1 /* xfrm_user.c: User interface to configure xfrm engine. 2 * 3 * Copyright (C) 2002 David S. Miller (davem@redhat.com) 4 * 5 * Changes: 6 * Mitsuru KANDA @USAGI 7 * Kazunori MIYAZAWA @USAGI 8 * Kunihiro Ishiguro <kunihiro@ipinfusion.com> 9 * IPv6 support 10 * 11 */ 12 13 #include <linux/module.h> 14 #include <linux/kernel.h> 15 #include <linux/types.h> 16 #include <linux/slab.h> 17 #include <linux/socket.h> 18 #include <linux/string.h> 19 #include <linux/net.h> 20 #include <linux/skbuff.h> 21 #include <linux/netlink.h> 22 #include <linux/rtnetlink.h> 23 #include <linux/pfkeyv2.h> 24 #include <linux/ipsec.h> 25 #include <linux/init.h> 26 #include <linux/security.h> 27 #include <net/sock.h> 28 #include <net/xfrm.h> 29 #include <asm/uaccess.h> 30 31 static struct sock *xfrm_nl; 32 33 static int verify_one_alg(struct rtattr **xfrma, enum xfrm_attr_type_t type) 34 { 35 struct rtattr *rt = xfrma[type - 1]; 36 struct xfrm_algo *algp; 37 38 if (!rt) 39 return 0; 40 41 if ((rt->rta_len - sizeof(*rt)) < sizeof(*algp)) 42 return -EINVAL; 43 44 algp = RTA_DATA(rt); 45 switch (type) { 46 case XFRMA_ALG_AUTH: 47 if (!algp->alg_key_len && 48 strcmp(algp->alg_name, "digest_null") != 0) 49 return -EINVAL; 50 break; 51 52 case XFRMA_ALG_CRYPT: 53 if (!algp->alg_key_len && 54 strcmp(algp->alg_name, "cipher_null") != 0) 55 return -EINVAL; 56 break; 57 58 case XFRMA_ALG_COMP: 59 /* Zero length keys are legal. */ 60 break; 61 62 default: 63 return -EINVAL; 64 }; 65 66 algp->alg_name[CRYPTO_MAX_ALG_NAME - 1] = '\0'; 67 return 0; 68 } 69 70 static int verify_encap_tmpl(struct rtattr **xfrma) 71 { 72 struct rtattr *rt = xfrma[XFRMA_ENCAP - 1]; 73 struct xfrm_encap_tmpl *encap; 74 75 if (!rt) 76 return 0; 77 78 if ((rt->rta_len - sizeof(*rt)) < sizeof(*encap)) 79 return -EINVAL; 80 81 return 0; 82 } 83 84 static int verify_newsa_info(struct xfrm_usersa_info *p, 85 struct rtattr **xfrma) 86 { 87 int err; 88 89 err = -EINVAL; 90 switch (p->family) { 91 case AF_INET: 92 break; 93 94 case AF_INET6: 95 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 96 break; 97 #else 98 err = -EAFNOSUPPORT; 99 goto out; 100 #endif 101 102 default: 103 goto out; 104 }; 105 106 err = -EINVAL; 107 switch (p->id.proto) { 108 case IPPROTO_AH: 109 if (!xfrma[XFRMA_ALG_AUTH-1] || 110 xfrma[XFRMA_ALG_CRYPT-1] || 111 xfrma[XFRMA_ALG_COMP-1]) 112 goto out; 113 break; 114 115 case IPPROTO_ESP: 116 if ((!xfrma[XFRMA_ALG_AUTH-1] && 117 !xfrma[XFRMA_ALG_CRYPT-1]) || 118 xfrma[XFRMA_ALG_COMP-1]) 119 goto out; 120 break; 121 122 case IPPROTO_COMP: 123 if (!xfrma[XFRMA_ALG_COMP-1] || 124 xfrma[XFRMA_ALG_AUTH-1] || 125 xfrma[XFRMA_ALG_CRYPT-1]) 126 goto out; 127 break; 128 129 default: 130 goto out; 131 }; 132 133 if ((err = verify_one_alg(xfrma, XFRMA_ALG_AUTH))) 134 goto out; 135 if ((err = verify_one_alg(xfrma, XFRMA_ALG_CRYPT))) 136 goto out; 137 if ((err = verify_one_alg(xfrma, XFRMA_ALG_COMP))) 138 goto out; 139 if ((err = verify_encap_tmpl(xfrma))) 140 goto out; 141 142 err = -EINVAL; 143 switch (p->mode) { 144 case 0: 145 case 1: 146 break; 147 148 default: 149 goto out; 150 }; 151 152 err = 0; 153 154 out: 155 return err; 156 } 157 158 static int attach_one_algo(struct xfrm_algo **algpp, u8 *props, 159 struct xfrm_algo_desc *(*get_byname)(char *, int), 160 struct rtattr *u_arg) 161 { 162 struct rtattr *rta = u_arg; 163 struct xfrm_algo *p, *ualg; 164 struct xfrm_algo_desc *algo; 165 166 if (!rta) 167 return 0; 168 169 ualg = RTA_DATA(rta); 170 171 algo = get_byname(ualg->alg_name, 1); 172 if (!algo) 173 return -ENOSYS; 174 *props = algo->desc.sadb_alg_id; 175 176 p = kmalloc(sizeof(*ualg) + ualg->alg_key_len, GFP_KERNEL); 177 if (!p) 178 return -ENOMEM; 179 180 memcpy(p, ualg, sizeof(*ualg) + ualg->alg_key_len); 181 *algpp = p; 182 return 0; 183 } 184 185 static int attach_encap_tmpl(struct xfrm_encap_tmpl **encapp, struct rtattr *u_arg) 186 { 187 struct rtattr *rta = u_arg; 188 struct xfrm_encap_tmpl *p, *uencap; 189 190 if (!rta) 191 return 0; 192 193 uencap = RTA_DATA(rta); 194 p = kmalloc(sizeof(*p), GFP_KERNEL); 195 if (!p) 196 return -ENOMEM; 197 198 memcpy(p, uencap, sizeof(*p)); 199 *encapp = p; 200 return 0; 201 } 202 203 static void copy_from_user_state(struct xfrm_state *x, struct xfrm_usersa_info *p) 204 { 205 memcpy(&x->id, &p->id, sizeof(x->id)); 206 memcpy(&x->sel, &p->sel, sizeof(x->sel)); 207 memcpy(&x->lft, &p->lft, sizeof(x->lft)); 208 x->props.mode = p->mode; 209 x->props.replay_window = p->replay_window; 210 x->props.reqid = p->reqid; 211 x->props.family = p->family; 212 x->props.saddr = p->saddr; 213 x->props.flags = p->flags; 214 } 215 216 static struct xfrm_state *xfrm_state_construct(struct xfrm_usersa_info *p, 217 struct rtattr **xfrma, 218 int *errp) 219 { 220 struct xfrm_state *x = xfrm_state_alloc(); 221 int err = -ENOMEM; 222 223 if (!x) 224 goto error_no_put; 225 226 copy_from_user_state(x, p); 227 228 if ((err = attach_one_algo(&x->aalg, &x->props.aalgo, 229 xfrm_aalg_get_byname, 230 xfrma[XFRMA_ALG_AUTH-1]))) 231 goto error; 232 if ((err = attach_one_algo(&x->ealg, &x->props.ealgo, 233 xfrm_ealg_get_byname, 234 xfrma[XFRMA_ALG_CRYPT-1]))) 235 goto error; 236 if ((err = attach_one_algo(&x->calg, &x->props.calgo, 237 xfrm_calg_get_byname, 238 xfrma[XFRMA_ALG_COMP-1]))) 239 goto error; 240 if ((err = attach_encap_tmpl(&x->encap, xfrma[XFRMA_ENCAP-1]))) 241 goto error; 242 243 err = -ENOENT; 244 x->type = xfrm_get_type(x->id.proto, x->props.family); 245 if (x->type == NULL) 246 goto error; 247 248 err = x->type->init_state(x, NULL); 249 if (err) 250 goto error; 251 252 x->curlft.add_time = (unsigned long) xtime.tv_sec; 253 x->km.state = XFRM_STATE_VALID; 254 x->km.seq = p->seq; 255 256 return x; 257 258 error: 259 x->km.state = XFRM_STATE_DEAD; 260 xfrm_state_put(x); 261 error_no_put: 262 *errp = err; 263 return NULL; 264 } 265 266 static int xfrm_add_sa(struct sk_buff *skb, struct nlmsghdr *nlh, void **xfrma) 267 { 268 struct xfrm_usersa_info *p = NLMSG_DATA(nlh); 269 struct xfrm_state *x; 270 int err; 271 272 err = verify_newsa_info(p, (struct rtattr **) xfrma); 273 if (err) 274 return err; 275 276 x = xfrm_state_construct(p, (struct rtattr **) xfrma, &err); 277 if (!x) 278 return err; 279 280 if (nlh->nlmsg_type == XFRM_MSG_NEWSA) 281 err = xfrm_state_add(x); 282 else 283 err = xfrm_state_update(x); 284 285 if (err < 0) { 286 x->km.state = XFRM_STATE_DEAD; 287 xfrm_state_put(x); 288 } 289 290 return err; 291 } 292 293 static int xfrm_del_sa(struct sk_buff *skb, struct nlmsghdr *nlh, void **xfrma) 294 { 295 struct xfrm_state *x; 296 struct xfrm_usersa_id *p = NLMSG_DATA(nlh); 297 298 x = xfrm_state_lookup(&p->daddr, p->spi, p->proto, p->family); 299 if (x == NULL) 300 return -ESRCH; 301 302 if (xfrm_state_kern(x)) { 303 xfrm_state_put(x); 304 return -EPERM; 305 } 306 307 xfrm_state_delete(x); 308 xfrm_state_put(x); 309 310 return 0; 311 } 312 313 static void copy_to_user_state(struct xfrm_state *x, struct xfrm_usersa_info *p) 314 { 315 memcpy(&p->id, &x->id, sizeof(p->id)); 316 memcpy(&p->sel, &x->sel, sizeof(p->sel)); 317 memcpy(&p->lft, &x->lft, sizeof(p->lft)); 318 memcpy(&p->curlft, &x->curlft, sizeof(p->curlft)); 319 memcpy(&p->stats, &x->stats, sizeof(p->stats)); 320 p->saddr = x->props.saddr; 321 p->mode = x->props.mode; 322 p->replay_window = x->props.replay_window; 323 p->reqid = x->props.reqid; 324 p->family = x->props.family; 325 p->flags = x->props.flags; 326 p->seq = x->km.seq; 327 } 328 329 struct xfrm_dump_info { 330 struct sk_buff *in_skb; 331 struct sk_buff *out_skb; 332 u32 nlmsg_seq; 333 u16 nlmsg_flags; 334 int start_idx; 335 int this_idx; 336 }; 337 338 static int dump_one_state(struct xfrm_state *x, int count, void *ptr) 339 { 340 struct xfrm_dump_info *sp = ptr; 341 struct sk_buff *in_skb = sp->in_skb; 342 struct sk_buff *skb = sp->out_skb; 343 struct xfrm_usersa_info *p; 344 struct nlmsghdr *nlh; 345 unsigned char *b = skb->tail; 346 347 if (sp->this_idx < sp->start_idx) 348 goto out; 349 350 nlh = NLMSG_PUT(skb, NETLINK_CB(in_skb).pid, 351 sp->nlmsg_seq, 352 XFRM_MSG_NEWSA, sizeof(*p)); 353 nlh->nlmsg_flags = sp->nlmsg_flags; 354 355 p = NLMSG_DATA(nlh); 356 copy_to_user_state(x, p); 357 358 if (x->aalg) 359 RTA_PUT(skb, XFRMA_ALG_AUTH, 360 sizeof(*(x->aalg))+(x->aalg->alg_key_len+7)/8, x->aalg); 361 if (x->ealg) 362 RTA_PUT(skb, XFRMA_ALG_CRYPT, 363 sizeof(*(x->ealg))+(x->ealg->alg_key_len+7)/8, x->ealg); 364 if (x->calg) 365 RTA_PUT(skb, XFRMA_ALG_COMP, sizeof(*(x->calg)), x->calg); 366 367 if (x->encap) 368 RTA_PUT(skb, XFRMA_ENCAP, sizeof(*x->encap), x->encap); 369 370 nlh->nlmsg_len = skb->tail - b; 371 out: 372 sp->this_idx++; 373 return 0; 374 375 nlmsg_failure: 376 rtattr_failure: 377 skb_trim(skb, b - skb->data); 378 return -1; 379 } 380 381 static int xfrm_dump_sa(struct sk_buff *skb, struct netlink_callback *cb) 382 { 383 struct xfrm_dump_info info; 384 385 info.in_skb = cb->skb; 386 info.out_skb = skb; 387 info.nlmsg_seq = cb->nlh->nlmsg_seq; 388 info.nlmsg_flags = NLM_F_MULTI; 389 info.this_idx = 0; 390 info.start_idx = cb->args[0]; 391 (void) xfrm_state_walk(IPSEC_PROTO_ANY, dump_one_state, &info); 392 cb->args[0] = info.this_idx; 393 394 return skb->len; 395 } 396 397 static struct sk_buff *xfrm_state_netlink(struct sk_buff *in_skb, 398 struct xfrm_state *x, u32 seq) 399 { 400 struct xfrm_dump_info info; 401 struct sk_buff *skb; 402 403 skb = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC); 404 if (!skb) 405 return ERR_PTR(-ENOMEM); 406 407 NETLINK_CB(skb).dst_pid = NETLINK_CB(in_skb).pid; 408 info.in_skb = in_skb; 409 info.out_skb = skb; 410 info.nlmsg_seq = seq; 411 info.nlmsg_flags = 0; 412 info.this_idx = info.start_idx = 0; 413 414 if (dump_one_state(x, 0, &info)) { 415 kfree_skb(skb); 416 return NULL; 417 } 418 419 return skb; 420 } 421 422 static int xfrm_get_sa(struct sk_buff *skb, struct nlmsghdr *nlh, void **xfrma) 423 { 424 struct xfrm_usersa_id *p = NLMSG_DATA(nlh); 425 struct xfrm_state *x; 426 struct sk_buff *resp_skb; 427 int err; 428 429 x = xfrm_state_lookup(&p->daddr, p->spi, p->proto, p->family); 430 err = -ESRCH; 431 if (x == NULL) 432 goto out_noput; 433 434 resp_skb = xfrm_state_netlink(skb, x, nlh->nlmsg_seq); 435 if (IS_ERR(resp_skb)) { 436 err = PTR_ERR(resp_skb); 437 } else { 438 err = netlink_unicast(xfrm_nl, resp_skb, 439 NETLINK_CB(skb).pid, MSG_DONTWAIT); 440 } 441 xfrm_state_put(x); 442 out_noput: 443 return err; 444 } 445 446 static int verify_userspi_info(struct xfrm_userspi_info *p) 447 { 448 switch (p->info.id.proto) { 449 case IPPROTO_AH: 450 case IPPROTO_ESP: 451 break; 452 453 case IPPROTO_COMP: 454 /* IPCOMP spi is 16-bits. */ 455 if (p->max >= 0x10000) 456 return -EINVAL; 457 break; 458 459 default: 460 return -EINVAL; 461 }; 462 463 if (p->min > p->max) 464 return -EINVAL; 465 466 return 0; 467 } 468 469 static int xfrm_alloc_userspi(struct sk_buff *skb, struct nlmsghdr *nlh, void **xfrma) 470 { 471 struct xfrm_state *x; 472 struct xfrm_userspi_info *p; 473 struct sk_buff *resp_skb; 474 xfrm_address_t *daddr; 475 int family; 476 int err; 477 478 p = NLMSG_DATA(nlh); 479 err = verify_userspi_info(p); 480 if (err) 481 goto out_noput; 482 483 family = p->info.family; 484 daddr = &p->info.id.daddr; 485 486 x = NULL; 487 if (p->info.seq) { 488 x = xfrm_find_acq_byseq(p->info.seq); 489 if (x && xfrm_addr_cmp(&x->id.daddr, daddr, family)) { 490 xfrm_state_put(x); 491 x = NULL; 492 } 493 } 494 495 if (!x) 496 x = xfrm_find_acq(p->info.mode, p->info.reqid, 497 p->info.id.proto, daddr, 498 &p->info.saddr, 1, 499 family); 500 err = -ENOENT; 501 if (x == NULL) 502 goto out_noput; 503 504 resp_skb = ERR_PTR(-ENOENT); 505 506 spin_lock_bh(&x->lock); 507 if (x->km.state != XFRM_STATE_DEAD) { 508 xfrm_alloc_spi(x, htonl(p->min), htonl(p->max)); 509 if (x->id.spi) 510 resp_skb = xfrm_state_netlink(skb, x, nlh->nlmsg_seq); 511 } 512 spin_unlock_bh(&x->lock); 513 514 if (IS_ERR(resp_skb)) { 515 err = PTR_ERR(resp_skb); 516 goto out; 517 } 518 519 err = netlink_unicast(xfrm_nl, resp_skb, 520 NETLINK_CB(skb).pid, MSG_DONTWAIT); 521 522 out: 523 xfrm_state_put(x); 524 out_noput: 525 return err; 526 } 527 528 static int verify_policy_dir(__u8 dir) 529 { 530 switch (dir) { 531 case XFRM_POLICY_IN: 532 case XFRM_POLICY_OUT: 533 case XFRM_POLICY_FWD: 534 break; 535 536 default: 537 return -EINVAL; 538 }; 539 540 return 0; 541 } 542 543 static int verify_newpolicy_info(struct xfrm_userpolicy_info *p) 544 { 545 switch (p->share) { 546 case XFRM_SHARE_ANY: 547 case XFRM_SHARE_SESSION: 548 case XFRM_SHARE_USER: 549 case XFRM_SHARE_UNIQUE: 550 break; 551 552 default: 553 return -EINVAL; 554 }; 555 556 switch (p->action) { 557 case XFRM_POLICY_ALLOW: 558 case XFRM_POLICY_BLOCK: 559 break; 560 561 default: 562 return -EINVAL; 563 }; 564 565 switch (p->sel.family) { 566 case AF_INET: 567 break; 568 569 case AF_INET6: 570 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 571 break; 572 #else 573 return -EAFNOSUPPORT; 574 #endif 575 576 default: 577 return -EINVAL; 578 }; 579 580 return verify_policy_dir(p->dir); 581 } 582 583 static void copy_templates(struct xfrm_policy *xp, struct xfrm_user_tmpl *ut, 584 int nr) 585 { 586 int i; 587 588 xp->xfrm_nr = nr; 589 for (i = 0; i < nr; i++, ut++) { 590 struct xfrm_tmpl *t = &xp->xfrm_vec[i]; 591 592 memcpy(&t->id, &ut->id, sizeof(struct xfrm_id)); 593 memcpy(&t->saddr, &ut->saddr, 594 sizeof(xfrm_address_t)); 595 t->reqid = ut->reqid; 596 t->mode = ut->mode; 597 t->share = ut->share; 598 t->optional = ut->optional; 599 t->aalgos = ut->aalgos; 600 t->ealgos = ut->ealgos; 601 t->calgos = ut->calgos; 602 } 603 } 604 605 static int copy_from_user_tmpl(struct xfrm_policy *pol, struct rtattr **xfrma) 606 { 607 struct rtattr *rt = xfrma[XFRMA_TMPL-1]; 608 struct xfrm_user_tmpl *utmpl; 609 int nr; 610 611 if (!rt) { 612 pol->xfrm_nr = 0; 613 } else { 614 nr = (rt->rta_len - sizeof(*rt)) / sizeof(*utmpl); 615 616 if (nr > XFRM_MAX_DEPTH) 617 return -EINVAL; 618 619 copy_templates(pol, RTA_DATA(rt), nr); 620 } 621 return 0; 622 } 623 624 static void copy_from_user_policy(struct xfrm_policy *xp, struct xfrm_userpolicy_info *p) 625 { 626 xp->priority = p->priority; 627 xp->index = p->index; 628 memcpy(&xp->selector, &p->sel, sizeof(xp->selector)); 629 memcpy(&xp->lft, &p->lft, sizeof(xp->lft)); 630 xp->action = p->action; 631 xp->flags = p->flags; 632 xp->family = p->sel.family; 633 /* XXX xp->share = p->share; */ 634 } 635 636 static void copy_to_user_policy(struct xfrm_policy *xp, struct xfrm_userpolicy_info *p, int dir) 637 { 638 memcpy(&p->sel, &xp->selector, sizeof(p->sel)); 639 memcpy(&p->lft, &xp->lft, sizeof(p->lft)); 640 memcpy(&p->curlft, &xp->curlft, sizeof(p->curlft)); 641 p->priority = xp->priority; 642 p->index = xp->index; 643 p->sel.family = xp->family; 644 p->dir = dir; 645 p->action = xp->action; 646 p->flags = xp->flags; 647 p->share = XFRM_SHARE_ANY; /* XXX xp->share */ 648 } 649 650 static struct xfrm_policy *xfrm_policy_construct(struct xfrm_userpolicy_info *p, struct rtattr **xfrma, int *errp) 651 { 652 struct xfrm_policy *xp = xfrm_policy_alloc(GFP_KERNEL); 653 int err; 654 655 if (!xp) { 656 *errp = -ENOMEM; 657 return NULL; 658 } 659 660 copy_from_user_policy(xp, p); 661 err = copy_from_user_tmpl(xp, xfrma); 662 if (err) { 663 *errp = err; 664 kfree(xp); 665 xp = NULL; 666 } 667 668 return xp; 669 } 670 671 static int xfrm_add_policy(struct sk_buff *skb, struct nlmsghdr *nlh, void **xfrma) 672 { 673 struct xfrm_userpolicy_info *p = NLMSG_DATA(nlh); 674 struct xfrm_policy *xp; 675 int err; 676 int excl; 677 678 err = verify_newpolicy_info(p); 679 if (err) 680 return err; 681 682 xp = xfrm_policy_construct(p, (struct rtattr **) xfrma, &err); 683 if (!xp) 684 return err; 685 686 excl = nlh->nlmsg_type == XFRM_MSG_NEWPOLICY; 687 err = xfrm_policy_insert(p->dir, xp, excl); 688 if (err) { 689 kfree(xp); 690 return err; 691 } 692 693 xfrm_pol_put(xp); 694 695 return 0; 696 } 697 698 static int copy_to_user_tmpl(struct xfrm_policy *xp, struct sk_buff *skb) 699 { 700 struct xfrm_user_tmpl vec[XFRM_MAX_DEPTH]; 701 int i; 702 703 if (xp->xfrm_nr == 0) 704 return 0; 705 706 for (i = 0; i < xp->xfrm_nr; i++) { 707 struct xfrm_user_tmpl *up = &vec[i]; 708 struct xfrm_tmpl *kp = &xp->xfrm_vec[i]; 709 710 memcpy(&up->id, &kp->id, sizeof(up->id)); 711 up->family = xp->family; 712 memcpy(&up->saddr, &kp->saddr, sizeof(up->saddr)); 713 up->reqid = kp->reqid; 714 up->mode = kp->mode; 715 up->share = kp->share; 716 up->optional = kp->optional; 717 up->aalgos = kp->aalgos; 718 up->ealgos = kp->ealgos; 719 up->calgos = kp->calgos; 720 } 721 RTA_PUT(skb, XFRMA_TMPL, 722 (sizeof(struct xfrm_user_tmpl) * xp->xfrm_nr), 723 vec); 724 725 return 0; 726 727 rtattr_failure: 728 return -1; 729 } 730 731 static int dump_one_policy(struct xfrm_policy *xp, int dir, int count, void *ptr) 732 { 733 struct xfrm_dump_info *sp = ptr; 734 struct xfrm_userpolicy_info *p; 735 struct sk_buff *in_skb = sp->in_skb; 736 struct sk_buff *skb = sp->out_skb; 737 struct nlmsghdr *nlh; 738 unsigned char *b = skb->tail; 739 740 if (sp->this_idx < sp->start_idx) 741 goto out; 742 743 nlh = NLMSG_PUT(skb, NETLINK_CB(in_skb).pid, 744 sp->nlmsg_seq, 745 XFRM_MSG_NEWPOLICY, sizeof(*p)); 746 p = NLMSG_DATA(nlh); 747 nlh->nlmsg_flags = sp->nlmsg_flags; 748 749 copy_to_user_policy(xp, p, dir); 750 if (copy_to_user_tmpl(xp, skb) < 0) 751 goto nlmsg_failure; 752 753 nlh->nlmsg_len = skb->tail - b; 754 out: 755 sp->this_idx++; 756 return 0; 757 758 nlmsg_failure: 759 skb_trim(skb, b - skb->data); 760 return -1; 761 } 762 763 static int xfrm_dump_policy(struct sk_buff *skb, struct netlink_callback *cb) 764 { 765 struct xfrm_dump_info info; 766 767 info.in_skb = cb->skb; 768 info.out_skb = skb; 769 info.nlmsg_seq = cb->nlh->nlmsg_seq; 770 info.nlmsg_flags = NLM_F_MULTI; 771 info.this_idx = 0; 772 info.start_idx = cb->args[0]; 773 (void) xfrm_policy_walk(dump_one_policy, &info); 774 cb->args[0] = info.this_idx; 775 776 return skb->len; 777 } 778 779 static struct sk_buff *xfrm_policy_netlink(struct sk_buff *in_skb, 780 struct xfrm_policy *xp, 781 int dir, u32 seq) 782 { 783 struct xfrm_dump_info info; 784 struct sk_buff *skb; 785 786 skb = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL); 787 if (!skb) 788 return ERR_PTR(-ENOMEM); 789 790 NETLINK_CB(skb).dst_pid = NETLINK_CB(in_skb).pid; 791 info.in_skb = in_skb; 792 info.out_skb = skb; 793 info.nlmsg_seq = seq; 794 info.nlmsg_flags = 0; 795 info.this_idx = info.start_idx = 0; 796 797 if (dump_one_policy(xp, dir, 0, &info) < 0) { 798 kfree_skb(skb); 799 return NULL; 800 } 801 802 return skb; 803 } 804 805 static int xfrm_get_policy(struct sk_buff *skb, struct nlmsghdr *nlh, void **xfrma) 806 { 807 struct xfrm_policy *xp; 808 struct xfrm_userpolicy_id *p; 809 int err; 810 int delete; 811 812 p = NLMSG_DATA(nlh); 813 delete = nlh->nlmsg_type == XFRM_MSG_DELPOLICY; 814 815 err = verify_policy_dir(p->dir); 816 if (err) 817 return err; 818 819 if (p->index) 820 xp = xfrm_policy_byid(p->dir, p->index, delete); 821 else 822 xp = xfrm_policy_bysel(p->dir, &p->sel, delete); 823 if (xp == NULL) 824 return -ENOENT; 825 826 if (!delete) { 827 struct sk_buff *resp_skb; 828 829 resp_skb = xfrm_policy_netlink(skb, xp, p->dir, nlh->nlmsg_seq); 830 if (IS_ERR(resp_skb)) { 831 err = PTR_ERR(resp_skb); 832 } else { 833 err = netlink_unicast(xfrm_nl, resp_skb, 834 NETLINK_CB(skb).pid, 835 MSG_DONTWAIT); 836 } 837 } 838 839 xfrm_pol_put(xp); 840 841 return err; 842 } 843 844 static int xfrm_flush_sa(struct sk_buff *skb, struct nlmsghdr *nlh, void **xfrma) 845 { 846 struct xfrm_usersa_flush *p = NLMSG_DATA(nlh); 847 848 xfrm_state_flush(p->proto); 849 return 0; 850 } 851 852 static int xfrm_flush_policy(struct sk_buff *skb, struct nlmsghdr *nlh, void **xfrma) 853 { 854 xfrm_policy_flush(); 855 return 0; 856 } 857 858 #define XMSGSIZE(type) NLMSG_LENGTH(sizeof(struct type)) 859 860 static const int xfrm_msg_min[XFRM_NR_MSGTYPES] = { 861 [XFRM_MSG_NEWSA - XFRM_MSG_BASE] = XMSGSIZE(xfrm_usersa_info), 862 [XFRM_MSG_DELSA - XFRM_MSG_BASE] = XMSGSIZE(xfrm_usersa_id), 863 [XFRM_MSG_GETSA - XFRM_MSG_BASE] = XMSGSIZE(xfrm_usersa_id), 864 [XFRM_MSG_NEWPOLICY - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userpolicy_info), 865 [XFRM_MSG_DELPOLICY - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userpolicy_id), 866 [XFRM_MSG_GETPOLICY - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userpolicy_id), 867 [XFRM_MSG_ALLOCSPI - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userspi_info), 868 [XFRM_MSG_ACQUIRE - XFRM_MSG_BASE] = XMSGSIZE(xfrm_user_acquire), 869 [XFRM_MSG_EXPIRE - XFRM_MSG_BASE] = XMSGSIZE(xfrm_user_expire), 870 [XFRM_MSG_UPDPOLICY - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userpolicy_info), 871 [XFRM_MSG_UPDSA - XFRM_MSG_BASE] = XMSGSIZE(xfrm_usersa_info), 872 [XFRM_MSG_POLEXPIRE - XFRM_MSG_BASE] = XMSGSIZE(xfrm_user_polexpire), 873 [XFRM_MSG_FLUSHSA - XFRM_MSG_BASE] = XMSGSIZE(xfrm_usersa_flush), 874 [XFRM_MSG_FLUSHPOLICY - XFRM_MSG_BASE] = NLMSG_LENGTH(0), 875 }; 876 877 #undef XMSGSIZE 878 879 static struct xfrm_link { 880 int (*doit)(struct sk_buff *, struct nlmsghdr *, void **); 881 int (*dump)(struct sk_buff *, struct netlink_callback *); 882 } xfrm_dispatch[XFRM_NR_MSGTYPES] = { 883 [XFRM_MSG_NEWSA - XFRM_MSG_BASE] = { .doit = xfrm_add_sa }, 884 [XFRM_MSG_DELSA - XFRM_MSG_BASE] = { .doit = xfrm_del_sa }, 885 [XFRM_MSG_GETSA - XFRM_MSG_BASE] = { .doit = xfrm_get_sa, 886 .dump = xfrm_dump_sa }, 887 [XFRM_MSG_NEWPOLICY - XFRM_MSG_BASE] = { .doit = xfrm_add_policy }, 888 [XFRM_MSG_DELPOLICY - XFRM_MSG_BASE] = { .doit = xfrm_get_policy }, 889 [XFRM_MSG_GETPOLICY - XFRM_MSG_BASE] = { .doit = xfrm_get_policy, 890 .dump = xfrm_dump_policy }, 891 [XFRM_MSG_ALLOCSPI - XFRM_MSG_BASE] = { .doit = xfrm_alloc_userspi }, 892 [XFRM_MSG_UPDPOLICY - XFRM_MSG_BASE] = { .doit = xfrm_add_policy }, 893 [XFRM_MSG_UPDSA - XFRM_MSG_BASE] = { .doit = xfrm_add_sa }, 894 [XFRM_MSG_FLUSHSA - XFRM_MSG_BASE] = { .doit = xfrm_flush_sa }, 895 [XFRM_MSG_FLUSHPOLICY - XFRM_MSG_BASE] = { .doit = xfrm_flush_policy }, 896 }; 897 898 static int xfrm_done(struct netlink_callback *cb) 899 { 900 return 0; 901 } 902 903 static int xfrm_user_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh, int *errp) 904 { 905 struct rtattr *xfrma[XFRMA_MAX]; 906 struct xfrm_link *link; 907 int type, min_len; 908 909 if (!(nlh->nlmsg_flags & NLM_F_REQUEST)) 910 return 0; 911 912 type = nlh->nlmsg_type; 913 914 /* A control message: ignore them */ 915 if (type < XFRM_MSG_BASE) 916 return 0; 917 918 /* Unknown message: reply with EINVAL */ 919 if (type > XFRM_MSG_MAX) 920 goto err_einval; 921 922 type -= XFRM_MSG_BASE; 923 link = &xfrm_dispatch[type]; 924 925 /* All operations require privileges, even GET */ 926 if (security_netlink_recv(skb)) { 927 *errp = -EPERM; 928 return -1; 929 } 930 931 if ((type == (XFRM_MSG_GETSA - XFRM_MSG_BASE) || 932 type == (XFRM_MSG_GETPOLICY - XFRM_MSG_BASE)) && 933 (nlh->nlmsg_flags & NLM_F_DUMP)) { 934 u32 rlen; 935 936 if (link->dump == NULL) 937 goto err_einval; 938 939 if ((*errp = netlink_dump_start(xfrm_nl, skb, nlh, 940 link->dump, 941 xfrm_done)) != 0) { 942 return -1; 943 } 944 rlen = NLMSG_ALIGN(nlh->nlmsg_len); 945 if (rlen > skb->len) 946 rlen = skb->len; 947 skb_pull(skb, rlen); 948 return -1; 949 } 950 951 memset(xfrma, 0, sizeof(xfrma)); 952 953 if (nlh->nlmsg_len < (min_len = xfrm_msg_min[type])) 954 goto err_einval; 955 956 if (nlh->nlmsg_len > min_len) { 957 int attrlen = nlh->nlmsg_len - NLMSG_ALIGN(min_len); 958 struct rtattr *attr = (void *) nlh + NLMSG_ALIGN(min_len); 959 960 while (RTA_OK(attr, attrlen)) { 961 unsigned short flavor = attr->rta_type; 962 if (flavor) { 963 if (flavor > XFRMA_MAX) 964 goto err_einval; 965 xfrma[flavor - 1] = attr; 966 } 967 attr = RTA_NEXT(attr, attrlen); 968 } 969 } 970 971 if (link->doit == NULL) 972 goto err_einval; 973 *errp = link->doit(skb, nlh, (void **) &xfrma); 974 975 return *errp; 976 977 err_einval: 978 *errp = -EINVAL; 979 return -1; 980 } 981 982 static int xfrm_user_rcv_skb(struct sk_buff *skb) 983 { 984 int err; 985 struct nlmsghdr *nlh; 986 987 while (skb->len >= NLMSG_SPACE(0)) { 988 u32 rlen; 989 990 nlh = (struct nlmsghdr *) skb->data; 991 if (nlh->nlmsg_len < sizeof(*nlh) || 992 skb->len < nlh->nlmsg_len) 993 return 0; 994 rlen = NLMSG_ALIGN(nlh->nlmsg_len); 995 if (rlen > skb->len) 996 rlen = skb->len; 997 if (xfrm_user_rcv_msg(skb, nlh, &err) < 0) { 998 if (err == 0) 999 return -1; 1000 netlink_ack(skb, nlh, err); 1001 } else if (nlh->nlmsg_flags & NLM_F_ACK) 1002 netlink_ack(skb, nlh, 0); 1003 skb_pull(skb, rlen); 1004 } 1005 1006 return 0; 1007 } 1008 1009 static void xfrm_netlink_rcv(struct sock *sk, int len) 1010 { 1011 do { 1012 struct sk_buff *skb; 1013 1014 down(&xfrm_cfg_sem); 1015 1016 while ((skb = skb_dequeue(&sk->sk_receive_queue)) != NULL) { 1017 if (xfrm_user_rcv_skb(skb)) { 1018 if (skb->len) 1019 skb_queue_head(&sk->sk_receive_queue, 1020 skb); 1021 else 1022 kfree_skb(skb); 1023 break; 1024 } 1025 kfree_skb(skb); 1026 } 1027 1028 up(&xfrm_cfg_sem); 1029 1030 } while (xfrm_nl && xfrm_nl->sk_receive_queue.qlen); 1031 } 1032 1033 static int build_expire(struct sk_buff *skb, struct xfrm_state *x, int hard) 1034 { 1035 struct xfrm_user_expire *ue; 1036 struct nlmsghdr *nlh; 1037 unsigned char *b = skb->tail; 1038 1039 nlh = NLMSG_PUT(skb, 0, 0, XFRM_MSG_EXPIRE, 1040 sizeof(*ue)); 1041 ue = NLMSG_DATA(nlh); 1042 nlh->nlmsg_flags = 0; 1043 1044 copy_to_user_state(x, &ue->state); 1045 ue->hard = (hard != 0) ? 1 : 0; 1046 1047 nlh->nlmsg_len = skb->tail - b; 1048 return skb->len; 1049 1050 nlmsg_failure: 1051 skb_trim(skb, b - skb->data); 1052 return -1; 1053 } 1054 1055 static int xfrm_send_state_notify(struct xfrm_state *x, int hard) 1056 { 1057 struct sk_buff *skb; 1058 1059 skb = alloc_skb(sizeof(struct xfrm_user_expire) + 16, GFP_ATOMIC); 1060 if (skb == NULL) 1061 return -ENOMEM; 1062 1063 if (build_expire(skb, x, hard) < 0) 1064 BUG(); 1065 1066 NETLINK_CB(skb).dst_groups = XFRMGRP_EXPIRE; 1067 1068 return netlink_broadcast(xfrm_nl, skb, 0, XFRMGRP_EXPIRE, GFP_ATOMIC); 1069 } 1070 1071 static int build_acquire(struct sk_buff *skb, struct xfrm_state *x, 1072 struct xfrm_tmpl *xt, struct xfrm_policy *xp, 1073 int dir) 1074 { 1075 struct xfrm_user_acquire *ua; 1076 struct nlmsghdr *nlh; 1077 unsigned char *b = skb->tail; 1078 __u32 seq = xfrm_get_acqseq(); 1079 1080 nlh = NLMSG_PUT(skb, 0, 0, XFRM_MSG_ACQUIRE, 1081 sizeof(*ua)); 1082 ua = NLMSG_DATA(nlh); 1083 nlh->nlmsg_flags = 0; 1084 1085 memcpy(&ua->id, &x->id, sizeof(ua->id)); 1086 memcpy(&ua->saddr, &x->props.saddr, sizeof(ua->saddr)); 1087 memcpy(&ua->sel, &x->sel, sizeof(ua->sel)); 1088 copy_to_user_policy(xp, &ua->policy, dir); 1089 ua->aalgos = xt->aalgos; 1090 ua->ealgos = xt->ealgos; 1091 ua->calgos = xt->calgos; 1092 ua->seq = x->km.seq = seq; 1093 1094 if (copy_to_user_tmpl(xp, skb) < 0) 1095 goto nlmsg_failure; 1096 1097 nlh->nlmsg_len = skb->tail - b; 1098 return skb->len; 1099 1100 nlmsg_failure: 1101 skb_trim(skb, b - skb->data); 1102 return -1; 1103 } 1104 1105 static int xfrm_send_acquire(struct xfrm_state *x, struct xfrm_tmpl *xt, 1106 struct xfrm_policy *xp, int dir) 1107 { 1108 struct sk_buff *skb; 1109 size_t len; 1110 1111 len = RTA_SPACE(sizeof(struct xfrm_user_tmpl) * xp->xfrm_nr); 1112 len += NLMSG_SPACE(sizeof(struct xfrm_user_acquire)); 1113 skb = alloc_skb(len, GFP_ATOMIC); 1114 if (skb == NULL) 1115 return -ENOMEM; 1116 1117 if (build_acquire(skb, x, xt, xp, dir) < 0) 1118 BUG(); 1119 1120 NETLINK_CB(skb).dst_groups = XFRMGRP_ACQUIRE; 1121 1122 return netlink_broadcast(xfrm_nl, skb, 0, XFRMGRP_ACQUIRE, GFP_ATOMIC); 1123 } 1124 1125 /* User gives us xfrm_user_policy_info followed by an array of 0 1126 * or more templates. 1127 */ 1128 static struct xfrm_policy *xfrm_compile_policy(u16 family, int opt, 1129 u8 *data, int len, int *dir) 1130 { 1131 struct xfrm_userpolicy_info *p = (struct xfrm_userpolicy_info *)data; 1132 struct xfrm_user_tmpl *ut = (struct xfrm_user_tmpl *) (p + 1); 1133 struct xfrm_policy *xp; 1134 int nr; 1135 1136 switch (family) { 1137 case AF_INET: 1138 if (opt != IP_XFRM_POLICY) { 1139 *dir = -EOPNOTSUPP; 1140 return NULL; 1141 } 1142 break; 1143 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 1144 case AF_INET6: 1145 if (opt != IPV6_XFRM_POLICY) { 1146 *dir = -EOPNOTSUPP; 1147 return NULL; 1148 } 1149 break; 1150 #endif 1151 default: 1152 *dir = -EINVAL; 1153 return NULL; 1154 } 1155 1156 *dir = -EINVAL; 1157 1158 if (len < sizeof(*p) || 1159 verify_newpolicy_info(p)) 1160 return NULL; 1161 1162 nr = ((len - sizeof(*p)) / sizeof(*ut)); 1163 if (nr > XFRM_MAX_DEPTH) 1164 return NULL; 1165 1166 xp = xfrm_policy_alloc(GFP_KERNEL); 1167 if (xp == NULL) { 1168 *dir = -ENOBUFS; 1169 return NULL; 1170 } 1171 1172 copy_from_user_policy(xp, p); 1173 copy_templates(xp, ut, nr); 1174 1175 *dir = p->dir; 1176 1177 return xp; 1178 } 1179 1180 static int build_polexpire(struct sk_buff *skb, struct xfrm_policy *xp, 1181 int dir, int hard) 1182 { 1183 struct xfrm_user_polexpire *upe; 1184 struct nlmsghdr *nlh; 1185 unsigned char *b = skb->tail; 1186 1187 nlh = NLMSG_PUT(skb, 0, 0, XFRM_MSG_POLEXPIRE, sizeof(*upe)); 1188 upe = NLMSG_DATA(nlh); 1189 nlh->nlmsg_flags = 0; 1190 1191 copy_to_user_policy(xp, &upe->pol, dir); 1192 if (copy_to_user_tmpl(xp, skb) < 0) 1193 goto nlmsg_failure; 1194 upe->hard = !!hard; 1195 1196 nlh->nlmsg_len = skb->tail - b; 1197 return skb->len; 1198 1199 nlmsg_failure: 1200 skb_trim(skb, b - skb->data); 1201 return -1; 1202 } 1203 1204 static int xfrm_send_policy_notify(struct xfrm_policy *xp, int dir, int hard) 1205 { 1206 struct sk_buff *skb; 1207 size_t len; 1208 1209 len = RTA_SPACE(sizeof(struct xfrm_user_tmpl) * xp->xfrm_nr); 1210 len += NLMSG_SPACE(sizeof(struct xfrm_user_polexpire)); 1211 skb = alloc_skb(len, GFP_ATOMIC); 1212 if (skb == NULL) 1213 return -ENOMEM; 1214 1215 if (build_polexpire(skb, xp, dir, hard) < 0) 1216 BUG(); 1217 1218 NETLINK_CB(skb).dst_groups = XFRMGRP_EXPIRE; 1219 1220 return netlink_broadcast(xfrm_nl, skb, 0, XFRMGRP_EXPIRE, GFP_ATOMIC); 1221 } 1222 1223 static struct xfrm_mgr netlink_mgr = { 1224 .id = "netlink", 1225 .notify = xfrm_send_state_notify, 1226 .acquire = xfrm_send_acquire, 1227 .compile_policy = xfrm_compile_policy, 1228 .notify_policy = xfrm_send_policy_notify, 1229 }; 1230 1231 static int __init xfrm_user_init(void) 1232 { 1233 printk(KERN_INFO "Initializing IPsec netlink socket\n"); 1234 1235 xfrm_nl = netlink_kernel_create(NETLINK_XFRM, xfrm_netlink_rcv); 1236 if (xfrm_nl == NULL) 1237 return -ENOMEM; 1238 1239 xfrm_register_km(&netlink_mgr); 1240 1241 return 0; 1242 } 1243 1244 static void __exit xfrm_user_exit(void) 1245 { 1246 xfrm_unregister_km(&netlink_mgr); 1247 sock_release(xfrm_nl->sk_socket); 1248 } 1249 1250 module_init(xfrm_user_init); 1251 module_exit(xfrm_user_exit); 1252 MODULE_LICENSE("GPL"); 1253