1 // SPDX-License-Identifier: GPL-2.0-only 2 /* xfrm_user.c: User interface to configure xfrm engine. 3 * 4 * Copyright (C) 2002 David S. Miller (davem@redhat.com) 5 * 6 * Changes: 7 * Mitsuru KANDA @USAGI 8 * Kazunori MIYAZAWA @USAGI 9 * Kunihiro Ishiguro <kunihiro@ipinfusion.com> 10 * IPv6 support 11 * 12 */ 13 14 #include <linux/crypto.h> 15 #include <linux/module.h> 16 #include <linux/kernel.h> 17 #include <linux/types.h> 18 #include <linux/slab.h> 19 #include <linux/socket.h> 20 #include <linux/string.h> 21 #include <linux/net.h> 22 #include <linux/skbuff.h> 23 #include <linux/pfkeyv2.h> 24 #include <linux/ipsec.h> 25 #include <linux/init.h> 26 #include <linux/security.h> 27 #include <net/sock.h> 28 #include <net/xfrm.h> 29 #include <net/netlink.h> 30 #include <net/ah.h> 31 #include <linux/uaccess.h> 32 #if IS_ENABLED(CONFIG_IPV6) 33 #include <linux/in6.h> 34 #endif 35 #include <asm/unaligned.h> 36 37 static int verify_one_alg(struct nlattr **attrs, enum xfrm_attr_type_t type) 38 { 39 struct nlattr *rt = attrs[type]; 40 struct xfrm_algo *algp; 41 42 if (!rt) 43 return 0; 44 45 algp = nla_data(rt); 46 if (nla_len(rt) < (int)xfrm_alg_len(algp)) 47 return -EINVAL; 48 49 switch (type) { 50 case XFRMA_ALG_AUTH: 51 case XFRMA_ALG_CRYPT: 52 case XFRMA_ALG_COMP: 53 break; 54 55 default: 56 return -EINVAL; 57 } 58 59 algp->alg_name[sizeof(algp->alg_name) - 1] = '\0'; 60 return 0; 61 } 62 63 static int verify_auth_trunc(struct nlattr **attrs) 64 { 65 struct nlattr *rt = attrs[XFRMA_ALG_AUTH_TRUNC]; 66 struct xfrm_algo_auth *algp; 67 68 if (!rt) 69 return 0; 70 71 algp = nla_data(rt); 72 if (nla_len(rt) < (int)xfrm_alg_auth_len(algp)) 73 return -EINVAL; 74 75 algp->alg_name[sizeof(algp->alg_name) - 1] = '\0'; 76 return 0; 77 } 78 79 static int verify_aead(struct nlattr **attrs) 80 { 81 struct nlattr *rt = attrs[XFRMA_ALG_AEAD]; 82 struct xfrm_algo_aead *algp; 83 84 if (!rt) 85 return 0; 86 87 algp = nla_data(rt); 88 if (nla_len(rt) < (int)aead_len(algp)) 89 return -EINVAL; 90 91 algp->alg_name[sizeof(algp->alg_name) - 1] = '\0'; 92 return 0; 93 } 94 95 static void verify_one_addr(struct nlattr **attrs, enum xfrm_attr_type_t type, 96 xfrm_address_t **addrp) 97 { 98 struct nlattr *rt = attrs[type]; 99 100 if (rt && addrp) 101 *addrp = nla_data(rt); 102 } 103 104 static inline int verify_sec_ctx_len(struct nlattr **attrs) 105 { 106 struct nlattr *rt = attrs[XFRMA_SEC_CTX]; 107 struct xfrm_user_sec_ctx *uctx; 108 109 if (!rt) 110 return 0; 111 112 uctx = nla_data(rt); 113 if (uctx->len > nla_len(rt) || 114 uctx->len != (sizeof(struct xfrm_user_sec_ctx) + uctx->ctx_len)) 115 return -EINVAL; 116 117 return 0; 118 } 119 120 static inline int verify_replay(struct xfrm_usersa_info *p, 121 struct nlattr **attrs) 122 { 123 struct nlattr *rt = attrs[XFRMA_REPLAY_ESN_VAL]; 124 struct xfrm_replay_state_esn *rs; 125 126 if (!rt) 127 return (p->flags & XFRM_STATE_ESN) ? -EINVAL : 0; 128 129 rs = nla_data(rt); 130 131 if (rs->bmp_len > XFRMA_REPLAY_ESN_MAX / sizeof(rs->bmp[0]) / 8) 132 return -EINVAL; 133 134 if (nla_len(rt) < (int)xfrm_replay_state_esn_len(rs) && 135 nla_len(rt) != sizeof(*rs)) 136 return -EINVAL; 137 138 /* As only ESP and AH support ESN feature. */ 139 if ((p->id.proto != IPPROTO_ESP) && (p->id.proto != IPPROTO_AH)) 140 return -EINVAL; 141 142 if (p->replay_window != 0) 143 return -EINVAL; 144 145 return 0; 146 } 147 148 static int verify_newsa_info(struct xfrm_usersa_info *p, 149 struct nlattr **attrs) 150 { 151 int err; 152 153 err = -EINVAL; 154 switch (p->family) { 155 case AF_INET: 156 break; 157 158 case AF_INET6: 159 #if IS_ENABLED(CONFIG_IPV6) 160 break; 161 #else 162 err = -EAFNOSUPPORT; 163 goto out; 164 #endif 165 166 default: 167 goto out; 168 } 169 170 switch (p->sel.family) { 171 case AF_UNSPEC: 172 break; 173 174 case AF_INET: 175 if (p->sel.prefixlen_d > 32 || p->sel.prefixlen_s > 32) 176 goto out; 177 178 break; 179 180 case AF_INET6: 181 #if IS_ENABLED(CONFIG_IPV6) 182 if (p->sel.prefixlen_d > 128 || p->sel.prefixlen_s > 128) 183 goto out; 184 185 break; 186 #else 187 err = -EAFNOSUPPORT; 188 goto out; 189 #endif 190 191 default: 192 goto out; 193 } 194 195 err = -EINVAL; 196 switch (p->id.proto) { 197 case IPPROTO_AH: 198 if ((!attrs[XFRMA_ALG_AUTH] && 199 !attrs[XFRMA_ALG_AUTH_TRUNC]) || 200 attrs[XFRMA_ALG_AEAD] || 201 attrs[XFRMA_ALG_CRYPT] || 202 attrs[XFRMA_ALG_COMP] || 203 attrs[XFRMA_TFCPAD]) 204 goto out; 205 break; 206 207 case IPPROTO_ESP: 208 if (attrs[XFRMA_ALG_COMP]) 209 goto out; 210 if (!attrs[XFRMA_ALG_AUTH] && 211 !attrs[XFRMA_ALG_AUTH_TRUNC] && 212 !attrs[XFRMA_ALG_CRYPT] && 213 !attrs[XFRMA_ALG_AEAD]) 214 goto out; 215 if ((attrs[XFRMA_ALG_AUTH] || 216 attrs[XFRMA_ALG_AUTH_TRUNC] || 217 attrs[XFRMA_ALG_CRYPT]) && 218 attrs[XFRMA_ALG_AEAD]) 219 goto out; 220 if (attrs[XFRMA_TFCPAD] && 221 p->mode != XFRM_MODE_TUNNEL) 222 goto out; 223 break; 224 225 case IPPROTO_COMP: 226 if (!attrs[XFRMA_ALG_COMP] || 227 attrs[XFRMA_ALG_AEAD] || 228 attrs[XFRMA_ALG_AUTH] || 229 attrs[XFRMA_ALG_AUTH_TRUNC] || 230 attrs[XFRMA_ALG_CRYPT] || 231 attrs[XFRMA_TFCPAD] || 232 (ntohl(p->id.spi) >= 0x10000)) 233 goto out; 234 break; 235 236 #if IS_ENABLED(CONFIG_IPV6) 237 case IPPROTO_DSTOPTS: 238 case IPPROTO_ROUTING: 239 if (attrs[XFRMA_ALG_COMP] || 240 attrs[XFRMA_ALG_AUTH] || 241 attrs[XFRMA_ALG_AUTH_TRUNC] || 242 attrs[XFRMA_ALG_AEAD] || 243 attrs[XFRMA_ALG_CRYPT] || 244 attrs[XFRMA_ENCAP] || 245 attrs[XFRMA_SEC_CTX] || 246 attrs[XFRMA_TFCPAD] || 247 !attrs[XFRMA_COADDR]) 248 goto out; 249 break; 250 #endif 251 252 default: 253 goto out; 254 } 255 256 if ((err = verify_aead(attrs))) 257 goto out; 258 if ((err = verify_auth_trunc(attrs))) 259 goto out; 260 if ((err = verify_one_alg(attrs, XFRMA_ALG_AUTH))) 261 goto out; 262 if ((err = verify_one_alg(attrs, XFRMA_ALG_CRYPT))) 263 goto out; 264 if ((err = verify_one_alg(attrs, XFRMA_ALG_COMP))) 265 goto out; 266 if ((err = verify_sec_ctx_len(attrs))) 267 goto out; 268 if ((err = verify_replay(p, attrs))) 269 goto out; 270 271 err = -EINVAL; 272 switch (p->mode) { 273 case XFRM_MODE_TRANSPORT: 274 case XFRM_MODE_TUNNEL: 275 case XFRM_MODE_ROUTEOPTIMIZATION: 276 case XFRM_MODE_BEET: 277 break; 278 279 default: 280 goto out; 281 } 282 283 err = 0; 284 285 if (attrs[XFRMA_MTIMER_THRESH]) 286 if (!attrs[XFRMA_ENCAP]) 287 err = -EINVAL; 288 289 out: 290 return err; 291 } 292 293 static int attach_one_algo(struct xfrm_algo **algpp, u8 *props, 294 struct xfrm_algo_desc *(*get_byname)(const char *, int), 295 struct nlattr *rta) 296 { 297 struct xfrm_algo *p, *ualg; 298 struct xfrm_algo_desc *algo; 299 300 if (!rta) 301 return 0; 302 303 ualg = nla_data(rta); 304 305 algo = get_byname(ualg->alg_name, 1); 306 if (!algo) 307 return -ENOSYS; 308 *props = algo->desc.sadb_alg_id; 309 310 p = kmemdup(ualg, xfrm_alg_len(ualg), GFP_KERNEL); 311 if (!p) 312 return -ENOMEM; 313 314 strcpy(p->alg_name, algo->name); 315 *algpp = p; 316 return 0; 317 } 318 319 static int attach_crypt(struct xfrm_state *x, struct nlattr *rta) 320 { 321 struct xfrm_algo *p, *ualg; 322 struct xfrm_algo_desc *algo; 323 324 if (!rta) 325 return 0; 326 327 ualg = nla_data(rta); 328 329 algo = xfrm_ealg_get_byname(ualg->alg_name, 1); 330 if (!algo) 331 return -ENOSYS; 332 x->props.ealgo = algo->desc.sadb_alg_id; 333 334 p = kmemdup(ualg, xfrm_alg_len(ualg), GFP_KERNEL); 335 if (!p) 336 return -ENOMEM; 337 338 strcpy(p->alg_name, algo->name); 339 x->ealg = p; 340 x->geniv = algo->uinfo.encr.geniv; 341 return 0; 342 } 343 344 static int attach_auth(struct xfrm_algo_auth **algpp, u8 *props, 345 struct nlattr *rta) 346 { 347 struct xfrm_algo *ualg; 348 struct xfrm_algo_auth *p; 349 struct xfrm_algo_desc *algo; 350 351 if (!rta) 352 return 0; 353 354 ualg = nla_data(rta); 355 356 algo = xfrm_aalg_get_byname(ualg->alg_name, 1); 357 if (!algo) 358 return -ENOSYS; 359 *props = algo->desc.sadb_alg_id; 360 361 p = kmalloc(sizeof(*p) + (ualg->alg_key_len + 7) / 8, GFP_KERNEL); 362 if (!p) 363 return -ENOMEM; 364 365 strcpy(p->alg_name, algo->name); 366 p->alg_key_len = ualg->alg_key_len; 367 p->alg_trunc_len = algo->uinfo.auth.icv_truncbits; 368 memcpy(p->alg_key, ualg->alg_key, (ualg->alg_key_len + 7) / 8); 369 370 *algpp = p; 371 return 0; 372 } 373 374 static int attach_auth_trunc(struct xfrm_algo_auth **algpp, u8 *props, 375 struct nlattr *rta) 376 { 377 struct xfrm_algo_auth *p, *ualg; 378 struct xfrm_algo_desc *algo; 379 380 if (!rta) 381 return 0; 382 383 ualg = nla_data(rta); 384 385 algo = xfrm_aalg_get_byname(ualg->alg_name, 1); 386 if (!algo) 387 return -ENOSYS; 388 if (ualg->alg_trunc_len > algo->uinfo.auth.icv_fullbits) 389 return -EINVAL; 390 *props = algo->desc.sadb_alg_id; 391 392 p = kmemdup(ualg, xfrm_alg_auth_len(ualg), GFP_KERNEL); 393 if (!p) 394 return -ENOMEM; 395 396 strcpy(p->alg_name, algo->name); 397 if (!p->alg_trunc_len) 398 p->alg_trunc_len = algo->uinfo.auth.icv_truncbits; 399 400 *algpp = p; 401 return 0; 402 } 403 404 static int attach_aead(struct xfrm_state *x, struct nlattr *rta) 405 { 406 struct xfrm_algo_aead *p, *ualg; 407 struct xfrm_algo_desc *algo; 408 409 if (!rta) 410 return 0; 411 412 ualg = nla_data(rta); 413 414 algo = xfrm_aead_get_byname(ualg->alg_name, ualg->alg_icv_len, 1); 415 if (!algo) 416 return -ENOSYS; 417 x->props.ealgo = algo->desc.sadb_alg_id; 418 419 p = kmemdup(ualg, aead_len(ualg), GFP_KERNEL); 420 if (!p) 421 return -ENOMEM; 422 423 strcpy(p->alg_name, algo->name); 424 x->aead = p; 425 x->geniv = algo->uinfo.aead.geniv; 426 return 0; 427 } 428 429 static inline int xfrm_replay_verify_len(struct xfrm_replay_state_esn *replay_esn, 430 struct nlattr *rp) 431 { 432 struct xfrm_replay_state_esn *up; 433 unsigned int ulen; 434 435 if (!replay_esn || !rp) 436 return 0; 437 438 up = nla_data(rp); 439 ulen = xfrm_replay_state_esn_len(up); 440 441 /* Check the overall length and the internal bitmap length to avoid 442 * potential overflow. */ 443 if (nla_len(rp) < (int)ulen || 444 xfrm_replay_state_esn_len(replay_esn) != ulen || 445 replay_esn->bmp_len != up->bmp_len) 446 return -EINVAL; 447 448 if (up->replay_window > up->bmp_len * sizeof(__u32) * 8) 449 return -EINVAL; 450 451 return 0; 452 } 453 454 static int xfrm_alloc_replay_state_esn(struct xfrm_replay_state_esn **replay_esn, 455 struct xfrm_replay_state_esn **preplay_esn, 456 struct nlattr *rta) 457 { 458 struct xfrm_replay_state_esn *p, *pp, *up; 459 unsigned int klen, ulen; 460 461 if (!rta) 462 return 0; 463 464 up = nla_data(rta); 465 klen = xfrm_replay_state_esn_len(up); 466 ulen = nla_len(rta) >= (int)klen ? klen : sizeof(*up); 467 468 p = kzalloc(klen, GFP_KERNEL); 469 if (!p) 470 return -ENOMEM; 471 472 pp = kzalloc(klen, GFP_KERNEL); 473 if (!pp) { 474 kfree(p); 475 return -ENOMEM; 476 } 477 478 memcpy(p, up, ulen); 479 memcpy(pp, up, ulen); 480 481 *replay_esn = p; 482 *preplay_esn = pp; 483 484 return 0; 485 } 486 487 static inline unsigned int xfrm_user_sec_ctx_size(struct xfrm_sec_ctx *xfrm_ctx) 488 { 489 unsigned int len = 0; 490 491 if (xfrm_ctx) { 492 len += sizeof(struct xfrm_user_sec_ctx); 493 len += xfrm_ctx->ctx_len; 494 } 495 return len; 496 } 497 498 static void copy_from_user_state(struct xfrm_state *x, struct xfrm_usersa_info *p) 499 { 500 memcpy(&x->id, &p->id, sizeof(x->id)); 501 memcpy(&x->sel, &p->sel, sizeof(x->sel)); 502 memcpy(&x->lft, &p->lft, sizeof(x->lft)); 503 x->props.mode = p->mode; 504 x->props.replay_window = min_t(unsigned int, p->replay_window, 505 sizeof(x->replay.bitmap) * 8); 506 x->props.reqid = p->reqid; 507 x->props.family = p->family; 508 memcpy(&x->props.saddr, &p->saddr, sizeof(x->props.saddr)); 509 x->props.flags = p->flags; 510 511 if (!x->sel.family && !(p->flags & XFRM_STATE_AF_UNSPEC)) 512 x->sel.family = p->family; 513 } 514 515 /* 516 * someday when pfkey also has support, we could have the code 517 * somehow made shareable and move it to xfrm_state.c - JHS 518 * 519 */ 520 static void xfrm_update_ae_params(struct xfrm_state *x, struct nlattr **attrs, 521 int update_esn) 522 { 523 struct nlattr *rp = attrs[XFRMA_REPLAY_VAL]; 524 struct nlattr *re = update_esn ? attrs[XFRMA_REPLAY_ESN_VAL] : NULL; 525 struct nlattr *lt = attrs[XFRMA_LTIME_VAL]; 526 struct nlattr *et = attrs[XFRMA_ETIMER_THRESH]; 527 struct nlattr *rt = attrs[XFRMA_REPLAY_THRESH]; 528 struct nlattr *mt = attrs[XFRMA_MTIMER_THRESH]; 529 530 if (re) { 531 struct xfrm_replay_state_esn *replay_esn; 532 replay_esn = nla_data(re); 533 memcpy(x->replay_esn, replay_esn, 534 xfrm_replay_state_esn_len(replay_esn)); 535 memcpy(x->preplay_esn, replay_esn, 536 xfrm_replay_state_esn_len(replay_esn)); 537 } 538 539 if (rp) { 540 struct xfrm_replay_state *replay; 541 replay = nla_data(rp); 542 memcpy(&x->replay, replay, sizeof(*replay)); 543 memcpy(&x->preplay, replay, sizeof(*replay)); 544 } 545 546 if (lt) { 547 struct xfrm_lifetime_cur *ltime; 548 ltime = nla_data(lt); 549 x->curlft.bytes = ltime->bytes; 550 x->curlft.packets = ltime->packets; 551 x->curlft.add_time = ltime->add_time; 552 x->curlft.use_time = ltime->use_time; 553 } 554 555 if (et) 556 x->replay_maxage = nla_get_u32(et); 557 558 if (rt) 559 x->replay_maxdiff = nla_get_u32(rt); 560 561 if (mt) 562 x->mapping_maxage = nla_get_u32(mt); 563 } 564 565 static void xfrm_smark_init(struct nlattr **attrs, struct xfrm_mark *m) 566 { 567 if (attrs[XFRMA_SET_MARK]) { 568 m->v = nla_get_u32(attrs[XFRMA_SET_MARK]); 569 if (attrs[XFRMA_SET_MARK_MASK]) 570 m->m = nla_get_u32(attrs[XFRMA_SET_MARK_MASK]); 571 else 572 m->m = 0xffffffff; 573 } else { 574 m->v = m->m = 0; 575 } 576 } 577 578 static struct xfrm_state *xfrm_state_construct(struct net *net, 579 struct xfrm_usersa_info *p, 580 struct nlattr **attrs, 581 int *errp) 582 { 583 struct xfrm_state *x = xfrm_state_alloc(net); 584 int err = -ENOMEM; 585 586 if (!x) 587 goto error_no_put; 588 589 copy_from_user_state(x, p); 590 591 if (attrs[XFRMA_ENCAP]) { 592 x->encap = kmemdup(nla_data(attrs[XFRMA_ENCAP]), 593 sizeof(*x->encap), GFP_KERNEL); 594 if (x->encap == NULL) 595 goto error; 596 } 597 598 if (attrs[XFRMA_COADDR]) { 599 x->coaddr = kmemdup(nla_data(attrs[XFRMA_COADDR]), 600 sizeof(*x->coaddr), GFP_KERNEL); 601 if (x->coaddr == NULL) 602 goto error; 603 } 604 605 if (attrs[XFRMA_SA_EXTRA_FLAGS]) 606 x->props.extra_flags = nla_get_u32(attrs[XFRMA_SA_EXTRA_FLAGS]); 607 608 if ((err = attach_aead(x, attrs[XFRMA_ALG_AEAD]))) 609 goto error; 610 if ((err = attach_auth_trunc(&x->aalg, &x->props.aalgo, 611 attrs[XFRMA_ALG_AUTH_TRUNC]))) 612 goto error; 613 if (!x->props.aalgo) { 614 if ((err = attach_auth(&x->aalg, &x->props.aalgo, 615 attrs[XFRMA_ALG_AUTH]))) 616 goto error; 617 } 618 if ((err = attach_crypt(x, attrs[XFRMA_ALG_CRYPT]))) 619 goto error; 620 if ((err = attach_one_algo(&x->calg, &x->props.calgo, 621 xfrm_calg_get_byname, 622 attrs[XFRMA_ALG_COMP]))) 623 goto error; 624 625 if (attrs[XFRMA_TFCPAD]) 626 x->tfcpad = nla_get_u32(attrs[XFRMA_TFCPAD]); 627 628 xfrm_mark_get(attrs, &x->mark); 629 630 xfrm_smark_init(attrs, &x->props.smark); 631 632 if (attrs[XFRMA_IF_ID]) 633 x->if_id = nla_get_u32(attrs[XFRMA_IF_ID]); 634 635 err = __xfrm_init_state(x, false, attrs[XFRMA_OFFLOAD_DEV]); 636 if (err) 637 goto error; 638 639 if (attrs[XFRMA_SEC_CTX]) { 640 err = security_xfrm_state_alloc(x, 641 nla_data(attrs[XFRMA_SEC_CTX])); 642 if (err) 643 goto error; 644 } 645 646 if ((err = xfrm_alloc_replay_state_esn(&x->replay_esn, &x->preplay_esn, 647 attrs[XFRMA_REPLAY_ESN_VAL]))) 648 goto error; 649 650 x->km.seq = p->seq; 651 x->replay_maxdiff = net->xfrm.sysctl_aevent_rseqth; 652 /* sysctl_xfrm_aevent_etime is in 100ms units */ 653 x->replay_maxage = (net->xfrm.sysctl_aevent_etime*HZ)/XFRM_AE_ETH_M; 654 655 if ((err = xfrm_init_replay(x))) 656 goto error; 657 658 /* override default values from above */ 659 xfrm_update_ae_params(x, attrs, 0); 660 661 /* configure the hardware if offload is requested */ 662 if (attrs[XFRMA_OFFLOAD_DEV]) { 663 err = xfrm_dev_state_add(net, x, 664 nla_data(attrs[XFRMA_OFFLOAD_DEV])); 665 if (err) 666 goto error; 667 } 668 669 return x; 670 671 error: 672 x->km.state = XFRM_STATE_DEAD; 673 xfrm_state_put(x); 674 error_no_put: 675 *errp = err; 676 return NULL; 677 } 678 679 static int xfrm_add_sa(struct sk_buff *skb, struct nlmsghdr *nlh, 680 struct nlattr **attrs) 681 { 682 struct net *net = sock_net(skb->sk); 683 struct xfrm_usersa_info *p = nlmsg_data(nlh); 684 struct xfrm_state *x; 685 int err; 686 struct km_event c; 687 688 err = verify_newsa_info(p, attrs); 689 if (err) 690 return err; 691 692 x = xfrm_state_construct(net, p, attrs, &err); 693 if (!x) 694 return err; 695 696 xfrm_state_hold(x); 697 if (nlh->nlmsg_type == XFRM_MSG_NEWSA) 698 err = xfrm_state_add(x); 699 else 700 err = xfrm_state_update(x); 701 702 xfrm_audit_state_add(x, err ? 0 : 1, true); 703 704 if (err < 0) { 705 x->km.state = XFRM_STATE_DEAD; 706 xfrm_dev_state_delete(x); 707 __xfrm_state_put(x); 708 goto out; 709 } 710 711 if (x->km.state == XFRM_STATE_VOID) 712 x->km.state = XFRM_STATE_VALID; 713 714 c.seq = nlh->nlmsg_seq; 715 c.portid = nlh->nlmsg_pid; 716 c.event = nlh->nlmsg_type; 717 718 km_state_notify(x, &c); 719 out: 720 xfrm_state_put(x); 721 return err; 722 } 723 724 static struct xfrm_state *xfrm_user_state_lookup(struct net *net, 725 struct xfrm_usersa_id *p, 726 struct nlattr **attrs, 727 int *errp) 728 { 729 struct xfrm_state *x = NULL; 730 struct xfrm_mark m; 731 int err; 732 u32 mark = xfrm_mark_get(attrs, &m); 733 734 if (xfrm_id_proto_match(p->proto, IPSEC_PROTO_ANY)) { 735 err = -ESRCH; 736 x = xfrm_state_lookup(net, mark, &p->daddr, p->spi, p->proto, p->family); 737 } else { 738 xfrm_address_t *saddr = NULL; 739 740 verify_one_addr(attrs, XFRMA_SRCADDR, &saddr); 741 if (!saddr) { 742 err = -EINVAL; 743 goto out; 744 } 745 746 err = -ESRCH; 747 x = xfrm_state_lookup_byaddr(net, mark, 748 &p->daddr, saddr, 749 p->proto, p->family); 750 } 751 752 out: 753 if (!x && errp) 754 *errp = err; 755 return x; 756 } 757 758 static int xfrm_del_sa(struct sk_buff *skb, struct nlmsghdr *nlh, 759 struct nlattr **attrs) 760 { 761 struct net *net = sock_net(skb->sk); 762 struct xfrm_state *x; 763 int err = -ESRCH; 764 struct km_event c; 765 struct xfrm_usersa_id *p = nlmsg_data(nlh); 766 767 x = xfrm_user_state_lookup(net, p, attrs, &err); 768 if (x == NULL) 769 return err; 770 771 if ((err = security_xfrm_state_delete(x)) != 0) 772 goto out; 773 774 if (xfrm_state_kern(x)) { 775 err = -EPERM; 776 goto out; 777 } 778 779 err = xfrm_state_delete(x); 780 781 if (err < 0) 782 goto out; 783 784 c.seq = nlh->nlmsg_seq; 785 c.portid = nlh->nlmsg_pid; 786 c.event = nlh->nlmsg_type; 787 km_state_notify(x, &c); 788 789 out: 790 xfrm_audit_state_delete(x, err ? 0 : 1, true); 791 xfrm_state_put(x); 792 return err; 793 } 794 795 static void copy_to_user_state(struct xfrm_state *x, struct xfrm_usersa_info *p) 796 { 797 memset(p, 0, sizeof(*p)); 798 memcpy(&p->id, &x->id, sizeof(p->id)); 799 memcpy(&p->sel, &x->sel, sizeof(p->sel)); 800 memcpy(&p->lft, &x->lft, sizeof(p->lft)); 801 memcpy(&p->curlft, &x->curlft, sizeof(p->curlft)); 802 put_unaligned(x->stats.replay_window, &p->stats.replay_window); 803 put_unaligned(x->stats.replay, &p->stats.replay); 804 put_unaligned(x->stats.integrity_failed, &p->stats.integrity_failed); 805 memcpy(&p->saddr, &x->props.saddr, sizeof(p->saddr)); 806 p->mode = x->props.mode; 807 p->replay_window = x->props.replay_window; 808 p->reqid = x->props.reqid; 809 p->family = x->props.family; 810 p->flags = x->props.flags; 811 p->seq = x->km.seq; 812 } 813 814 struct xfrm_dump_info { 815 struct sk_buff *in_skb; 816 struct sk_buff *out_skb; 817 u32 nlmsg_seq; 818 u16 nlmsg_flags; 819 }; 820 821 static int copy_sec_ctx(struct xfrm_sec_ctx *s, struct sk_buff *skb) 822 { 823 struct xfrm_user_sec_ctx *uctx; 824 struct nlattr *attr; 825 int ctx_size = sizeof(*uctx) + s->ctx_len; 826 827 attr = nla_reserve(skb, XFRMA_SEC_CTX, ctx_size); 828 if (attr == NULL) 829 return -EMSGSIZE; 830 831 uctx = nla_data(attr); 832 uctx->exttype = XFRMA_SEC_CTX; 833 uctx->len = ctx_size; 834 uctx->ctx_doi = s->ctx_doi; 835 uctx->ctx_alg = s->ctx_alg; 836 uctx->ctx_len = s->ctx_len; 837 memcpy(uctx + 1, s->ctx_str, s->ctx_len); 838 839 return 0; 840 } 841 842 static int copy_user_offload(struct xfrm_state_offload *xso, struct sk_buff *skb) 843 { 844 struct xfrm_user_offload *xuo; 845 struct nlattr *attr; 846 847 attr = nla_reserve(skb, XFRMA_OFFLOAD_DEV, sizeof(*xuo)); 848 if (attr == NULL) 849 return -EMSGSIZE; 850 851 xuo = nla_data(attr); 852 memset(xuo, 0, sizeof(*xuo)); 853 xuo->ifindex = xso->dev->ifindex; 854 xuo->flags = xso->flags; 855 856 return 0; 857 } 858 859 static bool xfrm_redact(void) 860 { 861 return IS_ENABLED(CONFIG_SECURITY) && 862 security_locked_down(LOCKDOWN_XFRM_SECRET); 863 } 864 865 static int copy_to_user_auth(struct xfrm_algo_auth *auth, struct sk_buff *skb) 866 { 867 struct xfrm_algo *algo; 868 struct xfrm_algo_auth *ap; 869 struct nlattr *nla; 870 bool redact_secret = xfrm_redact(); 871 872 nla = nla_reserve(skb, XFRMA_ALG_AUTH, 873 sizeof(*algo) + (auth->alg_key_len + 7) / 8); 874 if (!nla) 875 return -EMSGSIZE; 876 algo = nla_data(nla); 877 strncpy(algo->alg_name, auth->alg_name, sizeof(algo->alg_name)); 878 879 if (redact_secret && auth->alg_key_len) 880 memset(algo->alg_key, 0, (auth->alg_key_len + 7) / 8); 881 else 882 memcpy(algo->alg_key, auth->alg_key, 883 (auth->alg_key_len + 7) / 8); 884 algo->alg_key_len = auth->alg_key_len; 885 886 nla = nla_reserve(skb, XFRMA_ALG_AUTH_TRUNC, xfrm_alg_auth_len(auth)); 887 if (!nla) 888 return -EMSGSIZE; 889 ap = nla_data(nla); 890 memcpy(ap, auth, sizeof(struct xfrm_algo_auth)); 891 if (redact_secret && auth->alg_key_len) 892 memset(ap->alg_key, 0, (auth->alg_key_len + 7) / 8); 893 else 894 memcpy(ap->alg_key, auth->alg_key, 895 (auth->alg_key_len + 7) / 8); 896 return 0; 897 } 898 899 static int copy_to_user_aead(struct xfrm_algo_aead *aead, struct sk_buff *skb) 900 { 901 struct nlattr *nla = nla_reserve(skb, XFRMA_ALG_AEAD, aead_len(aead)); 902 struct xfrm_algo_aead *ap; 903 bool redact_secret = xfrm_redact(); 904 905 if (!nla) 906 return -EMSGSIZE; 907 908 ap = nla_data(nla); 909 memcpy(ap, aead, sizeof(*aead)); 910 911 if (redact_secret && aead->alg_key_len) 912 memset(ap->alg_key, 0, (aead->alg_key_len + 7) / 8); 913 else 914 memcpy(ap->alg_key, aead->alg_key, 915 (aead->alg_key_len + 7) / 8); 916 return 0; 917 } 918 919 static int copy_to_user_ealg(struct xfrm_algo *ealg, struct sk_buff *skb) 920 { 921 struct xfrm_algo *ap; 922 bool redact_secret = xfrm_redact(); 923 struct nlattr *nla = nla_reserve(skb, XFRMA_ALG_CRYPT, 924 xfrm_alg_len(ealg)); 925 if (!nla) 926 return -EMSGSIZE; 927 928 ap = nla_data(nla); 929 memcpy(ap, ealg, sizeof(*ealg)); 930 931 if (redact_secret && ealg->alg_key_len) 932 memset(ap->alg_key, 0, (ealg->alg_key_len + 7) / 8); 933 else 934 memcpy(ap->alg_key, ealg->alg_key, 935 (ealg->alg_key_len + 7) / 8); 936 937 return 0; 938 } 939 940 static int xfrm_smark_put(struct sk_buff *skb, struct xfrm_mark *m) 941 { 942 int ret = 0; 943 944 if (m->v | m->m) { 945 ret = nla_put_u32(skb, XFRMA_SET_MARK, m->v); 946 if (!ret) 947 ret = nla_put_u32(skb, XFRMA_SET_MARK_MASK, m->m); 948 } 949 return ret; 950 } 951 952 /* Don't change this without updating xfrm_sa_len! */ 953 static int copy_to_user_state_extra(struct xfrm_state *x, 954 struct xfrm_usersa_info *p, 955 struct sk_buff *skb) 956 { 957 int ret = 0; 958 959 copy_to_user_state(x, p); 960 961 if (x->props.extra_flags) { 962 ret = nla_put_u32(skb, XFRMA_SA_EXTRA_FLAGS, 963 x->props.extra_flags); 964 if (ret) 965 goto out; 966 } 967 968 if (x->coaddr) { 969 ret = nla_put(skb, XFRMA_COADDR, sizeof(*x->coaddr), x->coaddr); 970 if (ret) 971 goto out; 972 } 973 if (x->lastused) { 974 ret = nla_put_u64_64bit(skb, XFRMA_LASTUSED, x->lastused, 975 XFRMA_PAD); 976 if (ret) 977 goto out; 978 } 979 if (x->aead) { 980 ret = copy_to_user_aead(x->aead, skb); 981 if (ret) 982 goto out; 983 } 984 if (x->aalg) { 985 ret = copy_to_user_auth(x->aalg, skb); 986 if (ret) 987 goto out; 988 } 989 if (x->ealg) { 990 ret = copy_to_user_ealg(x->ealg, skb); 991 if (ret) 992 goto out; 993 } 994 if (x->calg) { 995 ret = nla_put(skb, XFRMA_ALG_COMP, sizeof(*(x->calg)), x->calg); 996 if (ret) 997 goto out; 998 } 999 if (x->encap) { 1000 ret = nla_put(skb, XFRMA_ENCAP, sizeof(*x->encap), x->encap); 1001 if (ret) 1002 goto out; 1003 } 1004 if (x->tfcpad) { 1005 ret = nla_put_u32(skb, XFRMA_TFCPAD, x->tfcpad); 1006 if (ret) 1007 goto out; 1008 } 1009 ret = xfrm_mark_put(skb, &x->mark); 1010 if (ret) 1011 goto out; 1012 1013 ret = xfrm_smark_put(skb, &x->props.smark); 1014 if (ret) 1015 goto out; 1016 1017 if (x->replay_esn) 1018 ret = nla_put(skb, XFRMA_REPLAY_ESN_VAL, 1019 xfrm_replay_state_esn_len(x->replay_esn), 1020 x->replay_esn); 1021 else 1022 ret = nla_put(skb, XFRMA_REPLAY_VAL, sizeof(x->replay), 1023 &x->replay); 1024 if (ret) 1025 goto out; 1026 if(x->xso.dev) 1027 ret = copy_user_offload(&x->xso, skb); 1028 if (ret) 1029 goto out; 1030 if (x->if_id) { 1031 ret = nla_put_u32(skb, XFRMA_IF_ID, x->if_id); 1032 if (ret) 1033 goto out; 1034 } 1035 if (x->security) { 1036 ret = copy_sec_ctx(x->security, skb); 1037 if (ret) 1038 goto out; 1039 } 1040 if (x->mapping_maxage) 1041 ret = nla_put_u32(skb, XFRMA_MTIMER_THRESH, x->mapping_maxage); 1042 out: 1043 return ret; 1044 } 1045 1046 static int dump_one_state(struct xfrm_state *x, int count, void *ptr) 1047 { 1048 struct xfrm_dump_info *sp = ptr; 1049 struct sk_buff *in_skb = sp->in_skb; 1050 struct sk_buff *skb = sp->out_skb; 1051 struct xfrm_translator *xtr; 1052 struct xfrm_usersa_info *p; 1053 struct nlmsghdr *nlh; 1054 int err; 1055 1056 nlh = nlmsg_put(skb, NETLINK_CB(in_skb).portid, sp->nlmsg_seq, 1057 XFRM_MSG_NEWSA, sizeof(*p), sp->nlmsg_flags); 1058 if (nlh == NULL) 1059 return -EMSGSIZE; 1060 1061 p = nlmsg_data(nlh); 1062 1063 err = copy_to_user_state_extra(x, p, skb); 1064 if (err) { 1065 nlmsg_cancel(skb, nlh); 1066 return err; 1067 } 1068 nlmsg_end(skb, nlh); 1069 1070 xtr = xfrm_get_translator(); 1071 if (xtr) { 1072 err = xtr->alloc_compat(skb, nlh); 1073 1074 xfrm_put_translator(xtr); 1075 if (err) { 1076 nlmsg_cancel(skb, nlh); 1077 return err; 1078 } 1079 } 1080 1081 return 0; 1082 } 1083 1084 static int xfrm_dump_sa_done(struct netlink_callback *cb) 1085 { 1086 struct xfrm_state_walk *walk = (struct xfrm_state_walk *) &cb->args[1]; 1087 struct sock *sk = cb->skb->sk; 1088 struct net *net = sock_net(sk); 1089 1090 if (cb->args[0]) 1091 xfrm_state_walk_done(walk, net); 1092 return 0; 1093 } 1094 1095 static int xfrm_dump_sa(struct sk_buff *skb, struct netlink_callback *cb) 1096 { 1097 struct net *net = sock_net(skb->sk); 1098 struct xfrm_state_walk *walk = (struct xfrm_state_walk *) &cb->args[1]; 1099 struct xfrm_dump_info info; 1100 1101 BUILD_BUG_ON(sizeof(struct xfrm_state_walk) > 1102 sizeof(cb->args) - sizeof(cb->args[0])); 1103 1104 info.in_skb = cb->skb; 1105 info.out_skb = skb; 1106 info.nlmsg_seq = cb->nlh->nlmsg_seq; 1107 info.nlmsg_flags = NLM_F_MULTI; 1108 1109 if (!cb->args[0]) { 1110 struct nlattr *attrs[XFRMA_MAX+1]; 1111 struct xfrm_address_filter *filter = NULL; 1112 u8 proto = 0; 1113 int err; 1114 1115 err = nlmsg_parse_deprecated(cb->nlh, 0, attrs, XFRMA_MAX, 1116 xfrma_policy, cb->extack); 1117 if (err < 0) 1118 return err; 1119 1120 if (attrs[XFRMA_ADDRESS_FILTER]) { 1121 filter = kmemdup(nla_data(attrs[XFRMA_ADDRESS_FILTER]), 1122 sizeof(*filter), GFP_KERNEL); 1123 if (filter == NULL) 1124 return -ENOMEM; 1125 } 1126 1127 if (attrs[XFRMA_PROTO]) 1128 proto = nla_get_u8(attrs[XFRMA_PROTO]); 1129 1130 xfrm_state_walk_init(walk, proto, filter); 1131 cb->args[0] = 1; 1132 } 1133 1134 (void) xfrm_state_walk(net, walk, dump_one_state, &info); 1135 1136 return skb->len; 1137 } 1138 1139 static struct sk_buff *xfrm_state_netlink(struct sk_buff *in_skb, 1140 struct xfrm_state *x, u32 seq) 1141 { 1142 struct xfrm_dump_info info; 1143 struct sk_buff *skb; 1144 int err; 1145 1146 skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC); 1147 if (!skb) 1148 return ERR_PTR(-ENOMEM); 1149 1150 info.in_skb = in_skb; 1151 info.out_skb = skb; 1152 info.nlmsg_seq = seq; 1153 info.nlmsg_flags = 0; 1154 1155 err = dump_one_state(x, 0, &info); 1156 if (err) { 1157 kfree_skb(skb); 1158 return ERR_PTR(err); 1159 } 1160 1161 return skb; 1162 } 1163 1164 /* A wrapper for nlmsg_multicast() checking that nlsk is still available. 1165 * Must be called with RCU read lock. 1166 */ 1167 static inline int xfrm_nlmsg_multicast(struct net *net, struct sk_buff *skb, 1168 u32 pid, unsigned int group) 1169 { 1170 struct sock *nlsk = rcu_dereference(net->xfrm.nlsk); 1171 struct xfrm_translator *xtr; 1172 1173 if (!nlsk) { 1174 kfree_skb(skb); 1175 return -EPIPE; 1176 } 1177 1178 xtr = xfrm_get_translator(); 1179 if (xtr) { 1180 int err = xtr->alloc_compat(skb, nlmsg_hdr(skb)); 1181 1182 xfrm_put_translator(xtr); 1183 if (err) { 1184 kfree_skb(skb); 1185 return err; 1186 } 1187 } 1188 1189 return nlmsg_multicast(nlsk, skb, pid, group, GFP_ATOMIC); 1190 } 1191 1192 static inline unsigned int xfrm_spdinfo_msgsize(void) 1193 { 1194 return NLMSG_ALIGN(4) 1195 + nla_total_size(sizeof(struct xfrmu_spdinfo)) 1196 + nla_total_size(sizeof(struct xfrmu_spdhinfo)) 1197 + nla_total_size(sizeof(struct xfrmu_spdhthresh)) 1198 + nla_total_size(sizeof(struct xfrmu_spdhthresh)); 1199 } 1200 1201 static int build_spdinfo(struct sk_buff *skb, struct net *net, 1202 u32 portid, u32 seq, u32 flags) 1203 { 1204 struct xfrmk_spdinfo si; 1205 struct xfrmu_spdinfo spc; 1206 struct xfrmu_spdhinfo sph; 1207 struct xfrmu_spdhthresh spt4, spt6; 1208 struct nlmsghdr *nlh; 1209 int err; 1210 u32 *f; 1211 unsigned lseq; 1212 1213 nlh = nlmsg_put(skb, portid, seq, XFRM_MSG_NEWSPDINFO, sizeof(u32), 0); 1214 if (nlh == NULL) /* shouldn't really happen ... */ 1215 return -EMSGSIZE; 1216 1217 f = nlmsg_data(nlh); 1218 *f = flags; 1219 xfrm_spd_getinfo(net, &si); 1220 spc.incnt = si.incnt; 1221 spc.outcnt = si.outcnt; 1222 spc.fwdcnt = si.fwdcnt; 1223 spc.inscnt = si.inscnt; 1224 spc.outscnt = si.outscnt; 1225 spc.fwdscnt = si.fwdscnt; 1226 sph.spdhcnt = si.spdhcnt; 1227 sph.spdhmcnt = si.spdhmcnt; 1228 1229 do { 1230 lseq = read_seqbegin(&net->xfrm.policy_hthresh.lock); 1231 1232 spt4.lbits = net->xfrm.policy_hthresh.lbits4; 1233 spt4.rbits = net->xfrm.policy_hthresh.rbits4; 1234 spt6.lbits = net->xfrm.policy_hthresh.lbits6; 1235 spt6.rbits = net->xfrm.policy_hthresh.rbits6; 1236 } while (read_seqretry(&net->xfrm.policy_hthresh.lock, lseq)); 1237 1238 err = nla_put(skb, XFRMA_SPD_INFO, sizeof(spc), &spc); 1239 if (!err) 1240 err = nla_put(skb, XFRMA_SPD_HINFO, sizeof(sph), &sph); 1241 if (!err) 1242 err = nla_put(skb, XFRMA_SPD_IPV4_HTHRESH, sizeof(spt4), &spt4); 1243 if (!err) 1244 err = nla_put(skb, XFRMA_SPD_IPV6_HTHRESH, sizeof(spt6), &spt6); 1245 if (err) { 1246 nlmsg_cancel(skb, nlh); 1247 return err; 1248 } 1249 1250 nlmsg_end(skb, nlh); 1251 return 0; 1252 } 1253 1254 static int xfrm_set_spdinfo(struct sk_buff *skb, struct nlmsghdr *nlh, 1255 struct nlattr **attrs) 1256 { 1257 struct net *net = sock_net(skb->sk); 1258 struct xfrmu_spdhthresh *thresh4 = NULL; 1259 struct xfrmu_spdhthresh *thresh6 = NULL; 1260 1261 /* selector prefixlen thresholds to hash policies */ 1262 if (attrs[XFRMA_SPD_IPV4_HTHRESH]) { 1263 struct nlattr *rta = attrs[XFRMA_SPD_IPV4_HTHRESH]; 1264 1265 if (nla_len(rta) < sizeof(*thresh4)) 1266 return -EINVAL; 1267 thresh4 = nla_data(rta); 1268 if (thresh4->lbits > 32 || thresh4->rbits > 32) 1269 return -EINVAL; 1270 } 1271 if (attrs[XFRMA_SPD_IPV6_HTHRESH]) { 1272 struct nlattr *rta = attrs[XFRMA_SPD_IPV6_HTHRESH]; 1273 1274 if (nla_len(rta) < sizeof(*thresh6)) 1275 return -EINVAL; 1276 thresh6 = nla_data(rta); 1277 if (thresh6->lbits > 128 || thresh6->rbits > 128) 1278 return -EINVAL; 1279 } 1280 1281 if (thresh4 || thresh6) { 1282 write_seqlock(&net->xfrm.policy_hthresh.lock); 1283 if (thresh4) { 1284 net->xfrm.policy_hthresh.lbits4 = thresh4->lbits; 1285 net->xfrm.policy_hthresh.rbits4 = thresh4->rbits; 1286 } 1287 if (thresh6) { 1288 net->xfrm.policy_hthresh.lbits6 = thresh6->lbits; 1289 net->xfrm.policy_hthresh.rbits6 = thresh6->rbits; 1290 } 1291 write_sequnlock(&net->xfrm.policy_hthresh.lock); 1292 1293 xfrm_policy_hash_rebuild(net); 1294 } 1295 1296 return 0; 1297 } 1298 1299 static int xfrm_get_spdinfo(struct sk_buff *skb, struct nlmsghdr *nlh, 1300 struct nlattr **attrs) 1301 { 1302 struct net *net = sock_net(skb->sk); 1303 struct sk_buff *r_skb; 1304 u32 *flags = nlmsg_data(nlh); 1305 u32 sportid = NETLINK_CB(skb).portid; 1306 u32 seq = nlh->nlmsg_seq; 1307 int err; 1308 1309 r_skb = nlmsg_new(xfrm_spdinfo_msgsize(), GFP_ATOMIC); 1310 if (r_skb == NULL) 1311 return -ENOMEM; 1312 1313 err = build_spdinfo(r_skb, net, sportid, seq, *flags); 1314 BUG_ON(err < 0); 1315 1316 return nlmsg_unicast(net->xfrm.nlsk, r_skb, sportid); 1317 } 1318 1319 static inline unsigned int xfrm_sadinfo_msgsize(void) 1320 { 1321 return NLMSG_ALIGN(4) 1322 + nla_total_size(sizeof(struct xfrmu_sadhinfo)) 1323 + nla_total_size(4); /* XFRMA_SAD_CNT */ 1324 } 1325 1326 static int build_sadinfo(struct sk_buff *skb, struct net *net, 1327 u32 portid, u32 seq, u32 flags) 1328 { 1329 struct xfrmk_sadinfo si; 1330 struct xfrmu_sadhinfo sh; 1331 struct nlmsghdr *nlh; 1332 int err; 1333 u32 *f; 1334 1335 nlh = nlmsg_put(skb, portid, seq, XFRM_MSG_NEWSADINFO, sizeof(u32), 0); 1336 if (nlh == NULL) /* shouldn't really happen ... */ 1337 return -EMSGSIZE; 1338 1339 f = nlmsg_data(nlh); 1340 *f = flags; 1341 xfrm_sad_getinfo(net, &si); 1342 1343 sh.sadhmcnt = si.sadhmcnt; 1344 sh.sadhcnt = si.sadhcnt; 1345 1346 err = nla_put_u32(skb, XFRMA_SAD_CNT, si.sadcnt); 1347 if (!err) 1348 err = nla_put(skb, XFRMA_SAD_HINFO, sizeof(sh), &sh); 1349 if (err) { 1350 nlmsg_cancel(skb, nlh); 1351 return err; 1352 } 1353 1354 nlmsg_end(skb, nlh); 1355 return 0; 1356 } 1357 1358 static int xfrm_get_sadinfo(struct sk_buff *skb, struct nlmsghdr *nlh, 1359 struct nlattr **attrs) 1360 { 1361 struct net *net = sock_net(skb->sk); 1362 struct sk_buff *r_skb; 1363 u32 *flags = nlmsg_data(nlh); 1364 u32 sportid = NETLINK_CB(skb).portid; 1365 u32 seq = nlh->nlmsg_seq; 1366 int err; 1367 1368 r_skb = nlmsg_new(xfrm_sadinfo_msgsize(), GFP_ATOMIC); 1369 if (r_skb == NULL) 1370 return -ENOMEM; 1371 1372 err = build_sadinfo(r_skb, net, sportid, seq, *flags); 1373 BUG_ON(err < 0); 1374 1375 return nlmsg_unicast(net->xfrm.nlsk, r_skb, sportid); 1376 } 1377 1378 static int xfrm_get_sa(struct sk_buff *skb, struct nlmsghdr *nlh, 1379 struct nlattr **attrs) 1380 { 1381 struct net *net = sock_net(skb->sk); 1382 struct xfrm_usersa_id *p = nlmsg_data(nlh); 1383 struct xfrm_state *x; 1384 struct sk_buff *resp_skb; 1385 int err = -ESRCH; 1386 1387 x = xfrm_user_state_lookup(net, p, attrs, &err); 1388 if (x == NULL) 1389 goto out_noput; 1390 1391 resp_skb = xfrm_state_netlink(skb, x, nlh->nlmsg_seq); 1392 if (IS_ERR(resp_skb)) { 1393 err = PTR_ERR(resp_skb); 1394 } else { 1395 err = nlmsg_unicast(net->xfrm.nlsk, resp_skb, NETLINK_CB(skb).portid); 1396 } 1397 xfrm_state_put(x); 1398 out_noput: 1399 return err; 1400 } 1401 1402 static int xfrm_alloc_userspi(struct sk_buff *skb, struct nlmsghdr *nlh, 1403 struct nlattr **attrs) 1404 { 1405 struct net *net = sock_net(skb->sk); 1406 struct xfrm_state *x; 1407 struct xfrm_userspi_info *p; 1408 struct xfrm_translator *xtr; 1409 struct sk_buff *resp_skb; 1410 xfrm_address_t *daddr; 1411 int family; 1412 int err; 1413 u32 mark; 1414 struct xfrm_mark m; 1415 u32 if_id = 0; 1416 1417 p = nlmsg_data(nlh); 1418 err = verify_spi_info(p->info.id.proto, p->min, p->max); 1419 if (err) 1420 goto out_noput; 1421 1422 family = p->info.family; 1423 daddr = &p->info.id.daddr; 1424 1425 x = NULL; 1426 1427 mark = xfrm_mark_get(attrs, &m); 1428 1429 if (attrs[XFRMA_IF_ID]) 1430 if_id = nla_get_u32(attrs[XFRMA_IF_ID]); 1431 1432 if (p->info.seq) { 1433 x = xfrm_find_acq_byseq(net, mark, p->info.seq); 1434 if (x && !xfrm_addr_equal(&x->id.daddr, daddr, family)) { 1435 xfrm_state_put(x); 1436 x = NULL; 1437 } 1438 } 1439 1440 if (!x) 1441 x = xfrm_find_acq(net, &m, p->info.mode, p->info.reqid, 1442 if_id, p->info.id.proto, daddr, 1443 &p->info.saddr, 1, 1444 family); 1445 err = -ENOENT; 1446 if (x == NULL) 1447 goto out_noput; 1448 1449 err = xfrm_alloc_spi(x, p->min, p->max); 1450 if (err) 1451 goto out; 1452 1453 resp_skb = xfrm_state_netlink(skb, x, nlh->nlmsg_seq); 1454 if (IS_ERR(resp_skb)) { 1455 err = PTR_ERR(resp_skb); 1456 goto out; 1457 } 1458 1459 xtr = xfrm_get_translator(); 1460 if (xtr) { 1461 err = xtr->alloc_compat(skb, nlmsg_hdr(skb)); 1462 1463 xfrm_put_translator(xtr); 1464 if (err) { 1465 kfree_skb(resp_skb); 1466 goto out; 1467 } 1468 } 1469 1470 err = nlmsg_unicast(net->xfrm.nlsk, resp_skb, NETLINK_CB(skb).portid); 1471 1472 out: 1473 xfrm_state_put(x); 1474 out_noput: 1475 return err; 1476 } 1477 1478 static int verify_policy_dir(u8 dir) 1479 { 1480 switch (dir) { 1481 case XFRM_POLICY_IN: 1482 case XFRM_POLICY_OUT: 1483 case XFRM_POLICY_FWD: 1484 break; 1485 1486 default: 1487 return -EINVAL; 1488 } 1489 1490 return 0; 1491 } 1492 1493 static int verify_policy_type(u8 type) 1494 { 1495 switch (type) { 1496 case XFRM_POLICY_TYPE_MAIN: 1497 #ifdef CONFIG_XFRM_SUB_POLICY 1498 case XFRM_POLICY_TYPE_SUB: 1499 #endif 1500 break; 1501 1502 default: 1503 return -EINVAL; 1504 } 1505 1506 return 0; 1507 } 1508 1509 static int verify_newpolicy_info(struct xfrm_userpolicy_info *p) 1510 { 1511 int ret; 1512 1513 switch (p->share) { 1514 case XFRM_SHARE_ANY: 1515 case XFRM_SHARE_SESSION: 1516 case XFRM_SHARE_USER: 1517 case XFRM_SHARE_UNIQUE: 1518 break; 1519 1520 default: 1521 return -EINVAL; 1522 } 1523 1524 switch (p->action) { 1525 case XFRM_POLICY_ALLOW: 1526 case XFRM_POLICY_BLOCK: 1527 break; 1528 1529 default: 1530 return -EINVAL; 1531 } 1532 1533 switch (p->sel.family) { 1534 case AF_INET: 1535 if (p->sel.prefixlen_d > 32 || p->sel.prefixlen_s > 32) 1536 return -EINVAL; 1537 1538 break; 1539 1540 case AF_INET6: 1541 #if IS_ENABLED(CONFIG_IPV6) 1542 if (p->sel.prefixlen_d > 128 || p->sel.prefixlen_s > 128) 1543 return -EINVAL; 1544 1545 break; 1546 #else 1547 return -EAFNOSUPPORT; 1548 #endif 1549 1550 default: 1551 return -EINVAL; 1552 } 1553 1554 ret = verify_policy_dir(p->dir); 1555 if (ret) 1556 return ret; 1557 if (p->index && (xfrm_policy_id2dir(p->index) != p->dir)) 1558 return -EINVAL; 1559 1560 return 0; 1561 } 1562 1563 static int copy_from_user_sec_ctx(struct xfrm_policy *pol, struct nlattr **attrs) 1564 { 1565 struct nlattr *rt = attrs[XFRMA_SEC_CTX]; 1566 struct xfrm_user_sec_ctx *uctx; 1567 1568 if (!rt) 1569 return 0; 1570 1571 uctx = nla_data(rt); 1572 return security_xfrm_policy_alloc(&pol->security, uctx, GFP_KERNEL); 1573 } 1574 1575 static void copy_templates(struct xfrm_policy *xp, struct xfrm_user_tmpl *ut, 1576 int nr) 1577 { 1578 int i; 1579 1580 xp->xfrm_nr = nr; 1581 for (i = 0; i < nr; i++, ut++) { 1582 struct xfrm_tmpl *t = &xp->xfrm_vec[i]; 1583 1584 memcpy(&t->id, &ut->id, sizeof(struct xfrm_id)); 1585 memcpy(&t->saddr, &ut->saddr, 1586 sizeof(xfrm_address_t)); 1587 t->reqid = ut->reqid; 1588 t->mode = ut->mode; 1589 t->share = ut->share; 1590 t->optional = ut->optional; 1591 t->aalgos = ut->aalgos; 1592 t->ealgos = ut->ealgos; 1593 t->calgos = ut->calgos; 1594 /* If all masks are ~0, then we allow all algorithms. */ 1595 t->allalgs = !~(t->aalgos & t->ealgos & t->calgos); 1596 t->encap_family = ut->family; 1597 } 1598 } 1599 1600 static int validate_tmpl(int nr, struct xfrm_user_tmpl *ut, u16 family) 1601 { 1602 u16 prev_family; 1603 int i; 1604 1605 if (nr > XFRM_MAX_DEPTH) 1606 return -EINVAL; 1607 1608 prev_family = family; 1609 1610 for (i = 0; i < nr; i++) { 1611 /* We never validated the ut->family value, so many 1612 * applications simply leave it at zero. The check was 1613 * never made and ut->family was ignored because all 1614 * templates could be assumed to have the same family as 1615 * the policy itself. Now that we will have ipv4-in-ipv6 1616 * and ipv6-in-ipv4 tunnels, this is no longer true. 1617 */ 1618 if (!ut[i].family) 1619 ut[i].family = family; 1620 1621 switch (ut[i].mode) { 1622 case XFRM_MODE_TUNNEL: 1623 case XFRM_MODE_BEET: 1624 break; 1625 default: 1626 if (ut[i].family != prev_family) 1627 return -EINVAL; 1628 break; 1629 } 1630 if (ut[i].mode >= XFRM_MODE_MAX) 1631 return -EINVAL; 1632 1633 prev_family = ut[i].family; 1634 1635 switch (ut[i].family) { 1636 case AF_INET: 1637 break; 1638 #if IS_ENABLED(CONFIG_IPV6) 1639 case AF_INET6: 1640 break; 1641 #endif 1642 default: 1643 return -EINVAL; 1644 } 1645 1646 if (!xfrm_id_proto_valid(ut[i].id.proto)) 1647 return -EINVAL; 1648 } 1649 1650 return 0; 1651 } 1652 1653 static int copy_from_user_tmpl(struct xfrm_policy *pol, struct nlattr **attrs) 1654 { 1655 struct nlattr *rt = attrs[XFRMA_TMPL]; 1656 1657 if (!rt) { 1658 pol->xfrm_nr = 0; 1659 } else { 1660 struct xfrm_user_tmpl *utmpl = nla_data(rt); 1661 int nr = nla_len(rt) / sizeof(*utmpl); 1662 int err; 1663 1664 err = validate_tmpl(nr, utmpl, pol->family); 1665 if (err) 1666 return err; 1667 1668 copy_templates(pol, utmpl, nr); 1669 } 1670 return 0; 1671 } 1672 1673 static int copy_from_user_policy_type(u8 *tp, struct nlattr **attrs) 1674 { 1675 struct nlattr *rt = attrs[XFRMA_POLICY_TYPE]; 1676 struct xfrm_userpolicy_type *upt; 1677 u8 type = XFRM_POLICY_TYPE_MAIN; 1678 int err; 1679 1680 if (rt) { 1681 upt = nla_data(rt); 1682 type = upt->type; 1683 } 1684 1685 err = verify_policy_type(type); 1686 if (err) 1687 return err; 1688 1689 *tp = type; 1690 return 0; 1691 } 1692 1693 static void copy_from_user_policy(struct xfrm_policy *xp, struct xfrm_userpolicy_info *p) 1694 { 1695 xp->priority = p->priority; 1696 xp->index = p->index; 1697 memcpy(&xp->selector, &p->sel, sizeof(xp->selector)); 1698 memcpy(&xp->lft, &p->lft, sizeof(xp->lft)); 1699 xp->action = p->action; 1700 xp->flags = p->flags; 1701 xp->family = p->sel.family; 1702 /* XXX xp->share = p->share; */ 1703 } 1704 1705 static void copy_to_user_policy(struct xfrm_policy *xp, struct xfrm_userpolicy_info *p, int dir) 1706 { 1707 memset(p, 0, sizeof(*p)); 1708 memcpy(&p->sel, &xp->selector, sizeof(p->sel)); 1709 memcpy(&p->lft, &xp->lft, sizeof(p->lft)); 1710 memcpy(&p->curlft, &xp->curlft, sizeof(p->curlft)); 1711 p->priority = xp->priority; 1712 p->index = xp->index; 1713 p->sel.family = xp->family; 1714 p->dir = dir; 1715 p->action = xp->action; 1716 p->flags = xp->flags; 1717 p->share = XFRM_SHARE_ANY; /* XXX xp->share */ 1718 } 1719 1720 static struct xfrm_policy *xfrm_policy_construct(struct net *net, struct xfrm_userpolicy_info *p, struct nlattr **attrs, int *errp) 1721 { 1722 struct xfrm_policy *xp = xfrm_policy_alloc(net, GFP_KERNEL); 1723 int err; 1724 1725 if (!xp) { 1726 *errp = -ENOMEM; 1727 return NULL; 1728 } 1729 1730 copy_from_user_policy(xp, p); 1731 1732 err = copy_from_user_policy_type(&xp->type, attrs); 1733 if (err) 1734 goto error; 1735 1736 if (!(err = copy_from_user_tmpl(xp, attrs))) 1737 err = copy_from_user_sec_ctx(xp, attrs); 1738 if (err) 1739 goto error; 1740 1741 xfrm_mark_get(attrs, &xp->mark); 1742 1743 if (attrs[XFRMA_IF_ID]) 1744 xp->if_id = nla_get_u32(attrs[XFRMA_IF_ID]); 1745 1746 return xp; 1747 error: 1748 *errp = err; 1749 xp->walk.dead = 1; 1750 xfrm_policy_destroy(xp); 1751 return NULL; 1752 } 1753 1754 static int xfrm_add_policy(struct sk_buff *skb, struct nlmsghdr *nlh, 1755 struct nlattr **attrs) 1756 { 1757 struct net *net = sock_net(skb->sk); 1758 struct xfrm_userpolicy_info *p = nlmsg_data(nlh); 1759 struct xfrm_policy *xp; 1760 struct km_event c; 1761 int err; 1762 int excl; 1763 1764 err = verify_newpolicy_info(p); 1765 if (err) 1766 return err; 1767 err = verify_sec_ctx_len(attrs); 1768 if (err) 1769 return err; 1770 1771 xp = xfrm_policy_construct(net, p, attrs, &err); 1772 if (!xp) 1773 return err; 1774 1775 /* shouldn't excl be based on nlh flags?? 1776 * Aha! this is anti-netlink really i.e more pfkey derived 1777 * in netlink excl is a flag and you wouldn't need 1778 * a type XFRM_MSG_UPDPOLICY - JHS */ 1779 excl = nlh->nlmsg_type == XFRM_MSG_NEWPOLICY; 1780 err = xfrm_policy_insert(p->dir, xp, excl); 1781 xfrm_audit_policy_add(xp, err ? 0 : 1, true); 1782 1783 if (err) { 1784 security_xfrm_policy_free(xp->security); 1785 kfree(xp); 1786 return err; 1787 } 1788 1789 c.event = nlh->nlmsg_type; 1790 c.seq = nlh->nlmsg_seq; 1791 c.portid = nlh->nlmsg_pid; 1792 km_policy_notify(xp, p->dir, &c); 1793 1794 xfrm_pol_put(xp); 1795 1796 return 0; 1797 } 1798 1799 static int copy_to_user_tmpl(struct xfrm_policy *xp, struct sk_buff *skb) 1800 { 1801 struct xfrm_user_tmpl vec[XFRM_MAX_DEPTH]; 1802 int i; 1803 1804 if (xp->xfrm_nr == 0) 1805 return 0; 1806 1807 for (i = 0; i < xp->xfrm_nr; i++) { 1808 struct xfrm_user_tmpl *up = &vec[i]; 1809 struct xfrm_tmpl *kp = &xp->xfrm_vec[i]; 1810 1811 memset(up, 0, sizeof(*up)); 1812 memcpy(&up->id, &kp->id, sizeof(up->id)); 1813 up->family = kp->encap_family; 1814 memcpy(&up->saddr, &kp->saddr, sizeof(up->saddr)); 1815 up->reqid = kp->reqid; 1816 up->mode = kp->mode; 1817 up->share = kp->share; 1818 up->optional = kp->optional; 1819 up->aalgos = kp->aalgos; 1820 up->ealgos = kp->ealgos; 1821 up->calgos = kp->calgos; 1822 } 1823 1824 return nla_put(skb, XFRMA_TMPL, 1825 sizeof(struct xfrm_user_tmpl) * xp->xfrm_nr, vec); 1826 } 1827 1828 static inline int copy_to_user_state_sec_ctx(struct xfrm_state *x, struct sk_buff *skb) 1829 { 1830 if (x->security) { 1831 return copy_sec_ctx(x->security, skb); 1832 } 1833 return 0; 1834 } 1835 1836 static inline int copy_to_user_sec_ctx(struct xfrm_policy *xp, struct sk_buff *skb) 1837 { 1838 if (xp->security) 1839 return copy_sec_ctx(xp->security, skb); 1840 return 0; 1841 } 1842 static inline unsigned int userpolicy_type_attrsize(void) 1843 { 1844 #ifdef CONFIG_XFRM_SUB_POLICY 1845 return nla_total_size(sizeof(struct xfrm_userpolicy_type)); 1846 #else 1847 return 0; 1848 #endif 1849 } 1850 1851 #ifdef CONFIG_XFRM_SUB_POLICY 1852 static int copy_to_user_policy_type(u8 type, struct sk_buff *skb) 1853 { 1854 struct xfrm_userpolicy_type upt; 1855 1856 /* Sadly there are two holes in struct xfrm_userpolicy_type */ 1857 memset(&upt, 0, sizeof(upt)); 1858 upt.type = type; 1859 1860 return nla_put(skb, XFRMA_POLICY_TYPE, sizeof(upt), &upt); 1861 } 1862 1863 #else 1864 static inline int copy_to_user_policy_type(u8 type, struct sk_buff *skb) 1865 { 1866 return 0; 1867 } 1868 #endif 1869 1870 static int dump_one_policy(struct xfrm_policy *xp, int dir, int count, void *ptr) 1871 { 1872 struct xfrm_dump_info *sp = ptr; 1873 struct xfrm_userpolicy_info *p; 1874 struct sk_buff *in_skb = sp->in_skb; 1875 struct sk_buff *skb = sp->out_skb; 1876 struct xfrm_translator *xtr; 1877 struct nlmsghdr *nlh; 1878 int err; 1879 1880 nlh = nlmsg_put(skb, NETLINK_CB(in_skb).portid, sp->nlmsg_seq, 1881 XFRM_MSG_NEWPOLICY, sizeof(*p), sp->nlmsg_flags); 1882 if (nlh == NULL) 1883 return -EMSGSIZE; 1884 1885 p = nlmsg_data(nlh); 1886 copy_to_user_policy(xp, p, dir); 1887 err = copy_to_user_tmpl(xp, skb); 1888 if (!err) 1889 err = copy_to_user_sec_ctx(xp, skb); 1890 if (!err) 1891 err = copy_to_user_policy_type(xp->type, skb); 1892 if (!err) 1893 err = xfrm_mark_put(skb, &xp->mark); 1894 if (!err) 1895 err = xfrm_if_id_put(skb, xp->if_id); 1896 if (err) { 1897 nlmsg_cancel(skb, nlh); 1898 return err; 1899 } 1900 nlmsg_end(skb, nlh); 1901 1902 xtr = xfrm_get_translator(); 1903 if (xtr) { 1904 err = xtr->alloc_compat(skb, nlh); 1905 1906 xfrm_put_translator(xtr); 1907 if (err) { 1908 nlmsg_cancel(skb, nlh); 1909 return err; 1910 } 1911 } 1912 1913 return 0; 1914 } 1915 1916 static int xfrm_dump_policy_done(struct netlink_callback *cb) 1917 { 1918 struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *)cb->args; 1919 struct net *net = sock_net(cb->skb->sk); 1920 1921 xfrm_policy_walk_done(walk, net); 1922 return 0; 1923 } 1924 1925 static int xfrm_dump_policy_start(struct netlink_callback *cb) 1926 { 1927 struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *)cb->args; 1928 1929 BUILD_BUG_ON(sizeof(*walk) > sizeof(cb->args)); 1930 1931 xfrm_policy_walk_init(walk, XFRM_POLICY_TYPE_ANY); 1932 return 0; 1933 } 1934 1935 static int xfrm_dump_policy(struct sk_buff *skb, struct netlink_callback *cb) 1936 { 1937 struct net *net = sock_net(skb->sk); 1938 struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *)cb->args; 1939 struct xfrm_dump_info info; 1940 1941 info.in_skb = cb->skb; 1942 info.out_skb = skb; 1943 info.nlmsg_seq = cb->nlh->nlmsg_seq; 1944 info.nlmsg_flags = NLM_F_MULTI; 1945 1946 (void) xfrm_policy_walk(net, walk, dump_one_policy, &info); 1947 1948 return skb->len; 1949 } 1950 1951 static struct sk_buff *xfrm_policy_netlink(struct sk_buff *in_skb, 1952 struct xfrm_policy *xp, 1953 int dir, u32 seq) 1954 { 1955 struct xfrm_dump_info info; 1956 struct sk_buff *skb; 1957 int err; 1958 1959 skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL); 1960 if (!skb) 1961 return ERR_PTR(-ENOMEM); 1962 1963 info.in_skb = in_skb; 1964 info.out_skb = skb; 1965 info.nlmsg_seq = seq; 1966 info.nlmsg_flags = 0; 1967 1968 err = dump_one_policy(xp, dir, 0, &info); 1969 if (err) { 1970 kfree_skb(skb); 1971 return ERR_PTR(err); 1972 } 1973 1974 return skb; 1975 } 1976 1977 static int xfrm_notify_userpolicy(struct net *net) 1978 { 1979 struct xfrm_userpolicy_default *up; 1980 int len = NLMSG_ALIGN(sizeof(*up)); 1981 struct nlmsghdr *nlh; 1982 struct sk_buff *skb; 1983 int err; 1984 1985 skb = nlmsg_new(len, GFP_ATOMIC); 1986 if (skb == NULL) 1987 return -ENOMEM; 1988 1989 nlh = nlmsg_put(skb, 0, 0, XFRM_MSG_GETDEFAULT, sizeof(*up), 0); 1990 if (nlh == NULL) { 1991 kfree_skb(skb); 1992 return -EMSGSIZE; 1993 } 1994 1995 up = nlmsg_data(nlh); 1996 up->in = net->xfrm.policy_default & XFRM_POL_DEFAULT_IN ? 1997 XFRM_USERPOLICY_BLOCK : XFRM_USERPOLICY_ACCEPT; 1998 up->fwd = net->xfrm.policy_default & XFRM_POL_DEFAULT_FWD ? 1999 XFRM_USERPOLICY_BLOCK : XFRM_USERPOLICY_ACCEPT; 2000 up->out = net->xfrm.policy_default & XFRM_POL_DEFAULT_OUT ? 2001 XFRM_USERPOLICY_BLOCK : XFRM_USERPOLICY_ACCEPT; 2002 2003 nlmsg_end(skb, nlh); 2004 2005 rcu_read_lock(); 2006 err = xfrm_nlmsg_multicast(net, skb, 0, XFRMNLGRP_POLICY); 2007 rcu_read_unlock(); 2008 2009 return err; 2010 } 2011 2012 static int xfrm_set_default(struct sk_buff *skb, struct nlmsghdr *nlh, 2013 struct nlattr **attrs) 2014 { 2015 struct net *net = sock_net(skb->sk); 2016 struct xfrm_userpolicy_default *up = nlmsg_data(nlh); 2017 2018 if (up->in == XFRM_USERPOLICY_BLOCK) 2019 net->xfrm.policy_default |= XFRM_POL_DEFAULT_IN; 2020 else if (up->in == XFRM_USERPOLICY_ACCEPT) 2021 net->xfrm.policy_default &= ~XFRM_POL_DEFAULT_IN; 2022 2023 if (up->fwd == XFRM_USERPOLICY_BLOCK) 2024 net->xfrm.policy_default |= XFRM_POL_DEFAULT_FWD; 2025 else if (up->fwd == XFRM_USERPOLICY_ACCEPT) 2026 net->xfrm.policy_default &= ~XFRM_POL_DEFAULT_FWD; 2027 2028 if (up->out == XFRM_USERPOLICY_BLOCK) 2029 net->xfrm.policy_default |= XFRM_POL_DEFAULT_OUT; 2030 else if (up->out == XFRM_USERPOLICY_ACCEPT) 2031 net->xfrm.policy_default &= ~XFRM_POL_DEFAULT_OUT; 2032 2033 rt_genid_bump_all(net); 2034 2035 xfrm_notify_userpolicy(net); 2036 return 0; 2037 } 2038 2039 static int xfrm_get_default(struct sk_buff *skb, struct nlmsghdr *nlh, 2040 struct nlattr **attrs) 2041 { 2042 struct sk_buff *r_skb; 2043 struct nlmsghdr *r_nlh; 2044 struct net *net = sock_net(skb->sk); 2045 struct xfrm_userpolicy_default *r_up; 2046 int len = NLMSG_ALIGN(sizeof(struct xfrm_userpolicy_default)); 2047 u32 portid = NETLINK_CB(skb).portid; 2048 u32 seq = nlh->nlmsg_seq; 2049 2050 r_skb = nlmsg_new(len, GFP_ATOMIC); 2051 if (!r_skb) 2052 return -ENOMEM; 2053 2054 r_nlh = nlmsg_put(r_skb, portid, seq, XFRM_MSG_GETDEFAULT, sizeof(*r_up), 0); 2055 if (!r_nlh) { 2056 kfree_skb(r_skb); 2057 return -EMSGSIZE; 2058 } 2059 2060 r_up = nlmsg_data(r_nlh); 2061 2062 r_up->in = net->xfrm.policy_default & XFRM_POL_DEFAULT_IN ? 2063 XFRM_USERPOLICY_BLOCK : XFRM_USERPOLICY_ACCEPT; 2064 r_up->fwd = net->xfrm.policy_default & XFRM_POL_DEFAULT_FWD ? 2065 XFRM_USERPOLICY_BLOCK : XFRM_USERPOLICY_ACCEPT; 2066 r_up->out = net->xfrm.policy_default & XFRM_POL_DEFAULT_OUT ? 2067 XFRM_USERPOLICY_BLOCK : XFRM_USERPOLICY_ACCEPT; 2068 nlmsg_end(r_skb, r_nlh); 2069 2070 return nlmsg_unicast(net->xfrm.nlsk, r_skb, portid); 2071 } 2072 2073 static int xfrm_get_policy(struct sk_buff *skb, struct nlmsghdr *nlh, 2074 struct nlattr **attrs) 2075 { 2076 struct net *net = sock_net(skb->sk); 2077 struct xfrm_policy *xp; 2078 struct xfrm_userpolicy_id *p; 2079 u8 type = XFRM_POLICY_TYPE_MAIN; 2080 int err; 2081 struct km_event c; 2082 int delete; 2083 struct xfrm_mark m; 2084 u32 if_id = 0; 2085 2086 p = nlmsg_data(nlh); 2087 delete = nlh->nlmsg_type == XFRM_MSG_DELPOLICY; 2088 2089 err = copy_from_user_policy_type(&type, attrs); 2090 if (err) 2091 return err; 2092 2093 err = verify_policy_dir(p->dir); 2094 if (err) 2095 return err; 2096 2097 if (attrs[XFRMA_IF_ID]) 2098 if_id = nla_get_u32(attrs[XFRMA_IF_ID]); 2099 2100 xfrm_mark_get(attrs, &m); 2101 2102 if (p->index) 2103 xp = xfrm_policy_byid(net, &m, if_id, type, p->dir, 2104 p->index, delete, &err); 2105 else { 2106 struct nlattr *rt = attrs[XFRMA_SEC_CTX]; 2107 struct xfrm_sec_ctx *ctx; 2108 2109 err = verify_sec_ctx_len(attrs); 2110 if (err) 2111 return err; 2112 2113 ctx = NULL; 2114 if (rt) { 2115 struct xfrm_user_sec_ctx *uctx = nla_data(rt); 2116 2117 err = security_xfrm_policy_alloc(&ctx, uctx, GFP_KERNEL); 2118 if (err) 2119 return err; 2120 } 2121 xp = xfrm_policy_bysel_ctx(net, &m, if_id, type, p->dir, 2122 &p->sel, ctx, delete, &err); 2123 security_xfrm_policy_free(ctx); 2124 } 2125 if (xp == NULL) 2126 return -ENOENT; 2127 2128 if (!delete) { 2129 struct sk_buff *resp_skb; 2130 2131 resp_skb = xfrm_policy_netlink(skb, xp, p->dir, nlh->nlmsg_seq); 2132 if (IS_ERR(resp_skb)) { 2133 err = PTR_ERR(resp_skb); 2134 } else { 2135 err = nlmsg_unicast(net->xfrm.nlsk, resp_skb, 2136 NETLINK_CB(skb).portid); 2137 } 2138 } else { 2139 xfrm_audit_policy_delete(xp, err ? 0 : 1, true); 2140 2141 if (err != 0) 2142 goto out; 2143 2144 c.data.byid = p->index; 2145 c.event = nlh->nlmsg_type; 2146 c.seq = nlh->nlmsg_seq; 2147 c.portid = nlh->nlmsg_pid; 2148 km_policy_notify(xp, p->dir, &c); 2149 } 2150 2151 out: 2152 xfrm_pol_put(xp); 2153 return err; 2154 } 2155 2156 static int xfrm_flush_sa(struct sk_buff *skb, struct nlmsghdr *nlh, 2157 struct nlattr **attrs) 2158 { 2159 struct net *net = sock_net(skb->sk); 2160 struct km_event c; 2161 struct xfrm_usersa_flush *p = nlmsg_data(nlh); 2162 int err; 2163 2164 err = xfrm_state_flush(net, p->proto, true, false); 2165 if (err) { 2166 if (err == -ESRCH) /* empty table */ 2167 return 0; 2168 return err; 2169 } 2170 c.data.proto = p->proto; 2171 c.event = nlh->nlmsg_type; 2172 c.seq = nlh->nlmsg_seq; 2173 c.portid = nlh->nlmsg_pid; 2174 c.net = net; 2175 km_state_notify(NULL, &c); 2176 2177 return 0; 2178 } 2179 2180 static inline unsigned int xfrm_aevent_msgsize(struct xfrm_state *x) 2181 { 2182 unsigned int replay_size = x->replay_esn ? 2183 xfrm_replay_state_esn_len(x->replay_esn) : 2184 sizeof(struct xfrm_replay_state); 2185 2186 return NLMSG_ALIGN(sizeof(struct xfrm_aevent_id)) 2187 + nla_total_size(replay_size) 2188 + nla_total_size_64bit(sizeof(struct xfrm_lifetime_cur)) 2189 + nla_total_size(sizeof(struct xfrm_mark)) 2190 + nla_total_size(4) /* XFRM_AE_RTHR */ 2191 + nla_total_size(4); /* XFRM_AE_ETHR */ 2192 } 2193 2194 static int build_aevent(struct sk_buff *skb, struct xfrm_state *x, const struct km_event *c) 2195 { 2196 struct xfrm_aevent_id *id; 2197 struct nlmsghdr *nlh; 2198 int err; 2199 2200 nlh = nlmsg_put(skb, c->portid, c->seq, XFRM_MSG_NEWAE, sizeof(*id), 0); 2201 if (nlh == NULL) 2202 return -EMSGSIZE; 2203 2204 id = nlmsg_data(nlh); 2205 memset(&id->sa_id, 0, sizeof(id->sa_id)); 2206 memcpy(&id->sa_id.daddr, &x->id.daddr, sizeof(x->id.daddr)); 2207 id->sa_id.spi = x->id.spi; 2208 id->sa_id.family = x->props.family; 2209 id->sa_id.proto = x->id.proto; 2210 memcpy(&id->saddr, &x->props.saddr, sizeof(x->props.saddr)); 2211 id->reqid = x->props.reqid; 2212 id->flags = c->data.aevent; 2213 2214 if (x->replay_esn) { 2215 err = nla_put(skb, XFRMA_REPLAY_ESN_VAL, 2216 xfrm_replay_state_esn_len(x->replay_esn), 2217 x->replay_esn); 2218 } else { 2219 err = nla_put(skb, XFRMA_REPLAY_VAL, sizeof(x->replay), 2220 &x->replay); 2221 } 2222 if (err) 2223 goto out_cancel; 2224 err = nla_put_64bit(skb, XFRMA_LTIME_VAL, sizeof(x->curlft), &x->curlft, 2225 XFRMA_PAD); 2226 if (err) 2227 goto out_cancel; 2228 2229 if (id->flags & XFRM_AE_RTHR) { 2230 err = nla_put_u32(skb, XFRMA_REPLAY_THRESH, x->replay_maxdiff); 2231 if (err) 2232 goto out_cancel; 2233 } 2234 if (id->flags & XFRM_AE_ETHR) { 2235 err = nla_put_u32(skb, XFRMA_ETIMER_THRESH, 2236 x->replay_maxage * 10 / HZ); 2237 if (err) 2238 goto out_cancel; 2239 } 2240 err = xfrm_mark_put(skb, &x->mark); 2241 if (err) 2242 goto out_cancel; 2243 2244 err = xfrm_if_id_put(skb, x->if_id); 2245 if (err) 2246 goto out_cancel; 2247 2248 nlmsg_end(skb, nlh); 2249 return 0; 2250 2251 out_cancel: 2252 nlmsg_cancel(skb, nlh); 2253 return err; 2254 } 2255 2256 static int xfrm_get_ae(struct sk_buff *skb, struct nlmsghdr *nlh, 2257 struct nlattr **attrs) 2258 { 2259 struct net *net = sock_net(skb->sk); 2260 struct xfrm_state *x; 2261 struct sk_buff *r_skb; 2262 int err; 2263 struct km_event c; 2264 u32 mark; 2265 struct xfrm_mark m; 2266 struct xfrm_aevent_id *p = nlmsg_data(nlh); 2267 struct xfrm_usersa_id *id = &p->sa_id; 2268 2269 mark = xfrm_mark_get(attrs, &m); 2270 2271 x = xfrm_state_lookup(net, mark, &id->daddr, id->spi, id->proto, id->family); 2272 if (x == NULL) 2273 return -ESRCH; 2274 2275 r_skb = nlmsg_new(xfrm_aevent_msgsize(x), GFP_ATOMIC); 2276 if (r_skb == NULL) { 2277 xfrm_state_put(x); 2278 return -ENOMEM; 2279 } 2280 2281 /* 2282 * XXX: is this lock really needed - none of the other 2283 * gets lock (the concern is things getting updated 2284 * while we are still reading) - jhs 2285 */ 2286 spin_lock_bh(&x->lock); 2287 c.data.aevent = p->flags; 2288 c.seq = nlh->nlmsg_seq; 2289 c.portid = nlh->nlmsg_pid; 2290 2291 err = build_aevent(r_skb, x, &c); 2292 BUG_ON(err < 0); 2293 2294 err = nlmsg_unicast(net->xfrm.nlsk, r_skb, NETLINK_CB(skb).portid); 2295 spin_unlock_bh(&x->lock); 2296 xfrm_state_put(x); 2297 return err; 2298 } 2299 2300 static int xfrm_new_ae(struct sk_buff *skb, struct nlmsghdr *nlh, 2301 struct nlattr **attrs) 2302 { 2303 struct net *net = sock_net(skb->sk); 2304 struct xfrm_state *x; 2305 struct km_event c; 2306 int err = -EINVAL; 2307 u32 mark = 0; 2308 struct xfrm_mark m; 2309 struct xfrm_aevent_id *p = nlmsg_data(nlh); 2310 struct nlattr *rp = attrs[XFRMA_REPLAY_VAL]; 2311 struct nlattr *re = attrs[XFRMA_REPLAY_ESN_VAL]; 2312 struct nlattr *lt = attrs[XFRMA_LTIME_VAL]; 2313 struct nlattr *et = attrs[XFRMA_ETIMER_THRESH]; 2314 struct nlattr *rt = attrs[XFRMA_REPLAY_THRESH]; 2315 2316 if (!lt && !rp && !re && !et && !rt) 2317 return err; 2318 2319 /* pedantic mode - thou shalt sayeth replaceth */ 2320 if (!(nlh->nlmsg_flags&NLM_F_REPLACE)) 2321 return err; 2322 2323 mark = xfrm_mark_get(attrs, &m); 2324 2325 x = xfrm_state_lookup(net, mark, &p->sa_id.daddr, p->sa_id.spi, p->sa_id.proto, p->sa_id.family); 2326 if (x == NULL) 2327 return -ESRCH; 2328 2329 if (x->km.state != XFRM_STATE_VALID) 2330 goto out; 2331 2332 err = xfrm_replay_verify_len(x->replay_esn, re); 2333 if (err) 2334 goto out; 2335 2336 spin_lock_bh(&x->lock); 2337 xfrm_update_ae_params(x, attrs, 1); 2338 spin_unlock_bh(&x->lock); 2339 2340 c.event = nlh->nlmsg_type; 2341 c.seq = nlh->nlmsg_seq; 2342 c.portid = nlh->nlmsg_pid; 2343 c.data.aevent = XFRM_AE_CU; 2344 km_state_notify(x, &c); 2345 err = 0; 2346 out: 2347 xfrm_state_put(x); 2348 return err; 2349 } 2350 2351 static int xfrm_flush_policy(struct sk_buff *skb, struct nlmsghdr *nlh, 2352 struct nlattr **attrs) 2353 { 2354 struct net *net = sock_net(skb->sk); 2355 struct km_event c; 2356 u8 type = XFRM_POLICY_TYPE_MAIN; 2357 int err; 2358 2359 err = copy_from_user_policy_type(&type, attrs); 2360 if (err) 2361 return err; 2362 2363 err = xfrm_policy_flush(net, type, true); 2364 if (err) { 2365 if (err == -ESRCH) /* empty table */ 2366 return 0; 2367 return err; 2368 } 2369 2370 c.data.type = type; 2371 c.event = nlh->nlmsg_type; 2372 c.seq = nlh->nlmsg_seq; 2373 c.portid = nlh->nlmsg_pid; 2374 c.net = net; 2375 km_policy_notify(NULL, 0, &c); 2376 return 0; 2377 } 2378 2379 static int xfrm_add_pol_expire(struct sk_buff *skb, struct nlmsghdr *nlh, 2380 struct nlattr **attrs) 2381 { 2382 struct net *net = sock_net(skb->sk); 2383 struct xfrm_policy *xp; 2384 struct xfrm_user_polexpire *up = nlmsg_data(nlh); 2385 struct xfrm_userpolicy_info *p = &up->pol; 2386 u8 type = XFRM_POLICY_TYPE_MAIN; 2387 int err = -ENOENT; 2388 struct xfrm_mark m; 2389 u32 if_id = 0; 2390 2391 err = copy_from_user_policy_type(&type, attrs); 2392 if (err) 2393 return err; 2394 2395 err = verify_policy_dir(p->dir); 2396 if (err) 2397 return err; 2398 2399 if (attrs[XFRMA_IF_ID]) 2400 if_id = nla_get_u32(attrs[XFRMA_IF_ID]); 2401 2402 xfrm_mark_get(attrs, &m); 2403 2404 if (p->index) 2405 xp = xfrm_policy_byid(net, &m, if_id, type, p->dir, p->index, 2406 0, &err); 2407 else { 2408 struct nlattr *rt = attrs[XFRMA_SEC_CTX]; 2409 struct xfrm_sec_ctx *ctx; 2410 2411 err = verify_sec_ctx_len(attrs); 2412 if (err) 2413 return err; 2414 2415 ctx = NULL; 2416 if (rt) { 2417 struct xfrm_user_sec_ctx *uctx = nla_data(rt); 2418 2419 err = security_xfrm_policy_alloc(&ctx, uctx, GFP_KERNEL); 2420 if (err) 2421 return err; 2422 } 2423 xp = xfrm_policy_bysel_ctx(net, &m, if_id, type, p->dir, 2424 &p->sel, ctx, 0, &err); 2425 security_xfrm_policy_free(ctx); 2426 } 2427 if (xp == NULL) 2428 return -ENOENT; 2429 2430 if (unlikely(xp->walk.dead)) 2431 goto out; 2432 2433 err = 0; 2434 if (up->hard) { 2435 xfrm_policy_delete(xp, p->dir); 2436 xfrm_audit_policy_delete(xp, 1, true); 2437 } 2438 km_policy_expired(xp, p->dir, up->hard, nlh->nlmsg_pid); 2439 2440 out: 2441 xfrm_pol_put(xp); 2442 return err; 2443 } 2444 2445 static int xfrm_add_sa_expire(struct sk_buff *skb, struct nlmsghdr *nlh, 2446 struct nlattr **attrs) 2447 { 2448 struct net *net = sock_net(skb->sk); 2449 struct xfrm_state *x; 2450 int err; 2451 struct xfrm_user_expire *ue = nlmsg_data(nlh); 2452 struct xfrm_usersa_info *p = &ue->state; 2453 struct xfrm_mark m; 2454 u32 mark = xfrm_mark_get(attrs, &m); 2455 2456 x = xfrm_state_lookup(net, mark, &p->id.daddr, p->id.spi, p->id.proto, p->family); 2457 2458 err = -ENOENT; 2459 if (x == NULL) 2460 return err; 2461 2462 spin_lock_bh(&x->lock); 2463 err = -EINVAL; 2464 if (x->km.state != XFRM_STATE_VALID) 2465 goto out; 2466 km_state_expired(x, ue->hard, nlh->nlmsg_pid); 2467 2468 if (ue->hard) { 2469 __xfrm_state_delete(x); 2470 xfrm_audit_state_delete(x, 1, true); 2471 } 2472 err = 0; 2473 out: 2474 spin_unlock_bh(&x->lock); 2475 xfrm_state_put(x); 2476 return err; 2477 } 2478 2479 static int xfrm_add_acquire(struct sk_buff *skb, struct nlmsghdr *nlh, 2480 struct nlattr **attrs) 2481 { 2482 struct net *net = sock_net(skb->sk); 2483 struct xfrm_policy *xp; 2484 struct xfrm_user_tmpl *ut; 2485 int i; 2486 struct nlattr *rt = attrs[XFRMA_TMPL]; 2487 struct xfrm_mark mark; 2488 2489 struct xfrm_user_acquire *ua = nlmsg_data(nlh); 2490 struct xfrm_state *x = xfrm_state_alloc(net); 2491 int err = -ENOMEM; 2492 2493 if (!x) 2494 goto nomem; 2495 2496 xfrm_mark_get(attrs, &mark); 2497 2498 err = verify_newpolicy_info(&ua->policy); 2499 if (err) 2500 goto free_state; 2501 err = verify_sec_ctx_len(attrs); 2502 if (err) 2503 goto free_state; 2504 2505 /* build an XP */ 2506 xp = xfrm_policy_construct(net, &ua->policy, attrs, &err); 2507 if (!xp) 2508 goto free_state; 2509 2510 memcpy(&x->id, &ua->id, sizeof(ua->id)); 2511 memcpy(&x->props.saddr, &ua->saddr, sizeof(ua->saddr)); 2512 memcpy(&x->sel, &ua->sel, sizeof(ua->sel)); 2513 xp->mark.m = x->mark.m = mark.m; 2514 xp->mark.v = x->mark.v = mark.v; 2515 ut = nla_data(rt); 2516 /* extract the templates and for each call km_key */ 2517 for (i = 0; i < xp->xfrm_nr; i++, ut++) { 2518 struct xfrm_tmpl *t = &xp->xfrm_vec[i]; 2519 memcpy(&x->id, &t->id, sizeof(x->id)); 2520 x->props.mode = t->mode; 2521 x->props.reqid = t->reqid; 2522 x->props.family = ut->family; 2523 t->aalgos = ua->aalgos; 2524 t->ealgos = ua->ealgos; 2525 t->calgos = ua->calgos; 2526 err = km_query(x, t, xp); 2527 2528 } 2529 2530 xfrm_state_free(x); 2531 kfree(xp); 2532 2533 return 0; 2534 2535 free_state: 2536 xfrm_state_free(x); 2537 nomem: 2538 return err; 2539 } 2540 2541 #ifdef CONFIG_XFRM_MIGRATE 2542 static int copy_from_user_migrate(struct xfrm_migrate *ma, 2543 struct xfrm_kmaddress *k, 2544 struct nlattr **attrs, int *num) 2545 { 2546 struct nlattr *rt = attrs[XFRMA_MIGRATE]; 2547 struct xfrm_user_migrate *um; 2548 int i, num_migrate; 2549 2550 if (k != NULL) { 2551 struct xfrm_user_kmaddress *uk; 2552 2553 uk = nla_data(attrs[XFRMA_KMADDRESS]); 2554 memcpy(&k->local, &uk->local, sizeof(k->local)); 2555 memcpy(&k->remote, &uk->remote, sizeof(k->remote)); 2556 k->family = uk->family; 2557 k->reserved = uk->reserved; 2558 } 2559 2560 um = nla_data(rt); 2561 num_migrate = nla_len(rt) / sizeof(*um); 2562 2563 if (num_migrate <= 0 || num_migrate > XFRM_MAX_DEPTH) 2564 return -EINVAL; 2565 2566 for (i = 0; i < num_migrate; i++, um++, ma++) { 2567 memcpy(&ma->old_daddr, &um->old_daddr, sizeof(ma->old_daddr)); 2568 memcpy(&ma->old_saddr, &um->old_saddr, sizeof(ma->old_saddr)); 2569 memcpy(&ma->new_daddr, &um->new_daddr, sizeof(ma->new_daddr)); 2570 memcpy(&ma->new_saddr, &um->new_saddr, sizeof(ma->new_saddr)); 2571 2572 ma->proto = um->proto; 2573 ma->mode = um->mode; 2574 ma->reqid = um->reqid; 2575 2576 ma->old_family = um->old_family; 2577 ma->new_family = um->new_family; 2578 } 2579 2580 *num = i; 2581 return 0; 2582 } 2583 2584 static int xfrm_do_migrate(struct sk_buff *skb, struct nlmsghdr *nlh, 2585 struct nlattr **attrs) 2586 { 2587 struct xfrm_userpolicy_id *pi = nlmsg_data(nlh); 2588 struct xfrm_migrate m[XFRM_MAX_DEPTH]; 2589 struct xfrm_kmaddress km, *kmp; 2590 u8 type; 2591 int err; 2592 int n = 0; 2593 struct net *net = sock_net(skb->sk); 2594 struct xfrm_encap_tmpl *encap = NULL; 2595 2596 if (attrs[XFRMA_MIGRATE] == NULL) 2597 return -EINVAL; 2598 2599 kmp = attrs[XFRMA_KMADDRESS] ? &km : NULL; 2600 2601 err = copy_from_user_policy_type(&type, attrs); 2602 if (err) 2603 return err; 2604 2605 err = copy_from_user_migrate((struct xfrm_migrate *)m, kmp, attrs, &n); 2606 if (err) 2607 return err; 2608 2609 if (!n) 2610 return 0; 2611 2612 if (attrs[XFRMA_ENCAP]) { 2613 encap = kmemdup(nla_data(attrs[XFRMA_ENCAP]), 2614 sizeof(*encap), GFP_KERNEL); 2615 if (!encap) 2616 return -ENOMEM; 2617 } 2618 2619 err = xfrm_migrate(&pi->sel, pi->dir, type, m, n, kmp, net, encap); 2620 2621 kfree(encap); 2622 2623 return err; 2624 } 2625 #else 2626 static int xfrm_do_migrate(struct sk_buff *skb, struct nlmsghdr *nlh, 2627 struct nlattr **attrs) 2628 { 2629 return -ENOPROTOOPT; 2630 } 2631 #endif 2632 2633 #ifdef CONFIG_XFRM_MIGRATE 2634 static int copy_to_user_migrate(const struct xfrm_migrate *m, struct sk_buff *skb) 2635 { 2636 struct xfrm_user_migrate um; 2637 2638 memset(&um, 0, sizeof(um)); 2639 um.proto = m->proto; 2640 um.mode = m->mode; 2641 um.reqid = m->reqid; 2642 um.old_family = m->old_family; 2643 memcpy(&um.old_daddr, &m->old_daddr, sizeof(um.old_daddr)); 2644 memcpy(&um.old_saddr, &m->old_saddr, sizeof(um.old_saddr)); 2645 um.new_family = m->new_family; 2646 memcpy(&um.new_daddr, &m->new_daddr, sizeof(um.new_daddr)); 2647 memcpy(&um.new_saddr, &m->new_saddr, sizeof(um.new_saddr)); 2648 2649 return nla_put(skb, XFRMA_MIGRATE, sizeof(um), &um); 2650 } 2651 2652 static int copy_to_user_kmaddress(const struct xfrm_kmaddress *k, struct sk_buff *skb) 2653 { 2654 struct xfrm_user_kmaddress uk; 2655 2656 memset(&uk, 0, sizeof(uk)); 2657 uk.family = k->family; 2658 uk.reserved = k->reserved; 2659 memcpy(&uk.local, &k->local, sizeof(uk.local)); 2660 memcpy(&uk.remote, &k->remote, sizeof(uk.remote)); 2661 2662 return nla_put(skb, XFRMA_KMADDRESS, sizeof(uk), &uk); 2663 } 2664 2665 static inline unsigned int xfrm_migrate_msgsize(int num_migrate, int with_kma, 2666 int with_encp) 2667 { 2668 return NLMSG_ALIGN(sizeof(struct xfrm_userpolicy_id)) 2669 + (with_kma ? nla_total_size(sizeof(struct xfrm_kmaddress)) : 0) 2670 + (with_encp ? nla_total_size(sizeof(struct xfrm_encap_tmpl)) : 0) 2671 + nla_total_size(sizeof(struct xfrm_user_migrate) * num_migrate) 2672 + userpolicy_type_attrsize(); 2673 } 2674 2675 static int build_migrate(struct sk_buff *skb, const struct xfrm_migrate *m, 2676 int num_migrate, const struct xfrm_kmaddress *k, 2677 const struct xfrm_selector *sel, 2678 const struct xfrm_encap_tmpl *encap, u8 dir, u8 type) 2679 { 2680 const struct xfrm_migrate *mp; 2681 struct xfrm_userpolicy_id *pol_id; 2682 struct nlmsghdr *nlh; 2683 int i, err; 2684 2685 nlh = nlmsg_put(skb, 0, 0, XFRM_MSG_MIGRATE, sizeof(*pol_id), 0); 2686 if (nlh == NULL) 2687 return -EMSGSIZE; 2688 2689 pol_id = nlmsg_data(nlh); 2690 /* copy data from selector, dir, and type to the pol_id */ 2691 memset(pol_id, 0, sizeof(*pol_id)); 2692 memcpy(&pol_id->sel, sel, sizeof(pol_id->sel)); 2693 pol_id->dir = dir; 2694 2695 if (k != NULL) { 2696 err = copy_to_user_kmaddress(k, skb); 2697 if (err) 2698 goto out_cancel; 2699 } 2700 if (encap) { 2701 err = nla_put(skb, XFRMA_ENCAP, sizeof(*encap), encap); 2702 if (err) 2703 goto out_cancel; 2704 } 2705 err = copy_to_user_policy_type(type, skb); 2706 if (err) 2707 goto out_cancel; 2708 for (i = 0, mp = m ; i < num_migrate; i++, mp++) { 2709 err = copy_to_user_migrate(mp, skb); 2710 if (err) 2711 goto out_cancel; 2712 } 2713 2714 nlmsg_end(skb, nlh); 2715 return 0; 2716 2717 out_cancel: 2718 nlmsg_cancel(skb, nlh); 2719 return err; 2720 } 2721 2722 static int xfrm_send_migrate(const struct xfrm_selector *sel, u8 dir, u8 type, 2723 const struct xfrm_migrate *m, int num_migrate, 2724 const struct xfrm_kmaddress *k, 2725 const struct xfrm_encap_tmpl *encap) 2726 { 2727 struct net *net = &init_net; 2728 struct sk_buff *skb; 2729 int err; 2730 2731 skb = nlmsg_new(xfrm_migrate_msgsize(num_migrate, !!k, !!encap), 2732 GFP_ATOMIC); 2733 if (skb == NULL) 2734 return -ENOMEM; 2735 2736 /* build migrate */ 2737 err = build_migrate(skb, m, num_migrate, k, sel, encap, dir, type); 2738 BUG_ON(err < 0); 2739 2740 return xfrm_nlmsg_multicast(net, skb, 0, XFRMNLGRP_MIGRATE); 2741 } 2742 #else 2743 static int xfrm_send_migrate(const struct xfrm_selector *sel, u8 dir, u8 type, 2744 const struct xfrm_migrate *m, int num_migrate, 2745 const struct xfrm_kmaddress *k, 2746 const struct xfrm_encap_tmpl *encap) 2747 { 2748 return -ENOPROTOOPT; 2749 } 2750 #endif 2751 2752 #define XMSGSIZE(type) sizeof(struct type) 2753 2754 const int xfrm_msg_min[XFRM_NR_MSGTYPES] = { 2755 [XFRM_MSG_NEWSA - XFRM_MSG_BASE] = XMSGSIZE(xfrm_usersa_info), 2756 [XFRM_MSG_DELSA - XFRM_MSG_BASE] = XMSGSIZE(xfrm_usersa_id), 2757 [XFRM_MSG_GETSA - XFRM_MSG_BASE] = XMSGSIZE(xfrm_usersa_id), 2758 [XFRM_MSG_NEWPOLICY - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userpolicy_info), 2759 [XFRM_MSG_DELPOLICY - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userpolicy_id), 2760 [XFRM_MSG_GETPOLICY - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userpolicy_id), 2761 [XFRM_MSG_ALLOCSPI - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userspi_info), 2762 [XFRM_MSG_ACQUIRE - XFRM_MSG_BASE] = XMSGSIZE(xfrm_user_acquire), 2763 [XFRM_MSG_EXPIRE - XFRM_MSG_BASE] = XMSGSIZE(xfrm_user_expire), 2764 [XFRM_MSG_UPDPOLICY - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userpolicy_info), 2765 [XFRM_MSG_UPDSA - XFRM_MSG_BASE] = XMSGSIZE(xfrm_usersa_info), 2766 [XFRM_MSG_POLEXPIRE - XFRM_MSG_BASE] = XMSGSIZE(xfrm_user_polexpire), 2767 [XFRM_MSG_FLUSHSA - XFRM_MSG_BASE] = XMSGSIZE(xfrm_usersa_flush), 2768 [XFRM_MSG_FLUSHPOLICY - XFRM_MSG_BASE] = 0, 2769 [XFRM_MSG_NEWAE - XFRM_MSG_BASE] = XMSGSIZE(xfrm_aevent_id), 2770 [XFRM_MSG_GETAE - XFRM_MSG_BASE] = XMSGSIZE(xfrm_aevent_id), 2771 [XFRM_MSG_REPORT - XFRM_MSG_BASE] = XMSGSIZE(xfrm_user_report), 2772 [XFRM_MSG_MIGRATE - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userpolicy_id), 2773 [XFRM_MSG_GETSADINFO - XFRM_MSG_BASE] = sizeof(u32), 2774 [XFRM_MSG_NEWSPDINFO - XFRM_MSG_BASE] = sizeof(u32), 2775 [XFRM_MSG_GETSPDINFO - XFRM_MSG_BASE] = sizeof(u32), 2776 [XFRM_MSG_SETDEFAULT - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userpolicy_default), 2777 [XFRM_MSG_GETDEFAULT - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userpolicy_default), 2778 }; 2779 EXPORT_SYMBOL_GPL(xfrm_msg_min); 2780 2781 #undef XMSGSIZE 2782 2783 const struct nla_policy xfrma_policy[XFRMA_MAX+1] = { 2784 [XFRMA_SA] = { .len = sizeof(struct xfrm_usersa_info)}, 2785 [XFRMA_POLICY] = { .len = sizeof(struct xfrm_userpolicy_info)}, 2786 [XFRMA_LASTUSED] = { .type = NLA_U64}, 2787 [XFRMA_ALG_AUTH_TRUNC] = { .len = sizeof(struct xfrm_algo_auth)}, 2788 [XFRMA_ALG_AEAD] = { .len = sizeof(struct xfrm_algo_aead) }, 2789 [XFRMA_ALG_AUTH] = { .len = sizeof(struct xfrm_algo) }, 2790 [XFRMA_ALG_CRYPT] = { .len = sizeof(struct xfrm_algo) }, 2791 [XFRMA_ALG_COMP] = { .len = sizeof(struct xfrm_algo) }, 2792 [XFRMA_ENCAP] = { .len = sizeof(struct xfrm_encap_tmpl) }, 2793 [XFRMA_TMPL] = { .len = sizeof(struct xfrm_user_tmpl) }, 2794 [XFRMA_SEC_CTX] = { .len = sizeof(struct xfrm_sec_ctx) }, 2795 [XFRMA_LTIME_VAL] = { .len = sizeof(struct xfrm_lifetime_cur) }, 2796 [XFRMA_REPLAY_VAL] = { .len = sizeof(struct xfrm_replay_state) }, 2797 [XFRMA_REPLAY_THRESH] = { .type = NLA_U32 }, 2798 [XFRMA_ETIMER_THRESH] = { .type = NLA_U32 }, 2799 [XFRMA_SRCADDR] = { .len = sizeof(xfrm_address_t) }, 2800 [XFRMA_COADDR] = { .len = sizeof(xfrm_address_t) }, 2801 [XFRMA_POLICY_TYPE] = { .len = sizeof(struct xfrm_userpolicy_type)}, 2802 [XFRMA_MIGRATE] = { .len = sizeof(struct xfrm_user_migrate) }, 2803 [XFRMA_KMADDRESS] = { .len = sizeof(struct xfrm_user_kmaddress) }, 2804 [XFRMA_MARK] = { .len = sizeof(struct xfrm_mark) }, 2805 [XFRMA_TFCPAD] = { .type = NLA_U32 }, 2806 [XFRMA_REPLAY_ESN_VAL] = { .len = sizeof(struct xfrm_replay_state_esn) }, 2807 [XFRMA_SA_EXTRA_FLAGS] = { .type = NLA_U32 }, 2808 [XFRMA_PROTO] = { .type = NLA_U8 }, 2809 [XFRMA_ADDRESS_FILTER] = { .len = sizeof(struct xfrm_address_filter) }, 2810 [XFRMA_OFFLOAD_DEV] = { .len = sizeof(struct xfrm_user_offload) }, 2811 [XFRMA_SET_MARK] = { .type = NLA_U32 }, 2812 [XFRMA_SET_MARK_MASK] = { .type = NLA_U32 }, 2813 [XFRMA_IF_ID] = { .type = NLA_U32 }, 2814 }; 2815 EXPORT_SYMBOL_GPL(xfrma_policy); 2816 2817 static const struct nla_policy xfrma_spd_policy[XFRMA_SPD_MAX+1] = { 2818 [XFRMA_SPD_IPV4_HTHRESH] = { .len = sizeof(struct xfrmu_spdhthresh) }, 2819 [XFRMA_SPD_IPV6_HTHRESH] = { .len = sizeof(struct xfrmu_spdhthresh) }, 2820 }; 2821 2822 static const struct xfrm_link { 2823 int (*doit)(struct sk_buff *, struct nlmsghdr *, struct nlattr **); 2824 int (*start)(struct netlink_callback *); 2825 int (*dump)(struct sk_buff *, struct netlink_callback *); 2826 int (*done)(struct netlink_callback *); 2827 const struct nla_policy *nla_pol; 2828 int nla_max; 2829 } xfrm_dispatch[XFRM_NR_MSGTYPES] = { 2830 [XFRM_MSG_NEWSA - XFRM_MSG_BASE] = { .doit = xfrm_add_sa }, 2831 [XFRM_MSG_DELSA - XFRM_MSG_BASE] = { .doit = xfrm_del_sa }, 2832 [XFRM_MSG_GETSA - XFRM_MSG_BASE] = { .doit = xfrm_get_sa, 2833 .dump = xfrm_dump_sa, 2834 .done = xfrm_dump_sa_done }, 2835 [XFRM_MSG_NEWPOLICY - XFRM_MSG_BASE] = { .doit = xfrm_add_policy }, 2836 [XFRM_MSG_DELPOLICY - XFRM_MSG_BASE] = { .doit = xfrm_get_policy }, 2837 [XFRM_MSG_GETPOLICY - XFRM_MSG_BASE] = { .doit = xfrm_get_policy, 2838 .start = xfrm_dump_policy_start, 2839 .dump = xfrm_dump_policy, 2840 .done = xfrm_dump_policy_done }, 2841 [XFRM_MSG_ALLOCSPI - XFRM_MSG_BASE] = { .doit = xfrm_alloc_userspi }, 2842 [XFRM_MSG_ACQUIRE - XFRM_MSG_BASE] = { .doit = xfrm_add_acquire }, 2843 [XFRM_MSG_EXPIRE - XFRM_MSG_BASE] = { .doit = xfrm_add_sa_expire }, 2844 [XFRM_MSG_UPDPOLICY - XFRM_MSG_BASE] = { .doit = xfrm_add_policy }, 2845 [XFRM_MSG_UPDSA - XFRM_MSG_BASE] = { .doit = xfrm_add_sa }, 2846 [XFRM_MSG_POLEXPIRE - XFRM_MSG_BASE] = { .doit = xfrm_add_pol_expire}, 2847 [XFRM_MSG_FLUSHSA - XFRM_MSG_BASE] = { .doit = xfrm_flush_sa }, 2848 [XFRM_MSG_FLUSHPOLICY - XFRM_MSG_BASE] = { .doit = xfrm_flush_policy }, 2849 [XFRM_MSG_NEWAE - XFRM_MSG_BASE] = { .doit = xfrm_new_ae }, 2850 [XFRM_MSG_GETAE - XFRM_MSG_BASE] = { .doit = xfrm_get_ae }, 2851 [XFRM_MSG_MIGRATE - XFRM_MSG_BASE] = { .doit = xfrm_do_migrate }, 2852 [XFRM_MSG_GETSADINFO - XFRM_MSG_BASE] = { .doit = xfrm_get_sadinfo }, 2853 [XFRM_MSG_NEWSPDINFO - XFRM_MSG_BASE] = { .doit = xfrm_set_spdinfo, 2854 .nla_pol = xfrma_spd_policy, 2855 .nla_max = XFRMA_SPD_MAX }, 2856 [XFRM_MSG_GETSPDINFO - XFRM_MSG_BASE] = { .doit = xfrm_get_spdinfo }, 2857 [XFRM_MSG_SETDEFAULT - XFRM_MSG_BASE] = { .doit = xfrm_set_default }, 2858 [XFRM_MSG_GETDEFAULT - XFRM_MSG_BASE] = { .doit = xfrm_get_default }, 2859 }; 2860 2861 static int xfrm_user_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh, 2862 struct netlink_ext_ack *extack) 2863 { 2864 struct net *net = sock_net(skb->sk); 2865 struct nlattr *attrs[XFRMA_MAX+1]; 2866 const struct xfrm_link *link; 2867 struct nlmsghdr *nlh64 = NULL; 2868 int type, err; 2869 2870 type = nlh->nlmsg_type; 2871 if (type > XFRM_MSG_MAX) 2872 return -EINVAL; 2873 2874 type -= XFRM_MSG_BASE; 2875 link = &xfrm_dispatch[type]; 2876 2877 /* All operations require privileges, even GET */ 2878 if (!netlink_net_capable(skb, CAP_NET_ADMIN)) 2879 return -EPERM; 2880 2881 if (in_compat_syscall()) { 2882 struct xfrm_translator *xtr = xfrm_get_translator(); 2883 2884 if (!xtr) 2885 return -EOPNOTSUPP; 2886 2887 nlh64 = xtr->rcv_msg_compat(nlh, link->nla_max, 2888 link->nla_pol, extack); 2889 xfrm_put_translator(xtr); 2890 if (IS_ERR(nlh64)) 2891 return PTR_ERR(nlh64); 2892 if (nlh64) 2893 nlh = nlh64; 2894 } 2895 2896 if ((type == (XFRM_MSG_GETSA - XFRM_MSG_BASE) || 2897 type == (XFRM_MSG_GETPOLICY - XFRM_MSG_BASE)) && 2898 (nlh->nlmsg_flags & NLM_F_DUMP)) { 2899 struct netlink_dump_control c = { 2900 .start = link->start, 2901 .dump = link->dump, 2902 .done = link->done, 2903 }; 2904 2905 if (link->dump == NULL) { 2906 err = -EINVAL; 2907 goto err; 2908 } 2909 2910 err = netlink_dump_start(net->xfrm.nlsk, skb, nlh, &c); 2911 goto err; 2912 } 2913 2914 err = nlmsg_parse_deprecated(nlh, xfrm_msg_min[type], attrs, 2915 link->nla_max ? : XFRMA_MAX, 2916 link->nla_pol ? : xfrma_policy, extack); 2917 if (err < 0) 2918 goto err; 2919 2920 if (link->doit == NULL) { 2921 err = -EINVAL; 2922 goto err; 2923 } 2924 2925 err = link->doit(skb, nlh, attrs); 2926 2927 /* We need to free skb allocated in xfrm_alloc_compat() before 2928 * returning from this function, because consume_skb() won't take 2929 * care of frag_list since netlink destructor sets 2930 * sbk->head to NULL. (see netlink_skb_destructor()) 2931 */ 2932 if (skb_has_frag_list(skb)) { 2933 kfree_skb(skb_shinfo(skb)->frag_list); 2934 skb_shinfo(skb)->frag_list = NULL; 2935 } 2936 2937 err: 2938 kvfree(nlh64); 2939 return err; 2940 } 2941 2942 static void xfrm_netlink_rcv(struct sk_buff *skb) 2943 { 2944 struct net *net = sock_net(skb->sk); 2945 2946 mutex_lock(&net->xfrm.xfrm_cfg_mutex); 2947 netlink_rcv_skb(skb, &xfrm_user_rcv_msg); 2948 mutex_unlock(&net->xfrm.xfrm_cfg_mutex); 2949 } 2950 2951 static inline unsigned int xfrm_expire_msgsize(void) 2952 { 2953 return NLMSG_ALIGN(sizeof(struct xfrm_user_expire)) 2954 + nla_total_size(sizeof(struct xfrm_mark)); 2955 } 2956 2957 static int build_expire(struct sk_buff *skb, struct xfrm_state *x, const struct km_event *c) 2958 { 2959 struct xfrm_user_expire *ue; 2960 struct nlmsghdr *nlh; 2961 int err; 2962 2963 nlh = nlmsg_put(skb, c->portid, 0, XFRM_MSG_EXPIRE, sizeof(*ue), 0); 2964 if (nlh == NULL) 2965 return -EMSGSIZE; 2966 2967 ue = nlmsg_data(nlh); 2968 copy_to_user_state(x, &ue->state); 2969 ue->hard = (c->data.hard != 0) ? 1 : 0; 2970 /* clear the padding bytes */ 2971 memset_after(ue, 0, hard); 2972 2973 err = xfrm_mark_put(skb, &x->mark); 2974 if (err) 2975 return err; 2976 2977 err = xfrm_if_id_put(skb, x->if_id); 2978 if (err) 2979 return err; 2980 2981 nlmsg_end(skb, nlh); 2982 return 0; 2983 } 2984 2985 static int xfrm_exp_state_notify(struct xfrm_state *x, const struct km_event *c) 2986 { 2987 struct net *net = xs_net(x); 2988 struct sk_buff *skb; 2989 2990 skb = nlmsg_new(xfrm_expire_msgsize(), GFP_ATOMIC); 2991 if (skb == NULL) 2992 return -ENOMEM; 2993 2994 if (build_expire(skb, x, c) < 0) { 2995 kfree_skb(skb); 2996 return -EMSGSIZE; 2997 } 2998 2999 return xfrm_nlmsg_multicast(net, skb, 0, XFRMNLGRP_EXPIRE); 3000 } 3001 3002 static int xfrm_aevent_state_notify(struct xfrm_state *x, const struct km_event *c) 3003 { 3004 struct net *net = xs_net(x); 3005 struct sk_buff *skb; 3006 int err; 3007 3008 skb = nlmsg_new(xfrm_aevent_msgsize(x), GFP_ATOMIC); 3009 if (skb == NULL) 3010 return -ENOMEM; 3011 3012 err = build_aevent(skb, x, c); 3013 BUG_ON(err < 0); 3014 3015 return xfrm_nlmsg_multicast(net, skb, 0, XFRMNLGRP_AEVENTS); 3016 } 3017 3018 static int xfrm_notify_sa_flush(const struct km_event *c) 3019 { 3020 struct net *net = c->net; 3021 struct xfrm_usersa_flush *p; 3022 struct nlmsghdr *nlh; 3023 struct sk_buff *skb; 3024 int len = NLMSG_ALIGN(sizeof(struct xfrm_usersa_flush)); 3025 3026 skb = nlmsg_new(len, GFP_ATOMIC); 3027 if (skb == NULL) 3028 return -ENOMEM; 3029 3030 nlh = nlmsg_put(skb, c->portid, c->seq, XFRM_MSG_FLUSHSA, sizeof(*p), 0); 3031 if (nlh == NULL) { 3032 kfree_skb(skb); 3033 return -EMSGSIZE; 3034 } 3035 3036 p = nlmsg_data(nlh); 3037 p->proto = c->data.proto; 3038 3039 nlmsg_end(skb, nlh); 3040 3041 return xfrm_nlmsg_multicast(net, skb, 0, XFRMNLGRP_SA); 3042 } 3043 3044 static inline unsigned int xfrm_sa_len(struct xfrm_state *x) 3045 { 3046 unsigned int l = 0; 3047 if (x->aead) 3048 l += nla_total_size(aead_len(x->aead)); 3049 if (x->aalg) { 3050 l += nla_total_size(sizeof(struct xfrm_algo) + 3051 (x->aalg->alg_key_len + 7) / 8); 3052 l += nla_total_size(xfrm_alg_auth_len(x->aalg)); 3053 } 3054 if (x->ealg) 3055 l += nla_total_size(xfrm_alg_len(x->ealg)); 3056 if (x->calg) 3057 l += nla_total_size(sizeof(*x->calg)); 3058 if (x->encap) 3059 l += nla_total_size(sizeof(*x->encap)); 3060 if (x->tfcpad) 3061 l += nla_total_size(sizeof(x->tfcpad)); 3062 if (x->replay_esn) 3063 l += nla_total_size(xfrm_replay_state_esn_len(x->replay_esn)); 3064 else 3065 l += nla_total_size(sizeof(struct xfrm_replay_state)); 3066 if (x->security) 3067 l += nla_total_size(sizeof(struct xfrm_user_sec_ctx) + 3068 x->security->ctx_len); 3069 if (x->coaddr) 3070 l += nla_total_size(sizeof(*x->coaddr)); 3071 if (x->props.extra_flags) 3072 l += nla_total_size(sizeof(x->props.extra_flags)); 3073 if (x->xso.dev) 3074 l += nla_total_size(sizeof(x->xso)); 3075 if (x->props.smark.v | x->props.smark.m) { 3076 l += nla_total_size(sizeof(x->props.smark.v)); 3077 l += nla_total_size(sizeof(x->props.smark.m)); 3078 } 3079 if (x->if_id) 3080 l += nla_total_size(sizeof(x->if_id)); 3081 3082 /* Must count x->lastused as it may become non-zero behind our back. */ 3083 l += nla_total_size_64bit(sizeof(u64)); 3084 3085 if (x->mapping_maxage) 3086 l += nla_total_size(sizeof(x->mapping_maxage)); 3087 3088 return l; 3089 } 3090 3091 static int xfrm_notify_sa(struct xfrm_state *x, const struct km_event *c) 3092 { 3093 struct net *net = xs_net(x); 3094 struct xfrm_usersa_info *p; 3095 struct xfrm_usersa_id *id; 3096 struct nlmsghdr *nlh; 3097 struct sk_buff *skb; 3098 unsigned int len = xfrm_sa_len(x); 3099 unsigned int headlen; 3100 int err; 3101 3102 headlen = sizeof(*p); 3103 if (c->event == XFRM_MSG_DELSA) { 3104 len += nla_total_size(headlen); 3105 headlen = sizeof(*id); 3106 len += nla_total_size(sizeof(struct xfrm_mark)); 3107 } 3108 len += NLMSG_ALIGN(headlen); 3109 3110 skb = nlmsg_new(len, GFP_ATOMIC); 3111 if (skb == NULL) 3112 return -ENOMEM; 3113 3114 nlh = nlmsg_put(skb, c->portid, c->seq, c->event, headlen, 0); 3115 err = -EMSGSIZE; 3116 if (nlh == NULL) 3117 goto out_free_skb; 3118 3119 p = nlmsg_data(nlh); 3120 if (c->event == XFRM_MSG_DELSA) { 3121 struct nlattr *attr; 3122 3123 id = nlmsg_data(nlh); 3124 memset(id, 0, sizeof(*id)); 3125 memcpy(&id->daddr, &x->id.daddr, sizeof(id->daddr)); 3126 id->spi = x->id.spi; 3127 id->family = x->props.family; 3128 id->proto = x->id.proto; 3129 3130 attr = nla_reserve(skb, XFRMA_SA, sizeof(*p)); 3131 err = -EMSGSIZE; 3132 if (attr == NULL) 3133 goto out_free_skb; 3134 3135 p = nla_data(attr); 3136 } 3137 err = copy_to_user_state_extra(x, p, skb); 3138 if (err) 3139 goto out_free_skb; 3140 3141 nlmsg_end(skb, nlh); 3142 3143 return xfrm_nlmsg_multicast(net, skb, 0, XFRMNLGRP_SA); 3144 3145 out_free_skb: 3146 kfree_skb(skb); 3147 return err; 3148 } 3149 3150 static int xfrm_send_state_notify(struct xfrm_state *x, const struct km_event *c) 3151 { 3152 3153 switch (c->event) { 3154 case XFRM_MSG_EXPIRE: 3155 return xfrm_exp_state_notify(x, c); 3156 case XFRM_MSG_NEWAE: 3157 return xfrm_aevent_state_notify(x, c); 3158 case XFRM_MSG_DELSA: 3159 case XFRM_MSG_UPDSA: 3160 case XFRM_MSG_NEWSA: 3161 return xfrm_notify_sa(x, c); 3162 case XFRM_MSG_FLUSHSA: 3163 return xfrm_notify_sa_flush(c); 3164 default: 3165 printk(KERN_NOTICE "xfrm_user: Unknown SA event %d\n", 3166 c->event); 3167 break; 3168 } 3169 3170 return 0; 3171 3172 } 3173 3174 static inline unsigned int xfrm_acquire_msgsize(struct xfrm_state *x, 3175 struct xfrm_policy *xp) 3176 { 3177 return NLMSG_ALIGN(sizeof(struct xfrm_user_acquire)) 3178 + nla_total_size(sizeof(struct xfrm_user_tmpl) * xp->xfrm_nr) 3179 + nla_total_size(sizeof(struct xfrm_mark)) 3180 + nla_total_size(xfrm_user_sec_ctx_size(x->security)) 3181 + userpolicy_type_attrsize(); 3182 } 3183 3184 static int build_acquire(struct sk_buff *skb, struct xfrm_state *x, 3185 struct xfrm_tmpl *xt, struct xfrm_policy *xp) 3186 { 3187 __u32 seq = xfrm_get_acqseq(); 3188 struct xfrm_user_acquire *ua; 3189 struct nlmsghdr *nlh; 3190 int err; 3191 3192 nlh = nlmsg_put(skb, 0, 0, XFRM_MSG_ACQUIRE, sizeof(*ua), 0); 3193 if (nlh == NULL) 3194 return -EMSGSIZE; 3195 3196 ua = nlmsg_data(nlh); 3197 memcpy(&ua->id, &x->id, sizeof(ua->id)); 3198 memcpy(&ua->saddr, &x->props.saddr, sizeof(ua->saddr)); 3199 memcpy(&ua->sel, &x->sel, sizeof(ua->sel)); 3200 copy_to_user_policy(xp, &ua->policy, XFRM_POLICY_OUT); 3201 ua->aalgos = xt->aalgos; 3202 ua->ealgos = xt->ealgos; 3203 ua->calgos = xt->calgos; 3204 ua->seq = x->km.seq = seq; 3205 3206 err = copy_to_user_tmpl(xp, skb); 3207 if (!err) 3208 err = copy_to_user_state_sec_ctx(x, skb); 3209 if (!err) 3210 err = copy_to_user_policy_type(xp->type, skb); 3211 if (!err) 3212 err = xfrm_mark_put(skb, &xp->mark); 3213 if (!err) 3214 err = xfrm_if_id_put(skb, xp->if_id); 3215 if (err) { 3216 nlmsg_cancel(skb, nlh); 3217 return err; 3218 } 3219 3220 nlmsg_end(skb, nlh); 3221 return 0; 3222 } 3223 3224 static int xfrm_send_acquire(struct xfrm_state *x, struct xfrm_tmpl *xt, 3225 struct xfrm_policy *xp) 3226 { 3227 struct net *net = xs_net(x); 3228 struct sk_buff *skb; 3229 int err; 3230 3231 skb = nlmsg_new(xfrm_acquire_msgsize(x, xp), GFP_ATOMIC); 3232 if (skb == NULL) 3233 return -ENOMEM; 3234 3235 err = build_acquire(skb, x, xt, xp); 3236 BUG_ON(err < 0); 3237 3238 return xfrm_nlmsg_multicast(net, skb, 0, XFRMNLGRP_ACQUIRE); 3239 } 3240 3241 /* User gives us xfrm_user_policy_info followed by an array of 0 3242 * or more templates. 3243 */ 3244 static struct xfrm_policy *xfrm_compile_policy(struct sock *sk, int opt, 3245 u8 *data, int len, int *dir) 3246 { 3247 struct net *net = sock_net(sk); 3248 struct xfrm_userpolicy_info *p = (struct xfrm_userpolicy_info *)data; 3249 struct xfrm_user_tmpl *ut = (struct xfrm_user_tmpl *) (p + 1); 3250 struct xfrm_policy *xp; 3251 int nr; 3252 3253 switch (sk->sk_family) { 3254 case AF_INET: 3255 if (opt != IP_XFRM_POLICY) { 3256 *dir = -EOPNOTSUPP; 3257 return NULL; 3258 } 3259 break; 3260 #if IS_ENABLED(CONFIG_IPV6) 3261 case AF_INET6: 3262 if (opt != IPV6_XFRM_POLICY) { 3263 *dir = -EOPNOTSUPP; 3264 return NULL; 3265 } 3266 break; 3267 #endif 3268 default: 3269 *dir = -EINVAL; 3270 return NULL; 3271 } 3272 3273 *dir = -EINVAL; 3274 3275 if (len < sizeof(*p) || 3276 verify_newpolicy_info(p)) 3277 return NULL; 3278 3279 nr = ((len - sizeof(*p)) / sizeof(*ut)); 3280 if (validate_tmpl(nr, ut, p->sel.family)) 3281 return NULL; 3282 3283 if (p->dir > XFRM_POLICY_OUT) 3284 return NULL; 3285 3286 xp = xfrm_policy_alloc(net, GFP_ATOMIC); 3287 if (xp == NULL) { 3288 *dir = -ENOBUFS; 3289 return NULL; 3290 } 3291 3292 copy_from_user_policy(xp, p); 3293 xp->type = XFRM_POLICY_TYPE_MAIN; 3294 copy_templates(xp, ut, nr); 3295 3296 *dir = p->dir; 3297 3298 return xp; 3299 } 3300 3301 static inline unsigned int xfrm_polexpire_msgsize(struct xfrm_policy *xp) 3302 { 3303 return NLMSG_ALIGN(sizeof(struct xfrm_user_polexpire)) 3304 + nla_total_size(sizeof(struct xfrm_user_tmpl) * xp->xfrm_nr) 3305 + nla_total_size(xfrm_user_sec_ctx_size(xp->security)) 3306 + nla_total_size(sizeof(struct xfrm_mark)) 3307 + userpolicy_type_attrsize(); 3308 } 3309 3310 static int build_polexpire(struct sk_buff *skb, struct xfrm_policy *xp, 3311 int dir, const struct km_event *c) 3312 { 3313 struct xfrm_user_polexpire *upe; 3314 int hard = c->data.hard; 3315 struct nlmsghdr *nlh; 3316 int err; 3317 3318 nlh = nlmsg_put(skb, c->portid, 0, XFRM_MSG_POLEXPIRE, sizeof(*upe), 0); 3319 if (nlh == NULL) 3320 return -EMSGSIZE; 3321 3322 upe = nlmsg_data(nlh); 3323 copy_to_user_policy(xp, &upe->pol, dir); 3324 err = copy_to_user_tmpl(xp, skb); 3325 if (!err) 3326 err = copy_to_user_sec_ctx(xp, skb); 3327 if (!err) 3328 err = copy_to_user_policy_type(xp->type, skb); 3329 if (!err) 3330 err = xfrm_mark_put(skb, &xp->mark); 3331 if (!err) 3332 err = xfrm_if_id_put(skb, xp->if_id); 3333 if (err) { 3334 nlmsg_cancel(skb, nlh); 3335 return err; 3336 } 3337 upe->hard = !!hard; 3338 3339 nlmsg_end(skb, nlh); 3340 return 0; 3341 } 3342 3343 static int xfrm_exp_policy_notify(struct xfrm_policy *xp, int dir, const struct km_event *c) 3344 { 3345 struct net *net = xp_net(xp); 3346 struct sk_buff *skb; 3347 int err; 3348 3349 skb = nlmsg_new(xfrm_polexpire_msgsize(xp), GFP_ATOMIC); 3350 if (skb == NULL) 3351 return -ENOMEM; 3352 3353 err = build_polexpire(skb, xp, dir, c); 3354 BUG_ON(err < 0); 3355 3356 return xfrm_nlmsg_multicast(net, skb, 0, XFRMNLGRP_EXPIRE); 3357 } 3358 3359 static int xfrm_notify_policy(struct xfrm_policy *xp, int dir, const struct km_event *c) 3360 { 3361 unsigned int len = nla_total_size(sizeof(struct xfrm_user_tmpl) * xp->xfrm_nr); 3362 struct net *net = xp_net(xp); 3363 struct xfrm_userpolicy_info *p; 3364 struct xfrm_userpolicy_id *id; 3365 struct nlmsghdr *nlh; 3366 struct sk_buff *skb; 3367 unsigned int headlen; 3368 int err; 3369 3370 headlen = sizeof(*p); 3371 if (c->event == XFRM_MSG_DELPOLICY) { 3372 len += nla_total_size(headlen); 3373 headlen = sizeof(*id); 3374 } 3375 len += userpolicy_type_attrsize(); 3376 len += nla_total_size(sizeof(struct xfrm_mark)); 3377 len += NLMSG_ALIGN(headlen); 3378 3379 skb = nlmsg_new(len, GFP_ATOMIC); 3380 if (skb == NULL) 3381 return -ENOMEM; 3382 3383 nlh = nlmsg_put(skb, c->portid, c->seq, c->event, headlen, 0); 3384 err = -EMSGSIZE; 3385 if (nlh == NULL) 3386 goto out_free_skb; 3387 3388 p = nlmsg_data(nlh); 3389 if (c->event == XFRM_MSG_DELPOLICY) { 3390 struct nlattr *attr; 3391 3392 id = nlmsg_data(nlh); 3393 memset(id, 0, sizeof(*id)); 3394 id->dir = dir; 3395 if (c->data.byid) 3396 id->index = xp->index; 3397 else 3398 memcpy(&id->sel, &xp->selector, sizeof(id->sel)); 3399 3400 attr = nla_reserve(skb, XFRMA_POLICY, sizeof(*p)); 3401 err = -EMSGSIZE; 3402 if (attr == NULL) 3403 goto out_free_skb; 3404 3405 p = nla_data(attr); 3406 } 3407 3408 copy_to_user_policy(xp, p, dir); 3409 err = copy_to_user_tmpl(xp, skb); 3410 if (!err) 3411 err = copy_to_user_policy_type(xp->type, skb); 3412 if (!err) 3413 err = xfrm_mark_put(skb, &xp->mark); 3414 if (!err) 3415 err = xfrm_if_id_put(skb, xp->if_id); 3416 if (err) 3417 goto out_free_skb; 3418 3419 nlmsg_end(skb, nlh); 3420 3421 return xfrm_nlmsg_multicast(net, skb, 0, XFRMNLGRP_POLICY); 3422 3423 out_free_skb: 3424 kfree_skb(skb); 3425 return err; 3426 } 3427 3428 static int xfrm_notify_policy_flush(const struct km_event *c) 3429 { 3430 struct net *net = c->net; 3431 struct nlmsghdr *nlh; 3432 struct sk_buff *skb; 3433 int err; 3434 3435 skb = nlmsg_new(userpolicy_type_attrsize(), GFP_ATOMIC); 3436 if (skb == NULL) 3437 return -ENOMEM; 3438 3439 nlh = nlmsg_put(skb, c->portid, c->seq, XFRM_MSG_FLUSHPOLICY, 0, 0); 3440 err = -EMSGSIZE; 3441 if (nlh == NULL) 3442 goto out_free_skb; 3443 err = copy_to_user_policy_type(c->data.type, skb); 3444 if (err) 3445 goto out_free_skb; 3446 3447 nlmsg_end(skb, nlh); 3448 3449 return xfrm_nlmsg_multicast(net, skb, 0, XFRMNLGRP_POLICY); 3450 3451 out_free_skb: 3452 kfree_skb(skb); 3453 return err; 3454 } 3455 3456 static int xfrm_send_policy_notify(struct xfrm_policy *xp, int dir, const struct km_event *c) 3457 { 3458 3459 switch (c->event) { 3460 case XFRM_MSG_NEWPOLICY: 3461 case XFRM_MSG_UPDPOLICY: 3462 case XFRM_MSG_DELPOLICY: 3463 return xfrm_notify_policy(xp, dir, c); 3464 case XFRM_MSG_FLUSHPOLICY: 3465 return xfrm_notify_policy_flush(c); 3466 case XFRM_MSG_POLEXPIRE: 3467 return xfrm_exp_policy_notify(xp, dir, c); 3468 default: 3469 printk(KERN_NOTICE "xfrm_user: Unknown Policy event %d\n", 3470 c->event); 3471 } 3472 3473 return 0; 3474 3475 } 3476 3477 static inline unsigned int xfrm_report_msgsize(void) 3478 { 3479 return NLMSG_ALIGN(sizeof(struct xfrm_user_report)); 3480 } 3481 3482 static int build_report(struct sk_buff *skb, u8 proto, 3483 struct xfrm_selector *sel, xfrm_address_t *addr) 3484 { 3485 struct xfrm_user_report *ur; 3486 struct nlmsghdr *nlh; 3487 3488 nlh = nlmsg_put(skb, 0, 0, XFRM_MSG_REPORT, sizeof(*ur), 0); 3489 if (nlh == NULL) 3490 return -EMSGSIZE; 3491 3492 ur = nlmsg_data(nlh); 3493 ur->proto = proto; 3494 memcpy(&ur->sel, sel, sizeof(ur->sel)); 3495 3496 if (addr) { 3497 int err = nla_put(skb, XFRMA_COADDR, sizeof(*addr), addr); 3498 if (err) { 3499 nlmsg_cancel(skb, nlh); 3500 return err; 3501 } 3502 } 3503 nlmsg_end(skb, nlh); 3504 return 0; 3505 } 3506 3507 static int xfrm_send_report(struct net *net, u8 proto, 3508 struct xfrm_selector *sel, xfrm_address_t *addr) 3509 { 3510 struct sk_buff *skb; 3511 int err; 3512 3513 skb = nlmsg_new(xfrm_report_msgsize(), GFP_ATOMIC); 3514 if (skb == NULL) 3515 return -ENOMEM; 3516 3517 err = build_report(skb, proto, sel, addr); 3518 BUG_ON(err < 0); 3519 3520 return xfrm_nlmsg_multicast(net, skb, 0, XFRMNLGRP_REPORT); 3521 } 3522 3523 static inline unsigned int xfrm_mapping_msgsize(void) 3524 { 3525 return NLMSG_ALIGN(sizeof(struct xfrm_user_mapping)); 3526 } 3527 3528 static int build_mapping(struct sk_buff *skb, struct xfrm_state *x, 3529 xfrm_address_t *new_saddr, __be16 new_sport) 3530 { 3531 struct xfrm_user_mapping *um; 3532 struct nlmsghdr *nlh; 3533 3534 nlh = nlmsg_put(skb, 0, 0, XFRM_MSG_MAPPING, sizeof(*um), 0); 3535 if (nlh == NULL) 3536 return -EMSGSIZE; 3537 3538 um = nlmsg_data(nlh); 3539 3540 memcpy(&um->id.daddr, &x->id.daddr, sizeof(um->id.daddr)); 3541 um->id.spi = x->id.spi; 3542 um->id.family = x->props.family; 3543 um->id.proto = x->id.proto; 3544 memcpy(&um->new_saddr, new_saddr, sizeof(um->new_saddr)); 3545 memcpy(&um->old_saddr, &x->props.saddr, sizeof(um->old_saddr)); 3546 um->new_sport = new_sport; 3547 um->old_sport = x->encap->encap_sport; 3548 um->reqid = x->props.reqid; 3549 3550 nlmsg_end(skb, nlh); 3551 return 0; 3552 } 3553 3554 static int xfrm_send_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, 3555 __be16 sport) 3556 { 3557 struct net *net = xs_net(x); 3558 struct sk_buff *skb; 3559 int err; 3560 3561 if (x->id.proto != IPPROTO_ESP) 3562 return -EINVAL; 3563 3564 if (!x->encap) 3565 return -EINVAL; 3566 3567 skb = nlmsg_new(xfrm_mapping_msgsize(), GFP_ATOMIC); 3568 if (skb == NULL) 3569 return -ENOMEM; 3570 3571 err = build_mapping(skb, x, ipaddr, sport); 3572 BUG_ON(err < 0); 3573 3574 return xfrm_nlmsg_multicast(net, skb, 0, XFRMNLGRP_MAPPING); 3575 } 3576 3577 static bool xfrm_is_alive(const struct km_event *c) 3578 { 3579 return (bool)xfrm_acquire_is_on(c->net); 3580 } 3581 3582 static struct xfrm_mgr netlink_mgr = { 3583 .notify = xfrm_send_state_notify, 3584 .acquire = xfrm_send_acquire, 3585 .compile_policy = xfrm_compile_policy, 3586 .notify_policy = xfrm_send_policy_notify, 3587 .report = xfrm_send_report, 3588 .migrate = xfrm_send_migrate, 3589 .new_mapping = xfrm_send_mapping, 3590 .is_alive = xfrm_is_alive, 3591 }; 3592 3593 static int __net_init xfrm_user_net_init(struct net *net) 3594 { 3595 struct sock *nlsk; 3596 struct netlink_kernel_cfg cfg = { 3597 .groups = XFRMNLGRP_MAX, 3598 .input = xfrm_netlink_rcv, 3599 }; 3600 3601 nlsk = netlink_kernel_create(net, NETLINK_XFRM, &cfg); 3602 if (nlsk == NULL) 3603 return -ENOMEM; 3604 net->xfrm.nlsk_stash = nlsk; /* Don't set to NULL */ 3605 rcu_assign_pointer(net->xfrm.nlsk, nlsk); 3606 return 0; 3607 } 3608 3609 static void __net_exit xfrm_user_net_pre_exit(struct net *net) 3610 { 3611 RCU_INIT_POINTER(net->xfrm.nlsk, NULL); 3612 } 3613 3614 static void __net_exit xfrm_user_net_exit(struct list_head *net_exit_list) 3615 { 3616 struct net *net; 3617 3618 list_for_each_entry(net, net_exit_list, exit_list) 3619 netlink_kernel_release(net->xfrm.nlsk_stash); 3620 } 3621 3622 static struct pernet_operations xfrm_user_net_ops = { 3623 .init = xfrm_user_net_init, 3624 .pre_exit = xfrm_user_net_pre_exit, 3625 .exit_batch = xfrm_user_net_exit, 3626 }; 3627 3628 static int __init xfrm_user_init(void) 3629 { 3630 int rv; 3631 3632 printk(KERN_INFO "Initializing XFRM netlink socket\n"); 3633 3634 rv = register_pernet_subsys(&xfrm_user_net_ops); 3635 if (rv < 0) 3636 return rv; 3637 rv = xfrm_register_km(&netlink_mgr); 3638 if (rv < 0) 3639 unregister_pernet_subsys(&xfrm_user_net_ops); 3640 return rv; 3641 } 3642 3643 static void __exit xfrm_user_exit(void) 3644 { 3645 xfrm_unregister_km(&netlink_mgr); 3646 unregister_pernet_subsys(&xfrm_user_net_ops); 3647 } 3648 3649 module_init(xfrm_user_init); 3650 module_exit(xfrm_user_exit); 3651 MODULE_LICENSE("GPL"); 3652 MODULE_ALIAS_NET_PF_PROTO(PF_NETLINK, NETLINK_XFRM); 3653