1 /* 2 * xfrm_policy.c 3 * 4 * Changes: 5 * Mitsuru KANDA @USAGI 6 * Kazunori MIYAZAWA @USAGI 7 * Kunihiro Ishiguro <kunihiro@ipinfusion.com> 8 * IPv6 support 9 * Kazunori MIYAZAWA @USAGI 10 * YOSHIFUJI Hideaki 11 * Split up af-specific portion 12 * Derek Atkins <derek@ihtfp.com> Add the post_input processor 13 * 14 */ 15 16 #include <linux/slab.h> 17 #include <linux/kmod.h> 18 #include <linux/list.h> 19 #include <linux/spinlock.h> 20 #include <linux/workqueue.h> 21 #include <linux/notifier.h> 22 #include <linux/netdevice.h> 23 #include <linux/netfilter.h> 24 #include <linux/module.h> 25 #include <linux/cache.h> 26 #include <net/xfrm.h> 27 #include <net/ip.h> 28 #include <linux/audit.h> 29 30 #include "xfrm_hash.h" 31 32 DEFINE_MUTEX(xfrm_cfg_mutex); 33 EXPORT_SYMBOL(xfrm_cfg_mutex); 34 35 static DEFINE_RWLOCK(xfrm_policy_lock); 36 37 unsigned int xfrm_policy_count[XFRM_POLICY_MAX*2]; 38 EXPORT_SYMBOL(xfrm_policy_count); 39 40 static DEFINE_RWLOCK(xfrm_policy_afinfo_lock); 41 static struct xfrm_policy_afinfo *xfrm_policy_afinfo[NPROTO]; 42 43 static struct kmem_cache *xfrm_dst_cache __read_mostly; 44 45 static struct work_struct xfrm_policy_gc_work; 46 static HLIST_HEAD(xfrm_policy_gc_list); 47 static DEFINE_SPINLOCK(xfrm_policy_gc_lock); 48 49 static struct xfrm_policy_afinfo *xfrm_policy_get_afinfo(unsigned short family); 50 static void xfrm_policy_put_afinfo(struct xfrm_policy_afinfo *afinfo); 51 static struct xfrm_policy_afinfo *xfrm_policy_lock_afinfo(unsigned int family); 52 static void xfrm_policy_unlock_afinfo(struct xfrm_policy_afinfo *afinfo); 53 54 static inline int 55 __xfrm4_selector_match(struct xfrm_selector *sel, struct flowi *fl) 56 { 57 return addr_match(&fl->fl4_dst, &sel->daddr, sel->prefixlen_d) && 58 addr_match(&fl->fl4_src, &sel->saddr, sel->prefixlen_s) && 59 !((xfrm_flowi_dport(fl) ^ sel->dport) & sel->dport_mask) && 60 !((xfrm_flowi_sport(fl) ^ sel->sport) & sel->sport_mask) && 61 (fl->proto == sel->proto || !sel->proto) && 62 (fl->oif == sel->ifindex || !sel->ifindex); 63 } 64 65 static inline int 66 __xfrm6_selector_match(struct xfrm_selector *sel, struct flowi *fl) 67 { 68 return addr_match(&fl->fl6_dst, &sel->daddr, sel->prefixlen_d) && 69 addr_match(&fl->fl6_src, &sel->saddr, sel->prefixlen_s) && 70 !((xfrm_flowi_dport(fl) ^ sel->dport) & sel->dport_mask) && 71 !((xfrm_flowi_sport(fl) ^ sel->sport) & sel->sport_mask) && 72 (fl->proto == sel->proto || !sel->proto) && 73 (fl->oif == sel->ifindex || !sel->ifindex); 74 } 75 76 int xfrm_selector_match(struct xfrm_selector *sel, struct flowi *fl, 77 unsigned short family) 78 { 79 switch (family) { 80 case AF_INET: 81 return __xfrm4_selector_match(sel, fl); 82 case AF_INET6: 83 return __xfrm6_selector_match(sel, fl); 84 } 85 return 0; 86 } 87 88 int xfrm_register_type(struct xfrm_type *type, unsigned short family) 89 { 90 struct xfrm_policy_afinfo *afinfo = xfrm_policy_lock_afinfo(family); 91 struct xfrm_type **typemap; 92 int err = 0; 93 94 if (unlikely(afinfo == NULL)) 95 return -EAFNOSUPPORT; 96 typemap = afinfo->type_map; 97 98 if (likely(typemap[type->proto] == NULL)) 99 typemap[type->proto] = type; 100 else 101 err = -EEXIST; 102 xfrm_policy_unlock_afinfo(afinfo); 103 return err; 104 } 105 EXPORT_SYMBOL(xfrm_register_type); 106 107 int xfrm_unregister_type(struct xfrm_type *type, unsigned short family) 108 { 109 struct xfrm_policy_afinfo *afinfo = xfrm_policy_lock_afinfo(family); 110 struct xfrm_type **typemap; 111 int err = 0; 112 113 if (unlikely(afinfo == NULL)) 114 return -EAFNOSUPPORT; 115 typemap = afinfo->type_map; 116 117 if (unlikely(typemap[type->proto] != type)) 118 err = -ENOENT; 119 else 120 typemap[type->proto] = NULL; 121 xfrm_policy_unlock_afinfo(afinfo); 122 return err; 123 } 124 EXPORT_SYMBOL(xfrm_unregister_type); 125 126 struct xfrm_type *xfrm_get_type(u8 proto, unsigned short family) 127 { 128 struct xfrm_policy_afinfo *afinfo; 129 struct xfrm_type **typemap; 130 struct xfrm_type *type; 131 int modload_attempted = 0; 132 133 retry: 134 afinfo = xfrm_policy_get_afinfo(family); 135 if (unlikely(afinfo == NULL)) 136 return NULL; 137 typemap = afinfo->type_map; 138 139 type = typemap[proto]; 140 if (unlikely(type && !try_module_get(type->owner))) 141 type = NULL; 142 if (!type && !modload_attempted) { 143 xfrm_policy_put_afinfo(afinfo); 144 request_module("xfrm-type-%d-%d", 145 (int) family, (int) proto); 146 modload_attempted = 1; 147 goto retry; 148 } 149 150 xfrm_policy_put_afinfo(afinfo); 151 return type; 152 } 153 154 int xfrm_dst_lookup(struct xfrm_dst **dst, struct flowi *fl, 155 unsigned short family) 156 { 157 struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family); 158 int err = 0; 159 160 if (unlikely(afinfo == NULL)) 161 return -EAFNOSUPPORT; 162 163 if (likely(afinfo->dst_lookup != NULL)) 164 err = afinfo->dst_lookup(dst, fl); 165 else 166 err = -EINVAL; 167 xfrm_policy_put_afinfo(afinfo); 168 return err; 169 } 170 EXPORT_SYMBOL(xfrm_dst_lookup); 171 172 void xfrm_put_type(struct xfrm_type *type) 173 { 174 module_put(type->owner); 175 } 176 177 int xfrm_register_mode(struct xfrm_mode *mode, int family) 178 { 179 struct xfrm_policy_afinfo *afinfo; 180 struct xfrm_mode **modemap; 181 int err; 182 183 if (unlikely(mode->encap >= XFRM_MODE_MAX)) 184 return -EINVAL; 185 186 afinfo = xfrm_policy_lock_afinfo(family); 187 if (unlikely(afinfo == NULL)) 188 return -EAFNOSUPPORT; 189 190 err = -EEXIST; 191 modemap = afinfo->mode_map; 192 if (likely(modemap[mode->encap] == NULL)) { 193 modemap[mode->encap] = mode; 194 err = 0; 195 } 196 197 xfrm_policy_unlock_afinfo(afinfo); 198 return err; 199 } 200 EXPORT_SYMBOL(xfrm_register_mode); 201 202 int xfrm_unregister_mode(struct xfrm_mode *mode, int family) 203 { 204 struct xfrm_policy_afinfo *afinfo; 205 struct xfrm_mode **modemap; 206 int err; 207 208 if (unlikely(mode->encap >= XFRM_MODE_MAX)) 209 return -EINVAL; 210 211 afinfo = xfrm_policy_lock_afinfo(family); 212 if (unlikely(afinfo == NULL)) 213 return -EAFNOSUPPORT; 214 215 err = -ENOENT; 216 modemap = afinfo->mode_map; 217 if (likely(modemap[mode->encap] == mode)) { 218 modemap[mode->encap] = NULL; 219 err = 0; 220 } 221 222 xfrm_policy_unlock_afinfo(afinfo); 223 return err; 224 } 225 EXPORT_SYMBOL(xfrm_unregister_mode); 226 227 struct xfrm_mode *xfrm_get_mode(unsigned int encap, int family) 228 { 229 struct xfrm_policy_afinfo *afinfo; 230 struct xfrm_mode *mode; 231 int modload_attempted = 0; 232 233 if (unlikely(encap >= XFRM_MODE_MAX)) 234 return NULL; 235 236 retry: 237 afinfo = xfrm_policy_get_afinfo(family); 238 if (unlikely(afinfo == NULL)) 239 return NULL; 240 241 mode = afinfo->mode_map[encap]; 242 if (unlikely(mode && !try_module_get(mode->owner))) 243 mode = NULL; 244 if (!mode && !modload_attempted) { 245 xfrm_policy_put_afinfo(afinfo); 246 request_module("xfrm-mode-%d-%d", family, encap); 247 modload_attempted = 1; 248 goto retry; 249 } 250 251 xfrm_policy_put_afinfo(afinfo); 252 return mode; 253 } 254 255 void xfrm_put_mode(struct xfrm_mode *mode) 256 { 257 module_put(mode->owner); 258 } 259 260 static inline unsigned long make_jiffies(long secs) 261 { 262 if (secs >= (MAX_SCHEDULE_TIMEOUT-1)/HZ) 263 return MAX_SCHEDULE_TIMEOUT-1; 264 else 265 return secs*HZ; 266 } 267 268 static void xfrm_policy_timer(unsigned long data) 269 { 270 struct xfrm_policy *xp = (struct xfrm_policy*)data; 271 unsigned long now = get_seconds(); 272 long next = LONG_MAX; 273 int warn = 0; 274 int dir; 275 276 read_lock(&xp->lock); 277 278 if (xp->dead) 279 goto out; 280 281 dir = xfrm_policy_id2dir(xp->index); 282 283 if (xp->lft.hard_add_expires_seconds) { 284 long tmo = xp->lft.hard_add_expires_seconds + 285 xp->curlft.add_time - now; 286 if (tmo <= 0) 287 goto expired; 288 if (tmo < next) 289 next = tmo; 290 } 291 if (xp->lft.hard_use_expires_seconds) { 292 long tmo = xp->lft.hard_use_expires_seconds + 293 (xp->curlft.use_time ? : xp->curlft.add_time) - now; 294 if (tmo <= 0) 295 goto expired; 296 if (tmo < next) 297 next = tmo; 298 } 299 if (xp->lft.soft_add_expires_seconds) { 300 long tmo = xp->lft.soft_add_expires_seconds + 301 xp->curlft.add_time - now; 302 if (tmo <= 0) { 303 warn = 1; 304 tmo = XFRM_KM_TIMEOUT; 305 } 306 if (tmo < next) 307 next = tmo; 308 } 309 if (xp->lft.soft_use_expires_seconds) { 310 long tmo = xp->lft.soft_use_expires_seconds + 311 (xp->curlft.use_time ? : xp->curlft.add_time) - now; 312 if (tmo <= 0) { 313 warn = 1; 314 tmo = XFRM_KM_TIMEOUT; 315 } 316 if (tmo < next) 317 next = tmo; 318 } 319 320 if (warn) 321 km_policy_expired(xp, dir, 0, 0); 322 if (next != LONG_MAX && 323 !mod_timer(&xp->timer, jiffies + make_jiffies(next))) 324 xfrm_pol_hold(xp); 325 326 out: 327 read_unlock(&xp->lock); 328 xfrm_pol_put(xp); 329 return; 330 331 expired: 332 read_unlock(&xp->lock); 333 if (!xfrm_policy_delete(xp, dir)) 334 km_policy_expired(xp, dir, 1, 0); 335 xfrm_pol_put(xp); 336 } 337 338 339 /* Allocate xfrm_policy. Not used here, it is supposed to be used by pfkeyv2 340 * SPD calls. 341 */ 342 343 struct xfrm_policy *xfrm_policy_alloc(gfp_t gfp) 344 { 345 struct xfrm_policy *policy; 346 347 policy = kzalloc(sizeof(struct xfrm_policy), gfp); 348 349 if (policy) { 350 INIT_HLIST_NODE(&policy->bydst); 351 INIT_HLIST_NODE(&policy->byidx); 352 rwlock_init(&policy->lock); 353 atomic_set(&policy->refcnt, 1); 354 init_timer(&policy->timer); 355 policy->timer.data = (unsigned long)policy; 356 policy->timer.function = xfrm_policy_timer; 357 } 358 return policy; 359 } 360 EXPORT_SYMBOL(xfrm_policy_alloc); 361 362 /* Destroy xfrm_policy: descendant resources must be released to this moment. */ 363 364 void __xfrm_policy_destroy(struct xfrm_policy *policy) 365 { 366 BUG_ON(!policy->dead); 367 368 BUG_ON(policy->bundles); 369 370 if (del_timer(&policy->timer)) 371 BUG(); 372 373 security_xfrm_policy_free(policy); 374 kfree(policy); 375 } 376 EXPORT_SYMBOL(__xfrm_policy_destroy); 377 378 static void xfrm_policy_gc_kill(struct xfrm_policy *policy) 379 { 380 struct dst_entry *dst; 381 382 while ((dst = policy->bundles) != NULL) { 383 policy->bundles = dst->next; 384 dst_free(dst); 385 } 386 387 if (del_timer(&policy->timer)) 388 atomic_dec(&policy->refcnt); 389 390 if (atomic_read(&policy->refcnt) > 1) 391 flow_cache_flush(); 392 393 xfrm_pol_put(policy); 394 } 395 396 static void xfrm_policy_gc_task(struct work_struct *work) 397 { 398 struct xfrm_policy *policy; 399 struct hlist_node *entry, *tmp; 400 struct hlist_head gc_list; 401 402 spin_lock_bh(&xfrm_policy_gc_lock); 403 gc_list.first = xfrm_policy_gc_list.first; 404 INIT_HLIST_HEAD(&xfrm_policy_gc_list); 405 spin_unlock_bh(&xfrm_policy_gc_lock); 406 407 hlist_for_each_entry_safe(policy, entry, tmp, &gc_list, bydst) 408 xfrm_policy_gc_kill(policy); 409 } 410 411 /* Rule must be locked. Release descentant resources, announce 412 * entry dead. The rule must be unlinked from lists to the moment. 413 */ 414 415 static void xfrm_policy_kill(struct xfrm_policy *policy) 416 { 417 int dead; 418 419 write_lock_bh(&policy->lock); 420 dead = policy->dead; 421 policy->dead = 1; 422 write_unlock_bh(&policy->lock); 423 424 if (unlikely(dead)) { 425 WARN_ON(1); 426 return; 427 } 428 429 spin_lock(&xfrm_policy_gc_lock); 430 hlist_add_head(&policy->bydst, &xfrm_policy_gc_list); 431 spin_unlock(&xfrm_policy_gc_lock); 432 433 schedule_work(&xfrm_policy_gc_work); 434 } 435 436 struct xfrm_policy_hash { 437 struct hlist_head *table; 438 unsigned int hmask; 439 }; 440 441 static struct hlist_head xfrm_policy_inexact[XFRM_POLICY_MAX*2]; 442 static struct xfrm_policy_hash xfrm_policy_bydst[XFRM_POLICY_MAX*2] __read_mostly; 443 static struct hlist_head *xfrm_policy_byidx __read_mostly; 444 static unsigned int xfrm_idx_hmask __read_mostly; 445 static unsigned int xfrm_policy_hashmax __read_mostly = 1 * 1024 * 1024; 446 447 static inline unsigned int idx_hash(u32 index) 448 { 449 return __idx_hash(index, xfrm_idx_hmask); 450 } 451 452 static struct hlist_head *policy_hash_bysel(struct xfrm_selector *sel, unsigned short family, int dir) 453 { 454 unsigned int hmask = xfrm_policy_bydst[dir].hmask; 455 unsigned int hash = __sel_hash(sel, family, hmask); 456 457 return (hash == hmask + 1 ? 458 &xfrm_policy_inexact[dir] : 459 xfrm_policy_bydst[dir].table + hash); 460 } 461 462 static struct hlist_head *policy_hash_direct(xfrm_address_t *daddr, xfrm_address_t *saddr, unsigned short family, int dir) 463 { 464 unsigned int hmask = xfrm_policy_bydst[dir].hmask; 465 unsigned int hash = __addr_hash(daddr, saddr, family, hmask); 466 467 return xfrm_policy_bydst[dir].table + hash; 468 } 469 470 static void xfrm_dst_hash_transfer(struct hlist_head *list, 471 struct hlist_head *ndsttable, 472 unsigned int nhashmask) 473 { 474 struct hlist_node *entry, *tmp; 475 struct xfrm_policy *pol; 476 477 hlist_for_each_entry_safe(pol, entry, tmp, list, bydst) { 478 unsigned int h; 479 480 h = __addr_hash(&pol->selector.daddr, &pol->selector.saddr, 481 pol->family, nhashmask); 482 hlist_add_head(&pol->bydst, ndsttable+h); 483 } 484 } 485 486 static void xfrm_idx_hash_transfer(struct hlist_head *list, 487 struct hlist_head *nidxtable, 488 unsigned int nhashmask) 489 { 490 struct hlist_node *entry, *tmp; 491 struct xfrm_policy *pol; 492 493 hlist_for_each_entry_safe(pol, entry, tmp, list, byidx) { 494 unsigned int h; 495 496 h = __idx_hash(pol->index, nhashmask); 497 hlist_add_head(&pol->byidx, nidxtable+h); 498 } 499 } 500 501 static unsigned long xfrm_new_hash_mask(unsigned int old_hmask) 502 { 503 return ((old_hmask + 1) << 1) - 1; 504 } 505 506 static void xfrm_bydst_resize(int dir) 507 { 508 unsigned int hmask = xfrm_policy_bydst[dir].hmask; 509 unsigned int nhashmask = xfrm_new_hash_mask(hmask); 510 unsigned int nsize = (nhashmask + 1) * sizeof(struct hlist_head); 511 struct hlist_head *odst = xfrm_policy_bydst[dir].table; 512 struct hlist_head *ndst = xfrm_hash_alloc(nsize); 513 int i; 514 515 if (!ndst) 516 return; 517 518 write_lock_bh(&xfrm_policy_lock); 519 520 for (i = hmask; i >= 0; i--) 521 xfrm_dst_hash_transfer(odst + i, ndst, nhashmask); 522 523 xfrm_policy_bydst[dir].table = ndst; 524 xfrm_policy_bydst[dir].hmask = nhashmask; 525 526 write_unlock_bh(&xfrm_policy_lock); 527 528 xfrm_hash_free(odst, (hmask + 1) * sizeof(struct hlist_head)); 529 } 530 531 static void xfrm_byidx_resize(int total) 532 { 533 unsigned int hmask = xfrm_idx_hmask; 534 unsigned int nhashmask = xfrm_new_hash_mask(hmask); 535 unsigned int nsize = (nhashmask + 1) * sizeof(struct hlist_head); 536 struct hlist_head *oidx = xfrm_policy_byidx; 537 struct hlist_head *nidx = xfrm_hash_alloc(nsize); 538 int i; 539 540 if (!nidx) 541 return; 542 543 write_lock_bh(&xfrm_policy_lock); 544 545 for (i = hmask; i >= 0; i--) 546 xfrm_idx_hash_transfer(oidx + i, nidx, nhashmask); 547 548 xfrm_policy_byidx = nidx; 549 xfrm_idx_hmask = nhashmask; 550 551 write_unlock_bh(&xfrm_policy_lock); 552 553 xfrm_hash_free(oidx, (hmask + 1) * sizeof(struct hlist_head)); 554 } 555 556 static inline int xfrm_bydst_should_resize(int dir, int *total) 557 { 558 unsigned int cnt = xfrm_policy_count[dir]; 559 unsigned int hmask = xfrm_policy_bydst[dir].hmask; 560 561 if (total) 562 *total += cnt; 563 564 if ((hmask + 1) < xfrm_policy_hashmax && 565 cnt > hmask) 566 return 1; 567 568 return 0; 569 } 570 571 static inline int xfrm_byidx_should_resize(int total) 572 { 573 unsigned int hmask = xfrm_idx_hmask; 574 575 if ((hmask + 1) < xfrm_policy_hashmax && 576 total > hmask) 577 return 1; 578 579 return 0; 580 } 581 582 void xfrm_spd_getinfo(struct xfrmk_spdinfo *si) 583 { 584 read_lock_bh(&xfrm_policy_lock); 585 si->incnt = xfrm_policy_count[XFRM_POLICY_IN]; 586 si->outcnt = xfrm_policy_count[XFRM_POLICY_OUT]; 587 si->fwdcnt = xfrm_policy_count[XFRM_POLICY_FWD]; 588 si->inscnt = xfrm_policy_count[XFRM_POLICY_IN+XFRM_POLICY_MAX]; 589 si->outscnt = xfrm_policy_count[XFRM_POLICY_OUT+XFRM_POLICY_MAX]; 590 si->fwdscnt = xfrm_policy_count[XFRM_POLICY_FWD+XFRM_POLICY_MAX]; 591 si->spdhcnt = xfrm_idx_hmask; 592 si->spdhmcnt = xfrm_policy_hashmax; 593 read_unlock_bh(&xfrm_policy_lock); 594 } 595 EXPORT_SYMBOL(xfrm_spd_getinfo); 596 597 static DEFINE_MUTEX(hash_resize_mutex); 598 static void xfrm_hash_resize(struct work_struct *__unused) 599 { 600 int dir, total; 601 602 mutex_lock(&hash_resize_mutex); 603 604 total = 0; 605 for (dir = 0; dir < XFRM_POLICY_MAX * 2; dir++) { 606 if (xfrm_bydst_should_resize(dir, &total)) 607 xfrm_bydst_resize(dir); 608 } 609 if (xfrm_byidx_should_resize(total)) 610 xfrm_byidx_resize(total); 611 612 mutex_unlock(&hash_resize_mutex); 613 } 614 615 static DECLARE_WORK(xfrm_hash_work, xfrm_hash_resize); 616 617 /* Generate new index... KAME seems to generate them ordered by cost 618 * of an absolute inpredictability of ordering of rules. This will not pass. */ 619 static u32 xfrm_gen_index(u8 type, int dir) 620 { 621 static u32 idx_generator; 622 623 for (;;) { 624 struct hlist_node *entry; 625 struct hlist_head *list; 626 struct xfrm_policy *p; 627 u32 idx; 628 int found; 629 630 idx = (idx_generator | dir); 631 idx_generator += 8; 632 if (idx == 0) 633 idx = 8; 634 list = xfrm_policy_byidx + idx_hash(idx); 635 found = 0; 636 hlist_for_each_entry(p, entry, list, byidx) { 637 if (p->index == idx) { 638 found = 1; 639 break; 640 } 641 } 642 if (!found) 643 return idx; 644 } 645 } 646 647 static inline int selector_cmp(struct xfrm_selector *s1, struct xfrm_selector *s2) 648 { 649 u32 *p1 = (u32 *) s1; 650 u32 *p2 = (u32 *) s2; 651 int len = sizeof(struct xfrm_selector) / sizeof(u32); 652 int i; 653 654 for (i = 0; i < len; i++) { 655 if (p1[i] != p2[i]) 656 return 1; 657 } 658 659 return 0; 660 } 661 662 int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl) 663 { 664 struct xfrm_policy *pol; 665 struct xfrm_policy *delpol; 666 struct hlist_head *chain; 667 struct hlist_node *entry, *newpos; 668 struct dst_entry *gc_list; 669 670 write_lock_bh(&xfrm_policy_lock); 671 chain = policy_hash_bysel(&policy->selector, policy->family, dir); 672 delpol = NULL; 673 newpos = NULL; 674 hlist_for_each_entry(pol, entry, chain, bydst) { 675 if (pol->type == policy->type && 676 !selector_cmp(&pol->selector, &policy->selector) && 677 xfrm_sec_ctx_match(pol->security, policy->security) && 678 !WARN_ON(delpol)) { 679 if (excl) { 680 write_unlock_bh(&xfrm_policy_lock); 681 return -EEXIST; 682 } 683 delpol = pol; 684 if (policy->priority > pol->priority) 685 continue; 686 } else if (policy->priority >= pol->priority) { 687 newpos = &pol->bydst; 688 continue; 689 } 690 if (delpol) 691 break; 692 } 693 if (newpos) 694 hlist_add_after(newpos, &policy->bydst); 695 else 696 hlist_add_head(&policy->bydst, chain); 697 xfrm_pol_hold(policy); 698 xfrm_policy_count[dir]++; 699 atomic_inc(&flow_cache_genid); 700 if (delpol) { 701 hlist_del(&delpol->bydst); 702 hlist_del(&delpol->byidx); 703 xfrm_policy_count[dir]--; 704 } 705 policy->index = delpol ? delpol->index : xfrm_gen_index(policy->type, dir); 706 hlist_add_head(&policy->byidx, xfrm_policy_byidx+idx_hash(policy->index)); 707 policy->curlft.add_time = get_seconds(); 708 policy->curlft.use_time = 0; 709 if (!mod_timer(&policy->timer, jiffies + HZ)) 710 xfrm_pol_hold(policy); 711 write_unlock_bh(&xfrm_policy_lock); 712 713 if (delpol) 714 xfrm_policy_kill(delpol); 715 else if (xfrm_bydst_should_resize(dir, NULL)) 716 schedule_work(&xfrm_hash_work); 717 718 read_lock_bh(&xfrm_policy_lock); 719 gc_list = NULL; 720 entry = &policy->bydst; 721 hlist_for_each_entry_continue(policy, entry, bydst) { 722 struct dst_entry *dst; 723 724 write_lock(&policy->lock); 725 dst = policy->bundles; 726 if (dst) { 727 struct dst_entry *tail = dst; 728 while (tail->next) 729 tail = tail->next; 730 tail->next = gc_list; 731 gc_list = dst; 732 733 policy->bundles = NULL; 734 } 735 write_unlock(&policy->lock); 736 } 737 read_unlock_bh(&xfrm_policy_lock); 738 739 while (gc_list) { 740 struct dst_entry *dst = gc_list; 741 742 gc_list = dst->next; 743 dst_free(dst); 744 } 745 746 return 0; 747 } 748 EXPORT_SYMBOL(xfrm_policy_insert); 749 750 struct xfrm_policy *xfrm_policy_bysel_ctx(u8 type, int dir, 751 struct xfrm_selector *sel, 752 struct xfrm_sec_ctx *ctx, int delete, 753 int *err) 754 { 755 struct xfrm_policy *pol, *ret; 756 struct hlist_head *chain; 757 struct hlist_node *entry; 758 759 *err = 0; 760 write_lock_bh(&xfrm_policy_lock); 761 chain = policy_hash_bysel(sel, sel->family, dir); 762 ret = NULL; 763 hlist_for_each_entry(pol, entry, chain, bydst) { 764 if (pol->type == type && 765 !selector_cmp(sel, &pol->selector) && 766 xfrm_sec_ctx_match(ctx, pol->security)) { 767 xfrm_pol_hold(pol); 768 if (delete) { 769 *err = security_xfrm_policy_delete(pol); 770 if (*err) { 771 write_unlock_bh(&xfrm_policy_lock); 772 return pol; 773 } 774 hlist_del(&pol->bydst); 775 hlist_del(&pol->byidx); 776 xfrm_policy_count[dir]--; 777 } 778 ret = pol; 779 break; 780 } 781 } 782 write_unlock_bh(&xfrm_policy_lock); 783 784 if (ret && delete) { 785 atomic_inc(&flow_cache_genid); 786 xfrm_policy_kill(ret); 787 } 788 return ret; 789 } 790 EXPORT_SYMBOL(xfrm_policy_bysel_ctx); 791 792 struct xfrm_policy *xfrm_policy_byid(u8 type, int dir, u32 id, int delete, 793 int *err) 794 { 795 struct xfrm_policy *pol, *ret; 796 struct hlist_head *chain; 797 struct hlist_node *entry; 798 799 *err = 0; 800 write_lock_bh(&xfrm_policy_lock); 801 chain = xfrm_policy_byidx + idx_hash(id); 802 ret = NULL; 803 hlist_for_each_entry(pol, entry, chain, byidx) { 804 if (pol->type == type && pol->index == id) { 805 xfrm_pol_hold(pol); 806 if (delete) { 807 *err = security_xfrm_policy_delete(pol); 808 if (*err) { 809 write_unlock_bh(&xfrm_policy_lock); 810 return pol; 811 } 812 hlist_del(&pol->bydst); 813 hlist_del(&pol->byidx); 814 xfrm_policy_count[dir]--; 815 } 816 ret = pol; 817 break; 818 } 819 } 820 write_unlock_bh(&xfrm_policy_lock); 821 822 if (ret && delete) { 823 atomic_inc(&flow_cache_genid); 824 xfrm_policy_kill(ret); 825 } 826 return ret; 827 } 828 EXPORT_SYMBOL(xfrm_policy_byid); 829 830 void xfrm_policy_flush(u8 type, struct xfrm_audit *audit_info) 831 { 832 int dir; 833 834 write_lock_bh(&xfrm_policy_lock); 835 for (dir = 0; dir < XFRM_POLICY_MAX; dir++) { 836 struct xfrm_policy *pol; 837 struct hlist_node *entry; 838 int i, killed; 839 840 killed = 0; 841 again1: 842 hlist_for_each_entry(pol, entry, 843 &xfrm_policy_inexact[dir], bydst) { 844 if (pol->type != type) 845 continue; 846 hlist_del(&pol->bydst); 847 hlist_del(&pol->byidx); 848 write_unlock_bh(&xfrm_policy_lock); 849 850 xfrm_audit_log(audit_info->loginuid, audit_info->secid, 851 AUDIT_MAC_IPSEC_DELSPD, 1, pol, NULL); 852 853 xfrm_policy_kill(pol); 854 killed++; 855 856 write_lock_bh(&xfrm_policy_lock); 857 goto again1; 858 } 859 860 for (i = xfrm_policy_bydst[dir].hmask; i >= 0; i--) { 861 again2: 862 hlist_for_each_entry(pol, entry, 863 xfrm_policy_bydst[dir].table + i, 864 bydst) { 865 if (pol->type != type) 866 continue; 867 hlist_del(&pol->bydst); 868 hlist_del(&pol->byidx); 869 write_unlock_bh(&xfrm_policy_lock); 870 871 xfrm_audit_log(audit_info->loginuid, 872 audit_info->secid, 873 AUDIT_MAC_IPSEC_DELSPD, 1, 874 pol, NULL); 875 876 xfrm_policy_kill(pol); 877 killed++; 878 879 write_lock_bh(&xfrm_policy_lock); 880 goto again2; 881 } 882 } 883 884 xfrm_policy_count[dir] -= killed; 885 } 886 atomic_inc(&flow_cache_genid); 887 write_unlock_bh(&xfrm_policy_lock); 888 } 889 EXPORT_SYMBOL(xfrm_policy_flush); 890 891 int xfrm_policy_walk(u8 type, int (*func)(struct xfrm_policy *, int, int, void*), 892 void *data) 893 { 894 struct xfrm_policy *pol, *last = NULL; 895 struct hlist_node *entry; 896 int dir, last_dir = 0, count, error; 897 898 read_lock_bh(&xfrm_policy_lock); 899 count = 0; 900 901 for (dir = 0; dir < 2*XFRM_POLICY_MAX; dir++) { 902 struct hlist_head *table = xfrm_policy_bydst[dir].table; 903 int i; 904 905 hlist_for_each_entry(pol, entry, 906 &xfrm_policy_inexact[dir], bydst) { 907 if (pol->type != type) 908 continue; 909 if (last) { 910 error = func(last, last_dir % XFRM_POLICY_MAX, 911 count, data); 912 if (error) 913 goto out; 914 } 915 last = pol; 916 last_dir = dir; 917 count++; 918 } 919 for (i = xfrm_policy_bydst[dir].hmask; i >= 0; i--) { 920 hlist_for_each_entry(pol, entry, table + i, bydst) { 921 if (pol->type != type) 922 continue; 923 if (last) { 924 error = func(last, last_dir % XFRM_POLICY_MAX, 925 count, data); 926 if (error) 927 goto out; 928 } 929 last = pol; 930 last_dir = dir; 931 count++; 932 } 933 } 934 } 935 if (count == 0) { 936 error = -ENOENT; 937 goto out; 938 } 939 error = func(last, last_dir % XFRM_POLICY_MAX, 0, data); 940 out: 941 read_unlock_bh(&xfrm_policy_lock); 942 return error; 943 } 944 EXPORT_SYMBOL(xfrm_policy_walk); 945 946 /* 947 * Find policy to apply to this flow. 948 * 949 * Returns 0 if policy found, else an -errno. 950 */ 951 static int xfrm_policy_match(struct xfrm_policy *pol, struct flowi *fl, 952 u8 type, u16 family, int dir) 953 { 954 struct xfrm_selector *sel = &pol->selector; 955 int match, ret = -ESRCH; 956 957 if (pol->family != family || 958 pol->type != type) 959 return ret; 960 961 match = xfrm_selector_match(sel, fl, family); 962 if (match) 963 ret = security_xfrm_policy_lookup(pol, fl->secid, dir); 964 965 return ret; 966 } 967 968 static struct xfrm_policy *xfrm_policy_lookup_bytype(u8 type, struct flowi *fl, 969 u16 family, u8 dir) 970 { 971 int err; 972 struct xfrm_policy *pol, *ret; 973 xfrm_address_t *daddr, *saddr; 974 struct hlist_node *entry; 975 struct hlist_head *chain; 976 u32 priority = ~0U; 977 978 daddr = xfrm_flowi_daddr(fl, family); 979 saddr = xfrm_flowi_saddr(fl, family); 980 if (unlikely(!daddr || !saddr)) 981 return NULL; 982 983 read_lock_bh(&xfrm_policy_lock); 984 chain = policy_hash_direct(daddr, saddr, family, dir); 985 ret = NULL; 986 hlist_for_each_entry(pol, entry, chain, bydst) { 987 err = xfrm_policy_match(pol, fl, type, family, dir); 988 if (err) { 989 if (err == -ESRCH) 990 continue; 991 else { 992 ret = ERR_PTR(err); 993 goto fail; 994 } 995 } else { 996 ret = pol; 997 priority = ret->priority; 998 break; 999 } 1000 } 1001 chain = &xfrm_policy_inexact[dir]; 1002 hlist_for_each_entry(pol, entry, chain, bydst) { 1003 err = xfrm_policy_match(pol, fl, type, family, dir); 1004 if (err) { 1005 if (err == -ESRCH) 1006 continue; 1007 else { 1008 ret = ERR_PTR(err); 1009 goto fail; 1010 } 1011 } else if (pol->priority < priority) { 1012 ret = pol; 1013 break; 1014 } 1015 } 1016 if (ret) 1017 xfrm_pol_hold(ret); 1018 fail: 1019 read_unlock_bh(&xfrm_policy_lock); 1020 1021 return ret; 1022 } 1023 1024 static int xfrm_policy_lookup(struct flowi *fl, u16 family, u8 dir, 1025 void **objp, atomic_t **obj_refp) 1026 { 1027 struct xfrm_policy *pol; 1028 int err = 0; 1029 1030 #ifdef CONFIG_XFRM_SUB_POLICY 1031 pol = xfrm_policy_lookup_bytype(XFRM_POLICY_TYPE_SUB, fl, family, dir); 1032 if (IS_ERR(pol)) { 1033 err = PTR_ERR(pol); 1034 pol = NULL; 1035 } 1036 if (pol || err) 1037 goto end; 1038 #endif 1039 pol = xfrm_policy_lookup_bytype(XFRM_POLICY_TYPE_MAIN, fl, family, dir); 1040 if (IS_ERR(pol)) { 1041 err = PTR_ERR(pol); 1042 pol = NULL; 1043 } 1044 #ifdef CONFIG_XFRM_SUB_POLICY 1045 end: 1046 #endif 1047 if ((*objp = (void *) pol) != NULL) 1048 *obj_refp = &pol->refcnt; 1049 return err; 1050 } 1051 1052 static inline int policy_to_flow_dir(int dir) 1053 { 1054 if (XFRM_POLICY_IN == FLOW_DIR_IN && 1055 XFRM_POLICY_OUT == FLOW_DIR_OUT && 1056 XFRM_POLICY_FWD == FLOW_DIR_FWD) 1057 return dir; 1058 switch (dir) { 1059 default: 1060 case XFRM_POLICY_IN: 1061 return FLOW_DIR_IN; 1062 case XFRM_POLICY_OUT: 1063 return FLOW_DIR_OUT; 1064 case XFRM_POLICY_FWD: 1065 return FLOW_DIR_FWD; 1066 } 1067 } 1068 1069 static struct xfrm_policy *xfrm_sk_policy_lookup(struct sock *sk, int dir, struct flowi *fl) 1070 { 1071 struct xfrm_policy *pol; 1072 1073 read_lock_bh(&xfrm_policy_lock); 1074 if ((pol = sk->sk_policy[dir]) != NULL) { 1075 int match = xfrm_selector_match(&pol->selector, fl, 1076 sk->sk_family); 1077 int err = 0; 1078 1079 if (match) { 1080 err = security_xfrm_policy_lookup(pol, fl->secid, 1081 policy_to_flow_dir(dir)); 1082 if (!err) 1083 xfrm_pol_hold(pol); 1084 else if (err == -ESRCH) 1085 pol = NULL; 1086 else 1087 pol = ERR_PTR(err); 1088 } else 1089 pol = NULL; 1090 } 1091 read_unlock_bh(&xfrm_policy_lock); 1092 return pol; 1093 } 1094 1095 static void __xfrm_policy_link(struct xfrm_policy *pol, int dir) 1096 { 1097 struct hlist_head *chain = policy_hash_bysel(&pol->selector, 1098 pol->family, dir); 1099 1100 hlist_add_head(&pol->bydst, chain); 1101 hlist_add_head(&pol->byidx, xfrm_policy_byidx+idx_hash(pol->index)); 1102 xfrm_policy_count[dir]++; 1103 xfrm_pol_hold(pol); 1104 1105 if (xfrm_bydst_should_resize(dir, NULL)) 1106 schedule_work(&xfrm_hash_work); 1107 } 1108 1109 static struct xfrm_policy *__xfrm_policy_unlink(struct xfrm_policy *pol, 1110 int dir) 1111 { 1112 if (hlist_unhashed(&pol->bydst)) 1113 return NULL; 1114 1115 hlist_del(&pol->bydst); 1116 hlist_del(&pol->byidx); 1117 xfrm_policy_count[dir]--; 1118 1119 return pol; 1120 } 1121 1122 int xfrm_policy_delete(struct xfrm_policy *pol, int dir) 1123 { 1124 write_lock_bh(&xfrm_policy_lock); 1125 pol = __xfrm_policy_unlink(pol, dir); 1126 write_unlock_bh(&xfrm_policy_lock); 1127 if (pol) { 1128 if (dir < XFRM_POLICY_MAX) 1129 atomic_inc(&flow_cache_genid); 1130 xfrm_policy_kill(pol); 1131 return 0; 1132 } 1133 return -ENOENT; 1134 } 1135 EXPORT_SYMBOL(xfrm_policy_delete); 1136 1137 int xfrm_sk_policy_insert(struct sock *sk, int dir, struct xfrm_policy *pol) 1138 { 1139 struct xfrm_policy *old_pol; 1140 1141 #ifdef CONFIG_XFRM_SUB_POLICY 1142 if (pol && pol->type != XFRM_POLICY_TYPE_MAIN) 1143 return -EINVAL; 1144 #endif 1145 1146 write_lock_bh(&xfrm_policy_lock); 1147 old_pol = sk->sk_policy[dir]; 1148 sk->sk_policy[dir] = pol; 1149 if (pol) { 1150 pol->curlft.add_time = get_seconds(); 1151 pol->index = xfrm_gen_index(pol->type, XFRM_POLICY_MAX+dir); 1152 __xfrm_policy_link(pol, XFRM_POLICY_MAX+dir); 1153 } 1154 if (old_pol) 1155 __xfrm_policy_unlink(old_pol, XFRM_POLICY_MAX+dir); 1156 write_unlock_bh(&xfrm_policy_lock); 1157 1158 if (old_pol) { 1159 xfrm_policy_kill(old_pol); 1160 } 1161 return 0; 1162 } 1163 1164 static struct xfrm_policy *clone_policy(struct xfrm_policy *old, int dir) 1165 { 1166 struct xfrm_policy *newp = xfrm_policy_alloc(GFP_ATOMIC); 1167 1168 if (newp) { 1169 newp->selector = old->selector; 1170 if (security_xfrm_policy_clone(old, newp)) { 1171 kfree(newp); 1172 return NULL; /* ENOMEM */ 1173 } 1174 newp->lft = old->lft; 1175 newp->curlft = old->curlft; 1176 newp->action = old->action; 1177 newp->flags = old->flags; 1178 newp->xfrm_nr = old->xfrm_nr; 1179 newp->index = old->index; 1180 newp->type = old->type; 1181 memcpy(newp->xfrm_vec, old->xfrm_vec, 1182 newp->xfrm_nr*sizeof(struct xfrm_tmpl)); 1183 write_lock_bh(&xfrm_policy_lock); 1184 __xfrm_policy_link(newp, XFRM_POLICY_MAX+dir); 1185 write_unlock_bh(&xfrm_policy_lock); 1186 xfrm_pol_put(newp); 1187 } 1188 return newp; 1189 } 1190 1191 int __xfrm_sk_clone_policy(struct sock *sk) 1192 { 1193 struct xfrm_policy *p0 = sk->sk_policy[0], 1194 *p1 = sk->sk_policy[1]; 1195 1196 sk->sk_policy[0] = sk->sk_policy[1] = NULL; 1197 if (p0 && (sk->sk_policy[0] = clone_policy(p0, 0)) == NULL) 1198 return -ENOMEM; 1199 if (p1 && (sk->sk_policy[1] = clone_policy(p1, 1)) == NULL) 1200 return -ENOMEM; 1201 return 0; 1202 } 1203 1204 static int 1205 xfrm_get_saddr(xfrm_address_t *local, xfrm_address_t *remote, 1206 unsigned short family) 1207 { 1208 int err; 1209 struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family); 1210 1211 if (unlikely(afinfo == NULL)) 1212 return -EINVAL; 1213 err = afinfo->get_saddr(local, remote); 1214 xfrm_policy_put_afinfo(afinfo); 1215 return err; 1216 } 1217 1218 /* Resolve list of templates for the flow, given policy. */ 1219 1220 static int 1221 xfrm_tmpl_resolve_one(struct xfrm_policy *policy, struct flowi *fl, 1222 struct xfrm_state **xfrm, 1223 unsigned short family) 1224 { 1225 int nx; 1226 int i, error; 1227 xfrm_address_t *daddr = xfrm_flowi_daddr(fl, family); 1228 xfrm_address_t *saddr = xfrm_flowi_saddr(fl, family); 1229 xfrm_address_t tmp; 1230 1231 for (nx=0, i = 0; i < policy->xfrm_nr; i++) { 1232 struct xfrm_state *x; 1233 xfrm_address_t *remote = daddr; 1234 xfrm_address_t *local = saddr; 1235 struct xfrm_tmpl *tmpl = &policy->xfrm_vec[i]; 1236 1237 if (tmpl->mode == XFRM_MODE_TUNNEL) { 1238 remote = &tmpl->id.daddr; 1239 local = &tmpl->saddr; 1240 family = tmpl->encap_family; 1241 if (xfrm_addr_any(local, family)) { 1242 error = xfrm_get_saddr(&tmp, remote, family); 1243 if (error) 1244 goto fail; 1245 local = &tmp; 1246 } 1247 } 1248 1249 x = xfrm_state_find(remote, local, fl, tmpl, policy, &error, family); 1250 1251 if (x && x->km.state == XFRM_STATE_VALID) { 1252 xfrm[nx++] = x; 1253 daddr = remote; 1254 saddr = local; 1255 continue; 1256 } 1257 if (x) { 1258 error = (x->km.state == XFRM_STATE_ERROR ? 1259 -EINVAL : -EAGAIN); 1260 xfrm_state_put(x); 1261 } 1262 1263 if (!tmpl->optional) 1264 goto fail; 1265 } 1266 return nx; 1267 1268 fail: 1269 for (nx--; nx>=0; nx--) 1270 xfrm_state_put(xfrm[nx]); 1271 return error; 1272 } 1273 1274 static int 1275 xfrm_tmpl_resolve(struct xfrm_policy **pols, int npols, struct flowi *fl, 1276 struct xfrm_state **xfrm, 1277 unsigned short family) 1278 { 1279 struct xfrm_state *tp[XFRM_MAX_DEPTH]; 1280 struct xfrm_state **tpp = (npols > 1) ? tp : xfrm; 1281 int cnx = 0; 1282 int error; 1283 int ret; 1284 int i; 1285 1286 for (i = 0; i < npols; i++) { 1287 if (cnx + pols[i]->xfrm_nr >= XFRM_MAX_DEPTH) { 1288 error = -ENOBUFS; 1289 goto fail; 1290 } 1291 1292 ret = xfrm_tmpl_resolve_one(pols[i], fl, &tpp[cnx], family); 1293 if (ret < 0) { 1294 error = ret; 1295 goto fail; 1296 } else 1297 cnx += ret; 1298 } 1299 1300 /* found states are sorted for outbound processing */ 1301 if (npols > 1) 1302 xfrm_state_sort(xfrm, tpp, cnx, family); 1303 1304 return cnx; 1305 1306 fail: 1307 for (cnx--; cnx>=0; cnx--) 1308 xfrm_state_put(tpp[cnx]); 1309 return error; 1310 1311 } 1312 1313 /* Check that the bundle accepts the flow and its components are 1314 * still valid. 1315 */ 1316 1317 static struct dst_entry * 1318 xfrm_find_bundle(struct flowi *fl, struct xfrm_policy *policy, unsigned short family) 1319 { 1320 struct dst_entry *x; 1321 struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family); 1322 if (unlikely(afinfo == NULL)) 1323 return ERR_PTR(-EINVAL); 1324 x = afinfo->find_bundle(fl, policy); 1325 xfrm_policy_put_afinfo(afinfo); 1326 return x; 1327 } 1328 1329 /* Allocate chain of dst_entry's, attach known xfrm's, calculate 1330 * all the metrics... Shortly, bundle a bundle. 1331 */ 1332 1333 static int 1334 xfrm_bundle_create(struct xfrm_policy *policy, struct xfrm_state **xfrm, int nx, 1335 struct flowi *fl, struct dst_entry **dst_p, 1336 unsigned short family) 1337 { 1338 int err; 1339 struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family); 1340 if (unlikely(afinfo == NULL)) 1341 return -EINVAL; 1342 err = afinfo->bundle_create(policy, xfrm, nx, fl, dst_p); 1343 xfrm_policy_put_afinfo(afinfo); 1344 return err; 1345 } 1346 1347 static int inline 1348 xfrm_dst_alloc_copy(void **target, void *src, int size) 1349 { 1350 if (!*target) { 1351 *target = kmalloc(size, GFP_ATOMIC); 1352 if (!*target) 1353 return -ENOMEM; 1354 } 1355 memcpy(*target, src, size); 1356 return 0; 1357 } 1358 1359 static int inline 1360 xfrm_dst_update_parent(struct dst_entry *dst, struct xfrm_selector *sel) 1361 { 1362 #ifdef CONFIG_XFRM_SUB_POLICY 1363 struct xfrm_dst *xdst = (struct xfrm_dst *)dst; 1364 return xfrm_dst_alloc_copy((void **)&(xdst->partner), 1365 sel, sizeof(*sel)); 1366 #else 1367 return 0; 1368 #endif 1369 } 1370 1371 static int inline 1372 xfrm_dst_update_origin(struct dst_entry *dst, struct flowi *fl) 1373 { 1374 #ifdef CONFIG_XFRM_SUB_POLICY 1375 struct xfrm_dst *xdst = (struct xfrm_dst *)dst; 1376 return xfrm_dst_alloc_copy((void **)&(xdst->origin), fl, sizeof(*fl)); 1377 #else 1378 return 0; 1379 #endif 1380 } 1381 1382 static int stale_bundle(struct dst_entry *dst); 1383 1384 /* Main function: finds/creates a bundle for given flow. 1385 * 1386 * At the moment we eat a raw IP route. Mostly to speed up lookups 1387 * on interfaces with disabled IPsec. 1388 */ 1389 int xfrm_lookup(struct dst_entry **dst_p, struct flowi *fl, 1390 struct sock *sk, int flags) 1391 { 1392 struct xfrm_policy *policy; 1393 struct xfrm_policy *pols[XFRM_POLICY_TYPE_MAX]; 1394 int npols; 1395 int pol_dead; 1396 int xfrm_nr; 1397 int pi; 1398 struct xfrm_state *xfrm[XFRM_MAX_DEPTH]; 1399 struct dst_entry *dst, *dst_orig = *dst_p; 1400 int nx = 0; 1401 int err; 1402 u32 genid; 1403 u16 family; 1404 u8 dir = policy_to_flow_dir(XFRM_POLICY_OUT); 1405 1406 restart: 1407 genid = atomic_read(&flow_cache_genid); 1408 policy = NULL; 1409 for (pi = 0; pi < ARRAY_SIZE(pols); pi++) 1410 pols[pi] = NULL; 1411 npols = 0; 1412 pol_dead = 0; 1413 xfrm_nr = 0; 1414 1415 if (sk && sk->sk_policy[1]) { 1416 policy = xfrm_sk_policy_lookup(sk, XFRM_POLICY_OUT, fl); 1417 if (IS_ERR(policy)) 1418 return PTR_ERR(policy); 1419 } 1420 1421 if (!policy) { 1422 /* To accelerate a bit... */ 1423 if ((dst_orig->flags & DST_NOXFRM) || 1424 !xfrm_policy_count[XFRM_POLICY_OUT]) 1425 return 0; 1426 1427 policy = flow_cache_lookup(fl, dst_orig->ops->family, 1428 dir, xfrm_policy_lookup); 1429 if (IS_ERR(policy)) 1430 return PTR_ERR(policy); 1431 } 1432 1433 if (!policy) 1434 return 0; 1435 1436 family = dst_orig->ops->family; 1437 policy->curlft.use_time = get_seconds(); 1438 pols[0] = policy; 1439 npols ++; 1440 xfrm_nr += pols[0]->xfrm_nr; 1441 1442 switch (policy->action) { 1443 case XFRM_POLICY_BLOCK: 1444 /* Prohibit the flow */ 1445 err = -EPERM; 1446 goto error; 1447 1448 case XFRM_POLICY_ALLOW: 1449 #ifndef CONFIG_XFRM_SUB_POLICY 1450 if (policy->xfrm_nr == 0) { 1451 /* Flow passes not transformed. */ 1452 xfrm_pol_put(policy); 1453 return 0; 1454 } 1455 #endif 1456 1457 /* Try to find matching bundle. 1458 * 1459 * LATER: help from flow cache. It is optional, this 1460 * is required only for output policy. 1461 */ 1462 dst = xfrm_find_bundle(fl, policy, family); 1463 if (IS_ERR(dst)) { 1464 err = PTR_ERR(dst); 1465 goto error; 1466 } 1467 1468 if (dst) 1469 break; 1470 1471 #ifdef CONFIG_XFRM_SUB_POLICY 1472 if (pols[0]->type != XFRM_POLICY_TYPE_MAIN) { 1473 pols[1] = xfrm_policy_lookup_bytype(XFRM_POLICY_TYPE_MAIN, 1474 fl, family, 1475 XFRM_POLICY_OUT); 1476 if (pols[1]) { 1477 if (IS_ERR(pols[1])) { 1478 err = PTR_ERR(pols[1]); 1479 goto error; 1480 } 1481 if (pols[1]->action == XFRM_POLICY_BLOCK) { 1482 err = -EPERM; 1483 goto error; 1484 } 1485 npols ++; 1486 xfrm_nr += pols[1]->xfrm_nr; 1487 } 1488 } 1489 1490 /* 1491 * Because neither flowi nor bundle information knows about 1492 * transformation template size. On more than one policy usage 1493 * we can realize whether all of them is bypass or not after 1494 * they are searched. See above not-transformed bypass 1495 * is surrounded by non-sub policy configuration, too. 1496 */ 1497 if (xfrm_nr == 0) { 1498 /* Flow passes not transformed. */ 1499 xfrm_pols_put(pols, npols); 1500 return 0; 1501 } 1502 1503 #endif 1504 nx = xfrm_tmpl_resolve(pols, npols, fl, xfrm, family); 1505 1506 if (unlikely(nx<0)) { 1507 err = nx; 1508 if (err == -EAGAIN && flags) { 1509 DECLARE_WAITQUEUE(wait, current); 1510 1511 add_wait_queue(&km_waitq, &wait); 1512 set_current_state(TASK_INTERRUPTIBLE); 1513 schedule(); 1514 set_current_state(TASK_RUNNING); 1515 remove_wait_queue(&km_waitq, &wait); 1516 1517 nx = xfrm_tmpl_resolve(pols, npols, fl, xfrm, family); 1518 1519 if (nx == -EAGAIN && signal_pending(current)) { 1520 err = -ERESTART; 1521 goto error; 1522 } 1523 if (nx == -EAGAIN || 1524 genid != atomic_read(&flow_cache_genid)) { 1525 xfrm_pols_put(pols, npols); 1526 goto restart; 1527 } 1528 err = nx; 1529 } 1530 if (err < 0) 1531 goto error; 1532 } 1533 if (nx == 0) { 1534 /* Flow passes not transformed. */ 1535 xfrm_pols_put(pols, npols); 1536 return 0; 1537 } 1538 1539 dst = dst_orig; 1540 err = xfrm_bundle_create(policy, xfrm, nx, fl, &dst, family); 1541 1542 if (unlikely(err)) { 1543 int i; 1544 for (i=0; i<nx; i++) 1545 xfrm_state_put(xfrm[i]); 1546 goto error; 1547 } 1548 1549 for (pi = 0; pi < npols; pi++) { 1550 read_lock_bh(&pols[pi]->lock); 1551 pol_dead |= pols[pi]->dead; 1552 read_unlock_bh(&pols[pi]->lock); 1553 } 1554 1555 write_lock_bh(&policy->lock); 1556 if (unlikely(pol_dead || stale_bundle(dst))) { 1557 /* Wow! While we worked on resolving, this 1558 * policy has gone. Retry. It is not paranoia, 1559 * we just cannot enlist new bundle to dead object. 1560 * We can't enlist stable bundles either. 1561 */ 1562 write_unlock_bh(&policy->lock); 1563 if (dst) 1564 dst_free(dst); 1565 1566 err = -EHOSTUNREACH; 1567 goto error; 1568 } 1569 1570 if (npols > 1) 1571 err = xfrm_dst_update_parent(dst, &pols[1]->selector); 1572 else 1573 err = xfrm_dst_update_origin(dst, fl); 1574 if (unlikely(err)) { 1575 write_unlock_bh(&policy->lock); 1576 if (dst) 1577 dst_free(dst); 1578 goto error; 1579 } 1580 1581 dst->next = policy->bundles; 1582 policy->bundles = dst; 1583 dst_hold(dst); 1584 write_unlock_bh(&policy->lock); 1585 } 1586 *dst_p = dst; 1587 dst_release(dst_orig); 1588 xfrm_pols_put(pols, npols); 1589 return 0; 1590 1591 error: 1592 dst_release(dst_orig); 1593 xfrm_pols_put(pols, npols); 1594 *dst_p = NULL; 1595 return err; 1596 } 1597 EXPORT_SYMBOL(xfrm_lookup); 1598 1599 static inline int 1600 xfrm_secpath_reject(int idx, struct sk_buff *skb, struct flowi *fl) 1601 { 1602 struct xfrm_state *x; 1603 int err; 1604 1605 if (!skb->sp || idx < 0 || idx >= skb->sp->len) 1606 return 0; 1607 x = skb->sp->xvec[idx]; 1608 if (!x->type->reject) 1609 return 0; 1610 xfrm_state_hold(x); 1611 err = x->type->reject(x, skb, fl); 1612 xfrm_state_put(x); 1613 return err; 1614 } 1615 1616 /* When skb is transformed back to its "native" form, we have to 1617 * check policy restrictions. At the moment we make this in maximally 1618 * stupid way. Shame on me. :-) Of course, connected sockets must 1619 * have policy cached at them. 1620 */ 1621 1622 static inline int 1623 xfrm_state_ok(struct xfrm_tmpl *tmpl, struct xfrm_state *x, 1624 unsigned short family) 1625 { 1626 if (xfrm_state_kern(x)) 1627 return tmpl->optional && !xfrm_state_addr_cmp(tmpl, x, tmpl->encap_family); 1628 return x->id.proto == tmpl->id.proto && 1629 (x->id.spi == tmpl->id.spi || !tmpl->id.spi) && 1630 (x->props.reqid == tmpl->reqid || !tmpl->reqid) && 1631 x->props.mode == tmpl->mode && 1632 ((tmpl->aalgos & (1<<x->props.aalgo)) || 1633 !(xfrm_id_proto_match(tmpl->id.proto, IPSEC_PROTO_ANY))) && 1634 !(x->props.mode != XFRM_MODE_TRANSPORT && 1635 xfrm_state_addr_cmp(tmpl, x, family)); 1636 } 1637 1638 /* 1639 * 0 or more than 0 is returned when validation is succeeded (either bypass 1640 * because of optional transport mode, or next index of the mathced secpath 1641 * state with the template. 1642 * -1 is returned when no matching template is found. 1643 * Otherwise "-2 - errored_index" is returned. 1644 */ 1645 static inline int 1646 xfrm_policy_ok(struct xfrm_tmpl *tmpl, struct sec_path *sp, int start, 1647 unsigned short family) 1648 { 1649 int idx = start; 1650 1651 if (tmpl->optional) { 1652 if (tmpl->mode == XFRM_MODE_TRANSPORT) 1653 return start; 1654 } else 1655 start = -1; 1656 for (; idx < sp->len; idx++) { 1657 if (xfrm_state_ok(tmpl, sp->xvec[idx], family)) 1658 return ++idx; 1659 if (sp->xvec[idx]->props.mode != XFRM_MODE_TRANSPORT) { 1660 if (start == -1) 1661 start = -2-idx; 1662 break; 1663 } 1664 } 1665 return start; 1666 } 1667 1668 int 1669 xfrm_decode_session(struct sk_buff *skb, struct flowi *fl, unsigned short family) 1670 { 1671 struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family); 1672 int err; 1673 1674 if (unlikely(afinfo == NULL)) 1675 return -EAFNOSUPPORT; 1676 1677 afinfo->decode_session(skb, fl); 1678 err = security_xfrm_decode_session(skb, &fl->secid); 1679 xfrm_policy_put_afinfo(afinfo); 1680 return err; 1681 } 1682 EXPORT_SYMBOL(xfrm_decode_session); 1683 1684 static inline int secpath_has_nontransport(struct sec_path *sp, int k, int *idxp) 1685 { 1686 for (; k < sp->len; k++) { 1687 if (sp->xvec[k]->props.mode != XFRM_MODE_TRANSPORT) { 1688 *idxp = k; 1689 return 1; 1690 } 1691 } 1692 1693 return 0; 1694 } 1695 1696 int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, 1697 unsigned short family) 1698 { 1699 struct xfrm_policy *pol; 1700 struct xfrm_policy *pols[XFRM_POLICY_TYPE_MAX]; 1701 int npols = 0; 1702 int xfrm_nr; 1703 int pi; 1704 struct flowi fl; 1705 u8 fl_dir = policy_to_flow_dir(dir); 1706 int xerr_idx = -1; 1707 1708 if (xfrm_decode_session(skb, &fl, family) < 0) 1709 return 0; 1710 nf_nat_decode_session(skb, &fl, family); 1711 1712 /* First, check used SA against their selectors. */ 1713 if (skb->sp) { 1714 int i; 1715 1716 for (i=skb->sp->len-1; i>=0; i--) { 1717 struct xfrm_state *x = skb->sp->xvec[i]; 1718 if (!xfrm_selector_match(&x->sel, &fl, family)) 1719 return 0; 1720 } 1721 } 1722 1723 pol = NULL; 1724 if (sk && sk->sk_policy[dir]) { 1725 pol = xfrm_sk_policy_lookup(sk, dir, &fl); 1726 if (IS_ERR(pol)) 1727 return 0; 1728 } 1729 1730 if (!pol) 1731 pol = flow_cache_lookup(&fl, family, fl_dir, 1732 xfrm_policy_lookup); 1733 1734 if (IS_ERR(pol)) 1735 return 0; 1736 1737 if (!pol) { 1738 if (skb->sp && secpath_has_nontransport(skb->sp, 0, &xerr_idx)) { 1739 xfrm_secpath_reject(xerr_idx, skb, &fl); 1740 return 0; 1741 } 1742 return 1; 1743 } 1744 1745 pol->curlft.use_time = get_seconds(); 1746 1747 pols[0] = pol; 1748 npols ++; 1749 #ifdef CONFIG_XFRM_SUB_POLICY 1750 if (pols[0]->type != XFRM_POLICY_TYPE_MAIN) { 1751 pols[1] = xfrm_policy_lookup_bytype(XFRM_POLICY_TYPE_MAIN, 1752 &fl, family, 1753 XFRM_POLICY_IN); 1754 if (pols[1]) { 1755 if (IS_ERR(pols[1])) 1756 return 0; 1757 pols[1]->curlft.use_time = get_seconds(); 1758 npols ++; 1759 } 1760 } 1761 #endif 1762 1763 if (pol->action == XFRM_POLICY_ALLOW) { 1764 struct sec_path *sp; 1765 static struct sec_path dummy; 1766 struct xfrm_tmpl *tp[XFRM_MAX_DEPTH]; 1767 struct xfrm_tmpl *stp[XFRM_MAX_DEPTH]; 1768 struct xfrm_tmpl **tpp = tp; 1769 int ti = 0; 1770 int i, k; 1771 1772 if ((sp = skb->sp) == NULL) 1773 sp = &dummy; 1774 1775 for (pi = 0; pi < npols; pi++) { 1776 if (pols[pi] != pol && 1777 pols[pi]->action != XFRM_POLICY_ALLOW) 1778 goto reject; 1779 if (ti + pols[pi]->xfrm_nr >= XFRM_MAX_DEPTH) 1780 goto reject_error; 1781 for (i = 0; i < pols[pi]->xfrm_nr; i++) 1782 tpp[ti++] = &pols[pi]->xfrm_vec[i]; 1783 } 1784 xfrm_nr = ti; 1785 if (npols > 1) { 1786 xfrm_tmpl_sort(stp, tpp, xfrm_nr, family); 1787 tpp = stp; 1788 } 1789 1790 /* For each tunnel xfrm, find the first matching tmpl. 1791 * For each tmpl before that, find corresponding xfrm. 1792 * Order is _important_. Later we will implement 1793 * some barriers, but at the moment barriers 1794 * are implied between each two transformations. 1795 */ 1796 for (i = xfrm_nr-1, k = 0; i >= 0; i--) { 1797 k = xfrm_policy_ok(tpp[i], sp, k, family); 1798 if (k < 0) { 1799 if (k < -1) 1800 /* "-2 - errored_index" returned */ 1801 xerr_idx = -(2+k); 1802 goto reject; 1803 } 1804 } 1805 1806 if (secpath_has_nontransport(sp, k, &xerr_idx)) 1807 goto reject; 1808 1809 xfrm_pols_put(pols, npols); 1810 return 1; 1811 } 1812 1813 reject: 1814 xfrm_secpath_reject(xerr_idx, skb, &fl); 1815 reject_error: 1816 xfrm_pols_put(pols, npols); 1817 return 0; 1818 } 1819 EXPORT_SYMBOL(__xfrm_policy_check); 1820 1821 int __xfrm_route_forward(struct sk_buff *skb, unsigned short family) 1822 { 1823 struct flowi fl; 1824 1825 if (xfrm_decode_session(skb, &fl, family) < 0) 1826 return 0; 1827 1828 return xfrm_lookup(&skb->dst, &fl, NULL, 0) == 0; 1829 } 1830 EXPORT_SYMBOL(__xfrm_route_forward); 1831 1832 /* Optimize later using cookies and generation ids. */ 1833 1834 static struct dst_entry *xfrm_dst_check(struct dst_entry *dst, u32 cookie) 1835 { 1836 /* Code (such as __xfrm4_bundle_create()) sets dst->obsolete 1837 * to "-1" to force all XFRM destinations to get validated by 1838 * dst_ops->check on every use. We do this because when a 1839 * normal route referenced by an XFRM dst is obsoleted we do 1840 * not go looking around for all parent referencing XFRM dsts 1841 * so that we can invalidate them. It is just too much work. 1842 * Instead we make the checks here on every use. For example: 1843 * 1844 * XFRM dst A --> IPv4 dst X 1845 * 1846 * X is the "xdst->route" of A (X is also the "dst->path" of A 1847 * in this example). If X is marked obsolete, "A" will not 1848 * notice. That's what we are validating here via the 1849 * stale_bundle() check. 1850 * 1851 * When a policy's bundle is pruned, we dst_free() the XFRM 1852 * dst which causes it's ->obsolete field to be set to a 1853 * positive non-zero integer. If an XFRM dst has been pruned 1854 * like this, we want to force a new route lookup. 1855 */ 1856 if (dst->obsolete < 0 && !stale_bundle(dst)) 1857 return dst; 1858 1859 return NULL; 1860 } 1861 1862 static int stale_bundle(struct dst_entry *dst) 1863 { 1864 return !xfrm_bundle_ok(NULL, (struct xfrm_dst *)dst, NULL, AF_UNSPEC, 0); 1865 } 1866 1867 void xfrm_dst_ifdown(struct dst_entry *dst, struct net_device *dev) 1868 { 1869 while ((dst = dst->child) && dst->xfrm && dst->dev == dev) { 1870 dst->dev = &loopback_dev; 1871 dev_hold(&loopback_dev); 1872 dev_put(dev); 1873 } 1874 } 1875 EXPORT_SYMBOL(xfrm_dst_ifdown); 1876 1877 static void xfrm_link_failure(struct sk_buff *skb) 1878 { 1879 /* Impossible. Such dst must be popped before reaches point of failure. */ 1880 return; 1881 } 1882 1883 static struct dst_entry *xfrm_negative_advice(struct dst_entry *dst) 1884 { 1885 if (dst) { 1886 if (dst->obsolete) { 1887 dst_release(dst); 1888 dst = NULL; 1889 } 1890 } 1891 return dst; 1892 } 1893 1894 static void prune_one_bundle(struct xfrm_policy *pol, int (*func)(struct dst_entry *), struct dst_entry **gc_list_p) 1895 { 1896 struct dst_entry *dst, **dstp; 1897 1898 write_lock(&pol->lock); 1899 dstp = &pol->bundles; 1900 while ((dst=*dstp) != NULL) { 1901 if (func(dst)) { 1902 *dstp = dst->next; 1903 dst->next = *gc_list_p; 1904 *gc_list_p = dst; 1905 } else { 1906 dstp = &dst->next; 1907 } 1908 } 1909 write_unlock(&pol->lock); 1910 } 1911 1912 static void xfrm_prune_bundles(int (*func)(struct dst_entry *)) 1913 { 1914 struct dst_entry *gc_list = NULL; 1915 int dir; 1916 1917 read_lock_bh(&xfrm_policy_lock); 1918 for (dir = 0; dir < XFRM_POLICY_MAX * 2; dir++) { 1919 struct xfrm_policy *pol; 1920 struct hlist_node *entry; 1921 struct hlist_head *table; 1922 int i; 1923 1924 hlist_for_each_entry(pol, entry, 1925 &xfrm_policy_inexact[dir], bydst) 1926 prune_one_bundle(pol, func, &gc_list); 1927 1928 table = xfrm_policy_bydst[dir].table; 1929 for (i = xfrm_policy_bydst[dir].hmask; i >= 0; i--) { 1930 hlist_for_each_entry(pol, entry, table + i, bydst) 1931 prune_one_bundle(pol, func, &gc_list); 1932 } 1933 } 1934 read_unlock_bh(&xfrm_policy_lock); 1935 1936 while (gc_list) { 1937 struct dst_entry *dst = gc_list; 1938 gc_list = dst->next; 1939 dst_free(dst); 1940 } 1941 } 1942 1943 static int unused_bundle(struct dst_entry *dst) 1944 { 1945 return !atomic_read(&dst->__refcnt); 1946 } 1947 1948 static void __xfrm_garbage_collect(void) 1949 { 1950 xfrm_prune_bundles(unused_bundle); 1951 } 1952 1953 static int xfrm_flush_bundles(void) 1954 { 1955 xfrm_prune_bundles(stale_bundle); 1956 return 0; 1957 } 1958 1959 void xfrm_init_pmtu(struct dst_entry *dst) 1960 { 1961 do { 1962 struct xfrm_dst *xdst = (struct xfrm_dst *)dst; 1963 u32 pmtu, route_mtu_cached; 1964 1965 pmtu = dst_mtu(dst->child); 1966 xdst->child_mtu_cached = pmtu; 1967 1968 pmtu = xfrm_state_mtu(dst->xfrm, pmtu); 1969 1970 route_mtu_cached = dst_mtu(xdst->route); 1971 xdst->route_mtu_cached = route_mtu_cached; 1972 1973 if (pmtu > route_mtu_cached) 1974 pmtu = route_mtu_cached; 1975 1976 dst->metrics[RTAX_MTU-1] = pmtu; 1977 } while ((dst = dst->next)); 1978 } 1979 1980 EXPORT_SYMBOL(xfrm_init_pmtu); 1981 1982 /* Check that the bundle accepts the flow and its components are 1983 * still valid. 1984 */ 1985 1986 int xfrm_bundle_ok(struct xfrm_policy *pol, struct xfrm_dst *first, 1987 struct flowi *fl, int family, int strict) 1988 { 1989 struct dst_entry *dst = &first->u.dst; 1990 struct xfrm_dst *last; 1991 u32 mtu; 1992 1993 if (!dst_check(dst->path, ((struct xfrm_dst *)dst)->path_cookie) || 1994 (dst->dev && !netif_running(dst->dev))) 1995 return 0; 1996 #ifdef CONFIG_XFRM_SUB_POLICY 1997 if (fl) { 1998 if (first->origin && !flow_cache_uli_match(first->origin, fl)) 1999 return 0; 2000 if (first->partner && 2001 !xfrm_selector_match(first->partner, fl, family)) 2002 return 0; 2003 } 2004 #endif 2005 2006 last = NULL; 2007 2008 do { 2009 struct xfrm_dst *xdst = (struct xfrm_dst *)dst; 2010 2011 if (fl && !xfrm_selector_match(&dst->xfrm->sel, fl, family)) 2012 return 0; 2013 if (fl && pol && 2014 !security_xfrm_state_pol_flow_match(dst->xfrm, pol, fl)) 2015 return 0; 2016 if (dst->xfrm->km.state != XFRM_STATE_VALID) 2017 return 0; 2018 if (xdst->genid != dst->xfrm->genid) 2019 return 0; 2020 2021 if (strict && fl && dst->xfrm->props.mode != XFRM_MODE_TUNNEL && 2022 !xfrm_state_addr_flow_check(dst->xfrm, fl, family)) 2023 return 0; 2024 2025 mtu = dst_mtu(dst->child); 2026 if (xdst->child_mtu_cached != mtu) { 2027 last = xdst; 2028 xdst->child_mtu_cached = mtu; 2029 } 2030 2031 if (!dst_check(xdst->route, xdst->route_cookie)) 2032 return 0; 2033 mtu = dst_mtu(xdst->route); 2034 if (xdst->route_mtu_cached != mtu) { 2035 last = xdst; 2036 xdst->route_mtu_cached = mtu; 2037 } 2038 2039 dst = dst->child; 2040 } while (dst->xfrm); 2041 2042 if (likely(!last)) 2043 return 1; 2044 2045 mtu = last->child_mtu_cached; 2046 for (;;) { 2047 dst = &last->u.dst; 2048 2049 mtu = xfrm_state_mtu(dst->xfrm, mtu); 2050 if (mtu > last->route_mtu_cached) 2051 mtu = last->route_mtu_cached; 2052 dst->metrics[RTAX_MTU-1] = mtu; 2053 2054 if (last == first) 2055 break; 2056 2057 last = last->u.next; 2058 last->child_mtu_cached = mtu; 2059 } 2060 2061 return 1; 2062 } 2063 2064 EXPORT_SYMBOL(xfrm_bundle_ok); 2065 2066 #ifdef CONFIG_AUDITSYSCALL 2067 /* Audit addition and deletion of SAs and ipsec policy */ 2068 2069 void xfrm_audit_log(uid_t auid, u32 sid, int type, int result, 2070 struct xfrm_policy *xp, struct xfrm_state *x) 2071 { 2072 2073 char *secctx; 2074 u32 secctx_len; 2075 struct xfrm_sec_ctx *sctx = NULL; 2076 struct audit_buffer *audit_buf; 2077 int family; 2078 extern int audit_enabled; 2079 2080 if (audit_enabled == 0) 2081 return; 2082 2083 BUG_ON((type == AUDIT_MAC_IPSEC_ADDSA || 2084 type == AUDIT_MAC_IPSEC_DELSA) && !x); 2085 BUG_ON((type == AUDIT_MAC_IPSEC_ADDSPD || 2086 type == AUDIT_MAC_IPSEC_DELSPD) && !xp); 2087 2088 audit_buf = audit_log_start(current->audit_context, GFP_ATOMIC, type); 2089 if (audit_buf == NULL) 2090 return; 2091 2092 switch(type) { 2093 case AUDIT_MAC_IPSEC_ADDSA: 2094 audit_log_format(audit_buf, "SAD add: auid=%u", auid); 2095 break; 2096 case AUDIT_MAC_IPSEC_DELSA: 2097 audit_log_format(audit_buf, "SAD delete: auid=%u", auid); 2098 break; 2099 case AUDIT_MAC_IPSEC_ADDSPD: 2100 audit_log_format(audit_buf, "SPD add: auid=%u", auid); 2101 break; 2102 case AUDIT_MAC_IPSEC_DELSPD: 2103 audit_log_format(audit_buf, "SPD delete: auid=%u", auid); 2104 break; 2105 default: 2106 return; 2107 } 2108 2109 if (sid != 0 && 2110 security_secid_to_secctx(sid, &secctx, &secctx_len) == 0) 2111 audit_log_format(audit_buf, " subj=%s", secctx); 2112 else 2113 audit_log_task_context(audit_buf); 2114 2115 if (xp) { 2116 family = xp->selector.family; 2117 if (xp->security) 2118 sctx = xp->security; 2119 } else { 2120 family = x->props.family; 2121 if (x->security) 2122 sctx = x->security; 2123 } 2124 2125 if (sctx) 2126 audit_log_format(audit_buf, 2127 " sec_alg=%u sec_doi=%u sec_obj=%s", 2128 sctx->ctx_alg, sctx->ctx_doi, sctx->ctx_str); 2129 2130 switch(family) { 2131 case AF_INET: 2132 { 2133 struct in_addr saddr, daddr; 2134 if (xp) { 2135 saddr.s_addr = xp->selector.saddr.a4; 2136 daddr.s_addr = xp->selector.daddr.a4; 2137 } else { 2138 saddr.s_addr = x->props.saddr.a4; 2139 daddr.s_addr = x->id.daddr.a4; 2140 } 2141 audit_log_format(audit_buf, 2142 " src=%u.%u.%u.%u dst=%u.%u.%u.%u", 2143 NIPQUAD(saddr), NIPQUAD(daddr)); 2144 } 2145 break; 2146 case AF_INET6: 2147 { 2148 struct in6_addr saddr6, daddr6; 2149 if (xp) { 2150 memcpy(&saddr6, xp->selector.saddr.a6, 2151 sizeof(struct in6_addr)); 2152 memcpy(&daddr6, xp->selector.daddr.a6, 2153 sizeof(struct in6_addr)); 2154 } else { 2155 memcpy(&saddr6, x->props.saddr.a6, 2156 sizeof(struct in6_addr)); 2157 memcpy(&daddr6, x->id.daddr.a6, 2158 sizeof(struct in6_addr)); 2159 } 2160 audit_log_format(audit_buf, 2161 " src=" NIP6_FMT " dst=" NIP6_FMT, 2162 NIP6(saddr6), NIP6(daddr6)); 2163 } 2164 break; 2165 } 2166 2167 if (x) 2168 audit_log_format(audit_buf, " spi=%lu(0x%lx) protocol=%s", 2169 (unsigned long)ntohl(x->id.spi), 2170 (unsigned long)ntohl(x->id.spi), 2171 x->id.proto == IPPROTO_AH ? "AH" : 2172 (x->id.proto == IPPROTO_ESP ? 2173 "ESP" : "IPCOMP")); 2174 2175 audit_log_format(audit_buf, " res=%u", result); 2176 audit_log_end(audit_buf); 2177 } 2178 2179 EXPORT_SYMBOL(xfrm_audit_log); 2180 #endif /* CONFIG_AUDITSYSCALL */ 2181 2182 int xfrm_policy_register_afinfo(struct xfrm_policy_afinfo *afinfo) 2183 { 2184 int err = 0; 2185 if (unlikely(afinfo == NULL)) 2186 return -EINVAL; 2187 if (unlikely(afinfo->family >= NPROTO)) 2188 return -EAFNOSUPPORT; 2189 write_lock_bh(&xfrm_policy_afinfo_lock); 2190 if (unlikely(xfrm_policy_afinfo[afinfo->family] != NULL)) 2191 err = -ENOBUFS; 2192 else { 2193 struct dst_ops *dst_ops = afinfo->dst_ops; 2194 if (likely(dst_ops->kmem_cachep == NULL)) 2195 dst_ops->kmem_cachep = xfrm_dst_cache; 2196 if (likely(dst_ops->check == NULL)) 2197 dst_ops->check = xfrm_dst_check; 2198 if (likely(dst_ops->negative_advice == NULL)) 2199 dst_ops->negative_advice = xfrm_negative_advice; 2200 if (likely(dst_ops->link_failure == NULL)) 2201 dst_ops->link_failure = xfrm_link_failure; 2202 if (likely(afinfo->garbage_collect == NULL)) 2203 afinfo->garbage_collect = __xfrm_garbage_collect; 2204 xfrm_policy_afinfo[afinfo->family] = afinfo; 2205 } 2206 write_unlock_bh(&xfrm_policy_afinfo_lock); 2207 return err; 2208 } 2209 EXPORT_SYMBOL(xfrm_policy_register_afinfo); 2210 2211 int xfrm_policy_unregister_afinfo(struct xfrm_policy_afinfo *afinfo) 2212 { 2213 int err = 0; 2214 if (unlikely(afinfo == NULL)) 2215 return -EINVAL; 2216 if (unlikely(afinfo->family >= NPROTO)) 2217 return -EAFNOSUPPORT; 2218 write_lock_bh(&xfrm_policy_afinfo_lock); 2219 if (likely(xfrm_policy_afinfo[afinfo->family] != NULL)) { 2220 if (unlikely(xfrm_policy_afinfo[afinfo->family] != afinfo)) 2221 err = -EINVAL; 2222 else { 2223 struct dst_ops *dst_ops = afinfo->dst_ops; 2224 xfrm_policy_afinfo[afinfo->family] = NULL; 2225 dst_ops->kmem_cachep = NULL; 2226 dst_ops->check = NULL; 2227 dst_ops->negative_advice = NULL; 2228 dst_ops->link_failure = NULL; 2229 afinfo->garbage_collect = NULL; 2230 } 2231 } 2232 write_unlock_bh(&xfrm_policy_afinfo_lock); 2233 return err; 2234 } 2235 EXPORT_SYMBOL(xfrm_policy_unregister_afinfo); 2236 2237 static struct xfrm_policy_afinfo *xfrm_policy_get_afinfo(unsigned short family) 2238 { 2239 struct xfrm_policy_afinfo *afinfo; 2240 if (unlikely(family >= NPROTO)) 2241 return NULL; 2242 read_lock(&xfrm_policy_afinfo_lock); 2243 afinfo = xfrm_policy_afinfo[family]; 2244 if (unlikely(!afinfo)) 2245 read_unlock(&xfrm_policy_afinfo_lock); 2246 return afinfo; 2247 } 2248 2249 static void xfrm_policy_put_afinfo(struct xfrm_policy_afinfo *afinfo) 2250 { 2251 read_unlock(&xfrm_policy_afinfo_lock); 2252 } 2253 2254 static struct xfrm_policy_afinfo *xfrm_policy_lock_afinfo(unsigned int family) 2255 { 2256 struct xfrm_policy_afinfo *afinfo; 2257 if (unlikely(family >= NPROTO)) 2258 return NULL; 2259 write_lock_bh(&xfrm_policy_afinfo_lock); 2260 afinfo = xfrm_policy_afinfo[family]; 2261 if (unlikely(!afinfo)) 2262 write_unlock_bh(&xfrm_policy_afinfo_lock); 2263 return afinfo; 2264 } 2265 2266 static void xfrm_policy_unlock_afinfo(struct xfrm_policy_afinfo *afinfo) 2267 { 2268 write_unlock_bh(&xfrm_policy_afinfo_lock); 2269 } 2270 2271 static int xfrm_dev_event(struct notifier_block *this, unsigned long event, void *ptr) 2272 { 2273 switch (event) { 2274 case NETDEV_DOWN: 2275 xfrm_flush_bundles(); 2276 } 2277 return NOTIFY_DONE; 2278 } 2279 2280 static struct notifier_block xfrm_dev_notifier = { 2281 xfrm_dev_event, 2282 NULL, 2283 0 2284 }; 2285 2286 static void __init xfrm_policy_init(void) 2287 { 2288 unsigned int hmask, sz; 2289 int dir; 2290 2291 xfrm_dst_cache = kmem_cache_create("xfrm_dst_cache", 2292 sizeof(struct xfrm_dst), 2293 0, SLAB_HWCACHE_ALIGN|SLAB_PANIC, 2294 NULL, NULL); 2295 2296 hmask = 8 - 1; 2297 sz = (hmask+1) * sizeof(struct hlist_head); 2298 2299 xfrm_policy_byidx = xfrm_hash_alloc(sz); 2300 xfrm_idx_hmask = hmask; 2301 if (!xfrm_policy_byidx) 2302 panic("XFRM: failed to allocate byidx hash\n"); 2303 2304 for (dir = 0; dir < XFRM_POLICY_MAX * 2; dir++) { 2305 struct xfrm_policy_hash *htab; 2306 2307 INIT_HLIST_HEAD(&xfrm_policy_inexact[dir]); 2308 2309 htab = &xfrm_policy_bydst[dir]; 2310 htab->table = xfrm_hash_alloc(sz); 2311 htab->hmask = hmask; 2312 if (!htab->table) 2313 panic("XFRM: failed to allocate bydst hash\n"); 2314 } 2315 2316 INIT_WORK(&xfrm_policy_gc_work, xfrm_policy_gc_task); 2317 register_netdevice_notifier(&xfrm_dev_notifier); 2318 } 2319 2320 void __init xfrm_init(void) 2321 { 2322 xfrm_state_init(); 2323 xfrm_policy_init(); 2324 xfrm_input_init(); 2325 } 2326 2327 #ifdef CONFIG_XFRM_MIGRATE 2328 static int xfrm_migrate_selector_match(struct xfrm_selector *sel_cmp, 2329 struct xfrm_selector *sel_tgt) 2330 { 2331 if (sel_cmp->proto == IPSEC_ULPROTO_ANY) { 2332 if (sel_tgt->family == sel_cmp->family && 2333 xfrm_addr_cmp(&sel_tgt->daddr, &sel_cmp->daddr, 2334 sel_cmp->family) == 0 && 2335 xfrm_addr_cmp(&sel_tgt->saddr, &sel_cmp->saddr, 2336 sel_cmp->family) == 0 && 2337 sel_tgt->prefixlen_d == sel_cmp->prefixlen_d && 2338 sel_tgt->prefixlen_s == sel_cmp->prefixlen_s) { 2339 return 1; 2340 } 2341 } else { 2342 if (memcmp(sel_tgt, sel_cmp, sizeof(*sel_tgt)) == 0) { 2343 return 1; 2344 } 2345 } 2346 return 0; 2347 } 2348 2349 static struct xfrm_policy * xfrm_migrate_policy_find(struct xfrm_selector *sel, 2350 u8 dir, u8 type) 2351 { 2352 struct xfrm_policy *pol, *ret = NULL; 2353 struct hlist_node *entry; 2354 struct hlist_head *chain; 2355 u32 priority = ~0U; 2356 2357 read_lock_bh(&xfrm_policy_lock); 2358 chain = policy_hash_direct(&sel->daddr, &sel->saddr, sel->family, dir); 2359 hlist_for_each_entry(pol, entry, chain, bydst) { 2360 if (xfrm_migrate_selector_match(sel, &pol->selector) && 2361 pol->type == type) { 2362 ret = pol; 2363 priority = ret->priority; 2364 break; 2365 } 2366 } 2367 chain = &xfrm_policy_inexact[dir]; 2368 hlist_for_each_entry(pol, entry, chain, bydst) { 2369 if (xfrm_migrate_selector_match(sel, &pol->selector) && 2370 pol->type == type && 2371 pol->priority < priority) { 2372 ret = pol; 2373 break; 2374 } 2375 } 2376 2377 if (ret) 2378 xfrm_pol_hold(ret); 2379 2380 read_unlock_bh(&xfrm_policy_lock); 2381 2382 return ret; 2383 } 2384 2385 static int migrate_tmpl_match(struct xfrm_migrate *m, struct xfrm_tmpl *t) 2386 { 2387 int match = 0; 2388 2389 if (t->mode == m->mode && t->id.proto == m->proto && 2390 (m->reqid == 0 || t->reqid == m->reqid)) { 2391 switch (t->mode) { 2392 case XFRM_MODE_TUNNEL: 2393 case XFRM_MODE_BEET: 2394 if (xfrm_addr_cmp(&t->id.daddr, &m->old_daddr, 2395 m->old_family) == 0 && 2396 xfrm_addr_cmp(&t->saddr, &m->old_saddr, 2397 m->old_family) == 0) { 2398 match = 1; 2399 } 2400 break; 2401 case XFRM_MODE_TRANSPORT: 2402 /* in case of transport mode, template does not store 2403 any IP addresses, hence we just compare mode and 2404 protocol */ 2405 match = 1; 2406 break; 2407 default: 2408 break; 2409 } 2410 } 2411 return match; 2412 } 2413 2414 /* update endpoint address(es) of template(s) */ 2415 static int xfrm_policy_migrate(struct xfrm_policy *pol, 2416 struct xfrm_migrate *m, int num_migrate) 2417 { 2418 struct xfrm_migrate *mp; 2419 struct dst_entry *dst; 2420 int i, j, n = 0; 2421 2422 write_lock_bh(&pol->lock); 2423 if (unlikely(pol->dead)) { 2424 /* target policy has been deleted */ 2425 write_unlock_bh(&pol->lock); 2426 return -ENOENT; 2427 } 2428 2429 for (i = 0; i < pol->xfrm_nr; i++) { 2430 for (j = 0, mp = m; j < num_migrate; j++, mp++) { 2431 if (!migrate_tmpl_match(mp, &pol->xfrm_vec[i])) 2432 continue; 2433 n++; 2434 if (pol->xfrm_vec[i].mode != XFRM_MODE_TUNNEL) 2435 continue; 2436 /* update endpoints */ 2437 memcpy(&pol->xfrm_vec[i].id.daddr, &mp->new_daddr, 2438 sizeof(pol->xfrm_vec[i].id.daddr)); 2439 memcpy(&pol->xfrm_vec[i].saddr, &mp->new_saddr, 2440 sizeof(pol->xfrm_vec[i].saddr)); 2441 pol->xfrm_vec[i].encap_family = mp->new_family; 2442 /* flush bundles */ 2443 while ((dst = pol->bundles) != NULL) { 2444 pol->bundles = dst->next; 2445 dst_free(dst); 2446 } 2447 } 2448 } 2449 2450 write_unlock_bh(&pol->lock); 2451 2452 if (!n) 2453 return -ENODATA; 2454 2455 return 0; 2456 } 2457 2458 static int xfrm_migrate_check(struct xfrm_migrate *m, int num_migrate) 2459 { 2460 int i, j; 2461 2462 if (num_migrate < 1 || num_migrate > XFRM_MAX_DEPTH) 2463 return -EINVAL; 2464 2465 for (i = 0; i < num_migrate; i++) { 2466 if ((xfrm_addr_cmp(&m[i].old_daddr, &m[i].new_daddr, 2467 m[i].old_family) == 0) && 2468 (xfrm_addr_cmp(&m[i].old_saddr, &m[i].new_saddr, 2469 m[i].old_family) == 0)) 2470 return -EINVAL; 2471 if (xfrm_addr_any(&m[i].new_daddr, m[i].new_family) || 2472 xfrm_addr_any(&m[i].new_saddr, m[i].new_family)) 2473 return -EINVAL; 2474 2475 /* check if there is any duplicated entry */ 2476 for (j = i + 1; j < num_migrate; j++) { 2477 if (!memcmp(&m[i].old_daddr, &m[j].old_daddr, 2478 sizeof(m[i].old_daddr)) && 2479 !memcmp(&m[i].old_saddr, &m[j].old_saddr, 2480 sizeof(m[i].old_saddr)) && 2481 m[i].proto == m[j].proto && 2482 m[i].mode == m[j].mode && 2483 m[i].reqid == m[j].reqid && 2484 m[i].old_family == m[j].old_family) 2485 return -EINVAL; 2486 } 2487 } 2488 2489 return 0; 2490 } 2491 2492 int xfrm_migrate(struct xfrm_selector *sel, u8 dir, u8 type, 2493 struct xfrm_migrate *m, int num_migrate) 2494 { 2495 int i, err, nx_cur = 0, nx_new = 0; 2496 struct xfrm_policy *pol = NULL; 2497 struct xfrm_state *x, *xc; 2498 struct xfrm_state *x_cur[XFRM_MAX_DEPTH]; 2499 struct xfrm_state *x_new[XFRM_MAX_DEPTH]; 2500 struct xfrm_migrate *mp; 2501 2502 if ((err = xfrm_migrate_check(m, num_migrate)) < 0) 2503 goto out; 2504 2505 /* Stage 1 - find policy */ 2506 if ((pol = xfrm_migrate_policy_find(sel, dir, type)) == NULL) { 2507 err = -ENOENT; 2508 goto out; 2509 } 2510 2511 /* Stage 2 - find and update state(s) */ 2512 for (i = 0, mp = m; i < num_migrate; i++, mp++) { 2513 if ((x = xfrm_migrate_state_find(mp))) { 2514 x_cur[nx_cur] = x; 2515 nx_cur++; 2516 if ((xc = xfrm_state_migrate(x, mp))) { 2517 x_new[nx_new] = xc; 2518 nx_new++; 2519 } else { 2520 err = -ENODATA; 2521 goto restore_state; 2522 } 2523 } 2524 } 2525 2526 /* Stage 3 - update policy */ 2527 if ((err = xfrm_policy_migrate(pol, m, num_migrate)) < 0) 2528 goto restore_state; 2529 2530 /* Stage 4 - delete old state(s) */ 2531 if (nx_cur) { 2532 xfrm_states_put(x_cur, nx_cur); 2533 xfrm_states_delete(x_cur, nx_cur); 2534 } 2535 2536 /* Stage 5 - announce */ 2537 km_migrate(sel, dir, type, m, num_migrate); 2538 2539 xfrm_pol_put(pol); 2540 2541 return 0; 2542 out: 2543 return err; 2544 2545 restore_state: 2546 if (pol) 2547 xfrm_pol_put(pol); 2548 if (nx_cur) 2549 xfrm_states_put(x_cur, nx_cur); 2550 if (nx_new) 2551 xfrm_states_delete(x_new, nx_new); 2552 2553 return err; 2554 } 2555 EXPORT_SYMBOL(xfrm_migrate); 2556 #endif 2557 2558