seq); 1060 1061int xfrm_state_add(struct xfrm_state *x) 1062{ 1063 struct xfrm_state *x1, *to_put; 1064 int family; 1065 int err; 1066 int use_spi = xfrm_id_proto_match(x->id.proto, IPSEC_PROTO_ANY); 1067 1068 family = x->props.family; 1069 1070 to_put = NULL; 1071 1072 spin_lock_bh(&xfrm_state_lock); 1073 1074 x1 = __xfrm_state_locate(x, use_spi, family); 1075 if (x1) { 1076 to_put = x1; 1077 x1 = NULL; 1078 err = -EEXIST; 1079 goto out; 1080 } 1081 1082 if (use_spi && x->km.seq) { 1083 x1 = __xfrm_find_acq_byseq(x->km.seq); 1084 if (x1 && ((x1->id.proto != x->id.proto) || 1085 xfrm_addr_cmp(&x1->id.daddr, &x->id.daddr, family))) { 1086 to_put = x1; 1087 x1 = NULL; 1088 } 1089 } 1090 1091 if (use_spi && !x1) 1092 x1 = __find_acq_core(family, x->props.mode, x->props.reqid, 1093 x->id.proto, 1094 &x->id.daddr, &x->props.saddr, 0); 1095 1096 __xfrm_state_bump_genids(x); 1097 __xfrm_state_insert(x); 1098 err = 0; 1099 1100out: 1101 spin_unlock_bh(&xfrm_state_lock); 1102 1103 if (x1) { 1104 xfrm_state_delete(x1); 1105 xfrm_state_put(x1); 1106 } 1107 1108 if (to_put) 1109 xfrm_state_put(to_put); 1110 1111 return err; 1112} 1113EXPORT_SYMBOL(xfrm_state_add); 1114 1115#ifdef CONFIG_XFRM_MIGRATE 1116static struct xfrm_state *xfrm_state_clone(struct xfrm_state *orig, int *errp) 1117{ 1118 int err = -ENOMEM; 1119 struct xfrm_state *x = xfrm_state_alloc(&init_net); 1120 if (!x) 1121 goto error; 1122 1123 memcpy(&x->id, &orig->id, sizeof(x->id)); 1124 memcpy(&x->sel, &orig->sel, sizeof(x->sel)); 1125 memcpy(&x->lft, &orig->lft, sizeof(x->lft)); 1126 x->props.mode = orig->props.mode; 1127 x->props.replay_window = orig->props.replay_window; 1128 x->props.reqid = orig->props.reqid; 1129 x->props.family = orig->props.family; 1130 x->props.saddr = orig->props.saddr; 1131 1132 if (orig->aalg) { 1133 x->aalg = xfrm_algo_clone(orig->aalg); 1134 if (!x->aalg) 1135 goto error; 1136 } 1137 x->props.aalgo = orig->props.aalgo; 1138 1139 if (orig->ealg) { 1140 x->ealg = xfrm_algo_clone(orig->ealg); 1141 if (!x->ealg) 1142 goto error; 1143 } 1144 x->props.ealgo = orig->props.ealgo; 1145 1146 if (orig->calg) { 1147 x->calg = xfrm_algo_clone(orig->calg); 1148 if (!x->calg) 1149 goto error; 1150 } 1151 x->props.calgo = orig->props.calgo; 1152 1153 if (orig->encap) { 1154 x->encap = kmemdup(orig->encap, sizeof(*x->encap), GFP_KERNEL); 1155 if (!x->encap) 1156 goto error; 1157 } 1158 1159 if (orig->coaddr) { 1160 x->coaddr = kmemdup(orig->coaddr, sizeof(*x->coaddr), 1161 GFP_KERNEL); 1162 if (!x->coaddr) 1163 goto error; 1164 } 1165 1166 err = xfrm_init_state(x); 1167 if (err) 1168 goto error; 1169 1170 x->props.flags = orig->props.flags; 1171 1172 x->curlft.add_time = orig->curlft.add_time; 1173 x->km.state = orig->km.state; 1174 x->km.seq = orig->km.seq; 1175 1176 return x; 1177 1178 error: 1179 if (errp) 1180 *errp = err; 1181 if (x) { 1182 kfree(x->aalg); 1183 kfree(x->ealg); 1184 kfree(x->calg); 1185 kfree(x->encap); 1186 kfree(x->coaddr); 1187 } 1188 kfree(x); 1189 return NULL; 1190} 1191 1192/* xfrm_state_lock is held */ 1193struct xfrm_state * xfrm_migrate_state_find(struct xfrm_migrate *m) 1194{ 1195 unsigned int h; 1196 struct xfrm_state *x; 1197 struct hlist_node *entry; 1198 1199 if (m->reqid) { 1200 h = xfrm_dst_hash(&m->old_daddr, &m->old_saddr, 1201 m->reqid, m->old_family); 1202 hlist_for_each_entry(x, entry, init_net.xfrm.state_bydst+h, bydst) { 1203 if (x->props.mode != m->mode || 1204 x->id.proto != m->proto) 1205 continue; 1206 if (m->reqid && x->props.reqid != m->reqid) 1207 continue; 1208 if (xfrm_addr_cmp(&x->id.daddr, &m->old_daddr, 1209 m->old_family) || 1210 xfrm_addr_cmp(&x->props.saddr, &m->old_saddr, 1211 m->old_family)) 1212 continue; 1213 xfrm_state_hold(x); 1214 return x; 1215 } 1216 } else { 1217 h = xfrm_src_hash(&m->old_daddr, &m->old_saddr, 1218 m->old_family); 1219 hlist_for_each_entry(x, entry, init_net.xfrm.state_bysrc+h, bysrc) { 1220 if (x->props.mode != m->mode || 1221 x->id.proto != m->proto) 1222 continue; 1223 if (xfrm_addr_cmp(&x->id.daddr, &m->old_daddr, 1224 m->old_family) || 1225 xfrm_addr_cmp(&x->props.saddr, &m->old_saddr, 1226 m->old_family)) 1227 continue; 1228 xfrm_state_hold(x); 1229 return x; 1230 } 1231 } 1232 1233 return NULL; 1234} 1235EXPORT_SYMBOL(xfrm_migrate_state_find); 1236 1237struct xfrm_state * xfrm_state_migrate(struct xfrm_state *x, 1238 struct xfrm_migrate *m) 1239{ 1240 struct xfrm_state *xc; 1241 int err; 1242 1243 xc = xfrm_state_clone(x, &err); 1244 if (!xc) 1245 return NULL; 1246 1247 memcpy(&xc->id.daddr, &m->new_daddr, sizeof(xc->id.daddr)); 1248 memcpy(&xc->props.saddr, &m->new_saddr, sizeof(xc->props.saddr)); 1249 1250 /* add state */ 1251 if (!xfrm_addr_cmp(&x->id.daddr, &m->new_daddr, m->new_family)) { 1252 /* a care is needed when the destination address of the 1253 state is to be updated as it is a part of triplet */ 1254 xfrm_state_insert(xc); 1255 } else { 1256 if ((err = xfrm_state_add(xc)) < 0) 1257 goto error; 1258 } 1259 1260 return xc; 1261error: 1262 kfree(xc); 1263 return NULL; 1264} 1265EXPORT_SYMBOL(xfrm_state_migrate); 1266#endif 1267 1268int xfrm_state_update(struct xfrm_state *x) 1269{ 1270 struct xfrm_state *x1, *to_put; 1271 int err; 1272 int use_spi = xfrm_id_proto_match(x->id.proto, IPSEC_PROTO_ANY); 1273 1274 to_put = NULL; 1275 1276 spin_lock_bh(&xfrm_state_lock); 1277 x1 = __xfrm_state_locate(x, use_spi, x->props.family); 1278 1279 err = -ESRCH; 1280 if (!x1) 1281 goto out; 1282 1283 if (xfrm_state_kern(x1)) { 1284 to_put = x1; 1285 err = -EEXIST; 1286 goto out; 1287 } 1288 1289 if (x1->km.state == XFRM_STATE_ACQ) { 1290 __xfrm_state_insert(x); 1291 x = NULL; 1292 } 1293 err = 0; 1294 1295out: 1296 spin_unlock_bh(&xfrm_state_lock); 1297 1298 if (to_put) 1299 xfrm_state_put(to_put); 1300 1301 if (err) 1302 return err; 1303 1304 if (!x) { 1305 xfrm_state_delete(x1); 1306 xfrm_state_put(x1); 1307 return 0; 1308 } 1309 1310 err = -EINVAL; 1311 spin_lock_bh(&x1->lock); 1312 if (likely(x1->km.state == XFRM_STATE_VALID)) { 1313 if (x->encap && x1->encap) 1314 memcpy(x1->encap, x->encap, sizeof(*x1->encap)); 1315 if (x->coaddr && x1->coaddr) { 1316 memcpy(x1->coaddr, x->coaddr, sizeof(*x1->coaddr)); 1317 } 1318 if (!use_spi && memcmp(&x1->sel, &x->sel, sizeof(x1->sel))) 1319 memcpy(&x1->sel, &x->sel, sizeof(x1->sel)); 1320 memcpy(&x1->lft, &x->lft, sizeof(x1->lft)); 1321 x1->km.dying = 0; 1322 1323 mod_timer(&x1->timer, jiffies + HZ); 1324 if (x1->curlft.use_time) 1325 xfrm_state_check_expire(x1); 1326 1327 err = 0; 1328 } 1329 spin_unlock_bh(&x1->lock); 1330 1331 xfrm_state_put(x1); 1332 1333 return err; 1334} 1335EXPORT_SYMBOL(xfrm_state_update); 1336 1337int xfrm_state_check_expire(struct xfrm_state *x) 1338{ 1339 if (!x->curlft.use_time) 1340 x->curlft.use_time = get_seconds(); 1341 1342 if (x->km.state != XFRM_STATE_VALID) 1343 return -EINVAL; 1344 1345 if (x->curlft.bytes >= x->lft.hard_byte_limit || 1346 x->curlft.packets >= x->lft.hard_packet_limit) { 1347 x->km.state = XFRM_STATE_EXPIRED; 1348 mod_timer(&x->timer, jiffies); 1349 return -EINVAL; 1350 } 1351 1352 if (!x->km.dying && 1353 (x->curlft.bytes >= x->lft.soft_byte_limit || 1354 x->curlft.packets >= x->lft.soft_packet_limit)) { 1355 x->km.dying = 1; 1356 km_state_expired(x, 0, 0); 1357 } 1358 return 0; 1359} 1360EXPORT_SYMBOL(xfrm_state_check_expire); 1361 1362struct xfrm_state * 1363xfrm_state_lookup(xfrm_address_t *daddr, __be32 spi, u8 proto, 1364 unsigned short family) 1365{ 1366 struct xfrm_state *x; 1367 1368 spin_lock_bh(&xfrm_state_lock); 1369 x = __xfrm_state_lookup(daddr, spi, proto, family); 1370 spin_unlock_bh(&xfrm_state_lock); 1371 return x; 1372} 1373EXPORT_SYMBOL(xfrm_state_lookup); 1374 1375struct xfrm_state * 1376xfrm_state_lookup_byaddr(xfrm_address_t *daddr, xfrm_address_t *saddr, 1377 u8 proto, unsigned short family) 1378{ 1379 struct xfrm_state *x; 1380 1381 spin_lock_bh(&xfrm_state_lock); 1382 x = __xfrm_state_lookup_byaddr(daddr, saddr, proto, family); 1383 spin_unlock_bh(&xfrm_state_lock); 1384 return x; 1385} 1386EXPORT_SYMBOL(xfrm_state_lookup_byaddr); 1387 1388struct xfrm_state * 1389xfrm_find_acq(u8 mode, u32 reqid, u8 proto, 1390 xfrm_address_t *daddr, xfrm_address_t *saddr, 1391 int create, unsigned short family) 1392{ 1393 struct xfrm_state *x; 1394 1395 spin_lock_bh(&xfrm_state_lock); 1396 x = __find_acq_core(family, mode, reqid, proto, daddr, saddr, create); 1397 spin_unlock_bh(&xfrm_state_lock); 1398 1399 return x; 1400} 1401EXPORT_SYMBOL(xfrm_find_acq); 1402 1403#ifdef CONFIG_XFRM_SUB_POLICY 1404int 1405xfrm_tmpl_sort(struct xfrm_tmpl **dst, struct xfrm_tmpl **src, int n, 1406 unsigned short family) 1407{ 1408 int err = 0; 1409 struct xfrm_state_afinfo *afinfo = xfrm_state_get_afinfo(family); 1410 if (!afinfo) 1411 return -EAFNOSUPPORT; 1412 1413 spin_lock_bh(&xfrm_state_lock); 1414 if (afinfo->tmpl_sort) 1415 err = afinfo->tmpl_sort(dst, src, n); 1416 spin_unlock_bh(&xfrm_state_lock); 1417 xfrm_state_put_afinfo(afinfo); 1418 return err; 1419} 1420EXPORT_SYMBOL(xfrm_tmpl_sort); 1421 1422int 1423xfrm_state_sort(struct xfrm_state **dst, struct xfrm_state **src, int n, 1424 unsigned short family) 1425{ 1426 int err = 0; 1427 struct xfrm_state_afinfo *afinfo = xfrm_state_get_afinfo(family); 1428 if (!afinfo) 1429 return -EAFNOSUPPORT; 1430 1431 spin_lock_bh(&xfrm_state_lock); 1432 if (afinfo->state_sort) 1433 err = afinfo->state_sort(dst, src, n); 1434 spin_unlock_bh(&xfrm_state_lock); 1435 xfrm_state_put_afinfo(afinfo); 1436 return err; 1437} 1438EXPORT_SYMBOL(xfrm_state_sort); 1439#endif 1440 1441/* Silly enough, but I'm lazy to build resolution list */ 1442 1443static struct xfrm_state *__xfrm_find_acq_byseq(u32 seq) 1444{ 1445 int i; 1446 1447 for (i = 0; i <= xfrm_state_hmask; i++) { 1448 struct hlist_node *entry; 1449 struct xfrm_state *x; 1450 1451 hlist_for_each_entry(x, entry, init_net.xfrm.state_bydst+i, bydst) { 1452 if (x->km.seq == seq && 1453 x->km.state == XFRM_STATE_ACQ) { 1454 xfrm_state_hold(x); 1455 return x; 1456 } 1457 } 1458 } 1459 return NULL; 1460} 1461 1462struct xfrm_state *xfrm_find_acq_byseq(u32 seq) 1463{ 1464 struct xfrm_state *x; 1465 1466 spin_lock_bh(&xfrm_state_lock); 1467 x = __xfrm_find_acq_byseq(seq); 1468 spin_unlock_bh(&xfrm_state_lock); 1469 return x; 1470} 1471EXPORT_SYMBOL(xfrm_find_acq_byseq); 1472 1473u32 xfrm_get_acqseq(void) 1474{ 1475 u32 res; 1476 static u32 acqseq; 1477 static DEFINE_SPINLOCK(acqseq_lock); 1478 1479 spin_lock_bh(&acqseq_lock); 1480 res = (++acqseq ? : ++acqseq); 1481 spin_unlock_bh(&acqseq_lock); 1482 return res; 1483} 1484EXPORT_SYMBOL(xfrm_get_acqseq); 1485 1486int xfrm_alloc_spi(struct xfrm_state *x, u32 low, u32 high) 1487{ 1488 unsigned int h; 1489 struct xfrm_state *x0; 1490 int err = -ENOENT; 1491 __be32 minspi = htonl(low); 1492 __be32 maxspi = htonl(high); 1493 1494 spin_lock_bh(&x->lock); 1495 if (x->km.state == XFRM_STATE_DEAD) 1496 goto unlock; 1497 1498 err = 0; 1499 if (x->id.spi) 1500 goto unlock; 1501 1502 err = -ENOENT; 1503 1504 if (minspi == maxspi) { 1505 x0 = xfrm_state_lookup(&x->id.daddr, minspi, x->id.proto, x->props.family); 1506 if (x0) { 1507 xfrm_state_put(x0); 1508 goto unlock; 1509 } 1510 x->id.spi = minspi; 1511 } else { 1512 u32 spi = 0; 1513 for (h=0; h<high-low+1; h++) { 1514 spi = low + net_random()%(high-low+1); 1515 x0 = xfrm_state_lookup(&x->id.daddr, htonl(spi), x->id.proto, x->props.family); 1516 if (x0 == NULL) { 1517 x->id.spi = htonl(spi); 1518 break; 1519 } 1520 xfrm_state_put(x0); 1521 } 1522 } 1523 if (x->id.spi) { 1524 spin_lock_bh(&xfrm_state_lock); 1525 h = xfrm_spi_hash(&x->id.daddr, x->id.spi, x->id.proto, x->props.family); 1526 hlist_add_head(&x->byspi, init_net.xfrm.state_byspi+h); 1527 spin_unlock_bh(&xfrm_state_lock); 1528 1529 err = 0; 1530 } 1531 1532unlock: 1533 spin_unlock_bh(&x->lock); 1534 1535 return err; 1536} 1537EXPORT_SYMBOL(xfrm_alloc_spi); 1538 1539int xfrm_state_walk(struct xfrm_state_walk *walk, 1540 int (*func)(struct xfrm_state *, int, void*), 1541 void *data) 1542{ 1543 struct xfrm_state *state; 1544 struct xfrm_state_walk *x; 1545 int err = 0; 1546 1547 if (walk->seq != 0 && list_empty(&walk->all)) 1548 return 0; 1549 1550 spin_lock_bh(&xfrm_state_lock); 1551 if (list_empty(&walk->all)) 1552 x = list_first_entry(&init_net.xfrm.state_all, struct xfrm_state_walk, all); 1553 else 1554 x = list_entry(&walk->all, struct xfrm_state_walk, all); 1555 list_for_each_entry_from(x, &init_net.xfrm.state_all, all) { 1556 if (x->state == XFRM_STATE_DEAD) 1557 continue; 1558 state = container_of(x, struct xfrm_state, km); 1559 if (!xfrm_id_proto_match(state->id.proto, walk->proto)) 1560 continue; 1561 err = func(state, walk->seq, data); 1562 if (err) { 1563 list_move_tail(&walk->all, &x->all); 1564 goto out; 1565 } 1566 walk->seq++; 1567 } 1568 if (walk->seq == 0) { 1569 err = -ENOENT; 1570 goto out; 1571 } 1572 list_del_init(&walk->all); 1573out: 1574 spin_unlock_bh(&xfrm_state_lock); 1575 return err; 1576} 1577EXPORT_SYMBOL(xfrm_state_walk); 1578 1579void xfrm_state_walk_init(struct xfrm_state_walk *walk, u8 proto) 1580{ 1581 INIT_LIST_HEAD(&walk->all); 1582 walk->proto = proto; 1583 walk->state = XFRM_STATE_DEAD; 1584 walk->seq = 0; 1585} 1586EXPORT_SYMBOL(xfrm_state_walk_init); 1587 1588void xfrm_state_walk_done(struct xfrm_state_walk *walk) 1589{ 1590 if (list_empty(&walk->all)) 1591 return; 1592 1593 spin_lock_bh(&xfrm_state_lock); 1594 list_del(&walk->all); 1595 spin_lock_bh(&xfrm_state_lock); 1596} 1597EXPORT_SYMBOL(xfrm_state_walk_done); 1598 1599 1600void xfrm_replay_notify(struct xfrm_state *x, int event) 1601{ 1602 struct km_event c; 1603 /* we send notify messages in case 1604 * 1. we updated on of the sequence numbers, and the seqno difference 1605 * is at least x->replay_maxdiff, in this case we also update the 1606 * timeout of our timer function 1607 * 2. if x->replay_maxage has elapsed since last update, 1608 * and there were changes 1609 * 1610 * The state structure must be locked! 1611 */ 1612 1613 switch (event) { 1614 case XFRM_REPLAY_UPDATE: 1615 if (x->replay_maxdiff && 1616 (x->replay.seq - x->preplay.seq < x->replay_maxdiff) && 1617 (x->replay.oseq - x->preplay.oseq < x->replay_maxdiff)) { 1618 if (x->xflags & XFRM_TIME_DEFER) 1619 event = XFRM_REPLAY_TIMEOUT; 1620 else 1621 return; 1622 } 1623 1624 break; 1625 1626 case XFRM_REPLAY_TIMEOUT: 1627 if ((x->replay.seq == x->preplay.seq) && 1628 (x->replay.bitmap == x->preplay.bitmap) && 1629 (x->replay.oseq == x->preplay.oseq)) { 1630 x->xflags |= XFRM_TIME_DEFER; 1631 return; 1632 } 1633 1634 break; 1635 } 1636 1637 memcpy(&x->preplay, &x->replay, sizeof(struct xfrm_replay_state)); 1638 c.event = XFRM_MSG_NEWAE; 1639 c.data.aevent = event; 1640 km_state_notify(x, &c); 1641 1642 if (x->replay_maxage && 1643 !mod_timer(&x->rtimer, jiffies + x->replay_maxage)) 1644 x->xflags &= ~XFRM_TIME_DEFER; 1645} 1646 1647static void xfrm_replay_timer_handler(unsigned long data) 1648{ 1649 struct xfrm_state *x = (struct xfrm_state*)data; 1650 1651 spin_lock(&x->lock); 1652 1653 if (x->km.state == XFRM_STATE_VALID) { 1654 if (xfrm_aevent_is_on()) 1655 xfrm_replay_notify(x, XFRM_REPLAY_TIMEOUT); 1656 else 1657 x->xflags |= XFRM_TIME_DEFER; 1658 } 1659 1660 spin_unlock(&x->lock); 1661} 1662 1663int xfrm_replay_check(struct xfrm_state *x, 1664 struct sk_buff *skb, __be32 net_seq) 1665{ 1666 u32 diff; 1667 u32 seq = ntohl(net_seq); 1668 1669 if (unlikely(seq == 0)) 1670 goto err; 1671 1672 if (likely(seq > x->replay.seq)) 1673 return 0; 1674 1675 diff = x->replay.seq - seq; 1676 if (diff >= min_t(unsigned int, x->props.replay_window, 1677 sizeof(x->replay.bitmap) * 8)) { 1678 x->stats.replay_window++; 1679 goto err; 1680 } 1681 1682 if (x->replay.bitmap & (1U << diff)) { 1683 x->stats.replay++; 1684 goto err; 1685 } 1686 return 0; 1687 1688err: 1689 xfrm_audit_state_replay(x, skb, net_seq); 1690 return -EINVAL; 1691} 1692 1693void xfrm_replay_advance(struct xfrm_state *x, __be32 net_seq) 1694{ 1695 u32 diff; 1696 u32 seq = ntohl(net_seq); 1697 1698 if (seq > x->replay.seq) { 1699 diff = seq - x->replay.seq; 1700 if (diff < x->props.replay_window) 1701 x->replay.bitmap = ((x->replay.bitmap) << diff) | 1; 1702 else 1703 x->replay.bitmap = 1; 1704 x->replay.seq = seq; 1705 } else { 1706 diff = x->replay.seq - seq; 1707 x->replay.bitmap |= (1U << diff); 1708 } 1709 1710 if (xfrm_aevent_is_on()) 1711 xfrm_replay_notify(x, XFRM_REPLAY_UPDATE); 1712} 1713 1714static LIST_HEAD(xfrm_km_list); 1715static DEFINE_RWLOCK(xfrm_km_lock); 1716 1717void km_policy_notify(struct xfrm_policy *xp, int dir, struct km_event *c) 1718{ 1719 struct xfrm_mgr *km; 1720 1721 read_lock(&xfrm_km_lock); 1722 list_for_each_entry(km, &xfrm_km_list, list) 1723 if (km->notify_policy) 1724 km->notify_policy(xp, dir, c); 1725 read_unlock(&xfrm_km_lock); 1726} 1727 1728void km_state_notify(struct xfrm_state *x, struct km_event *c) 1729{ 1730 struct xfrm_mgr *km; 1731 read_lock(&xfrm_km_lock); 1732 list_for_each_entry(km, &xfrm_km_list, list) 1733 if (km->notify) 1734 km->notify(x, c); 1735 read_unlock(&xfrm_km_lock); 1736} 1737 1738EXPORT_SYMBOL(km_policy_notify); 1739EXPORT_SYMBOL(km_state_notify); 1740 1741void km_state_expired(struct xfrm_state *x, int hard, u32 pid) 1742{ 1743 struct km_event c; 1744 1745 c.data.hard = hard; 1746 c.pid = pid; 1747 c.event = XFRM_MSG_EXPIRE; 1748 km_state_notify(x, &c); 1749 1750 if (hard) 1751 wake_up(&km_waitq); 1752} 1753 1754EXPORT_SYMBOL(km_state_expired); 1755/* 1756 * We send to all registered managers regardless of failure 1757 * We are happy with one success 1758*/ 1759int km_query(struct xfrm_state *x, struct xfrm_tmpl *t, struct xfrm_policy *pol) 1760{ 1761 int err = -EINVAL, acqret; 1762 struct xfrm_mgr *km; 1763 1764 read_lock(&xfrm_km_lock); 1765 list_for_each_entry(km, &xfrm_km_list, list) { 1766 acqret = km->acquire(x, t, pol, XFRM_POLICY_OUT); 1767 if (!acqret) 1768 err = acqret; 1769 } 1770 read_unlock(&xfrm_km_lock); 1771 return err; 1772} 1773EXPORT_SYMBOL(km_query); 1774 1775int km_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport) 1776{ 1777 int err = -EINVAL; 1778 struct xfrm_mgr *km; 1779 1780 read_lock(&xfrm_km_lock); 1781 list_for_each_entry(km, &xfrm_km_list, list) { 1782 if (km->new_mapping) 1783 err = km->new_mapping(x, ipaddr, sport); 1784 if (!err) 1785 break; 1786 } 1787 read_unlock(&xfrm_km_lock); 1788 return err; 1789} 1790EXPORT_SYMBOL(km_new_mapping); 1791 1792void km_policy_expired(struct xfrm_policy *pol, int dir, int hard, u32 pid) 1793{ 1794 struct km_event c; 1795 1796 c.data.hard = hard; 1797 c.pid = pid; 1798 c.event = XFRM_MSG_POLEXPIRE; 1799 km_policy_notify(pol, dir, &c); 1800 1801 if (hard) 1802 wake_up(&km_waitq); 1803} 1804EXPORT_SYMBOL(km_policy_expired); 1805 1806#ifdef CONFIG_XFRM_MIGRATE 1807int km_migrate(struct xfrm_selector *sel, u8 dir, u8 type, 1808 struct xfrm_migrate *m, int num_migrate, 1809 struct xfrm_kmaddress *k) 1810{ 1811 int err = -EINVAL; 1812 int ret; 1813 struct xfrm_mgr *km; 1814 1815 read_lock(&xfrm_km_lock); 1816 list_for_each_entry(km, &xfrm_km_list, list) { 1817 if (km->migrate) { 1818 ret = km->migrate(sel, dir, type, m, num_migrate, k); 1819 if (!ret) 1820 err = ret; 1821 } 1822 } 1823 read_unlock(&xfrm_km_lock); 1824 return err; 1825} 1826EXPORT_SYMBOL(km_migrate); 1827#endif 1828 1829int km_report(u8 proto, struct xfrm_selector *sel, xfrm_address_t *addr) 1830{ 1831 int err = -EINVAL; 1832 int ret; 1833 struct xfrm_mgr *km; 1834 1835 read_lock(&xfrm_km_lock); 1836 list_for_each_entry(km, &xfrm_km_list, list) { 1837 if (km->report) { 1838 ret = km->report(proto, sel, addr); 1839 if (!ret) 1840 err = ret; 1841 } 1842 } 1843 read_unlock(&xfrm_km_lock); 1844 return err; 1845} 1846EXPORT_SYMBOL(km_report); 1847 1848int xfrm_user_policy(struct sock *sk, int optname, u8 __user *optval, int optlen) 1849{ 1850 int err; 1851 u8 *data; 1852 struct xfrm_mgr *km; 1853 struct xfrm_policy *pol = NULL; 1854 1855 if (optlen <= 0 || optlen > PAGE_SIZE) 1856 return -EMSGSIZE; 1857 1858 data = kmalloc(optlen, GFP_KERNEL); 1859 if (!data) 1860 return -ENOMEM; 1861 1862 err = -EFAULT; 1863 if (copy_from_user(data, optval, optlen)) 1864 goto out; 1865 1866 err = -EINVAL; 1867 read_lock(&xfrm_km_lock); 1868 list_for_each_entry(km, &xfrm_km_list, list) { 1869 pol = km->compile_policy(sk, optname, data, 1870 optlen, &err); 1871 if (err >= 0) 1872 break; 1873 } 1874 read_unlock(&xfrm_km_lock); 1875 1876 if (err >= 0) { 1877 xfrm_sk_policy_insert(sk, err, pol); 1878 xfrm_pol_put(pol); 1879 err = 0; 1880 } 1881 1882out: 1883 kfree(data); 1884 return err; 1885} 1886EXPORT_SYMBOL(xfrm_user_policy); 1887 1888int xfrm_register_km(struct xfrm_mgr *km) 1889{ 1890 write_lock_bh(&xfrm_km_lock); 1891 list_add_tail(&km->list, &xfrm_km_list); 1892 write_unlock_bh(&xfrm_km_lock); 1893 return 0; 1894} 1895EXPORT_SYMBOL(xfrm_register_km); 1896 1897int xfrm_unregister_km(struct xfrm_mgr *km) 1898{ 1899 write_lock_bh(&xfrm_km_lock); 1900 list_del(&km->list); 1901 write_unlock_bh(&xfrm_km_lock); 1902 return 0; 1903} 1904EXPORT_SYMBOL(xfrm_unregister_km); 1905 1906int xfrm_state_register_afinfo(struct xfrm_state_afinfo *afinfo) 1907{ 1908 int err = 0; 1909 if (unlikely(afinfo == NULL)) 1910 return -EINVAL; 1911 if (unlikely(afinfo->family >= NPROTO)) 1912 return -EAFNOSUPPORT; 1913 write_lock_bh(&xfrm_state_afinfo_lock); 1914 if (unlikely(xfrm_state_afinfo[afinfo->family] != NULL)) 1915 err = -ENOBUFS; 1916 else 1917 xfrm_state_afinfo[afinfo->family] = afinfo; 1918 write_unlock_bh(&xfrm_state_afinfo_lock); 1919 return err; 1920} 1921EXPORT_SYMBOL(xfrm_state_register_afinfo); 1922 1923int xfrm_state_unregister_afinfo(struct xfrm_state_afinfo *afinfo) 1924{ 1925 int err = 0; 1926 if (unlikely(afinfo == NULL)) 1927 return -EINVAL; 1928 if (unlikely(afinfo->family >= NPROTO)) 1929 return -EAFNOSUPPORT; 1930 write_lock_bh(&xfrm_state_afinfo_lock); 1931 if (likely(xfrm_state_afinfo[afinfo->family] != NULL)) { 1932 if (unlikely(xfrm_state_afinfo[afinfo->family] != afinfo)) 1933 err = -EINVAL; 1934 else 1935 xfrm_state_afinfo[afinfo->family] = NULL; 1936 } 1937 write_unlock_bh(&xfrm_state_afinfo_lock); 1938 return err; 1939} 1940EXPORT_SYMBOL(xfrm_state_unregister_afinfo); 1941 1942static struct xfrm_state_afinfo *xfrm_state_get_afinfo(unsigned int family) 1943{ 1944 struct xfrm_state_afinfo *afinfo; 1945 if (unlikely(family >= NPROTO)) 1946 return NULL; 1947 read_lock(&xfrm_state_afinfo_lock); 1948 afinfo = xfrm_state_afinfo[family]; 1949 if (unlikely(!afinfo)) 1950 read_unlock(&xfrm_state_afinfo_lock); 1951 return afinfo; 1952} 1953 1954static void xfrm_state_put_afinfo(struct xfrm_state_afinfo *afinfo) 1955 __releases(xfrm_state_afinfo_lock) 1956{ 1957 read_unlock(&xfrm_state_afinfo_lock); 1958} 1959 1960/* Temporarily located here until net/xfrm/xfrm_tunnel.c is created */ 1961void xfrm_state_delete_tunnel(struct xfrm_state *x) 1962{ 1963 if (x->tunnel) { 1964 struct xfrm_state *t = x->tunnel; 1965 1966 if (atomic_read(&t->tunnel_users) == 2) 1967 xfrm_state_delete(t); 1968 atomic_dec(&t->tunnel_users); 1969 xfrm_state_put(t); 1970 x->tunnel = NULL; 1971 } 1972} 1973EXPORT_SYMBOL(xfrm_state_delete_tunnel); 1974 1975int xfrm_state_mtu(struct xfrm_state *x, int mtu) 1976{ 1977 int res; 1978 1979 spin_lock_bh(&x->lock); 1980 if (x->km.state == XFRM_STATE_VALID && 1981 x->type && x->type->get_mtu) 1982 res = x->type->get_mtu(x, mtu); 1983 else 1984 res = mtu - x->props.header_len; 1985 spin_unlock_bh(&x->lock); 1986 return res; 1987} 1988 1989int xfrm_init_state(struct xfrm_state *x) 1990{ 1991 struct xfrm_state_afinfo *afinfo; 1992 struct xfrm_mode *inner_mode; 1993 int family = x->props.family; 1994 int err; 1995 1996 err = -EAFNOSUPPORT; 1997 afinfo = xfrm_state_get_afinfo(family); 1998 if (!afinfo) 1999 goto error; 2000 2001 err = 0; 2002 if (afinfo->init_flags) 2003 err = afinfo->init_flags(x); 2004 2005 xfrm_state_put_afinfo(afinfo); 2006 2007 if (err) 2008 goto error; 2009 2010 err = -EPROTONOSUPPORT; 2011 2012 if (x->sel.family != AF_UNSPEC) { 2013 inner_mode = xfrm_get_mode(x->props.mode, x->sel.family); 2014 if (inner_mode == NULL) 2015 goto error; 2016 2017 if (!(inner_mode->flags & XFRM_MODE_FLAG_TUNNEL) && 2018 family != x->sel.family) { 2019 xfrm_put_mode(inner_mode); 2020 goto error; 2021 } 2022 2023 x->inner_mode = inner_mode; 2024 } else { 2025 struct xfrm_mode *inner_mode_iaf; 2026 2027 inner_mode = xfrm_get_mode(x->props.mode, AF_INET); 2028 if (inner_mode == NULL) 2029 goto error; 2030 2031 if (!(inner_mode->flags & XFRM_MODE_FLAG_TUNNEL)) { 2032 xfrm_put_mode(inner_mode); 2033 goto error; 2034 } 2035 2036 inner_mode_iaf = xfrm_get_mode(x->props.mode, AF_INET6); 2037 if (inner_mode_iaf == NULL) 2038 goto error; 2039 2040 if (!(inner_mode_iaf->flags & XFRM_MODE_FLAG_TUNNEL)) { 2041 xfrm_put_mode(inner_mode_iaf); 2042 goto error; 2043 } 2044 2045 if (x->props.family == AF_INET) { 2046 x->inner_mode = inner_mode; 2047 x->inner_mode_iaf = inner_mode_iaf; 2048 } else { 2049 x->inner_mode = inner_mode_iaf; 2050 x->inner_mode_iaf = inner_mode; 2051 } 2052 } 2053 2054 x->type = xfrm_get_type(x->id.proto, family); 2055 if (x->type == NULL) 2056 goto error; 2057 2058 err = x->type->init_state(x); 2059 if (err) 2060 goto error; 2061 2062 x->outer_mode = xfrm_get_mode(x->props.mode, family); 2063 if (x->outer_mode == NULL) 2064 goto error; 2065 2066 x->km.state = XFRM_STATE_VALID; 2067 2068error: 2069 return err; 2070} 2071 2072EXPORT_SYMBOL(xfrm_init_state); 2073 2074int __net_init xfrm_state_init(struct net *net) 2075{ 2076 unsigned int sz; 2077 2078 INIT_LIST_HEAD(&net->xfrm.state_all); 2079 2080 sz = sizeof(struct hlist_head) * 8; 2081 2082 net->xfrm.state_bydst = xfrm_hash_alloc(sz); 2083 if (!net->xfrm.state_bydst) 2084 goto out_bydst; 2085 net->xfrm.state_bysrc = xfrm_hash_alloc(sz); 2086 if (!net->xfrm.state_bysrc) 2087 goto out_bysrc; 2088 net->xfrm.state_byspi = xfrm_hash_alloc(sz); 2089 if (!net->xfrm.state_byspi) 2090 goto out_byspi; 2091 xfrm_state_hmask = ((sz / sizeof(struct hlist_head)) - 1); 2092 2093 INIT_WORK(&xfrm_state_gc_work, xfrm_state_gc_task); 2094 return 0; 2095 2096out_byspi: 2097 xfrm_hash_free(net->xfrm.state_bysrc, sz); 2098out_bysrc: 2099 xfrm_hash_free(net->xfrm.state_bydst, sz); 2100out_bydst: 2101 return -ENOMEM; 2102} 2103 2104void xfrm_state_fini(struct net *net) 2105{ 2106 unsigned int sz; 2107 2108 WARN_ON(!list_empty(&net->xfrm.state_all)); 2109 2110 sz = (xfrm_state_hmask + 1) * sizeof(struct hlist_head); 2111 WARN_ON(!hlist_empty(net->xfrm.state_byspi)); 2112 xfrm_hash_free(net->xfrm.state_byspi, sz); 2113 WARN_ON(!hlist_empty(net->xfrm.state_bysrc)); 2114 xfrm_hash_free(net->xfrm.state_bysrc, sz); 2115 WARN_ON(!hlist_empty(net->xfrm.state_bydst)); 2116 xfrm_hash_free(net->xfrm.state_bydst, sz); 2117} 2118 2119#ifdef CONFIG_AUDITSYSCALL 2120static void xfrm_audit_helper_sainfo(struct xfrm_state *x, 2121 struct audit_buffer *audit_buf) 2122{ 2123 struct xfrm_sec_ctx *ctx = x->security; 2124 u32 spi = ntohl(x->id.spi); 2125 2126 if (ctx) 2127 audit_log_format(audit_buf, " sec_alg=%u sec_doi=%u sec_obj=%s", 2128 ctx->ctx_alg, ctx->ctx_doi, ctx->ctx_str); 2129 2130 switch(x->props.family) { 2131 case AF_INET: 2132 audit_log_format(audit_buf, " src=%pI4 dst=%pI4", 2133 &x->props.saddr.a4, &x->id.daddr.a4); 2134 break; 2135 case AF_INET6: 2136 audit_log_format(audit_buf, " src=%pI6 dst=%pI6", 2137 x->props.saddr.a6, x->id.daddr.a6); 2138 break; 2139 } 2140 2141 audit_log_format(audit_buf, " spi=%u(0x%x)", spi, spi); 2142} 2143 2144static void xfrm_audit_helper_pktinfo(struct sk_buff *skb, u16 family, 2145 struct audit_buffer *audit_buf) 2146{ 2147 struct iphdr *iph4; 2148 struct ipv6hdr *iph6; 2149 2150 switch (family) { 2151 case AF_INET: 2152 iph4 = ip_hdr(skb); 2153 audit_log_format(audit_buf, " src=%pI4 dst=%pI4", 2154 &iph4->saddr, &iph4->daddr); 2155 break; 2156 case AF_INET6: 2157 iph6 = ipv6_hdr(skb); 2158 audit_log_format(audit_buf, 2159 " src=%pI6 dst=%pI6 flowlbl=0x%x%02x%02x", 2160 &iph6->saddr,&iph6->daddr, 2161 iph6->flow_lbl[0] & 0x0f, 2162 iph6->flow_lbl[1], 2163 iph6->flow_lbl[2]); 2164 break; 2165 } 2166} 2167 2168void xfrm_audit_state_add(struct xfrm_state *x, int result, 2169 uid_t auid, u32 sessionid, u32 secid) 2170{ 2171 struct audit_buffer *audit_buf; 2172 2173 audit_buf = xfrm_audit_start("SAD-add"); 2174 if (audit_buf == NULL) 2175 return; 2176 xfrm_audit_helper_usrinfo(auid, sessionid, secid, audit_buf); 2177 xfrm_audit_helper_sainfo(x, audit_buf); 2178 audit_log_format(audit_buf, " res=%u", result); 2179 audit_log_end(audit_buf); 2180} 2181EXPORT_SYMBOL_GPL(xfrm_audit_state_add); 2182 2183void xfrm_audit_state_delete(struct xfrm_state *x, int result, 2184 uid_t auid, u32 sessionid, u32 secid) 2185{ 2186 struct audit_buffer *audit_buf; 2187 2188 audit_buf = xfrm_audit_start("SAD-delete"); 2189 if (audit_buf == NULL) 2190 return; 2191 xfrm_audit_helper_usrinfo(auid, sessionid, secid, audit_buf); 2192 xfrm_audit_helper_sainfo(x, audit_buf); 2193 audit_log_format(audit_buf, " res=%u", result); 2194 audit_log_end(audit_buf); 2195} 2196EXPORT_SYMBOL_GPL(xfrm_audit_state_delete); 2197 2198void xfrm_audit_state_replay_overflow(struct xfrm_state *x, 2199 struct sk_buff *skb) 2200{ 2201 struct audit_buffer *audit_buf; 2202 u32 spi; 2203 2204 audit_buf = xfrm_audit_start("SA-replay-overflow"); 2205 if (audit_buf == NULL) 2206 return; 2207 xfrm_audit_helper_pktinfo(skb, x->props.family, audit_buf); 2208 /* don't record the sequence number because it's inherent in this kind 2209 * of audit message */ 2210 spi = ntohl(x->id.spi); 2211 audit_log_format(audit_buf, " spi=%u(0x%x)", spi, spi); 2212 audit_log_end(audit_buf); 2213} 2214EXPORT_SYMBOL_GPL(xfrm_audit_state_replay_overflow); 2215 2216static void xfrm_audit_state_replay(struct xfrm_state *x, 2217 struct sk_buff *skb, __be32 net_seq) 2218{ 2219 struct audit_buffer *audit_buf; 2220 u32 spi; 2221 2222 audit_buf = xfrm_audit_start("SA-replayed-pkt"); 2223 if (audit_buf == NULL) 2224 return; 2225 xfrm_audit_helper_pktinfo(skb, x->props.family, audit_buf); 2226 spi = ntohl(x->id.spi); 2227 audit_log_format(audit_buf, " spi=%u(0x%x) seqno=%u", 2228 spi, spi, ntohl(net_seq)); 2229 audit_log_end(audit_buf); 2230} 2231 2232void xfrm_audit_state_notfound_simple(struct sk_buff *skb, u16 family) 2233{ 2234 struct audit_buffer *audit_buf; 2235 2236 audit_buf = xfrm_audit_start("SA-notfound"); 2237 if (audit_buf == NULL) 2238 return; 2239 xfrm_audit_helper_pktinfo(skb, family, audit_buf); 2240 audit_log_end(audit_buf); 2241} 2242EXPORT_SYMBOL_GPL(xfrm_audit_state_notfound_simple); 2243 2244void xfrm_audit_state_notfound(struct sk_buff *skb, u16 family, 2245 __be32 net_spi, __be32 net_seq) 2246{ 2247 struct audit_buffer *audit_buf; 2248 u32 spi; 2249 2250 audit_buf = xfrm_audit_start("SA-notfound"); 2251 if (audit_buf == NULL) 2252 return; 2253 xfrm_audit_helper_pktinfo(skb, family, audit_buf); 2254 spi = ntohl(net_spi); 2255 audit_log_format(audit_buf, " spi=%u(0x%x) seqno=%u", 2256 spi, spi, ntohl(net_seq)); 2257 audit_log_end(audit_buf); 2258} 2259EXPORT_SYMBOL_GPL(xfrm_audit_state_notfound); 2260 2261void xfrm_audit_state_icvfail(struct xfrm_state *x, 2262 struct sk_buff *skb, u8 proto) 2263{ 2264 struct audit_buffer *audit_buf; 2265 __be32 net_spi; 2266 __be32 net_seq; 2267 2268 audit_buf = xfrm_audit_start("SA-icv-failure"); 2269 if (audit_buf == NULL) 2270 return; 2271 xfrm_audit_helper_pktinfo(skb, x->props.family, audit_buf); 2272 if (xfrm_parse_spi(skb, proto, &net_spi, &net_seq) == 0) { 2273 u32 spi = ntohl(net_spi); 2274 audit_log_format(audit_buf, " spi=%u(0x%x) seqno=%u", 2275 spi, spi, ntohl(net_seq)); 2276 } 2277 audit_log_end(audit_buf); 2278} 2279EXPORT_SYMBOL_GPL(xfrm_audit_state_icvfail); 2280#endif /* CONFIG_AUDITSYSCALL */ 2281