1 /* SPDX-License-Identifier: GPL-2.0 */ 2 #ifndef _NET_XFRM_H 3 #define _NET_XFRM_H 4 5 #include <linux/compiler.h> 6 #include <linux/xfrm.h> 7 #include <linux/spinlock.h> 8 #include <linux/list.h> 9 #include <linux/skbuff.h> 10 #include <linux/socket.h> 11 #include <linux/pfkeyv2.h> 12 #include <linux/ipsec.h> 13 #include <linux/in6.h> 14 #include <linux/mutex.h> 15 #include <linux/audit.h> 16 #include <linux/slab.h> 17 #include <linux/refcount.h> 18 #include <linux/sockptr.h> 19 20 #include <net/sock.h> 21 #include <net/dst.h> 22 #include <net/ip.h> 23 #include <net/route.h> 24 #include <net/ipv6.h> 25 #include <net/ip6_fib.h> 26 #include <net/flow.h> 27 #include <net/gro_cells.h> 28 29 #include <linux/interrupt.h> 30 31 #ifdef CONFIG_XFRM_STATISTICS 32 #include <net/snmp.h> 33 #endif 34 35 #define XFRM_PROTO_ESP 50 36 #define XFRM_PROTO_AH 51 37 #define XFRM_PROTO_COMP 108 38 #define XFRM_PROTO_IPIP 4 39 #define XFRM_PROTO_IPV6 41 40 #define XFRM_PROTO_ROUTING IPPROTO_ROUTING 41 #define XFRM_PROTO_DSTOPTS IPPROTO_DSTOPTS 42 43 #define XFRM_ALIGN4(len) (((len) + 3) & ~3) 44 #define XFRM_ALIGN8(len) (((len) + 7) & ~7) 45 #define MODULE_ALIAS_XFRM_MODE(family, encap) \ 46 MODULE_ALIAS("xfrm-mode-" __stringify(family) "-" __stringify(encap)) 47 #define MODULE_ALIAS_XFRM_TYPE(family, proto) \ 48 MODULE_ALIAS("xfrm-type-" __stringify(family) "-" __stringify(proto)) 49 #define MODULE_ALIAS_XFRM_OFFLOAD_TYPE(family, proto) \ 50 MODULE_ALIAS("xfrm-offload-" __stringify(family) "-" __stringify(proto)) 51 52 #ifdef CONFIG_XFRM_STATISTICS 53 #define XFRM_INC_STATS(net, field) SNMP_INC_STATS((net)->mib.xfrm_statistics, field) 54 #else 55 #define XFRM_INC_STATS(net, field) ((void)(net)) 56 #endif 57 58 59 /* Organization of SPD aka "XFRM rules" 60 ------------------------------------ 61 62 Basic objects: 63 - policy rule, struct xfrm_policy (=SPD entry) 64 - bundle of transformations, struct dst_entry == struct xfrm_dst (=SA bundle) 65 - instance of a transformer, struct xfrm_state (=SA) 66 - template to clone xfrm_state, struct xfrm_tmpl 67 68 SPD is plain linear list of xfrm_policy rules, ordered by priority. 69 (To be compatible with existing pfkeyv2 implementations, 70 many rules with priority of 0x7fffffff are allowed to exist and 71 such rules are ordered in an unpredictable way, thanks to bsd folks.) 72 73 Lookup is plain linear search until the first match with selector. 74 75 If "action" is "block", then we prohibit the flow, otherwise: 76 if "xfrms_nr" is zero, the flow passes untransformed. Otherwise, 77 policy entry has list of up to XFRM_MAX_DEPTH transformations, 78 described by templates xfrm_tmpl. Each template is resolved 79 to a complete xfrm_state (see below) and we pack bundle of transformations 80 to a dst_entry returned to requestor. 81 82 dst -. xfrm .-> xfrm_state #1 83 |---. child .-> dst -. xfrm .-> xfrm_state #2 84 |---. child .-> dst -. xfrm .-> xfrm_state #3 85 |---. child .-> NULL 86 87 Bundles are cached at xrfm_policy struct (field ->bundles). 88 89 90 Resolution of xrfm_tmpl 91 ----------------------- 92 Template contains: 93 1. ->mode Mode: transport or tunnel 94 2. ->id.proto Protocol: AH/ESP/IPCOMP 95 3. ->id.daddr Remote tunnel endpoint, ignored for transport mode. 96 Q: allow to resolve security gateway? 97 4. ->id.spi If not zero, static SPI. 98 5. ->saddr Local tunnel endpoint, ignored for transport mode. 99 6. ->algos List of allowed algos. Plain bitmask now. 100 Q: ealgos, aalgos, calgos. What a mess... 101 7. ->share Sharing mode. 102 Q: how to implement private sharing mode? To add struct sock* to 103 flow id? 104 105 Having this template we search through SAD searching for entries 106 with appropriate mode/proto/algo, permitted by selector. 107 If no appropriate entry found, it is requested from key manager. 108 109 PROBLEMS: 110 Q: How to find all the bundles referring to a physical path for 111 PMTU discovery? Seems, dst should contain list of all parents... 112 and enter to infinite locking hierarchy disaster. 113 No! It is easier, we will not search for them, let them find us. 114 We add genid to each dst plus pointer to genid of raw IP route, 115 pmtu disc will update pmtu on raw IP route and increase its genid. 116 dst_check() will see this for top level and trigger resyncing 117 metrics. Plus, it will be made via sk->sk_dst_cache. Solved. 118 */ 119 120 struct xfrm_state_walk { 121 struct list_head all; 122 u8 state; 123 u8 dying; 124 u8 proto; 125 u32 seq; 126 struct xfrm_address_filter *filter; 127 }; 128 129 enum { 130 XFRM_DEV_OFFLOAD_IN = 1, 131 XFRM_DEV_OFFLOAD_OUT, 132 XFRM_DEV_OFFLOAD_FWD, 133 }; 134 135 enum { 136 XFRM_DEV_OFFLOAD_UNSPECIFIED, 137 XFRM_DEV_OFFLOAD_CRYPTO, 138 XFRM_DEV_OFFLOAD_PACKET, 139 }; 140 141 enum { 142 XFRM_DEV_OFFLOAD_FLAG_ACQ = 1, 143 }; 144 145 struct xfrm_dev_offload { 146 struct net_device *dev; 147 netdevice_tracker dev_tracker; 148 struct net_device *real_dev; 149 unsigned long offload_handle; 150 u8 dir : 2; 151 u8 type : 2; 152 u8 flags : 2; 153 }; 154 155 struct xfrm_mode { 156 u8 encap; 157 u8 family; 158 u8 flags; 159 }; 160 161 /* Flags for xfrm_mode. */ 162 enum { 163 XFRM_MODE_FLAG_TUNNEL = 1, 164 }; 165 166 enum xfrm_replay_mode { 167 XFRM_REPLAY_MODE_LEGACY, 168 XFRM_REPLAY_MODE_BMP, 169 XFRM_REPLAY_MODE_ESN, 170 }; 171 172 /* Full description of state of transformer. */ 173 struct xfrm_state { 174 possible_net_t xs_net; 175 union { 176 struct hlist_node gclist; 177 struct hlist_node bydst; 178 }; 179 union { 180 struct hlist_node dev_gclist; 181 struct hlist_node bysrc; 182 }; 183 struct hlist_node byspi; 184 struct hlist_node byseq; 185 186 refcount_t refcnt; 187 spinlock_t lock; 188 189 struct xfrm_id id; 190 struct xfrm_selector sel; 191 struct xfrm_mark mark; 192 u32 if_id; 193 u32 tfcpad; 194 195 u32 genid; 196 197 /* Key manager bits */ 198 struct xfrm_state_walk km; 199 200 /* Parameters of this state. */ 201 struct { 202 u32 reqid; 203 u8 mode; 204 u8 replay_window; 205 u8 aalgo, ealgo, calgo; 206 u8 flags; 207 u16 family; 208 xfrm_address_t saddr; 209 int header_len; 210 int trailer_len; 211 u32 extra_flags; 212 struct xfrm_mark smark; 213 } props; 214 215 struct xfrm_lifetime_cfg lft; 216 217 /* Data for transformer */ 218 struct xfrm_algo_auth *aalg; 219 struct xfrm_algo *ealg; 220 struct xfrm_algo *calg; 221 struct xfrm_algo_aead *aead; 222 const char *geniv; 223 224 /* mapping change rate limiting */ 225 __be16 new_mapping_sport; 226 u32 new_mapping; /* seconds */ 227 u32 mapping_maxage; /* seconds for input SA */ 228 229 /* Data for encapsulator */ 230 struct xfrm_encap_tmpl *encap; 231 struct sock __rcu *encap_sk; 232 233 /* Data for care-of address */ 234 xfrm_address_t *coaddr; 235 236 /* IPComp needs an IPIP tunnel for handling uncompressed packets */ 237 struct xfrm_state *tunnel; 238 239 /* If a tunnel, number of users + 1 */ 240 atomic_t tunnel_users; 241 242 /* State for replay detection */ 243 struct xfrm_replay_state replay; 244 struct xfrm_replay_state_esn *replay_esn; 245 246 /* Replay detection state at the time we sent the last notification */ 247 struct xfrm_replay_state preplay; 248 struct xfrm_replay_state_esn *preplay_esn; 249 250 /* replay detection mode */ 251 enum xfrm_replay_mode repl_mode; 252 /* internal flag that only holds state for delayed aevent at the 253 * moment 254 */ 255 u32 xflags; 256 257 /* Replay detection notification settings */ 258 u32 replay_maxage; 259 u32 replay_maxdiff; 260 261 /* Replay detection notification timer */ 262 struct timer_list rtimer; 263 264 /* Statistics */ 265 struct xfrm_stats stats; 266 267 struct xfrm_lifetime_cur curlft; 268 struct hrtimer mtimer; 269 270 struct xfrm_dev_offload xso; 271 272 /* used to fix curlft->add_time when changing date */ 273 long saved_tmo; 274 275 /* Last used time */ 276 time64_t lastused; 277 278 struct page_frag xfrag; 279 280 /* Reference to data common to all the instances of this 281 * transformer. */ 282 const struct xfrm_type *type; 283 struct xfrm_mode inner_mode; 284 struct xfrm_mode inner_mode_iaf; 285 struct xfrm_mode outer_mode; 286 287 const struct xfrm_type_offload *type_offload; 288 289 /* Security context */ 290 struct xfrm_sec_ctx *security; 291 292 /* Private data of this transformer, format is opaque, 293 * interpreted by xfrm_type methods. */ 294 void *data; 295 }; 296 xs_net(struct xfrm_state * x)297 static inline struct net *xs_net(struct xfrm_state *x) 298 { 299 return read_pnet(&x->xs_net); 300 } 301 302 /* xflags - make enum if more show up */ 303 #define XFRM_TIME_DEFER 1 304 #define XFRM_SOFT_EXPIRE 2 305 306 enum { 307 XFRM_STATE_VOID, 308 XFRM_STATE_ACQ, 309 XFRM_STATE_VALID, 310 XFRM_STATE_ERROR, 311 XFRM_STATE_EXPIRED, 312 XFRM_STATE_DEAD 313 }; 314 315 /* callback structure passed from either netlink or pfkey */ 316 struct km_event { 317 union { 318 u32 hard; 319 u32 proto; 320 u32 byid; 321 u32 aevent; 322 u32 type; 323 } data; 324 325 u32 seq; 326 u32 portid; 327 u32 event; 328 struct net *net; 329 }; 330 331 struct xfrm_if_decode_session_result { 332 struct net *net; 333 u32 if_id; 334 }; 335 336 struct xfrm_if_cb { 337 bool (*decode_session)(struct sk_buff *skb, 338 unsigned short family, 339 struct xfrm_if_decode_session_result *res); 340 }; 341 342 void xfrm_if_register_cb(const struct xfrm_if_cb *ifcb); 343 void xfrm_if_unregister_cb(void); 344 345 struct xfrm_dst_lookup_params { 346 struct net *net; 347 int tos; 348 int oif; 349 xfrm_address_t *saddr; 350 xfrm_address_t *daddr; 351 u32 mark; 352 __u8 ipproto; 353 union flowi_uli uli; 354 }; 355 356 struct net_device; 357 struct xfrm_type; 358 struct xfrm_dst; 359 struct xfrm_policy_afinfo { 360 struct dst_ops *dst_ops; 361 struct dst_entry *(*dst_lookup)(const struct xfrm_dst_lookup_params *params); 362 int (*get_saddr)(xfrm_address_t *saddr, 363 const struct xfrm_dst_lookup_params *params); 364 int (*fill_dst)(struct xfrm_dst *xdst, 365 struct net_device *dev, 366 const struct flowi *fl); 367 struct dst_entry *(*blackhole_route)(struct net *net, struct dst_entry *orig); 368 }; 369 370 int xfrm_policy_register_afinfo(const struct xfrm_policy_afinfo *afinfo, int family); 371 void xfrm_policy_unregister_afinfo(const struct xfrm_policy_afinfo *afinfo); 372 void km_policy_notify(struct xfrm_policy *xp, int dir, 373 const struct km_event *c); 374 void km_state_notify(struct xfrm_state *x, const struct km_event *c); 375 376 struct xfrm_tmpl; 377 int km_query(struct xfrm_state *x, struct xfrm_tmpl *t, 378 struct xfrm_policy *pol); 379 void km_state_expired(struct xfrm_state *x, int hard, u32 portid); 380 int __xfrm_state_delete(struct xfrm_state *x); 381 382 struct xfrm_state_afinfo { 383 u8 family; 384 u8 proto; 385 386 const struct xfrm_type_offload *type_offload_esp; 387 388 const struct xfrm_type *type_esp; 389 const struct xfrm_type *type_ipip; 390 const struct xfrm_type *type_ipip6; 391 const struct xfrm_type *type_comp; 392 const struct xfrm_type *type_ah; 393 const struct xfrm_type *type_routing; 394 const struct xfrm_type *type_dstopts; 395 396 int (*output)(struct net *net, struct sock *sk, struct sk_buff *skb); 397 int (*transport_finish)(struct sk_buff *skb, 398 int async); 399 void (*local_error)(struct sk_buff *skb, u32 mtu); 400 }; 401 402 int xfrm_state_register_afinfo(struct xfrm_state_afinfo *afinfo); 403 int xfrm_state_unregister_afinfo(struct xfrm_state_afinfo *afinfo); 404 struct xfrm_state_afinfo *xfrm_state_get_afinfo(unsigned int family); 405 struct xfrm_state_afinfo *xfrm_state_afinfo_get_rcu(unsigned int family); 406 407 struct xfrm_input_afinfo { 408 u8 family; 409 bool is_ipip; 410 int (*callback)(struct sk_buff *skb, u8 protocol, 411 int err); 412 }; 413 414 int xfrm_input_register_afinfo(const struct xfrm_input_afinfo *afinfo); 415 int xfrm_input_unregister_afinfo(const struct xfrm_input_afinfo *afinfo); 416 417 void xfrm_flush_gc(void); 418 void xfrm_state_delete_tunnel(struct xfrm_state *x); 419 420 struct xfrm_type { 421 struct module *owner; 422 u8 proto; 423 u8 flags; 424 #define XFRM_TYPE_NON_FRAGMENT 1 425 #define XFRM_TYPE_REPLAY_PROT 2 426 #define XFRM_TYPE_LOCAL_COADDR 4 427 #define XFRM_TYPE_REMOTE_COADDR 8 428 429 int (*init_state)(struct xfrm_state *x, 430 struct netlink_ext_ack *extack); 431 void (*destructor)(struct xfrm_state *); 432 int (*input)(struct xfrm_state *, struct sk_buff *skb); 433 int (*output)(struct xfrm_state *, struct sk_buff *pskb); 434 int (*reject)(struct xfrm_state *, struct sk_buff *, 435 const struct flowi *); 436 }; 437 438 int xfrm_register_type(const struct xfrm_type *type, unsigned short family); 439 void xfrm_unregister_type(const struct xfrm_type *type, unsigned short family); 440 441 struct xfrm_type_offload { 442 struct module *owner; 443 u8 proto; 444 void (*encap)(struct xfrm_state *, struct sk_buff *pskb); 445 int (*input_tail)(struct xfrm_state *x, struct sk_buff *skb); 446 int (*xmit)(struct xfrm_state *, struct sk_buff *pskb, netdev_features_t features); 447 }; 448 449 int xfrm_register_type_offload(const struct xfrm_type_offload *type, unsigned short family); 450 void xfrm_unregister_type_offload(const struct xfrm_type_offload *type, unsigned short family); 451 xfrm_af2proto(unsigned int family)452 static inline int xfrm_af2proto(unsigned int family) 453 { 454 switch(family) { 455 case AF_INET: 456 return IPPROTO_IPIP; 457 case AF_INET6: 458 return IPPROTO_IPV6; 459 default: 460 return 0; 461 } 462 } 463 xfrm_ip2inner_mode(struct xfrm_state * x,int ipproto)464 static inline const struct xfrm_mode *xfrm_ip2inner_mode(struct xfrm_state *x, int ipproto) 465 { 466 if ((ipproto == IPPROTO_IPIP && x->props.family == AF_INET) || 467 (ipproto == IPPROTO_IPV6 && x->props.family == AF_INET6)) 468 return &x->inner_mode; 469 else 470 return &x->inner_mode_iaf; 471 } 472 473 struct xfrm_tmpl { 474 /* id in template is interpreted as: 475 * daddr - destination of tunnel, may be zero for transport mode. 476 * spi - zero to acquire spi. Not zero if spi is static, then 477 * daddr must be fixed too. 478 * proto - AH/ESP/IPCOMP 479 */ 480 struct xfrm_id id; 481 482 /* Source address of tunnel. Ignored, if it is not a tunnel. */ 483 xfrm_address_t saddr; 484 485 unsigned short encap_family; 486 487 u32 reqid; 488 489 /* Mode: transport, tunnel etc. */ 490 u8 mode; 491 492 /* Sharing mode: unique, this session only, this user only etc. */ 493 u8 share; 494 495 /* May skip this transfomration if no SA is found */ 496 u8 optional; 497 498 /* Skip aalgos/ealgos/calgos checks. */ 499 u8 allalgs; 500 501 /* Bit mask of algos allowed for acquisition */ 502 u32 aalgos; 503 u32 ealgos; 504 u32 calgos; 505 }; 506 507 #define XFRM_MAX_DEPTH 6 508 #define XFRM_MAX_OFFLOAD_DEPTH 1 509 510 struct xfrm_policy_walk_entry { 511 struct list_head all; 512 u8 dead; 513 }; 514 515 struct xfrm_policy_walk { 516 struct xfrm_policy_walk_entry walk; 517 u8 type; 518 u32 seq; 519 }; 520 521 struct xfrm_policy_queue { 522 struct sk_buff_head hold_queue; 523 struct timer_list hold_timer; 524 unsigned long timeout; 525 }; 526 527 struct xfrm_policy { 528 possible_net_t xp_net; 529 struct hlist_node bydst; 530 struct hlist_node byidx; 531 532 /* This lock only affects elements except for entry. */ 533 rwlock_t lock; 534 refcount_t refcnt; 535 u32 pos; 536 struct timer_list timer; 537 538 atomic_t genid; 539 u32 priority; 540 u32 index; 541 u32 if_id; 542 struct xfrm_mark mark; 543 struct xfrm_selector selector; 544 struct xfrm_lifetime_cfg lft; 545 struct xfrm_lifetime_cur curlft; 546 struct xfrm_policy_walk_entry walk; 547 struct xfrm_policy_queue polq; 548 bool bydst_reinsert; 549 u8 type; 550 u8 action; 551 u8 flags; 552 u8 xfrm_nr; 553 u16 family; 554 struct xfrm_sec_ctx *security; 555 struct xfrm_tmpl xfrm_vec[XFRM_MAX_DEPTH]; 556 struct hlist_node bydst_inexact_list; 557 struct rcu_head rcu; 558 559 struct xfrm_dev_offload xdo; 560 }; 561 xp_net(const struct xfrm_policy * xp)562 static inline struct net *xp_net(const struct xfrm_policy *xp) 563 { 564 return read_pnet(&xp->xp_net); 565 } 566 567 struct xfrm_kmaddress { 568 xfrm_address_t local; 569 xfrm_address_t remote; 570 u32 reserved; 571 u16 family; 572 }; 573 574 struct xfrm_migrate { 575 xfrm_address_t old_daddr; 576 xfrm_address_t old_saddr; 577 xfrm_address_t new_daddr; 578 xfrm_address_t new_saddr; 579 u8 proto; 580 u8 mode; 581 u16 reserved; 582 u32 reqid; 583 u16 old_family; 584 u16 new_family; 585 }; 586 587 #define XFRM_KM_TIMEOUT 30 588 /* what happened */ 589 #define XFRM_REPLAY_UPDATE XFRM_AE_CR 590 #define XFRM_REPLAY_TIMEOUT XFRM_AE_CE 591 592 /* default aevent timeout in units of 100ms */ 593 #define XFRM_AE_ETIME 10 594 /* Async Event timer multiplier */ 595 #define XFRM_AE_ETH_M 10 596 /* default seq threshold size */ 597 #define XFRM_AE_SEQT_SIZE 2 598 599 struct xfrm_mgr { 600 struct list_head list; 601 int (*notify)(struct xfrm_state *x, const struct km_event *c); 602 int (*acquire)(struct xfrm_state *x, struct xfrm_tmpl *, struct xfrm_policy *xp); 603 struct xfrm_policy *(*compile_policy)(struct sock *sk, int opt, u8 *data, int len, int *dir); 604 int (*new_mapping)(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport); 605 int (*notify_policy)(struct xfrm_policy *x, int dir, const struct km_event *c); 606 int (*report)(struct net *net, u8 proto, struct xfrm_selector *sel, xfrm_address_t *addr); 607 int (*migrate)(const struct xfrm_selector *sel, 608 u8 dir, u8 type, 609 const struct xfrm_migrate *m, 610 int num_bundles, 611 const struct xfrm_kmaddress *k, 612 const struct xfrm_encap_tmpl *encap); 613 bool (*is_alive)(const struct km_event *c); 614 }; 615 616 void xfrm_register_km(struct xfrm_mgr *km); 617 void xfrm_unregister_km(struct xfrm_mgr *km); 618 619 struct xfrm_tunnel_skb_cb { 620 union { 621 struct inet_skb_parm h4; 622 struct inet6_skb_parm h6; 623 } header; 624 625 union { 626 struct ip_tunnel *ip4; 627 struct ip6_tnl *ip6; 628 } tunnel; 629 }; 630 631 #define XFRM_TUNNEL_SKB_CB(__skb) ((struct xfrm_tunnel_skb_cb *)&((__skb)->cb[0])) 632 633 /* 634 * This structure is used for the duration where packets are being 635 * transformed by IPsec. As soon as the packet leaves IPsec the 636 * area beyond the generic IP part may be overwritten. 637 */ 638 struct xfrm_skb_cb { 639 struct xfrm_tunnel_skb_cb header; 640 641 /* Sequence number for replay protection. */ 642 union { 643 struct { 644 __u32 low; 645 __u32 hi; 646 } output; 647 struct { 648 __be32 low; 649 __be32 hi; 650 } input; 651 } seq; 652 }; 653 654 #define XFRM_SKB_CB(__skb) ((struct xfrm_skb_cb *)&((__skb)->cb[0])) 655 656 /* 657 * This structure is used by the afinfo prepare_input/prepare_output functions 658 * to transmit header information to the mode input/output functions. 659 */ 660 struct xfrm_mode_skb_cb { 661 struct xfrm_tunnel_skb_cb header; 662 663 /* Copied from header for IPv4, always set to zero and DF for IPv6. */ 664 __be16 id; 665 __be16 frag_off; 666 667 /* IP header length (excluding options or extension headers). */ 668 u8 ihl; 669 670 /* TOS for IPv4, class for IPv6. */ 671 u8 tos; 672 673 /* TTL for IPv4, hop limitfor IPv6. */ 674 u8 ttl; 675 676 /* Protocol for IPv4, NH for IPv6. */ 677 u8 protocol; 678 679 /* Option length for IPv4, zero for IPv6. */ 680 u8 optlen; 681 682 /* Used by IPv6 only, zero for IPv4. */ 683 u8 flow_lbl[3]; 684 }; 685 686 #define XFRM_MODE_SKB_CB(__skb) ((struct xfrm_mode_skb_cb *)&((__skb)->cb[0])) 687 688 /* 689 * This structure is used by the input processing to locate the SPI and 690 * related information. 691 */ 692 struct xfrm_spi_skb_cb { 693 struct xfrm_tunnel_skb_cb header; 694 695 unsigned int daddroff; 696 unsigned int family; 697 __be32 seq; 698 }; 699 700 #define XFRM_SPI_SKB_CB(__skb) ((struct xfrm_spi_skb_cb *)&((__skb)->cb[0])) 701 702 #ifdef CONFIG_AUDITSYSCALL xfrm_audit_start(const char * op)703 static inline struct audit_buffer *xfrm_audit_start(const char *op) 704 { 705 struct audit_buffer *audit_buf = NULL; 706 707 if (audit_enabled == AUDIT_OFF) 708 return NULL; 709 audit_buf = audit_log_start(audit_context(), GFP_ATOMIC, 710 AUDIT_MAC_IPSEC_EVENT); 711 if (audit_buf == NULL) 712 return NULL; 713 audit_log_format(audit_buf, "op=%s", op); 714 return audit_buf; 715 } 716 xfrm_audit_helper_usrinfo(bool task_valid,struct audit_buffer * audit_buf)717 static inline void xfrm_audit_helper_usrinfo(bool task_valid, 718 struct audit_buffer *audit_buf) 719 { 720 const unsigned int auid = from_kuid(&init_user_ns, task_valid ? 721 audit_get_loginuid(current) : 722 INVALID_UID); 723 const unsigned int ses = task_valid ? audit_get_sessionid(current) : 724 AUDIT_SID_UNSET; 725 726 audit_log_format(audit_buf, " auid=%u ses=%u", auid, ses); 727 audit_log_task_context(audit_buf); 728 } 729 730 void xfrm_audit_policy_add(struct xfrm_policy *xp, int result, bool task_valid); 731 void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result, 732 bool task_valid); 733 void xfrm_audit_state_add(struct xfrm_state *x, int result, bool task_valid); 734 void xfrm_audit_state_delete(struct xfrm_state *x, int result, bool task_valid); 735 void xfrm_audit_state_replay_overflow(struct xfrm_state *x, 736 struct sk_buff *skb); 737 void xfrm_audit_state_replay(struct xfrm_state *x, struct sk_buff *skb, 738 __be32 net_seq); 739 void xfrm_audit_state_notfound_simple(struct sk_buff *skb, u16 family); 740 void xfrm_audit_state_notfound(struct sk_buff *skb, u16 family, __be32 net_spi, 741 __be32 net_seq); 742 void xfrm_audit_state_icvfail(struct xfrm_state *x, struct sk_buff *skb, 743 u8 proto); 744 #else 745 xfrm_audit_policy_add(struct xfrm_policy * xp,int result,bool task_valid)746 static inline void xfrm_audit_policy_add(struct xfrm_policy *xp, int result, 747 bool task_valid) 748 { 749 } 750 xfrm_audit_policy_delete(struct xfrm_policy * xp,int result,bool task_valid)751 static inline void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result, 752 bool task_valid) 753 { 754 } 755 xfrm_audit_state_add(struct xfrm_state * x,int result,bool task_valid)756 static inline void xfrm_audit_state_add(struct xfrm_state *x, int result, 757 bool task_valid) 758 { 759 } 760 xfrm_audit_state_delete(struct xfrm_state * x,int result,bool task_valid)761 static inline void xfrm_audit_state_delete(struct xfrm_state *x, int result, 762 bool task_valid) 763 { 764 } 765 xfrm_audit_state_replay_overflow(struct xfrm_state * x,struct sk_buff * skb)766 static inline void xfrm_audit_state_replay_overflow(struct xfrm_state *x, 767 struct sk_buff *skb) 768 { 769 } 770 xfrm_audit_state_replay(struct xfrm_state * x,struct sk_buff * skb,__be32 net_seq)771 static inline void xfrm_audit_state_replay(struct xfrm_state *x, 772 struct sk_buff *skb, __be32 net_seq) 773 { 774 } 775 xfrm_audit_state_notfound_simple(struct sk_buff * skb,u16 family)776 static inline void xfrm_audit_state_notfound_simple(struct sk_buff *skb, 777 u16 family) 778 { 779 } 780 xfrm_audit_state_notfound(struct sk_buff * skb,u16 family,__be32 net_spi,__be32 net_seq)781 static inline void xfrm_audit_state_notfound(struct sk_buff *skb, u16 family, 782 __be32 net_spi, __be32 net_seq) 783 { 784 } 785 xfrm_audit_state_icvfail(struct xfrm_state * x,struct sk_buff * skb,u8 proto)786 static inline void xfrm_audit_state_icvfail(struct xfrm_state *x, 787 struct sk_buff *skb, u8 proto) 788 { 789 } 790 #endif /* CONFIG_AUDITSYSCALL */ 791 xfrm_pol_hold(struct xfrm_policy * policy)792 static inline void xfrm_pol_hold(struct xfrm_policy *policy) 793 { 794 if (likely(policy != NULL)) 795 refcount_inc(&policy->refcnt); 796 } 797 798 void xfrm_policy_destroy(struct xfrm_policy *policy); 799 xfrm_pol_put(struct xfrm_policy * policy)800 static inline void xfrm_pol_put(struct xfrm_policy *policy) 801 { 802 if (refcount_dec_and_test(&policy->refcnt)) 803 xfrm_policy_destroy(policy); 804 } 805 xfrm_pols_put(struct xfrm_policy ** pols,int npols)806 static inline void xfrm_pols_put(struct xfrm_policy **pols, int npols) 807 { 808 int i; 809 for (i = npols - 1; i >= 0; --i) 810 xfrm_pol_put(pols[i]); 811 } 812 813 void __xfrm_state_destroy(struct xfrm_state *, bool); 814 __xfrm_state_put(struct xfrm_state * x)815 static inline void __xfrm_state_put(struct xfrm_state *x) 816 { 817 refcount_dec(&x->refcnt); 818 } 819 xfrm_state_put(struct xfrm_state * x)820 static inline void xfrm_state_put(struct xfrm_state *x) 821 { 822 if (refcount_dec_and_test(&x->refcnt)) 823 __xfrm_state_destroy(x, false); 824 } 825 xfrm_state_put_sync(struct xfrm_state * x)826 static inline void xfrm_state_put_sync(struct xfrm_state *x) 827 { 828 if (refcount_dec_and_test(&x->refcnt)) 829 __xfrm_state_destroy(x, true); 830 } 831 xfrm_state_hold(struct xfrm_state * x)832 static inline void xfrm_state_hold(struct xfrm_state *x) 833 { 834 refcount_inc(&x->refcnt); 835 } 836 addr_match(const void * token1,const void * token2,unsigned int prefixlen)837 static inline bool addr_match(const void *token1, const void *token2, 838 unsigned int prefixlen) 839 { 840 const __be32 *a1 = token1; 841 const __be32 *a2 = token2; 842 unsigned int pdw; 843 unsigned int pbi; 844 845 pdw = prefixlen >> 5; /* num of whole u32 in prefix */ 846 pbi = prefixlen & 0x1f; /* num of bits in incomplete u32 in prefix */ 847 848 if (pdw) 849 if (memcmp(a1, a2, pdw << 2)) 850 return false; 851 852 if (pbi) { 853 __be32 mask; 854 855 mask = htonl((0xffffffff) << (32 - pbi)); 856 857 if ((a1[pdw] ^ a2[pdw]) & mask) 858 return false; 859 } 860 861 return true; 862 } 863 addr4_match(__be32 a1,__be32 a2,u8 prefixlen)864 static inline bool addr4_match(__be32 a1, __be32 a2, u8 prefixlen) 865 { 866 /* C99 6.5.7 (3): u32 << 32 is undefined behaviour */ 867 if (sizeof(long) == 4 && prefixlen == 0) 868 return true; 869 return !((a1 ^ a2) & htonl(~0UL << (32 - prefixlen))); 870 } 871 872 static __inline__ xfrm_flowi_sport(const struct flowi * fl,const union flowi_uli * uli)873 __be16 xfrm_flowi_sport(const struct flowi *fl, const union flowi_uli *uli) 874 { 875 __be16 port; 876 switch(fl->flowi_proto) { 877 case IPPROTO_TCP: 878 case IPPROTO_UDP: 879 case IPPROTO_UDPLITE: 880 case IPPROTO_SCTP: 881 port = uli->ports.sport; 882 break; 883 case IPPROTO_ICMP: 884 case IPPROTO_ICMPV6: 885 port = htons(uli->icmpt.type); 886 break; 887 case IPPROTO_MH: 888 port = htons(uli->mht.type); 889 break; 890 case IPPROTO_GRE: 891 port = htons(ntohl(uli->gre_key) >> 16); 892 break; 893 default: 894 port = 0; /*XXX*/ 895 } 896 return port; 897 } 898 899 static __inline__ xfrm_flowi_dport(const struct flowi * fl,const union flowi_uli * uli)900 __be16 xfrm_flowi_dport(const struct flowi *fl, const union flowi_uli *uli) 901 { 902 __be16 port; 903 switch(fl->flowi_proto) { 904 case IPPROTO_TCP: 905 case IPPROTO_UDP: 906 case IPPROTO_UDPLITE: 907 case IPPROTO_SCTP: 908 port = uli->ports.dport; 909 break; 910 case IPPROTO_ICMP: 911 case IPPROTO_ICMPV6: 912 port = htons(uli->icmpt.code); 913 break; 914 case IPPROTO_GRE: 915 port = htons(ntohl(uli->gre_key) & 0xffff); 916 break; 917 default: 918 port = 0; /*XXX*/ 919 } 920 return port; 921 } 922 923 bool xfrm_selector_match(const struct xfrm_selector *sel, 924 const struct flowi *fl, unsigned short family); 925 926 #ifdef CONFIG_SECURITY_NETWORK_XFRM 927 /* If neither has a context --> match 928 * Otherwise, both must have a context and the sids, doi, alg must match 929 */ xfrm_sec_ctx_match(struct xfrm_sec_ctx * s1,struct xfrm_sec_ctx * s2)930 static inline bool xfrm_sec_ctx_match(struct xfrm_sec_ctx *s1, struct xfrm_sec_ctx *s2) 931 { 932 return ((!s1 && !s2) || 933 (s1 && s2 && 934 (s1->ctx_sid == s2->ctx_sid) && 935 (s1->ctx_doi == s2->ctx_doi) && 936 (s1->ctx_alg == s2->ctx_alg))); 937 } 938 #else xfrm_sec_ctx_match(struct xfrm_sec_ctx * s1,struct xfrm_sec_ctx * s2)939 static inline bool xfrm_sec_ctx_match(struct xfrm_sec_ctx *s1, struct xfrm_sec_ctx *s2) 940 { 941 return true; 942 } 943 #endif 944 945 /* A struct encoding bundle of transformations to apply to some set of flow. 946 * 947 * xdst->child points to the next element of bundle. 948 * dst->xfrm points to an instanse of transformer. 949 * 950 * Due to unfortunate limitations of current routing cache, which we 951 * have no time to fix, it mirrors struct rtable and bound to the same 952 * routing key, including saddr,daddr. However, we can have many of 953 * bundles differing by session id. All the bundles grow from a parent 954 * policy rule. 955 */ 956 struct xfrm_dst { 957 union { 958 struct dst_entry dst; 959 struct rtable rt; 960 struct rt6_info rt6; 961 } u; 962 struct dst_entry *route; 963 struct dst_entry *child; 964 struct dst_entry *path; 965 struct xfrm_policy *pols[XFRM_POLICY_TYPE_MAX]; 966 int num_pols, num_xfrms; 967 u32 xfrm_genid; 968 u32 policy_genid; 969 u32 route_mtu_cached; 970 u32 child_mtu_cached; 971 u32 route_cookie; 972 u32 path_cookie; 973 }; 974 xfrm_dst_path(const struct dst_entry * dst)975 static inline struct dst_entry *xfrm_dst_path(const struct dst_entry *dst) 976 { 977 #ifdef CONFIG_XFRM 978 if (dst->xfrm || (dst->flags & DST_XFRM_QUEUE)) { 979 const struct xfrm_dst *xdst = (const struct xfrm_dst *) dst; 980 981 return xdst->path; 982 } 983 #endif 984 return (struct dst_entry *) dst; 985 } 986 xfrm_dst_child(const struct dst_entry * dst)987 static inline struct dst_entry *xfrm_dst_child(const struct dst_entry *dst) 988 { 989 #ifdef CONFIG_XFRM 990 if (dst->xfrm || (dst->flags & DST_XFRM_QUEUE)) { 991 struct xfrm_dst *xdst = (struct xfrm_dst *) dst; 992 return xdst->child; 993 } 994 #endif 995 return NULL; 996 } 997 998 #ifdef CONFIG_XFRM xfrm_dst_set_child(struct xfrm_dst * xdst,struct dst_entry * child)999 static inline void xfrm_dst_set_child(struct xfrm_dst *xdst, struct dst_entry *child) 1000 { 1001 xdst->child = child; 1002 } 1003 xfrm_dst_destroy(struct xfrm_dst * xdst)1004 static inline void xfrm_dst_destroy(struct xfrm_dst *xdst) 1005 { 1006 xfrm_pols_put(xdst->pols, xdst->num_pols); 1007 dst_release(xdst->route); 1008 if (likely(xdst->u.dst.xfrm)) 1009 xfrm_state_put(xdst->u.dst.xfrm); 1010 } 1011 #endif 1012 1013 void xfrm_dst_ifdown(struct dst_entry *dst, struct net_device *dev); 1014 1015 struct xfrm_if_parms { 1016 int link; /* ifindex of underlying L2 interface */ 1017 u32 if_id; /* interface identifyer */ 1018 bool collect_md; 1019 }; 1020 1021 struct xfrm_if { 1022 struct xfrm_if __rcu *next; /* next interface in list */ 1023 struct net_device *dev; /* virtual device associated with interface */ 1024 struct net *net; /* netns for packet i/o */ 1025 struct xfrm_if_parms p; /* interface parms */ 1026 1027 struct gro_cells gro_cells; 1028 }; 1029 1030 struct xfrm_offload { 1031 /* Output sequence number for replay protection on offloading. */ 1032 struct { 1033 __u32 low; 1034 __u32 hi; 1035 } seq; 1036 1037 __u32 flags; 1038 #define SA_DELETE_REQ 1 1039 #define CRYPTO_DONE 2 1040 #define CRYPTO_NEXT_DONE 4 1041 #define CRYPTO_FALLBACK 8 1042 #define XFRM_GSO_SEGMENT 16 1043 #define XFRM_GRO 32 1044 /* 64 is free */ 1045 #define XFRM_DEV_RESUME 128 1046 #define XFRM_XMIT 256 1047 1048 __u32 status; 1049 #define CRYPTO_SUCCESS 1 1050 #define CRYPTO_GENERIC_ERROR 2 1051 #define CRYPTO_TRANSPORT_AH_AUTH_FAILED 4 1052 #define CRYPTO_TRANSPORT_ESP_AUTH_FAILED 8 1053 #define CRYPTO_TUNNEL_AH_AUTH_FAILED 16 1054 #define CRYPTO_TUNNEL_ESP_AUTH_FAILED 32 1055 #define CRYPTO_INVALID_PACKET_SYNTAX 64 1056 #define CRYPTO_INVALID_PROTOCOL 128 1057 1058 /* Used to keep whole l2 header for transport mode GRO */ 1059 __u32 orig_mac_len; 1060 1061 __u8 proto; 1062 __u8 inner_ipproto; 1063 }; 1064 1065 struct sec_path { 1066 int len; 1067 int olen; 1068 int verified_cnt; 1069 1070 struct xfrm_state *xvec[XFRM_MAX_DEPTH]; 1071 struct xfrm_offload ovec[XFRM_MAX_OFFLOAD_DEPTH]; 1072 }; 1073 1074 struct sec_path *secpath_set(struct sk_buff *skb); 1075 1076 static inline void secpath_reset(struct sk_buff * skb)1077 secpath_reset(struct sk_buff *skb) 1078 { 1079 #ifdef CONFIG_XFRM 1080 skb_ext_del(skb, SKB_EXT_SEC_PATH); 1081 #endif 1082 } 1083 1084 static inline int xfrm_addr_any(const xfrm_address_t * addr,unsigned short family)1085 xfrm_addr_any(const xfrm_address_t *addr, unsigned short family) 1086 { 1087 switch (family) { 1088 case AF_INET: 1089 return addr->a4 == 0; 1090 case AF_INET6: 1091 return ipv6_addr_any(&addr->in6); 1092 } 1093 return 0; 1094 } 1095 1096 static inline int __xfrm4_state_addr_cmp(const struct xfrm_tmpl * tmpl,const struct xfrm_state * x)1097 __xfrm4_state_addr_cmp(const struct xfrm_tmpl *tmpl, const struct xfrm_state *x) 1098 { 1099 return (tmpl->saddr.a4 && 1100 tmpl->saddr.a4 != x->props.saddr.a4); 1101 } 1102 1103 static inline int __xfrm6_state_addr_cmp(const struct xfrm_tmpl * tmpl,const struct xfrm_state * x)1104 __xfrm6_state_addr_cmp(const struct xfrm_tmpl *tmpl, const struct xfrm_state *x) 1105 { 1106 return (!ipv6_addr_any((struct in6_addr*)&tmpl->saddr) && 1107 !ipv6_addr_equal((struct in6_addr *)&tmpl->saddr, (struct in6_addr*)&x->props.saddr)); 1108 } 1109 1110 static inline int xfrm_state_addr_cmp(const struct xfrm_tmpl * tmpl,const struct xfrm_state * x,unsigned short family)1111 xfrm_state_addr_cmp(const struct xfrm_tmpl *tmpl, const struct xfrm_state *x, unsigned short family) 1112 { 1113 switch (family) { 1114 case AF_INET: 1115 return __xfrm4_state_addr_cmp(tmpl, x); 1116 case AF_INET6: 1117 return __xfrm6_state_addr_cmp(tmpl, x); 1118 } 1119 return !0; 1120 } 1121 1122 #ifdef CONFIG_XFRM xfrm_input_state(struct sk_buff * skb)1123 static inline struct xfrm_state *xfrm_input_state(struct sk_buff *skb) 1124 { 1125 struct sec_path *sp = skb_sec_path(skb); 1126 1127 return sp->xvec[sp->len - 1]; 1128 } 1129 #endif 1130 xfrm_offload(struct sk_buff * skb)1131 static inline struct xfrm_offload *xfrm_offload(struct sk_buff *skb) 1132 { 1133 #ifdef CONFIG_XFRM 1134 struct sec_path *sp = skb_sec_path(skb); 1135 1136 if (!sp || !sp->olen || sp->len != sp->olen) 1137 return NULL; 1138 1139 return &sp->ovec[sp->olen - 1]; 1140 #else 1141 return NULL; 1142 #endif 1143 } 1144 1145 #ifdef CONFIG_XFRM 1146 int __xfrm_policy_check(struct sock *, int dir, struct sk_buff *skb, 1147 unsigned short family); 1148 __xfrm_check_nopolicy(struct net * net,struct sk_buff * skb,int dir)1149 static inline bool __xfrm_check_nopolicy(struct net *net, struct sk_buff *skb, 1150 int dir) 1151 { 1152 if (!net->xfrm.policy_count[dir] && !secpath_exists(skb)) 1153 return net->xfrm.policy_default[dir] == XFRM_USERPOLICY_ACCEPT; 1154 1155 return false; 1156 } 1157 __xfrm_check_dev_nopolicy(struct sk_buff * skb,int dir,unsigned short family)1158 static inline bool __xfrm_check_dev_nopolicy(struct sk_buff *skb, 1159 int dir, unsigned short family) 1160 { 1161 if (dir != XFRM_POLICY_OUT && family == AF_INET) { 1162 /* same dst may be used for traffic originating from 1163 * devices with different policy settings. 1164 */ 1165 return IPCB(skb)->flags & IPSKB_NOPOLICY; 1166 } 1167 return skb_dst(skb) && (skb_dst(skb)->flags & DST_NOPOLICY); 1168 } 1169 __xfrm_policy_check2(struct sock * sk,int dir,struct sk_buff * skb,unsigned int family,int reverse)1170 static inline int __xfrm_policy_check2(struct sock *sk, int dir, 1171 struct sk_buff *skb, 1172 unsigned int family, int reverse) 1173 { 1174 struct net *net = dev_net(skb->dev); 1175 int ndir = dir | (reverse ? XFRM_POLICY_MASK + 1 : 0); 1176 struct xfrm_offload *xo = xfrm_offload(skb); 1177 struct xfrm_state *x; 1178 1179 if (sk && sk->sk_policy[XFRM_POLICY_IN]) 1180 return __xfrm_policy_check(sk, ndir, skb, family); 1181 1182 if (xo) { 1183 x = xfrm_input_state(skb); 1184 if (x->xso.type == XFRM_DEV_OFFLOAD_PACKET) { 1185 bool check = (xo->flags & CRYPTO_DONE) && 1186 (xo->status & CRYPTO_SUCCESS); 1187 1188 /* The packets here are plain ones and secpath was 1189 * needed to indicate that hardware already handled 1190 * them and there is no need to do nothing in addition. 1191 * 1192 * Consume secpath which was set by drivers. 1193 */ 1194 secpath_reset(skb); 1195 return check; 1196 } 1197 } 1198 1199 return __xfrm_check_nopolicy(net, skb, dir) || 1200 __xfrm_check_dev_nopolicy(skb, dir, family) || 1201 __xfrm_policy_check(sk, ndir, skb, family); 1202 } 1203 xfrm_policy_check(struct sock * sk,int dir,struct sk_buff * skb,unsigned short family)1204 static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, unsigned short family) 1205 { 1206 return __xfrm_policy_check2(sk, dir, skb, family, 0); 1207 } 1208 xfrm4_policy_check(struct sock * sk,int dir,struct sk_buff * skb)1209 static inline int xfrm4_policy_check(struct sock *sk, int dir, struct sk_buff *skb) 1210 { 1211 return xfrm_policy_check(sk, dir, skb, AF_INET); 1212 } 1213 xfrm6_policy_check(struct sock * sk,int dir,struct sk_buff * skb)1214 static inline int xfrm6_policy_check(struct sock *sk, int dir, struct sk_buff *skb) 1215 { 1216 return xfrm_policy_check(sk, dir, skb, AF_INET6); 1217 } 1218 xfrm4_policy_check_reverse(struct sock * sk,int dir,struct sk_buff * skb)1219 static inline int xfrm4_policy_check_reverse(struct sock *sk, int dir, 1220 struct sk_buff *skb) 1221 { 1222 return __xfrm_policy_check2(sk, dir, skb, AF_INET, 1); 1223 } 1224 xfrm6_policy_check_reverse(struct sock * sk,int dir,struct sk_buff * skb)1225 static inline int xfrm6_policy_check_reverse(struct sock *sk, int dir, 1226 struct sk_buff *skb) 1227 { 1228 return __xfrm_policy_check2(sk, dir, skb, AF_INET6, 1); 1229 } 1230 1231 int __xfrm_decode_session(struct sk_buff *skb, struct flowi *fl, 1232 unsigned int family, int reverse); 1233 xfrm_decode_session(struct sk_buff * skb,struct flowi * fl,unsigned int family)1234 static inline int xfrm_decode_session(struct sk_buff *skb, struct flowi *fl, 1235 unsigned int family) 1236 { 1237 return __xfrm_decode_session(skb, fl, family, 0); 1238 } 1239 xfrm_decode_session_reverse(struct sk_buff * skb,struct flowi * fl,unsigned int family)1240 static inline int xfrm_decode_session_reverse(struct sk_buff *skb, 1241 struct flowi *fl, 1242 unsigned int family) 1243 { 1244 return __xfrm_decode_session(skb, fl, family, 1); 1245 } 1246 1247 int __xfrm_route_forward(struct sk_buff *skb, unsigned short family); 1248 xfrm_route_forward(struct sk_buff * skb,unsigned short family)1249 static inline int xfrm_route_forward(struct sk_buff *skb, unsigned short family) 1250 { 1251 struct net *net = dev_net(skb->dev); 1252 1253 if (!net->xfrm.policy_count[XFRM_POLICY_OUT] && 1254 net->xfrm.policy_default[XFRM_POLICY_OUT] == XFRM_USERPOLICY_ACCEPT) 1255 return true; 1256 1257 return (skb_dst(skb)->flags & DST_NOXFRM) || 1258 __xfrm_route_forward(skb, family); 1259 } 1260 xfrm4_route_forward(struct sk_buff * skb)1261 static inline int xfrm4_route_forward(struct sk_buff *skb) 1262 { 1263 return xfrm_route_forward(skb, AF_INET); 1264 } 1265 xfrm6_route_forward(struct sk_buff * skb)1266 static inline int xfrm6_route_forward(struct sk_buff *skb) 1267 { 1268 return xfrm_route_forward(skb, AF_INET6); 1269 } 1270 1271 int __xfrm_sk_clone_policy(struct sock *sk, const struct sock *osk); 1272 xfrm_sk_clone_policy(struct sock * sk,const struct sock * osk)1273 static inline int xfrm_sk_clone_policy(struct sock *sk, const struct sock *osk) 1274 { 1275 if (!sk_fullsock(osk)) 1276 return 0; 1277 sk->sk_policy[0] = NULL; 1278 sk->sk_policy[1] = NULL; 1279 if (unlikely(osk->sk_policy[0] || osk->sk_policy[1])) 1280 return __xfrm_sk_clone_policy(sk, osk); 1281 return 0; 1282 } 1283 1284 int xfrm_policy_delete(struct xfrm_policy *pol, int dir); 1285 xfrm_sk_free_policy(struct sock * sk)1286 static inline void xfrm_sk_free_policy(struct sock *sk) 1287 { 1288 struct xfrm_policy *pol; 1289 1290 pol = rcu_dereference_protected(sk->sk_policy[0], 1); 1291 if (unlikely(pol != NULL)) { 1292 xfrm_policy_delete(pol, XFRM_POLICY_MAX); 1293 sk->sk_policy[0] = NULL; 1294 } 1295 pol = rcu_dereference_protected(sk->sk_policy[1], 1); 1296 if (unlikely(pol != NULL)) { 1297 xfrm_policy_delete(pol, XFRM_POLICY_MAX+1); 1298 sk->sk_policy[1] = NULL; 1299 } 1300 } 1301 1302 #else 1303 xfrm_sk_free_policy(struct sock * sk)1304 static inline void xfrm_sk_free_policy(struct sock *sk) {} xfrm_sk_clone_policy(struct sock * sk,const struct sock * osk)1305 static inline int xfrm_sk_clone_policy(struct sock *sk, const struct sock *osk) { return 0; } xfrm6_route_forward(struct sk_buff * skb)1306 static inline int xfrm6_route_forward(struct sk_buff *skb) { return 1; } xfrm4_route_forward(struct sk_buff * skb)1307 static inline int xfrm4_route_forward(struct sk_buff *skb) { return 1; } xfrm6_policy_check(struct sock * sk,int dir,struct sk_buff * skb)1308 static inline int xfrm6_policy_check(struct sock *sk, int dir, struct sk_buff *skb) 1309 { 1310 return 1; 1311 } xfrm4_policy_check(struct sock * sk,int dir,struct sk_buff * skb)1312 static inline int xfrm4_policy_check(struct sock *sk, int dir, struct sk_buff *skb) 1313 { 1314 return 1; 1315 } xfrm_policy_check(struct sock * sk,int dir,struct sk_buff * skb,unsigned short family)1316 static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, unsigned short family) 1317 { 1318 return 1; 1319 } xfrm_decode_session_reverse(struct sk_buff * skb,struct flowi * fl,unsigned int family)1320 static inline int xfrm_decode_session_reverse(struct sk_buff *skb, 1321 struct flowi *fl, 1322 unsigned int family) 1323 { 1324 return -ENOSYS; 1325 } xfrm4_policy_check_reverse(struct sock * sk,int dir,struct sk_buff * skb)1326 static inline int xfrm4_policy_check_reverse(struct sock *sk, int dir, 1327 struct sk_buff *skb) 1328 { 1329 return 1; 1330 } xfrm6_policy_check_reverse(struct sock * sk,int dir,struct sk_buff * skb)1331 static inline int xfrm6_policy_check_reverse(struct sock *sk, int dir, 1332 struct sk_buff *skb) 1333 { 1334 return 1; 1335 } 1336 #endif 1337 1338 static __inline__ xfrm_flowi_daddr(const struct flowi * fl,unsigned short family)1339 xfrm_address_t *xfrm_flowi_daddr(const struct flowi *fl, unsigned short family) 1340 { 1341 switch (family){ 1342 case AF_INET: 1343 return (xfrm_address_t *)&fl->u.ip4.daddr; 1344 case AF_INET6: 1345 return (xfrm_address_t *)&fl->u.ip6.daddr; 1346 } 1347 return NULL; 1348 } 1349 1350 static __inline__ xfrm_flowi_saddr(const struct flowi * fl,unsigned short family)1351 xfrm_address_t *xfrm_flowi_saddr(const struct flowi *fl, unsigned short family) 1352 { 1353 switch (family){ 1354 case AF_INET: 1355 return (xfrm_address_t *)&fl->u.ip4.saddr; 1356 case AF_INET6: 1357 return (xfrm_address_t *)&fl->u.ip6.saddr; 1358 } 1359 return NULL; 1360 } 1361 1362 static __inline__ xfrm_flowi_addr_get(const struct flowi * fl,xfrm_address_t * saddr,xfrm_address_t * daddr,unsigned short family)1363 void xfrm_flowi_addr_get(const struct flowi *fl, 1364 xfrm_address_t *saddr, xfrm_address_t *daddr, 1365 unsigned short family) 1366 { 1367 switch(family) { 1368 case AF_INET: 1369 memcpy(&saddr->a4, &fl->u.ip4.saddr, sizeof(saddr->a4)); 1370 memcpy(&daddr->a4, &fl->u.ip4.daddr, sizeof(daddr->a4)); 1371 break; 1372 case AF_INET6: 1373 saddr->in6 = fl->u.ip6.saddr; 1374 daddr->in6 = fl->u.ip6.daddr; 1375 break; 1376 } 1377 } 1378 1379 static __inline__ int __xfrm4_state_addr_check(const struct xfrm_state * x,const xfrm_address_t * daddr,const xfrm_address_t * saddr)1380 __xfrm4_state_addr_check(const struct xfrm_state *x, 1381 const xfrm_address_t *daddr, const xfrm_address_t *saddr) 1382 { 1383 if (daddr->a4 == x->id.daddr.a4 && 1384 (saddr->a4 == x->props.saddr.a4 || !saddr->a4 || !x->props.saddr.a4)) 1385 return 1; 1386 return 0; 1387 } 1388 1389 static __inline__ int __xfrm6_state_addr_check(const struct xfrm_state * x,const xfrm_address_t * daddr,const xfrm_address_t * saddr)1390 __xfrm6_state_addr_check(const struct xfrm_state *x, 1391 const xfrm_address_t *daddr, const xfrm_address_t *saddr) 1392 { 1393 if (ipv6_addr_equal((struct in6_addr *)daddr, (struct in6_addr *)&x->id.daddr) && 1394 (ipv6_addr_equal((struct in6_addr *)saddr, (struct in6_addr *)&x->props.saddr) || 1395 ipv6_addr_any((struct in6_addr *)saddr) || 1396 ipv6_addr_any((struct in6_addr *)&x->props.saddr))) 1397 return 1; 1398 return 0; 1399 } 1400 1401 static __inline__ int xfrm_state_addr_check(const struct xfrm_state * x,const xfrm_address_t * daddr,const xfrm_address_t * saddr,unsigned short family)1402 xfrm_state_addr_check(const struct xfrm_state *x, 1403 const xfrm_address_t *daddr, const xfrm_address_t *saddr, 1404 unsigned short family) 1405 { 1406 switch (family) { 1407 case AF_INET: 1408 return __xfrm4_state_addr_check(x, daddr, saddr); 1409 case AF_INET6: 1410 return __xfrm6_state_addr_check(x, daddr, saddr); 1411 } 1412 return 0; 1413 } 1414 1415 static __inline__ int xfrm_state_addr_flow_check(const struct xfrm_state * x,const struct flowi * fl,unsigned short family)1416 xfrm_state_addr_flow_check(const struct xfrm_state *x, const struct flowi *fl, 1417 unsigned short family) 1418 { 1419 switch (family) { 1420 case AF_INET: 1421 return __xfrm4_state_addr_check(x, 1422 (const xfrm_address_t *)&fl->u.ip4.daddr, 1423 (const xfrm_address_t *)&fl->u.ip4.saddr); 1424 case AF_INET6: 1425 return __xfrm6_state_addr_check(x, 1426 (const xfrm_address_t *)&fl->u.ip6.daddr, 1427 (const xfrm_address_t *)&fl->u.ip6.saddr); 1428 } 1429 return 0; 1430 } 1431 xfrm_state_kern(const struct xfrm_state * x)1432 static inline int xfrm_state_kern(const struct xfrm_state *x) 1433 { 1434 return atomic_read(&x->tunnel_users); 1435 } 1436 xfrm_id_proto_valid(u8 proto)1437 static inline bool xfrm_id_proto_valid(u8 proto) 1438 { 1439 switch (proto) { 1440 case IPPROTO_AH: 1441 case IPPROTO_ESP: 1442 case IPPROTO_COMP: 1443 #if IS_ENABLED(CONFIG_IPV6) 1444 case IPPROTO_ROUTING: 1445 case IPPROTO_DSTOPTS: 1446 #endif 1447 return true; 1448 default: 1449 return false; 1450 } 1451 } 1452 1453 /* IPSEC_PROTO_ANY only matches 3 IPsec protocols, 0 could match all. */ xfrm_id_proto_match(u8 proto,u8 userproto)1454 static inline int xfrm_id_proto_match(u8 proto, u8 userproto) 1455 { 1456 return (!userproto || proto == userproto || 1457 (userproto == IPSEC_PROTO_ANY && (proto == IPPROTO_AH || 1458 proto == IPPROTO_ESP || 1459 proto == IPPROTO_COMP))); 1460 } 1461 1462 /* 1463 * xfrm algorithm information 1464 */ 1465 struct xfrm_algo_aead_info { 1466 char *geniv; 1467 u16 icv_truncbits; 1468 }; 1469 1470 struct xfrm_algo_auth_info { 1471 u16 icv_truncbits; 1472 u16 icv_fullbits; 1473 }; 1474 1475 struct xfrm_algo_encr_info { 1476 char *geniv; 1477 u16 blockbits; 1478 u16 defkeybits; 1479 }; 1480 1481 struct xfrm_algo_comp_info { 1482 u16 threshold; 1483 }; 1484 1485 struct xfrm_algo_desc { 1486 char *name; 1487 char *compat; 1488 u8 available:1; 1489 u8 pfkey_supported:1; 1490 union { 1491 struct xfrm_algo_aead_info aead; 1492 struct xfrm_algo_auth_info auth; 1493 struct xfrm_algo_encr_info encr; 1494 struct xfrm_algo_comp_info comp; 1495 } uinfo; 1496 struct sadb_alg desc; 1497 }; 1498 1499 /* XFRM protocol handlers. */ 1500 struct xfrm4_protocol { 1501 int (*handler)(struct sk_buff *skb); 1502 int (*input_handler)(struct sk_buff *skb, int nexthdr, __be32 spi, 1503 int encap_type); 1504 int (*cb_handler)(struct sk_buff *skb, int err); 1505 int (*err_handler)(struct sk_buff *skb, u32 info); 1506 1507 struct xfrm4_protocol __rcu *next; 1508 int priority; 1509 }; 1510 1511 struct xfrm6_protocol { 1512 int (*handler)(struct sk_buff *skb); 1513 int (*input_handler)(struct sk_buff *skb, int nexthdr, __be32 spi, 1514 int encap_type); 1515 int (*cb_handler)(struct sk_buff *skb, int err); 1516 int (*err_handler)(struct sk_buff *skb, struct inet6_skb_parm *opt, 1517 u8 type, u8 code, int offset, __be32 info); 1518 1519 struct xfrm6_protocol __rcu *next; 1520 int priority; 1521 }; 1522 1523 /* XFRM tunnel handlers. */ 1524 struct xfrm_tunnel { 1525 int (*handler)(struct sk_buff *skb); 1526 int (*cb_handler)(struct sk_buff *skb, int err); 1527 int (*err_handler)(struct sk_buff *skb, u32 info); 1528 1529 struct xfrm_tunnel __rcu *next; 1530 int priority; 1531 }; 1532 1533 struct xfrm6_tunnel { 1534 int (*handler)(struct sk_buff *skb); 1535 int (*cb_handler)(struct sk_buff *skb, int err); 1536 int (*err_handler)(struct sk_buff *skb, struct inet6_skb_parm *opt, 1537 u8 type, u8 code, int offset, __be32 info); 1538 struct xfrm6_tunnel __rcu *next; 1539 int priority; 1540 }; 1541 1542 void xfrm_init(void); 1543 void xfrm4_init(void); 1544 int xfrm_state_init(struct net *net); 1545 void xfrm_state_fini(struct net *net); 1546 void xfrm4_state_init(void); 1547 void xfrm4_protocol_init(void); 1548 #ifdef CONFIG_XFRM 1549 int xfrm6_init(void); 1550 void xfrm6_fini(void); 1551 int xfrm6_state_init(void); 1552 void xfrm6_state_fini(void); 1553 int xfrm6_protocol_init(void); 1554 void xfrm6_protocol_fini(void); 1555 #else xfrm6_init(void)1556 static inline int xfrm6_init(void) 1557 { 1558 return 0; 1559 } xfrm6_fini(void)1560 static inline void xfrm6_fini(void) 1561 { 1562 ; 1563 } 1564 #endif 1565 1566 #ifdef CONFIG_XFRM_STATISTICS 1567 int xfrm_proc_init(struct net *net); 1568 void xfrm_proc_fini(struct net *net); 1569 #endif 1570 1571 int xfrm_sysctl_init(struct net *net); 1572 #ifdef CONFIG_SYSCTL 1573 void xfrm_sysctl_fini(struct net *net); 1574 #else xfrm_sysctl_fini(struct net * net)1575 static inline void xfrm_sysctl_fini(struct net *net) 1576 { 1577 } 1578 #endif 1579 1580 void xfrm_state_walk_init(struct xfrm_state_walk *walk, u8 proto, 1581 struct xfrm_address_filter *filter); 1582 int xfrm_state_walk(struct net *net, struct xfrm_state_walk *walk, 1583 int (*func)(struct xfrm_state *, int, void*), void *); 1584 void xfrm_state_walk_done(struct xfrm_state_walk *walk, struct net *net); 1585 struct xfrm_state *xfrm_state_alloc(struct net *net); 1586 void xfrm_state_free(struct xfrm_state *x); 1587 struct xfrm_state *xfrm_state_find(const xfrm_address_t *daddr, 1588 const xfrm_address_t *saddr, 1589 const struct flowi *fl, 1590 struct xfrm_tmpl *tmpl, 1591 struct xfrm_policy *pol, int *err, 1592 unsigned short family, u32 if_id); 1593 struct xfrm_state *xfrm_stateonly_find(struct net *net, u32 mark, u32 if_id, 1594 xfrm_address_t *daddr, 1595 xfrm_address_t *saddr, 1596 unsigned short family, 1597 u8 mode, u8 proto, u32 reqid); 1598 struct xfrm_state *xfrm_state_lookup_byspi(struct net *net, __be32 spi, 1599 unsigned short family); 1600 int xfrm_state_check_expire(struct xfrm_state *x); 1601 #ifdef CONFIG_XFRM_OFFLOAD xfrm_dev_state_update_curlft(struct xfrm_state * x)1602 static inline void xfrm_dev_state_update_curlft(struct xfrm_state *x) 1603 { 1604 struct xfrm_dev_offload *xdo = &x->xso; 1605 struct net_device *dev = READ_ONCE(xdo->dev); 1606 1607 if (x->xso.type != XFRM_DEV_OFFLOAD_PACKET) 1608 return; 1609 1610 if (dev && dev->xfrmdev_ops && 1611 dev->xfrmdev_ops->xdo_dev_state_update_curlft) 1612 dev->xfrmdev_ops->xdo_dev_state_update_curlft(x); 1613 1614 } 1615 #else xfrm_dev_state_update_curlft(struct xfrm_state * x)1616 static inline void xfrm_dev_state_update_curlft(struct xfrm_state *x) {} 1617 #endif 1618 void xfrm_state_insert(struct xfrm_state *x); 1619 int xfrm_state_add(struct xfrm_state *x); 1620 int xfrm_state_update(struct xfrm_state *x); 1621 struct xfrm_state *xfrm_state_lookup(struct net *net, u32 mark, 1622 const xfrm_address_t *daddr, __be32 spi, 1623 u8 proto, unsigned short family); 1624 struct xfrm_state *xfrm_state_lookup_byaddr(struct net *net, u32 mark, 1625 const xfrm_address_t *daddr, 1626 const xfrm_address_t *saddr, 1627 u8 proto, 1628 unsigned short family); 1629 #ifdef CONFIG_XFRM_SUB_POLICY 1630 void xfrm_tmpl_sort(struct xfrm_tmpl **dst, struct xfrm_tmpl **src, int n, 1631 unsigned short family); 1632 void xfrm_state_sort(struct xfrm_state **dst, struct xfrm_state **src, int n, 1633 unsigned short family); 1634 #else xfrm_tmpl_sort(struct xfrm_tmpl ** d,struct xfrm_tmpl ** s,int n,unsigned short family)1635 static inline void xfrm_tmpl_sort(struct xfrm_tmpl **d, struct xfrm_tmpl **s, 1636 int n, unsigned short family) 1637 { 1638 } 1639 xfrm_state_sort(struct xfrm_state ** d,struct xfrm_state ** s,int n,unsigned short family)1640 static inline void xfrm_state_sort(struct xfrm_state **d, struct xfrm_state **s, 1641 int n, unsigned short family) 1642 { 1643 } 1644 #endif 1645 1646 struct xfrmk_sadinfo { 1647 u32 sadhcnt; /* current hash bkts */ 1648 u32 sadhmcnt; /* max allowed hash bkts */ 1649 u32 sadcnt; /* current running count */ 1650 }; 1651 1652 struct xfrmk_spdinfo { 1653 u32 incnt; 1654 u32 outcnt; 1655 u32 fwdcnt; 1656 u32 inscnt; 1657 u32 outscnt; 1658 u32 fwdscnt; 1659 u32 spdhcnt; 1660 u32 spdhmcnt; 1661 }; 1662 1663 struct xfrm_state *xfrm_find_acq_byseq(struct net *net, u32 mark, u32 seq); 1664 int xfrm_state_delete(struct xfrm_state *x); 1665 int xfrm_state_flush(struct net *net, u8 proto, bool task_valid, bool sync); 1666 int xfrm_dev_state_flush(struct net *net, struct net_device *dev, bool task_valid); 1667 int xfrm_dev_policy_flush(struct net *net, struct net_device *dev, 1668 bool task_valid); 1669 void xfrm_sad_getinfo(struct net *net, struct xfrmk_sadinfo *si); 1670 void xfrm_spd_getinfo(struct net *net, struct xfrmk_spdinfo *si); 1671 u32 xfrm_replay_seqhi(struct xfrm_state *x, __be32 net_seq); 1672 int xfrm_init_replay(struct xfrm_state *x, struct netlink_ext_ack *extack); 1673 u32 xfrm_state_mtu(struct xfrm_state *x, int mtu); 1674 int __xfrm_init_state(struct xfrm_state *x, bool init_replay, bool offload, 1675 struct netlink_ext_ack *extack); 1676 int xfrm_init_state(struct xfrm_state *x); 1677 int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type); 1678 int xfrm_input_resume(struct sk_buff *skb, int nexthdr); 1679 int xfrm_trans_queue_net(struct net *net, struct sk_buff *skb, 1680 int (*finish)(struct net *, struct sock *, 1681 struct sk_buff *)); 1682 int xfrm_trans_queue(struct sk_buff *skb, 1683 int (*finish)(struct net *, struct sock *, 1684 struct sk_buff *)); 1685 int xfrm_output_resume(struct sock *sk, struct sk_buff *skb, int err); 1686 int xfrm_output(struct sock *sk, struct sk_buff *skb); 1687 1688 #if IS_ENABLED(CONFIG_NET_PKTGEN) 1689 int pktgen_xfrm_outer_mode_output(struct xfrm_state *x, struct sk_buff *skb); 1690 #endif 1691 1692 void xfrm_local_error(struct sk_buff *skb, int mtu); 1693 int xfrm4_extract_input(struct xfrm_state *x, struct sk_buff *skb); 1694 int xfrm4_rcv_encap(struct sk_buff *skb, int nexthdr, __be32 spi, 1695 int encap_type); 1696 int xfrm4_transport_finish(struct sk_buff *skb, int async); 1697 int xfrm4_rcv(struct sk_buff *skb); 1698 xfrm4_rcv_spi(struct sk_buff * skb,int nexthdr,__be32 spi)1699 static inline int xfrm4_rcv_spi(struct sk_buff *skb, int nexthdr, __be32 spi) 1700 { 1701 XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4 = NULL; 1702 XFRM_SPI_SKB_CB(skb)->family = AF_INET; 1703 XFRM_SPI_SKB_CB(skb)->daddroff = offsetof(struct iphdr, daddr); 1704 return xfrm_input(skb, nexthdr, spi, 0); 1705 } 1706 1707 int xfrm4_output(struct net *net, struct sock *sk, struct sk_buff *skb); 1708 int xfrm4_protocol_register(struct xfrm4_protocol *handler, unsigned char protocol); 1709 int xfrm4_protocol_deregister(struct xfrm4_protocol *handler, unsigned char protocol); 1710 int xfrm4_tunnel_register(struct xfrm_tunnel *handler, unsigned short family); 1711 int xfrm4_tunnel_deregister(struct xfrm_tunnel *handler, unsigned short family); 1712 void xfrm4_local_error(struct sk_buff *skb, u32 mtu); 1713 int xfrm6_extract_input(struct xfrm_state *x, struct sk_buff *skb); 1714 int xfrm6_rcv_spi(struct sk_buff *skb, int nexthdr, __be32 spi, 1715 struct ip6_tnl *t); 1716 int xfrm6_rcv_encap(struct sk_buff *skb, int nexthdr, __be32 spi, 1717 int encap_type); 1718 int xfrm6_transport_finish(struct sk_buff *skb, int async); 1719 int xfrm6_rcv_tnl(struct sk_buff *skb, struct ip6_tnl *t); 1720 int xfrm6_rcv(struct sk_buff *skb); 1721 int xfrm6_input_addr(struct sk_buff *skb, xfrm_address_t *daddr, 1722 xfrm_address_t *saddr, u8 proto); 1723 void xfrm6_local_error(struct sk_buff *skb, u32 mtu); 1724 int xfrm6_protocol_register(struct xfrm6_protocol *handler, unsigned char protocol); 1725 int xfrm6_protocol_deregister(struct xfrm6_protocol *handler, unsigned char protocol); 1726 int xfrm6_tunnel_register(struct xfrm6_tunnel *handler, unsigned short family); 1727 int xfrm6_tunnel_deregister(struct xfrm6_tunnel *handler, unsigned short family); 1728 __be32 xfrm6_tunnel_alloc_spi(struct net *net, xfrm_address_t *saddr); 1729 __be32 xfrm6_tunnel_spi_lookup(struct net *net, const xfrm_address_t *saddr); 1730 int xfrm6_output(struct net *net, struct sock *sk, struct sk_buff *skb); 1731 1732 #ifdef CONFIG_XFRM 1733 void xfrm6_local_rxpmtu(struct sk_buff *skb, u32 mtu); 1734 int xfrm4_udp_encap_rcv(struct sock *sk, struct sk_buff *skb); 1735 int xfrm6_udp_encap_rcv(struct sock *sk, struct sk_buff *skb); 1736 int xfrm_user_policy(struct sock *sk, int optname, sockptr_t optval, 1737 int optlen); 1738 #else xfrm_user_policy(struct sock * sk,int optname,sockptr_t optval,int optlen)1739 static inline int xfrm_user_policy(struct sock *sk, int optname, 1740 sockptr_t optval, int optlen) 1741 { 1742 return -ENOPROTOOPT; 1743 } 1744 #endif 1745 1746 struct dst_entry *__xfrm_dst_lookup(int family, const struct xfrm_dst_lookup_params *params); 1747 1748 struct xfrm_policy *xfrm_policy_alloc(struct net *net, gfp_t gfp); 1749 1750 void xfrm_policy_walk_init(struct xfrm_policy_walk *walk, u8 type); 1751 int xfrm_policy_walk(struct net *net, struct xfrm_policy_walk *walk, 1752 int (*func)(struct xfrm_policy *, int, int, void*), 1753 void *); 1754 void xfrm_policy_walk_done(struct xfrm_policy_walk *walk, struct net *net); 1755 int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl); 1756 struct xfrm_policy *xfrm_policy_bysel_ctx(struct net *net, 1757 const struct xfrm_mark *mark, 1758 u32 if_id, u8 type, int dir, 1759 struct xfrm_selector *sel, 1760 struct xfrm_sec_ctx *ctx, int delete, 1761 int *err); 1762 struct xfrm_policy *xfrm_policy_byid(struct net *net, 1763 const struct xfrm_mark *mark, u32 if_id, 1764 u8 type, int dir, u32 id, int delete, 1765 int *err); 1766 int xfrm_policy_flush(struct net *net, u8 type, bool task_valid); 1767 void xfrm_policy_hash_rebuild(struct net *net); 1768 u32 xfrm_get_acqseq(void); 1769 int verify_spi_info(u8 proto, u32 min, u32 max, struct netlink_ext_ack *extack); 1770 int xfrm_alloc_spi(struct xfrm_state *x, u32 minspi, u32 maxspi, 1771 struct netlink_ext_ack *extack); 1772 struct xfrm_state *xfrm_find_acq(struct net *net, const struct xfrm_mark *mark, 1773 u8 mode, u32 reqid, u32 if_id, u8 proto, 1774 const xfrm_address_t *daddr, 1775 const xfrm_address_t *saddr, int create, 1776 unsigned short family); 1777 int xfrm_sk_policy_insert(struct sock *sk, int dir, struct xfrm_policy *pol); 1778 1779 #ifdef CONFIG_XFRM_MIGRATE 1780 int km_migrate(const struct xfrm_selector *sel, u8 dir, u8 type, 1781 const struct xfrm_migrate *m, int num_bundles, 1782 const struct xfrm_kmaddress *k, 1783 const struct xfrm_encap_tmpl *encap); 1784 struct xfrm_state *xfrm_migrate_state_find(struct xfrm_migrate *m, struct net *net, 1785 u32 if_id); 1786 struct xfrm_state *xfrm_state_migrate(struct xfrm_state *x, 1787 struct xfrm_migrate *m, 1788 struct xfrm_encap_tmpl *encap); 1789 int xfrm_migrate(const struct xfrm_selector *sel, u8 dir, u8 type, 1790 struct xfrm_migrate *m, int num_bundles, 1791 struct xfrm_kmaddress *k, struct net *net, 1792 struct xfrm_encap_tmpl *encap, u32 if_id, 1793 struct netlink_ext_ack *extack); 1794 #endif 1795 1796 int km_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport); 1797 void km_policy_expired(struct xfrm_policy *pol, int dir, int hard, u32 portid); 1798 int km_report(struct net *net, u8 proto, struct xfrm_selector *sel, 1799 xfrm_address_t *addr); 1800 1801 void xfrm_input_init(void); 1802 int xfrm_parse_spi(struct sk_buff *skb, u8 nexthdr, __be32 *spi, __be32 *seq); 1803 1804 void xfrm_probe_algs(void); 1805 int xfrm_count_pfkey_auth_supported(void); 1806 int xfrm_count_pfkey_enc_supported(void); 1807 struct xfrm_algo_desc *xfrm_aalg_get_byidx(unsigned int idx); 1808 struct xfrm_algo_desc *xfrm_ealg_get_byidx(unsigned int idx); 1809 struct xfrm_algo_desc *xfrm_aalg_get_byid(int alg_id); 1810 struct xfrm_algo_desc *xfrm_ealg_get_byid(int alg_id); 1811 struct xfrm_algo_desc *xfrm_calg_get_byid(int alg_id); 1812 struct xfrm_algo_desc *xfrm_aalg_get_byname(const char *name, int probe); 1813 struct xfrm_algo_desc *xfrm_ealg_get_byname(const char *name, int probe); 1814 struct xfrm_algo_desc *xfrm_calg_get_byname(const char *name, int probe); 1815 struct xfrm_algo_desc *xfrm_aead_get_byname(const char *name, int icv_len, 1816 int probe); 1817 xfrm6_addr_equal(const xfrm_address_t * a,const xfrm_address_t * b)1818 static inline bool xfrm6_addr_equal(const xfrm_address_t *a, 1819 const xfrm_address_t *b) 1820 { 1821 return ipv6_addr_equal((const struct in6_addr *)a, 1822 (const struct in6_addr *)b); 1823 } 1824 xfrm_addr_equal(const xfrm_address_t * a,const xfrm_address_t * b,sa_family_t family)1825 static inline bool xfrm_addr_equal(const xfrm_address_t *a, 1826 const xfrm_address_t *b, 1827 sa_family_t family) 1828 { 1829 switch (family) { 1830 default: 1831 case AF_INET: 1832 return ((__force u32)a->a4 ^ (__force u32)b->a4) == 0; 1833 case AF_INET6: 1834 return xfrm6_addr_equal(a, b); 1835 } 1836 } 1837 xfrm_policy_id2dir(u32 index)1838 static inline int xfrm_policy_id2dir(u32 index) 1839 { 1840 return index & 7; 1841 } 1842 1843 #ifdef CONFIG_XFRM 1844 void xfrm_replay_advance(struct xfrm_state *x, __be32 net_seq); 1845 int xfrm_replay_check(struct xfrm_state *x, struct sk_buff *skb, __be32 net_seq); 1846 void xfrm_replay_notify(struct xfrm_state *x, int event); 1847 int xfrm_replay_overflow(struct xfrm_state *x, struct sk_buff *skb); 1848 int xfrm_replay_recheck(struct xfrm_state *x, struct sk_buff *skb, __be32 net_seq); 1849 xfrm_aevent_is_on(struct net * net)1850 static inline int xfrm_aevent_is_on(struct net *net) 1851 { 1852 struct sock *nlsk; 1853 int ret = 0; 1854 1855 rcu_read_lock(); 1856 nlsk = rcu_dereference(net->xfrm.nlsk); 1857 if (nlsk) 1858 ret = netlink_has_listeners(nlsk, XFRMNLGRP_AEVENTS); 1859 rcu_read_unlock(); 1860 return ret; 1861 } 1862 xfrm_acquire_is_on(struct net * net)1863 static inline int xfrm_acquire_is_on(struct net *net) 1864 { 1865 struct sock *nlsk; 1866 int ret = 0; 1867 1868 rcu_read_lock(); 1869 nlsk = rcu_dereference(net->xfrm.nlsk); 1870 if (nlsk) 1871 ret = netlink_has_listeners(nlsk, XFRMNLGRP_ACQUIRE); 1872 rcu_read_unlock(); 1873 1874 return ret; 1875 } 1876 #endif 1877 aead_len(struct xfrm_algo_aead * alg)1878 static inline unsigned int aead_len(struct xfrm_algo_aead *alg) 1879 { 1880 return sizeof(*alg) + ((alg->alg_key_len + 7) / 8); 1881 } 1882 xfrm_alg_len(const struct xfrm_algo * alg)1883 static inline unsigned int xfrm_alg_len(const struct xfrm_algo *alg) 1884 { 1885 return sizeof(*alg) + ((alg->alg_key_len + 7) / 8); 1886 } 1887 xfrm_alg_auth_len(const struct xfrm_algo_auth * alg)1888 static inline unsigned int xfrm_alg_auth_len(const struct xfrm_algo_auth *alg) 1889 { 1890 return sizeof(*alg) + ((alg->alg_key_len + 7) / 8); 1891 } 1892 xfrm_replay_state_esn_len(struct xfrm_replay_state_esn * replay_esn)1893 static inline unsigned int xfrm_replay_state_esn_len(struct xfrm_replay_state_esn *replay_esn) 1894 { 1895 return sizeof(*replay_esn) + replay_esn->bmp_len * sizeof(__u32); 1896 } 1897 1898 #ifdef CONFIG_XFRM_MIGRATE xfrm_replay_clone(struct xfrm_state * x,struct xfrm_state * orig)1899 static inline int xfrm_replay_clone(struct xfrm_state *x, 1900 struct xfrm_state *orig) 1901 { 1902 1903 x->replay_esn = kmemdup(orig->replay_esn, 1904 xfrm_replay_state_esn_len(orig->replay_esn), 1905 GFP_KERNEL); 1906 if (!x->replay_esn) 1907 return -ENOMEM; 1908 x->preplay_esn = kmemdup(orig->preplay_esn, 1909 xfrm_replay_state_esn_len(orig->preplay_esn), 1910 GFP_KERNEL); 1911 if (!x->preplay_esn) 1912 return -ENOMEM; 1913 1914 return 0; 1915 } 1916 xfrm_algo_aead_clone(struct xfrm_algo_aead * orig)1917 static inline struct xfrm_algo_aead *xfrm_algo_aead_clone(struct xfrm_algo_aead *orig) 1918 { 1919 return kmemdup(orig, aead_len(orig), GFP_KERNEL); 1920 } 1921 1922 xfrm_algo_clone(struct xfrm_algo * orig)1923 static inline struct xfrm_algo *xfrm_algo_clone(struct xfrm_algo *orig) 1924 { 1925 return kmemdup(orig, xfrm_alg_len(orig), GFP_KERNEL); 1926 } 1927 xfrm_algo_auth_clone(struct xfrm_algo_auth * orig)1928 static inline struct xfrm_algo_auth *xfrm_algo_auth_clone(struct xfrm_algo_auth *orig) 1929 { 1930 return kmemdup(orig, xfrm_alg_auth_len(orig), GFP_KERNEL); 1931 } 1932 xfrm_states_put(struct xfrm_state ** states,int n)1933 static inline void xfrm_states_put(struct xfrm_state **states, int n) 1934 { 1935 int i; 1936 for (i = 0; i < n; i++) 1937 xfrm_state_put(*(states + i)); 1938 } 1939 xfrm_states_delete(struct xfrm_state ** states,int n)1940 static inline void xfrm_states_delete(struct xfrm_state **states, int n) 1941 { 1942 int i; 1943 for (i = 0; i < n; i++) 1944 xfrm_state_delete(*(states + i)); 1945 } 1946 #endif 1947 1948 void __init xfrm_dev_init(void); 1949 1950 #ifdef CONFIG_XFRM_OFFLOAD 1951 void xfrm_dev_resume(struct sk_buff *skb); 1952 void xfrm_dev_backlog(struct softnet_data *sd); 1953 struct sk_buff *validate_xmit_xfrm(struct sk_buff *skb, netdev_features_t features, bool *again); 1954 int xfrm_dev_state_add(struct net *net, struct xfrm_state *x, 1955 struct xfrm_user_offload *xuo, 1956 struct netlink_ext_ack *extack); 1957 int xfrm_dev_policy_add(struct net *net, struct xfrm_policy *xp, 1958 struct xfrm_user_offload *xuo, u8 dir, 1959 struct netlink_ext_ack *extack); 1960 bool xfrm_dev_offload_ok(struct sk_buff *skb, struct xfrm_state *x); 1961 void xfrm_dev_state_delete(struct xfrm_state *x); 1962 void xfrm_dev_state_free(struct xfrm_state *x); 1963 xfrm_dev_state_advance_esn(struct xfrm_state * x)1964 static inline void xfrm_dev_state_advance_esn(struct xfrm_state *x) 1965 { 1966 struct xfrm_dev_offload *xso = &x->xso; 1967 struct net_device *dev = READ_ONCE(xso->dev); 1968 1969 if (dev && dev->xfrmdev_ops->xdo_dev_state_advance_esn) 1970 dev->xfrmdev_ops->xdo_dev_state_advance_esn(x); 1971 } 1972 xfrm_dst_offload_ok(struct dst_entry * dst)1973 static inline bool xfrm_dst_offload_ok(struct dst_entry *dst) 1974 { 1975 struct xfrm_state *x = dst->xfrm; 1976 struct xfrm_dst *xdst; 1977 1978 if (!x || !x->type_offload) 1979 return false; 1980 1981 xdst = (struct xfrm_dst *) dst; 1982 if (!x->xso.offload_handle && !xdst->child->xfrm) 1983 return true; 1984 if (x->xso.offload_handle && (x->xso.dev == xfrm_dst_path(dst)->dev) && 1985 !xdst->child->xfrm) 1986 return true; 1987 1988 return false; 1989 } 1990 xfrm_dev_policy_delete(struct xfrm_policy * x)1991 static inline void xfrm_dev_policy_delete(struct xfrm_policy *x) 1992 { 1993 struct xfrm_dev_offload *xdo = &x->xdo; 1994 struct net_device *dev = xdo->dev; 1995 1996 if (dev && dev->xfrmdev_ops && dev->xfrmdev_ops->xdo_dev_policy_delete) 1997 dev->xfrmdev_ops->xdo_dev_policy_delete(x); 1998 } 1999 xfrm_dev_policy_free(struct xfrm_policy * x)2000 static inline void xfrm_dev_policy_free(struct xfrm_policy *x) 2001 { 2002 struct xfrm_dev_offload *xdo = &x->xdo; 2003 struct net_device *dev = xdo->dev; 2004 2005 if (dev && dev->xfrmdev_ops) { 2006 if (dev->xfrmdev_ops->xdo_dev_policy_free) 2007 dev->xfrmdev_ops->xdo_dev_policy_free(x); 2008 xdo->dev = NULL; 2009 netdev_put(dev, &xdo->dev_tracker); 2010 } 2011 } 2012 #else xfrm_dev_resume(struct sk_buff * skb)2013 static inline void xfrm_dev_resume(struct sk_buff *skb) 2014 { 2015 } 2016 xfrm_dev_backlog(struct softnet_data * sd)2017 static inline void xfrm_dev_backlog(struct softnet_data *sd) 2018 { 2019 } 2020 validate_xmit_xfrm(struct sk_buff * skb,netdev_features_t features,bool * again)2021 static inline struct sk_buff *validate_xmit_xfrm(struct sk_buff *skb, netdev_features_t features, bool *again) 2022 { 2023 return skb; 2024 } 2025 xfrm_dev_state_add(struct net * net,struct xfrm_state * x,struct xfrm_user_offload * xuo,struct netlink_ext_ack * extack)2026 static inline int xfrm_dev_state_add(struct net *net, struct xfrm_state *x, struct xfrm_user_offload *xuo, struct netlink_ext_ack *extack) 2027 { 2028 return 0; 2029 } 2030 xfrm_dev_state_delete(struct xfrm_state * x)2031 static inline void xfrm_dev_state_delete(struct xfrm_state *x) 2032 { 2033 } 2034 xfrm_dev_state_free(struct xfrm_state * x)2035 static inline void xfrm_dev_state_free(struct xfrm_state *x) 2036 { 2037 } 2038 xfrm_dev_policy_add(struct net * net,struct xfrm_policy * xp,struct xfrm_user_offload * xuo,u8 dir,struct netlink_ext_ack * extack)2039 static inline int xfrm_dev_policy_add(struct net *net, struct xfrm_policy *xp, 2040 struct xfrm_user_offload *xuo, u8 dir, 2041 struct netlink_ext_ack *extack) 2042 { 2043 return 0; 2044 } 2045 xfrm_dev_policy_delete(struct xfrm_policy * x)2046 static inline void xfrm_dev_policy_delete(struct xfrm_policy *x) 2047 { 2048 } 2049 xfrm_dev_policy_free(struct xfrm_policy * x)2050 static inline void xfrm_dev_policy_free(struct xfrm_policy *x) 2051 { 2052 } 2053 xfrm_dev_offload_ok(struct sk_buff * skb,struct xfrm_state * x)2054 static inline bool xfrm_dev_offload_ok(struct sk_buff *skb, struct xfrm_state *x) 2055 { 2056 return false; 2057 } 2058 xfrm_dev_state_advance_esn(struct xfrm_state * x)2059 static inline void xfrm_dev_state_advance_esn(struct xfrm_state *x) 2060 { 2061 } 2062 xfrm_dst_offload_ok(struct dst_entry * dst)2063 static inline bool xfrm_dst_offload_ok(struct dst_entry *dst) 2064 { 2065 return false; 2066 } 2067 #endif 2068 xfrm_mark_get(struct nlattr ** attrs,struct xfrm_mark * m)2069 static inline int xfrm_mark_get(struct nlattr **attrs, struct xfrm_mark *m) 2070 { 2071 if (attrs[XFRMA_MARK]) 2072 memcpy(m, nla_data(attrs[XFRMA_MARK]), sizeof(struct xfrm_mark)); 2073 else 2074 m->v = m->m = 0; 2075 2076 return m->v & m->m; 2077 } 2078 xfrm_mark_put(struct sk_buff * skb,const struct xfrm_mark * m)2079 static inline int xfrm_mark_put(struct sk_buff *skb, const struct xfrm_mark *m) 2080 { 2081 int ret = 0; 2082 2083 if (m->m | m->v) 2084 ret = nla_put(skb, XFRMA_MARK, sizeof(struct xfrm_mark), m); 2085 return ret; 2086 } 2087 xfrm_smark_get(__u32 mark,struct xfrm_state * x)2088 static inline __u32 xfrm_smark_get(__u32 mark, struct xfrm_state *x) 2089 { 2090 struct xfrm_mark *m = &x->props.smark; 2091 2092 return (m->v & m->m) | (mark & ~m->m); 2093 } 2094 xfrm_if_id_put(struct sk_buff * skb,__u32 if_id)2095 static inline int xfrm_if_id_put(struct sk_buff *skb, __u32 if_id) 2096 { 2097 int ret = 0; 2098 2099 if (if_id) 2100 ret = nla_put_u32(skb, XFRMA_IF_ID, if_id); 2101 return ret; 2102 } 2103 xfrm_tunnel_check(struct sk_buff * skb,struct xfrm_state * x,unsigned int family)2104 static inline int xfrm_tunnel_check(struct sk_buff *skb, struct xfrm_state *x, 2105 unsigned int family) 2106 { 2107 bool tunnel = false; 2108 2109 switch(family) { 2110 case AF_INET: 2111 if (XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4) 2112 tunnel = true; 2113 break; 2114 case AF_INET6: 2115 if (XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip6) 2116 tunnel = true; 2117 break; 2118 } 2119 if (tunnel && !(x->outer_mode.flags & XFRM_MODE_FLAG_TUNNEL)) 2120 return -EINVAL; 2121 2122 return 0; 2123 } 2124 2125 extern const int xfrm_msg_min[XFRM_NR_MSGTYPES]; 2126 extern const struct nla_policy xfrma_policy[XFRMA_MAX+1]; 2127 2128 struct xfrm_translator { 2129 /* Allocate frag_list and put compat translation there */ 2130 int (*alloc_compat)(struct sk_buff *skb, const struct nlmsghdr *src); 2131 2132 /* Allocate nlmsg with 64-bit translaton of received 32-bit message */ 2133 struct nlmsghdr *(*rcv_msg_compat)(const struct nlmsghdr *nlh, 2134 int maxtype, const struct nla_policy *policy, 2135 struct netlink_ext_ack *extack); 2136 2137 /* Translate 32-bit user_policy from sockptr */ 2138 int (*xlate_user_policy_sockptr)(u8 **pdata32, int optlen); 2139 2140 struct module *owner; 2141 }; 2142 2143 #if IS_ENABLED(CONFIG_XFRM_USER_COMPAT) 2144 extern int xfrm_register_translator(struct xfrm_translator *xtr); 2145 extern int xfrm_unregister_translator(struct xfrm_translator *xtr); 2146 extern struct xfrm_translator *xfrm_get_translator(void); 2147 extern void xfrm_put_translator(struct xfrm_translator *xtr); 2148 #else xfrm_get_translator(void)2149 static inline struct xfrm_translator *xfrm_get_translator(void) 2150 { 2151 return NULL; 2152 } xfrm_put_translator(struct xfrm_translator * xtr)2153 static inline void xfrm_put_translator(struct xfrm_translator *xtr) 2154 { 2155 } 2156 #endif 2157 2158 #if IS_ENABLED(CONFIG_IPV6) xfrm6_local_dontfrag(const struct sock * sk)2159 static inline bool xfrm6_local_dontfrag(const struct sock *sk) 2160 { 2161 int proto; 2162 2163 if (!sk || sk->sk_family != AF_INET6) 2164 return false; 2165 2166 proto = sk->sk_protocol; 2167 if (proto == IPPROTO_UDP || proto == IPPROTO_RAW) 2168 return inet6_sk(sk)->dontfrag; 2169 2170 return false; 2171 } 2172 #endif 2173 2174 #if (IS_BUILTIN(CONFIG_XFRM_INTERFACE) && IS_ENABLED(CONFIG_DEBUG_INFO_BTF)) || \ 2175 (IS_MODULE(CONFIG_XFRM_INTERFACE) && IS_ENABLED(CONFIG_DEBUG_INFO_BTF_MODULES)) 2176 2177 extern struct metadata_dst __percpu *xfrm_bpf_md_dst; 2178 2179 int register_xfrm_interface_bpf(void); 2180 2181 #else 2182 register_xfrm_interface_bpf(void)2183 static inline int register_xfrm_interface_bpf(void) 2184 { 2185 return 0; 2186 } 2187 2188 #endif 2189 2190 #endif /* _NET_XFRM_H */ 2191