1 /* SPDX-License-Identifier: GPL-2.0 */
2 #ifndef _NET_XFRM_H
3 #define _NET_XFRM_H
4
5 #include <linux/compiler.h>
6 #include <linux/xfrm.h>
7 #include <linux/spinlock.h>
8 #include <linux/list.h>
9 #include <linux/skbuff.h>
10 #include <linux/socket.h>
11 #include <linux/pfkeyv2.h>
12 #include <linux/ipsec.h>
13 #include <linux/in6.h>
14 #include <linux/mutex.h>
15 #include <linux/audit.h>
16 #include <linux/slab.h>
17 #include <linux/refcount.h>
18 #include <linux/sockptr.h>
19
20 #include <net/sock.h>
21 #include <net/dst.h>
22 #include <net/ip.h>
23 #include <net/route.h>
24 #include <net/ipv6.h>
25 #include <net/ip6_fib.h>
26 #include <net/flow.h>
27 #include <net/gro_cells.h>
28
29 #include <linux/interrupt.h>
30
31 #ifdef CONFIG_XFRM_STATISTICS
32 #include <net/snmp.h>
33 #endif
34
35 #define XFRM_PROTO_ESP 50
36 #define XFRM_PROTO_AH 51
37 #define XFRM_PROTO_COMP 108
38 #define XFRM_PROTO_IPIP 4
39 #define XFRM_PROTO_IPV6 41
40 #define XFRM_PROTO_ROUTING IPPROTO_ROUTING
41 #define XFRM_PROTO_DSTOPTS IPPROTO_DSTOPTS
42
43 #define XFRM_ALIGN4(len) (((len) + 3) & ~3)
44 #define XFRM_ALIGN8(len) (((len) + 7) & ~7)
45 #define MODULE_ALIAS_XFRM_MODE(family, encap) \
46 MODULE_ALIAS("xfrm-mode-" __stringify(family) "-" __stringify(encap))
47 #define MODULE_ALIAS_XFRM_TYPE(family, proto) \
48 MODULE_ALIAS("xfrm-type-" __stringify(family) "-" __stringify(proto))
49 #define MODULE_ALIAS_XFRM_OFFLOAD_TYPE(family, proto) \
50 MODULE_ALIAS("xfrm-offload-" __stringify(family) "-" __stringify(proto))
51
52 #ifdef CONFIG_XFRM_STATISTICS
53 #define XFRM_INC_STATS(net, field) SNMP_INC_STATS((net)->mib.xfrm_statistics, field)
54 #else
55 #define XFRM_INC_STATS(net, field) ((void)(net))
56 #endif
57
58
59 /* Organization of SPD aka "XFRM rules"
60 ------------------------------------
61
62 Basic objects:
63 - policy rule, struct xfrm_policy (=SPD entry)
64 - bundle of transformations, struct dst_entry == struct xfrm_dst (=SA bundle)
65 - instance of a transformer, struct xfrm_state (=SA)
66 - template to clone xfrm_state, struct xfrm_tmpl
67
68 SPD is plain linear list of xfrm_policy rules, ordered by priority.
69 (To be compatible with existing pfkeyv2 implementations,
70 many rules with priority of 0x7fffffff are allowed to exist and
71 such rules are ordered in an unpredictable way, thanks to bsd folks.)
72
73 Lookup is plain linear search until the first match with selector.
74
75 If "action" is "block", then we prohibit the flow, otherwise:
76 if "xfrms_nr" is zero, the flow passes untransformed. Otherwise,
77 policy entry has list of up to XFRM_MAX_DEPTH transformations,
78 described by templates xfrm_tmpl. Each template is resolved
79 to a complete xfrm_state (see below) and we pack bundle of transformations
80 to a dst_entry returned to requestor.
81
82 dst -. xfrm .-> xfrm_state #1
83 |---. child .-> dst -. xfrm .-> xfrm_state #2
84 |---. child .-> dst -. xfrm .-> xfrm_state #3
85 |---. child .-> NULL
86
87 Bundles are cached at xrfm_policy struct (field ->bundles).
88
89
90 Resolution of xrfm_tmpl
91 -----------------------
92 Template contains:
93 1. ->mode Mode: transport or tunnel
94 2. ->id.proto Protocol: AH/ESP/IPCOMP
95 3. ->id.daddr Remote tunnel endpoint, ignored for transport mode.
96 Q: allow to resolve security gateway?
97 4. ->id.spi If not zero, static SPI.
98 5. ->saddr Local tunnel endpoint, ignored for transport mode.
99 6. ->algos List of allowed algos. Plain bitmask now.
100 Q: ealgos, aalgos, calgos. What a mess...
101 7. ->share Sharing mode.
102 Q: how to implement private sharing mode? To add struct sock* to
103 flow id?
104
105 Having this template we search through SAD searching for entries
106 with appropriate mode/proto/algo, permitted by selector.
107 If no appropriate entry found, it is requested from key manager.
108
109 PROBLEMS:
110 Q: How to find all the bundles referring to a physical path for
111 PMTU discovery? Seems, dst should contain list of all parents...
112 and enter to infinite locking hierarchy disaster.
113 No! It is easier, we will not search for them, let them find us.
114 We add genid to each dst plus pointer to genid of raw IP route,
115 pmtu disc will update pmtu on raw IP route and increase its genid.
116 dst_check() will see this for top level and trigger resyncing
117 metrics. Plus, it will be made via sk->sk_dst_cache. Solved.
118 */
119
120 struct xfrm_state_walk {
121 struct list_head all;
122 u8 state;
123 u8 dying;
124 u8 proto;
125 u32 seq;
126 struct xfrm_address_filter *filter;
127 };
128
129 enum {
130 XFRM_DEV_OFFLOAD_IN = 1,
131 XFRM_DEV_OFFLOAD_OUT,
132 XFRM_DEV_OFFLOAD_FWD,
133 };
134
135 enum {
136 XFRM_DEV_OFFLOAD_UNSPECIFIED,
137 XFRM_DEV_OFFLOAD_CRYPTO,
138 XFRM_DEV_OFFLOAD_PACKET,
139 };
140
141 enum {
142 XFRM_DEV_OFFLOAD_FLAG_ACQ = 1,
143 };
144
145 struct xfrm_dev_offload {
146 struct net_device *dev;
147 netdevice_tracker dev_tracker;
148 struct net_device *real_dev;
149 unsigned long offload_handle;
150 u8 dir : 2;
151 u8 type : 2;
152 u8 flags : 2;
153 };
154
155 struct xfrm_mode {
156 u8 encap;
157 u8 family;
158 u8 flags;
159 };
160
161 /* Flags for xfrm_mode. */
162 enum {
163 XFRM_MODE_FLAG_TUNNEL = 1,
164 };
165
166 enum xfrm_replay_mode {
167 XFRM_REPLAY_MODE_LEGACY,
168 XFRM_REPLAY_MODE_BMP,
169 XFRM_REPLAY_MODE_ESN,
170 };
171
172 /* Full description of state of transformer. */
173 struct xfrm_state {
174 possible_net_t xs_net;
175 union {
176 struct hlist_node gclist;
177 struct hlist_node bydst;
178 };
179 union {
180 struct hlist_node dev_gclist;
181 struct hlist_node bysrc;
182 };
183 struct hlist_node byspi;
184 struct hlist_node byseq;
185
186 refcount_t refcnt;
187 spinlock_t lock;
188
189 struct xfrm_id id;
190 struct xfrm_selector sel;
191 struct xfrm_mark mark;
192 u32 if_id;
193 u32 tfcpad;
194
195 u32 genid;
196
197 /* Key manager bits */
198 struct xfrm_state_walk km;
199
200 /* Parameters of this state. */
201 struct {
202 u32 reqid;
203 u8 mode;
204 u8 replay_window;
205 u8 aalgo, ealgo, calgo;
206 u8 flags;
207 u16 family;
208 xfrm_address_t saddr;
209 int header_len;
210 int trailer_len;
211 u32 extra_flags;
212 struct xfrm_mark smark;
213 } props;
214
215 struct xfrm_lifetime_cfg lft;
216
217 /* Data for transformer */
218 struct xfrm_algo_auth *aalg;
219 struct xfrm_algo *ealg;
220 struct xfrm_algo *calg;
221 struct xfrm_algo_aead *aead;
222 const char *geniv;
223
224 /* mapping change rate limiting */
225 __be16 new_mapping_sport;
226 u32 new_mapping; /* seconds */
227 u32 mapping_maxage; /* seconds for input SA */
228
229 /* Data for encapsulator */
230 struct xfrm_encap_tmpl *encap;
231
232 /* Data for care-of address */
233 xfrm_address_t *coaddr;
234
235 /* IPComp needs an IPIP tunnel for handling uncompressed packets */
236 struct xfrm_state *tunnel;
237
238 /* If a tunnel, number of users + 1 */
239 atomic_t tunnel_users;
240
241 /* State for replay detection */
242 struct xfrm_replay_state replay;
243 struct xfrm_replay_state_esn *replay_esn;
244
245 /* Replay detection state at the time we sent the last notification */
246 struct xfrm_replay_state preplay;
247 struct xfrm_replay_state_esn *preplay_esn;
248
249 /* replay detection mode */
250 enum xfrm_replay_mode repl_mode;
251 /* internal flag that only holds state for delayed aevent at the
252 * moment
253 */
254 u32 xflags;
255
256 /* Replay detection notification settings */
257 u32 replay_maxage;
258 u32 replay_maxdiff;
259
260 /* Replay detection notification timer */
261 struct timer_list rtimer;
262
263 /* Statistics */
264 struct xfrm_stats stats;
265
266 struct xfrm_lifetime_cur curlft;
267 struct hrtimer mtimer;
268
269 struct xfrm_dev_offload xso;
270
271 /* used to fix curlft->add_time when changing date */
272 long saved_tmo;
273
274 /* Last used time */
275 time64_t lastused;
276
277 struct page_frag xfrag;
278
279 /* Reference to data common to all the instances of this
280 * transformer. */
281 const struct xfrm_type *type;
282 struct xfrm_mode inner_mode;
283 struct xfrm_mode inner_mode_iaf;
284 struct xfrm_mode outer_mode;
285
286 const struct xfrm_type_offload *type_offload;
287
288 /* Security context */
289 struct xfrm_sec_ctx *security;
290
291 /* Private data of this transformer, format is opaque,
292 * interpreted by xfrm_type methods. */
293 void *data;
294 };
295
xs_net(struct xfrm_state * x)296 static inline struct net *xs_net(struct xfrm_state *x)
297 {
298 return read_pnet(&x->xs_net);
299 }
300
301 /* xflags - make enum if more show up */
302 #define XFRM_TIME_DEFER 1
303 #define XFRM_SOFT_EXPIRE 2
304
305 enum {
306 XFRM_STATE_VOID,
307 XFRM_STATE_ACQ,
308 XFRM_STATE_VALID,
309 XFRM_STATE_ERROR,
310 XFRM_STATE_EXPIRED,
311 XFRM_STATE_DEAD
312 };
313
314 /* callback structure passed from either netlink or pfkey */
315 struct km_event {
316 union {
317 u32 hard;
318 u32 proto;
319 u32 byid;
320 u32 aevent;
321 u32 type;
322 } data;
323
324 u32 seq;
325 u32 portid;
326 u32 event;
327 struct net *net;
328 };
329
330 struct xfrm_if_decode_session_result {
331 struct net *net;
332 u32 if_id;
333 };
334
335 struct xfrm_if_cb {
336 bool (*decode_session)(struct sk_buff *skb,
337 unsigned short family,
338 struct xfrm_if_decode_session_result *res);
339 };
340
341 void xfrm_if_register_cb(const struct xfrm_if_cb *ifcb);
342 void xfrm_if_unregister_cb(void);
343
344 struct xfrm_dst_lookup_params {
345 struct net *net;
346 int tos;
347 int oif;
348 xfrm_address_t *saddr;
349 xfrm_address_t *daddr;
350 u32 mark;
351 __u8 ipproto;
352 union flowi_uli uli;
353 };
354
355 struct net_device;
356 struct xfrm_type;
357 struct xfrm_dst;
358 struct xfrm_policy_afinfo {
359 struct dst_ops *dst_ops;
360 struct dst_entry *(*dst_lookup)(const struct xfrm_dst_lookup_params *params);
361 int (*get_saddr)(xfrm_address_t *saddr,
362 const struct xfrm_dst_lookup_params *params);
363 int (*fill_dst)(struct xfrm_dst *xdst,
364 struct net_device *dev,
365 const struct flowi *fl);
366 struct dst_entry *(*blackhole_route)(struct net *net, struct dst_entry *orig);
367 };
368
369 int xfrm_policy_register_afinfo(const struct xfrm_policy_afinfo *afinfo, int family);
370 void xfrm_policy_unregister_afinfo(const struct xfrm_policy_afinfo *afinfo);
371 void km_policy_notify(struct xfrm_policy *xp, int dir,
372 const struct km_event *c);
373 void km_state_notify(struct xfrm_state *x, const struct km_event *c);
374
375 struct xfrm_tmpl;
376 int km_query(struct xfrm_state *x, struct xfrm_tmpl *t,
377 struct xfrm_policy *pol);
378 void km_state_expired(struct xfrm_state *x, int hard, u32 portid);
379 int __xfrm_state_delete(struct xfrm_state *x);
380
381 struct xfrm_state_afinfo {
382 u8 family;
383 u8 proto;
384
385 const struct xfrm_type_offload *type_offload_esp;
386
387 const struct xfrm_type *type_esp;
388 const struct xfrm_type *type_ipip;
389 const struct xfrm_type *type_ipip6;
390 const struct xfrm_type *type_comp;
391 const struct xfrm_type *type_ah;
392 const struct xfrm_type *type_routing;
393 const struct xfrm_type *type_dstopts;
394
395 int (*output)(struct net *net, struct sock *sk, struct sk_buff *skb);
396 int (*transport_finish)(struct sk_buff *skb,
397 int async);
398 void (*local_error)(struct sk_buff *skb, u32 mtu);
399 };
400
401 int xfrm_state_register_afinfo(struct xfrm_state_afinfo *afinfo);
402 int xfrm_state_unregister_afinfo(struct xfrm_state_afinfo *afinfo);
403 struct xfrm_state_afinfo *xfrm_state_get_afinfo(unsigned int family);
404 struct xfrm_state_afinfo *xfrm_state_afinfo_get_rcu(unsigned int family);
405
406 struct xfrm_input_afinfo {
407 u8 family;
408 bool is_ipip;
409 int (*callback)(struct sk_buff *skb, u8 protocol,
410 int err);
411 };
412
413 int xfrm_input_register_afinfo(const struct xfrm_input_afinfo *afinfo);
414 int xfrm_input_unregister_afinfo(const struct xfrm_input_afinfo *afinfo);
415
416 void xfrm_flush_gc(void);
417 void xfrm_state_delete_tunnel(struct xfrm_state *x);
418
419 struct xfrm_type {
420 struct module *owner;
421 u8 proto;
422 u8 flags;
423 #define XFRM_TYPE_NON_FRAGMENT 1
424 #define XFRM_TYPE_REPLAY_PROT 2
425 #define XFRM_TYPE_LOCAL_COADDR 4
426 #define XFRM_TYPE_REMOTE_COADDR 8
427
428 int (*init_state)(struct xfrm_state *x,
429 struct netlink_ext_ack *extack);
430 void (*destructor)(struct xfrm_state *);
431 int (*input)(struct xfrm_state *, struct sk_buff *skb);
432 int (*output)(struct xfrm_state *, struct sk_buff *pskb);
433 int (*reject)(struct xfrm_state *, struct sk_buff *,
434 const struct flowi *);
435 };
436
437 int xfrm_register_type(const struct xfrm_type *type, unsigned short family);
438 void xfrm_unregister_type(const struct xfrm_type *type, unsigned short family);
439
440 struct xfrm_type_offload {
441 struct module *owner;
442 u8 proto;
443 void (*encap)(struct xfrm_state *, struct sk_buff *pskb);
444 int (*input_tail)(struct xfrm_state *x, struct sk_buff *skb);
445 int (*xmit)(struct xfrm_state *, struct sk_buff *pskb, netdev_features_t features);
446 };
447
448 int xfrm_register_type_offload(const struct xfrm_type_offload *type, unsigned short family);
449 void xfrm_unregister_type_offload(const struct xfrm_type_offload *type, unsigned short family);
450
xfrm_af2proto(unsigned int family)451 static inline int xfrm_af2proto(unsigned int family)
452 {
453 switch(family) {
454 case AF_INET:
455 return IPPROTO_IPIP;
456 case AF_INET6:
457 return IPPROTO_IPV6;
458 default:
459 return 0;
460 }
461 }
462
xfrm_ip2inner_mode(struct xfrm_state * x,int ipproto)463 static inline const struct xfrm_mode *xfrm_ip2inner_mode(struct xfrm_state *x, int ipproto)
464 {
465 if ((ipproto == IPPROTO_IPIP && x->props.family == AF_INET) ||
466 (ipproto == IPPROTO_IPV6 && x->props.family == AF_INET6))
467 return &x->inner_mode;
468 else
469 return &x->inner_mode_iaf;
470 }
471
472 struct xfrm_tmpl {
473 /* id in template is interpreted as:
474 * daddr - destination of tunnel, may be zero for transport mode.
475 * spi - zero to acquire spi. Not zero if spi is static, then
476 * daddr must be fixed too.
477 * proto - AH/ESP/IPCOMP
478 */
479 struct xfrm_id id;
480
481 /* Source address of tunnel. Ignored, if it is not a tunnel. */
482 xfrm_address_t saddr;
483
484 unsigned short encap_family;
485
486 u32 reqid;
487
488 /* Mode: transport, tunnel etc. */
489 u8 mode;
490
491 /* Sharing mode: unique, this session only, this user only etc. */
492 u8 share;
493
494 /* May skip this transfomration if no SA is found */
495 u8 optional;
496
497 /* Skip aalgos/ealgos/calgos checks. */
498 u8 allalgs;
499
500 /* Bit mask of algos allowed for acquisition */
501 u32 aalgos;
502 u32 ealgos;
503 u32 calgos;
504 };
505
506 #define XFRM_MAX_DEPTH 6
507 #define XFRM_MAX_OFFLOAD_DEPTH 1
508
509 struct xfrm_policy_walk_entry {
510 struct list_head all;
511 u8 dead;
512 };
513
514 struct xfrm_policy_walk {
515 struct xfrm_policy_walk_entry walk;
516 u8 type;
517 u32 seq;
518 };
519
520 struct xfrm_policy_queue {
521 struct sk_buff_head hold_queue;
522 struct timer_list hold_timer;
523 unsigned long timeout;
524 };
525
526 struct xfrm_policy {
527 possible_net_t xp_net;
528 struct hlist_node bydst;
529 struct hlist_node byidx;
530
531 /* This lock only affects elements except for entry. */
532 rwlock_t lock;
533 refcount_t refcnt;
534 u32 pos;
535 struct timer_list timer;
536
537 atomic_t genid;
538 u32 priority;
539 u32 index;
540 u32 if_id;
541 struct xfrm_mark mark;
542 struct xfrm_selector selector;
543 struct xfrm_lifetime_cfg lft;
544 struct xfrm_lifetime_cur curlft;
545 struct xfrm_policy_walk_entry walk;
546 struct xfrm_policy_queue polq;
547 bool bydst_reinsert;
548 u8 type;
549 u8 action;
550 u8 flags;
551 u8 xfrm_nr;
552 u16 family;
553 struct xfrm_sec_ctx *security;
554 struct xfrm_tmpl xfrm_vec[XFRM_MAX_DEPTH];
555 struct hlist_node bydst_inexact_list;
556 struct rcu_head rcu;
557
558 struct xfrm_dev_offload xdo;
559 };
560
xp_net(const struct xfrm_policy * xp)561 static inline struct net *xp_net(const struct xfrm_policy *xp)
562 {
563 return read_pnet(&xp->xp_net);
564 }
565
566 struct xfrm_kmaddress {
567 xfrm_address_t local;
568 xfrm_address_t remote;
569 u32 reserved;
570 u16 family;
571 };
572
573 struct xfrm_migrate {
574 xfrm_address_t old_daddr;
575 xfrm_address_t old_saddr;
576 xfrm_address_t new_daddr;
577 xfrm_address_t new_saddr;
578 u8 proto;
579 u8 mode;
580 u16 reserved;
581 u32 reqid;
582 u16 old_family;
583 u16 new_family;
584 };
585
586 #define XFRM_KM_TIMEOUT 30
587 /* what happened */
588 #define XFRM_REPLAY_UPDATE XFRM_AE_CR
589 #define XFRM_REPLAY_TIMEOUT XFRM_AE_CE
590
591 /* default aevent timeout in units of 100ms */
592 #define XFRM_AE_ETIME 10
593 /* Async Event timer multiplier */
594 #define XFRM_AE_ETH_M 10
595 /* default seq threshold size */
596 #define XFRM_AE_SEQT_SIZE 2
597
598 struct xfrm_mgr {
599 struct list_head list;
600 int (*notify)(struct xfrm_state *x, const struct km_event *c);
601 int (*acquire)(struct xfrm_state *x, struct xfrm_tmpl *, struct xfrm_policy *xp);
602 struct xfrm_policy *(*compile_policy)(struct sock *sk, int opt, u8 *data, int len, int *dir);
603 int (*new_mapping)(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport);
604 int (*notify_policy)(struct xfrm_policy *x, int dir, const struct km_event *c);
605 int (*report)(struct net *net, u8 proto, struct xfrm_selector *sel, xfrm_address_t *addr);
606 int (*migrate)(const struct xfrm_selector *sel,
607 u8 dir, u8 type,
608 const struct xfrm_migrate *m,
609 int num_bundles,
610 const struct xfrm_kmaddress *k,
611 const struct xfrm_encap_tmpl *encap);
612 bool (*is_alive)(const struct km_event *c);
613 };
614
615 void xfrm_register_km(struct xfrm_mgr *km);
616 void xfrm_unregister_km(struct xfrm_mgr *km);
617
618 struct xfrm_tunnel_skb_cb {
619 union {
620 struct inet_skb_parm h4;
621 struct inet6_skb_parm h6;
622 } header;
623
624 union {
625 struct ip_tunnel *ip4;
626 struct ip6_tnl *ip6;
627 } tunnel;
628 };
629
630 #define XFRM_TUNNEL_SKB_CB(__skb) ((struct xfrm_tunnel_skb_cb *)&((__skb)->cb[0]))
631
632 /*
633 * This structure is used for the duration where packets are being
634 * transformed by IPsec. As soon as the packet leaves IPsec the
635 * area beyond the generic IP part may be overwritten.
636 */
637 struct xfrm_skb_cb {
638 struct xfrm_tunnel_skb_cb header;
639
640 /* Sequence number for replay protection. */
641 union {
642 struct {
643 __u32 low;
644 __u32 hi;
645 } output;
646 struct {
647 __be32 low;
648 __be32 hi;
649 } input;
650 } seq;
651 };
652
653 #define XFRM_SKB_CB(__skb) ((struct xfrm_skb_cb *)&((__skb)->cb[0]))
654
655 /*
656 * This structure is used by the afinfo prepare_input/prepare_output functions
657 * to transmit header information to the mode input/output functions.
658 */
659 struct xfrm_mode_skb_cb {
660 struct xfrm_tunnel_skb_cb header;
661
662 /* Copied from header for IPv4, always set to zero and DF for IPv6. */
663 __be16 id;
664 __be16 frag_off;
665
666 /* IP header length (excluding options or extension headers). */
667 u8 ihl;
668
669 /* TOS for IPv4, class for IPv6. */
670 u8 tos;
671
672 /* TTL for IPv4, hop limitfor IPv6. */
673 u8 ttl;
674
675 /* Protocol for IPv4, NH for IPv6. */
676 u8 protocol;
677
678 /* Option length for IPv4, zero for IPv6. */
679 u8 optlen;
680
681 /* Used by IPv6 only, zero for IPv4. */
682 u8 flow_lbl[3];
683 };
684
685 #define XFRM_MODE_SKB_CB(__skb) ((struct xfrm_mode_skb_cb *)&((__skb)->cb[0]))
686
687 /*
688 * This structure is used by the input processing to locate the SPI and
689 * related information.
690 */
691 struct xfrm_spi_skb_cb {
692 struct xfrm_tunnel_skb_cb header;
693
694 unsigned int daddroff;
695 unsigned int family;
696 __be32 seq;
697 };
698
699 #define XFRM_SPI_SKB_CB(__skb) ((struct xfrm_spi_skb_cb *)&((__skb)->cb[0]))
700
701 #ifdef CONFIG_AUDITSYSCALL
xfrm_audit_start(const char * op)702 static inline struct audit_buffer *xfrm_audit_start(const char *op)
703 {
704 struct audit_buffer *audit_buf = NULL;
705
706 if (audit_enabled == AUDIT_OFF)
707 return NULL;
708 audit_buf = audit_log_start(audit_context(), GFP_ATOMIC,
709 AUDIT_MAC_IPSEC_EVENT);
710 if (audit_buf == NULL)
711 return NULL;
712 audit_log_format(audit_buf, "op=%s", op);
713 return audit_buf;
714 }
715
xfrm_audit_helper_usrinfo(bool task_valid,struct audit_buffer * audit_buf)716 static inline void xfrm_audit_helper_usrinfo(bool task_valid,
717 struct audit_buffer *audit_buf)
718 {
719 const unsigned int auid = from_kuid(&init_user_ns, task_valid ?
720 audit_get_loginuid(current) :
721 INVALID_UID);
722 const unsigned int ses = task_valid ? audit_get_sessionid(current) :
723 AUDIT_SID_UNSET;
724
725 audit_log_format(audit_buf, " auid=%u ses=%u", auid, ses);
726 audit_log_task_context(audit_buf);
727 }
728
729 void xfrm_audit_policy_add(struct xfrm_policy *xp, int result, bool task_valid);
730 void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result,
731 bool task_valid);
732 void xfrm_audit_state_add(struct xfrm_state *x, int result, bool task_valid);
733 void xfrm_audit_state_delete(struct xfrm_state *x, int result, bool task_valid);
734 void xfrm_audit_state_replay_overflow(struct xfrm_state *x,
735 struct sk_buff *skb);
736 void xfrm_audit_state_replay(struct xfrm_state *x, struct sk_buff *skb,
737 __be32 net_seq);
738 void xfrm_audit_state_notfound_simple(struct sk_buff *skb, u16 family);
739 void xfrm_audit_state_notfound(struct sk_buff *skb, u16 family, __be32 net_spi,
740 __be32 net_seq);
741 void xfrm_audit_state_icvfail(struct xfrm_state *x, struct sk_buff *skb,
742 u8 proto);
743 #else
744
xfrm_audit_policy_add(struct xfrm_policy * xp,int result,bool task_valid)745 static inline void xfrm_audit_policy_add(struct xfrm_policy *xp, int result,
746 bool task_valid)
747 {
748 }
749
xfrm_audit_policy_delete(struct xfrm_policy * xp,int result,bool task_valid)750 static inline void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result,
751 bool task_valid)
752 {
753 }
754
xfrm_audit_state_add(struct xfrm_state * x,int result,bool task_valid)755 static inline void xfrm_audit_state_add(struct xfrm_state *x, int result,
756 bool task_valid)
757 {
758 }
759
xfrm_audit_state_delete(struct xfrm_state * x,int result,bool task_valid)760 static inline void xfrm_audit_state_delete(struct xfrm_state *x, int result,
761 bool task_valid)
762 {
763 }
764
xfrm_audit_state_replay_overflow(struct xfrm_state * x,struct sk_buff * skb)765 static inline void xfrm_audit_state_replay_overflow(struct xfrm_state *x,
766 struct sk_buff *skb)
767 {
768 }
769
xfrm_audit_state_replay(struct xfrm_state * x,struct sk_buff * skb,__be32 net_seq)770 static inline void xfrm_audit_state_replay(struct xfrm_state *x,
771 struct sk_buff *skb, __be32 net_seq)
772 {
773 }
774
xfrm_audit_state_notfound_simple(struct sk_buff * skb,u16 family)775 static inline void xfrm_audit_state_notfound_simple(struct sk_buff *skb,
776 u16 family)
777 {
778 }
779
xfrm_audit_state_notfound(struct sk_buff * skb,u16 family,__be32 net_spi,__be32 net_seq)780 static inline void xfrm_audit_state_notfound(struct sk_buff *skb, u16 family,
781 __be32 net_spi, __be32 net_seq)
782 {
783 }
784
xfrm_audit_state_icvfail(struct xfrm_state * x,struct sk_buff * skb,u8 proto)785 static inline void xfrm_audit_state_icvfail(struct xfrm_state *x,
786 struct sk_buff *skb, u8 proto)
787 {
788 }
789 #endif /* CONFIG_AUDITSYSCALL */
790
xfrm_pol_hold(struct xfrm_policy * policy)791 static inline void xfrm_pol_hold(struct xfrm_policy *policy)
792 {
793 if (likely(policy != NULL))
794 refcount_inc(&policy->refcnt);
795 }
796
797 void xfrm_policy_destroy(struct xfrm_policy *policy);
798
xfrm_pol_put(struct xfrm_policy * policy)799 static inline void xfrm_pol_put(struct xfrm_policy *policy)
800 {
801 if (refcount_dec_and_test(&policy->refcnt))
802 xfrm_policy_destroy(policy);
803 }
804
xfrm_pols_put(struct xfrm_policy ** pols,int npols)805 static inline void xfrm_pols_put(struct xfrm_policy **pols, int npols)
806 {
807 int i;
808 for (i = npols - 1; i >= 0; --i)
809 xfrm_pol_put(pols[i]);
810 }
811
812 void __xfrm_state_destroy(struct xfrm_state *, bool);
813
__xfrm_state_put(struct xfrm_state * x)814 static inline void __xfrm_state_put(struct xfrm_state *x)
815 {
816 refcount_dec(&x->refcnt);
817 }
818
xfrm_state_put(struct xfrm_state * x)819 static inline void xfrm_state_put(struct xfrm_state *x)
820 {
821 if (refcount_dec_and_test(&x->refcnt))
822 __xfrm_state_destroy(x, false);
823 }
824
xfrm_state_put_sync(struct xfrm_state * x)825 static inline void xfrm_state_put_sync(struct xfrm_state *x)
826 {
827 if (refcount_dec_and_test(&x->refcnt))
828 __xfrm_state_destroy(x, true);
829 }
830
xfrm_state_hold(struct xfrm_state * x)831 static inline void xfrm_state_hold(struct xfrm_state *x)
832 {
833 refcount_inc(&x->refcnt);
834 }
835
addr_match(const void * token1,const void * token2,unsigned int prefixlen)836 static inline bool addr_match(const void *token1, const void *token2,
837 unsigned int prefixlen)
838 {
839 const __be32 *a1 = token1;
840 const __be32 *a2 = token2;
841 unsigned int pdw;
842 unsigned int pbi;
843
844 pdw = prefixlen >> 5; /* num of whole u32 in prefix */
845 pbi = prefixlen & 0x1f; /* num of bits in incomplete u32 in prefix */
846
847 if (pdw)
848 if (memcmp(a1, a2, pdw << 2))
849 return false;
850
851 if (pbi) {
852 __be32 mask;
853
854 mask = htonl((0xffffffff) << (32 - pbi));
855
856 if ((a1[pdw] ^ a2[pdw]) & mask)
857 return false;
858 }
859
860 return true;
861 }
862
addr4_match(__be32 a1,__be32 a2,u8 prefixlen)863 static inline bool addr4_match(__be32 a1, __be32 a2, u8 prefixlen)
864 {
865 /* C99 6.5.7 (3): u32 << 32 is undefined behaviour */
866 if (sizeof(long) == 4 && prefixlen == 0)
867 return true;
868 return !((a1 ^ a2) & htonl(~0UL << (32 - prefixlen)));
869 }
870
871 static __inline__
xfrm_flowi_sport(const struct flowi * fl,const union flowi_uli * uli)872 __be16 xfrm_flowi_sport(const struct flowi *fl, const union flowi_uli *uli)
873 {
874 __be16 port;
875 switch(fl->flowi_proto) {
876 case IPPROTO_TCP:
877 case IPPROTO_UDP:
878 case IPPROTO_UDPLITE:
879 case IPPROTO_SCTP:
880 port = uli->ports.sport;
881 break;
882 case IPPROTO_ICMP:
883 case IPPROTO_ICMPV6:
884 port = htons(uli->icmpt.type);
885 break;
886 case IPPROTO_MH:
887 port = htons(uli->mht.type);
888 break;
889 case IPPROTO_GRE:
890 port = htons(ntohl(uli->gre_key) >> 16);
891 break;
892 default:
893 port = 0; /*XXX*/
894 }
895 return port;
896 }
897
898 static __inline__
xfrm_flowi_dport(const struct flowi * fl,const union flowi_uli * uli)899 __be16 xfrm_flowi_dport(const struct flowi *fl, const union flowi_uli *uli)
900 {
901 __be16 port;
902 switch(fl->flowi_proto) {
903 case IPPROTO_TCP:
904 case IPPROTO_UDP:
905 case IPPROTO_UDPLITE:
906 case IPPROTO_SCTP:
907 port = uli->ports.dport;
908 break;
909 case IPPROTO_ICMP:
910 case IPPROTO_ICMPV6:
911 port = htons(uli->icmpt.code);
912 break;
913 case IPPROTO_GRE:
914 port = htons(ntohl(uli->gre_key) & 0xffff);
915 break;
916 default:
917 port = 0; /*XXX*/
918 }
919 return port;
920 }
921
922 bool xfrm_selector_match(const struct xfrm_selector *sel,
923 const struct flowi *fl, unsigned short family);
924
925 #ifdef CONFIG_SECURITY_NETWORK_XFRM
926 /* If neither has a context --> match
927 * Otherwise, both must have a context and the sids, doi, alg must match
928 */
xfrm_sec_ctx_match(struct xfrm_sec_ctx * s1,struct xfrm_sec_ctx * s2)929 static inline bool xfrm_sec_ctx_match(struct xfrm_sec_ctx *s1, struct xfrm_sec_ctx *s2)
930 {
931 return ((!s1 && !s2) ||
932 (s1 && s2 &&
933 (s1->ctx_sid == s2->ctx_sid) &&
934 (s1->ctx_doi == s2->ctx_doi) &&
935 (s1->ctx_alg == s2->ctx_alg)));
936 }
937 #else
xfrm_sec_ctx_match(struct xfrm_sec_ctx * s1,struct xfrm_sec_ctx * s2)938 static inline bool xfrm_sec_ctx_match(struct xfrm_sec_ctx *s1, struct xfrm_sec_ctx *s2)
939 {
940 return true;
941 }
942 #endif
943
944 /* A struct encoding bundle of transformations to apply to some set of flow.
945 *
946 * xdst->child points to the next element of bundle.
947 * dst->xfrm points to an instanse of transformer.
948 *
949 * Due to unfortunate limitations of current routing cache, which we
950 * have no time to fix, it mirrors struct rtable and bound to the same
951 * routing key, including saddr,daddr. However, we can have many of
952 * bundles differing by session id. All the bundles grow from a parent
953 * policy rule.
954 */
955 struct xfrm_dst {
956 union {
957 struct dst_entry dst;
958 struct rtable rt;
959 struct rt6_info rt6;
960 } u;
961 struct dst_entry *route;
962 struct dst_entry *child;
963 struct dst_entry *path;
964 struct xfrm_policy *pols[XFRM_POLICY_TYPE_MAX];
965 int num_pols, num_xfrms;
966 u32 xfrm_genid;
967 u32 policy_genid;
968 u32 route_mtu_cached;
969 u32 child_mtu_cached;
970 u32 route_cookie;
971 u32 path_cookie;
972 };
973
xfrm_dst_path(const struct dst_entry * dst)974 static inline struct dst_entry *xfrm_dst_path(const struct dst_entry *dst)
975 {
976 #ifdef CONFIG_XFRM
977 if (dst->xfrm || (dst->flags & DST_XFRM_QUEUE)) {
978 const struct xfrm_dst *xdst = (const struct xfrm_dst *) dst;
979
980 return xdst->path;
981 }
982 #endif
983 return (struct dst_entry *) dst;
984 }
985
xfrm_dst_child(const struct dst_entry * dst)986 static inline struct dst_entry *xfrm_dst_child(const struct dst_entry *dst)
987 {
988 #ifdef CONFIG_XFRM
989 if (dst->xfrm || (dst->flags & DST_XFRM_QUEUE)) {
990 struct xfrm_dst *xdst = (struct xfrm_dst *) dst;
991 return xdst->child;
992 }
993 #endif
994 return NULL;
995 }
996
997 #ifdef CONFIG_XFRM
xfrm_dst_set_child(struct xfrm_dst * xdst,struct dst_entry * child)998 static inline void xfrm_dst_set_child(struct xfrm_dst *xdst, struct dst_entry *child)
999 {
1000 xdst->child = child;
1001 }
1002
xfrm_dst_destroy(struct xfrm_dst * xdst)1003 static inline void xfrm_dst_destroy(struct xfrm_dst *xdst)
1004 {
1005 xfrm_pols_put(xdst->pols, xdst->num_pols);
1006 dst_release(xdst->route);
1007 if (likely(xdst->u.dst.xfrm))
1008 xfrm_state_put(xdst->u.dst.xfrm);
1009 }
1010 #endif
1011
1012 void xfrm_dst_ifdown(struct dst_entry *dst, struct net_device *dev);
1013
1014 struct xfrm_if_parms {
1015 int link; /* ifindex of underlying L2 interface */
1016 u32 if_id; /* interface identifyer */
1017 bool collect_md;
1018 };
1019
1020 struct xfrm_if {
1021 struct xfrm_if __rcu *next; /* next interface in list */
1022 struct net_device *dev; /* virtual device associated with interface */
1023 struct net *net; /* netns for packet i/o */
1024 struct xfrm_if_parms p; /* interface parms */
1025
1026 struct gro_cells gro_cells;
1027 };
1028
1029 struct xfrm_offload {
1030 /* Output sequence number for replay protection on offloading. */
1031 struct {
1032 __u32 low;
1033 __u32 hi;
1034 } seq;
1035
1036 __u32 flags;
1037 #define SA_DELETE_REQ 1
1038 #define CRYPTO_DONE 2
1039 #define CRYPTO_NEXT_DONE 4
1040 #define CRYPTO_FALLBACK 8
1041 #define XFRM_GSO_SEGMENT 16
1042 #define XFRM_GRO 32
1043 /* 64 is free */
1044 #define XFRM_DEV_RESUME 128
1045 #define XFRM_XMIT 256
1046
1047 __u32 status;
1048 #define CRYPTO_SUCCESS 1
1049 #define CRYPTO_GENERIC_ERROR 2
1050 #define CRYPTO_TRANSPORT_AH_AUTH_FAILED 4
1051 #define CRYPTO_TRANSPORT_ESP_AUTH_FAILED 8
1052 #define CRYPTO_TUNNEL_AH_AUTH_FAILED 16
1053 #define CRYPTO_TUNNEL_ESP_AUTH_FAILED 32
1054 #define CRYPTO_INVALID_PACKET_SYNTAX 64
1055 #define CRYPTO_INVALID_PROTOCOL 128
1056
1057 /* Used to keep whole l2 header for transport mode GRO */
1058 __u32 orig_mac_len;
1059
1060 __u8 proto;
1061 __u8 inner_ipproto;
1062 };
1063
1064 struct sec_path {
1065 int len;
1066 int olen;
1067 int verified_cnt;
1068
1069 struct xfrm_state *xvec[XFRM_MAX_DEPTH];
1070 struct xfrm_offload ovec[XFRM_MAX_OFFLOAD_DEPTH];
1071 };
1072
1073 struct sec_path *secpath_set(struct sk_buff *skb);
1074
1075 static inline void
secpath_reset(struct sk_buff * skb)1076 secpath_reset(struct sk_buff *skb)
1077 {
1078 #ifdef CONFIG_XFRM
1079 skb_ext_del(skb, SKB_EXT_SEC_PATH);
1080 #endif
1081 }
1082
1083 static inline int
xfrm_addr_any(const xfrm_address_t * addr,unsigned short family)1084 xfrm_addr_any(const xfrm_address_t *addr, unsigned short family)
1085 {
1086 switch (family) {
1087 case AF_INET:
1088 return addr->a4 == 0;
1089 case AF_INET6:
1090 return ipv6_addr_any(&addr->in6);
1091 }
1092 return 0;
1093 }
1094
1095 static inline int
__xfrm4_state_addr_cmp(const struct xfrm_tmpl * tmpl,const struct xfrm_state * x)1096 __xfrm4_state_addr_cmp(const struct xfrm_tmpl *tmpl, const struct xfrm_state *x)
1097 {
1098 return (tmpl->saddr.a4 &&
1099 tmpl->saddr.a4 != x->props.saddr.a4);
1100 }
1101
1102 static inline int
__xfrm6_state_addr_cmp(const struct xfrm_tmpl * tmpl,const struct xfrm_state * x)1103 __xfrm6_state_addr_cmp(const struct xfrm_tmpl *tmpl, const struct xfrm_state *x)
1104 {
1105 return (!ipv6_addr_any((struct in6_addr*)&tmpl->saddr) &&
1106 !ipv6_addr_equal((struct in6_addr *)&tmpl->saddr, (struct in6_addr*)&x->props.saddr));
1107 }
1108
1109 static inline int
xfrm_state_addr_cmp(const struct xfrm_tmpl * tmpl,const struct xfrm_state * x,unsigned short family)1110 xfrm_state_addr_cmp(const struct xfrm_tmpl *tmpl, const struct xfrm_state *x, unsigned short family)
1111 {
1112 switch (family) {
1113 case AF_INET:
1114 return __xfrm4_state_addr_cmp(tmpl, x);
1115 case AF_INET6:
1116 return __xfrm6_state_addr_cmp(tmpl, x);
1117 }
1118 return !0;
1119 }
1120
1121 #ifdef CONFIG_XFRM
xfrm_input_state(struct sk_buff * skb)1122 static inline struct xfrm_state *xfrm_input_state(struct sk_buff *skb)
1123 {
1124 struct sec_path *sp = skb_sec_path(skb);
1125
1126 return sp->xvec[sp->len - 1];
1127 }
1128 #endif
1129
xfrm_offload(struct sk_buff * skb)1130 static inline struct xfrm_offload *xfrm_offload(struct sk_buff *skb)
1131 {
1132 #ifdef CONFIG_XFRM
1133 struct sec_path *sp = skb_sec_path(skb);
1134
1135 if (!sp || !sp->olen || sp->len != sp->olen)
1136 return NULL;
1137
1138 return &sp->ovec[sp->olen - 1];
1139 #else
1140 return NULL;
1141 #endif
1142 }
1143
1144 #ifdef CONFIG_XFRM
1145 int __xfrm_policy_check(struct sock *, int dir, struct sk_buff *skb,
1146 unsigned short family);
1147
__xfrm_check_nopolicy(struct net * net,struct sk_buff * skb,int dir)1148 static inline bool __xfrm_check_nopolicy(struct net *net, struct sk_buff *skb,
1149 int dir)
1150 {
1151 if (!net->xfrm.policy_count[dir] && !secpath_exists(skb))
1152 return net->xfrm.policy_default[dir] == XFRM_USERPOLICY_ACCEPT;
1153
1154 return false;
1155 }
1156
__xfrm_check_dev_nopolicy(struct sk_buff * skb,int dir,unsigned short family)1157 static inline bool __xfrm_check_dev_nopolicy(struct sk_buff *skb,
1158 int dir, unsigned short family)
1159 {
1160 if (dir != XFRM_POLICY_OUT && family == AF_INET) {
1161 /* same dst may be used for traffic originating from
1162 * devices with different policy settings.
1163 */
1164 return IPCB(skb)->flags & IPSKB_NOPOLICY;
1165 }
1166 return skb_dst(skb) && (skb_dst(skb)->flags & DST_NOPOLICY);
1167 }
1168
__xfrm_policy_check2(struct sock * sk,int dir,struct sk_buff * skb,unsigned int family,int reverse)1169 static inline int __xfrm_policy_check2(struct sock *sk, int dir,
1170 struct sk_buff *skb,
1171 unsigned int family, int reverse)
1172 {
1173 struct net *net = dev_net(skb->dev);
1174 int ndir = dir | (reverse ? XFRM_POLICY_MASK + 1 : 0);
1175 struct xfrm_offload *xo = xfrm_offload(skb);
1176 struct xfrm_state *x;
1177
1178 if (sk && sk->sk_policy[XFRM_POLICY_IN])
1179 return __xfrm_policy_check(sk, ndir, skb, family);
1180
1181 if (xo) {
1182 x = xfrm_input_state(skb);
1183 if (x->xso.type == XFRM_DEV_OFFLOAD_PACKET) {
1184 bool check = (xo->flags & CRYPTO_DONE) &&
1185 (xo->status & CRYPTO_SUCCESS);
1186
1187 /* The packets here are plain ones and secpath was
1188 * needed to indicate that hardware already handled
1189 * them and there is no need to do nothing in addition.
1190 *
1191 * Consume secpath which was set by drivers.
1192 */
1193 secpath_reset(skb);
1194 return check;
1195 }
1196 }
1197
1198 return __xfrm_check_nopolicy(net, skb, dir) ||
1199 __xfrm_check_dev_nopolicy(skb, dir, family) ||
1200 __xfrm_policy_check(sk, ndir, skb, family);
1201 }
1202
xfrm_policy_check(struct sock * sk,int dir,struct sk_buff * skb,unsigned short family)1203 static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, unsigned short family)
1204 {
1205 return __xfrm_policy_check2(sk, dir, skb, family, 0);
1206 }
1207
xfrm4_policy_check(struct sock * sk,int dir,struct sk_buff * skb)1208 static inline int xfrm4_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
1209 {
1210 return xfrm_policy_check(sk, dir, skb, AF_INET);
1211 }
1212
xfrm6_policy_check(struct sock * sk,int dir,struct sk_buff * skb)1213 static inline int xfrm6_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
1214 {
1215 return xfrm_policy_check(sk, dir, skb, AF_INET6);
1216 }
1217
xfrm4_policy_check_reverse(struct sock * sk,int dir,struct sk_buff * skb)1218 static inline int xfrm4_policy_check_reverse(struct sock *sk, int dir,
1219 struct sk_buff *skb)
1220 {
1221 return __xfrm_policy_check2(sk, dir, skb, AF_INET, 1);
1222 }
1223
xfrm6_policy_check_reverse(struct sock * sk,int dir,struct sk_buff * skb)1224 static inline int xfrm6_policy_check_reverse(struct sock *sk, int dir,
1225 struct sk_buff *skb)
1226 {
1227 return __xfrm_policy_check2(sk, dir, skb, AF_INET6, 1);
1228 }
1229
1230 int __xfrm_decode_session(struct sk_buff *skb, struct flowi *fl,
1231 unsigned int family, int reverse);
1232
xfrm_decode_session(struct sk_buff * skb,struct flowi * fl,unsigned int family)1233 static inline int xfrm_decode_session(struct sk_buff *skb, struct flowi *fl,
1234 unsigned int family)
1235 {
1236 return __xfrm_decode_session(skb, fl, family, 0);
1237 }
1238
xfrm_decode_session_reverse(struct sk_buff * skb,struct flowi * fl,unsigned int family)1239 static inline int xfrm_decode_session_reverse(struct sk_buff *skb,
1240 struct flowi *fl,
1241 unsigned int family)
1242 {
1243 return __xfrm_decode_session(skb, fl, family, 1);
1244 }
1245
1246 int __xfrm_route_forward(struct sk_buff *skb, unsigned short family);
1247
xfrm_route_forward(struct sk_buff * skb,unsigned short family)1248 static inline int xfrm_route_forward(struct sk_buff *skb, unsigned short family)
1249 {
1250 struct net *net = dev_net(skb->dev);
1251
1252 if (!net->xfrm.policy_count[XFRM_POLICY_OUT] &&
1253 net->xfrm.policy_default[XFRM_POLICY_OUT] == XFRM_USERPOLICY_ACCEPT)
1254 return true;
1255
1256 return (skb_dst(skb)->flags & DST_NOXFRM) ||
1257 __xfrm_route_forward(skb, family);
1258 }
1259
xfrm4_route_forward(struct sk_buff * skb)1260 static inline int xfrm4_route_forward(struct sk_buff *skb)
1261 {
1262 return xfrm_route_forward(skb, AF_INET);
1263 }
1264
xfrm6_route_forward(struct sk_buff * skb)1265 static inline int xfrm6_route_forward(struct sk_buff *skb)
1266 {
1267 return xfrm_route_forward(skb, AF_INET6);
1268 }
1269
1270 int __xfrm_sk_clone_policy(struct sock *sk, const struct sock *osk);
1271
xfrm_sk_clone_policy(struct sock * sk,const struct sock * osk)1272 static inline int xfrm_sk_clone_policy(struct sock *sk, const struct sock *osk)
1273 {
1274 if (!sk_fullsock(osk))
1275 return 0;
1276 sk->sk_policy[0] = NULL;
1277 sk->sk_policy[1] = NULL;
1278 if (unlikely(osk->sk_policy[0] || osk->sk_policy[1]))
1279 return __xfrm_sk_clone_policy(sk, osk);
1280 return 0;
1281 }
1282
1283 int xfrm_policy_delete(struct xfrm_policy *pol, int dir);
1284
xfrm_sk_free_policy(struct sock * sk)1285 static inline void xfrm_sk_free_policy(struct sock *sk)
1286 {
1287 struct xfrm_policy *pol;
1288
1289 pol = rcu_dereference_protected(sk->sk_policy[0], 1);
1290 if (unlikely(pol != NULL)) {
1291 xfrm_policy_delete(pol, XFRM_POLICY_MAX);
1292 sk->sk_policy[0] = NULL;
1293 }
1294 pol = rcu_dereference_protected(sk->sk_policy[1], 1);
1295 if (unlikely(pol != NULL)) {
1296 xfrm_policy_delete(pol, XFRM_POLICY_MAX+1);
1297 sk->sk_policy[1] = NULL;
1298 }
1299 }
1300
1301 #else
1302
xfrm_sk_free_policy(struct sock * sk)1303 static inline void xfrm_sk_free_policy(struct sock *sk) {}
xfrm_sk_clone_policy(struct sock * sk,const struct sock * osk)1304 static inline int xfrm_sk_clone_policy(struct sock *sk, const struct sock *osk) { return 0; }
xfrm6_route_forward(struct sk_buff * skb)1305 static inline int xfrm6_route_forward(struct sk_buff *skb) { return 1; }
xfrm4_route_forward(struct sk_buff * skb)1306 static inline int xfrm4_route_forward(struct sk_buff *skb) { return 1; }
xfrm6_policy_check(struct sock * sk,int dir,struct sk_buff * skb)1307 static inline int xfrm6_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
1308 {
1309 return 1;
1310 }
xfrm4_policy_check(struct sock * sk,int dir,struct sk_buff * skb)1311 static inline int xfrm4_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
1312 {
1313 return 1;
1314 }
xfrm_policy_check(struct sock * sk,int dir,struct sk_buff * skb,unsigned short family)1315 static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, unsigned short family)
1316 {
1317 return 1;
1318 }
xfrm_decode_session_reverse(struct sk_buff * skb,struct flowi * fl,unsigned int family)1319 static inline int xfrm_decode_session_reverse(struct sk_buff *skb,
1320 struct flowi *fl,
1321 unsigned int family)
1322 {
1323 return -ENOSYS;
1324 }
xfrm4_policy_check_reverse(struct sock * sk,int dir,struct sk_buff * skb)1325 static inline int xfrm4_policy_check_reverse(struct sock *sk, int dir,
1326 struct sk_buff *skb)
1327 {
1328 return 1;
1329 }
xfrm6_policy_check_reverse(struct sock * sk,int dir,struct sk_buff * skb)1330 static inline int xfrm6_policy_check_reverse(struct sock *sk, int dir,
1331 struct sk_buff *skb)
1332 {
1333 return 1;
1334 }
1335 #endif
1336
1337 static __inline__
xfrm_flowi_daddr(const struct flowi * fl,unsigned short family)1338 xfrm_address_t *xfrm_flowi_daddr(const struct flowi *fl, unsigned short family)
1339 {
1340 switch (family){
1341 case AF_INET:
1342 return (xfrm_address_t *)&fl->u.ip4.daddr;
1343 case AF_INET6:
1344 return (xfrm_address_t *)&fl->u.ip6.daddr;
1345 }
1346 return NULL;
1347 }
1348
1349 static __inline__
xfrm_flowi_saddr(const struct flowi * fl,unsigned short family)1350 xfrm_address_t *xfrm_flowi_saddr(const struct flowi *fl, unsigned short family)
1351 {
1352 switch (family){
1353 case AF_INET:
1354 return (xfrm_address_t *)&fl->u.ip4.saddr;
1355 case AF_INET6:
1356 return (xfrm_address_t *)&fl->u.ip6.saddr;
1357 }
1358 return NULL;
1359 }
1360
1361 static __inline__
xfrm_flowi_addr_get(const struct flowi * fl,xfrm_address_t * saddr,xfrm_address_t * daddr,unsigned short family)1362 void xfrm_flowi_addr_get(const struct flowi *fl,
1363 xfrm_address_t *saddr, xfrm_address_t *daddr,
1364 unsigned short family)
1365 {
1366 switch(family) {
1367 case AF_INET:
1368 memcpy(&saddr->a4, &fl->u.ip4.saddr, sizeof(saddr->a4));
1369 memcpy(&daddr->a4, &fl->u.ip4.daddr, sizeof(daddr->a4));
1370 break;
1371 case AF_INET6:
1372 saddr->in6 = fl->u.ip6.saddr;
1373 daddr->in6 = fl->u.ip6.daddr;
1374 break;
1375 }
1376 }
1377
1378 static __inline__ int
__xfrm4_state_addr_check(const struct xfrm_state * x,const xfrm_address_t * daddr,const xfrm_address_t * saddr)1379 __xfrm4_state_addr_check(const struct xfrm_state *x,
1380 const xfrm_address_t *daddr, const xfrm_address_t *saddr)
1381 {
1382 if (daddr->a4 == x->id.daddr.a4 &&
1383 (saddr->a4 == x->props.saddr.a4 || !saddr->a4 || !x->props.saddr.a4))
1384 return 1;
1385 return 0;
1386 }
1387
1388 static __inline__ int
__xfrm6_state_addr_check(const struct xfrm_state * x,const xfrm_address_t * daddr,const xfrm_address_t * saddr)1389 __xfrm6_state_addr_check(const struct xfrm_state *x,
1390 const xfrm_address_t *daddr, const xfrm_address_t *saddr)
1391 {
1392 if (ipv6_addr_equal((struct in6_addr *)daddr, (struct in6_addr *)&x->id.daddr) &&
1393 (ipv6_addr_equal((struct in6_addr *)saddr, (struct in6_addr *)&x->props.saddr) ||
1394 ipv6_addr_any((struct in6_addr *)saddr) ||
1395 ipv6_addr_any((struct in6_addr *)&x->props.saddr)))
1396 return 1;
1397 return 0;
1398 }
1399
1400 static __inline__ int
xfrm_state_addr_check(const struct xfrm_state * x,const xfrm_address_t * daddr,const xfrm_address_t * saddr,unsigned short family)1401 xfrm_state_addr_check(const struct xfrm_state *x,
1402 const xfrm_address_t *daddr, const xfrm_address_t *saddr,
1403 unsigned short family)
1404 {
1405 switch (family) {
1406 case AF_INET:
1407 return __xfrm4_state_addr_check(x, daddr, saddr);
1408 case AF_INET6:
1409 return __xfrm6_state_addr_check(x, daddr, saddr);
1410 }
1411 return 0;
1412 }
1413
1414 static __inline__ int
xfrm_state_addr_flow_check(const struct xfrm_state * x,const struct flowi * fl,unsigned short family)1415 xfrm_state_addr_flow_check(const struct xfrm_state *x, const struct flowi *fl,
1416 unsigned short family)
1417 {
1418 switch (family) {
1419 case AF_INET:
1420 return __xfrm4_state_addr_check(x,
1421 (const xfrm_address_t *)&fl->u.ip4.daddr,
1422 (const xfrm_address_t *)&fl->u.ip4.saddr);
1423 case AF_INET6:
1424 return __xfrm6_state_addr_check(x,
1425 (const xfrm_address_t *)&fl->u.ip6.daddr,
1426 (const xfrm_address_t *)&fl->u.ip6.saddr);
1427 }
1428 return 0;
1429 }
1430
xfrm_state_kern(const struct xfrm_state * x)1431 static inline int xfrm_state_kern(const struct xfrm_state *x)
1432 {
1433 return atomic_read(&x->tunnel_users);
1434 }
1435
xfrm_id_proto_valid(u8 proto)1436 static inline bool xfrm_id_proto_valid(u8 proto)
1437 {
1438 switch (proto) {
1439 case IPPROTO_AH:
1440 case IPPROTO_ESP:
1441 case IPPROTO_COMP:
1442 #if IS_ENABLED(CONFIG_IPV6)
1443 case IPPROTO_ROUTING:
1444 case IPPROTO_DSTOPTS:
1445 #endif
1446 return true;
1447 default:
1448 return false;
1449 }
1450 }
1451
1452 /* IPSEC_PROTO_ANY only matches 3 IPsec protocols, 0 could match all. */
xfrm_id_proto_match(u8 proto,u8 userproto)1453 static inline int xfrm_id_proto_match(u8 proto, u8 userproto)
1454 {
1455 return (!userproto || proto == userproto ||
1456 (userproto == IPSEC_PROTO_ANY && (proto == IPPROTO_AH ||
1457 proto == IPPROTO_ESP ||
1458 proto == IPPROTO_COMP)));
1459 }
1460
1461 /*
1462 * xfrm algorithm information
1463 */
1464 struct xfrm_algo_aead_info {
1465 char *geniv;
1466 u16 icv_truncbits;
1467 };
1468
1469 struct xfrm_algo_auth_info {
1470 u16 icv_truncbits;
1471 u16 icv_fullbits;
1472 };
1473
1474 struct xfrm_algo_encr_info {
1475 char *geniv;
1476 u16 blockbits;
1477 u16 defkeybits;
1478 };
1479
1480 struct xfrm_algo_comp_info {
1481 u16 threshold;
1482 };
1483
1484 struct xfrm_algo_desc {
1485 char *name;
1486 char *compat;
1487 u8 available:1;
1488 u8 pfkey_supported:1;
1489 union {
1490 struct xfrm_algo_aead_info aead;
1491 struct xfrm_algo_auth_info auth;
1492 struct xfrm_algo_encr_info encr;
1493 struct xfrm_algo_comp_info comp;
1494 } uinfo;
1495 struct sadb_alg desc;
1496 };
1497
1498 /* XFRM protocol handlers. */
1499 struct xfrm4_protocol {
1500 int (*handler)(struct sk_buff *skb);
1501 int (*input_handler)(struct sk_buff *skb, int nexthdr, __be32 spi,
1502 int encap_type);
1503 int (*cb_handler)(struct sk_buff *skb, int err);
1504 int (*err_handler)(struct sk_buff *skb, u32 info);
1505
1506 struct xfrm4_protocol __rcu *next;
1507 int priority;
1508 };
1509
1510 struct xfrm6_protocol {
1511 int (*handler)(struct sk_buff *skb);
1512 int (*input_handler)(struct sk_buff *skb, int nexthdr, __be32 spi,
1513 int encap_type);
1514 int (*cb_handler)(struct sk_buff *skb, int err);
1515 int (*err_handler)(struct sk_buff *skb, struct inet6_skb_parm *opt,
1516 u8 type, u8 code, int offset, __be32 info);
1517
1518 struct xfrm6_protocol __rcu *next;
1519 int priority;
1520 };
1521
1522 /* XFRM tunnel handlers. */
1523 struct xfrm_tunnel {
1524 int (*handler)(struct sk_buff *skb);
1525 int (*cb_handler)(struct sk_buff *skb, int err);
1526 int (*err_handler)(struct sk_buff *skb, u32 info);
1527
1528 struct xfrm_tunnel __rcu *next;
1529 int priority;
1530 };
1531
1532 struct xfrm6_tunnel {
1533 int (*handler)(struct sk_buff *skb);
1534 int (*cb_handler)(struct sk_buff *skb, int err);
1535 int (*err_handler)(struct sk_buff *skb, struct inet6_skb_parm *opt,
1536 u8 type, u8 code, int offset, __be32 info);
1537 struct xfrm6_tunnel __rcu *next;
1538 int priority;
1539 };
1540
1541 void xfrm_init(void);
1542 void xfrm4_init(void);
1543 int xfrm_state_init(struct net *net);
1544 void xfrm_state_fini(struct net *net);
1545 void xfrm4_state_init(void);
1546 void xfrm4_protocol_init(void);
1547 #ifdef CONFIG_XFRM
1548 int xfrm6_init(void);
1549 void xfrm6_fini(void);
1550 int xfrm6_state_init(void);
1551 void xfrm6_state_fini(void);
1552 int xfrm6_protocol_init(void);
1553 void xfrm6_protocol_fini(void);
1554 #else
xfrm6_init(void)1555 static inline int xfrm6_init(void)
1556 {
1557 return 0;
1558 }
xfrm6_fini(void)1559 static inline void xfrm6_fini(void)
1560 {
1561 ;
1562 }
1563 #endif
1564
1565 #ifdef CONFIG_XFRM_STATISTICS
1566 int xfrm_proc_init(struct net *net);
1567 void xfrm_proc_fini(struct net *net);
1568 #endif
1569
1570 int xfrm_sysctl_init(struct net *net);
1571 #ifdef CONFIG_SYSCTL
1572 void xfrm_sysctl_fini(struct net *net);
1573 #else
xfrm_sysctl_fini(struct net * net)1574 static inline void xfrm_sysctl_fini(struct net *net)
1575 {
1576 }
1577 #endif
1578
1579 void xfrm_state_walk_init(struct xfrm_state_walk *walk, u8 proto,
1580 struct xfrm_address_filter *filter);
1581 int xfrm_state_walk(struct net *net, struct xfrm_state_walk *walk,
1582 int (*func)(struct xfrm_state *, int, void*), void *);
1583 void xfrm_state_walk_done(struct xfrm_state_walk *walk, struct net *net);
1584 struct xfrm_state *xfrm_state_alloc(struct net *net);
1585 void xfrm_state_free(struct xfrm_state *x);
1586 struct xfrm_state *xfrm_state_find(const xfrm_address_t *daddr,
1587 const xfrm_address_t *saddr,
1588 const struct flowi *fl,
1589 struct xfrm_tmpl *tmpl,
1590 struct xfrm_policy *pol, int *err,
1591 unsigned short family, u32 if_id);
1592 struct xfrm_state *xfrm_stateonly_find(struct net *net, u32 mark, u32 if_id,
1593 xfrm_address_t *daddr,
1594 xfrm_address_t *saddr,
1595 unsigned short family,
1596 u8 mode, u8 proto, u32 reqid);
1597 struct xfrm_state *xfrm_state_lookup_byspi(struct net *net, __be32 spi,
1598 unsigned short family);
1599 int xfrm_state_check_expire(struct xfrm_state *x);
1600 #ifdef CONFIG_XFRM_OFFLOAD
xfrm_dev_state_update_curlft(struct xfrm_state * x)1601 static inline void xfrm_dev_state_update_curlft(struct xfrm_state *x)
1602 {
1603 struct xfrm_dev_offload *xdo = &x->xso;
1604 struct net_device *dev = READ_ONCE(xdo->dev);
1605
1606 if (x->xso.type != XFRM_DEV_OFFLOAD_PACKET)
1607 return;
1608
1609 if (dev && dev->xfrmdev_ops &&
1610 dev->xfrmdev_ops->xdo_dev_state_update_curlft)
1611 dev->xfrmdev_ops->xdo_dev_state_update_curlft(x);
1612
1613 }
1614 #else
xfrm_dev_state_update_curlft(struct xfrm_state * x)1615 static inline void xfrm_dev_state_update_curlft(struct xfrm_state *x) {}
1616 #endif
1617 void xfrm_state_insert(struct xfrm_state *x);
1618 int xfrm_state_add(struct xfrm_state *x);
1619 int xfrm_state_update(struct xfrm_state *x);
1620 struct xfrm_state *xfrm_state_lookup(struct net *net, u32 mark,
1621 const xfrm_address_t *daddr, __be32 spi,
1622 u8 proto, unsigned short family);
1623 struct xfrm_state *xfrm_state_lookup_byaddr(struct net *net, u32 mark,
1624 const xfrm_address_t *daddr,
1625 const xfrm_address_t *saddr,
1626 u8 proto,
1627 unsigned short family);
1628 #ifdef CONFIG_XFRM_SUB_POLICY
1629 void xfrm_tmpl_sort(struct xfrm_tmpl **dst, struct xfrm_tmpl **src, int n,
1630 unsigned short family);
1631 void xfrm_state_sort(struct xfrm_state **dst, struct xfrm_state **src, int n,
1632 unsigned short family);
1633 #else
xfrm_tmpl_sort(struct xfrm_tmpl ** d,struct xfrm_tmpl ** s,int n,unsigned short family)1634 static inline void xfrm_tmpl_sort(struct xfrm_tmpl **d, struct xfrm_tmpl **s,
1635 int n, unsigned short family)
1636 {
1637 }
1638
xfrm_state_sort(struct xfrm_state ** d,struct xfrm_state ** s,int n,unsigned short family)1639 static inline void xfrm_state_sort(struct xfrm_state **d, struct xfrm_state **s,
1640 int n, unsigned short family)
1641 {
1642 }
1643 #endif
1644
1645 struct xfrmk_sadinfo {
1646 u32 sadhcnt; /* current hash bkts */
1647 u32 sadhmcnt; /* max allowed hash bkts */
1648 u32 sadcnt; /* current running count */
1649 };
1650
1651 struct xfrmk_spdinfo {
1652 u32 incnt;
1653 u32 outcnt;
1654 u32 fwdcnt;
1655 u32 inscnt;
1656 u32 outscnt;
1657 u32 fwdscnt;
1658 u32 spdhcnt;
1659 u32 spdhmcnt;
1660 };
1661
1662 struct xfrm_state *xfrm_find_acq_byseq(struct net *net, u32 mark, u32 seq);
1663 int xfrm_state_delete(struct xfrm_state *x);
1664 int xfrm_state_flush(struct net *net, u8 proto, bool task_valid, bool sync);
1665 int xfrm_dev_state_flush(struct net *net, struct net_device *dev, bool task_valid);
1666 int xfrm_dev_policy_flush(struct net *net, struct net_device *dev,
1667 bool task_valid);
1668 void xfrm_sad_getinfo(struct net *net, struct xfrmk_sadinfo *si);
1669 void xfrm_spd_getinfo(struct net *net, struct xfrmk_spdinfo *si);
1670 u32 xfrm_replay_seqhi(struct xfrm_state *x, __be32 net_seq);
1671 int xfrm_init_replay(struct xfrm_state *x, struct netlink_ext_ack *extack);
1672 u32 xfrm_state_mtu(struct xfrm_state *x, int mtu);
1673 int __xfrm_init_state(struct xfrm_state *x, bool init_replay, bool offload,
1674 struct netlink_ext_ack *extack);
1675 int xfrm_init_state(struct xfrm_state *x);
1676 int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type);
1677 int xfrm_input_resume(struct sk_buff *skb, int nexthdr);
1678 int xfrm_trans_queue_net(struct net *net, struct sk_buff *skb,
1679 int (*finish)(struct net *, struct sock *,
1680 struct sk_buff *));
1681 int xfrm_trans_queue(struct sk_buff *skb,
1682 int (*finish)(struct net *, struct sock *,
1683 struct sk_buff *));
1684 int xfrm_output_resume(struct sock *sk, struct sk_buff *skb, int err);
1685 int xfrm_output(struct sock *sk, struct sk_buff *skb);
1686
1687 #if IS_ENABLED(CONFIG_NET_PKTGEN)
1688 int pktgen_xfrm_outer_mode_output(struct xfrm_state *x, struct sk_buff *skb);
1689 #endif
1690
1691 void xfrm_local_error(struct sk_buff *skb, int mtu);
1692 int xfrm4_extract_input(struct xfrm_state *x, struct sk_buff *skb);
1693 int xfrm4_rcv_encap(struct sk_buff *skb, int nexthdr, __be32 spi,
1694 int encap_type);
1695 int xfrm4_transport_finish(struct sk_buff *skb, int async);
1696 int xfrm4_rcv(struct sk_buff *skb);
1697
xfrm4_rcv_spi(struct sk_buff * skb,int nexthdr,__be32 spi)1698 static inline int xfrm4_rcv_spi(struct sk_buff *skb, int nexthdr, __be32 spi)
1699 {
1700 XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4 = NULL;
1701 XFRM_SPI_SKB_CB(skb)->family = AF_INET;
1702 XFRM_SPI_SKB_CB(skb)->daddroff = offsetof(struct iphdr, daddr);
1703 return xfrm_input(skb, nexthdr, spi, 0);
1704 }
1705
1706 int xfrm4_output(struct net *net, struct sock *sk, struct sk_buff *skb);
1707 int xfrm4_protocol_register(struct xfrm4_protocol *handler, unsigned char protocol);
1708 int xfrm4_protocol_deregister(struct xfrm4_protocol *handler, unsigned char protocol);
1709 int xfrm4_tunnel_register(struct xfrm_tunnel *handler, unsigned short family);
1710 int xfrm4_tunnel_deregister(struct xfrm_tunnel *handler, unsigned short family);
1711 void xfrm4_local_error(struct sk_buff *skb, u32 mtu);
1712 int xfrm6_extract_input(struct xfrm_state *x, struct sk_buff *skb);
1713 int xfrm6_rcv_spi(struct sk_buff *skb, int nexthdr, __be32 spi,
1714 struct ip6_tnl *t);
1715 int xfrm6_rcv_encap(struct sk_buff *skb, int nexthdr, __be32 spi,
1716 int encap_type);
1717 int xfrm6_transport_finish(struct sk_buff *skb, int async);
1718 int xfrm6_rcv_tnl(struct sk_buff *skb, struct ip6_tnl *t);
1719 int xfrm6_rcv(struct sk_buff *skb);
1720 int xfrm6_input_addr(struct sk_buff *skb, xfrm_address_t *daddr,
1721 xfrm_address_t *saddr, u8 proto);
1722 void xfrm6_local_error(struct sk_buff *skb, u32 mtu);
1723 int xfrm6_protocol_register(struct xfrm6_protocol *handler, unsigned char protocol);
1724 int xfrm6_protocol_deregister(struct xfrm6_protocol *handler, unsigned char protocol);
1725 int xfrm6_tunnel_register(struct xfrm6_tunnel *handler, unsigned short family);
1726 int xfrm6_tunnel_deregister(struct xfrm6_tunnel *handler, unsigned short family);
1727 __be32 xfrm6_tunnel_alloc_spi(struct net *net, xfrm_address_t *saddr);
1728 __be32 xfrm6_tunnel_spi_lookup(struct net *net, const xfrm_address_t *saddr);
1729 int xfrm6_output(struct net *net, struct sock *sk, struct sk_buff *skb);
1730
1731 #ifdef CONFIG_XFRM
1732 void xfrm6_local_rxpmtu(struct sk_buff *skb, u32 mtu);
1733 int xfrm4_udp_encap_rcv(struct sock *sk, struct sk_buff *skb);
1734 int xfrm6_udp_encap_rcv(struct sock *sk, struct sk_buff *skb);
1735 int xfrm_user_policy(struct sock *sk, int optname, sockptr_t optval,
1736 int optlen);
1737 #else
xfrm_user_policy(struct sock * sk,int optname,sockptr_t optval,int optlen)1738 static inline int xfrm_user_policy(struct sock *sk, int optname,
1739 sockptr_t optval, int optlen)
1740 {
1741 return -ENOPROTOOPT;
1742 }
1743 #endif
1744
1745 struct dst_entry *__xfrm_dst_lookup(int family, const struct xfrm_dst_lookup_params *params);
1746
1747 struct xfrm_policy *xfrm_policy_alloc(struct net *net, gfp_t gfp);
1748
1749 void xfrm_policy_walk_init(struct xfrm_policy_walk *walk, u8 type);
1750 int xfrm_policy_walk(struct net *net, struct xfrm_policy_walk *walk,
1751 int (*func)(struct xfrm_policy *, int, int, void*),
1752 void *);
1753 void xfrm_policy_walk_done(struct xfrm_policy_walk *walk, struct net *net);
1754 int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl);
1755 struct xfrm_policy *xfrm_policy_bysel_ctx(struct net *net,
1756 const struct xfrm_mark *mark,
1757 u32 if_id, u8 type, int dir,
1758 struct xfrm_selector *sel,
1759 struct xfrm_sec_ctx *ctx, int delete,
1760 int *err);
1761 struct xfrm_policy *xfrm_policy_byid(struct net *net,
1762 const struct xfrm_mark *mark, u32 if_id,
1763 u8 type, int dir, u32 id, int delete,
1764 int *err);
1765 int xfrm_policy_flush(struct net *net, u8 type, bool task_valid);
1766 void xfrm_policy_hash_rebuild(struct net *net);
1767 u32 xfrm_get_acqseq(void);
1768 int verify_spi_info(u8 proto, u32 min, u32 max, struct netlink_ext_ack *extack);
1769 int xfrm_alloc_spi(struct xfrm_state *x, u32 minspi, u32 maxspi,
1770 struct netlink_ext_ack *extack);
1771 struct xfrm_state *xfrm_find_acq(struct net *net, const struct xfrm_mark *mark,
1772 u8 mode, u32 reqid, u32 if_id, u8 proto,
1773 const xfrm_address_t *daddr,
1774 const xfrm_address_t *saddr, int create,
1775 unsigned short family);
1776 int xfrm_sk_policy_insert(struct sock *sk, int dir, struct xfrm_policy *pol);
1777
1778 #ifdef CONFIG_XFRM_MIGRATE
1779 int km_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
1780 const struct xfrm_migrate *m, int num_bundles,
1781 const struct xfrm_kmaddress *k,
1782 const struct xfrm_encap_tmpl *encap);
1783 struct xfrm_state *xfrm_migrate_state_find(struct xfrm_migrate *m, struct net *net,
1784 u32 if_id);
1785 struct xfrm_state *xfrm_state_migrate(struct xfrm_state *x,
1786 struct xfrm_migrate *m,
1787 struct xfrm_encap_tmpl *encap);
1788 int xfrm_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
1789 struct xfrm_migrate *m, int num_bundles,
1790 struct xfrm_kmaddress *k, struct net *net,
1791 struct xfrm_encap_tmpl *encap, u32 if_id,
1792 struct netlink_ext_ack *extack);
1793 #endif
1794
1795 int km_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport);
1796 void km_policy_expired(struct xfrm_policy *pol, int dir, int hard, u32 portid);
1797 int km_report(struct net *net, u8 proto, struct xfrm_selector *sel,
1798 xfrm_address_t *addr);
1799
1800 void xfrm_input_init(void);
1801 int xfrm_parse_spi(struct sk_buff *skb, u8 nexthdr, __be32 *spi, __be32 *seq);
1802
1803 void xfrm_probe_algs(void);
1804 int xfrm_count_pfkey_auth_supported(void);
1805 int xfrm_count_pfkey_enc_supported(void);
1806 struct xfrm_algo_desc *xfrm_aalg_get_byidx(unsigned int idx);
1807 struct xfrm_algo_desc *xfrm_ealg_get_byidx(unsigned int idx);
1808 struct xfrm_algo_desc *xfrm_aalg_get_byid(int alg_id);
1809 struct xfrm_algo_desc *xfrm_ealg_get_byid(int alg_id);
1810 struct xfrm_algo_desc *xfrm_calg_get_byid(int alg_id);
1811 struct xfrm_algo_desc *xfrm_aalg_get_byname(const char *name, int probe);
1812 struct xfrm_algo_desc *xfrm_ealg_get_byname(const char *name, int probe);
1813 struct xfrm_algo_desc *xfrm_calg_get_byname(const char *name, int probe);
1814 struct xfrm_algo_desc *xfrm_aead_get_byname(const char *name, int icv_len,
1815 int probe);
1816
xfrm6_addr_equal(const xfrm_address_t * a,const xfrm_address_t * b)1817 static inline bool xfrm6_addr_equal(const xfrm_address_t *a,
1818 const xfrm_address_t *b)
1819 {
1820 return ipv6_addr_equal((const struct in6_addr *)a,
1821 (const struct in6_addr *)b);
1822 }
1823
xfrm_addr_equal(const xfrm_address_t * a,const xfrm_address_t * b,sa_family_t family)1824 static inline bool xfrm_addr_equal(const xfrm_address_t *a,
1825 const xfrm_address_t *b,
1826 sa_family_t family)
1827 {
1828 switch (family) {
1829 default:
1830 case AF_INET:
1831 return ((__force u32)a->a4 ^ (__force u32)b->a4) == 0;
1832 case AF_INET6:
1833 return xfrm6_addr_equal(a, b);
1834 }
1835 }
1836
xfrm_policy_id2dir(u32 index)1837 static inline int xfrm_policy_id2dir(u32 index)
1838 {
1839 return index & 7;
1840 }
1841
1842 #ifdef CONFIG_XFRM
1843 void xfrm_replay_advance(struct xfrm_state *x, __be32 net_seq);
1844 int xfrm_replay_check(struct xfrm_state *x, struct sk_buff *skb, __be32 net_seq);
1845 void xfrm_replay_notify(struct xfrm_state *x, int event);
1846 int xfrm_replay_overflow(struct xfrm_state *x, struct sk_buff *skb);
1847 int xfrm_replay_recheck(struct xfrm_state *x, struct sk_buff *skb, __be32 net_seq);
1848
xfrm_aevent_is_on(struct net * net)1849 static inline int xfrm_aevent_is_on(struct net *net)
1850 {
1851 struct sock *nlsk;
1852 int ret = 0;
1853
1854 rcu_read_lock();
1855 nlsk = rcu_dereference(net->xfrm.nlsk);
1856 if (nlsk)
1857 ret = netlink_has_listeners(nlsk, XFRMNLGRP_AEVENTS);
1858 rcu_read_unlock();
1859 return ret;
1860 }
1861
xfrm_acquire_is_on(struct net * net)1862 static inline int xfrm_acquire_is_on(struct net *net)
1863 {
1864 struct sock *nlsk;
1865 int ret = 0;
1866
1867 rcu_read_lock();
1868 nlsk = rcu_dereference(net->xfrm.nlsk);
1869 if (nlsk)
1870 ret = netlink_has_listeners(nlsk, XFRMNLGRP_ACQUIRE);
1871 rcu_read_unlock();
1872
1873 return ret;
1874 }
1875 #endif
1876
aead_len(struct xfrm_algo_aead * alg)1877 static inline unsigned int aead_len(struct xfrm_algo_aead *alg)
1878 {
1879 return sizeof(*alg) + ((alg->alg_key_len + 7) / 8);
1880 }
1881
xfrm_alg_len(const struct xfrm_algo * alg)1882 static inline unsigned int xfrm_alg_len(const struct xfrm_algo *alg)
1883 {
1884 return sizeof(*alg) + ((alg->alg_key_len + 7) / 8);
1885 }
1886
xfrm_alg_auth_len(const struct xfrm_algo_auth * alg)1887 static inline unsigned int xfrm_alg_auth_len(const struct xfrm_algo_auth *alg)
1888 {
1889 return sizeof(*alg) + ((alg->alg_key_len + 7) / 8);
1890 }
1891
xfrm_replay_state_esn_len(struct xfrm_replay_state_esn * replay_esn)1892 static inline unsigned int xfrm_replay_state_esn_len(struct xfrm_replay_state_esn *replay_esn)
1893 {
1894 return sizeof(*replay_esn) + replay_esn->bmp_len * sizeof(__u32);
1895 }
1896
1897 #ifdef CONFIG_XFRM_MIGRATE
xfrm_replay_clone(struct xfrm_state * x,struct xfrm_state * orig)1898 static inline int xfrm_replay_clone(struct xfrm_state *x,
1899 struct xfrm_state *orig)
1900 {
1901
1902 x->replay_esn = kmemdup(orig->replay_esn,
1903 xfrm_replay_state_esn_len(orig->replay_esn),
1904 GFP_KERNEL);
1905 if (!x->replay_esn)
1906 return -ENOMEM;
1907 x->preplay_esn = kmemdup(orig->preplay_esn,
1908 xfrm_replay_state_esn_len(orig->preplay_esn),
1909 GFP_KERNEL);
1910 if (!x->preplay_esn)
1911 return -ENOMEM;
1912
1913 return 0;
1914 }
1915
xfrm_algo_aead_clone(struct xfrm_algo_aead * orig)1916 static inline struct xfrm_algo_aead *xfrm_algo_aead_clone(struct xfrm_algo_aead *orig)
1917 {
1918 return kmemdup(orig, aead_len(orig), GFP_KERNEL);
1919 }
1920
1921
xfrm_algo_clone(struct xfrm_algo * orig)1922 static inline struct xfrm_algo *xfrm_algo_clone(struct xfrm_algo *orig)
1923 {
1924 return kmemdup(orig, xfrm_alg_len(orig), GFP_KERNEL);
1925 }
1926
xfrm_algo_auth_clone(struct xfrm_algo_auth * orig)1927 static inline struct xfrm_algo_auth *xfrm_algo_auth_clone(struct xfrm_algo_auth *orig)
1928 {
1929 return kmemdup(orig, xfrm_alg_auth_len(orig), GFP_KERNEL);
1930 }
1931
xfrm_states_put(struct xfrm_state ** states,int n)1932 static inline void xfrm_states_put(struct xfrm_state **states, int n)
1933 {
1934 int i;
1935 for (i = 0; i < n; i++)
1936 xfrm_state_put(*(states + i));
1937 }
1938
xfrm_states_delete(struct xfrm_state ** states,int n)1939 static inline void xfrm_states_delete(struct xfrm_state **states, int n)
1940 {
1941 int i;
1942 for (i = 0; i < n; i++)
1943 xfrm_state_delete(*(states + i));
1944 }
1945 #endif
1946
1947 void __init xfrm_dev_init(void);
1948
1949 #ifdef CONFIG_XFRM_OFFLOAD
1950 void xfrm_dev_resume(struct sk_buff *skb);
1951 void xfrm_dev_backlog(struct softnet_data *sd);
1952 struct sk_buff *validate_xmit_xfrm(struct sk_buff *skb, netdev_features_t features, bool *again);
1953 int xfrm_dev_state_add(struct net *net, struct xfrm_state *x,
1954 struct xfrm_user_offload *xuo,
1955 struct netlink_ext_ack *extack);
1956 int xfrm_dev_policy_add(struct net *net, struct xfrm_policy *xp,
1957 struct xfrm_user_offload *xuo, u8 dir,
1958 struct netlink_ext_ack *extack);
1959 bool xfrm_dev_offload_ok(struct sk_buff *skb, struct xfrm_state *x);
1960 void xfrm_dev_state_delete(struct xfrm_state *x);
1961 void xfrm_dev_state_free(struct xfrm_state *x);
1962
xfrm_dev_state_advance_esn(struct xfrm_state * x)1963 static inline void xfrm_dev_state_advance_esn(struct xfrm_state *x)
1964 {
1965 struct xfrm_dev_offload *xso = &x->xso;
1966 struct net_device *dev = READ_ONCE(xso->dev);
1967
1968 if (dev && dev->xfrmdev_ops->xdo_dev_state_advance_esn)
1969 dev->xfrmdev_ops->xdo_dev_state_advance_esn(x);
1970 }
1971
xfrm_dst_offload_ok(struct dst_entry * dst)1972 static inline bool xfrm_dst_offload_ok(struct dst_entry *dst)
1973 {
1974 struct xfrm_state *x = dst->xfrm;
1975 struct xfrm_dst *xdst;
1976
1977 if (!x || !x->type_offload)
1978 return false;
1979
1980 xdst = (struct xfrm_dst *) dst;
1981 if (!x->xso.offload_handle && !xdst->child->xfrm)
1982 return true;
1983 if (x->xso.offload_handle && (x->xso.dev == xfrm_dst_path(dst)->dev) &&
1984 !xdst->child->xfrm)
1985 return true;
1986
1987 return false;
1988 }
1989
xfrm_dev_policy_delete(struct xfrm_policy * x)1990 static inline void xfrm_dev_policy_delete(struct xfrm_policy *x)
1991 {
1992 struct xfrm_dev_offload *xdo = &x->xdo;
1993 struct net_device *dev = xdo->dev;
1994
1995 if (dev && dev->xfrmdev_ops && dev->xfrmdev_ops->xdo_dev_policy_delete)
1996 dev->xfrmdev_ops->xdo_dev_policy_delete(x);
1997 }
1998
xfrm_dev_policy_free(struct xfrm_policy * x)1999 static inline void xfrm_dev_policy_free(struct xfrm_policy *x)
2000 {
2001 struct xfrm_dev_offload *xdo = &x->xdo;
2002 struct net_device *dev = xdo->dev;
2003
2004 if (dev && dev->xfrmdev_ops) {
2005 if (dev->xfrmdev_ops->xdo_dev_policy_free)
2006 dev->xfrmdev_ops->xdo_dev_policy_free(x);
2007 xdo->dev = NULL;
2008 netdev_put(dev, &xdo->dev_tracker);
2009 }
2010 }
2011 #else
xfrm_dev_resume(struct sk_buff * skb)2012 static inline void xfrm_dev_resume(struct sk_buff *skb)
2013 {
2014 }
2015
xfrm_dev_backlog(struct softnet_data * sd)2016 static inline void xfrm_dev_backlog(struct softnet_data *sd)
2017 {
2018 }
2019
validate_xmit_xfrm(struct sk_buff * skb,netdev_features_t features,bool * again)2020 static inline struct sk_buff *validate_xmit_xfrm(struct sk_buff *skb, netdev_features_t features, bool *again)
2021 {
2022 return skb;
2023 }
2024
xfrm_dev_state_add(struct net * net,struct xfrm_state * x,struct xfrm_user_offload * xuo,struct netlink_ext_ack * extack)2025 static inline int xfrm_dev_state_add(struct net *net, struct xfrm_state *x, struct xfrm_user_offload *xuo, struct netlink_ext_ack *extack)
2026 {
2027 return 0;
2028 }
2029
xfrm_dev_state_delete(struct xfrm_state * x)2030 static inline void xfrm_dev_state_delete(struct xfrm_state *x)
2031 {
2032 }
2033
xfrm_dev_state_free(struct xfrm_state * x)2034 static inline void xfrm_dev_state_free(struct xfrm_state *x)
2035 {
2036 }
2037
xfrm_dev_policy_add(struct net * net,struct xfrm_policy * xp,struct xfrm_user_offload * xuo,u8 dir,struct netlink_ext_ack * extack)2038 static inline int xfrm_dev_policy_add(struct net *net, struct xfrm_policy *xp,
2039 struct xfrm_user_offload *xuo, u8 dir,
2040 struct netlink_ext_ack *extack)
2041 {
2042 return 0;
2043 }
2044
xfrm_dev_policy_delete(struct xfrm_policy * x)2045 static inline void xfrm_dev_policy_delete(struct xfrm_policy *x)
2046 {
2047 }
2048
xfrm_dev_policy_free(struct xfrm_policy * x)2049 static inline void xfrm_dev_policy_free(struct xfrm_policy *x)
2050 {
2051 }
2052
xfrm_dev_offload_ok(struct sk_buff * skb,struct xfrm_state * x)2053 static inline bool xfrm_dev_offload_ok(struct sk_buff *skb, struct xfrm_state *x)
2054 {
2055 return false;
2056 }
2057
xfrm_dev_state_advance_esn(struct xfrm_state * x)2058 static inline void xfrm_dev_state_advance_esn(struct xfrm_state *x)
2059 {
2060 }
2061
xfrm_dst_offload_ok(struct dst_entry * dst)2062 static inline bool xfrm_dst_offload_ok(struct dst_entry *dst)
2063 {
2064 return false;
2065 }
2066 #endif
2067
xfrm_mark_get(struct nlattr ** attrs,struct xfrm_mark * m)2068 static inline int xfrm_mark_get(struct nlattr **attrs, struct xfrm_mark *m)
2069 {
2070 if (attrs[XFRMA_MARK])
2071 memcpy(m, nla_data(attrs[XFRMA_MARK]), sizeof(struct xfrm_mark));
2072 else
2073 m->v = m->m = 0;
2074
2075 return m->v & m->m;
2076 }
2077
xfrm_mark_put(struct sk_buff * skb,const struct xfrm_mark * m)2078 static inline int xfrm_mark_put(struct sk_buff *skb, const struct xfrm_mark *m)
2079 {
2080 int ret = 0;
2081
2082 if (m->m | m->v)
2083 ret = nla_put(skb, XFRMA_MARK, sizeof(struct xfrm_mark), m);
2084 return ret;
2085 }
2086
xfrm_smark_get(__u32 mark,struct xfrm_state * x)2087 static inline __u32 xfrm_smark_get(__u32 mark, struct xfrm_state *x)
2088 {
2089 struct xfrm_mark *m = &x->props.smark;
2090
2091 return (m->v & m->m) | (mark & ~m->m);
2092 }
2093
xfrm_if_id_put(struct sk_buff * skb,__u32 if_id)2094 static inline int xfrm_if_id_put(struct sk_buff *skb, __u32 if_id)
2095 {
2096 int ret = 0;
2097
2098 if (if_id)
2099 ret = nla_put_u32(skb, XFRMA_IF_ID, if_id);
2100 return ret;
2101 }
2102
xfrm_tunnel_check(struct sk_buff * skb,struct xfrm_state * x,unsigned int family)2103 static inline int xfrm_tunnel_check(struct sk_buff *skb, struct xfrm_state *x,
2104 unsigned int family)
2105 {
2106 bool tunnel = false;
2107
2108 switch(family) {
2109 case AF_INET:
2110 if (XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4)
2111 tunnel = true;
2112 break;
2113 case AF_INET6:
2114 if (XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip6)
2115 tunnel = true;
2116 break;
2117 }
2118 if (tunnel && !(x->outer_mode.flags & XFRM_MODE_FLAG_TUNNEL))
2119 return -EINVAL;
2120
2121 return 0;
2122 }
2123
2124 extern const int xfrm_msg_min[XFRM_NR_MSGTYPES];
2125 extern const struct nla_policy xfrma_policy[XFRMA_MAX+1];
2126
2127 struct xfrm_translator {
2128 /* Allocate frag_list and put compat translation there */
2129 int (*alloc_compat)(struct sk_buff *skb, const struct nlmsghdr *src);
2130
2131 /* Allocate nlmsg with 64-bit translaton of received 32-bit message */
2132 struct nlmsghdr *(*rcv_msg_compat)(const struct nlmsghdr *nlh,
2133 int maxtype, const struct nla_policy *policy,
2134 struct netlink_ext_ack *extack);
2135
2136 /* Translate 32-bit user_policy from sockptr */
2137 int (*xlate_user_policy_sockptr)(u8 **pdata32, int optlen);
2138
2139 struct module *owner;
2140 };
2141
2142 #if IS_ENABLED(CONFIG_XFRM_USER_COMPAT)
2143 extern int xfrm_register_translator(struct xfrm_translator *xtr);
2144 extern int xfrm_unregister_translator(struct xfrm_translator *xtr);
2145 extern struct xfrm_translator *xfrm_get_translator(void);
2146 extern void xfrm_put_translator(struct xfrm_translator *xtr);
2147 #else
xfrm_get_translator(void)2148 static inline struct xfrm_translator *xfrm_get_translator(void)
2149 {
2150 return NULL;
2151 }
xfrm_put_translator(struct xfrm_translator * xtr)2152 static inline void xfrm_put_translator(struct xfrm_translator *xtr)
2153 {
2154 }
2155 #endif
2156
2157 #if IS_ENABLED(CONFIG_IPV6)
xfrm6_local_dontfrag(const struct sock * sk)2158 static inline bool xfrm6_local_dontfrag(const struct sock *sk)
2159 {
2160 int proto;
2161
2162 if (!sk || sk->sk_family != AF_INET6)
2163 return false;
2164
2165 proto = sk->sk_protocol;
2166 if (proto == IPPROTO_UDP || proto == IPPROTO_RAW)
2167 return inet6_sk(sk)->dontfrag;
2168
2169 return false;
2170 }
2171 #endif
2172
2173 #if (IS_BUILTIN(CONFIG_XFRM_INTERFACE) && IS_ENABLED(CONFIG_DEBUG_INFO_BTF)) || \
2174 (IS_MODULE(CONFIG_XFRM_INTERFACE) && IS_ENABLED(CONFIG_DEBUG_INFO_BTF_MODULES))
2175
2176 extern struct metadata_dst __percpu *xfrm_bpf_md_dst;
2177
2178 int register_xfrm_interface_bpf(void);
2179
2180 #else
2181
register_xfrm_interface_bpf(void)2182 static inline int register_xfrm_interface_bpf(void)
2183 {
2184 return 0;
2185 }
2186
2187 #endif
2188
2189 #endif /* _NET_XFRM_H */
2190